Lucene search

K
suseSuseOPENSUSE-SU-2022:10081-1
HistoryAug 06, 2022 - 12:00 a.m.

Security update for trivy (moderate)

2022-08-0600:00:00
lists.opensuse.org
98

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

An update that fixes one vulnerability is now available.

Description:

This update for trivy fixes the following issues:

trivy was updated to version 0.30.4:

  • fix: remove the first arg when running as a plugin (#2595)
  • fix: k8s controlplaner scanning (#2593)
  • fix(vuln): GitLab report template (#2578)

Update to version 0.30.3:

  • fix(server): use a new db worker for hot updates (#2581)
  • docs: add trivy with download-db-only flag to Air-Gapped Environment
    (#2583)
  • docs: split commands to download db for different versions of oras
    (#2582)
  • feat(report): export exitcode for license checks (#2564)
  • fix: cli can use lowercase for severities (#2565)
  • fix: allow subcommands with TRIVY_RUN_AS_PLUGIN (#2577)
  • fix: add missing types in TypeOSes and TypeLanguages in analyzer (#2569)
  • fix: enable some features of the wasm runtime (#2575)
  • fix(k8s): no error logged if trivy can’t get docker image in kubernetes
    mode (#2521)
  • docs(sbom): improve sbom attestation documentation (#2566)

Update to version 0.30.2:

  • fix(report): show the summary without results (#2548)
  • fix(cli): replace ‘-’ to ‘_’ for env vars (#2561)

Update to version 0.30.1:

  • chore: remove a test repository (#2551)
  • fix(license): lazy loading of classifiers (#2547)
  • fix: CVE-2022-1996 in Trivy (#2499)
  • docs(sbom): add sbom attestation (#2527)
  • feat(rocky): set Rocky Linux 9 EOL (#2543)
  • docs: add attributes to the video tag to autoplay demo videos (#2538)
  • fix: yaml files with non-string chart name (#2534)
  • fix: skip dirs (#2530)
  • feat(repo): add support for branch, commit, & tag (#2494)
  • fix: remove auto configure environment variables via viper (#2526)

Update to version 0.30.0:

  • fix: separating multiple licenses from one line in dpkg copyright files
    (#2508)
  • fix: change a capital letter for plugin uninstall subcommand (#2519)
  • fix: k8s hide empty report when scanning resource (#2517)
  • refactor: fix comments (#2516)
  • fix: scan vendor dir (#2515)
  • feat: Add support for license scanning (#2418)
  • chore: add owners for secret scanning (#2485)
  • fix: remove dependency-tree flag for image subcommand (#2492)
  • fix(k8s): add shorthand for k8s namespace flag (#2495)
  • docs: add information about using multiple servers to troubleshooting
    (#2498)
  • ci: add pushing canary build images to registries (#2428)
  • feat(dotnet): add support for .Net core .deps.json files (#2487)
  • feat(amazon): add support for 2022 version (#2429)
  • Type correction bitnami chart (#2415)
  • docs: add config file and update CLI references (#2489)
  • feat: add support for flag groups (#2488)
  • refactor: move from urfave/cli to spf13/cobra (#2458)
  • fix: Fix secrets output not containing file/lines (#2467)
  • fix: clear output with modules (#2478)
  • docs(cbl): distroless 1.0 supported (#2473)
  • fix: Fix example dockerfile rego policy (#2460)
  • fix(config): add helm to list of config analyzers (#2457)
  • feat: k8s resouces scan (#2395)
  • feat(sbom): add cyclonedx sbom scan (#2203)
  • docs: remove links to removed content (#2431)
  • ci: added rpm build for rhel 9 (#2437)
  • fix(secret): remove space from asymmetric private key (#2434)
  • test(integration): fix golden files for debian 9 (#2435)
  • fix(cli): fix version string in docs link when secret scanning is
    enabled (#2422)
  • refactor: move CycloneDX marshaling (#2420)
  • docs(nodejs): add docs about pnpm support (#2423)
  • docs: improve k8s usage documentation (#2425)
  • feat: Make secrets scanning output consistant (#2410)
  • ci: create canary build after main branch changes (#1638)
  • fix(misconf): skip broken scans (#2396)
  • feat(nodejs): add pnpm support (#2414)
  • fix: Fix false positive for use of COS images (#2413)
  • eliminate nerdctl dependency (#2412)
  • Add EOL date for SUSE SLES 15.3, 15.4 and OpenSUSE 15.4 (#2403)
  • fix(go): no cast to lowercase go package names (#2401)
  • BREAKING(sbom): change ‘trivy sbom’ to scan SBOM (#2408)
  • fix(server): hot update the db from custom repository (#2406)
  • feat: added license parser for dpkg (#2381)
  • fix(misconf): Update defsec (v0.68.5) to fix docker rego duplicate key
    (#2400)
  • feat: extract stripe publishable and secret keys (#2392)
  • feat: rbac support k8s sub-command (#2339)
  • feat(ruby): drop platform strings from dependency versions bundled with
    bundler v2 (#2390)
  • docs: Updating README with new CLI command (#2359)
  • fix(misconf): Update defsec to v0.68.4 to resolve CF detection bug
    (#2383)
  • chore: add integration label and merge security label (#2316)

Update to version 0.29.2:

  • chore: skip Visual Studio Code project folder (#2379)
  • fix(helm): handle charts with templated names (#2374)
  • docs: redirect operator docs to trivy-operator repo (#2372)
  • fix(secret): use secret result when determining Failed status (#2370)
  • try removing libdb-dev
  • run integration tests in fanal
  • use same testing images in fanal
  • feat(helm): add support for trivy dbRepository (#2345)
  • fix: Fix failing test due to deref lint issue
  • test: Fix broken test
  • fix: Fix makefile when no previous named ref is visible in a shallow
    clone
  • chore: Fix linting issues in fanal
  • refactor: Fix fanal import paths and remove dotfiles

Update to version 0.29.1:

  • fix(report): add required fields to the SARIF template (#2341)
  • chore: fix spelling errors (#2352)
  • Omit Remediation if PrimaryURL is empty (#2006)
  • docs(repo): Link to installation documentation in readme shows 404
    (#2348)
  • feat(alma): support for scanning of modular packages for AlmaLinux
    (#2347)

Update to version 0.29.0:

  • fix(lang): fix dependency graph in client server mode (#2336)
  • feat: allow expiration date for .trivyignore entries (#2332)
  • feat(lang): add dependency origin graph (#1970)
  • docs: update nix installation info (#2331)
  • feat: add rbac scanning support (#2328)
  • refactor: move WordPress module to another repository (#2329)
  • ci: add support for ppc64le (#2281)
  • feat: add support for WASM modules (#2195)
  • feat(secret): show recommendation for slow scanning (#2051)
  • fix(flag): remove --clear-cache flag client mode (#2301)
  • fix(java): added check for looping for variable evaluation in pom file
    (#2322)
  • BREAKING(k8s): change CLI API (#2186)
  • feat(alpine): add Alpine Linux 3.16 (#2319)
  • ci: add go mod tidy check (#2314)
  • chore: run go mod tidy (#2313)
  • fix: do not exit if one resource is not found (#2311)
  • feat(cli): use stderr for all log messages (resolve #381) (#2289)
  • test: replace deprecated subcommand client in integration tests (#2308)
  • feat: add support for containerd (#2305)
  • fix(kubernetes): Support floats in manifest yaml (#2297)
  • docs(kubernetes): dead links (#2307)
  • chore: add license label (#2304)
  • feat(mariner): added support for CBL-Mariner Distroless v2.0 (#2293)
  • feat(helm): add pod annotations (#2272)
  • refactor: do not import defsec in fanal types package (#2292)
  • feat(report): Add misconfiguration support to ASFF report template
    (#2285)
  • test: use images in GHCR (#2275)
  • feat(helm): support pod annotations (#2265)
  • feat(misconf): Helm chart scanning (#2269)
  • docs: Update custom rego policy docs to reflect latest defsec/fanal
    changes (#2267)
  • fix: mask redis credentials when logging (#2264)
  • refactor: extract commands Runner interface (#2147)
  • docs: update operator release (#2263)
  • feat(redhat): added architecture check (#2172)
  • docs: updating links in the docs to work again (#2256)
  • docs: fix readme (#2251)
  • fix: fixed incorrect CycloneDX output format (#2255)
  • refactor(deps): move dependencies to package (#2189)
  • fix(report): change github format version to required (#2229)
  • docs: update readme (#2110)
  • docs: added information about choosing advisory database (#2212)
  • chore: update trivy-kubernetes (#2224)
  • docs: clarifying parts of the k8s docs and updating links (#2222)
  • fix(k8s): timeout error logging (#2179)
  • chore(deps): updated fanal after fix AsymmetricPrivateKeys (#2214)
  • feat(k8s): add --context flag (#2171)
  • fix(k8s): properly instantiate TableWriter (#2175)
  • test: fixed integration tests after updating testcontainers to v0.13.0
    (#2208)
  • chore: update labels (#2197)
  • fix(report): fixed panic if all misconf reports were removed in filter
    (#2188)
  • feat(k8s): scan secrets (#2178)
  • feat(report): GitHub Dependency Snapshots support (#1522)
  • feat(db): added insecure skip tls verify to download trivy db (#2140)
  • fix(redhat): always use vulns with fixed version if there is one (#2165)
  • chore(redhat): Add support for Red Hat UBI 9. (#2183)
  • fix(k8s): update trivy-kubernetes (#2163)
  • fix misconfig start line for code quality tpl (#2181)
  • fix: update docker/distribution from 2.8.0 to 2.8.1 (#2176)
  • docs(vuln): Include GitLab 15.0 integration (#2153)
  • docs: fix the operator version (#2167)
  • fix(k8s): summary report when when only vulns exit (#2146)
  • chore(deps): Update fanal to get defsec v0.58.2 (fixes false positives
    in ksv038) (#2156)
  • perf(misconf): Improve performance when scanning very large files (#2152)
  • docs(misconf): Update examples and docs to refer to builtin/defsec
    instead of appshield (#2150)
  • chore(deps): Update fanal (for less verbose code in misconf results)
    (#2151)
  • docs: fixed installation instruction for rhel/centos (#2143)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Backports SLE-15-SP4:

    zypper in -t patch openSUSE-2022-10081=1

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

Related for OPENSUSE-SU-2022:10081-1