Prepare for v0.55.0

[simar7]

Draft to collaborate on v0.55.0

📑 Table of Contents

• 💔 Breaking Changes 💔
  • 🗑️ Removal of deprecated SBOM flags 🛠️
• 🚀 What's new? 🚀
  • 🎛️ Introducing the --detection-priority Flag 🕵️
  • 📝 Support test scope for pom.xml files 🧪
  • 🥣 IaC scanning now supports generic YAML and JSON file types 🛼
  • 🌰 Terraform scanning now supports iterator argument for dynamic blocks 🥂
  • 🎣 Terraform plan scanning now supports input variables 🏭
  • 🧳 Misconfiguration scanning now ignores duplicate checks 🍼
  • 🪨 Compliance spec bundles are now included within the Trivy Checks bundle 🗿
  • 🏃🏻‍♀️Terraform now supports ignores on nested attributes 🪺
  • 💽 Support for Direct Filesystem 💾
  • 🐧 Support for Ext2/Ext3 Filesystems 🧩

💔 Breaking Changes 💔

🗑️ Removal of deprecated SBOM flags 🛠️

In this release, we've removed the deprecated --sbom-format and --artifact-type flags from the sbom subcommand. These flags were deprecated two years ago, and their removal is part of our ongoing effort to streamline the CLI and remove outdated options.

For more details, please refer to the announcement here.

🚀 What's new? 🚀

🎛️ Introducing the --detection-priority Flag 🕵️

This update introduces the --detection-priority flag to the vulnerability scanner, providing users with control over the scanner's accuracy and coverage. The flag allows you to select between precise mode, which focuses on reducing false positives, and comprehensive mode, which increases detection coverage at the risk of including some false positives. This feature is particularly useful in environments where either accuracy or comprehensive detection is critical.

$ trivy image registry.access.redhat.com/ubi8/ubi --detection-priority comprehensive --scanners vuln

See here for more details.

The following language-specific files supported new flag. Logic for --detection-priority comprehensive:

• go.mod: save minimum required Go version as stdlib. Supported only Go after 1.21. See here for more details.
• requirements.txt: save minimum version for pip packages. Supported only >=,~= and a trailing .*. See here for more details.
• pubspec.lock: use minimum versions from sdks for SDK dependencies. See here for more details.

📝 Support test scope for pom.xml files 🧪

Trivy currently supports dependencies with test scope. To include these dependencies into result - use --include-dev-deps flag.

🥣 IaC scanning now supports generic YAML and JSON file types 🛼

Previously for Trivy to perform misconfiguration scanning, it had to confirm to one of the supported types. We've now added support for any generic YAML or JSON file type to be scanned. This is best demonstrated by an example:

For example consider the following inputs

$ cat iac/serverless.yaml
service: serverless-rest-api-with-pynamodb
frameworkVersion: ">=2.24.0"
plugins:
  - serverless-python-requirements
...
$ cat serverless.rego
# METADATA
# title: Serverless Framework service name not starting with "aws-"
# description: Ensure that Serverless Framework service names start with "aws-"
# schemas:
#   - input: schema["serverless-schema"]
# custom:
#   id: SF001
#   severity: LOW
package user.serverless001
deny[res] {
    not startswith(input.service, "aws-")
    res := result.new(
        sprintf("Service name %q is not allowed", [input.service]),
        input.service
    )
}

With the new support, we can scan the input as such

$ trivy config --misconfig-scanners=json,yaml --config-check ./serverless.rego --check-namespaces user ./iac
serverless.yaml (yaml)
Tests: 4 (SUCCESSES: 3, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
LOW: Service name "serverless-rest-api-with-pynamodb" is not allowed
═════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure that Serverless Framework service names start with "aws-"

You can also pass schemas using the config-file-schemas flag. Trivy will use these schemas for file filtering and type checking in Rego checks. If the file does not match any of the passed schemas, it will be ignored.

You can find more details on this feature here

🌰 Terraform scanning now supports iterator argument for dynamic blocks 🥂

Trivy now supports the iterator argument for dynamic blocks. Previously this led to false positives while scanning terraform code. The following block is now supported with Trivy scanning

resource "aws_s3_bucket" "this" {
  dynamic versioning {
    for_each = ["true"]
    iterator = ver

    content {
      enabled = ver.value
    }
  } 
}

🎣 Terraform plan scanning now supports input variables 🏭

Trivy now supports scanning of terraform plans that contain variables inside of them. As always the user can pass the variables in as such:

$ trivy config --tf-vars vars.tfvars  --misconfig-scanners "terraformplan-snapshot" tfplan

Will now properly evaluate the passed input variables for the terraform plan being scanned.

🧳 Misconfiguration scanning now ignores duplicate checks 🍼

Trivy now ignores any duplicated checks in the output by skipping them if they've already been evaluated. This helps prevent cases where a duplicated custom check might be accidentally supplied by the user.

🪨 Compliance spec bundles are now included within the Trivy Checks bundle 🗿

Trivy checks bundle now includes compliance spec bundles. This provides users with up to date compliance specs without having to wait for an update of Trivy or it's dependencies as the compliance specs will now be released and available for use at the time of a new bundle being published.

🏃🏻‍♀️Terraform now supports ignores on nested attributes 🪺

Previously it was not possible to ignore on special variables such as each and count that terraform offers, especially when working within dynamic blocks.

locals {
  vms = [
    {
      ip_address = "10.0.0.1"
      name       = "vm-1"
    },
    {
      ip_address = "10.0.0.2"
      name       = "vm-2"
    }
  ]
}
// trivy:ignore:*[each.value.name=vm-2]
resource "bad" "my-rule" {
  secure = false
  for_each   = { for vm in local.vms : vm.name => vm }
  ip_address = each.value.ip_address
}

Will now ignore each.value with the name of vm-2. More info on this feature here

💽 Support for Direct Filesystem 💾

This update enhances the vm subcommand by adding support for scanning filesystems directly, even when there's no Master Boot Record (MBR) present.

Thanks to @yusuke-koyoshi.

🐧 Support for Ext2/Ext3 Filesystems 🧩

In this release, the vm subcommand has been enhanced to support Ext2 and Ext3 filesystems. This addition broadens the range of filesystems that can be scanned, making it more versatile for various virtual machine environments.

Thanks to @aruneko.

👷‍♂️ Notable Fixes 🛠️

• fix(terraform): add aws_region name to presets #7184
• fix(misconf): support deprecating for Go checks #7377
• fix(misconf): Improve filtering of terraform JSON #7393
• bug(template): Message field not escaped in asff.tpl #7400
• Unknown license and download location information should be NOASSERTION instead of NONE in SPDX #7402
• bug(secret): long secrets with short line prefix/suffix contain characters from other lines  #7411
• JWT secret detector only works if "JWT" word is in scope #6802
• Trivy marks all dependencies of subdirectories as 'dev dependency' for PNPM #7386
• fix(aws): handle ECR repositories in different regions #6217
• fix(license): add license handling to JUnit template #7409