Add 0.34.0 release (#177)

* bump to ghcr.io/aquasecurity/trivy:0.33.0

* fix tests

* bump to 0.34.0

.github/workflows/build.yaml

@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
-  TRIVY_VERSION: 0.31.2
+  TRIVY_VERSION: 0.34.0
   BATS_LIB_PATH: '/usr/lib/'
 jobs:
   build:

Dockerfile

@@ -1,5 +1,5 @@
-FROM ghcr.io/aquasecurity/trivy:0.31.2
+FROM ghcr.io/aquasecurity/trivy:0.34.0
 COPY entrypoint.sh /
-RUN apk --no-cache add bash curl
+RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

test/data/config-sarif.test

@@ -13,7 +13,7 @@
               "id": "DS002",
               "name": "Misconfiguration",
               "shortDescription": {
-                "text": "DS002"
+                "text": "Image user should not be \u0026#39;root\u0026#39;"
               },
               "fullDescription": {
                 "text": "Running containers with \u0026#39;root\u0026#39; user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a \u0026#39;USER\u0026#39; statement to the Dockerfile."
@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.31.2"
+          "version": "0.34.0"
         }
       },
       "results": [
@@ -61,6 +61,9 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "Dockerfile"
               }
             }
           ]

test/data/config.test

@@ -28,6 +28,7 @@
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",

test/data/fs-scheck.test

@@ -28,6 +28,7 @@
         {
           "Type": "Dockerfile Security Check",
           "ID": "DS002",
+          "AVDID": "AVD-DS-0002",
           "Title": "Image user should not be 'root'",
           "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
           "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",

test/data/image-sarif.test

@@ -37,7 +37,7 @@
               }
             }
           ],
-          "version": "0.31.2"
+          "version": "0.34.0"
         }
       },
       "results": [

test/data/image-trivyignores.test

@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 1 (CRITICAL: 1)
+Total: 2 (CRITICAL: 2)
 
 ┌──────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │ Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├──────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ smallvec │ CVE-2021-25900 │ CRITICAL │ 0.6.9             │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│ openssl  │ CVE-2018-20997 │ CRITICAL │ 0.8.3             │ 0.10.9        │ Use after free in openssl                                   │
+│          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20997                  │
+├──────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ smallvec │ CVE-2021-25900 │          │ 0.6.9             │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │          │                │          │                   │               │ and 1.x...                                                  │
 │          │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └──────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

test/data/image.test

@@ -75,12 +75,15 @@ Total: 19 (CRITICAL: 19)
 
 rust-app/Cargo.lock (cargo)
 ===========================
-Total: 4 (CRITICAL: 4)
+Total: 5 (CRITICAL: 5)
 
 ┌───────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
 │  Library  │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
 ├───────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
-│ rand_core │ CVE-2020-25576 │ CRITICAL │ 0.4.0             │ 0.3.1, 0.4.2  │ An issue was discovered in the rand_core crate before 0.4.2 │
+│ openssl   │ CVE-2018-20997 │ CRITICAL │ 0.8.3             │ 0.10.9        │ Use after free in openssl                                   │
+│           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20997                  │
+├───────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
+│ rand_core │ CVE-2020-25576 │          │ 0.4.0             │ 0.3.1, 0.4.2  │ An issue was discovered in the rand_core crate before 0.4.2 │
 │           │                │          │                   │               │ for Rust....                                                │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-25576                  │
 ├───────────┼────────────────┤          ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
@@ -92,7 +95,7 @@ Total: 4 (CRITICAL: 4)
 │           │                │          │                   │               │ for Rust....                                                │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-15554                  │
 │           ├────────────────┤          │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
-│           │ CVE-2021-25900 │          │                   │ 0.6.14, 1.6.1 │ An issue was discovered in the smallvec crate before 0.6.14 │
+│           │ CVE-2021-25900 │          │                   │ 1.6.1, 0.6.14 │ An issue was discovered in the smallvec crate before 0.6.14 │
 │           │                │          │                   │               │ and 1.x...                                                  │
 │           │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-25900                  │
 └───────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

test/data/repo.test

@@ -69,7 +69,6 @@
             ]
           },
           "Match": "export GITHUB_PAT=****************************************",
-          "Deleted": false,
           "Layer": {}
         }
       ]

test/data/yamlconfig.test

@@ -60,6 +60,7 @@
       "Vulnerabilities": [
         {
           "VulnerabilityID": "CVE-2021-36159",
+          "PkgID": "apk-tools@2.10.6-r0",
           "PkgName": "apk-tools",
           "InstalledVersion": "2.10.6-r0",
           "FixedVersion": "2.10.7-r0",