From 7c0244b8c6bbe5b2b98b1012f747da7477efdba0 Mon Sep 17 00:00:00 2001 From: simar7 Date: Fri, 22 Aug 2025 21:30:51 +0000 Subject: [PATCH 1/6] chore(deps): Update trivy to v0.65.0 --- .github/workflows/test.yaml | 2 +- README.md | 4 ++-- action.yaml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 246ceae..50dd980 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -6,7 +6,7 @@ on: workflow_dispatch: env: - TRIVY_VERSION: 0.64.1 + TRIVY_VERSION: 0.65.0 BATS_LIB_PATH: '/usr/lib/' jobs: diff --git a/README.md b/README.md index b555718..c7cbbd9 100644 --- a/README.md +++ b/README.md @@ -215,7 +215,7 @@ jobs: uses: aquasecurity/setup-trivy@v0.2.0 with: cache: true - version: v0.64.1 + version: v0.65.0 - name: Run Trivy vulnerability scanner in repo mode uses: aquasecurity/trivy-action@master @@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys: | `github-pat` | String | | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN | | `limit-severities-for-sarif` | Boolean | false | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true** | | `docker-host` | String | | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) | -| `version` | String | `v0.64.1` | Trivy version to use, e.g. `latest` or `v0.64.1` | +| `version` | String | `v0.65.0` | Trivy version to use, e.g. `latest` or `v0.65.0` | | `skip-setup-trivy` | Boolean | false | Skip calling the `setup-trivy` action to install `trivy` | | `token-setup-trivy` | Boolean | | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository | 
diff --git a/action.yaml b/action.yaml index eedc7f8..714089d 100644 --- a/action.yaml +++ b/action.yaml @@ -98,7 +98,7 @@ inputs: version: description: 'Trivy version to use' required: false - default: 'v0.64.1' + default: 'v0.65.0' cache: description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.' required: false From 636fd3c4eb543cadbbdbe619b32a2e8fa000b199 Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 26 Aug 2025 19:07:53 -0600 Subject: [PATCH 2/6] fix: update tests --- test/data/image-scan/report | 3 ++- test/data/with-ignore-files/report | 3 ++- test/data/with-trivy-yaml-cfg/report.json | 5 ++--- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/test/data/image-scan/report b/test/data/image-scan/report index 5b10bb1..993d79f 100644 --- a/test/data/image-scan/report +++ b/test/data/image-scan/report @@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ +│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │ +│ │ │ │ │ │ │ data integrity tests fail).... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ diff --git a/test/data/with-ignore-files/report b/test/data/with-ignore-files/report index c31dc97..d188c7f 100644 --- a/test/data/with-ignore-files/report +++ b/test/data/with-ignore-files/report 
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19) │ │ │ │ │ │ │ Windows Subsystem for... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-1353 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ -│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: out-of-bounds write in function BZ2_decompress │ +│ libbz2 │ CVE-2019-12900 │ │ │ 1.0.6-r6 │ 1.0.6-r7 │ bzip2: bzip2: Data integrity error when decompressing (with │ +│ │ │ │ │ │ │ data integrity tests fail).... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-12900 │ ├─────────────┼────────────────┤ │ ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤ │ libcurl │ CVE-2018-16839 │ │ │ 7.61.1-r0 │ 7.61.1-r1 │ curl: Integer overflow leading to heap-based buffer overflow │ diff --git a/test/data/with-trivy-yaml-cfg/report.json b/test/data/with-trivy-yaml-cfg/report.json index a68318e..64d26a9 100644 --- a/test/data/with-trivy-yaml-cfg/report.json +++ b/test/data/with-trivy-yaml-cfg/report.json @@ -1,6 +1,5 @@ { "SchemaVersion": 2, - "CreatedAt": "2025-06-03T01:26:45.367171-06:00", "ArtifactName": "alpine:3.10", "ArtifactType": "container_image", "Metadata": { @@ -72,7 +71,7 @@ "PkgID": "apk-tools@2.10.6-r0", "PkgName": "apk-tools", "PkgIdentifier": { - "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9", + "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9", "UID": "b7a64ae671a99195" }, "InstalledVersion": "2.10.6-r0", @@ -123,7 +122,7 @@ "https://www.cve.org/CVERecord?id=CVE-2021-36159" ], "PublishedDate": "2021-08-03T14:15:08.233Z", - "LastModifiedDate": "2023-11-07T03:36:43.337Z" + "LastModifiedDate": "2024-11-21T06:13:13.57Z" } ] } From bf330b1153903db69c138b270026394621567622 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Wed, 27 Aug 2025 12:19:06 +0600 Subject: [PATCH 3/6] test: update golden files 
Signed-off-by: Nikita Pivkin --- test/data/config-scan/report.json | 45 ++++++------------------------ test/data/secret-scan/report.json | 15 +--------- test/data/with-tf-vars/report.json | 12 -------- 3 files changed, 9 insertions(+), 63 deletions(-) diff --git a/test/data/config-scan/report.json b/test/data/config-scan/report.json index f1ac724..b2cd4a4 100644 --- a/test/data/config-scan/report.json +++ b/test/data/config-scan/report.json @@ -2,18 +2,6 @@ "SchemaVersion": 2, "ArtifactName": "test/data/config-scan", "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, "Results": [ { "Target": ".", @@ -50,7 +38,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0086" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -90,8 +77,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -111,7 +97,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0087" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -151,8 +136,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -172,7 +156,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0088" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -212,8 +195,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -234,7 +216,6 @@ "https://avd.aquasec.com/misconfig/s3-bucket-logging" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -274,8 +255,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { 
@@ -295,7 +275,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0090" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket_versioning.bucket_versioning", "Provider": "AWS", @@ -416,7 +395,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0091" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -456,8 +434,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -477,7 +454,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0093" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -517,8 +493,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -538,7 +513,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0094" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -578,8 +552,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } }, { @@ -599,7 +572,6 @@ "https://avd.aquasec.com/misconfig/avd-aws-0132" ], "Status": "FAIL", - "Layer": {}, "CauseMetadata": { "Resource": "aws_s3_bucket.bucket", "Provider": "AWS", @@ -639,8 +611,7 @@ "LastCause": true } ] - }, - "RenderedCause": {} + } } } ] diff --git a/test/data/secret-scan/report.json b/test/data/secret-scan/report.json index b7bc4dc..ec3d59b 100644 --- a/test/data/secret-scan/report.json +++ b/test/data/secret-scan/report.json @@ -2,18 +2,6 @@ "SchemaVersion": 2, "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, "Results": [ { "Target": "env", @@ -68,8 +56,7 @@ } ] }, - "Match": "export GITHUB_PAT=****************************************", - "Layer": {} + "Match": "export GITHUB_PAT=****************************************" } ] } 
diff --git a/test/data/with-tf-vars/report.json b/test/data/with-tf-vars/report.json index 9a187ce..d7286e2 100644 --- a/test/data/with-tf-vars/report.json +++ b/test/data/with-tf-vars/report.json @@ -2,18 +2,6 @@ "SchemaVersion": 2, "ArtifactName": "test/data/with-tf-vars/main.tf", "ArtifactType": "filesystem", - "Metadata": { - "ImageConfig": { - "architecture": "", - "created": "0001-01-01T00:00:00Z", - "os": "", - "rootfs": { - "type": "", - "diff_ids": null - }, - "config": {} - } - }, "Results": [ { "Target": ".", From 71f6a8fb8bcf6de1e478caf1ffbf96e8634f63e3 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Wed, 27 Aug 2025 12:20:05 +0600 Subject: [PATCH 4/6] dev: add update-golden goal Signed-off-by: Nikita Pivkin --- Makefile | 17 ++++++++++++++--- test/test.bats | 13 ++++++++++--- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index a1b72d9..bd701f4 100644 --- a/Makefile +++ b/Makefile @@ -7,12 +7,23 @@ SED = gsed BATS_LIB_PATH = /opt/homebrew/lib endif +BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \ + GITHUB_REPOSITORY_OWNER=aquasecurity \ + TRIVY_CACHE_DIR=.cache \ + TRIVY_DISABLE_VEX_NOTICE=true \ + TRIVY_DEBUG=true + +BATS_FLAGS := --recursive --timing --verbose-run . + .PHONY: test test: mkdir -p .cache - BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\ - TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\ - bats --recursive --timing --verbose-run . + $(BATS_ENV) bats $(BATS_FLAGS) + +.PHONY: update-golden +update-golden: + mkdir -p .cache + UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS) bump-trivy: @[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 ) diff --git a/test/test.bats b/test/test.bats index e3e47c6..e3c10cc 100644 --- a/test/test.bats +++ b/test/test.bats 
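Review bot: The new `update-golden` target overwrites committed files under `test/data` and carries no comment saying so, and `BATS_FLAGS` also bundles the positional search path `.` with the option flags. A comment above the target, `# Overwrites the golden reports under test/data with the current Trivy output; inspect git diff afterwards`, plus splitting the path out as `BATS_DIR := .` and invoking `bats $(BATS_FLAGS) $(BATS_DIR)` would keep both recipes self-describing. The `bump-trivy` recipe continues outside the hunk.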
@@ -57,9 +57,16 @@ function compare_files() { remove_github_fields "$file1" remove_github_fields "$file2" - run diff "$file1" "$file2" - echo "$output" - assert_files_equal "$file1" "$file2" + if [ "${UPDATE_GOLDEN}" = "1" ]; then + cp "$file1" "$file2" + echo "Updated golden file: $file2" + else + run diff "$file1" "$file2" + echo "$output" + assert_files_equal "$file1" "$file2" + fi + + rm -f "$file1" } @test "trivy repo with securityCheck secret only" { From a1698702b6572282ec311be7857219a18858aa70 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Wed, 27 Aug 2025 12:33:47 +0600 Subject: [PATCH 5/6] ci: update golden files on Trivy bump Signed-off-by: Nikita Pivkin --- .github/workflows/bump-trivy.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/bump-trivy.yaml b/.github/workflows/bump-trivy.yaml index 4f4ce76..0ad310a 100644 --- a/.github/workflows/bump-trivy.yaml +++ b/.github/workflows/bump-trivy.yaml @@ -22,6 +22,9 @@ jobs: - name: Update Trivy versions run: make bump-trivy + - name: Update golden files + run: make update-golden + - name: Create PR id: create-pr uses: peter-evans/create-pull-request@v5 From 85abccb4a45b17f7272c97fb6789a215fca1f434 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Wed, 27 Aug 2025 13:05:59 +0600 Subject: [PATCH 6/6] dev: delete fanal.db before tests Signed-off-by: Nikita Pivkin --- Makefile | 11 +++++++---- test/data/secret-scan/report.json | 8 ++++++++ 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index bd701f4..2cf081d 100644 --- a/Makefile +++ b/Makefile 
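Review bot: With `UPDATE_GOLDEN=1` the new branch in `compare_files` copies `$file1` over `$file2` and returns success without any comparison, so the run can never fail and nothing in the bats log shows what the golden changed to. Moving the existing `run diff "$file1" "$file2"` and `echo "$output"` above the `if` keeps the delta visible in both modes, which is worth having now that patch 5 of this series invokes `make update-golden` from CI right before a PR is opened. The start of `compare_files` lies outside the hunk. A comment such as `# UPDATE_GOLDEN=1: accept the current output as the new golden; no assertion is made` above the `if` would make the mode explicit to the next reader.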
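Review bot: The new `Update golden files` step regenerates every golden from whatever the bumped Trivy emits and the following `Create PR` step commits the result, so a regression in the new release is recorded as the expected output rather than caught — the golden diff in the PR becomes the only review point. A step comment stating this, e.g. `# Rewrites test/data goldens from the new Trivy output without validating them; review the golden diff in the PR`, would tell the reviewer what to look at. Whether the runner has the bumped Trivy on PATH before this step cannot be seen from the hunk; if it does not, the goldens would be regenerated with the previous binary. The enclosing job definition starts outside the hunk.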
@@ -16,15 +16,18 @@ BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \ BATS_FLAGS := --recursive --timing --verbose-run . .PHONY: test -test: - mkdir -p .cache +test: init-cache $(BATS_ENV) bats $(BATS_FLAGS) .PHONY: update-golden -update-golden: - mkdir -p .cache +update-golden: init-cache UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS) +.PHONY: init-cache +init-cache: + mkdir -p .cache + rm -f .cache/fanal/fanal.db + bump-trivy: @[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 ) @CURRENT_VERSION=$$(grep "TRIVY_VERSION:" .github/workflows/test.yaml | awk '{print $$2}');\ diff --git a/test/data/secret-scan/report.json b/test/data/secret-scan/report.json index ec3d59b..b22503e 100644 --- a/test/data/secret-scan/report.json +++ b/test/data/secret-scan/report.json @@ -2,6 +2,14 @@ "SchemaVersion": 2, "ArtifactName": "https://github.com/krol3/demo-trivy/", "ArtifactType": "repository", + "Metadata": { + "RepoURL": "https://github.com/krol3/demo-trivy/", + "Branch": "main", + "Commit": "547db823c73fdb3385871f6235e946c72291f734", + "CommitMsg": "chore: add gitignore", + "Author": "carolina valencia ", + "Committer": "carolina valencia " + }, "Results": [ { "Target": "env",
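Review bot: `init-cache` hard-codes `.cache/fanal/fanal.db` while the same directory is handed to Trivy as `TRIVY_CACHE_DIR=.cache` inside `BATS_ENV`, so the two can drift silently; a `CACHE_DIR := .cache` used as `TRIVY_CACHE_DIR=$(CACHE_DIR)`, `mkdir -p $(CACHE_DIR)` and `rm -f $(CACHE_DIR)/fanal/fanal.db` keeps them tied together. The recipe also gives no reason for deleting the database on every run; a comment such as `# fanal.db is Trivy's artifact cache; drop it so results are not reused across runs — confirm this is the intent` would record it. Because `init-cache` is `.PHONY`, both `test` and `update-golden` now always rebuild the cache directory, which appears intended but is worth stating in the same comment.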