Prepare for v0.49.0

[knqyf263]

Draft to collaborate on v0.49.0 release announcement

🚀 What's new? 🚀

💱 VEX Support Extended Across All Targets 🎯

Trivy now enables the --vex flag for all scanning targets, broadening its vulnerability capabilities. This update allows users to leverage VEX information across various assets, including container images, improving the granularity and relevance of security insights.

$ trivy image debian:11 --vex debian11.vex.csaf

🌊 CSAF VEX Support 🐦

Trivy now supports the CSAF format for filtering vulnerabilities with the --vex flag, expanding its compatibility with various VEX formats, including OpenVEX and CycloneDX.

Details

$ cat <<EOF > debian11.vex.csaf
{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "Example Company VEX document. Unofficial content for demonstration purposes only.",
        "title": "Author comment"
      }
    ],
    "publisher": {
      "category": "vendor",
      "name": "Example Company ProductCERT",
      "namespace": "https://psirt.example.com"
    },
    "title": "AquaSecurity example VEX document",
    "tracking": {
      "current_release_date": "2024-01-01T11:00:00.000Z",
      "generator": {
        "date": "2024-01-01T11:00:00.000Z",
        "engine": {
          "name": "Secvisogram",
          "version": "1.11.0"
        }
      },
      "id": "2024-EVD-UC-01-A-001",
      "initial_release_date": "2024-01-01T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-01-01T11:00:00.000Z",
          "number": "1",
          "summary": "Initial version."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "5.3",
                "product": {
                  "name": "Database Libraries 5.3",
                  "product_id": "LIBDB-5328",
                  "product_identification_helper": {
                    "purl": "pkg:deb/debian/[email protected]%2Bdfsg1-0.8?arch=amd64\u0026distro=debian-11.8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Database Libraries"
          }
        ],
        "category": "vendor",
        "name": "Debian"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-8457",
      "notes": [
        {
          "category": "description",
          "text": "SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "LIBDB-5328"
        ]
      },
      "threats": [
        {
          "category": "impact",
          "details": "Vulnerable code not in execute path.",
          "product_ids": [
            "LIBDB-5328"
          ]
        }
      ]
    }
  ]
}
EOF

$ trivy image debian:11 -vex debian11.vex.csaf
2023-11-08T11:27:53.281+0100	INFO	Vulnerability scanning is enabled
2023-11-08T11:27:53.313+0100	INFO	Filtered out the detected vulnerability	{"VEX format": "CSAF", "vulnerability-id": "CVE-2023-1732", "status": "not_affected"}
...

🐍 Python License Parsing Enhancement 📄

Trivy now parses new license-related fields from the .dist-info folder in Python projects, aligning with PEP-639's introduction of the License-File field. This update enhances license detection in Python packages by utilizing the specified license files, even when the license itself is not explicitly mentioned in the package metadata.

📑 Line Numbers for pom.xml in Trivy 📍

Trivy now supports line numbers for dependencies in pom.xml, enhancing the precision of Java project scans. This offers locations for its direct dependencies while modules and transitive dependencies do not have this detail.

Example:

{
  ...
  "Results": [
    {
      "Target": "pom.xml",
      "Class": "lang-pkgs",
      "Type": "pom",
      "Packages": [
        {
          "ID": "com.fasterxml.jackson.core:jackson-databind:2.9.1",
          "Name": "com.fasterxml.jackson.core:jackson-databind",
          "Identifier": {
            "PURL": "pkg:maven/com.fasterxml.jackson.core/[email protected]"
          },
          "Version": "2.9.1",
          "Locations": [
            {
              "StartLine": 41,
              "EndLine": 45
            }
          ]
        }
      ]
    }
  ]
}

🧶 Yarn Alias Support 👽

Trivy now supports Yarn aliases, enhancing its Node.js package scanning capabilities. This update allows for more accurate dependency tracking in projects using Yarn's alias feature.

Example

$ cat yarn.lock
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"foo-ms@npm:ms":
  version "2.1.3"
  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2"
  integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==

$ app cat package.json 
{
  "name": "test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "foo-ms": "npm:ms"
  }
}

🦀 Rust Workspace Support 📦

Trivy now parses workspace.members in Cargo.toml for Rust projects, improving dependency analysis within Rust workspaces.

$ cat Cargo.toml
[workspace.package]
name = "toml-workspace-members"
version = "0.1.0"

[workspace]
resolver = "2"
members = ["member", "member2"]

[workspace.dependencies]
regex = "1"
$ trivy repo ./

Thanks to @anfedotoff

👾Aliases support for misconfig checks 👽

Misconfiguration rego checks can now be supplied with aliases. An example would be as such:

# METADATA
# title: "My Custom S3 Bucket Logging"
# custom:
#   aliases:
#   - my-custom-logging-check

This alias can be then used to ignore this check just like other properties.

#trivy:ignore:my-custom-terraform-check
resource "aws_s3_bucket" "s3_logs" {
  bucket = "foo-logging"
  tags = {
    Name = "foo"
  }
}

🚀 Support EC2 launch templates for misconfig scans 💣

It's now possible to scan AWS IaC that includes launch templates. The templates will be rendered prior to evaluation so as to display correct misconfiguration results.

For instance, the following EC2 config with the launch template will now be evaluated including the launch template details. Previously this would lead to false positives.

This feature is supported for both CloudFormation and Terraform IaC scanning.

AWSTemplateFormatVersion: 2010-09-09
Resources:
  MyLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
        LaunchTemplateName: MyTemplate
        LaunchTemplateData:
          MetadataOptions:
            HttpEndpoint: enabled
            HttpTokens: required
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: "ami-abc"
      LaunchTemplate:
        LaunchTemplateName: MyTemplate

👷‍♂️ Notable Fixes 🛠️

• Empty vendor for RPM packages in Amazon Linux #5887
• identify jar files by file names only for GAV from required version #5627
• bug(pom): remove excluded deps from upper pom's #5827
• improve AVD-AWS-0057 rule for S3 #5114
• bug(misconf): False Positive detection for AVD-AWS-0028 #5793
• feat(misconf): Improve AVD-DIG-0002 for enforce-https #5111
• bug(cloudformation): Trivy sometimes fails to recognise string interpretations of Boolean values #5802