Prepare for v0.50.0

[simar7]

Draft to collaborate on v0.50.0 release announcement

🚀 What's new? 🚀

🚫 PURL Support for .trivyignore.yaml 📝

Trivy now supports ignoring vulnerabilities by PURL (Package URL) in the .trivyignore.yaml file, enabling more precise control over scan results.

vulnerabilities:
  - id: CVE-2022-40897
    paths:
      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
    statement: Accept the risk
  - id: CVE-2023-3817
    purls:
      - "pkg:deb/debian/libssl1.1"

📝 Expanded Rego Policy Support in Reports 🛡️

Trivy now extends its Rego policy file support to include filtering for licenses and secrets, adding to the existing support for vulnerabilities and misconfiguration.

Thanks to @kristyko

🌺 Enhanced Suppressed Vulnerabilities Display 👻

Trivy's --show-suppressed flag now reveals suppressed vulnerabilities due to .trivyignore, Rego policies, or VEX declarations, improving transparency and context in security reports.

When the --show-suppressed flag is specified, it now displays suppressed vulnerabilities alongside the regular detected vulnerabilities as follows:

$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
======================================
┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
├───────────────┤               │          │              │                                             │                   │
│ libblkid1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libmount1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libsmartcols1 │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libuuid1      │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ mount         │               │          │              │                                             │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │

🦕 Custom Podman Host Support 🛃

Trivy now includes a --podman-host option for the image command, allowing users to specify a custom Podman host for image scanning.

Thanks to @parvez0

☕ Maven Invoker Plugin Dependency Marking 👿

Trivy now marks dependencies from maven-invoker-plugin integration tests in **/[src|target]/it/*/pom.xml files as the development dependencies, enhancing Java project scans by allowing these dependencies to be included or skipped with the --include-dev-deps flag.

⎈ Rancher RKE2 Control Plane and Node components vulnerability scanning 💀

Trivy now supports the Rancher RKE2 control plane and node components (apiserver, controller-manager, kubelet, kube-proxy and etc) vulnerability scanning.

🍰Simplification of Misconfiguration scanning 🍄

We've integrated misconfiguration scanning better into Trivy by merging defsec into it. As a result Trivy is the only place you need to contribute for misconfiguration scanning. The checks are all defined within the trivy-policies repo.

🦆Improved support for Terraform Dynamic blocks 🧱

We've improved correctly evaluating dynamic blocks by not re-expanding them. This helps prevents false positives.

🪭Improved scanning support for Terraform Plan in JSON 🗃️

Scanning Terraform Plan files has been improved and now it's possible to scan both the Terraform Plan snapshots and their JSON representations.

$ terraform plan --out tfplan
trivy conf tfplan

Will generate and scan a terraform plan snapshot. We recommend saving the plan as a snapshot and scanning approach.

👷‍♂️ Notable Fixes 🛠️

• bug(misconf): False positives for ksv116 and ksv104 #4922
• feat(terraform): hyphen and non-ASCII support for domain names in credential extraction #6068 (thanks to @adam-carruthers)
• fix(terraform): modules with the count meta-argument are not ignored #5665
• bug(kubernetes): KSV001 FP #6232
• false positive AVD-AWS-0057 for actions that apply only to all resources #5040
• bug(misconf): Resolve attributes depending on conditions irrespective of placement  #5686