github aquasecurity/trivy v0.10.0


Changes

Ensure trivy docker image runs as a non root user (#519)

This change has been reverted in v0.10.1.

As of this release, Trivy runs as a non-root user inside the Docker image. If you run the image with a bind-mounted cache directory under /root (the root user's home directory), as below, the scan may fail with a permission denied error, because the non-root user cannot write there. Whatever directory you choose, the host directory you mount must also be writable by that user's UID.

$ docker run --rm -v $PWD:/root/.cache/  aquasec/trivy:latest --cache-dir /root/.cache image centos:7

In that case, use a directory the non-root user can write to, for example under /tmp:

$ docker run --rm -v $PWD:/tmp/.cache/  aquasec/trivy:latest --cache-dir /tmp/.cache image centos:7

See also: https://github.com/aquasecurity/trivy#others

Only show severity total from filter flags (#559)

$ trivy image --severity MEDIUM alpine:3.10.2
2020-07-30T16:16:37.890+0300    INFO    Detecting Alpine vulnerabilities...

alpine:3.10.2 (alpine 3.10.2)
=============================
Total: 4 (MEDIUM: 4)

New features

Support OPA to filter vulnerabilities (#562)

Trivy supports Open Policy Agent (OPA) to filter vulnerabilities. You can specify a Rego file with the --ignore-policy option; each vulnerability is evaluated against the policy and is dropped from the report when the policy's ignore rule evaluates to true.

$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7

For more details: https://github.com/aquasecurity/trivy#filter-the-vulnerabilities-by-open-policy-agent-policy

Add CWE-ID (#561)

$ trivy image -f json alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Vulnerabilities": [
      {
        "VulnerabilityID": "CVE-2019-1549",
        "CweIDs": [
          "CWE-330"
        ],
...

Add --list-all-pkgs option (#574)

The --list-all-pkgs option outputs all installed packages/libraries, including those with no known vulnerabilities, which makes the JSON output usable as a software inventory.

$ trivy image -f json --list-all-pkgs alpine:3.10.2
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
      {
        "Name": "alpine-baselayout",
        "Version": "3.1.2-r0",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
      {
        "Name": "alpine-keys",
        "Version": "2.1-r2",
        "Layer": {
          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
        }
      },
...
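The three JSON-related items above (the severity totals, the OPA ignore policy, the CweIDs field and the --list-all-pkgs package list) are easiest to understand by post-processing a report. The following is an added example, not Trivy's own code: it loads a constructed report in the v0.10.0 JSON layout, applies the same shape of per-vulnerability ignore decision that an --ignore-policy Rego file makes (here written in Python purely for illustration; Trivy itself evaluates Rego), reproduces the "Total: N (...)" summary line for a --severity filter, and walks the Packages array. The IGNORE_* values and the "CVE-0000-000N" entries are placeholders, not real advisories or a recommended policy.

```python
"""Post-process a Trivy v0.10.0-style JSON report (added example, not Trivy code)."""
import json
from collections import Counter

# Constructed sample report. CVE-2019-1549/CWE-330 and the first two packages are the
# ones shown in the release note; the CVE-0000-000N entries are placeholders.
SAMPLE_REPORT_JSON = r"""
[
  {
    "Target": "alpine:3.10.2 (alpine 3.10.2)",
    "Type": "alpine",
    "Packages": [
      {"Name": "alpine-baselayout", "Version": "3.1.2-r0",
       "Layer": {"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"}},
      {"Name": "alpine-keys", "Version": "2.1-r2",
       "Layer": {"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"}},
      {"Name": "openssl", "Version": "1.1.1c-r0",
       "Layer": {"DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"}}
    ],
    "Vulnerabilities": [
      {"VulnerabilityID": "CVE-2019-1549", "PkgName": "openssl", "InstalledVersion": "1.1.1c-r0",
       "Severity": "MEDIUM", "CweIDs": ["CWE-330"]},
      {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1c-r0",
       "Severity": "MEDIUM", "CweIDs": ["CWE-327"]},
      {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl", "InstalledVersion": "1.1.22-r3",
       "Severity": "HIGH", "CweIDs": ["CWE-787"]},
      {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.30.1-r2",
       "Severity": "LOW", "CweIDs": []}
    ]
  }
]
"""

# Hypothetical ignore rules, the same three kinds of condition a Rego ignore rule
# typically tests: package name, severity, and CWE class.
IGNORE_PKGS = {"busybox"}
IGNORE_SEVERITIES = {"LOW", "UNKNOWN"}
IGNORE_CWES = {"CWE-327"}

# Trivy's display order for the summary line.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def load_sample():
    """Parse the constructed report; a real run would read `trivy image -f json` output."""
    return json.loads(SAMPLE_REPORT_JSON)


def ignore(vuln):
    """The per-vulnerability ignore decision: True means drop this finding."""
    if vuln.get("PkgName") in IGNORE_PKGS:
        return True
    if vuln.get("Severity") in IGNORE_SEVERITIES:
        return True
    # CweIDs is only present when the advisory carries a CWE mapping, so default to [].
    return any(cwe in IGNORE_CWES for cwe in vuln.get("CweIDs") or [])


def apply_policy(report):
    """Return a copy of the report with ignored findings removed from every target."""
    return [{**r, "Vulnerabilities": [v for v in r.get("Vulnerabilities") or [] if not ignore(v)]}
            for r in report]


def severity_totals(result, severities=None):
    """Findings per severity for one target; restrict to `severities` when given."""
    counts = Counter(v.get("Severity", "UNKNOWN") for v in result.get("Vulnerabilities") or [])
    if severities is not None:
        counts = Counter({s: n for s, n in counts.items() if s in severities})
    return counts


def summary_line(result, severities=None):
    """'Total: N (SEV: n, ...)', listing only the filtered severities when a filter is set (#559)."""
    shown = [s for s in SEVERITY_ORDER if severities is None or s in severities]
    counts = severity_totals(result, set(shown))
    return f"Total: {sum(counts.values())} ({', '.join(f'{s}: {counts[s]}' for s in shown)})"


def package_inventory(result):
    """(name, version, layer DiffID) for every installed package, as --list-all-pkgs reports them."""
    return sorted((p["Name"], p["Version"], p.get("Layer", {}).get("DiffID", ""))
                  for p in result.get("Packages") or [])


def cwe_histogram(report):
    """How many findings map to each CWE across all targets; unmapped ones count as 'none'."""
    hist = Counter()
    for r in report:
        for v in r.get("Vulnerabilities") or []:
            hist.update(v.get("CweIDs") or ["none"])
    return hist


if __name__ == "__main__":
    report = load_sample()
    for r in report:
        print(r["Target"])
        print("  all findings:     ", summary_line(r))
        print("  --severity MEDIUM:", summary_line(r, {"MEDIUM"}))
    for r in apply_policy(report):
        print("  after ignore policy:", summary_line(r))
        for name, version, diff_id in package_inventory(r):
            print(f"    {name} {version} ({diff_id[:19]}...)")
    print("CWE histogram:", dict(cwe_histogram(report)))
```

The `or []` guards matter on real output: Trivy emits `"Vulnerabilities": null` for a target with no findings, and omits `CweIDs` for an advisory without a CWE mapping, so code that indexes those keys directly breaks on exactly the clean images you want to pass.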

Add sarif template (#558)

Adds a SARIF output template (contrib/sarif.tpl) for the template output format, so scan results can be uploaded to GitHub code scanning:

https://github.blog/2020-10-07-announcing-third-party-code-scanning-tools-infrastructure-as-code-and-container-scanning/

Fixes

  • Improve Ruby version comparison check (#552)
  • Fix --timeout flag (#569)
  • rpc: Add CVSS information to client/server mode (#564)

Changelog

20f2bae Fix non-root directory permission denied error (#578)
8eb9df8 .circleci: Add code coverage (#572)
88aaffa Added support of list-all-packages (#574)
469c0b4 fix: only show severity total from filter flags (#559)
4a34f72 Update README.md (#575)
4d721e1 SARIF: Tweak format for GitHub UI (#571)
9c91da8 Add non root user (#570)
5b9d942 rpc: Add CVSS information to client/server (#564)
d6b37cb Fix --timeout flag (#569)
9c6f077 feat(report): support OPA to filter vulnerabilities (#562)
0b5d936 Fixed case when pre-release is in suffix (#565)
6eebed3 improve ruby comparison version check. (#552)
43085a8 Added sarif template (#558)
4f90b11 feat(vulnerability): add CWE-ID (#561)

Docker images

  • docker pull docker.io/aquasec/trivy:0.10.0
  • docker pull docker.io/aquasec/trivy:latest
