trivy changelogs since trivy | diffwithgpt
AI Summary
The commit updates the golang.org/x/sync dependency from version 0.13.0 to 0.14.0. This is a dependency-only upgrade with no changes to Go source files; the page does not identify a specific fix it picks up.
Commit Log
chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
AI Summary
The code adds logic to exclude development dependencies in Gradle lockfiles: a dependency is treated as development-only when every classpath (Gradle configuration) it was resolved for starts with 'test'. The test file gains a case for a development dependency that appears only on 'test' classpaths, and line numbers are adjusted so location tracking stays accurate.
Commit Log
fix(java): exclude dev dependencies in gradle lockfile (#8803)
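The rule above is easy to get wrong in either direction (a library on both compileClasspath and testCompileClasspath must stay in the inventory). The following is an added example, not Trivy's own parser, that applies the "all classpaths start with test" rule to a constructed gradle.lockfile; the type and function names and the sample lockfile are assumptions for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// GradleDep is one resolved dependency from a gradle.lockfile line of the form
//   group:artifact:version=configA,configB,...
type GradleDep struct {
	Group      string
	Name       string
	Version    string
	Classpaths []string // Gradle configurations the dependency was resolved for
	Dev        bool     // true when every configuration is a test-only one
}

// isDevOnly reports whether every configuration name starts with "test"
// (testCompileClasspath, testRuntimeClasspath, ...). A dependency that also
// appears on compileClasspath or runtimeClasspath ships with the application
// and must stay in the inventory.
func isDevOnly(classpaths []string) bool {
	if len(classpaths) == 0 {
		return false
	}
	for _, cp := range classpaths {
		if !strings.HasPrefix(cp, "test") {
			return false
		}
	}
	return true
}

// ParseGradleLockfile parses the text of a gradle.lockfile. Comment lines and
// the trailing "empty=..." marker (configurations with no dependencies) are skipped.
func ParseGradleLockfile(content string) ([]GradleDep, error) {
	var deps []GradleDep
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "empty=") {
			continue
		}
		coords, cps, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed lockfile line: %q", line)
		}
		parts := strings.Split(coords, ":")
		if len(parts) != 3 {
			return nil, fmt.Errorf("unexpected coordinates %q", coords)
		}
		classpaths := strings.Split(cps, ",")
		deps = append(deps, GradleDep{
			Group:      parts[0],
			Name:       parts[1],
			Version:    parts[2],
			Classpaths: classpaths,
			Dev:        isDevOnly(classpaths),
		})
	}
	return deps, sc.Err()
}

// ProductionDeps returns only the dependencies that are not test-only.
func ProductionDeps(deps []GradleDep) []GradleDep {
	var out []GradleDep
	for _, d := range deps {
		if !d.Dev {
			out = append(out, d)
		}
	}
	return out
}

// SampleLockfile is a constructed gradle.lockfile, not taken from any real project.
const SampleLockfile = `# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
com.google.guava:guava:31.1-jre=compileClasspath,runtimeClasspath,testCompileClasspath,testRuntimeClasspath
junit:junit:4.13.2=testCompileClasspath,testRuntimeClasspath
org.hamcrest:hamcrest-core:1.3=testRuntimeClasspath
empty=annotationProcessor
`

func main() {
	deps, err := ParseGradleLockfile(SampleLockfile)
	if err != nil {
		panic(err)
	}
	for _, d := range deps {
		fmt.Printf("%s:%s:%s dev=%v\n", d.Group, d.Name, d.Version, d.Dev)
	}
	fmt.Printf("%d of %d dependencies ship with the application\n", len(ProductionDeps(deps)), len(deps))
}
```

Guava stays in the inventory because it is also on compileClasspath and runtimeClasspath; junit and hamcrest are dropped because every configuration they were resolved for is a test one. Whether to hide development dependencies from a vulnerability report is a policy choice: they still run on build machines, so a CI-focused scan may want to keep them.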
AI Summary
The code changes replace old-style octal literals (e.g. `0644`) with the explicit `0o`-prefixed form (`0o644`) flagged by go-critic's `octalLiteral` check. The `0o` prefix has been valid Go syntax since Go 1.13, so this is a readability and consistency change with no behavioural effect; the edits touch test utilities and file-operation code across multiple files in the Trivy project.
Commit Log
fix: octalLiteral from go-critic (#8811)
AI Summary
The code adds functionality to clean content sets by removing generic suffixes like '__8' from Red Hat package manifests. This change ensures valid repository names are preserved while filtering out build artifacts that are not valid repository names.
Commit Log
fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
AI Summary
This commit updates multiple dependencies in the project's go.mod and go.sum files to newer versions, primarily across the common group. The changes include upgrades to libraries like aquasecurity/table, AWS SDK services, containerd, go-git, buildkit, OPA, and others, likely to address bugs, security issues, or new features.
Commit Log
chore(deps): bump the common group across 1 directory with 10 updates (#8817)
AI Summary
The commit addresses revive's `use-any` rule: it updates the .golangci.yaml configuration for that rule and replaces `interface{}` with `any` in the affected files. Since Go 1.18 `any` is an alias for `interface{}`, so the change is purely cosmetic (there is no type-safety difference) and is part of a broader effort to modernize the codebase.
Commit Log
fix: use-any from revive (#8810)
AI Summary
The code changes primarily focus on simplifying error handling by removing redundant return statements and nil checks, improving code readability and maintainability. The changes also include minor syntax adjustments, such as fixing variable declarations and increment operators, which align with style guidelines and improve code quality. The updated dependencies in go.mod suggest that the project is incorporating new libraries and tools, which may enhance functionality or support for specific features.
Commit Log
fix: more revive rules (#8814)
AI Summary
The commit fixes a typo in the Java documentation, changing 'Trity' to 'Trivy'. This correction ensures accurate documentation for users relying on Trivy's license detection feature.
Commit Log
docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
AI Summary
The code adds a check that the `for_each` expression of a dynamic block is known before the block is expanded, so the parser does not try to iterate over an unknown value. This improves the accuracy of Terraform configuration analysis by handling unknown `for_each` values explicitly during parsing rather than producing misleading expansions.
Commit Log
fix(misconf): check if for-each is known when expanding dyn block (#8808)
AI Summary
The commit updates the Trivy Helm Chart version to 0.14.0 and aligns the appVersion with Trivy 0.62.0. This change ensures compatibility between the Helm Chart and the Trivy version it packages.
Commit Log
ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
AI Summary
This commit updates the Trivy version from 0.61.0 to 0.62.0, a new release with various features and bug fixes. The changelog includes improvements for image scanning and misconfiguration detection, the option to pass a Rego scanner to the IaC scanner, and Terraform parser enhancements.
Commit Log
release: v0.62.0 [main] (#8669)
AI Summary
The code adds support for analyzing Yarn workspaces and root packages, allowing Trivy to handle both direct and indirect dependencies, as well as development dependencies. It introduces new functions to parse and resolve dependencies from package.json and workspace files, improving the accuracy of dependency relationships and license detection. The changes also include updates to documentation and test cases to reflect the new functionality and ensure compatibility with Yarn workspaces.
Commit Log
feat(nodejs): add root and workspace for `yarn` packages (#8535)
AI Summary
The code changes are removing unused parameters from function signatures across multiple files in the Trivy project to address a 'unused-parameter' rule from revive. This change improves code cleanliness by eliminating parameters that are not used within the function, reducing potential confusion and improving maintainability.
Commit Log
fix: unused-parameter rule from revive (#8794)
AI Summary
The code updates dependencies for trivy-checks and lo to newer versions, likely to include security fixes and new features. It also adjusts test data files to reflect changes in the number of failures and successes, possibly due to updated checks or test cases.
Commit Log
chore(deps): Update trivy-checks (#8798)
AI Summary
The code diff applies fixes for specific revive linter rules (early-return, indent-error-flow, and superfluous-else) across multiple files in the Trivy project, improving code structure and readability. The changes primarily involve removing redundant else blocks and adjusting code formatting to align with best practices, which enhances maintainability and reduces potential confusion in control flow.
Commit Log
fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)
AI Summary
The commit updates several dependencies to newer versions, including k8s.io/api and related Kubernetes packages, to address potential issues or improvements. It also updates other dependencies like testcontainers-go, protobuf, and various Go libraries to their latest versions, which may include bug fixes, security patches, or new features.
Commit Log
fix(k8s): remove using `last-applied-configuration` (#8791)
AI Summary
The code diff removes unused methods from various AWS and other cloud providers in Trivy's IaC analysis module, likely to reduce code complexity and improve maintainability. The removed methods were not being called anywhere in the codebase, indicating they were no longer needed and could be safely deleted.
Commit Log
refactor(misconf): remove unused methods from providers (#8781)
AI Summary
The code removes unused methods and simplifies the string comparison logic by eliminating equality options and associated helper functions. This refactor reduces code complexity and potential maintenance overhead by removing unused functionality that is no longer referenced.
Commit Log
refactor(misconf): remove unused methods from iac types (#8782)
AI Summary
The code filters out null nodes when parsing JSON manifests so that later analysis does not process invalid or empty structures. Null values in both arrays and maps are removed using the 'lo' package, leaving a cleaner data structure.
Commit Log
fix(misconf): filter null nodes when parsing json manifest (#8785)
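As an added example (not Trivy's code, which uses the 'lo' package), the following stdlib-only Go walks a decoded JSON manifest and drops null nodes from both objects and arrays, then rejects a document whose root is not an object. The function names and the Kubernetes-style sample manifest are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// stripNulls walks a decoded JSON value and drops every null: keys whose value
// is null are removed from objects and null elements are removed from arrays.
// Scalars are returned unchanged.
func stripNulls(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			if val == nil {
				continue
			}
			out[k] = stripNulls(val)
		}
		return out
	case []any:
		out := make([]any, 0, len(t))
		for _, val := range t {
			if val == nil {
				continue
			}
			out = append(out, stripNulls(val))
		}
		return out
	default:
		return v
	}
}

// CleanManifest decodes a JSON manifest and returns it with null nodes removed.
// A manifest whose top-level value is not an object (including a bare null) is rejected.
func CleanManifest(raw []byte) (map[string]any, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decode manifest: %w", err)
	}
	obj, ok := stripNulls(doc).(map[string]any)
	if !ok {
		return nil, fmt.Errorf("manifest root is %T, want object", doc)
	}
	return obj, nil
}

// SampleManifest is a constructed Kubernetes-style manifest with nulls inside
// objects (labels, securityContext, resources) and arrays (env, containers).
const SampleManifest = `{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "demo", "labels": null},
  "spec": {
    "securityContext": null,
    "containers": [
      {"name": "app", "image": "app:1.0", "resources": null, "env": [null, {"name": "MODE", "value": "prod"}]},
      null
    ]
  }
}`

func main() {
	doc, err := CleanManifest([]byte(SampleManifest))
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(doc, "", "  ")
	fmt.Println(string(out))
}
```

One caveat for check authors: after cleaning, an explicit `"securityContext": null` is indistinguishable from an absent key, which is what you want for "field not set" checks but means a null element in an array shifts the indices of everything after it.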
AI Summary
The code changes resolve the remaining testifylint findings by replacing less specific assertions with the ones the linter recommends: `assert.Len` instead of `assert.Equal` on a length, and `assert.Equal` instead of `assert.EqualValues` where the types already match. This improves readability and gives clearer failure messages.
Commit Log
fix: testifylint last issues (#8768)
AI Summary
The code introduces a 'safeOp' function to handle attribute operations safely, preventing nil pointer dereferences and ensuring robustness in attribute value handling. This change improves the reliability of attribute operations by wrapping them in a function that safely handles nil attributes and unknown values. Potential risks include compatibility issues if existing code relies on the old behavior of attribute operations, and edge cases where the 'safeOp' function may return default values instead of actual results.
Commit Log
fix(misconf): perform operations on attribute safely (#8774)
AI Summary
The code updates time handling in the Ubuntu vulnerability scanner to use a clock package for better testability and flexibility. The change replaces direct calls to time.Now() with clock.Now(ctx), allowing for mock time in tests and easier customization of time behavior.
Commit Log
refactor(ubuntu): update time handling for fixing time (#8780)
AI Summary
The diff updates golangci-lint to version v2.1.2 and adjusts related configuration to align with the new version's features and syntax. Changes include updating the GitHub Action version, modifying the golangci-lint version string, and reorganizing the .golangci.yaml file to match the new configuration structure.
Commit Log
chore(deps): bump golangci-lint to v2.1.2 (#8766)
AI Summary
The code adds functionality to save layer metadata, including size, digest, and diffID, into the report for Trivy's image scanning feature. This change enhances the report by including detailed layer information, which is useful for debugging and analysis. The code also includes test updates to ensure the new layer metadata is correctly handled and persisted in the report.
Commit Log
feat(image): save layers metadata into report (#8394)
AI Summary
The code adds support for converting AWS managed policies (both by ARN and name) into the internal Document format used by Trivy for policy analysis. It introduces a map of known AWS managed policies and logic to detect and apply them directly when parsing Terraform configurations.
Commit Log
feat(misconf): convert AWS managed policy to document (#8757)
AI Summary
The commit updates several Docker-related dependencies to newer versions across the project's go.mod and go.sum files. This includes bumping docker/cli and docker/docker to v28.1.1, buildkit to v0.21.0, and other indirect dependencies to newer versions.
Commit Log
chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
AI Summary
The commit updates the Trivy Helm Chart version to 0.13.1 and aligns the appVersion with Trivy 0.61.1. This change ensures compatibility between the Helm Chart and the Trivy version it packages.
Commit Log
ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
AI Summary
The code adds a new workflow job to update the helm chart version by creating a PR from the main branch, ensuring patch releases use the latest chart version. It checks out the main branch to fetch the latest chart version before updating it, which is essential for accurate patch release versioning.
Commit Log
ci(helm): create a helm branch for patches from main (#8673)
AI Summary
The code change updates the handling of HCL object expressions to correctly identify and return references in Terraform configurations, particularly for JSON expressions. It modifies the `AllReferences` method to use `referencesFromExpression` which now handles JSON expressions and relative traversals more accurately.
Commit Log
fix(terraform): hcl object expressions to return references (#8271)
AI Summary
The code introduces an option to pass an instanced logger to the Terraform parser, allowing more granular and scoped logging. This change enhances logging control by using slog instead of the previous log package, and ensures logs are attached to the instanced logger rather than the global one.
Commit Log
chore(terraform): option to pass in instanced logger (#8738)
AI Summary
The commit replaces the aquasecurity fork of the notify-microsoft-teams action with the upstream Skitionek/notify-microsoft-teams repository, pinned to a specific commit hash rather than a mutable tag. This picks up the maintained upstream version while keeping the action's contents fixed to a reviewed revision.
Commit Log
ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
AI Summary
The code change removes the use of os.OpenPath and replaces it with a check for a nil filesystem, returning an error if it is nil. This change likely aims to improve error handling by ensuring the filesystem is not nil before attempting to open files.
Commit Log
chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
AI Summary
This commit updates multiple dependencies in the project's go.mod and go.sum files to newer versions, primarily across various SDKs, libraries, and tools. The changes include version upgrades for Azure SDKs, AWS SDKs, OpenTelemetry, and other dependencies, which may include bug fixes, security patches, and new features.
Commit Log
chore(deps): bump the common group across 1 directory with 23 updates (#8733)
AI Summary
The code adds support for identifying root and workspace packages in Cargo.lock files, enhancing dependency analysis for Rust projects. It introduces a new package relationship type 'workspace' and updates the parsing logic to handle workspace members and their dependencies. The changes include new functions for parsing Cargo.toml files, generating package IDs, and modifying dependency relationships.
Commit Log
feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
AI Summary
The code refactor removes module outputs from the EvaluateAll method in the Terraform parser, simplifying error handling and reducing redundant output tracking. This change likely aims to improve code clarity and maintainability by removing unnecessary output handling, which may have been causing complexity or potential issues in error propagation.
Commit Log
refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
AI Summary
The code fixes an issue where context was not being populated correctly for module instances in Terraform, particularly when using count or for_each. The changes ensure that block instance values are properly passed to the context, improving the accuracy of module evaluation and context propagation.
Commit Log
fix(misconf): populate context correctly for module instances (#8656)
AI Summary
The code change adds a check to ensure that metadata is not nil before proceeding with policy loading. This prevents potential nil pointer dereferences when handling embedded policies.
Commit Log
fix(misconf): check if metadata is not nil (#8647)
AI Summary
The code refactor switches JSON parsing in multiple packages, including the CloudFormation and Kubernetes parsers, from jfather to x/json (`github.com/go-json-experiment/json`, the library introduced in #8591). jfather-related imports and functions are replaced, which may change how JSON data is unmarshaled and parsed where the two libraries behave differently.
Commit Log
refactor(misconf): switch to x/json (#8719)
AI Summary
The code change adds a call to `Reset()` on the buffer after flushing so it is empty for the next use. Without it, data from a previous flush would remain in the buffer and be written again in subsequent report generations.
Commit Log
fix(report): clean buffer after flushing (#8725)
AI Summary
The commit renames the GitHub Actions workflow from 'Lint PR title' to 'Validate PR Title' and changes its trigger from `pull_request_target` to `pull_request`. The workflow now runs a custom validation script that checks the PR title against predefined types and scopes so it follows the project's semantic convention. The trigger change also matters for security: `pull_request_target` runs in the base repository's context with its secrets and a write-capable token, whereas `pull_request` from a fork runs with a read-only token.
Commit Log
ci: improve PR title validation workflow (#8720)
AI Summary
The code refactor improves the flag system architecture by introducing a more modular and extensible design, replacing direct flag group handling with a unified Flags struct and ToOptions method. The changes include replacing individual flag group ToOptions methods with a centralized approach, which simplifies flag processing and enhances maintainability. Potential risks include breaking existing flag handling logic if not properly tested, and compatibility issues with older versions that rely on the previous flag system.
Commit Log
refactor(flag): improve flag system architecture and extensibility (#8718)
AI Summary
The code introduces a function `insertTupleElement` to handle inserting values into tuples, ensuring correct behavior for out-of-bounds indices and non-list inputs. The function is used in `blockInstanceValues` to correctly set `EvalContext` for multiple instances of blocks, particularly when using `count` or `for_each` arguments in Terraform configurations. The changes include test cases to validate the behavior of `insertTupleElement` and ensure compatibility with different Terraform block types and evaluation contexts.
Commit Log
fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
AI Summary
The code refactors the JSON parsing implementation by replacing the 'github.com/aquasecurity/jfather' package with 'github.com/go-json-experiment/json', which is an experimental JSON parser for Go. This change involves updating imports, replacing function calls, and modifying struct fields to use the new package's features, such as tracking line numbers for error reporting and location metadata.
Commit Log
refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
AI Summary
The code adds support for auto_provisioning_defaults in Google Kubernetes Engine (GKE) clusters by modifying the Terraform adapter to handle new attributes and structures. It introduces new functions like adaptManagement and adaptNodeConfig to parse and convert Terraform configurations into the internal GKE model, including auto_provisioning_defaults and management settings.
Commit Log
feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
AI Summary
The code change updates the release PR check workflow to use the PR author's login from the GitHub event data. This ensures the PR author is correctly identified for authorization checks in the workflow.
Commit Log
ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
AI Summary
The code introduces a hook interface to allow extended functionality in Trivy by enabling pre and post hooks for various stages like run, scan, and report. This refactor replaces the previous post-scanner mechanism with a more flexible hook system that supports multiple hook types (RunHook, ScanHook, ReportHook). Potential risks include compatibility issues with existing plugins that relied on the old post-scanner API, and the need to ensure all hook implementations correctly handle errors and data modifications.
Commit Log
refactor: add hook interface for extended functionality (#8585)
AI Summary
The code change adds fallback values for missing variables in Terraform parsing to handle cases where variables are not defined, improving error handling and evaluation behavior. The change modifies the logic to set fallback values based on variable types, which may affect how expressions with missing variables are evaluated and logged.
Commit Log
fix(misconf): add missing variable as unknown (#8683)
AI Summary
The commit updates the maintainer documentation to include a tip about reviewing and merging dependabot vulnerability updates before creating a release. It also updates a link to the release-please tool in the release-flow documentation.
Commit Log
docs: Update maintainer docs (#8674)
AI Summary
The changes reduce the risk of GitHub Actions script injection by passing event data through environment variables instead of interpolating it directly into `run:` scripts. Because a `${{ github.event... }}` expression is substituted into the script text before the shell parses it, an attacker-controlled PR body or commit message could inject commands; reading the same value from an environment variable keeps it as data.
Commit Log
ci(vuln): reduce github action script injection attack risk (#8610)
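To make the difference concrete, the following added example (not Trivy's workflow code) simulates both styles of step by handing a script to `sh` the way a runner does. The workflow snippets in the comments are hypothetical, and the malicious PR title is constructed for the demonstration; it assumes `sh` is available on the host.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"time"
)

// runStep executes a shell step the way a CI runner would: the script body is
// handed to sh, and any extra variables are added to the process environment.
func runStep(script string, env map[string]string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, "sh", "-c", script)
	cmd.Env = os.Environ()
	for k, v := range env {
		cmd.Env = append(cmd.Env, k+"="+v)
	}
	out, err := cmd.CombinedOutput()
	return strings.TrimSpace(string(out)), err
}

// vulnerableStep models a hypothetical workflow step written as
//   run: echo "PR title: ${{ github.event.pull_request.title }}"
// The expression is substituted into the script text before sh sees it, so the
// title becomes part of the program, not its input.
func vulnerableStep(prTitle string) (string, error) {
	script := `echo "PR title: ` + prTitle + `"`
	return runStep(script, nil)
}

// hardenedStep models the same step rewritten as
//   env:
//     PR_TITLE: ${{ github.event.pull_request.title }}
//   run: echo "PR title: $PR_TITLE"
// The script text is fixed; the title only ever reaches sh as a variable value.
func hardenedStep(prTitle string) (string, error) {
	return runStep(`echo "PR title: $PR_TITLE"`, map[string]string{"PR_TITLE": prTitle})
}

// attackerTitle is a constructed PR title that closes the quoted string and
// appends its own command. In a real workflow the command would exfiltrate
// secrets or tamper with the checkout instead of echoing a marker.
const attackerTitle = `fix typo"; echo INJECTED-COMMAND-RAN; echo "`

func main() {
	bad, _ := vulnerableStep(attackerTitle)
	good, _ := hardenedStep(attackerTitle)
	fmt.Printf("interpolated into script:\n%s\n\n", bad)
	fmt.Printf("passed via environment:\n%s\n", good)
}
```

With the title interpolated, the injected `echo` runs as a separate command and its marker appears on its own line; with the title in `PR_TITLE`, the whole string is printed verbatim, quotes and semicolons included.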
AI Summary
The code adds a rule to ignore `.dist-info` directories during secret scanning. These directories hold Python package metadata (installed by pip) and were producing false positives, so their contents are now skipped.
Commit Log
fix(secret): ignore .dist-info directories during secret scanning (#8646)
AI Summary
The code change fixes a bug in the Redis key construction for deleting blobs by using the correct bucket name. The test cases were updated to reflect the new key format and verify that blobs are properly deleted.
Commit Log
fix(server): fix redis key when trying to delete blob (#8649)
AI Summary
The commit updates dependencies, specifically testcontainers-go and related modules to version 0.36.0, and updates OpenTelemetry packages to version 1.35.0. It also adds the 'github.com/ebitengine/purego' dependency at version 0.8.2 and replaces 'github.com/shirou/gopsutil/v3' with 'github.com/shirou/gopsutil/v4'.
Commit Log
chore(deps): bump the testcontainers group with 2 updates (#8650)
AI Summary
The commit points the test images at the `aquasecurity` repository instead of `knqyf263`. It also changes the jq expressions in the GitHub Actions workflows from `Tags | sort` to `Tags |= sort`: the pipe form outputs only the sorted tag array, whereas the update-assignment `|=` sorts the `Tags` field in place and keeps the surrounding object intact.
Commit Log
test: use `aquasecurity` repository for test images (#8677)
AI Summary
The commit updates the AWS SDK Go v2 dependencies to newer versions across multiple services to ensure compatibility and security. The changes include version upgrades for config, credentials, and specific service modules like EC2, ECR, and S3, along with their indirect dependencies.
Commit Log
chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
AI Summary
The code change skips misconfigurations with status 'Passed' when building the Kubernetes summary report, so passed checks no longer contribute to the severity counts and the summary reflects only actual findings.
Commit Log
fix(k8s): skip passed misconfigs for the summary report (#8684)
AI Summary
The commit updates dependencies to newer versions of trivy-checks and trivy-kubernetes to fix artifact version comparison issues in Kubernetes scanning. The changes ensure compatibility with the latest versions of these libraries, which likely include bug fixes or improvements related to version parsing and comparison.
Commit Log
fix(k8s): correct compare artifact versions (#8682)
AI Summary
The code diff updates Docker libraries to version 28.0.4, replacing older versions to ensure compatibility with newer features and security fixes. Changes include updating function calls to use new options like `ImageLoadWithQuiet` and modifying function signatures to accept new parameters such as `ImageSaveOption`. Potential risks include breaking changes if existing code relies on deprecated APIs or if the new Docker versions introduce incompatible behavior.
Commit Log
chore: update Docker lib (#8681)
AI Summary
The code removes unused methods for checking attribute values in Terraform resources, such as StartsWith, EndsWith, IsAny, and others. These methods were likely removed to clean up the codebase and remove redundant functionality that is no longer used.
Commit Log
refactor(misconf): remove unused terraform attribute methods (#8657)
AI Summary
The code introduces an option to pass a Rego scanner to the IaC scanner, allowing for custom Rego policy enforcement during infrastructure-as-code scanning. This change modifies several scanner implementations to use a shared RegoScannerProvider, which manages the Rego scanner lifecycle and ensures consistent policy loading across different IaC formats. The new functionality is integrated into the misconf package to support passing a pre-initialized Rego scanner, enhancing flexibility and reusability in policy enforcement.
Commit Log
feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
AI Summary
The code change fixes a typo in an error message, replacing 'rego' with 'repo' in the flag error output. This correction ensures the error message accurately reflects the intended context of the flag group.
Commit Log
chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
AI Summary
The commit adds documentation about the Helm chart release process, including steps to handle auto-generated PRs and potential delays between release and Helm chart updates. It explains that if the Helm chart action runs before the release is complete, it may fail and recommends manually restarting the Helm chart action after the release is finalized.
Commit Log
docs: Add info about helm charts release (#8640)
AI Summary
The commit updates the Trivy Helm Chart version from 0.12.0 to 0.13.0 and aligns the appVersion with Trivy 0.61.0. This change ensures compatibility between the Helm Chart and the Trivy version it packages.
Commit Log
ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
AI Summary
This commit updates the version of Trivy to 0.61.0 and includes several new features, bug fixes, and performance improvements. The changes include optimizations for file scanning, support for new Kubernetes controllers, and improvements in misconfiguration detection for AWS resources.
Commit Log
release: v0.61.0 [main] (#8507)
AI Summary
The code change modifies logging levels and messages in the fallbackChecks function to provide more informative debug logs when parsing checks fails due to unsupported features. The original error logs are replaced with debug logs to avoid overwhelming users with unnecessary error messages, while still capturing relevant information for debugging.
Commit Log
fix(misconf): Improve logging for unsupported checks (#8634)
AI Summary
The code adds support for Kubernetes controllers by updating dependencies and enhancing the scanner to include vulnerability severity sources. The changes include upgrading trivy-kubernetes and related Kubernetes dependencies to newer versions, which may introduce new features or bug fixes.
Commit Log
feat(k8s): add support for controllers (#8614)
AI Summary
The code change filters out empty license strings during copyright file parsing to avoid including invalid or empty licenses. This ensures that only valid licenses are considered, improving accuracy in license detection for Debian packages.
Commit Log
fix(debian): don't include empty licenses for `dpkgs` (#8623)
AI Summary
The code change replaces a check for known and null values with a check for wholly known values in the writeBlock function, likely to improve accuracy in handling Terraform configurations. The test file has been updated to include new test cases for checking rendered causes, including scenarios with service accounts and privileged roles, which may help ensure the correctness of the new logic.
Commit Log
fix(misconf): Check values wholly prior to evaluation (#8604)
AI Summary
The diff represents a dependency update for Trivy, specifically bumping the trivy-checks package from version 1.7.1 to 1.8.0, along with other minor version updates for related dependencies. The changes include new test cases and updated expected results in the integration test data, likely to reflect new security checks introduced in the updated trivy-checks version.
Commit Log
chore(deps): Bump trivy-checks (#8619)
AI Summary
The code change adds support for the `--report all` flag in Kubernetes reports by modifying the TableWriter to include detailed table mode and updating test cases to validate the behavior. It introduces a new test case for the `Table` report type, ensuring that detailed tables are shown when `--report all` is used, while the summary report is handled separately.
Commit Log
fix(k8s): show report for `--report all` (#8613)
AI Summary
The commit updates the JWT library from version 4.5.1 to 4.5.2 to include security patches or bug fixes. This change is a dependency update with no code changes, affecting only the version of the JWT library used indirectly.
Commit Log
chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
AI Summary
The code refactor renames the scanner-related package, functions and variables for naming consistency and clarity (the commit title gives the new name as `service`), updating imports, function signatures and variable names across multiple files to match.
Commit Log
refactor: rename scanner to service (#8584)
AI Summary
The code change ensures that documents are not skipped when loading from subdirectories by manually collecting data files using fs.WalkDir. This change addresses a misconfiguration where subdirectory files were not being properly loaded, likely due to incorrect path handling or filtering logic.
Commit Log
fix(misconf): do not skip loading documents from subdirectories (#8526)
AI Summary
The code refactor replaces calls to HasChild with direct calls to GetBlock and GetAttribute followed by an IsNotNil() check, so existence is verified on the value actually used rather than via a separate lookup. This avoids nil pointer dereferences when a block or attribute is missing and keeps the lookup and the check together.
Commit Log
refactor(misconf): get a block or attribute without calling HasChild (#8586)
AI Summary
The code change renames parameters in the ScanFS method to use 'fsys' and 'dir' instead of 'target' and 'path', improving clarity and consistency in handling file systems. It also updates related test code to use the new parameter names and introduces a new test case for non-Helm charts to ensure compatibility and correct behavior.
Commit Log
fix(misconf): identify the chart file exactly by name (#8590)
AI Summary
The code change introduces table-driven tests for Helm scanner tests, replacing hardcoded test cases with structured test data to improve maintainability and readability. The change uses a helper function 'fsysForAcrhive' to create a filesystem for testing, which simplifies test setup and avoids redundant code. The tests now use a new 'assertIds' helper function to validate expected rule IDs, making test assertions more concise and consistent.
Commit Log
test: use table-driven tests in Helm scanner tests (#8592)
AI Summary
The code refactor simplifies the parsing of misconfiguration checks bundle by replacing direct calls to InitBuiltinChecks with a policy client-based approach. This change likely improves maintainability and reduces redundancy by centralizing policy handling through the policy.Client interface. Potential risks include breaking changes if the policy.Client interface is not backward compatible with previous versions of the code.
Commit Log
refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
AI Summary
The commit updates multiple dependencies in the go.mod and go.sum files, primarily bumping versions of various Go packages, including viper, crypto, and Kubernetes-related modules. These changes are likely to ensure compatibility with the latest features, security patches, and bug fixes provided by the updated dependencies.
Commit Log
chore(deps): bump the common group across 1 directory with 10 updates (#8566)
AI Summary
The code change replaces the use of `cty.NilVal` with `cty.DynamicVal` in the `Value()` method to handle non-nil values correctly in Terraform attribute handling. This change ensures that attributes with unknown or null values are represented accurately, avoiding potential misinterpretation of nil values as invalid or missing. A new test case was added to verify the behavior of converting objects with unknown and null values to maps, ensuring compatibility with Terraform's type system.
Commit Log
fix(misconf): do not use cty.NilVal for non-nil values (#8567)
AI Summary
The code change improves the display format of flag values in Trivy's CLI documentation by showing allowed values in a more readable format, either inline for small lists or as a bullet list for larger ones. This change enhances user experience by making it easier to understand the available options for each flag, especially when there are many allowed values.
Commit Log
docs(cli): improve flag value display format (#8560)
AI Summary
The code sets default values for missing properties in AWS EKS cluster configurations, specifically for PublicAccessEnabled and PublicCIDRs. This change ensures that if the required properties are not present in the CloudFormation template, default values are used to avoid errors or misconfigurations.
Commit Log
fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
AI Summary
The commit removes references to the Slack community from the project's documentation. This change likely reflects a decision to discontinue or reduce reliance on the Slack community for communication.
Commit Log
docs: remove slack (#8565)
AI Summary
The code change introduces a `FilePatterns` type and updates the `PostAnalyze` method to use the `--file-patterns` flag for all post analyzers, improving file pattern matching logic. This change ensures that file patterns are applied consistently across all analyzers, allowing for more flexible and accurate file filtering during analysis.
Commit Log
fix: use `--file-patterns` flag for all post analyzers (#7365)
AI Summary
The code change adds a mention of `pip-compile` as an alternative to `pip freeze` for generating `requirements.txt` in the Python documentation. This update likely aims to provide users with more flexibility in generating dependency lists, especially for managing transitive dependencies.
Commit Log
docs(python): Mention pip-compile (#8484)
AI Summary
The code adapts Terraform AWS Elasticsearch resources to support both 'aws_elasticsearch_domain' and 'aws_opensearch_domain' types. It updates the test cases to reflect the new structure, using 'elasticsearch.Elasticsearch' instead of 'elasticsearch.Domain'.
Commit Log
feat(misconf): adapt aws_opensearch_domain (#8550)
AI Summary
The code adds support for detecting and adapting AWS EC2 VPC flow logs in CloudFormation templates, enhancing Trivy's ability to analyze misconfigurations. The changes include new test cases and functions to parse and map VPC resources and their associated flow logs, improving the accuracy of security checks.
Commit Log
feat(misconf): adapt AWS::EC2::VPC (#8534)
AI Summary
The commit fixes a broken link in the README.md file by updating the documentation link to point to the latest version of Trivy's documentation. This change ensures users are directed to the correct and up-to-date documentation, improving the user experience and reducing confusion.
Commit Log
docs: fix a broken link (#8546)
AI Summary
The code checks whether any post-analyzers are enabled and, if so, returns false so that the static-path fast path is not used. Post-analyzers do not implement StaticPathAnalyzer, so they cannot contribute to the StaticPaths collection; a scan that relies on them must fall back to full filesystem traversal rather than silently skipping the files they need.
Commit Log
fix(fs): check postAnalyzers for StaticPaths (#8543)
AI Summary
The code diff removes unused methods and imports related to the 'squealer' package from the EC2 instance implementation. The removed methods were related to checking sensitive information in user data and were no longer in use.
Commit Log
refactor(misconf): remove unused methods for ec2.Instance (#8536)
AI Summary
The code adds support for adapting AWS default security groups in Terraform configurations, specifically handling the 'aws_default_security_group' resource type. It introduces logic to parse and adapt security group rules, including handling protocol values that may be numeric or string-based.
Commit Log
feat(misconf): adapt aws_default_security_group (#8538)
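The practitioner-relevant detail in the aws_default_security_group change is the protocol normalization: Terraform (and the AWS API behind it) accepts IANA protocol numbers as strings ("6"), names ("tcp"), and "-1" for all protocols, so a check that compares the raw string against "tcp" misses an SSH rule written as protocol "6". The following is an added example, not Trivy's code: it assumes a hypothetical `Rule` type and a small name table for the common IANA numbers, and shows the normalization feeding a "port exposed to the world" check.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule is a hypothetical stand-in for an adapted security group rule; Trivy's
// own type is not shown on this page.
type Rule struct {
	Protocol string   // "tcp", "6", "-1", "all", ...
	FromPort int      // inclusive; ignored when Protocol means "all"
	ToPort   int      // inclusive
	CIDRs    []string // source CIDRs of an ingress rule
}

// normalizeProtocol maps the protocol spellings AWS accepts onto one canonical
// name. "-1", "all" and empty mean every protocol. The number-to-name table
// covers the IANA assignments for ICMP, TCP, UDP and ICMPv6 (an assumption of
// this example, not Trivy's table); other numbers are returned unchanged.
func normalizeProtocol(v string) string {
	v = strings.ToLower(strings.TrimSpace(v))
	if v == "" || v == "-1" || v == "all" {
		return "all"
	}
	n, err := strconv.Atoi(v)
	if err != nil {
		return v // already a name such as "tcp"
	}
	switch n {
	case 1:
		return "icmp"
	case 6:
		return "tcp"
	case 17:
		return "udp"
	case 58:
		return "icmpv6"
	}
	return v
}

// exposesPort reports whether r allows traffic to port over proto from any
// source (0.0.0.0/0 or ::/0). An "all"-protocol rule matches every port.
func exposesPort(r Rule, proto string, port int) bool {
	p := normalizeProtocol(r.Protocol)
	if p != "all" {
		if p != proto {
			return false
		}
		if port < r.FromPort || port > r.ToPort {
			return false
		}
	}
	for _, c := range r.CIDRs {
		if c == "0.0.0.0/0" || c == "::/0" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample rules: numeric TCP for SSH, and an "allow everything" rule.
	rules := []Rule{
		{Protocol: "6", FromPort: 22, ToPort: 22, CIDRs: []string{"0.0.0.0/0"}},
		{Protocol: "-1", FromPort: 0, ToPort: 0, CIDRs: []string{"::/0"}},
		{Protocol: "tcp", FromPort: 1, ToPort: 65535, CIDRs: []string{"10.0.0.0/8"}},
	}
	for i, r := range rules {
		fmt.Printf("rule %d: protocol=%q -> %q, ssh exposed=%v\n",
			i, r.Protocol, normalizeProtocol(r.Protocol), exposesPort(r, "tcp", 22))
	}
}
```

Without the normalization step, only the third rule (which is private anyway) would even be compared as "tcp"; the first two, which are the actual world-reachable ones, would be skipped.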
AI Summary
The code introduces a performance optimization by allowing analyzers to specify static file paths instead of traversing the entire filesystem, reducing scanning time for known paths. It adds a StaticPathAnalyzer interface and updates the AnalyzerGroup to collect static paths from analyzers, enabling faster analysis when all analyzers support static paths. The Artifact's Inspect method now checks if static paths are available and uses them instead of full traversal, improving efficiency for specific use cases.
Commit Log
feat(fs): optimize scanning performance by direct file access for known paths (#8525)
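The static-path optimization above, together with the earlier post-analyzer fix (fix(fs): check postAnalyzers for StaticPaths), amounts to one rule: open known files directly only when every analyzer can name its files up front and nothing that needs a full walk is enabled; otherwise traverse. The following is an added example and not Trivy's code: the `Analyzer`, `StaticPathAnalyzer` and `AnalyzerGroup` names, the root-relative paths and the boolean post-analyzer switch are all assumptions made to show the decision and its fallback.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Analyzer is a minimal stand-in for a scanner analyzer (assumed interface).
type Analyzer interface {
	Type() string
	Required(relPath string) bool
}

// StaticPathAnalyzer is the optional interface for analyzers that know their
// files in advance, so the scanner can open them without walking the tree.
type StaticPathAnalyzer interface {
	Analyzer
	StaticPaths() []string // root-relative paths
}

// lockfileAnalyzer wants exactly one fixed filename (e.g. go.sum).
type lockfileAnalyzer struct{ name, file string }

func (a lockfileAnalyzer) Type() string             { return a.name }
func (a lockfileAnalyzer) Required(p string) bool   { return filepath.Base(p) == a.file }
func (a lockfileAnalyzer) StaticPaths() []string    { return []string{a.file} }

// pipAnalyzer matches by name pattern and so cannot enumerate paths up front.
type pipAnalyzer struct{}

func (pipAnalyzer) Type() string { return "pip" }
func (pipAnalyzer) Required(p string) bool {
	b := filepath.Base(p)
	return strings.HasPrefix(b, "requirements") && strings.HasSuffix(b, ".txt")
}

// AnalyzerGroup holds the enabled analyzers; postAnalyzersOn models "any
// post-analyzer enabled", which must force the full traversal.
type AnalyzerGroup struct {
	analyzers       []Analyzer
	postAnalyzersOn bool
}

// StaticPaths returns the union of declared paths and true only when every
// analyzer implements StaticPathAnalyzer and no post-analyzer is enabled.
func (g AnalyzerGroup) StaticPaths() ([]string, bool) {
	if g.postAnalyzersOn {
		return nil, false
	}
	seen := map[string]struct{}{}
	for _, a := range g.analyzers {
		sp, ok := a.(StaticPathAnalyzer)
		if !ok {
			return nil, false // one pattern-based analyzer disables the fast path
		}
		for _, p := range sp.StaticPaths() {
			seen[p] = struct{}{}
		}
	}
	paths := make([]string, 0, len(seen))
	for p := range seen {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths, true
}

// CollectFiles returns the root-relative files to analyze and whether the
// direct-access path was taken. Missing static files are simply skipped.
func CollectFiles(root string, g AnalyzerGroup) ([]string, bool, error) {
	var found []string
	if paths, ok := g.StaticPaths(); ok {
		for _, p := range paths {
			if st, err := os.Stat(filepath.Join(root, p)); err == nil && !st.IsDir() {
				found = append(found, p)
			}
		}
		return found, true, nil
	}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		for _, a := range g.analyzers {
			if a.Required(rel) {
				found = append(found, rel)
				break
			}
		}
		return nil
	})
	sort.Strings(found)
	return found, false, err
}

func main() {
	g := AnalyzerGroup{analyzers: []Analyzer{lockfileAnalyzer{"gomod", "go.sum"}, pipAnalyzer{}}}
	files, direct, err := CollectFiles(".", g)
	fmt.Println(files, direct, err) // pip is pattern-based, so direct is false
}
```

The test exercises the three cases a reviewer of these two commits would want covered: only static analyzers (direct access), one pattern-based analyzer mixed in (full walk still finds its file), and a post-analyzer enabled (fast path refused even though every analyzer is static).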
AI Summary
The code updates the AWS DynamoDB table adapter to include server-side encryption (SSE) and point-in-time recovery (PITR) properties, aligning with new configuration standards. It introduces a new function `getTables` to extract and format DynamoDB tables from CloudFormation files, ensuring compatibility with updated schema expectations.
Commit Log
feat(misconf): adapt AWS::DynamoDB::Table (#8529)
AI Summary
The commit fixes Markdown syntax in the self-hosting.md documentation file by correcting a misplaced comma in the list of container registry tools. This change ensures the documentation is rendered correctly and improves readability for users.
Commit Log
style: Fix MD syntax in self-hosting.md (#8523)
AI Summary
The code change introduces a refactor to retrieve check metadata from annotations in Rego policies, replacing legacy metadata formats with a more structured approach. This change improves metadata handling by using annotations instead of legacy rules like '__rego_metadata__' and '__rego_input__', enhancing maintainability and compatibility with modern practices.
Commit Log
perf(misconf): retrieve check metadata from annotations once (#8478)
AI Summary
The code adds support for detecting AWS AMI configurations in Terraform by introducing new functions and test cases to adapt and validate AMI data. It defines functions to convert Terraform AMI blocks into the internal representation used by Trivy for analysis, including handling owners and metadata.
Commit Log
feat(misconf): Add support for aws_ami (#8499)
AI Summary
The code change skips scanning of Azure CreateUiDefinition files by checking for the filename in the Required method. This is done to avoid false positives or unnecessary processing of files that are not relevant for the scanner.
Commit Log
fix(misconf): skip Azure CreateUiDefinition (#8503)
AI Summary
The code refactor updates Trivy to use OPA v1 instead of the older OPA version, replacing imports and function calls to align with the new package structure. This change likely aims to modernize the codebase, improve compatibility with newer OPA features, and ensure consistency across dependencies.
Commit Log
refactor(misconf): use OPA v1 (#8518)
AI Summary
The code adds support for the 'ephemeral' block type to the Terraform configuration schema, allowing it to be parsed and validated. This change enables Trivy to correctly interpret and analyze Terraform configurations that include ephemeral blocks, improving accuracy in security checks.
Commit Log
fix(misconf): add ephemeral block type to config schema (#8513)
AI Summary
The code change optimizes the parsing of input for Rego by parsing it once and reusing the parsed value in both ScanInput and applyRule methods. This avoids redundant parsing of the same input, improving performance and reducing potential errors from repeated parsing.
Commit Log
perf(misconf): parse input for Rego once (#8483)
AI Summary
The code change replaces TinyGo with standard Go for compiling WebAssembly modules in Trivy, updating build commands and dependencies. This change removes TinyGo-specific tooling and replaces it with Go's standard toolchain, which simplifies the build process and reduces dependency complexity. The change also updates type references from 'artifact.Type' to 'ftypes.ArtifactType' across multiple files to align with the new package structure.
Commit Log
feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
AI Summary
The code replaces the deprecated 'tenv' linter with 'usetesting' in the .golangci.yaml configuration. To satisfy the new linter, multiple test files are updated to use 't.Context()' instead of 'context.Background()', so that test contexts are cancelled when the test ends.
Commit Log
chore: replace deprecated tenv linter with usetesting (#8504)