release: v0.54.0 [main]

[DmitriyLewen]

🤖 I have created a release beep boop

0.54.0 (2024-07-04)

⚠ BREAKING CHANGES

• k8s: node-collector dynamic commands support (#6861)
• add clean subcommand (#6993)
• aws: Remove aws subcommand (#6995)

Features

• add log.FilePath() function for logger (#7080) (1f5f348)
• add clean subcommand (#6993) (8d0ae1f)
• Add flag to configure node-collector image ref (#5710) (2569575)
• add info log message about dev deps suppression (#6211) (7cb6c02)
• Add Julia language analyzer support (#5635) (fecafb1)
• Add local ImageID to SARIF metadata (#6522) (f144e91)
• add memory cache backend (#7048) (55ccd06)
• add relationships (#6563) (6343e4f)
• add support environment.yaml files (#6569) (e3bef02)
• add support for plugin index (#6674) (26faf8f)
• add ubuntu 23.10 and 24.04 support (#6573) (4369a19)
• allow end-users to adjust K8S client QPS and burst (#5910) (2c9d7c6)
• aws: apply filter options to result (#6367) (09e37b7)
• aws: quiet flag support (#6331) (87a9aa6)
• aws: Remove aws subcommand (#6995) (979e118)
• c: add license support for conan lock files (#6329) (5dd9bd4)
• cloudformation: add support for logging and endpoint access for EKS (#6440) (86714bf)
• cloudformation: inline ignore support for YAML templates (#6358) (df024e8)
• conda: add licenses support for environment.yml files (#6953) (654217a)
• dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
• filter k8s core components vuln results (#5713) (0ff5f96)
• go: add main module (#6574) (2d090ef)
• go: parse main mod version from build info settings (#6564) (419e3d2)
• go: parse main module of go binary files (#6530) (e32215c)
• image: customer podman host or socket option (#6256) (9d2057a)
• image: goversion as stdlib (#6277) (d82d6cb)
• image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
• introduce package UIDs for improved vulnerability mapping (#6583) (998f750)
• java: add dependency location support for gradle files (#6083) (535b5a9)
• java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
• java: add support for fetching packages from repos mentioned in pom.xml (#6171) (ce81c05)
• java: add support for line numbers for pom.xml files (#5991) (b4b90cf)
• java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
• java: add support licenses and graph for gradle lock files (#6140) (f6c5d58)
• java: mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev (#6213) (617c3e3)
• k8s: node-collector dynamic commands support (#6861) (8d618e4)
• k8s: rancher rke2 version support (#5988) (cf0f0d0)
• misconf: Add --misconfig-scanners option (#5670) (b5874e3)
• misconf: add helm-api-version and helm-kube-version flag (#6332) (53517d6)
• misconf: add metadata to Cloud schema (#6831) (02d5404)
• misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
• misconf: Add support for deprecating a check (#6664) (88702cf)
• misconf: add support for wildcard ignores (#6414) (8dd0fcd)
• misconf: add support of buildkit instructions when building dockerfile from image config (#5990) (adfde63)
• misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
• misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
• misconf: Expose misconf engine debug logs with --debug option (#5550) (1336223)
• misconf: loading embedded checks as a fallback (#6502) (12ec0df)
• misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
• misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
• misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
• misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
• misconf: Support private registries for misconf check bundle (#6327) (f23ed77)
• misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
• misconf: Use updated terminology for misconfiguration checks (#6476) (37da98d)
• nodejs: add license parser to pnpm analyser (#7036) (03ac93d)
• nodejs: add v9 pnpm lock file support (#6617) (1e08648)
• nodejs: add yarn alias support (#5818) (30eff9c)
• Packagesprops support (#5605) (16b757d)
• php: add installed.json file support (#4865) (edc556b)
• plugin: add support for nested archives (#6845) (622c67b)
• plugin: specify plugin version (#6683) (d6dc567)
• python: add license support for requirement.txt files (#6782) (29615be)
• python: add line number support for requirement.txt files (#6729) (2bc54ad)
• python: parse licenses from dist-info folder (#4724) (df3e90a)
• report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
• report: output plugin (#4863) (99c04c4)
• report: support for filtering licenses and secrets via rego policy files (#6004) (c6844a7)
• respect custom exit code from plugin (#6584) (f0961d5)
• rust: Support workspace.members parsing for Cargo.toml analysis (#5285) (5924c02)
• sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)
• sbom: Support license detection for SBOM scan (#6072) (eb3ceb3)
• secret: add support of GitHub fine-grained tokens (#5740) (be1c554)
• secret: added support of Docker registry credentials (#5720) (108a5b0)
• secret: Support for detecting Hugging Face Access Tokens (#6236) (6639911)
• set InstalledFiles for DEB and RPM packages (#5488) (44d0b28)
• support --skip-images scanning flag (#6334) (e739ab8)
• terraform: Add hyphen and non-ASCII support for domain names in credential extraction (#6108) (4a9ac6d)
• terraform: ignore resources by nested attributes (#6302) (29dee32)
• terraform: Terraform Plan snapshot scanning support (#6176) (9361cdb)
• vex: add PURL matching for CSAF VEX (#5890) (d0c81e2)
• vex: Add support for CSAF format (#5535) (c47ed0d)
• vex: consider root component for relationships (#6313) (c4022d6)
• vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
• vex: support non-root components for products in OpenVEX (#6728) (9515695)
• vuln: enable --vex for all targets (#5992) (e2eb70e)
• vuln: Handle scanning conan v2.x lockfiles (#6357) (29b8faf)
• vuln: ignore vulnerabilities by PURL (#6178) (cd3e4bc)
• vuln: include pkg identifier on detected vulnerabilities (#5439) (1f0d629)
• vuln: remove duplicates in Fixed Version (#5596) (a54d1e9)
• vuln: show suppressed vulnerabilities in table (#6084) (3c1601b)

Bug Fixes

• add color for error inside of log message (#6493) (cfddfb3)
• add context to target finding on k8s table view (#6099) (1b7e474)
• alpine: Add EOL support for alpine 3.19. (#5938) (260aa28)
• alpine: exclude empty licenses for apk packages (#6130) (aadbad1)
• amazon: check only major version of AL to find advisories (#6295) (fb8c516)
• amazon: save system files for pkgs containing amzn in src (#5951) (fbc1a83)
• bitnami: use a different comparer for detecting vulnerabilities (#5633) (abf227e)
• c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
• check returned error before deferring f.Close() (#6007) (13f797f)
• check unescaped BomRef when matching PkgIdentifier (#6025) (6ccc0a5)
• clean up golangci lint configuration (#6797) (62de6f3)
• cli: always output fatal errors to stderr (#6827) (c2b9132)
• cli: inconsistent behavior across CLI flags, environment variables, and config files (#5843) (59e5433)
• cli: show info message only when --scanners is available (#7032) (e9fc3e3)
• close APKINDEX archive file (#6672) (5caf437)
• close plugin.yaml (#6577) (916f6c6)
• close pom.xml (#6507) (a986199)
• close settings.xml (#6768) (9c3e895)
• close testfile (#6830) (aa0c413)
• cloudformation: infer type after resolving a function (#6406) (6a2f6fd)
• cloudformation: resolve DedicatedMasterEnabled parsing issue (#6439) (74e4c6e)
• cloudformation: support of all SSE algorithms for s3 (#6270) (337cb75)
• conda: add support pip deps for environment.yml files (#6675) (150a773)
• cyclonedx: fix unmarshal for licenses (#5828) (b3d516e)
• cyclonedx: move root component from scanned cyclonedx file to output cyclonedx file (#6113) (a813506)
• cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
• db: check schema version for image name only (#6410) (8baccd7)
• db: use schema version as tag only for trivy-db and trivy-java-db registries by default (#6219) (96bd7ac)
• debian: sort dpkg info before parsing due to exclude directories (#6551) (9aca98c)
• debian: take installed files from the origin layer (#6849) (089b953)
• fix cursor usage in Redis Clear function (#6056) (2900a21)
• fs: handle default skip dirs properly (#6628) (8016b82)
• go: add only non-empty root modules for gobinaries (#6710) (c96f2a5)
• go: include only .version|.ver (no prefixes) ldflags for gobinaries (#6705) (afb4f9d)
• Golang version parsing from binaries w/GOEXPERIMENT (#6696) (696f2ae)
• handle non-parsable images names (#5965) (2212d14)
• helm: scan the subcharts once (#6382) (f148eb1)
• ignore no init containers (#5939) (a3fac90)
• image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
• include packages unless it is not needed (#6765) (56dbe1f)
• increase the default buffer size for scanning dpkg status files by 2 times (#6298) (3177924)
• java: add only valid libs from pom.properties files from jars (#6164) (8221473)
• java: check if a version exists when determining GAV by file name for jar files (#5630) (37e7e3e)
• java: don't ignore runtime scope for pom.xml files (#6223) (c4b5ab7)
• java: don't remove excluded deps from upper pom's (#5838) (7895657)
• java: parse modules from pom.xml files once (#6312) (7c409fd)
• java: recursive check all nested depManagements with import scope for pom.xml files (#5982) (729a051)
• java: update logic to detect pom.xml file snapshot artifacts from remote repositories (#6412) (34ab09d)
• k8s friendly error messages kbom non cluster scans (#5594) (2145464)
• k8s summary separate infra and user finding results (#6120) (dc76c6e)
• license: add FilePath to results to allow for license path filtering via trivyignore file (#6215) (04535b5)
• license: reorder logic of how python package licenses are acquired (#6220) (56cedc0)
• license: return license separation using separators ,, or, etc. (#6916) (52f7aa5)
• misconf: add an image misconf to result (#5731) (a5342da)
• misconf: avoid panic if the scheme is not valid (#6496) (4337068)
• misconf: clear location URI for SARIF (#6405) (712dcd3)
• misconf: do not use semver for parsing tf module versions (#6614) (9c794c0)
• misconf: don't shift ignore rule related to code (#6708) (39a746c)
• misconf: Escape template value correctly (#6292) (1c49a16)
• misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
• misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
• misconf: get user from Config.User (#6070) (7fec991)
• misconf: handle source prefix to ignore (#6945) (c3192f0)
• misconf: load cached tf modules (#6607) (7a25dad)
• misconf: Parse JSON k8s manifests properly (#6490) (9b7d713)
• misconf: parsing numbers without fraction as int (#6834) (8141a13)
• misconf: skip Rego errors with a nil location (#6638) (a2c522d)
• misconf: skip Rego errors with a nil location (#6666) (a126e10)
• node-collector high and critical cves (#6707) (ff32deb)
• nodejs: add local packages support for pnpm-lock.yaml files (#6034) (4e962c0)
• nodejs: add name validation for package name from package.json (#6268) (12c5bf0)
• nodejs: add support for parsing workspaces from package.json as an object (#6231) (f85c9fa)
• nodejs: find licenses for packages with slash (#5836) (f90d4ee)
• nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
• nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (7d083bc)
• nodejs: merge Indirect, Dev, ExternalReferences fields for same deps from package-lock.json files v2 or later (#6356) (258d153)
• nodejs: support protocols for dependency section in yarn.lock files (#5612) (ad977a4)
• nodejs: use project dir when searching for workspaces for Yarn.lock files (#6102) (3ac6388)
• plugin: initialize logger (#6836) (728e77a)
• plugin: respect --insecure (#7022) (3d02a31)
• Printf format err (#6198) (876ab84)
• purl: add missed os types (#6955) (2d85a00)
• python: add package name and version validation for requirements.txt files. (#6804) (ea3a124)
• python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
• report: don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used (#6348) (1870f28)
• report: don't mark misconfig passed tests as failed in junit.tpl (#5767) (be5a550)
• report: fix error if miconfigs are empty (#5782) (c317fe8)
• report: hide empty tables if all vulns has been filtered (#6352) (3d388d8)
• report: update Gitlab template (#5721) (eb97419)
• report: use AWS_REGION env for secrets in asff template (#6011) (70dd572)
• report: use OS information for OS packages purl in github template (#5783) (6cc00c2)
• report: use time.Time for CreatedAt (#5598) (ae4bcf6)
• sbom: add check for CreationInfo to nil when detecting SPDX created using Trivy (#6346) (e866bd5)
• sbom: change error to warning for multiple OSes (#6541) (d2d4022)
• sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
• sbom: fix error when parent of SPDX Relationships is not a package. (#6399) (5f69937)
• sbom: fix panic for convert mode when scanning json file derived from sbom file (#6808) (f92ea09)
• sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
• sbom: skip executable file analysis if Rekor isn't a specified SBOM source (#6163) (7694df1)
• sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)
• sbom: use group field for pom.xml and nodejs files for CycloneDX reports (#5922) (c75143f)
• sbom: use purl for bitnami pkg names (#6982) (7eabb92)
• sbom: use package UIDs for uniqueness (#7042) (14d71ba)
• secret: Asymmetric Private Key shouldn't start with space (#6867) (bb26445)
• secret: AWS Secret Access Key must include only secrets with aws text. (#5901) (958e1f1)
• secret: add sec and space to secret prefix for aws-secret-access-key (#5647) (8ff574e)
• secret: convert severity for custom rules (#6500) (46d5aba)
• secret: exclude upper case before secret for alibaba-access-key-id (#5618) (b1dc60b)
• secret: find aws secrets ending with a comma or dot (#5921) (ae134a9)
• server: add Locations for Packages in client/server mode (#6366) (a2482c1)
• suse: Add SLES 15.6 and Leap 15.6 (#6964) (5ee4e9d)
• swift: try to use branch to resolve version (#6168) (e787e1a)
• terraform: Attribute and fileset fixes (#6544) (7c2017f)
• terraform: do not re-expand dynamic blocks (#6151) (64926d8)
• terraform: ensure consistent path handling across OS (#6161) (327cf88)
• terraform: eval submodules (#6411) (13190e9)
• terraform: fix policy document retrieval (#6276) (102b6df)
• terraform: fix root module search (#6160) (1dfece8)
• terraform: сhecking SSE encryption algorithm validity (#6341) (abd62ae)
• trivy k8s avoid deleting non-default node collector namespace (#6559) (8e6cd0e)
• typo (#6283) (1ba5b59)
• typo function name and comment optimization (#6200) (3d2f583)
• use 0600 perms for tmp files for post analyzers (#6386) (9d7f5c9)
• use embedded when command path not found (#7037) (137c916)
• use of specified context to obtain cluster name (#6645) (39ebed4)
• vex: CSAF filtering should consider relationships (#5923) (9c5e5a0)
• vm: update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888) (0ebb6c4)
• vuln: skip empty versions (#6542) (164b025)

Performance Improvements

• debian: use bytes.Index in emptyLineSplit to cut allocation (#7065) (acbec05)
• helm: load in-memory files (#6383) (1a67472)
• misconf: Improve cause performance (#6586) (770b141)
• misconf: parse rego input once (#6615) (67c6b1d)

Reverts

• report: don't escape new line characters for sarif format (#5897) (56c4e24)

---

This PR was generated with Release Please. See documentation.

[github-actions]

This PR is stale because it has been labeled with inactivity.

[github-actions]

This PR is stale because it has been labeled with inactivity.