Releases: future-architect/vuls
v0.26.0
What's Changed
- fix(trivy-to-vuls): remove cvss/severity duplicates, list all severities by @MaineK00n in #1929
- feat(reporter/s3): support minio by @MaineK00n in #1930
- feat(ci): group aws-sdk-go-v2 updates, check github actions update by @MaineK00n in #1941
- fix(redhat-based): collect running kernel packages by @MaineK00n in #1950
- fix(debian,ubuntu): collect running kernel source package by @MaineK00n in #1935
- fix(ci): Remove unused files to avoid disk full by @shino in #1957
- feat(config/os): add alpine 3.19, 3.20 EOL by @MaineK00n in #1965
- style(log): saas s3 upload error log by @future-ryunosuketanai in #1966
- refactor(report/s3): remove deprecated method for s3 endpoint by @MaineK00n in #1967
- feat: update EOL and Windows KB list by @MaineK00n in #1971
- fix(config/os): Fix EOL date of ubuntu 23.10 by @shino in #1972
Misc changes
- chore(deps): bump github.com/package-url/packageurl-go from 0.1.2 to 0.1.3 by @dependabot in #1927
- chore(deps): bump github.com/aquasecurity/trivy from 0.51.1 to 0.51.2 by @dependabot in #1928
- chore(deps): use aws-sdk-go-v2 by @MaineK00n in #1922
- chore(deps): bump github.com/aws/aws-sdk-go from 1.53.0 to 1.53.9 by @dependabot in #1934
- chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.15 to 1.17.16 by @dependabot in #1936
- chore(deps): bump docker/login-action from 2 to 3 by @dependabot in #1942
- chore(deps): bump goreleaser/goreleaser-action from 4 to 5 by @dependabot in #1943
- chore(deps): bump actions/checkout from 3 to 4 by @dependabot in #1944
- chore(deps): bump docker/build-push-action from 2 to 5 by @dependabot in #1945
- chore(deps): bump the aws group with 2 updates by @dependabot in #1947
- chore(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0 by @dependabot in #1948
- chore(deps): bump actions/setup-go from 3 to 5 by @dependabot in #1946
- chore(deps): bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0 by @dependabot in #1949
- chore(deps): use github.com/Azure/azure-sdk-for-go/sdk/storage/azblob by @MaineK00n in #1661
- chore(deps): bump github.com/aquasecurity/trivy from 0.51.2 to 0.51.4 by @dependabot in #1938
- chore(deps): bump github/codeql-action from 2 to 3 by @dependabot in #1951
- chore(deps): bump golangci/golangci-lint-action from 3 to 6 by @dependabot in #1952
- chore(deps): bump docker/metadata-action from 4 to 5 by @dependabot in #1953
- chore(deps): bump docker/setup-qemu-action from 2 to 3 by @dependabot in #1954
- chore(deps): bump docker/setup-buildx-action from 2 to 3 by @dependabot in #1955
- chore(deps): bump the aws group with 5 updates by @dependabot in #1958
- chore(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in #1959
- chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.8.0 to 0.9.0 by @dependabot in #1960
- chore(deps): bump golang.org/x/oauth2 from 0.20.0 to 0.21.0 by @dependabot in #1962
- chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 by @dependabot in #1964
- chore(deps): bump github.com/aquasecurity/trivy from 0.51.4 to 0.52.1 by @dependabot in #1961
- chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 by @dependabot in #1970
- chore(deps): bump github.com/aquasecurity/trivy from 0.52.1 to 0.52.2 by @dependabot in #1969
Full Changelog: v0.25.4...v0.26.0
v0.26.0-rc2
Changelog
- cb26be1 fix(ci): Remove unused files to avoid disk full (#1957)
- e1fab80 fix(debian,ubuntu): collect running kernel source package (#1935)
- 5af1a22 fix(redhat-based): collect running kernel packages (#1950)
- 0533069 chore(deps): bump docker/setup-buildx-action from 2 to 3 (#1955)
- 3e1f2bc chore(deps): bump docker/setup-qemu-action from 2 to 3 (#1954)
- 368c496 chore(deps): bump docker/metadata-action from 4 to 5 (#1953)
- a99e3af chore(deps): bump golangci/golangci-lint-action from 3 to 6 (#1952)
- 1769107 chore(deps): bump github/codeql-action from 2 to 3 (#1951)
- 2e5884b chore(deps): bump github.com/aquasecurity/trivy from 0.51.2 to 0.51.4 (#1938)
- cc9734d chore(deps): use github.com/Azure/azure-sdk-for-go/sdk/storage/azblob (#1661)
- 227208b chore(deps): bump github.com/BurntSushi/toml from 1.3.2 to 1.4.0 (#1949)
- 949d72d chore(deps): bump actions/setup-go from 3 to 5 (#1946)
- 2f02918 chore(deps): bump github.com/hashicorp/go-version from 1.6.0 to 1.7.0 (#1948)
- 7391718 chore(deps): bump the aws group with 2 updates (#1947)
- 980c1ff chore(deps): bump docker/build-push-action from 2 to 5 (#1945)
- 58bb6c7 chore(deps): bump actions/checkout from 3 to 4 (#1944)
- 977fe0c chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#1943)
- 474c76e chore(deps): bump docker/login-action from 2 to 3 (#1942)
- 5116a6a feat(ci): group aws-sdk-go-v2 updates, check github actions update (#1941)
- 8449f2e chore(deps): bump github.com/aws/aws-sdk-go-v2/credentials (#1936)
- db2c502 feat(reporter/s3): support minio (#1930)
- 337eb0b chore(deps): bump github.com/aws/aws-sdk-go from 1.53.0 to 1.53.9 (#1934)
- d8bce94 chore(deps): use aws-sdk-go-v2 (#1922)
- 9107d1b chore(deps): bump github.com/aquasecurity/trivy from 0.51.1 to 0.51.2 (#1928)
- 407407d fix(contrib/trivy-to-vuls): remove cvss/severity duplicates, list all severities (#1929)
- dccdd8a chore(deps): bump github.com/package-url/packageurl-go from 0.1.2 to 0.1.3 (#1927)
v0.25.4
This release includes a bug fix and a few additional features.
New feature
- Now modularity label is added in the scan result for Red Hat like OSes
- This fixed #1915
- feat(scanner/redhat): each package has modularitylabel by @MaineK00n in #1381
- Vendor severity and every CVSS information are added to
cveContents
- This fixed #1919
- Both detector and trivy-to-vuls command are changed in similar way
- feat(detector, contrib/trivy-to-vuls): collect vendor severity and cvss by @MaineK00n in #1921
(Potential) Incompatibilities
enabledDnfModules
element no more exists in scanner results- By #1381
- In elements in
cveContents
originated from trivy,type
fields are changed fromtrivy
totrivy:nvd
/trivy:ghsa
etc.- By #1921
Bug fixes
- fix(gost/debian): show all severities that appeared by @MaineK00n in #1914
Misc Changes
- chore(deps): bump github.com/emersion/go-smtp from 0.21.1 to 0.21.2 by @dependabot in #1918
- chore(deps): bump github.com/aquasecurity/trivy from 0.50.1 to 0.51.1 by @dependabot in #1912
Full Changelog: v0.25.3...v0.25.4
v0.25.3
This release includes recently released Ubuntu 24.04 support, some additional features, and several bug fixes.
We strongly recommend update to this version for Red Hat-like distribution users.
Watch out corresponding goval-dictionary and gost updates!
New feature
- Ubuntu 24.04 support comes in
- Depends on new gost, vulsio/gost#249
- feat(ubuntu): add 24.04 noble by @MaineK00n in #1878
- TLS insecure flag is added for SMTP notification
(Potential) Incompatibilities
- Use new gost for Ubuntu 24.04 support (#1878)
- Use new goval-dictionary for detection on Red Hat-like distributions (#1907)
Bug fixes
- For Red Hat-like distributions, there were false-positives and false negatives in detection results
- See #1906 for details
- Now fixed by the PR: feat(detect/redhat): detect unpatched vulnerabilities with oval, stop using gost by @MaineK00n in #1907
- style(log) config.toml template docs url by @future-ryunosuketanai in #1894
- style: fix some typos in comments by @deferdeter in #1897
- (fix) Exclude dev dependencies from npm's package-lock.json and Fix Java DB download endpoint by @shino in #1893
- fix(detector/suse): support when advisory.cves has both NVD and SUSE evaluations by @MaineK00n in #1899
- style(log) fix trivy docs link by @future-ryunosuketanai in #1902
Misc Changes
- chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 by @dependabot in #1903
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1898
- chore(deps): bump github.com/emersion/go-smtp from 0.20.2 to 0.21.0 by @dependabot in #1888
- chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 by @dependabot in #1891
- chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 by @dependabot in #1890
- chore(deps): bump github.com/emersion/go-smtp from 0.21.0 to 0.21.1 by @dependabot in #1896
- chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.50.1 by @dependabot in #1885
- chore(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10 by @dependabot in #1908
- chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in #1909
- chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 by @dependabot in #1910
New Contributors
- @Koodt made their first contribution in #1220
- @deferdeter made their first contribution in #1897
Full Changelog: v0.25.2...v0.25.3
v0.25.2
This release includes one additional feature and some bug fixes.
If you use Amazon Linux 2023, you have to harry to update.
New feature
- Some enterprise features of WPScan are now added to scan results.
(Potential) Incompatibilities
- Names and Versions of JAR-like files of scan results can be overwritten at
vuls result
phase.
Bug fixes
- Amazon Linux 2023 have changed its release version format in
/etc/amazon-linux-release
- It causes inability of EOL detection at
vuls scan
phase and failure of vulnerability detection atvuls report
phase. - No vulnerabilities are detected unless this bug fix, please update quickly if you use Amazon Linux 2023.
- e1df74c fix(amazon): use major version for checking eol, security advisories (#1873)
- It causes inability of EOL detection at
Misc Changes
- e25ec99 chore(deps): bump github.com/aws/aws-sdk-go from 1.49.21 to 1.51.5 (#1881)
- 472df0e chore(deps): update dictionary modules (#1877)
- 7d5a47b chore(deps): bump github.com/docker/docker (#1880)
- 426eb53 chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.4 (#1872)
- bda089b chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#1871)
- 02d1f6f chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#1868)
New Contributors
- @future-ryunosuketanai made their first contribution in #1875
Full Changelog: v0.25.1...v0.25.2
v0.25.1
Caution
Version 0.25.0 is SKIPped. DON'T USE 0.25.0.
Highlights
-
Trivy dependency is updated, 0.35.0 to 0.49.1
- Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly
detected by lockfile scan, these can be auto detected (findLock = true) - Rust's binary can also be scanned as lockfile, but not auto detected
- Related PRs
- Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly
-
Add PURL (Package URL) in scan results
- feat(PackageURL):add package URL for library scan result by @TsubasaKanemitsu in #1862
(Potential) Incompatibilities
-
In previous versions, vuls did not output results when all scans had failed, now outputs results
even when all scans failed- Related PRs
- fix(scanner): output all results even if all fail by @MaineK00n in #1866
- refactor(config): move syslogconf to config/syslog package by @MaineK00n in #1865
- Related PRs
-
Due to Trivy dependency update (in Highlights), some of scan logic previously
executed invuls scan
phase are moved tovuls report
phase- If new vuls binary is used in
vuls scan
and older ones invuls report
, there can be
missing vulnerabilities, don't do that - This only affects JAR-like lockfile scan
- If new vuls binary is used in
Misc changes
- fix(ci): use go version of go.mod by @MaineK00n in #1858
- fix(build): Change timeout to 60 minutes by @shino #1867
- chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 by @dependabot in #1849
- chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 by @dependabot in #1854
- chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.2 by @dependabot in #1856
- chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in #1861
New Contributors
- @TsubasaKanemitsu made their first contribution in #1862
Full Changelog: v0.24.9...v0.25.1
v0.25.1-beta2
Changelog
- 5af3226 fix(build): Change timeout to 60 minutes
v0.25.1-beta1
Changelog
- 18b4cbb Add 2 hour timeout
v0.25.0
v0.24.9
Changelog
- b9ebcf3 fix(scanner/windows): support when default shell is powershell (#1844)
- 7e91f5e fix(contrib/trivy): fix convert for src package (#1842)
- 76267a5 delete: cab validation (#1843)
- ea84385 fix(scanner/macos): remove unnecessary error check (#1836)
- d6589c2 chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 (#1837)
- 6e07103 chore(deps): bump github.com/emersion/go-smtp from 0.20.1 to 0.20.2 (#1838)
- b7e5bb2 chore(deps): bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (#1831)
- 91ed768 chore(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 (#1833)
- 098f308 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#1829)
- 0e04d21 chore(deps): bump github.com/emersion/go-smtp from 0.20.0 to 0.20.1 (#1826)
- f1005e5 chore(deps): bump github.com/emersion/go-smtp from 0.19.0 to 0.20.0 (#1824)
- 1acc4d8 chore(deps): bump github.com/c-robinson/iplib from 1.0.7 to 1.0.8 (#1819)
- eee6441 chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1818)