v0.59.0

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🪞Registry mirrors support 🪩
  • 🔄 Manual OS Distribution Override 🎭
  • 🎯 Improved Cache Efficiency for Git Repositories 💾
  • ✨ Improve artifact selections from Kubernetes cluster 🕋
  • 🔗 Support for npm Peer Dependencies 🤝
  • ⚓️ Support for inline ignores for Dockerfiles and Helm ⎈
  • 🐍 Support for the Python uv package manager 📦
  • 🎶 Support for Poetry dev dependencies 🎵 🧑‍💻
  • 🐳 Added option to prevent scanning of oversized container images 🚫
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🪞Registry mirrors support 🪩

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Trivy now supports mirrors for registries.
To set them up, you need to configure the host and mirrors in the Trivy config file
For more information, see https://trivy.dev/latest/docs/configuration/others/#mirror-registries.

🔄 Manual OS Distribution Override 🎭

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Trivy now supports manually specifying the OS distribution for vulnerability scanning through the new --distro flag. This feature is particularly useful in several scenarios:

• When you need to scan vulnerabilities against a different OS version than the installed one
• When OS detection fails (e.g., in distroless images where /etc/os-release is removed)
• When scanning non-container artifacts like RPM archives that don't provide OS information

Usage:

# Scan Alpine 3.20 image against edge repository
$ trivy image --distro alpine/edge alpine:3.20

# Scan distroless image with Debian 11 vulnerabilities
$ trivy image --distro debian/11 my-distroless

# Scan RPM archives using Red Hat 9 security advisories
$ trivy fs --distro redhat/9 ./rpms/

When the --distro flag is provided, it will override any automatically detected OS information. The flag expects the format <family>/<version> and supports major Linux distributions, including Alpine, Debian, and Red Hat.

🎯 Improved Cache Efficiency for Git Repositories 💾

Trivy now uses Git commit hashes as cache keys when scanning clean Git repositories, resulting in more efficient caching and subsequent faster scans. This improvement helps eliminate unnecessary cache invalidation and repeated scans.

Key improvements:

• Uses commit hash as a stable cache key for clean Git repositories
• Skips cache deletion after scanning clean repositories
• Falls back to UUID-based caching for repositories with uncommitted changes
• Reduces unnecessary I/O operations through better cache reuse

Usage:

# Cache will always use commit hash as key for repository scanning
$ trivy repo github.com/aquasecurity/trivy

# Cache will be preserved for clean local Git repositories
$ trivy fs /path/to/clean/git/repo

# For local repositories with uncommitted changes, falls back to the previous behavior
$ trivy fs /path/to/dirty/git/repo

✨ Improve artifact selections from Kubernetes cluster 🕋

Enhanced artifact handling and filtering based on --include-namespaces/--exclude-namespaces and --include-kinds/--exclude-kinds flags. Scanning a Kubernetes cluster now requires only Role for the relevant namespaces instead of ClusterRole.

This command selects artifacts only from limitedns namespace for the next role

$ trivy k8s --report summary --kubeconfig myconfig mycontext --include-namespaces limitedns

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: limited-role
  namespace: limitedns
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["list"]
- apiGroups: ["apps", "batch", "networking.k8s.io","rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["list"]

🔗 Support for npm Peer Dependencies 🤝

Trivy now treats peer dependencies as normal dependencies for more accurate vulnerability detection and dependency tree visualization. This change aligns with modern npm behavior (v7+) where peer dependencies are installed and displayed in the dependency tree like regular dependencies.

This improvement helps:

• Detect vulnerabilities in peer dependencies that are listed in package-lock.json
• Reduce confusion by following npm's newer approach to peer dependency handling

Usage:

# Scan a Node.js project with peer dependencies
trivy repo /path/to/nodejs/project

⚓️ Support for inline ignores for Dockerfiles and Helm ⎈

Trivy now supports inline ignores for Dockerfile and Helm misconfiguration scanning.

Dockerfile:

FROM scratch

# trivy:ignore:AVD-DS-0022
MAINTAINER [email protected]

Helm:

      serviceAccountName: "testchart.serviceAccountName"
      containers:
        # trivy:ignore:KSV018
        - name: "testchart"
          securityContext:
            runAsUser: 1000
            runAsGroup: 3000
          image: "your-repository/your-image:your-tag"
          imagePullPolicy: "Always"

🐍 Support for the Python uv package manager 📦

Trivy now supports scanning the uv.lock lock file of the uv package manger to extract dependencies and find vulnerabilities. By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

❯ uv init
❯ uv add django==4.2.16
❯ ./trivy fs uv.lock -d --dependency-tree
uv.lock (uv)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version     │                         Title                          │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼────────────────────────────────────────────────────────┤
│ django  │ CVE-2024-53908 │ HIGH     │ fixed  │ 4.2.16            │ 5.0.10, 5.1.4, 4.2.17 │ django: Potential SQL injection in HasKey(lhs, rhs) on │
│         │                │          │        │                   │                       │ Oracle                                                 │
│         │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-53908             │
│         ├────────────────┼──────────┤        │                   ├───────────────────────┼────────────────────────────────────────────────────────┤
│         │ CVE-2024-53907 │ MEDIUM   │        │                   │ 5.1.4, 4.2.17, 5.0.10 │ django: Potential denial-of-service in                 │
│         │                │          │        │                   │                       │ django.utils.html.strip_tags()                         │
│         │                │          │        │                   │                       │ https://avd.aquasec.com/nvd/cve-2024-53907             │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴────────────────────────────────────────────────────────┘

Dependency Origin Tree (Reversed)
=================================
uv.lock
└── [email protected], (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

🎶 Support for Poetry dev dependencies 🎵 🧑‍💻

Trivy now extracts dev dependencies from the poetry.lock lock file. By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

❯ poetry add pytest --group dev
Using version ^8.3.4 for pytest

Updating dependencies
Resolving dependencies... (0.1s)

❯ trivy fs poetry-demo --include-dev-deps --list-all-pkgs -f json |jq '.Results[].Packages[].ID'
2025-01-30T15:01:45+06:00       INFO    [vuln] Vulnerability scanning is enabled
2025-01-30T15:01:45+06:00       INFO    [secret] Secret scanning is enabled
2025-01-30T15:01:45+06:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-30T15:01:45+06:00       INFO    [secret] Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret#recommendation for faster secret detection
2025-01-30T15:01:45+06:00       INFO    Number of language-specific files       num=1
2025-01-30T15:01:45+06:00       INFO    [poetry] Detecting vulnerabilities...
"[email protected]"
"[email protected]"
"[email protected]"
"[email protected]"
"[email protected]"

🐳 Added option to prevent scanning of oversized container images 🚫

⚠️ EXPERIMENTAL: This feature is still experimental. It might change without preserving backward compatibility.

Use the --max-image-size flag to avoid scanning images that exceed a specified size. The size is specified in a human-readable format (e.g., 100MB, 10GB). Trivy uses decimal (SI) prefixes (based on 1000) for size.

An error is returned in the following cases:

• if the compressed image size exceeds the limit,
• if the accumulated size of the uncompressed layers exceeds the limit during their pulling.

❯ trivy image alpine:3.19 --max-image-size 1mb --platform amd/linux64 -q
2025-01-30T15:07:45+06:00       FATAL   Error   compressed image size 3.65MB exceeds maximum allowed size 1MB

👷‍♂️ Notable Fixes 🛠️

• fix(dpkg): de-duplicate same packages with different filePaths from different layers #8297
• bug: config file generated by --generate-default-config contains removed and deprecated flags #8043
• bug(license): trim leading and trailing spaces for licenses #8094
• feat(redhat): also parse /usr/share/buildinfo for "content manifests" #8213
• bug(redhat): Trivy doesn't skip vulnerability from CVE-ID if package version is not affected for RHSA-ID of this vulnerability #8061
• fix(sbom): scan results of SBOMs generated from container images are missing layers #7635 Thanks @fabriziosestito
• fix(spdx): use hasExtractedLicensingInfos for licenses not in the SPDX license list #7721
• fix(misconf): correctly handle all YAML tags in K8S templates #8259
• fix(misconf): disable git terminal prompt on tf module load #8026
• fix(misconf): handle heredocs in dockerfile instructions #8284
• golang.org/x/crypto: CVE-2024-45337 #8100
• github.com/go-git/go-git/v5: CVE-2025-21613 #8211
• fix(fs): improve cache key generation for parallel execution #8280
• bug: docker history analyzer exports instructions with build arguments without processing #8277
• fix(misconf): correctly handle all YAML tags in K8S templates #8252