chore: Update Trivy to 0.40.0 (#223)

* chore: Update trivy to 0.39.0

* chore: Update trivy to 0.40.0

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.31.2
+  TRIVY_VERSION: 0.40.0
   BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:

Dockerfile

@@ -1,5 +1,5 @@
-FROM ghcr.io/aquasecurity/trivy:0.31.2
+FROM ghcr.io/aquasecurity/trivy:0.40.0
 COPY entrypoint.sh /
-RUN apk --no-cache add bash curl
+RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -262,7 +262,7 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 ```
 
-### Using Trivy to scan Infrastucture as Code
+### Using Trivy to scan Infrastructure as Code
 It's also possible to scan your IaC repos with Trivy's built-in repo scan. This can be handy if you want to run Trivy as a build time check on each PR that gets opened in your repo. This helps you identify potential vulnerablites that might get introduced with each PR.
 
 If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Trivy as a scanning tool as follows:
@@ -299,11 +299,12 @@ jobs:
 ```
 
 ### Using Trivy to generate SBOM
-It's possible for Trivy to generate an SBOM of your dependencies and submit them to a consumer like GitHub Dependency Snapshot.
+It's possible for Trivy to generate an [SBOM](https://www.aquasec.com/cloud-native-academy/supply-chain-security/sbom/) of your dependencies and submit them to a consumer like [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph).
 
-The sending of SBOM to GitHub feature is only available if you currently have [GitHub Dependency Snapshot](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) available to you in your repo. 
+The [sending of an SBOM to GitHub](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api) feature is only available if you currently have GitHub Dependency Graph [enabled in your repo](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-the-dependency-graph#enabling-and-disabling-the-dependency-graph-for-a-private-repository). 
+
+In order to send results to GitHub Dependency Graph, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) or use the [GitHub installation access token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) (also known as `GITHUB_TOKEN`):
 
-In order to send results to the GitHub Dependency Snapshot, you will need to create a [GitHub PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)
 ```yaml
 ---
 name: Pull Request
@@ -311,7 +312,11 @@ on:
   push:
     branches:
     - master
-  pull_request:
+
+## GITHUB_TOKEN authentication, add only if you're not going to use a PAT
+permissions:
+  contents: write
+
 jobs:
   build:
     name: Checks
@@ -320,14 +325,14 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
           format: 'github'
           output: 'dependency-results.sbom.json'
           image-ref: '.'
-          github-pat: '<github_pat_token>'
+          github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
 ```
 
 ### Using Trivy to scan your private registry
@@ -498,9 +503,11 @@ Following inputs can be used as `step.with` keys:
 | `ignore-policy`   | String  |                                    | Filter vulnerabilities with OPA rego language                                                   |
 | `hide-progress`   | String  | `true`                             | Suppress progress bar                                                                           |
 | `list-all-pkgs`   | String  |                                    | Output all packages regardless of vulnerability                                                 |
-| `security-checks` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
+| `scanners` | String  | `vuln,secret`                      | comma-separated list of what security issues to detect (`vuln`,`secret`,`config`)               |
 | `trivyignores`    | String  |                                    | comma-separated list of relative paths in repository to one or more `.trivyignore` files        |
-| `github-pat`      | String  |                                    | GitHub Personal Access Token (PAT) for sending SBOM scan results to GitHub Dependency Snapshots |
+| `trivy-config`    | String  |                                    | Path to trivy.yaml config                                                                       |
+| `github-pat`      | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN |
+| `limit-severities-for-sarif`      | Boolean  | false                                   | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** |
 
 [release]: https://github.com/aquasecurity/trivy-action/releases/latest
 [release-img]: https://img.shields.io/github/release/aquasecurity/trivy-action.svg?logo=github

action.yaml

@@ -71,7 +71,7 @@ inputs:
     description: 'output all packages regardless of vulnerability'
     required: false
     default: 'false'
-  security-checks:
+  scanners:
     description: 'comma-separated list of what security issues to detect'
     required: false
     default: ''
@@ -88,6 +88,9 @@ inputs:
   trivy-config:
     description: 'path to trivy.yaml config'
     required: false
+  limit-severities-for-sarif:
+    description: 'limit severities for SARIF format'
+    required: false
 
 runs:
   using: 'docker'
@@ -111,7 +114,8 @@ runs:
     - '-p ${{ inputs.hide-progress }}'
     - '-q ${{ inputs.skip-files }}'
     - '-r ${{ inputs.list-all-pkgs }}'
-    - '-s ${{ inputs.security-checks }}'
+    - '-s ${{ inputs.scanners }}'
     - '-t ${{ inputs.trivyignores }}'
     - '-u ${{ inputs.github-pat }}'
     - '-v ${{ inputs.trivy-config }}'
+    - '-z ${{ inputs.limit-severities-for-sarif }}'

entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
+while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:z:" o; do
    case "${o}" in
        a)
          export scanType=${OPTARG}
@@ -57,7 +57,7 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
          export listAllPkgs=${OPTARG}
        ;;
        s)
-         export securityChecks=${OPTARG}
+         export scanners=${OPTARG}
        ;;
        t)
          export trivyIgnores=${OPTARG}
@@ -68,6 +68,9 @@ while getopts "a:b:c:d:e:f:g:h:i:j:k:l:m:n:o:p:q:r:s:t:u:v:" o; do
        v)
          export trivyConfig=${OPTARG}
        ;;
+       z)
+         export limitSeveritiesForSARIF=${OPTARG}
+       ;;
   esac
 done
 
@@ -81,8 +84,10 @@ input=$(echo $input | tr -d '\r')
 if [ $input ]; then
   artifactRef="--input $input"
 fi
+#trim leading spaces for boolean params
 ignoreUnfixed=$(echo $ignoreUnfixed | tr -d '\r')
 hideProgress=$(echo $hideProgress | tr -d '\r')
+limitSeveritiesForSARIF=$(echo $limitSeveritiesForSARIF | tr -d '\r')
 
 GLOBAL_ARGS=""
 if [ $cacheDir ];then
@@ -109,9 +114,9 @@ if [ $vulnType ] && [ "$scanType" != "config" ] && [ "$scanType" != "sbom" ];the
   ARGS="$ARGS --vuln-type $vulnType"
   SARIF_ARGS="$SARIF_ARGS --vuln-type $vulnType"
 fi
-if [ $securityChecks ];then
-  ARGS="$ARGS --security-checks $securityChecks"
-  SARIF_ARGS="$SARIF_ARGS --security-checks $securityChecks"
+if [ $scanners ];then
+  ARGS="$ARGS --scanners $scanners"
+  SARIF_ARGS="$SARIF_ARGS --scanners $scanners"
 fi
 if [ $severity ];then
   ARGS="$ARGS --severity $severity"
@@ -164,7 +169,13 @@ if [ "$skipFiles" ];then
 fi
 
 trivyConfig=$(echo $trivyConfig | tr -d '\r')
-if [ $trivyConfig ]; then
+if [ "${format}" == "sarif" ] && [ "${limitSeveritiesForSARIF}" != "true" ]; then
+  # SARIF is special. We output all vulnerabilities,
+  # regardless of severity level specified in this report.
+  # This is a feature, not a bug :)
+  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
+  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
+elif [ $trivyConfig ]; then
    echo "Running Trivy with trivy.yaml config from: " $trivyConfig
    trivy --config $trivyConfig ${scanType} ${artifactRef}
    returnCode=$?
@@ -175,14 +186,6 @@ else
    returnCode=$?
 fi
 
-# SARIF is special. We output all vulnerabilities,
-# regardless of severity level specified in this report.
-# This is a feature, not a bug :)
-if [[ "${format}" == "sarif" ]]; then
-  echo "Building SARIF report with options: ${SARIF_ARGS}" "${artifactRef}"
-  trivy --quiet ${scanType} --format sarif --output ${output} $SARIF_ARGS ${artifactRef}
-fi
-
 if [[ "${format}" == "github" ]]; then
   if [[ "$(echo $githubPAT | xargs)" != "" ]]; then
     printf "\n Uploading GitHub Dependency Snapshot"

test/data/config-sarif.test

@@ -13,7 +13,7 @@
               "id": "DS002",
               "name": "Misconfiguration",
               "shortDescription": {
-                "text": "DS002"
+                "text": "Image user should not be \u0026#39;root\u0026#39;"
               },
               "fullDescription": {
                 "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
@@ -35,9 +35,36 @@
                   "HIGH"
                 ]
               }
+            },
+            {
+              "id": "DS026",
+              "name": "Misconfiguration",
+              "shortDescription": {
+                "text": "No HEALTHCHECK defined"
+              },
+              "fullDescription": {
+                "text": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+              },
+              "defaultConfiguration": {
+                "level": "note"
+              },
+              "helpUri": "https://avd.aquasec.com/misconfig/ds026",
+              "help": {
+                "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+                "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+              },
+              "properties": {
+                "precision": "very-high",
+                "security-severity": "2.0",
+                "tags": [
+                  "misconfiguration",
+                  "security",
+                  "LOW"
+                ]
+              }
             }
           ],
-          "version": "0.31.2"
+          "version": "0.40.0"
         }
       },
       "results": [
@@ -61,6 +88,36 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "Dockerfile"
+              }
+            }
+          ]
+        },
+        {
+          "ruleId": "DS026",
+          "ruleIndex": 1,
+          "level": "note",
+          "message": {
+            "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "Dockerfile",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1,
+                  "startColumn": 1,
+                  "endLine": 1,
+                  "endColumn": 1
+                }
+              },
+              "message": {
+                "text": "Dockerfile"
               }
             }
           ]

test/data/config.test

@@ -20,14 +20,15 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 21,
-        "Failures": 1,
+        "Successes": 24,
+        "Failures": 2,
         "Exceptions": 0
       },
       "Misconfigurations": [
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -49,6 +50,32 @@
               "Lines": null
             }
           }
+        },
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS026",
+          "AVDID": "AVD-DS-0026",
+          "Title": "No HEALTHCHECK defined",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+          "Namespace": "builtin.dockerfile.DS026",
+          "Query": "data.builtin.dockerfile.DS026.deny",
+          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+          "References": [
+            "https://blog.aquasec.com/docker-security-best-practices",
+            "https://avd.aquasec.com/misconfig/ds026"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
         }
       ]
     }

test/data/fs-scheck.test

@@ -20,14 +20,15 @@
       "Class": "config",
       "Type": "dockerfile",
       "MisconfSummary": {
-        "Successes": 21,
-        "Failures": 1,
+        "Successes": 24,
+        "Failures": 2,
         "Exceptions": 0
       },
       "Misconfigurations": [
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
@@ -49,6 +50,32 @@
               "Lines": null
             }
           }
+        },
+        {
+          "Type": "Dockerfile Security Check",
+          "ID": "DS026",
+          "AVDID": "AVD-DS-0026",
+          "Title": "No HEALTHCHECK defined",
+          "Description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+          "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+          "Namespace": "builtin.dockerfile.DS026",
+          "Query": "data.builtin.dockerfile.DS026.deny",
+          "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+          "Severity": "LOW",
+          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+          "References": [
+            "https://blog.aquasec.com/docker-security-best-practices",
+            "https://avd.aquasec.com/misconfig/ds026"
+          ],
+          "Status": "FAIL",
+          "Layer": {},
+          "CauseMetadata": {
+            "Provider": "Dockerfile",
+            "Service": "general",
+            "Code": {
+              "Lines": null
+            }
+          }
         }
       ]
     }

test/data/image-sarif.test

@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.31.2"
+          "version": "0.40.0"
         }
       },
       "results": [

test/data/image-trivyignores.test

@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 1 (CRITICAL: 1)
+Total: 2 (CRITICAL: 2)
 
 ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9             │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│ openssl  │ CVE-2018-20997 │ CRITICAL │ 0.8.3             │ 0.10.9        │ Use after free in openssl                                   │
+│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20997                  │
+├──────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec │ CVE-2021-25900 │          │ 0.6.9             │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │          │                │          │                   │               │ and 1.x...                                                  │
 │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

test/data/image.test

@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 4 (CRITICAL: 4)
+Total: 5 (CRITICAL: 5)
 
 ┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0             │ 0.3.1, 0.4.2  │ An issue was discovered in the rand_core crate before 0.4.2 │
+│ openssl   │ CVE-2018-20997 │ CRITICAL │ 0.8.3             │ 0.10.9        │ Use after free in openssl                                   │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20997                  │
+├───────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ rand_core │ CVE-2020-25576 │          │ 0.4.0             │ 0.3.1, 0.4.2  │ An issue was discovered in the rand_core crate before 0.4.2 │
 │           │                │          │                   │               │ for Rust....                                                │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-25576                  │
 ├───────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
@@ -92,7 +95,7 @@ Total: 4 (CRITICAL: 4)
 │           │                │          │                   │               │ for Rust....                                                │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15554                  │
 │           ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
-│           │ CVE-2021-25900 │          │                   │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│           │ CVE-2021-25900 │          │                   │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │           │                │          │                   │               │ and 1.x...                                                  │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

test/data/repo.test

@@ -69,7 +69,6 @@
             ]
           },
           "Match": "export GITHUB_PAT=****************************************",
-          "Deleted": false,
           "Layer": {}
         }
       ]

test/data/yamlconfig.test

@@ -60,6 +60,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2021-36159",
+          "PkgID": "apk-tools@2.10.6-r0",
           "PkgName": "apk-tools",
           "InstalledVersion": "2.10.6-r0",
           "FixedVersion": "2.10.7-r0",

test/test.bats

@@ -4,7 +4,7 @@ bats_load_library bats-assert
 bats_load_library bats-file
 
 @test "trivy repo with securityCheck secret only" {
-  # trivy repo --format json --output repo.test --security-checks=secret https://github.com/krol3/demo-trivy/
+  # trivy repo --format json --output repo.test --scanners=secret https://github.com/krol3/demo-trivy/
   run ./entrypoint.sh '-b json' '-h repo.test' '-s secret' '-a repo' '-j https://github.com/krol3/demo-trivy/'
   run diff repo.test ./test/data/repo.test
   echo "$output"
@@ -52,7 +52,7 @@ bats_load_library bats-file
 }
 
 @test "trivy fs with securityChecks option" {
-  # trivy fs --format json --security-checks=vuln,config --output fs-scheck.test .
+  # trivy fs --format json --scanners=vuln,config --output fs-scheck.test .
   run ./entrypoint.sh '-a fs' '-b json' '-j .' '-s vuln,config,secret' '-h fs-scheck.test'
   run diff fs-scheck.test ./test/data/fs-scheck.test
   echo "$output"

workflow.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
         uses: actions/checkout@v2