Skip to content

Releases: future-architect/vuls

v0.28.1

18 Dec 16:56
b0c5dec
Compare
Choose a tag to compare

What's Changed

  • feat(config/os): update eol by @MaineK00n in #2085
  • fix(detector/gost/ubuntu): detection logic when esm etc. are mixed by @MaineK00n in #2090
  • chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.1 to 0.9.2 by @dependabot in #2089
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.70.0 to 1.71.0 in the aws group by @dependabot in #2078
  • chore(deps): bump golang.org/x/sync from 0.9.0 to 0.10.0 by @dependabot in #2080
  • chore(deps): bump golang.org/x/crypto from 0.28.0 to 0.31.0 by @dependabot in #2088
  • chore(deps): bump golang.org/x/text from 0.20.0 to 0.21.0 by @dependabot in #2081
  • fix(scanner/redhatbase): don't return error when parse failure of source file by @shino in #2092
  • fix(scanner/suse): skip table header in zypper -q lu by @MaineK00n in #2093

Full Changelog: v0.28.0...v0.28.1

v0.28.0

08 Dec 08:38
703ba66
Compare
Choose a tag to compare

What's Changed

  • feat(contrib/snmp2cpe): add --port/-P option by @MaineK00n in #2046
  • feat(scanner/windows): support Windows 11 24H2 by @MaineK00n in #2051
  • fix(gost/windows): ignore other products that do not have KBs by @MaineK00n in #2054
  • chore(deps): bump github.com/aquasecurity/trivy from 0.56.1 to 0.56.2 by @dependabot in #2049
  • chore(deps): bump the aws group across 1 directory with 5 updates by @dependabot in #2052
  • feat(ubuntu): add 24.10 oracular by @MaineK00n in #2055
  • chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 by @dependabot in #2058
  • chore(deps): bump github.com/aquasecurity/trivy from 0.56.2 to 0.57.0 by @dependabot in #2057
  • chore(deps): bump the aws group across 1 directory with 5 updates by @dependabot in #2060
  • feat(scanner/windows): add Windows Server 2025 and 2022, 23H2 by @MaineK00n in #2059
  • feat(oval/oracle): ignore fips patched version for non fips package versions by @wagde-orca in #2047
  • chore(deps): bump golang.org/x/text from 0.19.0 to 0.20.0 by @dependabot in #2061
  • chore(deps): bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 by @dependabot in #2063
  • fix(scanner/debian): fill kernel version from kernel package by @MaineK00n in #2064
  • feat(scanner): skip SSH configuration validation when ssh-key(scan|gen) failed by @MaineK00n in #2065
  • chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob from 1.4.1 to 1.5.0 by @dependabot in #2068
  • chore(deps): bump the aws group across 1 directory with 5 updates by @dependabot in #2069
  • chore(deps): bump github.com/aquasecurity/trivy from 0.57.0 to 0.57.1 by @dependabot in #2067
  • refactor: remove old buildtag by @MaineK00n in #2072
  • feat!(scanner/rpm): change queryformat (add sourcerpm) by @MaineK00n in #2074
  • chore(deps): bump the aws group with 5 updates by @dependabot in #2073

Full Changelog: v0.27.0...v0.28.0

v0.27.0

09 Oct 02:53
087b620
Compare
Choose a tag to compare

Changelog

  • 087b620 chore(deps): bump github.com/aquasecurity/trivy from 0.55.2 to 0.56.1 (#2044)
  • 7c749ea chore(deps): bump the aws group with 5 updates (#2043)
  • 939299b chore(deps): bump golang.org/x/text from 0.18.0 to 0.19.0 (#2045)
  • 3dd738d feat(detector/microsoft): set WindowsRoughMatch if KB or Version to be fixed is unknown (#2041)
  • 80e417b refactor: use std slices, maps package (#2042)
  • d5982a2 chore(deps): bump dictionary versions to latest ones (#2040)
  • 0e21ce2 fix(detector/cpe): do not overwrite distro advisories (#2039)
  • efa2900 chore(deps): bump the aws group with 4 updates (#2038)
  • e6c0da6 fix!(alpine): use source package for detection (#2037)
  • 98cbe6e build: update go to 1.23 (#2032)
  • 2944887 chore(deps): bump github.com/aquasecurity/trivy from 0.55.1 to 0.55.2 (#2030)
  • 1bdf139 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob (#2029)
  • ba2796f chore(deps): bump the aws group with 5 updates (#2028)
  • f00ac85 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.1 (#2026)
  • 8889335 chore(deps): bump github.com/open-policy-agent/opa from 0.67.1 to 0.68.0 (#2027)
  • 1a54673 feat(oval/suse): skip comparing TDC package and non-TDC package (#2025)
  • e776be1 chore(deps): bump github.com/aquasecurity/trivy from 0.54.1 to 0.55.1 (#2022)
  • ff1ac6d chore(deps): bump the aws group with 5 updates (#2020)
  • 47bd2f1 chore(deps): bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 (#2023)
  • 61359db chore(deps): bump golang.org/x/text from 0.17.0 to 0.18.0 (#2021)
  • 192e017 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#2015)
  • e049df5 feat!(models): add vulncheck kev (#2014)
  • dce8379 chore(deps): bump the aws group across 1 directory with 5 updates (#2013)
  • 6d9c6c4 chore(deps): bump github.com/samber/lo from 1.46.0 to 1.47.0 (#2008)
  • 2cb2f36 chore(deps): bump go.etcd.io/bbolt from 1.3.10 to 1.3.11 (#2012)
  • 3d01ed8 feat(models): add new cveContentType trivy:azure (#2006)
  • 5858b0a chore(deps): bump github.com/gosnmp/gosnmp from 1.37.0 to 1.38.0 (#2005)
  • 8eca96f chore(deps): bump golang.org/x/text from 0.16.0 to 0.17.0 (#2004)
  • 6425193 fix(detect/oracle): handle ksplice advisories (#2003)
  • f14ca86 feat(trivy): support CVSS v4.0 (#1980)
  • b2d4eaf chore(deps): bump golang.org/x/sync from 0.7.0 to 0.8.0 (#2002)
  • 46758ee chore(deps): bump github.com/aquasecurity/trivy from 0.53.0 to 0.54.1 (#2000)
  • 733fbf5 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#1999)
  • 369837f chore(deps): bump golang.org/x/oauth2 from 0.21.0 to 0.22.0 (#2001)
  • c3d21ea docs: correct ubuntu oval link (#1997)
  • 6c4af01 chore(deps): bump github.com/docker/docker (#1995)
  • f6aee5a chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/storage/azblob (#1994)
  • 25b15e8 chore(deps): bump the aws group with 2 updates (#1993)
  • f31cf23 chore(deps): bump github.com/samber/lo from 1.44.0 to 1.46.0 (#1992)
  • ed0d1b8 chore(deps): bump github.com/emersion/go-smtp from 0.21.2 to 0.21.3 (#1991)
  • 24ae273 chore(deps): bump the aws group with 5 updates (#1990)
  • ab62467 chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#1988)
  • a00fe47 chore(deps): bump the aws group with 3 updates (#1987)
  • d4f7550 chore(deps): bump github.com/aquasecurity/trivy from 0.52.2 to 0.53.0 (#1984)
  • 1333f3a fix(scanner/suse): skip new line in zyper -q lu (#1986)
  • ac55380 chore(deps): bump github.com/samber/lo from 1.39.0 to 1.44.0 (#1985)
  • 109891e chore(deps): bump goreleaser/goreleaser-action from 5 to 6 (#1981)
  • 4633c04 chore(deps): bump the aws group with 5 updates (#1983)
  • 5db0fdb chore(deps): bump docker/build-push-action from 5 to 6 (#1982)
  • a76302c feat(cve/nvd): support CVSS v4.0 (#1979)
  • d8173cd feat(cve/mitre): support go-cve-dictionary:mitre (#1978)
  • 9beb5fc chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#1976)
  • 0b4dfa0 chore(deps): bump the aws group with 5 updates (#1974)
  • 0a47a26 chore(deps): update goval-dictionary (#1973)

v0.26.0

24 Jun 07:48
86d3681
Compare
Choose a tag to compare

What's Changed

Misc changes

  • chore(deps): bump github.com/package-url/packageurl-go from 0.1.2 to 0.1.3 by @dependabot in #1927
  • chore(deps): bump github.com/aquasecurity/trivy from 0.51.1 to 0.51.2 by @dependabot in #1928
  • chore(deps): use aws-sdk-go-v2 by @MaineK00n in #1922
  • chore(deps): bump github.com/aws/aws-sdk-go from 1.53.0 to 1.53.9 by @dependabot in #1934
  • chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.15 to 1.17.16 by @dependabot in #1936
  • chore(deps): bump docker/login-action from 2 to 3 by @dependabot in #1942
  • chore(deps): bump goreleaser/goreleaser-action from 4 to 5 by @dependabot in #1943
  • chore(deps): bump actions/checkout from 3 to 4 by @dependabot in #1944
  • chore(deps): bump docker/build-push-action from 2 to 5 by @dependabot in #1945
  • chore(deps): bump the aws group with 2 updates by @dependabot in #1947
  • chore(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0 by @dependabot in #1948
  • chore(deps): bump actions/setup-go from 3 to 5 by @dependabot in #1946
  • chore(deps): bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0 by @dependabot in #1949
  • chore(deps): use github.com/Azure/azure-sdk-for-go/sdk/storage/azblob by @MaineK00n in #1661
  • chore(deps): bump github.com/aquasecurity/trivy from 0.51.2 to 0.51.4 by @dependabot in #1938
  • chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #1951
  • chore(deps): bump golangci/golangci-lint-action from 3 to 6 by @dependabot in #1952
  • chore(deps): bump docker/metadata-action from 4 to 5 by @dependabot in #1953
  • chore(deps): bump docker/setup-qemu-action from 2 to 3 by @dependabot in #1954
  • chore(deps): bump docker/setup-buildx-action from 2 to 3 by @dependabot in #1955
  • chore(deps): bump the aws group with 5 updates by @dependabot in #1958
  • chore(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in #1959
  • chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.8.0 to 0.9.0 by @dependabot in #1960
  • chore(deps): bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 by @dependabot in #1962
  • chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 by @dependabot in #1964
  • chore(deps): bump github.com/aquasecurity/trivy from 0.51.4 to 0.52.1 by @dependabot in #1961
  • chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #1970
  • chore(deps): bump github.com/aquasecurity/trivy from 0.52.1 to 0.52.2 by @dependabot in #1969

Full Changelog: v0.25.4...v0.26.0

v0.26.0-rc2

09 Jun 04:07
cb26be1
Compare
Choose a tag to compare
v0.26.0-rc2 Pre-release
Pre-release

Changelog

  • cb26be1 fix(ci): Remove unused files to avoid disk full (#1957)
  • e1fab80 fix(debian,ubuntu): collect running kernel source package (#1935)
  • 5af1a22 fix(redhat-based): collect running kernel packages (#1950)
  • 0533069 chore(deps): bump docker/setup-buildx-action from 2 to 3 (#1955)
  • 3e1f2bc chore(deps): bump docker/setup-qemu-action from 2 to 3 (#1954)
  • 368c496 chore(deps): bump docker/metadata-action from 4 to 5 (#1953)
  • a99e3af chore(deps): bump golangci/golangci-lint-action from 3 to 6 (#1952)
  • 1769107 chore(deps): bump github/codeql-action from 2 to 3 (#1951)
  • 2e5884b chore(deps): bump github.com/aquasecurity/trivy from 0.51.2 to 0.51.4 (#1938)
  • cc9734d chore(deps): use github.com/Azure/azure-sdk-for-go/sdk/storage/azblob (#1661)
  • 227208b chore(deps): bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0 (#1949)
  • 949d72d chore(deps): bump actions/setup-go from 3 to 5 (#1946)
  • 2f02918 chore(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0 (#1948)
  • 7391718 chore(deps): bump the aws group with 2 updates (#1947)
  • 980c1ff chore(deps): bump docker/build-push-action from 2 to 5 (#1945)
  • 58bb6c7 chore(deps): bump actions/checkout from 3 to 4 (#1944)
  • 977fe0c chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#1943)
  • 474c76e chore(deps): bump docker/login-action from 2 to 3 (#1942)
  • 5116a6a feat(ci): group aws-sdk-go-v2 updates, check github actions update (#1941)
  • 8449f2e chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials (#1936)
  • db2c502 feat(reporter/s3): support minio (#1930)
  • 337eb0b chore(deps): bump github.com/aws/aws-sdk-go from 1.53.0 to 1.53.9 (#1934)
  • d8bce94 chore(deps): use aws-sdk-go-v2 (#1922)
  • 9107d1b chore(deps): bump github.com/aquasecurity/trivy from 0.51.1 to 0.51.2 (#1928)
  • 407407d fix(contrib/trivy-to-vuls): remove cvss/severity duplicates, list all severities (#1929)
  • dccdd8a chore(deps): bump github.com/package-url/packageurl-go from 0.1.2 to 0.1.3 (#1927)

v0.25.4

21 May 01:54
878c25b
Compare
Choose a tag to compare

This release includes a bug fix and a few additional features.

New feature

  • Now modularity label is added in the scan result for Red Hat like OSes
  • Vendor severity and every CVSS information are added to cveContents
    • This fixed #1919
    • Both detector and trivy-to-vuls command are changed in similar way
    • feat(detector, contrib/trivy-to-vuls): collect vendor severity and cvss by @MaineK00n in #1921

(Potential) Incompatibilities

  • enabledDnfModules element no more exists in scanner results
  • In elements in cveContents originated from trivy, type fields are changed from trivy to trivy:nvd / trivy:ghsa etc.

Bug fixes

  • fix(gost/debian): show all severities that appeared by @MaineK00n in #1914

Misc Changes

  • chore(deps): bump github.com/emersion/go-smtp from 0.21.1 to 0.21.2 by @dependabot in #1918
  • chore(deps): bump github.com/aquasecurity/trivy from 0.50.1 to 0.51.1 by @dependabot in #1912

Full Changelog: v0.25.3...v0.25.4

v0.25.3

10 May 10:04
ef2be3d
Compare
Choose a tag to compare

This release includes recently released Ubuntu 24.04 support, some additional features, and several bug fixes.
We strongly recommend update to this version for Red Hat-like distribution users.
Watch out corresponding goval-dictionary and gost updates!

New feature

  • Ubuntu 24.04 support comes in
  • TLS insecure flag is added for SMTP notification

(Potential) Incompatibilities

  • Use new gost for Ubuntu 24.04 support (#1878)
  • Use new goval-dictionary for detection on Red Hat-like distributions (#1907)

Bug fixes

  • For Red Hat-like distributions, there were false-positives and false negatives in detection results
    • See #1906 for details
    • Now fixed by the PR: feat(detect/redhat): detect unpatched vulnerabilities with oval, stop using gost by @MaineK00n in #1907
  • style(log) config.toml template docs url by @future-ryunosuketanai in #1894
  • style: fix some typos in comments by @deferdeter in #1897
  • (fix) Exclude dev dependencies from npm's package-lock.json and Fix Java DB download endpoint by @shino in #1893
  • fix(detector/suse): support when advisory.cves has both NVD and SUSE evaluations by @MaineK00n in #1899
  • style(log) fix trivy docs link by @future-ryunosuketanai in #1902

Misc Changes

  • chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 by @dependabot in #1903
  • chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1898
  • chore(deps): bump github.com/emersion/go-smtp from 0.20.2 to 0.21.0 by @dependabot in #1888
  • chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 by @dependabot in #1891
  • chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 by @dependabot in #1890
  • chore(deps): bump github.com/emersion/go-smtp from 0.21.0 to 0.21.1 by @dependabot in #1896
  • chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.50.1 by @dependabot in #1885
  • chore(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10 by @dependabot in #1908
  • chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in #1909
  • chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 by @dependabot in #1910

New Contributors

Full Changelog: v0.25.2...v0.25.3

v0.25.2

22 Mar 07:59
e25ec99
Compare
Choose a tag to compare

This release includes one additional feature and some bug fixes.
If you use Amazon Linux 2023, you have to harry to update.

New feature

  • Some enterprise features of WPScan are now added to scan results.

(Potential) Incompatibilities

  • Names and Versions of JAR-like files of scan results can be overwritten at vuls result phase.
    • These values after vuls scan phase may be incorrect or insufficient because Trivy's Java DB is not used at the phase.
    • Correct them at vuls report phase with the help of Java DB.
    • 99cf9db feat(detector/library): update JAR-like files' Name/Version in library list (#1874)

Bug fixes

  • Amazon Linux 2023 have changed its release version format in /etc/amazon-linux-release
    • It causes inability of EOL detection at vuls scan phase and failure of vulnerability detection at vuls report phase.
    • No vulnerabilities are detected unless this bug fix, please update quickly if you use Amazon Linux 2023.
    • e1df74c fix(amazon): use major version for checking eol, security advisories (#1873)

Misc Changes

  • e25ec99 chore(deps): bump github.com/aws/aws-sdk-go from 1.49.21 to 1.51.5 (#1881)
  • 472df0e chore(deps): update dictionary modules (#1877)
  • 7d5a47b chore(deps): bump github.com/docker/docker (#1880)
  • 426eb53 chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.4 (#1872)
  • bda089b chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#1871)
  • 02d1f6f chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#1868)

New Contributors

Full Changelog: v0.25.1...v0.25.2

v0.25.1

11 Mar 01:40
75c1956
Compare
Choose a tag to compare

Caution

Version 0.25.0 is SKIPped. DON'T USE 0.25.0.

Highlights

  • Trivy dependency is updated, 0.35.0 to 0.49.1

    • Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly
      detected by lockfile scan, these can be auto detected (findLock = true)
    • Rust's binary can also be scanned as lockfile, but not auto detected
    • Related PRs
      • Update trivy from 0.35.0 to 0.49.1 by @shino in #1806
      • fix(detector): library.Scan move to detector by @MaineK00n in #1864
      • Avoid to use sync.Once inside trivy javadb Updater by @shino in #1859
  • Add PURL (Package URL) in scan results

(Potential) Incompatibilities

  • In previous versions, vuls did not output results when all scans had failed, now outputs results
    even when all scans failed

    • Related PRs
      • fix(scanner): output all results even if all fail by @MaineK00n in #1866
      • refactor(config): move syslogconf to config/syslog package by @MaineK00n in #1865
  • Due to Trivy dependency update (in Highlights), some of scan logic previously
    executed in vuls scan phase are moved to vuls report phase

    • If new vuls binary is used in vuls scan and older ones in vuls report, there can be
      missing vulnerabilities, don't do that
    • This only affects JAR-like lockfile scan

Misc changes

New Contributors

Full Changelog: v0.24.9...v0.25.1

v0.25.1-beta2

11 Mar 00:58
Compare
Choose a tag to compare
v0.25.1-beta2 Pre-release
Pre-release

Changelog

  • 5af3226 fix(build): Change timeout to 60 minutes