v0.42.0

[aqua-bot]

🚀 What's new? 🚀

🔄 Convert JSON reports into different formats 📄

Trivy now includes a new subcommand to convert JSON reports into different formats. This feature allows users to transform the output of their security scans to meet their specific needs.

$ trivy image -f json -o result.json --list-all-pkgs debian:11
$ trivy convert --format cyclonedx --output result.cdx result.json

Note: JSON results in Kubernetes and AWS scanning are not yet supported.

See here for the detail.

📦 Show digests for OS packages 📝

Trivy has added support for digests of OS packages such as apk, dpkg and rpm. This enhancement also includes the addition of the digest to SBOM, CycloneDX and SPDX.

$ trivy image --format cyclonedx alpine:3.17 | jq '.components[0]' | head -n 10
...

{
  "bom-ref": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.3",
  "type": "library",
  "name": "alpine-baselayout",
  "version": "3.4.0-r0",
  "hashes": [
    {
      "alg": "SHA-1",
      "content": "fde5df99b613d565de9c54aa2a3ae86322bce0d1"
    }

🎛️ Specify which image sources(s) to use 🖥️

When scanning a container image (with trivy image command), Trivy will look for the image in the following order: Docker Engine, Containerd, Podman, and finally pull from registry. The new --image-src allows users to override the search order:

$ trivy image alpine:3.7.3 # default behavior
$ trivy image --image-src=podman,containerd alpine:3.7.3 # tries only podman, containerd in the specified order

See here for the detail.

Thanks to @pmengelbert for this contribution!

🎯 Support for referencing an input image by digest 📌

Trivy now supports referencing a local OCI image using the digest of its manifest.

$ trivy image --input alpine@sha256:56ae38f2f5c54b98311b8b2463d4861368c451ac17098f4227d84946b42ab96d

Thanks to @laurentiuNiculae for this contribution!

🂱 Support for Terraform Plan files 🥽

Trivy now supports scanning Terraform plan files

$ tree
.
└── tfplan.json

$ trivy config .

2023-05-31T17:36:49.180-0600    INFO    Misconfiguration scanning is enabled
2023-05-31T17:36:49.651-0600    INFO    Detected config files: 1

main.tf (terraformplan)
=======================
Tests: 7 (SUCCESSES: 3, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 0)

<snip>

You can read more on this here.

📦 Support duplicate Dockerfile stage names 〄

It is now possible to supply a Dockerfile with stages that are not unique. For example:

FROM foo
CMD bar
FROM foo
ENTRYPOINT zzz

Misc

• Support for pnpm Lockfile v6
• Support for npm local modules

👷‍♂️ Notable Fixes 🛠️

• Don't fail Trivy scanning when a single rego check errors feat: trivy should not fail if one rego policy fails #4183
• Fix pnpm scanning fix(nodejs): update logic for parsing pnpm lock files #4502

[visit1985]

@knqyf263 There seems to be something wrong with the rhel7 repo metadata. Checksums for the latest release do not match, and the location element in the primary db contains the wrong prefix "v0.42.0" for all previous releases.

[afdesk]

@visit1985 thanks for the report!
we'are fixing it right now.

[afdesk]

@visit1985 now we fixed metadata for v0.42.0.
could you confirm that it works for you?

[visit1985]

Yes, it works. Thanks for the quick reaction.

# yum --enablerepo=trivy clean metadata
# yum -y reinstall trivy
.
.
.
Installed:
  trivy.x86_64 0:0.42.0-1