Prepare for v0.29.0

[knqyf263]

The release note of v0.29.0

💔 BREAKING CHANGES 💔

Change trivy k8s API

It requires cluster or all for cluster scanning.

# Root command shows help message, like other trivy subcommands
$ trivy k8s

# Scanning a full cluster (including cluster level resources)

$ trivy k8s --report=summary cluster

# Scanning namespaces

$ trivy k8s --report=summary all # scans the default namespace
$ trivy k8s --report=summary --namespace=kube-system all

See here for the detail.

Change to rego input schema for dockerfile custom policies

The rego input schema has changed to fix an issue with stage ordering in the Dockerfile parser.

Before:

type Dockerfile struct {
	Stages map[string][]Command
}

After:

type Dockerfile struct {
	Stages []Stage
}

type Stage struct {
	Name     string
	Commands []Command
}

🚀 What's new? 🚀

🧇 Extensibility using WebAssembly 🐯

Trivy has a new extensions model that allows you to customize the way vulnerabilities are detected and reported, powered by WebAssembly!
Most vulnerability scanners assume that the existence of a vulnerable package indicates your application is vulnerable, but in many cases the vulnerability may not actually affect your application - depending on the runtime version, middleware configuration, or other environmental conditions. The result is that vulnerability scanners sometimes show false positives.
For example, an application with Spring4Shell vulnerability (CVE-2022-22965) would be actually safe if it used JAR packaging and an old Java 8 version - even though your application depends on a vulnerable version of Spring Framework.

With the new extensibility model, a WebAsssembly module can inject custom detection into scanning results.
The following Trivy module for Spring4Shell detects the Tomcat and Java versions in addition to the version of Spring Framework. The module then lowers the severity because this image doesn't satisfy any of the vulnerability conditions and is not actually affected by this vulnerability.

$ trivy module install ghcr.io/aquasecurity/trivy-module-spring4shell
$ trivy image ghcr.io/aquasecurity/trivy-test-images:spring4shell-jre8
2022-06-12T12:57:13.210+0300    INFO    Loading ghcr.io/aquasecurity/trivy-module-spring4shell/spring4shell.wasm...
2022-06-12T12:57:13.596+0300    INFO    Registering WASM module: spring4shell@v1
...
2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: Java Version: 8, Tomcat Version: 8.5.77
2022-06-12T12:57:14.865+0300    INFO    Module spring4shell: change CVE-2022-22965 severity from CRITICAL to LOW

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🌴 Show origins of vulnerable dependencies 🎄

Modern software development relies on the use of third-party libraries. Third-party dependencies also depend on others so a list of dependencies can be represented as a dependency graph. In some cases, vulnerable dependencies are not linked directly, and it requires analyses of the tree. To make this task simpler Trivy can show a dependency origin tree with the --dependency-tree flag. This flag is available with the --format table flag only. It supports only Node.js (package-lock.json) as of v0.29.0.

This tree is the reverse of the npm list command. However, if you want to resolve a vulnerability in a particular indirect dependency, the reversed tree is useful to know where that dependency comes from and identify which package you actually need to update.

⚠️ EXPERIMENTAL: This feature might change without preserving backwards compatibility.

🎊 containerd support 🤓

When scanning container images, Trivy will try to use images from local image store before attempting to pull from registry. This local image scanning worked with Docker, and from today, it also works with contained.

$ sudo nerdctl images
REPOSITORY        TAG       IMAGE ID        CREATED               PLATFORM       SIZE         BLOB SIZE
knqyf263/nginx    latest    2bcabc23b454    57 seconds ago        linux/amd64    149.1 MiB    54.1 MiB
$ trivy image knqyf263/nginx

ℹ️ Rootless containerd is not yet supported.

⛵ Helm Chart scanning 🗺️

Trivy now supports scanning Helm Charts as directories or tarballs (tar, tgz, tar.gz).

Helm charts are rendered into the Kubernetes manifest files that will be applied and any configuration issues displayed for the manifest that would be used.

trivy fs --security-checks config consul.tar.gz 
2022-06-14T11:13:31.789+0100	INFO	Detected config files: 6

consul.tar.gz:templates/consul-statefulset.yaml (helm)

Tests: 34 (SUCCESSES: 22, FAILURES: 12, EXCEPTIONS: 0)
Failures: 12 (UNKNOWN: 0, LOW: 10, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

MEDIUM: Container 'consul' of StatefulSet 'consul' should set 'securityContext.allowPrivilegeEscalation' to false
═══════════════════════════════════════════════════════════════════════════════════════════════
A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node.

See https://avd.aquasec.com/misconfig/ksv001
───────────────────────────────────────────────────────────────────────────────────────────────
 consul.tar.gz:templates/consul-statefulset.yaml:45-107
───────────────────────────────────────────────────────────────────────────────────────────────
  45 ┌       - name: "consul"
  46 │         image: "consul:1.5.3"
  47 │         imagePullPolicy: "Always"
  48 │         ports:
  49 │         - name: http
  50 │           containerPort: 8500
  51 │         - name: rpc
  52 │           containerPort: 8400
  53 └         - name: serflan-tcp
  ..   
───────────────────────────────────────────────────────────────────────────────────────────────


LOW: Container 'consul' of StatefulSet 'consul' should add 'ALL' to 'securityContext.capabilities.drop'
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The container should drop all default capabilities and add only those that are needed for its execution.

See https://avd.aquasec.com/misconfig/ksv003
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 consul.tar.gz:templates/consul-statefulset.yaml:45-107
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  45 ┌       - name: "consul"
  46 │         image: "consul:1.5.3"
  47 │         imagePullPolicy: "Always"
  48 │         ports:
  49 │         - name: http
  50 │           containerPort: 8500
  51 │         - name: rpc
  52 │           containerPort: 8400
  53 └         - name: serflan-tcp
  ..   
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
... results truncated ...

ℹ️ Support for injecting values files will be added in future releases.

🖌️ Kubernetes secret scanning 📟

trivy k8s now finds exposed secrets in container images.

$ trivy k8s --report=summary all
3 / 3 [------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1 p/s

Summary Report for minikube
┌───────────┬─────────────────┬─────────────────────┬────────────────────┬───────────────────┐
│ Namespace │    Resource     │   Vulnerabilities   │ Misconfigurations  │      Secrets      │
│           │                 ├───┬───┬────┬────┬───┼───┬───┬───┬────┬───┼───┬───┬───┬───┬───┤
│           │                 │ C │ H │ M  │ L  │ U │ C │ H │ M │ L  │ U │ C │ H │ M │ L │ U │
├───────────┼─────────────────┼───┼───┼────┼────┼───┼───┼───┼───┼────┼───┼───┼───┼───┼───┼───┤
│ default   │ Deployment/lua  │   │   │ 33 │ 50 │   │   │   │ 2 │ 10 │   │   │ 2 │   │   │   │
└───────────┴─────────────────┴───┴───┴────┴────┴───┴───┴───┴───┴────┴───┴───┴───┴───┴───┴───┘
Severities: C=CRITICAL H=HIGH M=MEDIUM L=LOW U=UNKNOWN

🔥 RBAC scanning

Trivy now scans Kubernetes RBAC roles in filesystem and it will identify security issues such as permissive or risky role definitions or other RBAC related security best practices.

$ trivy fs --security-checks config /roles

shell_access_role.yaml (rbac)

Tests: 16 (SUCCESSES: 15, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Role permits getting shell on pods
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Check whether role permits getting shell on pods

See https://avd.aquasec.com/misconfig/ksv053
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 shell_access_role.yaml:8-13
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   8 ┌ - apiGroups:
   9 │   - "*"
  10 │   resources:
  11 │   - pods/exec
  12 │   verbs:
  13 └   - create
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

[itaysk]

cc: @AnaisUrlichs

[itaysk]

I've removed the disclaimer about the line numbers (from helm and RBAC) since I think it belongs in the documentation and might be TMI in the context of release notes (if you disagree just restore it)

[dAnjou]

Hi there 👋 I see that this milestone is due by today, is that still true? Sorry for being a bit impatient, we're looking forward to #2188 🙂

[knqyf263]

Yes, we plan to release it today.