Merge branch 'main' into 'feat/pom-dep-tree'

docs/docs/coverage/language/index.md

@@ -17,7 +17,7 @@ If the target is a pre-build project, like a code repository, Trivy will analyze
 On the other hand, when the target is a post-build artifact, like a container image, Trivy will analyze installed package metadata like `.gemspec`, binary files, and so on.
 
 | Language             | File                                                                                       | Image[^5] | Rootfs[^6] | Filesystem[^7] | Repository[^8] |
-| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :------------: |
+|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:--------------:|
 | [Ruby](ruby.md)      | Gemfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
@@ -45,6 +45,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Elixir](elixir.md)  | mix.lock[^10]                                                                              |     -     |     -      |       ✅        |       ✅        |
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
+|                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 

docs/docs/coverage/language/swift.md

@@ -1,10 +1,44 @@
 # Swift
 
-Trivy supports [CocoaPods][cocoapods] for Swift packages.
+Trivy supports [CocoaPods][cocoapods] and [Swift][swift] package managers.
+
 The following scanners are supported.
 
-| Package manager | SBOM  | Vulnerability | License |
-| --------------- | :---: | :-----------: | :-----: |
-| CocoaPods       |   ✓   |       -       |    -    |
+| Package manager | SBOM | Vulnerability | License |
+|-----------------|:----:|:-------------:|:-------:|
+| Swift           |  ✓   |       ✓       |    -    |
+| CocoaPods       |  ✓   |       ✓       |    -    |
+
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File             | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
+|:---------------:|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
+|      Swift      | Package.resolved |            ✓            |     Included     |                  -                   |    ✓     |
+|    CocoaPods    | Podfile.lock     |            ✓            |     Included     |                  ✓                   |    -     |
+
+These may be enabled or disabled depending on the target.
+See [here](./index.md) for the detail.
+
+## Swift
+Trivy parses [Package.resolved][package-resolved] file to find dependencies.
+Don't forget to update (`swift package update` command) this file before scanning.
+
+## CocoaPods
+CocoaPods uses package names in `PodFile.lock`, but [GitHub Advisory Database (GHSA)][ghsa] Trivy relies on uses Git URLs. 
+We parse [the CocoaPods Specs][cocoapods-specs] to match package names and links.
+
+!!! note "Limitation"
+    Since [GHSA][ghsa] holds only Git URLs, such as github.com/apple/swift-nio, 
+    Trivy can't identify affected submodules, and detect all submodules maintained by the same URL.
+    For example, [SwiftNIOHTTP1][niohttp1] and [SwiftNIOWebSocket][niowebsocket] both are maintained under `github.com/apple/swift-nio`,
+    and Trivy detect CVE-2022-3215 for both of them, even though only [SwiftNIOHTTP1][niohttp1] is actually affected.
+
+[cocoapods]: https://cocoapods.org/
+[cocoapods-specs]: https://github.com/CocoaPods/Specs
+[ghsa]: https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift
+[swift]: https://www.swift.org/package-manager/
+[package-resolved]: https://github.com/apple/swift-package-manager/blob/4a42f2519e3f7b8a731c5ed89b47ed577df8f86c/Documentation/Usage.md#resolving-versions-packageresolved-file
+[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 
-[cocoapods]: https://cocoapods.org/
+[niohttp1]: https://cocoapods.org/pods/SwiftNIOHTTP1
+[niowebsocket]: https://cocoapods.org/pods/SwiftNIOWebSocket

docs/docs/scanner/vulnerability.md

@@ -77,7 +77,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 ### Data Sources
 
 | Language | Source                                              | Commercial Use | Delay[^1] |
-| -------- | --------------------------------------------------- | :------------: | :-------: |
+|----------|-----------------------------------------------------|:--------------:|:---------:|
 | PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
 |          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
 | Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
@@ -93,7 +93,8 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
 | C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
-| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
+| Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -168,6 +169,7 @@ Currently, specifying a username and password is not supported.
 [pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
 [erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
 [go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
+[swift-ghsa]: https://github.com/advisories?query=ecosystem%3Aswift
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
 [ruby]: https://github.com/rubysec/ruby-advisory-db

go.mod

@@ -23,9 +23,9 @@ require (
 	github.com/aquasecurity/table v1.8.0
 	github.com/aquasecurity/testdocker v0.0.0-20230111101738-e741bda259da
 	github.com/aquasecurity/tml v0.6.1
-	github.com/aquasecurity/trivy-db v0.0.0-20230823084507-315928e846ff
+	github.com/aquasecurity/trivy-db v0.0.0-20230828105148-2c9c4da5a321
 	github.com/aquasecurity/trivy-java-db v0.0.0-20230209231723-7cddb1406728
-	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230814115812-7afa52705226
+	github.com/aquasecurity/trivy-kubernetes v0.5.7-0.20230828123538-ef13fef6ce5b
 	github.com/aws/aws-sdk-go v1.44.273
 	github.com/aws/aws-sdk-go-v2 v1.20.0
 	github.com/aws/aws-sdk-go-v2/config v1.18.25
@@ -103,8 +103,8 @@ require (
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2
 	google.golang.org/protobuf v1.31.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.27.4
-	k8s.io/utils v0.0.0-20230220204549-a5ecb0141aa5
+	k8s.io/api v0.28.0
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
 	modernc.org/sqlite v1.23.1
 )
 
@@ -238,7 +238,7 @@ require (
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
-	github.com/go-openapi/jsonreference v0.20.1 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
 	github.com/go-openapi/spec v0.20.9 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -250,7 +250,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/s2a-go v0.1.3 // indirect
@@ -323,10 +323,10 @@ require (
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.15.1 // indirect
+	github.com/prometheus/client_golang v1.16.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
-	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
+	github.com/prometheus/common v0.44.0 // indirect
+	github.com/prometheus/procfs v0.10.1 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
@@ -354,8 +354,8 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/otel v1.14.0 // indirect
 	go.opentelemetry.io/otel/trace v1.14.0 // indirect
-	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
-	go.uber.org/multierr v1.10.0 // indirect
+	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
+	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.12.0 // indirect
 	golang.org/x/net v0.14.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
@@ -375,14 +375,14 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	helm.sh/helm/v3 v3.12.1 // indirect
 	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/apimachinery v0.27.4 // indirect
+	k8s.io/apimachinery v0.28.0 // indirect
 	k8s.io/apiserver v0.27.2 // indirect
-	k8s.io/cli-runtime v0.27.4 // indirect
-	k8s.io/client-go v0.27.4 // indirect
-	k8s.io/component-base v0.27.4 // indirect
+	k8s.io/cli-runtime v0.28.0 // indirect
+	k8s.io/client-go v0.28.0 // indirect
+	k8s.io/component-base v0.28.0 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
-	k8s.io/kubectl v0.27.4 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/kubectl v0.28.0 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.40.0 // indirect
 	modernc.org/ccgo/v3 v3.16.13 // indirect
@@ -394,8 +394,8 @@ require (
 	modernc.org/token v1.0.1 // indirect
 	oras.land/oras-go v1.2.2 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/kustomize/api v0.13.2 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.14.1 // indirect
+	sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )