Merge branch 'main' into feat/python-lic-fields

.github/DISCUSSION_TEMPLATE/bugs.yml

@@ -114,7 +114,7 @@ body:
  label: Checklist
  description: Have you tried the following?
  options:
- - label: Run `trivy --reset`
+ - label: Run `trivy image --reset`
  - label: Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
  - type: markdown
  attributes:

Dockerfile.canary

@@ -1,4 +1,4 @@
-FROM alpine:3.18.0
+FROM alpine:3.18.2
 RUN apk --no-cache add ca-certificates git
 
 # binaries were created with GoReleaser

contrib/install.sh

@@ -75,6 +75,7 @@ get_binaries() {
  linux/ppc64le) BINARIES="trivy" ;;
  linux/arm64) BINARIES="trivy" ;;
  linux/armv7) BINARIES="trivy" ;;
+ linux/s390x) BINARIES="trivy" ;;
  openbsd/386) BINARIES="trivy" ;;
  openbsd/amd64) BINARIES="trivy" ;;
  openbsd/arm64) BINARIES="trivy" ;;
@@ -115,7 +116,8 @@ adjust_os() {
  amd64) OS=64bit ;;
  arm) OS=ARM ;;
  arm64) OS=ARM64 ;;
- ppc64le) OS=PPC64LE ;;
+ ppc64le) OS=Linux ;;
+ s390x) OS=Linux ;;
  darwin) OS=macOS ;;
  dragonfly) OS=DragonFlyBSD ;;
  freebsd) OS=FreeBSD ;;
@@ -133,7 +135,8 @@ adjust_arch() {
  arm) ARCH=ARM ;;
  armv7) ARCH=ARM ;;
  arm64) ARCH=ARM64 ;;
- ppc64le) OS=PPC64LE ;;
+ ppc64le) ARCH=PPC64LE ;;
+ s390x) ARCH=s390x ;;
  darwin) ARCH=macOS ;;
  dragonfly) ARCH=DragonFlyBSD ;;
  freebsd) ARCH=FreeBSD ;;
@@ -222,6 +225,7 @@ uname_arch() {
  armv5*) arch="armv5" ;;
  armv6*) arch="armv6" ;;
  armv7*) arch="armv7" ;;
+ s390*) arch="s390x" ;;
  esac
  echo ${arch}
 }

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -43,6 +43,7 @@ trivy filesystem [flags] PATH
  --ignore-unfixed display only fixed vulnerabilities
  --ignored-licenses strings specify a list of license to ignore
  --ignorefile string specify .trivyignore file (default ".trivyignore")
+ --include-dev-deps include development dependencies in the report (supported: npm)
  --include-non-failures include successes and exceptions, available with '--scanners config'
  --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
  --license-confidence-level float specify license classifier's confidence level (default 0.9)

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -48,7 +48,6 @@ trivy sbom [flags] SBOM_PATH
  --rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
  --reset remove all caches and database
  --sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
- --scanners strings comma-separated list of what security issues to detect (vuln,config,secret,license) (default [vuln,secret])
  --server string server address in client mode
  -s, --severity string severities of security issues to be displayed (comma separated) (default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
  --skip-db-update skip updating vulnerability database

docs/docs/scanner/vulnerability/language/index.md

@@ -4,33 +4,33 @@
 
 ## Supported languages
 
-| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
-|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:---------------:|------------------|:------------------------:|
-| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included | - |
-| | gemspec | ✅ | ✅ | - | - | included | - |
-| [Python](python.md) | Pipfile.lock | - | - | ✅ | ✅ | excluded | ✅ |
-| | poetry.lock | - | - | ✅ | ✅ | excluded | - |
-| | requirements.txt | - | - | ✅ | ✅ | included | - |
-| | egg package[^1] | ✅ | ✅ | - | - | excluded | - |
-| | wheel package[^2] | ✅ | ✅ | - | - | excluded | - |
-| [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅ |
-| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ | excluded  | ✅ |
-| | yarn.lock | - | - | ✅ | ✅ | included  | ✅ |
-| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded | - |
-| | package.json | ✅ | ✅ | - | - | excluded | - |
-| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included | ✅ |
-| | packages.config | ✅ | ✅ | ✅ | ✅ | excluded | - |
-| | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded | ✅ |
-| [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - | included | - |
-| | pom.xml[^4] | - | - | ✅ | ✅ | excluded | - |
-| | *gradle.lockfile | - | - | ✅ | ✅ | excluded | - |
-| [Go](golang.md) | Binaries built by Go[^5] | ✅ | ✅ | - | - | excluded | - |
-| | go.mod[^6] | - | - | ✅ | ✅ | included | - |
-| [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ | excluded | ✅ |
-| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - | excluded | - |
-| C/C++ | conan.lock[^12] | - | - | ✅ | ✅ | excluded | - | 
-| Elixir | mix.lock[^12] | - | - | ✅ | ✅ | excluded | ✅ |
-| Dart | pubspec.lock | - | - | ✅ | ✅ | included | - |
+| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies  | Dependency location[^11] |
+|----------------------|--------------------------------------------------------------------------------------------|:---------:|:----------:|:--------------:|:---------------:|------------------------------|:------------------------:|
+| Ruby | Gemfile.lock | - | - | ✅ | ✅ | included  | - |
+| | gemspec | ✅ | ✅ | - | - | included  | - |
+| [Python](python.md) | Pipfile.lock | - | - | ✅ | ✅ | excluded  | ✅ |
+| | poetry.lock | - | - | ✅ | ✅ | excluded  | - |
+| | requirements.txt | - | - | ✅ | ✅ | included  | - |
+| | egg package[^1] | ✅ | ✅ | - | - | excluded  | - |
+| | wheel package[^2] | ✅ | ✅ | - | - | excluded  | - |
+| [PHP](php.md) | composer.lock | ✅ | ✅ | ✅ | ✅ | excluded  | ✅ |
+| [Node.js](nodejs.md) | package-lock.json | - | - | ✅ | ✅ | [excluded](./nodejs.md#npm) | ✅ |
+| | yarn.lock | - | - | ✅ | ✅ | [excluded](./nodejs.md#yarn) | ✅ |
+| | pnpm-lock.yaml | - | - | ✅ | ✅ | excluded  | - |
+| | package.json | ✅ | ✅ | - | - | excluded  | - |
+| .NET | packages.lock.json | ✅ | ✅ | ✅ | ✅ | included  | ✅ |
+| | packages.config | ✅ | ✅ | ✅ | ✅ | excluded  | - |
+| | .deps.json | ✅ | ✅ | ✅ | ✅ | excluded  | ✅ |
+| [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - | included  | - |
+| | pom.xml[^4] | - | - | ✅ | ✅ | excluded  | - |
+| | *gradle.lockfile | - | - | ✅ | ✅ | excluded  | - |
+| [Go](golang.md) | Binaries built by Go[^5] | ✅ | ✅ | - | - | excluded  | - |
+| | go.mod[^6] | - | - | ✅ | ✅ | included  | - |
+| [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ | excluded  | ✅ |
+| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - | excluded  | - |
+| C/C++ | conan.lock[^12] | - | - | ✅ | ✅ | excluded  | - | 
+| Elixir | mix.lock[^12] | - | - | ✅ | ✅ | excluded  | ✅ |
+| Dart | pubspec.lock | - | - | ✅ | ✅ | included  | - |
 
 The path of these files does not matter.
 

docs/docs/scanner/vulnerability/language/nodejs.md

@@ -3,11 +3,11 @@
 Trivy supports three types of Node.js package managers: `npm`, `Yarn` and `pnpm`.
 The following table provides an outline of the features Trivy offers.
 
-| Package manager | File | Transitive dependencies | Dev dependencies | Dependency graph | Position | License |
-|:---------------:|-------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:-------:|
-| npm | package-lock.json | ✅ |  Excluded  | ✅ | ✅ | ✅ |
-| Yarn | yarn.lock | ✅ |  Excluded  | ✅ | ✅ | - |
-| pnpm | pnpm-lock.yaml | ✅ | Excluded | ✅ | - | - |
+| Package manager | File | Transitive dependencies | Dev dependencies  | Dependency graph | Position | License |
+|:---------------:|-------------------|:-----------------------:|:-----------------:|:----------------:|:--------:|:-------:|
+| npm | package-lock.json | ✅ | [Excluded](#npm) | ✅ | ✅ | ✅ |
+| Yarn | yarn.lock | ✅ | [Excluded](#yarn) | ✅ | ✅ | - |
+| pnpm | pnpm-lock.yaml | ✅ | Excluded  | ✅ | - | - |
 
 In addition, Trivy scans installed packages with `package.json`.
 
@@ -29,6 +29,8 @@ Trivy parses `package-lock.json`.
 To identify licenses, you need to download dependencies to `node_modules` beforehand.
 Trivy analyzes `node_modules` for licenses.
 
+By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.
+
 ### Yarn
 Trivy parses `yarn.lock`, which doesn't contain information about development dependencies.
 To exclude devDependencies, `package.json` also needs to be present next to `yarn.lock`.