v0.56.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 📦 Support for multiple DB repositories for vulnerability and Java DB ↻
  • 📜 License normalization has been greatly improved ⏫
  • 🦎 Support for SUSE Linux Enterprise Micro 🌍
  • 🎩 Support for RPM Archives 🐧
  • 🐍 Enhance secret scanning for python binary files 🛠️
  • 📝 Improve S3 server logging access detection for AVD-AWS-0089 🧹
  • 📑 Align AVD-AWS-0107 and AVD-AWS-0105 checks with AWS CIS Benchmarks 🤝🏻
  • ⛁ SslMode support for GCP SQL Database instance in AVD-GCP-0015 ⚙️
  • 🍔 --skip-dirs and --skip-files now supports nested terraform modules 🍕

🚀 What's new? 🚀

📦 Support for multiple DB repositories for vulnerability and Java DB ↻

The --db-repository and --java-db-repository flags can now take multiple values, improving reliability when downloading databases. Databases are downloaded in priority order until one is successful. An attempt to download from the next repository is only made if a temporary error is received (e.g. status 429 or 5xx).

For example, downloading the vulnerability DB from another repository when receiving error code 429:

./trivy image alpine:3.19 --db-repository "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db"
...
2024-10-01T14:00:39+06:00       INFO    [db] Need to update DB
2024-10-01T14:00:39+06:00       INFO    Downloading vulnerability DB...
2024-10-01T14:00:39+06:00       INFO    Downloading  artifact...        repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-01T14:00:41+06:00       ERROR   Failed to download artifact     repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:23d1b901e7534020d5ac5f238b090ad66dcb78afef7301ed7d8ebe6b974ab5f1: TOOMANYREQUESTS: retry-after: 1.254886ms, allowed: 44000/minute"
2024-10-01T14:00:41+06:00       INFO    Trying to download artifact from other repository...
2024-10-01T14:00:41+06:00       INFO    Downloading  artifact...        repo="public.ecr.aws/aquasecurity/trivy-db:2"
53.85 MiB / 53.85 MiB [--------------------------------------------------------------------------------------] 100.00% 1.45 MiB p/s 37s
2024-10-01T14:01:22+06:00       INFO    Artifact successfully downloaded        repo="public.ecr.aws/aquasecurity/trivy-db:2"
...

📜 License normalization has been greatly improved ⏫

Our license normalization takes into account more possible cases.
See here for more details.

Many thanks to @pbaumard.

🦎 Support for SUSE Linux Enterprise Micro 🌍

This release adds support for the SUSE Linux Enterprise Micro family, expanding Trivy's compatibility with this lightweight SUSE distribution. The update also improves how SUSE and openSUSE are handled within the package URL (purl) logic, aligning with standard expectations.

Thanks to @msmeissn for implementing this change.

🎩 Support for RPM Archives 🐧

This update introduces experimental support for scanning RPM archive files. Trivy can now analyze these archives for SBOM, expanding its utility in Red Hat-based environments. This feature is currently disabled by default but can be enabled with an environment variable, TRIVY_EXPERIMENTAL_RPM_ARCHIVE.

$ TRIVY_EXPERIMENTAL_RPM_ARCHIVE=true trivy fs ./redhat-7.9-rpms --format cyclonedx

See here for more details.

🐍 Enhance secret scanning for Python binary files 🛠️

Recent incidents have shown that certain binary files, such as .pyc files, may contain valuable information for secret detection. And now Trivy can detect secrets in compiled Python .pyc files.

$ cat main.py
secret1 = "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"
print(secret1)%

$ python3 -m compileall .

$ trivy fs --scanners secret __pycache__/
secret.cpython-310.pyc (secrets)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: GitHub (github-fine-grained-pat)
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
GitHub Fine-grained personal access tokens
──────────────────────────────────────────────────────────────────────────────────────────────────────────────

📝 Improve S3 server logging access detection for AVD-AWS-0089 🧹

The AVD-AWS-0089 check reports the need to enable logging for buckets that do not log access to the server. Previously, we only identified such buckets by Canned ACL, which could lead to false positives. Now all possible ways of granting logging access are supported:

• Bucket Policy
• Grants
• Canned ACLs

📑 Align AVD-AWS-0107 and AVD-AWS-0105 checks with CIS Benchmarks 🤝🏻

AVD-AWS-0107 and AVD-AWS-0105 checks are now aligned with AWS CIS v1.2 and v1.4 benchmarks. The rules for triggering checks and their level of severity have changed. See more details.

⛁ ssl_mode support for GCP SQL DB instance in AVD-GCP-0015 ⚙️

The ssl_mode attribute has been added for the google_sql_database_instance resource to replace the deprecated require_ssl attribute, and since provider version 0.6.1 it has been removed. Support for this attribute has been added to the AVD-GCP-0015 check.

🍔 --skip-dirs and --skip-files now supports nested terraform modules 🍕

Previously passing the --skip-* flags would not result in skipping off the files and directories that were found within the nested terraform modules. This behavior has now been updated to include such nested modules and files. Furthermore, the filtering is done prior to evaluation of the checks, thereby reducing the evaluation time required to scan terraform modules.

👷‍♂️ Notable Fixes 🛠️

• fix(db): check DownloadedAt for trivy-java-db #7592
• bug(pom): use dependencyManagement's for dependencies from parents #7493
• bug(convert): unable to decode ModifiedFinding.Results.ExperimentalModifiedFindings.Finding field #7461
• fix(CycloneDX): parse framework type as library #7432
• Unmatched Vulnerabilities.affects.ref when scanning CycloneDX sbom with duplicate Purls #7337
• Azure China scope is incorrect #7562
• fix(misconf): escape all special sequences #7557
• bug(misconf): Apply AVD-DS-0016 only to final layer #7368
• bug(terraform): Trivy does not load a module from the parent directory #7535
• perf(misconf): Trivy IaC scanner OOM when run in container or github actions #7548
• Some secret detection regexes expect the value to be surrounded by quotes #6787

[nvuillam]

Your trivy-loving community is still suffering of all the random failures, and you can't request everyone to update their calls to trivy :/

Please can you consider my suggestion to publish on multiple mirrors and automatically find a working one without asking your users to add new CLI arguments or handle their owk vulnerability db mirrors ?

#7668