Merge branch 'main' into 'feat/composer-intalled-json'

.github/workflows/semantic-pr.yaml

@@ -73,6 +73,7 @@ jobs:
             c\+\+
             elixir
             dart
+            swift
 
             os
             lang

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.2
+FROM alpine:3.18.3
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

Dockerfile.protoc

@@ -1,15 +1,21 @@
 FROM --platform=linux/amd64 golang:1.19
 
-# Install protoc (cf. http://google.github.io/proto-lens/installing-protoc.html)
+# Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip
-RUN apt-get update && apt-get install -y unzip
+
+# Install unzip for protoc installation and clean up cache
+RUN apt-get update && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
+
+# Download and install protoc
 RUN curl --retry 5 -OL https://github.com/protocolbuffers/protobuf/releases/download/v3.19.4/$PROTOC_ZIP \
     && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \
-    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
+    && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \
     && rm -f $PROTOC_ZIP
 
-RUN go install github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
-RUN go install github.com/magefile/mage@v1.14.0
+# Install Go tools
+RUN go install \
+    github.com/twitchtv/twirp/protoc-gen-twirp@v8.1.0 \
+    google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1 \
+    github.com/magefile/mage@v1.14.0
 
 ENV TRIVY_PROTOC_CONTAINER=true

contrib/html.tpl

@@ -128,7 +128,7 @@
         <td>{{ escapeXML .ID }}</td>
         <td class="misconf-check">{{ escapeXML .Title }}</td>
         <td class="severity">{{ escapeXML .Severity }}</td>
-        <td class="link" data-more-links="off"  style="white-space:normal;"">
+        <td class="link" data-more-links="off"  style="white-space:normal;">
           {{ escapeXML .Message }}
           <br>
             <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>

docs/docs/configuration/reporting.md

@@ -246,7 +246,7 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
 |      Secret      |     ✓     |
-|     License      |           |
+|     License      |     ✓     |
 
 [SARIF][sarif] can be generated with the `--format sarif` flag.
 

docs/docs/coverage/language/nodejs.md

@@ -42,7 +42,8 @@ By default, Trivy doesn't report development dependencies. Use the `--include-de
 
 ### Yarn
 Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
-To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.
+To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`. 
+Trivy analyzes `.yarn` (Yarn 2+) or `node_modules` (Yarn Classic) folder next to the yarn.lock file to detect licenses.
 
 By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
 

docs/docs/coverage/language/php.md

@@ -24,7 +24,7 @@ Since this information is not included in `composer.lock`, Trivy parses `compose
 If you want to see the dependency tree, please ensure that `composer.json` is present.
 
 ## installed.json
-By default, you can find this file at `path_to_app/vendor/composer/installed.json`. Trivy doesn't support dependency detection for `installed.json` files, because this file doesn't contain Direct/Indirect dependency information.
+By default, you can find this file at `path_to_app/vendor/composer/installed.json`. Trivy doesn't support dependency graph for `installed.json` files, because this file doesn't contain Direct/Indirect dependency information.
 
 [composer]: https://getcomposer.org/
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies

docs/docs/references/configuration/cli/trivy.md

@@ -51,7 +51,7 @@ trivy [global flags] command [flags] target
 * [trivy kubernetes](trivy_kubernetes.md)	 - [EXPERIMENTAL] Scan kubernetes cluster
 * [trivy module](trivy_module.md)	 - Manage modules
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
-* [trivy repository](trivy_repository.md)	 - Scan a remote repository
+* [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
 * [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
 * [trivy server](trivy_server.md)	 - Server mode

docs/docs/references/configuration/cli/trivy_repository.md

@@ -1,16 +1,18 @@
 ## trivy repository
 
-Scan a remote repository
+Scan a repository
 
 ```
-trivy repository [flags] REPO_URL
+trivy repository [flags] (REPO_PATH | REPO_URL)
 ```
 
 ### Examples
 
 ```
   # Scan your remote git repository
   $ trivy repo https://github.com/knqyf263/trivy-ci-test
+  # Scan your local git repository
+  $ trivy repo /path/to/your/repository
 ```
 
 ### Options

docs/docs/scanner/vulnerability.md

@@ -98,7 +98,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
 ## Database
-Trivy downloads [the vulnerabillity database](https://github.com/aquasecurity/trivy-db) every 6 hours.
+Trivy downloads [the vulnerability database](https://github.com/aquasecurity/trivy-db) every 6 hours.
 Trivy uses two types of databases for vulnerability detection:
 
 - Vulnerability Database
@@ -177,4 +177,4 @@ Currently, specifying a username and password is not supported.
 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
-[nvd]: https://nvd.nist.gov/vuln
+[nvd]: https://nvd.nist.gov/vuln

docs/docs/target/repository.md

@@ -86,23 +86,23 @@ It is disabled by default and can be enabled with `--scanners config`.
 See [here](../scanner/misconfiguration/index.md) for the detail.
 
 ```shell
-$ trivy repo --scanners config [YOUR_REPO_URL]
+$ trivy repo --scanners config (REPO_PATH | REPO_URL)
 ```
 
 ### Secrets
 It is enabled by default.
 See [here](../scanner/secret.md) for the detail.
 
 ```shell
-$ trivy repo [YOUR_REPO_URL]
+$ trivy repo (REPO_PATH | REPO_URL)
 ```
 
 ### Licenses
 It is disabled by default.
 See [here](../scanner/license.md) for the detail.
 
 ```shell
-$ trivy repo --scanners license [YOUR_REPO_URL]
+$ trivy repo --scanners license (REPO_PATH | REPO_URL)
 ```
 
 ## SBOM generation

docs/tutorials/misconfiguration/terraform.md

@@ -0,0 +1,129 @@
+# Scanning Terraform files with Trivy
+
+This tutorial is focused on ways Trivy can scan Terraform IaC configuration files. 
+
+A video tutorial on Terraform Misconfiguration scans can be found on the [Aqua Open Source YouTube account.](https://youtu.be/BWp5JLXkbBc)
+
+**A note to tfsec users** 
+We have been consolidating all of our scanning-related efforts in one place, and that is Trivy. You can read more on the decision in the [tfsec discussions.](https://github.com/aquasecurity/tfsec/discussions/1994)
+
+## Trivy Config Command 
+
+Terraform configuration scanning is available as part of the `trivy config` command. This command scans all configuration files for misconfiguration issues. You can find the details within [misconfiguration scans in the Trivy documentation.](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/scanning/) 
+
+Command structure: 
+``` 
+trivy config <any flags you want to use> <file or directory that you would like to scan> 
+``` 
+
+The `trivy config` command can scan Terraform configuration, CloudFormation, Dockerfile, Kubernetes manifests, and Helm Charts for misconfiguration. Trivy will compare the configuration found in the file with a set of best practices.  
+
+- If the configuration is following best practices, the check will pass,  
+- If the configuration does not define the resource of some configuration, Trivy will assume the default configuration for the resource creation is used. In this case, the check might fail.
+- If the configuration that has been defined does not follow best practices, the check will fail.  
+
+### Prerequisites 
+Install Trivy on your local machines. The documentation provides several [different installation options.](https://aquasecurity.github.io/trivy/latest/getting-started/installation/) 
+This tutorial will use this example [Terraform tutorial](https://github.com/Cloud-Native-Security/trivy-demo/tree/main/bad_iac/terraform) for terraform misconfiguration scanning with Trivy. 
+
+Git clone the tutorial and cd into the directory: 
+``` 
+git clone git@github.com:Cloud-Native-Security/trivy-demo.git
+cd bad_iac/terraform
+``` 
+In this case, the folder only containes Terraform configuration files. However, you could scan a directory that contains several different configurations e.g. Kubernetes YAML manifests, Dockerfile, and Terraform. Trivy will then detect the different configuration files and apply the right rules automatically. 
+
+## Different types of `trivy config` scans 
+
+Below are several examples of how the trivy config scan can be used. 
+
+General Terraform scan with trivy: 
+``` 
+trivy config <specify the directory> 
+``` 
+
+So if we are already in the directory that we want to scan: 
+``` 
+trivy config ./ 
+``` 
+### Specify the scan format 
+The `--format` flag changes the way that Trivy displays the scan result: 
+
+JSON: 
+```
+trivy config -f json terraform-infra 
+``` 
+
+Sarif: 
+``` 
+trivy config -f sarif terraform-infra 
+``` 
+
+### Specifying the output location 
+
+The `--output` flag specifies the file location in which the scan result should be saved: 
+
+JSON: 
+``` 
+trivy config -f json -o example.json terraform-infra 
+``` 
+
+Sarif: 
+``` 
+trivy config -f sarif -o example.sarif terraform-infra 
+``` 
+
+### Filtering by severity 
+
+If you are presented with lots and lots of misconfiguration across different files, you might want to filter or the misconfiguration with the highest severity: 
+
+``` 
+trivy config --severity CRITICAL, MEDIUM terraform-infra 
+``` 
+
+### Passing tf.tfvars files into `trivy config` scans 
+
+You can pass terraform values to Trivy to override default values found in the Terraform HCL code. More information are provided [in the documentation.](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/options/values/) 
+
+``` 
+trivy conf --tf-vars terraform.tfvars ./
+``` 
+### Custom Checks 
+
+We have lots of examples in the [documentation](https://aquasecurity.github.io/trivy/latest/docs/misconfiguration/custom/) on how you can write and pass custom Rego policies into terraform misconfiguration scans. 
+
+## Secret and vulnerability scans
+
+The `trivy config` command does not perform secrete and vulnerability checks out of the box. However, you can specify as part of your `trivy fs` scan that you would like to scan you terraform files for exposed secrets and misconfiguraction through the following flags: 
+
+```
+trivy fs --scanners secret,config ./
+```
+
+The `trivy config` command is a sub-command of the `trivy fs` command. You can learn more about this command in the [documentation.](https://aquasecurity.github.io/trivy/latest/docs/target/filesystem/) 
+
+## Scanning Terraform Plan files
+
+Instead of scanning your different Terraform resources individually, you could also scan your terraform plan output before it is deployed for misconfiguration. This will give you insights into any misconfiguration of your resources as they would become deployed. [Here](https://aquasecurity.github.io/trivy/latest/docs/scanner/misconfiguration/custom/examples/#terraform-plan) is the link to the documentation.
+
+First, create a terraform plan and save it to a file:
+```
+terraform plan --out tfplan.binary
+```
+
+Next, convert the file into json format:
+```
+terraform show -json tfplan.binary > tfplan.json
+```
+
+Lastly, scan the file with the `trivy config` command:
+```
+trivy config ./tfplan.json
+```
+
+Note that you need to be able to create a terraform init and plan without any errors. 
+
+## Using Trivy in your CI/CD pipeline 
+Similar to tfsec, Trivy can be used either on local developer machines or integrated into your CI/CD pipeline. There are several steps available for different pipelines, including GitHub Actions, Circle CI, GitLab, Travis and more in the tutorials section of the documentation: [https://aquasecurity.github.io/trivy/latest/tutorials/integrations/](https://aquasecurity.github.io/trivy/latest/tutorials/integrations/) 
+
+

docs/tutorials/shell/shell-completion.md

@@ -58,7 +58,7 @@ image       -- Scan a container image
 kubernetes  -- scan kubernetes cluster
 module      -- Manage modules
 plugin      -- Manage plugins
-repository  -- Scan a remote repository
+repository  -- Scan a repository
 rootfs      -- Scan rootfs
 sbom        -- Scan SBOM for vulnerabilities
 server      -- Server mode

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.91.1
-	github.com/aquasecurity/go-dep-parser v0.0.0-20230816082938-c86bfd152132
+	github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -23,7 +23,7 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230817085355-15ce04b6527c
+	github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
 	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230814115812-7afa52705226
 	github.com/aws/aws-sdk-go v1.44.273

go.sum

@@ -325,8 +325,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.91.1 h1:dBIPm6Tva9I+ZTQv+6t9wob3ZlMSu8NFqMJr4mgJC5A=
 github.com/aquasecurity/defsec v0.91.1/go.mod h1:l/srzxtuuyb6c6FlqUvMp3xw2ZbvuZ0l9972MNJM7V8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230816082938-c86bfd152132 h1:SiiJwsijT2zgXJLGAPc5xXYH6QAnZjfsegm6vi2h/qo=
-github.com/aquasecurity/go-dep-parser v0.0.0-20230816082938-c86bfd152132/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942 h1:VGfeUtZyya9Vsl8enDurZ7pb/NDp2aJlL2rx2g4pR6A=
+github.com/aquasecurity/go-dep-parser v0.0.0-20230823094455-40c1f85cc942/go.mod h1:0+GvQF0gL4YEAAUPpNeLeGpFDxMvvIHLMd7vk9bpwko=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230328195059-5bf52338aec3 h1:Vt9y1gZS5JGY3tsL9zc++Cg4ofX51CG7PaMyC5SXWPg=
@@ -345,8 +345,8 @@ github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da h1:pj/adfN
 github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da/go.mod h1:852lbQLpK2nCwlR4ZLYIccxYCfoQao6q9Nl6tjz54v8=
 github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gwo=
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
-github.com/aquasecurity/trivy-db v0.0.0-20230817085355-15ce04b6527c h1:vsWd8uL6C1MoeYhEaJFQU+Rcx93Qv1eFe6N1BO2LjUs=
-github.com/aquasecurity/trivy-db v0.0.0-20230817085355-15ce04b6527c/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
+github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff h1:+MLnPm81Msu921N/lBrKd/NwwBrrzRoTgyMq0pIUhbs=
+github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff/go.mod h1:iJSGMMclPEhkYeyiN9i+gzjV9jhEv+XfPzfVgFhfvTE=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728 h1:0eS+V7SXHgqoT99tV1mtMW6HL4HdoB9qGLMCb1fZp8A=
 github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230814115812-7afa52705226 h1:fL4BpAfnLFruHqkomRDAB7Lv8yv3zuKdg71mZk9y61c=

integration/repo_test.go

@@ -175,6 +175,15 @@ func TestRepository(t *testing.T) {
 			},
 			golden: "testdata/dotnet.json.golden",
 		},
+		{
+			name: "swift",
+			args: args{
+				scanner:     types.VulnerabilityScanner,
+				listAllPkgs: true,
+				input:       "testdata/fixtures/repo/swift",
+			},
+			golden: "testdata/swift.json.golden",
+		},
 		{
 			name: "cocoapods",
 			args: args{

integration/testdata/fixtures/db/swift.yaml

@@ -0,0 +1,14 @@
+- bucket: "swift::GitHub Security Advisory Swift"
+  pairs:
+    - bucket: github.com/apple/swift-nio
+      pairs:
+        - key: CVE-2022-3215
+          value:
+            PatchedVersions:
+              - "2.29.1"
+              - "2.39.1"
+              - "2.42.0"
+            VulnerableVersions:
+              - "< 2.29.1"
+              - ">= 2.39.0, < 2.39.1"
+              - ">= 2.41.0, < 2.42.0"

integration/testdata/fixtures/db/vulnerability.yaml

@@ -1290,6 +1290,24 @@
         - https://github.com/advisories/GHSA-4rgh-jx4f-qfcq
       PublishedDate: "2022-05-24T17:37:16Z"
       LastModifiedDate: "2022-10-06T20:26:08Z"
+  - key: CVE-2022-3215
+    value:
+      Title: "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
+      Description: "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack..."
+      Severity: MEDIUM
+      VendorSeverity:
+        ghsa: 2
+      CVSS:
+        ghsa:
+          V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+          V3Score: 5.3
+      References:
+        - https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f
+        - https://nvd.nist.gov/vuln/detail/CVE-2022-3215
+        - https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f
+        - https://github.com/advisories/GHSA-7fj7-39wj-c64f
+      PublishedDate: "2023-06-07T16:01:53Z"
+      LastModifiedDate: "2023-06-19T16:45:07Z"
   - key: CVE-2022-24775
     value:
       Title: "Improper Input Validation in guzzlehttp/psr7"