future-architect/vuls v0.25.1

on GitHub

Caution

Version 0.25.0 is SKIPped. DON'T USE 0.25.0.

Highlights

• Trivy dependency is updated, 0.35.0 to 0.49.1

  • Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly
    detected by lockfile scan, these can be auto detected (findLock = true)
  • Rust's binary can also be scanned as lockfile, but not auto detected
  • Related PRs
    • Update trivy from 0.35.0 to 0.49.1 by @shino in #1806
    • fix(detector): library.Scan move to detector by @MaineK00n in #1864
    • Avoid to use sync.Once inside trivy javadb Updater by @shino in #1859

• Add PURL (Package URL) in scan results

  • feat(PackageURL):add package URL for library scan result by @TsubasaKanemitsu in #1862

(Potential) Incompatibilities

• In previous versions, vuls did not output results when all scans had failed, now outputs results
  even when all scans failed

  • Related PRs
    • fix(scanner): output all results even if all fail by @MaineK00n in #1866
    • refactor(config): move syslogconf to config/syslog package by @MaineK00n in #1865

• Due to Trivy dependency update (in Highlights), some of scan logic previously
  executed in vuls scan phase are moved to vuls report phase

  • If new vuls binary is used in vuls scan and older ones in vuls report, there can be
    missing vulnerabilities, don't do that
  • This only affects JAR-like lockfile scan

Misc changes

• fix(ci): use go version of go.mod by @MaineK00n in #1858
• fix(build): Change timeout to 60 minutes by @shino #1867
• chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 by @dependabot in #1849
• chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 by @dependabot in #1854
• chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.2 by @dependabot in #1856
• chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #1861

New Contributors

• @TsubasaKanemitsu made their first contribution in #1862

Full Changelog: v0.24.9...v0.25.1