Prepare for v0.57.0

[knqyf263]

Draft to collaborate on v0.57.0

📑 Table of Contents

• 💔 Breaking Changes 💔
  • 🐾 Dropping support for "Exceptions" in misconfiguration scanning ⚠️
  • ☸ Kubernetes Pod report supports multiple containers 📦
• 🚀 What's new? 🚀
  • 🔐 New trivy registry Command for Authentication 🔑
  • 🏴󠁩󠁤󠁪󠁷󠁿 Trivy now supports trimming whitespace in pom.xml file fields 👾
  • 📜 Gitlab template supports operating_system field for OS packages ✂️
  • 🐦 Ubuntu 24.10 is now supported 🟠
  • 🔍 Show misconfig ID in table output 🏷️
  • 🌐 Handle publicNetworkAccess for Azure Storage Account 🔒
  • 🕵️‍♂️ Detect secrets leaks in Dockerfile 🐳

💔 Breaking Changes 💔

🐾 Dropping support for "Exceptions" in misconfiguration scanning ⚠️

We have previously announced intention to deprecate conftest style Exceptions. In this release we have removed Exceptions from misconfiguration scanning report.

Before

main.tf (terraform)

Tests: 8 (SUCCESSES: 0, FAILURES: 7, EXCEPTIONS: 1)
Failures: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls

After

main.tf (terraform)

Tests: 7 (SUCCESSES: 0, FAILURES: 7)
Failures: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls

NB Ignores are still listed as part of the regular log output

2024-10-23T13:46:30-06:00       INFO    [terraform executor] Ignore finding     rule="aws-s3-encryption-customer-key" range="main.tf:13-21"

☸ Kubernetes Pod report supports multiple containers 📦

This release adds support for scanning multi-container Kubernetes Pods. In order to aggregate findings from multiple containers in the same report, the Findings[].Metadata field for Pods, which used to be an object describing a single pod, has changed to an array of objects each describing a pod. See example output in the feature announcement below.

Report before change

{
  "ClusterName": "",
  "Findings": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx-fluentd-pod",
      "Metadata": {
        "OS": {
          "Family": "debian",
          "Name": "12.6"
        },
          "RepoTags": [
            "nginx:latest"
          ],
          "DiffIDs": []
      },
      "Results": [
        {
          "Target": "nginx:latest (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "Ruby",
          "Class": "lang-pkgs",
          "Type": "gemspec",
          "Packages": [],
          "Vulnerabilities": []
        }
      ]
    }
  ]
}

Report after change

{
  "ClusterName": "",
  "Findings": [
    {
      "Namespace": "default",
      "Kind": "Pod",
      "Name": "nginx-fluentd-pod",
      "Metadata": [
        {
          "OS": {
            "Family": "debian",
            "Name": "12.6"
          },
          "RepoTags": [
            "nginx:latest"
          ],
          "DiffIDs": []
        },
        {
          "OS": {
            "Family": "debian",
            "Name": "12.6"
          },
          "RepoTags": [
            "fluent/fluentd:v1.17-armhf-debian"
          ],
          "DiffIDs": []
        }
      ],
      "Results": [
        {
          "Target": "nginx:latest (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "fluent/fluentd:v1.17-armhf-debian (debian 12.6)",
          "Class": "os-pkgs",
          "Type": "debian",
          "Packages": [],
          "Vulnerabilities": []
        },
        {
          "Target": "Ruby",
          "Class": "lang-pkgs",
          "Type": "gemspec",
          "Packages": [],
          "Vulnerabilities": []
        }
      ]
    }
  ]
}

Thanks @smtan-gl

🚀 What's new? 🚀

🔐 New trivy registry Command for Authentication 🔑

This release introduces the trivy registry command, providing an alternative to docker login and docker logout for environments without container runtimes like Docker. Now, you can authenticate directly with Trivy to access private container registries.

$ cat ~/my_password.txt | trivy registry login --username foo --password-stdin ghcr.io
$ trivy image ghcr.io/your/private_image
$ trivy registry logout ghcr.io

For more details, please refer to the document

🧩 Enhanced CycloneDX Reports with File Checksums 🔗

This update enriches CycloneDX SBOMs by adding file checksums (such as SHA-1), a feature previously exclusive to SPDX reports. Now, JAR files and other relevant files in CycloneDX reports include checksums, boosting traceability and ensuring integrity verification across software components.

Thanks to @Churro for implementing this change.

🏴󠁩󠁤󠁪󠁷󠁿 Trimming whitespace in pom.xml file fields 👾

Trivy now correctly followed Maven (mnv) behavior of trimming leading and trailing whitespace for pom.xmlfields (ArtifactID, GroupID, etc).

Thanks @sgaist

📜 GitLab template supports operating_system field for OS packages ✂️

Trivy now populates the operating_system field for OS package vulnerabilities.

Thanks @aarongoldenthal

🐦 Ubuntu 24.10 is now supported 🟠

Trivy correctly detects vulnerabilities for Ubuntu 24.10.

Thanks @itsdean

🔍 Show misconfig ID in table output 🏷️

Trivy now includes misconfiguration IDs directly in the table output, making it easier to reference or ignore specific issues.

AVD-XYZ-0123 (HIGH): Oh no, a bad config.
════════════════════════════════════════
Your config file is not good.

See https://google.com/search?q=bad%20config
────────────────────────────────────────
 my-file
────────────────────────────────────────
   1   
   2 [ bad: true
   3   
────────────────────────────────────────

🌐 Handle publicNetworkAccess for Azure Storage Account 🔒

Added a check for public network access to storage accounts. By default, storage accounts allow connections from any network, potentially exposing sensitive data. This update ensures that public access is appropriately restricted where needed.

🕵️‍♂️ Detect secrets leaks in Dockerfile 🐳

Added a check for potential secrets leakage in Dockerfiles. This check is triggered in the following cases:

• Using secret environment variables in ARG or ENV instructions.

ARG GITHUB_TOKEN

• Copying secret files (e.g., AWS credentials) into the image with COPY.

ENV AWS_CONFIG_FILE=/.aws/config
COPY ./config $AWS_CONFIG_FILE

• Setting credentials via the RUN command.

RUN aws configure set aws_access_key_id test-id && \
    aws configure set aws_secret_access_key test-key

This check can accept custom environment variables:

❯ cat my-envs.yaml
ds031:
  included_envs: ["MY_SECRET"]

❯ cat Dockerfile.custom
from alpine

arg MY_SECRET

❯ trivy conf -d Dockerfile.custom --config-data my-envs.yaml
CRITICAL: Possible exposure of secret env "MY_SECRET" in ARG
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Passing secrets via `build-args` or envs or copying secret files can leak them out

See https://avd.aquasec.com/misconfig/ds031
───────────────────────────────────────────────────────────────────────────────────────────────────────────
 Dockerfile.custom:3
───────────────────────────────────────────────────────────────────────────────────────────────────────────
   3 [ arg MY_SECRET
───────────────────────────────────────────────────────────────────────────────────────────────────────────

These measures help prevent the accidental exposure of sensitive information during the build process.

👷‍♂️ Notable Fixes 🛠️

• bug(pom): wrong inheritance of version and scope from root DepManagement in parent dependencies #7539
• Incorrect using of AttributionText in SPDX output #7756
• fix(golang): do not trim v prefix from versions #7711
• fix(report): Fix invalid URI in SARIF report #7645
• fix(misconf): change default ACL of digitalocean_spaces_bucket to private #7577
• fix(misconf): check if property is not nil before conversion #7578
• fix(misconf): fix for Azure Storage Account network acls adaptation #7602
• fix(misconf): properly expand dynamic blocks #7612