Merge branch 'main' into helm-versions

# Conflicts:
#	pkg/iac/scanners/helm/test/option_test.go
#	pkg/iac/scanners/helm/test/parser_test.go

.github/workflows/auto-update-labels.yaml

@@ -20,7 +20,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install aqua tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 

.github/workflows/canary.yaml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Restore Trivy binaries from cache
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Restore Trivy binaries from cache
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           path: dist/
           key: ${{ runner.os }}-bins-${{github.workflow}}-${{github.sha}}

.github/workflows/reusable-release.yaml

@@ -121,7 +121,7 @@ jobs:
             public.ecr.aws/aquasecurity/trivy:canary
 
       - name: Cache Trivy binaries
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           path: dist/
           # use 'github.sha' to create a unique cache folder for each run.

.github/workflows/test.yaml

@@ -57,7 +57,7 @@ jobs:
         if: ${{ failure() && steps.lint.conclusion == 'failure' }}
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
           aqua_opts: ""
@@ -87,7 +87,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -116,7 +116,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -136,7 +136,7 @@ jobs:
           go-version-file: go.mod
 
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
 
@@ -166,7 +166,7 @@ jobs:
         with:
           go-version-file: go.mod
       - name: Install tools
-        uses: aquaproj/aqua-installer@v2.2.0
+        uses: aquaproj/aqua-installer@v3.0.0
         with:
           aqua_version: v1.25.0
       - name: Run vm integration tests

contrib/gitlab.tpl

@@ -73,8 +73,11 @@
 	  {{- /* TODO: Type not extractable - https://github.com/aquasecurity/trivy-db/pull/24 */}}
           "type": "cve",
           "name": "{{ .VulnerabilityID }}",
-          "value": "{{ .VulnerabilityID }}",
+          "value": "{{ .VulnerabilityID }}"
+          {{- /* cf. https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/e3d280d7f0862ca66a1555ea8b24016a004bb914/dist/container-scanning-report-format.json#L157-179 */}}
+          {{- if .PrimaryURL | regexMatch "^(https?|ftp)://.+" -}},
           "url": "{{ .PrimaryURL }}"
+          {{- end }}
         }
       ],
       "links": [
@@ -85,9 +88,13 @@
         {{- else -}}
           ,
         {{- end -}}
+        {{- if . | regexMatch "^(https?|ftp)://.+" -}}
         {
-          "url": "{{ regexFind "[^ ]+" . }}"
+          "url": "{{ . }}"
         }
+        {{- else -}}
+          {{- $l_first = true }}
+        {{- end -}}
         {{- end }}
       ]
     }

docs/docs/configuration/reporting.md

@@ -63,6 +63,7 @@ The following languages are currently supported:
 | Go       | [go.mod][go-mod]                           |
 | PHP      | [composer.lock][composer-lock]             |
 | Java     | [pom.xml][pom-xml]                         |
+|          | [*gradle.lockfile][gradle-lockfile]        |
 | Dart     | [pubspec.lock][pubspec-lock]               |
 
 This tree is the reverse of the dependency graph.
@@ -445,5 +446,6 @@ $ trivy convert --format table --severity CRITICAL result.json
 [go-mod]: ../coverage/language/golang.md#go-modules
 [composer-lock]: ../coverage/language/php.md#composer
 [pom-xml]: ../coverage/language/java.md#pomxml
+[gradle-lockfile]: ../coverage/language/java.md#gradlelock
 [pubspec-lock]: ../coverage/language/dart.md#dart
 [cargo-binaries]: ../coverage/language/rust.md#binaries

docs/docs/coverage/iac/index.md

@@ -8,14 +8,15 @@ Trivy scans Infrastructure as Code (IaC) files for
 
 ## Supported configurations
 
-| Config type                         | File patterns                 |
-|-------------------------------------|-------------------------------|
-| [Kubernetes](kubernetes.md)         | *.yml, *.yaml, *.json         |
-| [Docker](docker.md)                 | Dockerfile, Containerfile     |
-| [Terraform](terraform.md)           | *.tf, *.tf.json, *.tfvars,    |
-| [CloudFormation](cloudformation.md) | *.yml, *.yaml, *.json         |
-| [Azure ARM Template](azure-arm.md)  | *.json                        |
-| [Helm](helm.md)                     | *.yaml, *.tpl, *.tar.gz, etc. |
+| Config type                         | File patterns                                 |
+|-------------------------------------|-----------------------------------------------|
+| [Kubernetes](kubernetes.md)         | \*.yml, \*.yaml, \*.json                      |
+| [Docker](docker.md)                 | Dockerfile, Containerfile                     |
+| [Terraform](terraform.md)           | \*.tf, \*.tf.json, \*.tfvars                  |
+| [Terraform Plan](terraform.md)      | tfplan, \*.tfplan, \*.tfplan.json, \*.tf.json |
+| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json                      |
+| [Azure ARM Template](azure-arm.md)  | \*.json                                       |
+| [Helm](helm.md)                     | \*.yaml, \*.tpl, \*.tar.gz, etc.              |
 
 [misconf]: ../../scanner/misconfiguration/index.md
 [secret]: ../../scanner/secret.md

docs/docs/coverage/language/java.md

@@ -3,19 +3,19 @@ Trivy supports three types of Java scanning: `JAR/WAR/PAR/EAR`, `pom.xml` and `*
 
 Each artifact supports the following scanners:
 
-| Artifact         | SBOM  | Vulnerability | License |
-| ---------------- | :---: | :-----------: | :-----: |
-| JAR/WAR/PAR/EAR  |   ✓   |       ✓       |    -    |
-| pom.xml          |   ✓   |       ✓       |    ✓    |
-| *gradle.lockfile |   ✓   |       ✓       |    -    |
+| Artifact         | SBOM | Vulnerability | License |
+|------------------|:----:|:-------------:|:-------:|
+| JAR/WAR/PAR/EAR  |  ✓   |       ✓       |    -    |
+| pom.xml          |  ✓   |       ✓       |    ✓    |
+| *gradle.lockfile |  ✓   |       ✓       |    ✓    |
 
 The following table provides an outline of the features Trivy offers.
 
 | Artifact         |    Internet access    | Dev dependencies | [Dependency graph][dependency-graph] | Position |
 |------------------|:---------------------:|:----------------:|:------------------------------------:|:--------:|
 | JAR/WAR/PAR/EAR  |     Trivy Java DB     |     Include      |                  -                   |    -     |
 | pom.xml          | Maven repository [^1] |     Exclude      |                  ✓                   |  ✓[^7]   |
-| *gradle.lockfile |           -           |     Exclude      |                  -                   |    ✓     |
+| *gradle.lockfile |           -           |     Exclude      |                  ✓                   |    ✓     |
 
 These may be enabled or disabled depending on the target.
 See [here](./index.md) for the detail.
@@ -64,18 +64,32 @@ If you need to show them, use the `--include-dev-deps` flag.
 
 
 ## Gradle.lock
-`gradle.lock` files contain all necessary information about used dependencies.
-Trivy simply parses the file, extract dependencies, and finds vulnerabilities for them.
-It doesn't require the internet access.
+`gradle.lock` files only contain information about used dependencies.
+
+!!!note
+    All necessary files are checked locally. Gradle file scanning doesn't require internet access.
+
+### Dependency-tree
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+Trivy finds child dependencies from `*.pom` files in the cache[^8] directory.
+
+But there is no reliable way to determine direct dependencies (even using other files).
+Therefore, we mark all dependencies as indirect to use logic to guess direct dependencies and build a dependency tree.
+
+### Licenses
+Trity also can detect licenses for dependencies.
+
+Make sure that you have cache[^8] directory to find licenses from `*.pom` dependency files.
 
-[^1]: https://github.com/aquasecurity/trivy-java-db
 [^1]: Uses maven repository to get information about dependencies. Internet access required.
 [^2]: It means `*.jar`, `*.war`, `*.par` and `*.ear` file
 [^3]: `ArtifactID`, `GroupID` and `Version`
 [^4]: e.g. when parent pom.xml file has `../pom.xml` path
 [^5]: When you use dependency path in `relativePath` field in pom.xml file
 [^6]: `/Users/<username>/.m2/repository` (for Linux and Mac) and `C:/Users/<username>/.m2/repository` (for Windows) by default
 [^7]: To avoid confusion, Trivy only finds locations for direct dependencies from the base pom.xml file.
+[^8]: The supported directories are `$GRADLE_USER_HOME/caches` and `$HOME/.gradle/caches` (`%HOMEPATH%\.gradle\caches` for Windows).
 
 [dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
 [maven-invoker-plugin]: https://maven.apache.org/plugins/maven-invoker-plugin/usage.html

docs/docs/references/configuration/cli/trivy.md

@@ -53,7 +53,7 @@ trivy [global flags] command [flags] target
 * [trivy plugin](trivy_plugin.md)	 - Manage plugins
 * [trivy repository](trivy_repository.md)	 - Scan a repository
 * [trivy rootfs](trivy_rootfs.md)	 - Scan rootfs
-* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities
+* [trivy sbom](trivy_sbom.md)	 - Scan SBOM for vulnerabilities and licenses
 * [trivy server](trivy_server.md)	 - Server mode
 * [trivy version](trivy_version.md)	 - Print the version
 * [trivy vm](trivy_vm.md)	 - [EXPERIMENTAL] Scan a virtual machine image

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -1,6 +1,6 @@
 ## trivy sbom
 
-Scan SBOM for vulnerabilities
+Scan SBOM for vulnerabilities and licenses
 
 ```
 trivy sbom [flags] SBOM_PATH
@@ -36,6 +36,7 @@ trivy sbom [flags] SBOM_PATH
       --ignore-policy string        specify the Rego file path to evaluate each vulnerability
       --ignore-status strings       comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
       --ignore-unfixed              display only fixed vulnerabilities
+      --ignored-licenses strings    specify a list of license to ignore
       --ignorefile string           specify .trivyignore file (default ".trivyignore")
       --java-db-repository string   OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1")
       --list-all-pkgs               enabling the option will output all packages regardless of vulnerability
@@ -50,6 +51,7 @@ trivy sbom [flags] SBOM_PATH
       --rekor-url string            [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
       --reset                       remove all caches and database
       --sbom-sources strings        [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings            comma-separated list of what security issues to detect (vuln,license) (default [vuln])
       --server string               server address in client mode
   -s, --severity strings            severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
       --show-suppressed             [EXPERIMENTAL] show suppressed vulnerabilities

docs/docs/scanner/license.md

@@ -22,18 +22,16 @@ Check out [the coverage document][coverage] for details.
 To enable extended license scanning, you can use `--license-full`.
 In addition to package licenses, Trivy scans source code files, Markdown documents, text files and `LICENSE` documents to identify license usage within the image or filesystem.
 
-By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifer.
+By default, Trivy only classifies licenses that are matched with a confidence level of 0.9 or more by the classifier.
 To configure the confidence level, you can use `--license-confidence-level`. This enables us to classify licenses that might be matched with a lower confidence level by the classifer. 
 
 !!! note
     The full license scanning is expensive. It takes a while.
 
-Currently, the standard license scanning doesn't support filesystem and repository scanning.
-
-|   License scanning    | Image | Rootfs | Filesystem | Repository |
-| :-------------------: | :---: | :----: | :--------: | :--------: |
-|       Standard        |   ✅   |   ✅    |     -      |     -      |
-| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |
+|   License scanning    | Image | Rootfs | Filesystem | Repository | SBOM |
+|:---------------------:|:-----:|:------:|:----------:|:----------:|:----:|
+|       Standard        |   ✅   |   ✅    | ✅[^1][^2]  | ✅[^1][^2]  |  ✅   |
+| Full (--license-full) |   ✅   |   ✅    |     ✅      |     ✅      |  -   |
 
 License checking classifies the identified licenses and map the classification to severity.
 
@@ -344,6 +342,8 @@ license:
   permissive: []
 ```
 
+[^1]: See the list of supported language files [here](../coverage/language/index.md).
+[^2]: Some lock files require additional files (e.g. files from the cache directory) to detect licenses. Check [coverage][coverage] for more information.
 
 [coverage]: ../coverage/index.md
 [google-license-classification]: https://opensource.google/documentation/reference/thirdparty/licenses

docs/docs/scanner/misconfiguration/index.md

@@ -381,7 +381,7 @@ If multiple variables evaluate to the same hostname, Trivy will choose the envir
 
 ### Skipping resources by inline comments
 
-Trivy supports ignoring misconfigured resources by inline comments for Terraform configuration files only.
+Trivy supports ignoring misconfigured resources by inline comments for Terraform and CloudFormation configuration files only.
 
 In cases where Trivy can detect comments of a specific format immediately adjacent to resource definitions, it is possible to ignore findings from a single source of resource definition (in contrast to `.trivyignore`, which has a directory-wide scope on all of the files scanned). The format for these comments is `trivy:ignore:<rule>` immediately following the format-specific line-comment [token](https://developer.hashicorp.com/terraform/language/syntax/configuration#comments).
 
@@ -422,6 +422,17 @@ As an example, consider the following check metadata:
 
 Long ID would look like the following: `aws-s3-enable-logging`.
 
+Example for CloudFromation:
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+#trivy:ignore:*
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName: test-bucket
+```
+
 #### Expiration Date
 
 You can specify the expiration date of the ignore rule in `yyyy-mm-dd` format. This is a useful feature when you want to make sure that an ignored issue is not forgotten and worth revisiting in the future. For example:
@@ -494,8 +505,21 @@ resource "aws_security_group_rule" "example" {
 }
 ```
 
-!!! note
-    Currently nested attributes are not supported. For example you will not be able to reference the `each.key` attribute.
+Checks can also be ignored by nested attributes, but certain restrictions apply:
+
+- You cannot access an individual block using indexes, for example when working with dynamic blocks.
+- Special variables like [each](https://developer.hashicorp.com/terraform/language/meta-arguments/for_each#the-each-object) and [count](https://developer.hashicorp.com/terraform/language/meta-arguments/count#the-count-object) cannot be accessed.
+
+```tf
+#trivy:ignore:*[logging_config.prefix=myprefix]
+resource "aws_cloudfront_distribution" "example" {
+  logging_config {
+    include_cookies = false
+    bucket          = "mylogs.s3.amazonaws.com"
+    prefix          = "myprefix"
+  }
+}
+```
 
 #### Ignoring module issues
 
@@ -523,4 +547,15 @@ module "s3_bucket" {
   bucket   = each.value
 }
 ```
-[custom]: custom/index.md
+
+#### Support for Wildcards
+
+You can use wildcards in the `ws` (workspace) and `ignore` sections of the ignore rules.
+
+```tf
+# trivy:ignore:aws-s3-*:ws:dev-*
+```
+
+This example ignores all checks starting with `aws-s3-` for workspaces matching the pattern `dev-*`.
+
+[custom]: custom/index.md

docs/docs/target/sbom.md

@@ -1,6 +1,6 @@
 # SBOM scanning
 
-Trivy can take the following SBOM formats as an input and scan for vulnerabilities.
+Trivy can take the following SBOM formats as an input and scan for vulnerabilities and licenses.
 
 - CycloneDX
 - SPDX
@@ -17,6 +17,9 @@ $ trivy sbom /path/to/sbom_file
 
 ```
 
+By default, vulnerability scan in SBOM is executed. You can use `--scanners vuln,license` 
+command property to select also license scan, or `--scanners license` alone.
+
 !!! note
     Passing SBOMs generated by tool other than Trivy may result in inaccurate detection
     because Trivy relies on custom properties in SBOM for accurate scanning.