Merge branch 'main' of github.com:DmitriyLewen/trivy into feat-conan/…

…license

.github/workflows/auto-update-labels.yaml

@@ -20,7 +20,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 

.github/workflows/canary.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/reusable-release.yaml

@@ -121,7 +121,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/test.yaml

@@ -57,7 +57,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
           aqua_opts: ""
@@ -87,7 +87,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -116,7 +116,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -136,7 +136,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -166,7 +166,7 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
       - name: Run vm integration tests

.golangci.yaml

@@ -88,12 +88,14 @@ linters:
     - gocritic
 
 run:
-  go: '1.21'
+  go: '1.22'
   skip-files:
     - ".*_mock.go$"
     - ".*_test.go$"
     - "integration/*"
     - "examples/*"
+  skip-dirs:
+    - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
 
 issues:
   exclude-rules:

Dockerfile.protoc

@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.21
+FROM --platform=linux/amd64 golang:1.22
 
 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

aqua.yaml

@@ -5,6 +5,6 @@ registries:
 - type: standard
   ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
 packages:
-- name: tinygo-org/tinygo@v0.29.0
+- name: tinygo-org/tinygo@v0.31.1
 - name: WebAssembly/binaryen@version_112
 - name: magefile/mage@v1.14.0

cmd/trivy/main.go

@@ -15,7 +15,7 @@ import (
 
 func main() {
 	if err := run(); err != nil {
-		log.Fatal(err)
+		log.Fatal("Fatal error", log.Err(err))
 	}
 }
 

contrib/gitlab.tpl

@@ -73,8 +73,11 @@
 	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
           "type": "cve",
           "name": "{{ .VulnerabilityID }}",
-          "value": "{{ .VulnerabilityID }}",
+          "value": "{{ .VulnerabilityID }}"
+          {{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
+          {{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
           "url": "{{ .PrimaryURL }}"
+          {{- end }}
         }
       ],
       "links": [
@@ -85,9 +88,13 @@
         {{- else -}}
           ,
         {{- end -}}
+        {{- if . | regexMatch "^(https?|ftp)://.+" -}}
         {
-          "url": "{{ regexFind "[^ ]+" . }}"
+          "url": "{{ . }}"
         }
+        {{- else -}}
+          {{- $l_first = true }}
+        {{- end -}}
         {{- end }}
       ]
     }

docs/docs/advanced/air-gap.md

@@ -137,6 +137,6 @@ $ trivy conf --skip-policy-update /path/to/conf
 ```
 
 [allowlist]: ../references/troubleshooting.md
-[oras]: https://oras.land/cli/
+[oras]: https://oras.land/docs/installation
 
 [^1]: This is only required to scan `jar` files. More information about `Java index db` [here](../coverage/language/java.md)

docs/docs/configuration/reporting.md

@@ -63,6 +63,7 @@ The following languages are currently supported:
 | Go       | [go.mod][go-mod]                           |
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
+|          | [*gradle.lockfile][gradle-lockfile]        |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -445,5 +446,6 @@ $ trivy convert --format table --severity CRITICAL result.json
 [go-mod]: ../coverage/language/golang.md#go-modules
 [composer-lock]: ../coverage/language/php.md#composer
 [pom-xml]: ../coverage/language/java.md#pomxml
+[gradle-lockfile]: ../coverage/language/java.md#gradlelock
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries

docs/docs/coverage/iac/index.md

@@ -8,14 +8,15 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 ## Supported configurations
 
-| Config type                         | File patterns                 |
-|-------------------------------------|-------------------------------|
-| [Kubernetes](kubernetes.md)         | *.yml, *.yaml, *.json         |
-| [Docker](docker.md)                 | Dockerfile, Containerfile     |
-| [Terraform](terraform.md)           | *.tf, *.tf.json, *.tfvars,    |
-| [CloudFormation](cloudformation.md) | *.yml, *.yaml, *.json         |
-| [Azure ARM Template](azure-arm.md)  | *.json                        |
-| [Helm](helm.md)                     | *.yaml, *.tpl, *.tar.gz, etc. |
+| Config type                         | File patterns                                 |
+|-------------------------------------|-----------------------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
+| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
+| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md

docs/docs/coverage/language/java.md

@@ -3,19 +3,19 @@ Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*
 
 Each artifact supports the following scanners:
 
-| Artifact         | SBOM  | Vulnerability | License |
-| ---------------- | :---: | :-----------: | :-----: |
-| JAR/WAR/PAR/EAR  |   ✓   |       ✓       |    -    |
-| pom.xml          |   ✓   |       ✓       |    ✓    |
-| *gradle.lockfile |   ✓   |       ✓       |    -    |
+| Artifact         | SBOM | Vulnerability | License |
+|------------------|:----:|:-------------:|:-------:|
+| JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
+| pom.xml          |  ✓   |       ✓       |    ✓    |
+| *gradle.lockfile |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
 | Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
 |------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
 | pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |    ✓     |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -64,18 +64,32 @@ If you need to show them, use the `--include-dev-deps` flag.
 
 
 ## Gradle.lock
-`gradle.lock` files contain all necessary information about used dependencies.
-Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
-It doesn't require the internet access.
+`gradle.lock` files only contain information about used dependencies.
+
+!!!note
+    All necessary files are checked locally. Gradle file scanning doesn't require internet access.
+
+### Dependency-tree
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+Trivy finds child dependencies from `*.pom` files in the cache[^8] directory.
+
+But there is no reliable way to determine direct dependencies (even using other files).
+Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
+
+### Licenses
+Trity also can detect licenses for dependencies.
+
+Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 
-[^1]: https://github.com/aquasecurity/trivy-java-db
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
 [^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
+[^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html

docs/docs/references/configuration/cli/trivy.md

@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
-* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

docs/docs/references/configuration/cli/trivy_aws.md

@@ -76,6 +76,8 @@ trivy aws [flags]
       --endpoint string                   AWS Endpoint override
       --exit-code int                     specify exit code when any security issues are found
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_config.md

@@ -20,6 +20,8 @@ trivy config [flags] DIR
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -35,6 +35,8 @@ trivy filesystem [flags] PATH
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_image.md

@@ -51,6 +51,8 @@ trivy image [flags] IMAGE_NAME
       --exit-on-eol int                   exit with the specified code when the OS reaches end of service/life
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -46,6 +46,8 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg:
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,cyclonedx) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)

docs/docs/references/configuration/cli/trivy_repository.md

@@ -35,6 +35,8 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --exit-code int                     specify exit code when any security issues are found
       --file-patterns strings             specify config file patterns
   -f, --format string                     format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+      --helm-api-versions strings         Available API versions used for Capabilities.APIVersions. This flag is the same as the api-versions flag of the helm template command. (can specify multiple or separate values with commas: policy/v1/PodDisruptionBudget,apps/v1/Deployment)
+      --helm-kube-version string          Kubernetes version used for Capabilities.KubeVersion. This flag is the same as the kube-version flag of the helm template command.
       --helm-set strings                  specify Helm values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)
       --helm-set-file strings             specify Helm values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
       --helm-set-string strings           specify Helm string values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)