Prepare for v0.52.0

[knqyf263]

Draft to collaborate on v0.52.0 release announcement

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🔌 Plugin Index 🔍
  • 🔕 Advanced VEX Relationship Support 👪
  • 🧩 Julia Language Support 🪼
  • 📦 pnpm lockfile v9 support 🔍
  • 🐍 Support for Line Numbers for requirements.txt files📍
  • 🐍 Support for License Detection for requirements.txt Files ✨
  • 🧀 Added support for modules from OpenTofu registry👨🏼‍⚖️
  • 📎Support for symlinks inside Helm archives 📕
  • 🍎 Support for deprecating misconfiguration checks 🙇‍♂️
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🔌 Plugin Index 🔍

The plugin index is now available. Users can discover, install, and manage Trivy plugins from the central index.

Usage:

1. Update plugin index:
   $ trivy plugin update

2. Search for plugins:
   $ trivy plugin search

3. Install a plugin:
   $ trivy plugin install [PLUGIN_NAME]

4. Use the installed plugin:
   $ trivy [PLUGIN_NAME] --help

5. Upgrade plugins:
   $ trivy plugin upgrade

6. Uninstall a plugin:
   $ trivy plugin uninstall [PLUGIN_NAME]

Anyone can easily create a plugin and publish it via the index.
See here for more details.

🔕 Advanced VEX Relationship Support 👪

Trivy has enhanced its VEX support by improving the handling of subcomponents in OpenVEX and relationships in CSAF. This feature allows for more granularly filtering of scan results by excluding vulnerabilities for specific packages or modules within a larger component.

Previously, support for subcomponents and relationships was limited. With this new version, Trivy can more effectively utilize VEX documents during scans. By internally constructing a dependency tree and applying VEX relationships to it, Trivy enables more accurate and granular vulnerability filtering.

For example, you can now apply a VEX document that addresses vulnerabilities in a Go binary and its dependent modules to a container image.

$ cat coredns.openvex
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
  "author": "Aqua Security",
  "timestamp": "2024-05-30T19:07:16.853479631-06:00",
  "version": 1,
  "statements": [
    {
      "vulnerability": {"name": "CVE-2024-22189"},
      "products": [
        {
          "@id": "pkg:golang/github.com/coredns/coredns",
          "subcomponents": [
            { "@id": "pkg:golang/github.com/quic-go/quic-go" }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

$ trivy image coredns/coredns:1.11.1 --vex ./coredns.openvex --show-suppressed

Suppressed Vulnerabilities (Total: 1)
=====================================
┌────────────────────────────┬────────────────┬──────────┬──────────────┬─────────────────────────────────────┬─────────┐
│          Library           │ Vulnerability  │ Severity │    Status    │              Statement              │ Source  │
├────────────────────────────┼────────────────┼──────────┼──────────────┼─────────────────────────────────────┼─────────┤
│ github.com/quic-go/quic-go │ CVE-2024-22189 │ HIGH     │ not_affected │ vulnerable_code_not_in_execute_path │ OpenVEX │
└────────────────────────────┴────────────────┴──────────┴──────────────┴─────────────────────────────────────┴─────────┘

This example applies a VEX statement suppressing the vulnerability CVE-2024-22189 in the github.com/quic-go/quic-go Go module, which is a dependency of the github.com/coredns/coredns Go module, to the coredns/coredns:1.11.1 container image. This VEX document can be re-used when scanning other container images.

Note: This is just an example, and the VEX statement mentioned is not actually valid.

See here for more details.

🧩 Julia Language Support 🪼

This version introduces support for analyzing Julia language projects, enabling the generation of SBOMs for Julia dependencies. Note that vulnerability scanning is not supported.

See here for more details.

Thanks to @Octogonapus

📦 pnpm lockfile v9 support 🔍

Trivy now supports pnpm lockfile v9. This enhancement allows you to correctly scan lock files of any version of pnpm as of today.

🐍 Support for Line Numbers for requirements.txt files📍

Trivy now supports line numbers for dependencies in requirements.txt files.

Example:

{
  ...
  "Results": [
    {
      "Target": "requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Packages": [
        {
          "Name": "Flask",
          "Identifier": {
            "PURL": "pkg:pypi/[email protected]",
            "UID": "bc43fff99d65fcc6"
          },
          "Version": "2.3.3",
          "Layer": {},
          "Locations": [
            {
              "StartLine": 3,
              "EndLine": 3
            }
          ]
        }
      ]
    }
  ]
}

🐍 Support for License Detection for requirements.txt Files ✨

Trivy now supports license detection for requirements.txt files by parsing METADATA files in site-packages directory.
To detect site-packages directory, Trivy uses venv or path to the Python binary.

Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬─────────────┬────────────────┬──────────┐
│ Package │   License   │ Classification │ Severity │
├─────────┼─────────────┼────────────────┼──────────┤
│ Flask   │ BSD License │ Non Standard   │ UNKNOWN  │
└─────────┴─────────────┴────────────────┴──────────┘

Read more here.

🧀 Added support for modules from OpenTofu registry👨🏼‍⚖️

Trivy is now able to resolve any Terraform modules from an OpenTofu compatible registry.

$ cat main.tf
module "bucket" {
  source  = "registry.opentofu.org/terraform-aws-modules/s3-bucket/aws"
  version = "= 4.1.2"
}

$ trivy conf . -d
....
2024-05-22T13:38:58+07:00       DEBUG   [misconf] 38:58.632363000 terraform.parser.<root>.evaluator.resolver Resolving module 'module.bucket' with source: 'registry.opentofu.org/terraform-aws-modules/s3-bucket/aws'...
2024-05-22T13:38:58+07:00       DEBUG   [misconf] 38:58.632389000 terraform.parser.<root>.evaluator.resolver Trying to resolve: cc0c14b7c898f35f408c748e32f7784c
2024-05-22T13:38:58+07:00       DEBUG   [misconf] 38:58.632409000 terraform.parser.<root>.evaluator.resolver no token was found for the registry at registry.opentofu.org
2024-05-22T13:38:58+07:00       DEBUG   [misconf] 38:58.632412000 terraform.parser.<root>.evaluator.resolver Requesting module versions from registry using 'https://registry.opentofu.org/v1/modules/terraform-aws-modules/s3-bucket/aws/versions'...
2024-05-22T13:38:59+07:00       DEBUG   [misconf] 38:59.692377000 terraform.parser.<root>.evaluator.resolver Found version '4.1.2' for constraint '= 4.1.2'
2024-05-22T13:38:59+07:00       DEBUG   [misconf] 38:59.692447000 terraform.parser.<root>.evaluator.resolver Requesting module source from registry using 'https://registry.opentofu.org/v1/modules/terraform-aws-modules/s3-bucket/aws/4.1.2/download'...
....

📎Support for symlinks inside Helm archives 📕

Trivy can now properly scan any symlinks that might be present within archives. One example of this is the presence of symlinks within a Helm archive.

🍎 Support for deprecating misconfiguration checks 🙇‍♂️

We've now added the ability in checks to be deprecated as and when they are no longer relevant. By default now Trivy will ignore any checks that are marked as deprecated but if you still wish to include them for any reason, you can do so by passing in the --include-deprecated-checks flag. A custom check can also be deprecated, see an example below

# METADATA
# title: i am a deprecated check
# description: i am a description
# related_resources:
# - https://google.com
# custom:
#   id: EG123
#   avd_id: AVD-EG-0123
#   severity: LOW
#   recommended_action: have a cup of tea
#   deprecated: true
package defsec.test
deny {
  input.text
}

👷‍♂️ Notable Fixes 🛠️

• fix(checks): AVD-DS-0015 FP about yum clean all missed #6776
• bug(misconf): terraform local cache is ignored #6603
• feat(terraform): support for VPC resources for inbound and outbound rules #6764
• Report is not empty even if there are no findings #6351
• bug(conda): pip dependencies are not supported in new Conda integration #6659
• bug(gobinary): incorrect ldflags parsing when version part has prefix #6702
• bug(gobinaries): empty Package for gobinaries without main information #6709
• fix(pip): Validate package names and versions #6750
• segmentation violation when running trivy in convert mode #6780