v0.60.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀

  • 📋 Report Summary 📊
  • 🛈 Ability to select sources for vulnerability severity 🔋
  • 🌐 Dynamic VEX Retrieval from SBOM External References 🔗
  • 🏰 Rendering misconfiguration causes 🪭

• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

📋 Report Summary 📊

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Scanning report in table format now includes a high level summary of all findings.

┌───────────────────────────────┬────────┬─────────────────┬─────────┐
│            Target             │  Type  │ Vulnerabilities │ Secrets │
├───────────────────────────────┼────────┼─────────────────┼─────────┤
│ alpine:3.20.0 (alpine 3.20.0) │ alpine │       20        │    -    │
└───────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

You can enable/disable this with the new --table-mode flag.

See https://trivy.dev/v0.60/docs/configuration/reporting/#table-mode for more details.

🛈 Select sources for vulnerability severity 🔋

Trivy's vulnerabilities information is sourced from different sources, each might decide on a different severity for the same vulnerability (more on this here). The new --vuln-severity-source flag allows you to customize the order of precendence for vulnerability severity sources based on your preference.

See https://trivy.dev/v0.60/docs/scanner/vulnerability/#severity-selection_1 for more details.

🌐 VEX Retrieval from SBOM External References 🔗

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

When scanning SBOM, you can now load Vulnerability Exploitability eXchange (VEX) statements via CycloneDX "external references". CycloneDX standard allows inclusion of external references, such as "exploitability-statement", which can point to URLs containing relevant VEX information.

Read the documentation for details.

Thanks to @RingoDev.

🏰 Rendering misconfiguration causes 🪭

When scanning IaC files which contain dynamically generated or templated resources, Trivy can now shows the rendered resource (in addition to the previously shown original code). This is enabled by the new --render-cause flag. Currently this feature is only supported for Terraform misconfiguration scanning.

trivy conf --render-cause=terraform main.tf
2024-11-01T17:19:19+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-01T17:19:19+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-11-01T17:19:19+06:00       INFO    Detected config files   num=2

main.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

AVD-AWS-0102 (CRITICAL): Network ACL rule allows access using ALL ports.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.


See https://avd.aquasec.com/misconfig/aws-vpc-no-excessive-port-access
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:37
   via main.tf:31-41 (aws_network_acl_rule.public_inbound[0])
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  31   resource "aws_network_acl_rule" "public_inbound" {
  32     network_acl_id = aws_network_acl.this.id
  33     count          = 2
  34     egress         = false
  35     rule_number    = var.public_inbound_acl_rules[count.index]["rule_number"]
  36     rule_action    = var.public_inbound_acl_rules[count.index]["rule_action"]
  37 [   protocol       = var.public_inbound_acl_rules[count.index]["protocol"]
  38     cidr_block     = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
  39     from_port      = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  ..   
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Rendered cause:
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
resource "aws_network_acl_rule" "public_inbound[0]" {
  protocol = "all"
}
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

👷‍♂️ Notable Fixes 🛠️

• bug(misconf): AVD-DS-0001 started to trigger on variables #8438
• bug(misconf): Incorrect location of findings in k8s JSON scan #8072
• fix(checks): Only One Entrypoint false negative #8364
• fix(misconf): make protocol checks case-insensitive #8460
• trivy registry login fails for docker.io with "unknown resource type" error #8386
• bug(gobinary): Trivy fails when ldflags contain nested flags #8365
• bug(sarif): don't escape shortDescription and fullDescription fields #8342
• bug(report): empty Target for some SBOM files in image #8189
• Trivy client server mode not scanning secrets exposed in image, Trivy standalone works #6742 (thank @iamtraining)
• bug(spdx): panic when parse SPDX-tv file with files #8379
• bug(db): When several parallel Trivy processes download trivy-db - situation may arise when some processes will use empty trivy-db #8454