Skip to content

v0.25.1

Compare
Choose a tag to compare
@github-actions github-actions released this 11 Mar 01:40
· 140 commits to master since this release
75c1956

Caution

Version 0.25.0 is SKIPped. DON'T USE 0.25.0.

Highlights

  • Trivy dependency is updated, 0.35.0 to 0.49.1

    • Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly
      detected by lockfile scan, these can be auto detected (findLock = true)
    • Rust's binary can also be scanned as lockfile, but not auto detected
    • Related PRs
      • Update trivy from 0.35.0 to 0.49.1 by @shino in #1806
      • fix(detector): library.Scan move to detector by @MaineK00n in #1864
      • Avoid to use sync.Once inside trivy javadb Updater by @shino in #1859
  • Add PURL (Package URL) in scan results

(Potential) Incompatibilities

  • In previous versions, vuls did not output results when all scans had failed, now outputs results
    even when all scans failed

    • Related PRs
      • fix(scanner): output all results even if all fail by @MaineK00n in #1866
      • refactor(config): move syslogconf to config/syslog package by @MaineK00n in #1865
  • Due to Trivy dependency update (in Highlights), some of scan logic previously
    executed in vuls scan phase are moved to vuls report phase

    • If new vuls binary is used in vuls scan and older ones in vuls report, there can be
      missing vulnerabilities, don't do that
    • This only affects JAR-like lockfile scan

Misc changes

New Contributors

Full Changelog: v0.24.9...v0.25.1