Prepare for v0.58.0

[simar7]

Draft to collaborate on v0.58.0

📑 Table of Contents

• 💔 Breaking Changes 💔
  • 🥜 Removal of Go Checks 🐿️
  • 🎐 Deprecation of some Rego options for IaC scanning 🪢
• 🚀 What's new? 🚀
  • 🦎 Aligned SUSE and OpenSUSE OS Identifiers ⚙️
  • 🧮 flavors support for Oracle Linux 🔢
  • 🌌 New workspace relationship 🌕
  • 🐬 Improved Terraform cause logging output 🏂
  • 🦒 Better handling of CloudFormation templates 🐃
  • 🤫 Packagist tokens support 🥷

💔 Breaking Changes 💔

🥜 Removal of Go Checks 🐿️

As previously announced here we've already migrated all Go checks to Rego and there's no longer a need to keep the Go checks. As a result they will be removed in this release. Please note that this does not impact any functionality in terms of coverage of checks as all checks have already been re-written in Rego and are being using in Trivy since the v0.56.0 release.

🎐 Deprecation of some Rego options for IaC scanning 🪢

As announced here we will be deprecating certain Rego options for misconfiguration scanning.

🚀 What's new? 🚀

🦎 Aligned SUSE and OpenSUSE OS Identifiers ⚙️

This update aligns SUSE and OpenSUSE OS identifiers with their respective /etc/os-release values. SUSE systems now use shorter names like sles and slem to match the content in the ID field, while OpenSUSE identifiers replace dots with dashes for consistency. For more details, please refer to the discussion here.

Thanks to @josegomezr.

🧮 flavors support for Oracle Linux 🔢

Starting from this version Trivy distinguishes and selects fixed version only for same flavor of package for Oracle Linux.
See #1967 (comment) for more details.

Big thanks to @bpfoster for helping and working on this task!

🌌 New workspace relationship 🌕

We've added a new workspace relationship (you can see the package relationship in json format using the --list-all-pkgs flag).
Trivy currently only marks maven modules as workspace.
We'll expand this list in future versions.

🐬 Improved Terraform cause logging output 🏂

Previously, it was difficult to figure out any parsing errors while scanning Terraform HCL. With this release, it is now possible to exactly see where the parser throws an error (if any), thereby helping users to know if there's any invalid HCL that is being scanned.

❯ cat main.tf
resource "aws-s3-bucket" "name" {
  bucket = <
}%

❯ ./trivy conf main.tf -d
...
2024-10-02T15:56:47+06:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2024-10-02T15:56:47+06:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2024-10-02T15:56:47+06:00       ERROR   [terraform parser] Error parsing file   module="root" file_path="main.tf" cause="  bucket = <" err="main.tf:2,12-13: Invalid expression; Expected the start of an expression, but found an invalid expression token."
...

🦒 Better handling of CloudFormation templates 🐃

Trivy now properly handles CloudFormation templates that have null properties in them. For example:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  TestBucket:
    Type: "AWS::S3::Bucket"
    Properties:
      BucketName:

Will now be properly scanned instead of erroring out.

🤫Packagist tokens support 🥷

Trivy detects Packagist tokens now.

Thanks @nicwortel

👷‍♂️ Notable Fixes 🛠️

• bug(cli): Don't error out on empty trivy config yaml file #7934
• fix(misconf): check only clusters in AVD-AWS-0343 #7899
• fix(misconf): do not erase variable type for child modules #7936
• fix(checks): Improve AVD-DS-0005 logic #7806 Thanks @nicwortel
• bug(os): apline removed packages don't have UID #7886
• bug(sarif): we need to handle schema for URI's for misconfig  #7897
• bug(redhat): we don't need to return error if redhat image doesn't contain content_sets  #7911
• bug(java): dependOn contains extra dependencies for pom.xml files with modules when using SBOM formats #7802