[SBOM] Keep layer info in SBOM components #32435

Open: lebauce wants to merge 2 commits into main

@lebauce (Contributor) commented Dec 20, 2024

What does this PR do?

Change the sbom.container_image.overlayfs_direct_scan mode to
keep the layers information attached to each component of the SBOM.

This PR also bumps Trivy and uses a custom walker to implement
most of the features previously implemented in our Trivy fork.

Motivation

This allows matching vulnerabilities to the layer they are part of.

Describe how you validated your changes

Set sbom.container_image.overlayfs_direct_scan in both host and containerized mode,
for both the docker and the containerd runtimes.

Possible Drawbacks / Trade-offs

Additional Notes

@lebauce added the changelog/no-changelog, team/agent-security and qa/rc-required (Only for a PR that requires validation on the Release Candidate) labels Dec 20, 2024
@lebauce added this to the 7.63.0 milestone Dec 20, 2024
@lebauce requested review from a team as code owners December 20, 2024 17:51
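
Added example, not code from this PR or from the Datadog Agent: a consumer-side sketch in Go of the motivation stated above, grouping the vulnerabilities in a CycloneDX SBOM by the layer recorded on each affected component. It assumes the layer is carried in the `aquasecurity:trivy:LayerDiffID` component property that upstream Trivy writes; the sample SBOM, its identifiers and the names `VulnsByLayer` and `UnknownLayer` are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Property name upstream Trivy writes on CycloneDX components. That the
// agent's SBOM uses the same name is an assumption of this example.
const layerDiffIDProp = "aquasecurity:trivy:LayerDiffID"

// UnknownLayer groups components that carry no layer property.
const UnknownLayer = "(no layer recorded)"

type component struct {
	BOMRef     string `json:"bom-ref"`
	Name       string `json:"name"`
	Version    string `json:"version"`
	Properties []struct {
		Name  string `json:"name"`
		Value string `json:"value"`
	} `json:"properties"`
}

type bom struct {
	Components      []component `json:"components"`
	Vulnerabilities []struct {
		ID      string `json:"id"`
		Affects []struct {
			Ref string `json:"ref"`
		} `json:"affects"`
	} `json:"vulnerabilities"`
}

// Finding is one vulnerable package attributed to a layer.
type Finding struct{ VulnID, Package, Version string }

// layerOf returns the layer diff ID of a component, or UnknownLayer.
func layerOf(c component) string {
	for _, p := range c.Properties {
		if p.Name == layerDiffIDProp && p.Value != "" {
			return p.Value
		}
	}
	return UnknownLayer
}

// VulnsByLayer resolves every vulnerability's affects[].ref to a component
// and groups the resulting findings by that component's layer.
func VulnsByLayer(raw []byte) (map[string][]Finding, error) {
	var b bom
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	byRef := make(map[string]component, len(b.Components))
	for _, c := range b.Components {
		byRef[c.BOMRef] = c
	}
	out := make(map[string][]Finding)
	for _, v := range b.Vulnerabilities {
		for _, a := range v.Affects {
			c, ok := byRef[a.Ref]
			if !ok {
				continue // dangling reference: nothing to attribute
			}
			layer := layerOf(c)
			out[layer] = append(out[layer], Finding{v.ID, c.Name, c.Version})
		}
	}
	for _, fs := range out { // deterministic order inside each layer
		sort.Slice(fs, func(i, j int) bool {
			if fs[i].VulnID != fs[j].VulnID {
				return fs[i].VulnID < fs[j].VulnID
			}
			return fs[i].Package < fs[j].Package
		})
	}
	return out, nil
}

// Constructed sample SBOM: package names, vulnerability IDs and layer IDs are
// placeholders, not real data.
const sampleSBOM = `{
 "components": [
  {"bom-ref":"c1","name":"libfoo","version":"1.0","properties":[{"name":"aquasecurity:trivy:LayerDiffID","value":"sha256:constructed-base-layer"}]},
  {"bom-ref":"c2","name":"libbar","version":"2.3","properties":[{"name":"aquasecurity:trivy:LayerDiffID","value":"sha256:constructed-base-layer"}]},
  {"bom-ref":"c3","name":"app-dep","version":"0.9","properties":[{"name":"aquasecurity:trivy:LayerDiffID","value":"sha256:constructed-app-layer"}]},
  {"bom-ref":"c4","name":"vendored-lib","version":"4.1"}
 ],
 "vulnerabilities": [
  {"id":"EXAMPLE-0001","affects":[{"ref":"c1"}]},
  {"id":"EXAMPLE-0002","affects":[{"ref":"c2"},{"ref":"c3"}]},
  {"id":"EXAMPLE-0003","affects":[{"ref":"c4"},{"ref":"missing"}]}
 ]
}`

func main() {
	byLayer, err := VulnsByLayer([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for layer, findings := range byLayer {
		fmt.Println(layer, findings)
	}
}
```

Findings whose component has no layer property land under `UnknownLayer` rather than being dropped, so a missing layer stays visible to whoever triages the report.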

Go Package Import Differences

Baseline: bd259ed
Comparison: 7da1ad1

binary os arch: change
agent linux amd64: +174, -13
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/ecr
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/aws/aws-sdk-go-v2/service/ecr
+github.com/aws/aws-sdk-go-v2/service/ecr/internal/endpoints
+github.com/aws/aws-sdk-go-v2/service/ecr/types
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/go-rpmutils
+github.com/sassoftware/go-rpmutils/cpio
+github.com/sassoftware/go-rpmutils/fileutil
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
+github.com/syndtr/goleveldb/leveldb
+github.com/syndtr/goleveldb/leveldb/cache
+github.com/syndtr/goleveldb/leveldb/comparer
+github.com/syndtr/goleveldb/leveldb/errors
+github.com/syndtr/goleveldb/leveldb/filter
+github.com/syndtr/goleveldb/leveldb/iterator
+github.com/syndtr/goleveldb/leveldb/journal
+github.com/syndtr/goleveldb/leveldb/memdb
+github.com/syndtr/goleveldb/leveldb/opt
+github.com/syndtr/goleveldb/leveldb/storage
+github.com/syndtr/goleveldb/leveldb/table
+github.com/syndtr/goleveldb/leveldb/util
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/ulikunitz/xz/internal/hash
+github.com/ulikunitz/xz/internal/xlog
+github.com/ulikunitz/xz/lzma
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
agent linux arm64: +174, -13
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/ecr
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/aws/aws-sdk-go-v2/service/ecr
+github.com/aws/aws-sdk-go-v2/service/ecr/internal/endpoints
+github.com/aws/aws-sdk-go-v2/service/ecr/types
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/go-rpmutils
+github.com/sassoftware/go-rpmutils/cpio
+github.com/sassoftware/go-rpmutils/fileutil
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
+github.com/syndtr/goleveldb/leveldb
+github.com/syndtr/goleveldb/leveldb/cache
+github.com/syndtr/goleveldb/leveldb/comparer
+github.com/syndtr/goleveldb/leveldb/errors
+github.com/syndtr/goleveldb/leveldb/filter
+github.com/syndtr/goleveldb/leveldb/iterator
+github.com/syndtr/goleveldb/leveldb/journal
+github.com/syndtr/goleveldb/leveldb/memdb
+github.com/syndtr/goleveldb/leveldb/opt
+github.com/syndtr/goleveldb/leveldb/storage
+github.com/syndtr/goleveldb/leveldb/table
+github.com/syndtr/goleveldb/leveldb/util
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/ulikunitz/xz/internal/hash
+github.com/ulikunitz/xz/internal/xlog
+github.com/ulikunitz/xz/lzma
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/openpgp
+golang.org/x/crypto/openpgp/armor
+golang.org/x/crypto/openpgp/elgamal
+golang.org/x/crypto/openpgp/errors
+golang.org/x/crypto/openpgp/packet
+golang.org/x/crypto/openpgp/s2k
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
agent windows amd64: +0, -1
-github.com/golang/protobuf/ptypes
agent darwin amd64: +0, -1
-github.com/golang/protobuf/ptypes
agent darwin arm64: +0, -1
-github.com/golang/protobuf/ptypes
iot-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
iot-agent linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
heroku-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
cluster-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
cluster-agent linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundry linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
cluster-agent-cloudfoundry linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
process-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
process-agent linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
process-agent windows amd64: +0, -1
-github.com/golang/protobuf/ptypes
process-agent darwin amd64: +0, -1
-github.com/golang/protobuf/ptypes
process-agent darwin arm64: +0, -1
-github.com/golang/protobuf/ptypes
security-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
security-agent linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
security-agent windows amd64: +0, -1
-github.com/golang/protobuf/ptypes
system-probe linux amd64: +150, -13
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/ecr
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/aws/aws-sdk-go-v2/service/ecr
+github.com/aws/aws-sdk-go-v2/service/ecr/internal/endpoints
+github.com/aws/aws-sdk-go-v2/service/ecr/types
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/arm64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
system-probe linux arm64: +150, -13
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure
+github.com/aquasecurity/trivy-db/pkg/vulnsrc/azure/oval
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner
-github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner/oval
+github.com/aquasecurity/trivy/pkg/cache
+github.com/aquasecurity/trivy/pkg/db
+github.com/aquasecurity/trivy/pkg/dependency/parser/conda/environment
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/java
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/nodejs
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/php
+github.com/aquasecurity/trivy/pkg/dependency/parser/executable/python
+github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest
+github.com/aquasecurity/trivy/pkg/dependency/parser/sbt/lockfile
-github.com/aquasecurity/trivy/pkg/dependency/types
+github.com/aquasecurity/trivy/pkg/detector/ospkg/azure
-github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/conda/environment
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/sbt
+github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg
-github.com/aquasecurity/trivy/pkg/fanal/analyzer/os/mariner
+github.com/aquasecurity/trivy/pkg/fanal/artifact/container
-github.com/aquasecurity/trivy/pkg/fanal/cache
-github.com/aquasecurity/trivy/pkg/fanal/log
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/ecr
+github.com/aquasecurity/trivy/pkg/fanal/image/registry/intf
+github.com/aquasecurity/trivy/pkg/iac/rego
-github.com/aquasecurity/trivy/pkg/version
+github.com/aquasecurity/trivy/pkg/version/app
+github.com/aquasecurity/trivy/pkg/version/doc
+github.com/aquasecurity/trivy/pkg/vex/repo
+github.com/aquasecurity/trivy/pkg/x/slices
+github.com/aws/aws-sdk-go-v2/service/ecr
+github.com/aws/aws-sdk-go-v2/service/ecr/internal/endpoints
+github.com/aws/aws-sdk-go-v2/service/ecr/types
+github.com/blang/semver
+github.com/containerd/continuity/devices
+github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
+github.com/digitorus/pkcs7
+github.com/digitorus/timestamp
+github.com/docker/docker/pkg/system
+github.com/go-chi/chi
+github.com/go-chi/chi/middleware
-github.com/golang/protobuf/ptypes
+github.com/google/certificate-transparency-go
+github.com/google/certificate-transparency-go/asn1
+github.com/google/certificate-transparency-go/gossip/minimal/x509ext
+github.com/google/certificate-transparency-go/tls
+github.com/google/certificate-transparency-go/x509
+github.com/google/certificate-transparency-go/x509/pkix
+github.com/google/certificate-transparency-go/x509util
+github.com/google/go-containerregistry/internal/windows
+github.com/google/go-containerregistry/pkg/crane
+github.com/google/go-containerregistry/pkg/legacy
+github.com/google/go-containerregistry/pkg/legacy/tarball
+github.com/google/go-containerregistry/pkg/v1/static
+github.com/google/go-github/v62/github
+github.com/google/go-querystring/query
+github.com/hashicorp/go-retryablehttp
+github.com/jedisct1/go-minisign
+github.com/letsencrypt/boulder/core
+github.com/letsencrypt/boulder/goodkey
+github.com/letsencrypt/boulder/identifier
+github.com/letsencrypt/boulder/probs
+github.com/letsencrypt/boulder/revocation
+github.com/letsencrypt/boulder/strictyaml
+github.com/masahiro331/go-disk/fs
+github.com/moby/buildkit/frontend/dockerfile/linter
+github.com/nozzle/throttler
+github.com/openvex/discovery/pkg/discovery
+github.com/openvex/discovery/pkg/discovery/options
+github.com/openvex/discovery/pkg/oci
+github.com/openvex/discovery/pkg/probers/oci
+github.com/openvex/go-vex/pkg/attestation
-github.com/saracen/walker
+github.com/sassoftware/relic/lib/pkcs7
+github.com/sassoftware/relic/lib/x509tools
+github.com/secure-systems-lab/go-securesystemslib/encrypted
+github.com/sigstore/cosign/v2/internal/pkg/cosign
+github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size
+github.com/sigstore/cosign/v2/internal/pkg/now
+github.com/sigstore/cosign/v2/internal/pkg/oci/remote
+github.com/sigstore/cosign/v2/internal/ui
+github.com/sigstore/cosign/v2/pkg/blob
+github.com/sigstore/cosign/v2/pkg/cosign
+github.com/sigstore/cosign/v2/pkg/cosign/bundle
+github.com/sigstore/cosign/v2/pkg/cosign/env
+github.com/sigstore/cosign/v2/pkg/cosign/fulcioverifier/ctutil
+github.com/sigstore/cosign/v2/pkg/oci
+github.com/sigstore/cosign/v2/pkg/oci/empty
+github.com/sigstore/cosign/v2/pkg/oci/internal/signature
+github.com/sigstore/cosign/v2/pkg/oci/layout
+github.com/sigstore/cosign/v2/pkg/oci/remote
+github.com/sigstore/cosign/v2/pkg/oci/signed
+github.com/sigstore/cosign/v2/pkg/oci/static
+github.com/sigstore/cosign/v2/pkg/types
+github.com/sigstore/rekor/pkg/client
+github.com/sigstore/rekor/pkg/log
+github.com/sigstore/rekor/pkg/pki
+github.com/sigstore/rekor/pkg/pki/identity
+github.com/sigstore/rekor/pkg/pki/minisign
+github.com/sigstore/rekor/pkg/pki/pgp
+github.com/sigstore/rekor/pkg/pki/pkcs7
+github.com/sigstore/rekor/pkg/pki/ssh
+github.com/sigstore/rekor/pkg/pki/tuf
+github.com/sigstore/rekor/pkg/pki/x509
+github.com/sigstore/rekor/pkg/types
+github.com/sigstore/rekor/pkg/types/dsse
+github.com/sigstore/rekor/pkg/types/dsse/v0.0.1
+github.com/sigstore/rekor/pkg/types/hashedrekord
+github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.1
+github.com/sigstore/rekor/pkg/types/intoto/v0.0.2
+github.com/sigstore/rekor/pkg/types/rekord
+github.com/sigstore/rekor/pkg/types/rekord/v0.0.1
+github.com/sigstore/rekor/pkg/util
+github.com/sigstore/sigstore/pkg/cryptoutils
+github.com/sigstore/sigstore/pkg/signature
+github.com/sigstore/sigstore/pkg/signature/dsse
+github.com/sigstore/sigstore/pkg/signature/options
+github.com/sigstore/sigstore/pkg/signature/payload
+github.com/sigstore/sigstore/pkg/tuf
+github.com/sigstore/timestamp-authority/pkg/verification
-github.com/tetratelabs/wazero/internal/close
-github.com/tetratelabs/wazero/internal/engine/wazevo/backend/isa/amd64
+github.com/tetratelabs/wazero/internal/expctxkeys
-github.com/tetratelabs/wazero/internal/wazeroir
+github.com/theupdateframework/go-tuf
+github.com/theupdateframework/go-tuf/client
+github.com/theupdateframework/go-tuf/client/leveldbstore
+github.com/theupdateframework/go-tuf/data
+github.com/theupdateframework/go-tuf/internal/fsutil
+github.com/theupdateframework/go-tuf/internal/roles
+github.com/theupdateframework/go-tuf/internal/sets
+github.com/theupdateframework/go-tuf/internal/signer
+github.com/theupdateframework/go-tuf/pkg/keys
+github.com/theupdateframework/go-tuf/pkg/targets
+github.com/theupdateframework/go-tuf/sign
+github.com/theupdateframework/go-tuf/util
+github.com/theupdateframework/go-tuf/verify
+github.com/titanous/rocacheck
+github.com/tonistiigi/go-csvvalue
+github.com/transparency-dev/merkle
+github.com/transparency-dev/merkle/compact
+github.com/transparency-dev/merkle/proof
+github.com/transparency-dev/merkle/rfc6962
+github.com/xeipuuv/gojsonpointer
+github.com/xeipuuv/gojsonreference
+github.com/xeipuuv/gojsonschema
+golang.org/x/crypto/cryptobyte
+golang.org/x/crypto/cryptobyte/asn1
+golang.org/x/crypto/ed25519
+golang.org/x/crypto/nacl/secretbox
+golang.org/x/crypto/ocsp
+golang.org/x/crypto/salsa20/salsa
+golang.org/x/crypto/ssh/terminal
+golang.org/x/mod/sumdb/note
+gopkg.in/go-jose/go-jose.v2
+gopkg.in/go-jose/go-jose.v2/cipher
+gopkg.in/go-jose/go-jose.v2/json
+rsc.io/binaryregexp
+rsc.io/binaryregexp/syntax
system-probe windows amd64: +0, -1
-github.com/golang/protobuf/ptypes
trace-agent linux amd64: +0, -1
-github.com/golang/protobuf/ptypes
trace-agent linux arm64: +0, -1
-github.com/golang/protobuf/ptypes
trace-agent windows amd64: +0, -1
-github.com/golang/protobuf/ptypes
trace-agent darwin amd64: +0, -1
-github.com/golang/protobuf/ptypes
trace-agent darwin arm64: +0, -1
-github.com/golang/protobuf/ptypes
