v0.41.0

[aqua-bot]

🚀 What's new? 🚀

🛡️ Vulnerability Exploitability Exchange (VEX) 💱

Trivy now supports filtering detected vulnerabilities using the Vulnerability Exploitability Exchange (VEX), a standardized format for sharing and exchanging information about vulnerabilities.

Currently, it supports the following two formats:

• CycloneDX
• OpenVEX

You can scan SBOM with your VEX document by --vex.

$ trivy sbom debian11.sbom.cdx --vex trivy.vex.cdx

Details

$ trivy fs --format cyclonedx --output trivy.sbom.cdx ./go.mod
$ trivy sbom trivy.sbom.cdx

go.mod (gomod)
==============
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ 1.44.234          │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

$ cat trivy.vex.cdx
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2020-8911",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix", "update"],
        "detail": "The vulnerable function is not called"
      },
      "affects": [
        {
          "ref": "urn:cdx:5e745bd2-0754-4d34-8f22-8940492b63fd/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
        }
      ]
    }
  ]
}

$ trivy sbom trivy.sbom.cdx --vex trivy.vex.cdx
...
2023-04-13T12:55:44.838+0300    INFO    Filtered out the detected vulnerability {"VEX format": "CycloneDX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": "code_not_reachable"}

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.234          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

$ cat trivy.openvex
{
  "@context": "https://openvex.dev/ns",
  "@id": "https://openvex.dev/docs/public/vex-2e67563e128250cbcb3e98930df948dd053e43271d70dc50cfa22d57e03fe96f",
  "author": "Aqua Security",
  "timestamp": "2023-01-16T19:07:16.853479631-06:00",
  "version": "1",
  "statements": [
    {
      "vulnerability": "CVE-2020-8911",
      "products": [
        "urn:cdx:5e745bd2-0754-4d34-8f22-8940492b63fd/1#pkg:golang/github.com/aws/aws-sdk-go@1.44.234"
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path"
    }
  ]
}

$ trivy sbom trivy.sbom.cdx --vex trivy.openvex
...
2023-04-13T12:56:42.954+0300    INFO    Filtered out the detected vulnerability {"VEX format": "OpenVEX", "vulnerability-id": "CVE-2020-8911", "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}

go.mod (gomod)
==============
Total: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8912 │ LOW      │ 1.44.234          │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

See here for more details.

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

💿 SBOM support for VM images 🖥️

Trivy can now generate SBOM such as CycloneDX and SPDX for VM images.
Just like other targets, all you need to do is specify --format.

$ trivy vm --format cyclonedx ami:ami-0123456789abcdefg

🫖 Show nested JAR paths 📁

Previously, when a JAR file contained another JAR file, only the path of the outermost JAR was included in the JSON output. This could be confusing, especially when a single JAR file contains multiple versions of the same artifact.

Consider an example where log4j-1.2.12.jar is contained within test.jar:

• Previously:app/test.jar
• Now: app/test.jar/test/log4j-1.2.12.jar

Users can now find the log4j-1.2.12.jar by extracting test.jar. Please note that this full path is only displayed with --format json and not with --format table.

📜 License confidence level 🎚️

Trivy identifies licenses for dpkg and Go modules by estimating the license type from the contents of the files. By default, only licenses with a high confidence level from the classifier, specifically 0.9 or higher, are detected. By using the --license-confidence-level flag, you can change this threshold and detect licenses with a lower confidence level as determined by the classifier.

$ trivy fs --scanners license --license-confidence-level 0.8 debian:11

See here for more details.

Thanks @thevibegod!

🐳 Custom Docker host 🌐

If you are using a custom Docker socket (the Docker client will default to connecting to unix:///var/run/docker.sock on Linux, and tcp://127.0.0.1:2376 on Windows), you could previously only specify this path using the DOCKER_HOST env. In this version, the --docker-host flag has been added, making it possible to configure it via CLI flag as well.

$ trivy image --docker-host unix:///run/user/1000/docker.sock YOUR_IMAGE

See here for more details.

Thanks @aswath-s-tw!

📄 SPDX 2.3 🐧

Trivy now outputs SPDX 2.3 with --format spdx and --format spdx-json.

$ trivy image --format spdx-json debian:11

See here for the SPDX detail.

Thanks @FrimIdan!

🧾 Custom Compliance reports with config and fs sub-commands

Trivy now support generation of custom compliance reports with config and fs sub-commands.
This capability enables the user to provide custom compliance specifications with an input resource folder and trivy will produce the compliance report accordingly.

trivy config ~/data/input.json   --compliance=@/Users/name/data/custom_spec.yaml --report summary

See here for more details on compliance Reports.