v0.68.1

[aqua-bot]

📑 Table of Contents

• 🚀 What's new? 🚀
  • 🧩 Scan report identification fields 📊
  • 🐳 Preserve RepoTags in Docker archive 🏷️
  • 🧩 Scan fs as git Repositories 📁
  • 🧬 Vulnerability Fingerprint Generation 🆔
  • 🌳 Dependency tree for .NET 📦
  • ⚙️ Java remote repositories 🫙
  • 📜 Easier to ignore licenses detection 🪪
  • 🏴 New --cacert flag ⛔
  • 🪪 SPDX Attestation Support Added 🧷
  • 🧾 Supoprt SBOM files in Sigstore bundle 🔐
  • ⚠️ Limit Rego Compile Errors 🧯
  • 🧩 Accurate YAML snippets in diagnostics ✅
  • 🗄️ Concurrent Vulnerability DB Access ⚡
• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🧩 Scan report identification fields 📊

Scan reports now includes the following identification fields to help track, manage and process reports:

• ReportID - Unique identifier for each individual scan report.
• ArtifactID - Unique identifier for each scanned artifact.
• Metadata.Reference - Captures the exact image reference used during the scan.

Example:

{
  "SchemaVersion": 2,
  "ReportID": "278d4718-2366-46d0-8525-fc288c4eb5f9",
  "ArtifactID": "sha256:055936d39205...",
  "ArtifactName": "debian:11",
  "ArtifactType": "container_image",
  "Metadata": {
    "ImageID": "sha256:e7b300aee9f9b...",
    "Reference": "debian:11",
    "RepoTags": ["debian:latest", "debian:11"]
  }
}

🐳 Preserve RepoTags in Docker archive 🏷️

Trivy now preserves image repository tags when scanning Docker archives (.tar files created with docker save, skopeo copy, etc).

Example:

$ docker save alpine:3.19 -o alpine.tar
$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'
{
  "RepoTags": [
    "alpine:3.19"
  ],
  "RepoDigests": null,
  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"
}

🧩 Scan fs as git Repositories 📁

When scanning a directory using trivy fs, Trivy now automatically sets the artifact type in the scan report to repository if the target is a git repository. This behavior is automatic — no configuration needed.

🧬 Vulnerability Fingerprint Generation 🆔

Trivy now generates unique fingerprints for each detected vulnerability, enabling consistent tracking across multiple scans.

Each fingerprint is a deterministic SHA256 digest derived from:

• Artifact ID
• Target path
• Package ID (with version)
• Vulnerability ID

The resulting value uses the sha256: prefix, consistent with Docker/OCI digest notation.

Example:

"Fingerprint": "sha256:c2f054e07c516fabf395ddc7b362fbe43597bc2e1d80ac46d6043a0e67968efb"

🌳 Dependency tree for .NET 📦

Trivy can now builds a dependency tree for .NET *.deps.json files.
It also detects the project’s package (RootRelationship), as well as direct and indirect dependencies.

Thanks to @alexinslc

⚙️ Java remote repositories🫙

Trivy now uses remote repositories from settings.xml files when scanning pom.xml files.

Thanks to @ricardo-kh

📜 Easier to ignore licenses detection 🪪

It’s no longer necessary to specify each SPDX expression individually to ignore them.
You can specify SPDX IDs, and if Trivy finds all of them in an expression, it’ll ignore that license.

For example you can use --ignored-licenses LGPLv2+,MIT to ignore MIT AND GPL-2.0-or-later expression.

Thanks to @yutatokoi

🏴 New --cacert flag ⛔

The conventional SSL_CERT_FILE environment variable didn't work consistently across all operating systems. We have now added the --cacert flag, which allows you to specify the path to a PEM-encoded CA certificate file on any OS.

🪪 SPDX Attestation Support Added 🧷

Trivy now supports scanning SBOM attestations in SPDX 2.3 format — specifically when wrapped as a DSSE (in-toto) envelope.

🧾 Supoprt SBOM files in Sigstore bundle 🔐

Trivy can now extract and analyze SBOM files packaged as a Sigstore bundle, as introduced in Sigstore v2.6.

Thanks to @RingoDev

⚠️ Limit Rego Compile Errors 🧯

You can now set the limit for the number of Rego compile errors allowed during policy compilation (currently set to 10 by default) using the --rego-error-limit flag. Rego compiliation errors can legitimately occur when using newer checks with older versions of Trivy, in which case checks might refer to fields which weren't supported. If the number of errors exceeds the specified limit, Trivy will stop the scan. Setting it to 0 enforces strict checking and disallows any compile errors.

🧩 Accurate YAML snippets ✅

Trivy now captures the correct start line for map nodes in YAML manifests. Previously, snippets showin in misconfiguration scanning results began at the first value and did not include the key, which could make diagnostics harder.

Before:

4 [   name: hello-host-ports

After:

3 ┌ metadata:
4 └   name: hello-host-ports

🗄️ Concurrent Vulnerability DB Access ⚡

Trivy’s vulnerability database is now opened in read-only mode, allowing multiple Trivy processes to access the same database concurrently without running into lock timeouts. This is especially useful when running parallel scans or using Trivy in multi-process environments.

When using in-memory caching (e.g., fs, rootfs, config, sbom) or Redis caching, scans can run entirely in parallel without contention.
When using the filesystem cache (e.g, image, repo), cache files still involve write operations, so file locks may occur. Parallelism is therefore limited by cache writes, not the vulnerability database.

👷‍♂️ Notable Fixes 🛠️

• bug(license): Trivy doesn't detect all SPDX license IDs #9491
• bug(pom): Trivy incorrect inherit versions and scope from multiple dependencyManagements places #9574
• Trivy incorrectly reports "UNLICENSED" software as "Unencumbered" #9581
• fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue #9688 Thanks to @derekhjray
• bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps #9660
• bug(pip): Trivy doesn’t trim the end-of-range suffix when using the --detection-priority comprehensive flag. #9609 Thanks to @raghur-orca
• bug(sbom): Trivy doens't keep buildInfo for rpm packages #9682
• bug: Trivy doesn’t use context in dependency parsers to stop the run. #9417
• fix: close all opened resources if an error occurs #9665 Thanks to @fabriziosestito
• bug(license): Trivy splits licenses that include the WITH separator when determining the category. #9379
• bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561
• fix(java): use true as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files #9751
• bug(vex): Trivy skips the rule if we check the same parent from different paths. #9757
• fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod #9837
• fix(misconf): handle unsupported experimental flags in Dockerfile #9769
• bug(misconf): Dockerfile scanner fails to parse HEALTHCHECK with --start-period flag #9836
• Dockerfile parser fails on instructions with unsupported experimental flags #9768
• bug(terraform): Trivy panics when an ignore marker value is unknown #9834
• fix(misconf): ensure boolean metadata values are correctly interpreted #9762

[c4k4kvq6r7-rgb]

📑 Table of Contents

• 🚀 What's new? 🚀

  • 🧩 Scan report identification fields 📊

  • 🐳 Preserve RepoTags in Docker archive 🏷️

  • 🧩 Scan fs as git Repositories 📁

  • 🧬 Vulnerability Fingerprint Generation 🆔

  • 🌳 Dependency tree for .NET 📦

  • ⚙️ Java remote repositories 🫙

  • 📜 Easier to ignore licenses detection 🪪

  • 🏴 New --cacert flag ⛔

  • 🪪 SPDX Attestation Support Added 🧷

  • 🧾 Supoprt SBOM files in Sigstore bundle 🔐

  • ⚠️ Limit Rego Compile Errors 🧯

  • 🧩 Accurate YAML snippets in diagnostics ✅

  • 🗄️ Concurrent Vulnerability DB Access ⚡

• 👷‍♂️ Notable Fixes 🛠️

🚀 What's new? 🚀

🧩 Scan report identification fields 📊

Scan reports now includes the following identification fields to help track, manage and process reports:

• ReportID - Unique identifier for each individual scan report.

• ArtifactID - Unique identifier for each scanned artifact.

• Metadata.Reference - Captures the exact image reference used during the scan.

Example:

{

  "SchemaVersion": 2,

  "ReportID": "278d4718-2366-46d0-8525-fc288c4eb5f9",

  "ArtifactID": "sha256:055936d39205...",

  "ArtifactName": "debian:11",

  "ArtifactType": "container_image",

  "Metadata": {

    "ImageID": "sha256:e7b300aee9f9b...",

    "Reference": "debian:11",

    "RepoTags": ["debian:latest", "debian:11"]

  }

}

🐳 Preserve RepoTags in Docker archive 🏷️

Trivy now preserves image repository tags when scanning Docker archives (.tar files created with docker save, skopeo copy, etc).

Example:

$ docker save alpine:3.19 -o alpine.tar

$ trivy image --input alpine.tar -f json | jq '.Metadata | {RepoTags, RepoDigests, ImageID}'

{

  "RepoTags": [

    "alpine:3.19"

  ],

  "RepoDigests": null,

  "ImageID": "sha256:6cf065f724d522cbb3e1898559cd88f015db8a1a4210d2d048a0853b69b57ba9"

}

🧩 Scan fs as git Repositories 📁

When scanning a directory using trivy fs, Trivy now automatically sets the artifact type in the scan report to repository if the target is a git repository. This behavior is automatic — no configuration needed.

🧬 Vulnerability Fingerprint Generation 🆔

Trivy now generates unique fingerprints for each detected vulnerability, enabling consistent tracking across multiple scans.

Each fingerprint is a deterministic SHA256 digest derived from:

• Artifact ID

• Target path

• Package ID (with version)

• Vulnerability ID

The resulting value uses the sha256: prefix, consistent with Docker/OCI digest notation.

Example:

"Fingerprint": "sha256:c2f054e07c516fabf395ddc7b362fbe43597bc2e1d80ac46d6043a0e67968efb"

🌳 Dependency tree for .NET 📦

Trivy can now builds a dependency tree for .NET *.deps.json files.

It also detects the project’s package (RootRelationship), as well as direct and indirect dependencies.

Thanks to @alexinslc

⚙️ Java remote repositories🫙

Trivy now uses remote repositories from settings.xml files when scanning pom.xml files.

Thanks to @ricardo-kh

📜 Easier to ignore licenses detection 🪪

It’s no longer necessary to specify each SPDX expression individually to ignore them.

You can specify SPDX IDs, and if Trivy finds all of them in an expression, it’ll ignore that license.

For example you can use --ignored-licenses LGPLv2+,MIT to ignore MIT AND GPL-2.0-or-later expression.

Thanks to @yutatokoi

🏴 New --cacert flag ⛔

The conventional SSL_CERT_FILE environment variable didn't work consistently across all operating systems. We have now added the --cacert flag, which allows you to specify the path to a PEM-encoded CA certificate file on any OS.

🪪 SPDX Attestation Support Added 🧷

Trivy now supports scanning SBOM attestations in SPDX 2.3 format — specifically when wrapped as a DSSE (in-toto) envelope.

🧾 Supoprt SBOM files in Sigstore bundle 🔐

Trivy can now extract and analyze SBOM files packaged as a Sigstore bundle, as introduced in Sigstore v2.6.

Thanks to @RingoDev

⚠️ Limit Rego Compile Errors 🧯

You can now set the limit for the number of Rego compile errors allowed during policy compilation (currently set to 10 by default) using the --rego-error-limit flag. Rego compiliation errors can legitimately occur when using newer checks with older versions of Trivy, in which case checks might refer to fields which weren't supported. If the number of errors exceeds the specified limit, Trivy will stop the scan. Setting it to 0 enforces strict checking and disallows any compile errors.

🧩 Accurate YAML snippets ✅

Trivy now captures the correct start line for map nodes in YAML manifests. Previously, snippets showin in misconfiguration scanning results began at the first value and did not include the key, which could make diagnostics harder.

Before:

4 [   name: hello-host-ports

After:

3 ┌ metadata:

4 └   name: hello-host-ports

🗄️ Concurrent Vulnerability DB Access ⚡

Trivy’s vulnerability database is now opened in read-only mode, allowing multiple Trivy processes to access the same database concurrently without running into lock timeouts. This is especially useful when running parallel scans or using Trivy in multi-process environments.

When using in-memory caching (e.g., fs, rootfs, config, sbom) or Redis caching, scans can run entirely in parallel without contention.

When using the filesystem cache (e.g, image, repo), cache files still involve write operations, so file locks may occur. Parallelism is therefore limited by cache writes, not the vulnerability database.

👷‍♂️ Notable Fixes 🛠️

• bug(license): Trivy doesn't detect all SPDX license IDs #9491

• bug(pom): Trivy incorrect inherit versions and scope from multiple dependencyManagements places #9574

• Trivy incorrectly reports "UNLICENSED" software as "Unencumbered" #9581

• fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue #9688 Thanks to @derekhjray

• bug(pnpm): Trivy doesn't detect licenses for packages when ID contains peer deps #9660

• bug(pip): Trivy doesn’t trim the end-of-range suffix when using the --detection-priority comprehensive flag. #9609 Thanks to @raghur-orca

• bug(sbom): Trivy doens't keep buildInfo for rpm packages #9682

• bug: Trivy doesn’t use context in dependency parsers to stop the run. #9417

• fix: close all opened resources if an error occurs #9665 Thanks to @fabriziosestito

• bug(license): Trivy splits licenses that include the WITH separator when determining the category. #9379

• bug(cyclonedx): Trivy panics when scanning an SBOM in CycloneDX format if the file has an empty metadata component. #9561

• fix(java): use true as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files #9751

• bug(vex): Trivy skips the rule if we check the same parent from different paths. #9757

• fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod #9837

• fix(misconf): handle unsupported experimental flags in Dockerfile #9769

• bug(misconf): Dockerfile scanner fails to parse HEALTHCHECK with --start-period flag #9836

• Dockerfile parser fails on instructions with unsupported experimental flags #9768

• bug(terraform): Trivy panics when an ignore marker value is unknown #9834

• fix(misconf): ensure boolean metadata values are correctly interpreted #9762