Merge pull request #481 from aquasecurity/bump-trivy-1755898251

nikpivkin · web-flow · commit f9424c10c36e · 2025-08-27T13:19:48.000+06:00
diff --git a/.github/workflows/bump-trivy.yaml b/.github/workflows/bump-trivy.yaml
@@ -22,6 +22,9 @@ jobs:
       - name: Update Trivy versions
         run: make bump-trivy
 
+      - name: Update golden files
+        run: make update-golden
+
       - name: Create PR
         id: create-pr
         uses: peter-evans/create-pull-request@v5
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  TRIVY_VERSION: 0.64.1
+  TRIVY_VERSION: 0.65.0
   BATS_LIB_PATH: '/usr/lib/'
 
 jobs:
diff --git a/Makefile b/Makefile
@@ -7,12 +7,26 @@ SED = gsed
 BATS_LIB_PATH = /opt/homebrew/lib
 endif
 
+BATS_ENV := BATS_LIB_PATH=$(BATS_LIB_PATH) \
+	GITHUB_REPOSITORY_OWNER=aquasecurity \
+	TRIVY_CACHE_DIR=.cache \
+	TRIVY_DISABLE_VEX_NOTICE=true \
+	TRIVY_DEBUG=true
+
+BATS_FLAGS := --recursive --timing --verbose-run .
+
 .PHONY: test
-test:
+test: init-cache
+	$(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: update-golden
+update-golden: init-cache
+	UPDATE_GOLDEN=1 $(BATS_ENV) bats $(BATS_FLAGS)
+
+.PHONY: init-cache
+init-cache:
 	mkdir -p .cache
-	BATS_LIB_PATH=$(BATS_LIB_PATH) GITHUB_REPOSITORY_OWNER=aquasecurity\
-	  TRIVY_CACHE_DIR=.cache TRIVY_DISABLE_VEX_NOTICE=true TRIVY_DEBUG=true\
-	  bats --recursive --timing --verbose-run .
+	rm -f .cache/fanal/fanal.db
 
 bump-trivy:
 	@[ $$NEW_VERSION ] || ( echo "env 'NEW_VERSION' is not set"; exit 1 )
diff --git a/README.md b/README.md
@@ -215,7 +215,7 @@ jobs:
       uses: aquasecurity/setup-trivy@v0.2.0
       with:
         cache: true
-        version: v0.64.1
+        version: v0.65.0
 
     - name: Run Trivy vulnerability scanner in repo mode
       uses: aquasecurity/trivy-action@master
@@ -847,7 +847,7 @@ Following inputs can be used as `step.with` keys:
 | `github-pat`                 | String  |                                    | Authentication token to enable sending SBOM scan results to GitHub Dependency Graph. Can be either a GitHub Personal Access Token (PAT) or GITHUB_TOKEN          |
 | `limit-severities-for-sarif` | Boolean | false                              | By default *SARIF* format enforces output of all vulnerabilities regardless of configured severities. To override this behavior set this parameter to **true**   |
 | `docker-host`                | String  |                                    | By default it is set to `unix://var/run/docker.sock`, but can be updated to help with containerized infrastructure values (`unix:/` or other prefix is required) |
-| `version`                    | String  | `v0.64.1`                          | Trivy version to use, e.g. `latest` or `v0.64.1`                                                                                                                 |
+| `version`                    | String  | `v0.65.0`                          | Trivy version to use, e.g. `latest` or `v0.65.0`                                                                                                                 |
 | `skip-setup-trivy`           | Boolean | false                              | Skip calling the `setup-trivy` action to install `trivy`                                                                                                         |
 | `token-setup-trivy`          | Boolean |                                    | Overwrite `github.token` used by `setup-trivy` to checkout the `trivy` repository                                                                                |
 
diff --git a/action.yaml b/action.yaml
@@ -98,7 +98,7 @@ inputs:
   version:
     description: 'Trivy version to use'
     required: false
-    default: 'v0.64.1'
+    default: 'v0.65.0'
   cache:
     description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
     required: false
diff --git a/test/data/config-scan/report.json b/test/data/config-scan/report.json
@@ -2,18 +2,6 @@
   "SchemaVersion": 2,
   "ArtifactName": "test/data/config-scan",
   "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  },
   "Results": [
     {
       "Target": ".",
@@ -50,7 +38,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0086"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -90,8 +77,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -111,7 +97,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0087"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -151,8 +136,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -172,7 +156,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0088"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -212,8 +195,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -234,7 +216,6 @@
             "https://avd.aquasec.com/misconfig/s3-bucket-logging"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -274,8 +255,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -295,7 +275,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0090"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket_versioning.bucket_versioning",
             "Provider": "AWS",
@@ -416,7 +395,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0091"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -456,8 +434,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -477,7 +454,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0093"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -517,8 +493,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -538,7 +513,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0094"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -578,8 +552,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         },
         {
@@ -599,7 +572,6 @@
             "https://avd.aquasec.com/misconfig/avd-aws-0132"
           ],
           "Status": "FAIL",
-          "Layer": {},
           "CauseMetadata": {
             "Resource": "aws_s3_bucket.bucket",
             "Provider": "AWS",
@@ -639,8 +611,7 @@
                   "LastCause": true
                 }
               ]
-            },
-            "RenderedCause": {}
+            }
           }
         }
       ]
diff --git a/test/data/image-scan/report b/test/data/image-scan/report
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: bzip2: Data integrity error when decompressing (with  │
+│             │                │          │        │                   │               │ data integrity tests fail)....                               │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
diff --git a/test/data/secret-scan/report.json b/test/data/secret-scan/report.json
@@ -3,16 +3,12 @@
   "ArtifactName": "https://github.com/krol3/demo-trivy/",
   "ArtifactType": "repository",
   "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
+    "RepoURL": "https://github.com/krol3/demo-trivy/",
+    "Branch": "main",
+    "Commit": "547db823c73fdb3385871f6235e946c72291f734",
+    "CommitMsg": "chore: add gitignore",
+    "Author": "carolina valencia <krol3@users.noreply.github.com>",
+    "Committer": "carolina valencia <krol3@users.noreply.github.com>"
   },
   "Results": [
     {
@@ -68,8 +64,7 @@
               }
             ]
           },
-          "Match": "export GITHUB_PAT=****************************************",
-          "Layer": {}
+          "Match": "export GITHUB_PAT=****************************************"
         }
       ]
     }
diff --git a/test/data/with-ignore-files/report b/test/data/with-ignore-files/report
@@ -51,7 +51,8 @@ Total: 19 (CRITICAL: 19)
 │             │                │          │        │                   │               │ Windows Subsystem for...                                     │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1353                    │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
-│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: out-of-bounds write in function BZ2_decompress        │
+│ libbz2      │ CVE-2019-12900 │          │        │ 1.0.6-r6          │ 1.0.6-r7      │ bzip2: bzip2: Data integrity error when decompressing (with  │
+│             │                │          │        │                   │               │ data integrity tests fail)....                               │
 │             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-12900                   │
 ├─────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
 │ libcurl     │ CVE-2018-16839 │          │        │ 7.61.1-r0         │ 7.61.1-r1     │ curl: Integer overflow leading to heap-based buffer overflow │
diff --git a/test/data/with-tf-vars/report.json b/test/data/with-tf-vars/report.json
@@ -2,18 +2,6 @@
   "SchemaVersion": 2,
   "ArtifactName": "test/data/with-tf-vars/main.tf",
   "ArtifactType": "filesystem",
-  "Metadata": {
-    "ImageConfig": {
-      "architecture": "",
-      "created": "0001-01-01T00:00:00Z",
-      "os": "",
-      "rootfs": {
-        "type": "",
-        "diff_ids": null
-      },
-      "config": {}
-    }
-  },
   "Results": [
     {
       "Target": ".",
diff --git a/test/data/with-trivy-yaml-cfg/report.json b/test/data/with-trivy-yaml-cfg/report.json
@@ -1,6 +1,5 @@
 {
   "SchemaVersion": 2,
-  "CreatedAt": "2025-06-03T01:26:45.367171-06:00",
   "ArtifactName": "alpine:3.10",
   "ArtifactType": "container_image",
   "Metadata": {
@@ -72,7 +71,7 @@
           "PkgID": "apk-tools@2.10.6-r0",
           "PkgName": "apk-tools",
           "PkgIdentifier": {
-            "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64\u0026distro=3.10.9",
+            "PURL": "pkg:apk/alpine/apk-tools@2.10.6-r0?arch=x86_64&distro=3.10.9",
             "UID": "b7a64ae671a99195"
           },
           "InstalledVersion": "2.10.6-r0",
@@ -123,7 +122,7 @@
             "https://www.cve.org/CVERecord?id=CVE-2021-36159"
           ],
           "PublishedDate": "2021-08-03T14:15:08.233Z",
-          "LastModifiedDate": "2023-11-07T03:36:43.337Z"
+          "LastModifiedDate": "2024-11-21T06:13:13.57Z"
         }
       ]
     }
diff --git a/test/test.bats b/test/test.bats
@@ -57,9 +57,16 @@ function compare_files() {
   remove_github_fields "$file1"
   remove_github_fields "$file2"
   
-  run diff "$file1" "$file2"
-  echo "$output"
-  assert_files_equal "$file1" "$file2"
+  if [ "${UPDATE_GOLDEN}" = "1" ]; then
+    cp "$file1" "$file2"
+    echo "Updated golden file: $file2"
+  else
+    run diff "$file1" "$file2"
+    echo "$output"
+    assert_files_equal "$file1" "$file2"
+  fi
+
+  rm -f "$file1"
 }
 
 @test "trivy repo with securityCheck secret only" {

Original file line number	Diff line number	Diff line change
`@@ -2,18 +2,6 @@`
`2`	`2`	`"SchemaVersion": 2,`
`3`	`3`	`"ArtifactName": "test/data/config-scan",`
`4`	`4`	`"ArtifactType": "filesystem",`
`5`		`- "Metadata": {`
`6`		`- "ImageConfig": {`
`7`		`- "architecture": "",`
`8`		`- "created": "0001-01-01T00:00:00Z",`
`9`		`- "os": "",`
`10`		`- "rootfs": {`
`11`		`- "type": "",`
`12`		`- "diff_ids": null`
`13`		`- },`
`14`		`- "config": {}`
`15`		`- }`
`16`		`- },`
`17`	`5`	`"Results": [`
`18`	`6`	`{`
`19`	`7`	`"Target": ".",`
`@@ -50,7 +38,6 @@`
`50`	`38`	`"https://avd.aquasec.com/misconfig/avd-aws-0086"`
`51`	`39`	`],`
`52`	`40`	`"Status": "FAIL",`
`53`		`- "Layer": {},`
`54`	`41`	`"CauseMetadata": {`
`55`	`42`	`"Resource": "aws_s3_bucket.bucket",`
`56`	`43`	`"Provider": "AWS",`
`@@ -90,8 +77,7 @@`
`90`	`77`	`"LastCause": true`
`91`	`78`	`}`
`92`	`79`	`]`
`93`		`- },`
`94`		`- "RenderedCause": {}`
	`80`	`+ }`
`95`	`81`	`}`
`96`	`82`	`},`
`97`	`83`	`{`
`@@ -111,7 +97,6 @@`
`111`	`97`	`"https://avd.aquasec.com/misconfig/avd-aws-0087"`
`112`	`98`	`],`
`113`	`99`	`"Status": "FAIL",`
`114`		`- "Layer": {},`
`115`	`100`	`"CauseMetadata": {`
`116`	`101`	`"Resource": "aws_s3_bucket.bucket",`
`117`	`102`	`"Provider": "AWS",`
`@@ -151,8 +136,7 @@`
`151`	`136`	`"LastCause": true`
`152`	`137`	`}`
`153`	`138`	`]`
`154`		`- },`
`155`		`- "RenderedCause": {}`
	`139`	`+ }`
`156`	`140`	`}`
`157`	`141`	`},`
`158`	`142`	`{`
`@@ -172,7 +156,6 @@`
`172`	`156`	`"https://avd.aquasec.com/misconfig/avd-aws-0088"`
`173`	`157`	`],`
`174`	`158`	`"Status": "FAIL",`
`175`		`- "Layer": {},`
`176`	`159`	`"CauseMetadata": {`
`177`	`160`	`"Resource": "aws_s3_bucket.bucket",`
`178`	`161`	`"Provider": "AWS",`
`@@ -212,8 +195,7 @@`
`212`	`195`	`"LastCause": true`
`213`	`196`	`}`
`214`	`197`	`]`
`215`		`- },`
`216`		`- "RenderedCause": {}`
	`198`	`+ }`
`217`	`199`	`}`
`218`	`200`	`},`
`219`	`201`	`{`
`@@ -234,7 +216,6 @@`
`234`	`216`	`"https://avd.aquasec.com/misconfig/s3-bucket-logging"`
`235`	`217`	`],`
`236`	`218`	`"Status": "FAIL",`
`237`		`- "Layer": {},`
`238`	`219`	`"CauseMetadata": {`
`239`	`220`	`"Resource": "aws_s3_bucket.bucket",`
`240`	`221`	`"Provider": "AWS",`
`@@ -274,8 +255,7 @@`
`274`	`255`	`"LastCause": true`
`275`	`256`	`}`
`276`	`257`	`]`
`277`		`- },`
`278`		`- "RenderedCause": {}`
	`258`	`+ }`
`279`	`259`	`}`
`280`	`260`	`},`
`281`	`261`	`{`
`@@ -295,7 +275,6 @@`
`295`	`275`	`"https://avd.aquasec.com/misconfig/avd-aws-0090"`
`296`	`276`	`],`
`297`	`277`	`"Status": "FAIL",`
`298`		`- "Layer": {},`
`299`	`278`	`"CauseMetadata": {`
`300`	`279`	`"Resource": "aws_s3_bucket_versioning.bucket_versioning",`
`301`	`280`	`"Provider": "AWS",`
`@@ -416,7 +395,6 @@`
`416`	`395`	`"https://avd.aquasec.com/misconfig/avd-aws-0091"`
`417`	`396`	`],`
`418`	`397`	`"Status": "FAIL",`
`419`		`- "Layer": {},`
`420`	`398`	`"CauseMetadata": {`
`421`	`399`	`"Resource": "aws_s3_bucket.bucket",`
`422`	`400`	`"Provider": "AWS",`
`@@ -456,8 +434,7 @@`
`456`	`434`	`"LastCause": true`
`457`	`435`	`}`
`458`	`436`	`]`
`459`		`- },`
`460`		`- "RenderedCause": {}`
	`437`	`+ }`
`461`	`438`	`}`
`462`	`439`	`},`
`463`	`440`	`{`
`@@ -477,7 +454,6 @@`
`477`	`454`	`"https://avd.aquasec.com/misconfig/avd-aws-0093"`
`478`	`455`	`],`
`479`	`456`	`"Status": "FAIL",`
`480`		`- "Layer": {},`
`481`	`457`	`"CauseMetadata": {`
`482`	`458`	`"Resource": "aws_s3_bucket.bucket",`
`483`	`459`	`"Provider": "AWS",`
`@@ -517,8 +493,7 @@`
`517`	`493`	`"LastCause": true`
`518`	`494`	`}`
`519`	`495`	`]`
`520`		`- },`
`521`		`- "RenderedCause": {}`
	`496`	`+ }`
`522`	`497`	`}`
`523`	`498`	`},`
`524`	`499`	`{`
`@@ -538,7 +513,6 @@`
`538`	`513`	`"https://avd.aquasec.com/misconfig/avd-aws-0094"`
`539`	`514`	`],`
`540`	`515`	`"Status": "FAIL",`
`541`		`- "Layer": {},`
`542`	`516`	`"CauseMetadata": {`
`543`	`517`	`"Resource": "aws_s3_bucket.bucket",`
`544`	`518`	`"Provider": "AWS",`
`@@ -578,8 +552,7 @@`
`578`	`552`	`"LastCause": true`
`579`	`553`	`}`
`580`	`554`	`]`
`581`		`- },`
`582`		`- "RenderedCause": {}`
	`555`	`+ }`
`583`	`556`	`}`
`584`	`557`	`},`
`585`	`558`	`{`
`@@ -599,7 +572,6 @@`
`599`	`572`	`"https://avd.aquasec.com/misconfig/avd-aws-0132"`
`600`	`573`	`],`
`601`	`574`	`"Status": "FAIL",`
`602`		`- "Layer": {},`
`603`	`575`	`"CauseMetadata": {`
`604`	`576`	`"Resource": "aws_s3_bucket.bucket",`
`605`	`577`	`"Provider": "AWS",`
`@@ -639,8 +611,7 @@`
`639`	`611`	`"LastCause": true`
`640`	`612`	`}`
`641`	`613`	`]`
`642`		`- },`
`643`		`- "RenderedCause": {}`
	`614`	`+ }`
`644`	`615`	`}`
`645`	`616`	`}`
`646`	`617`	`]`
Original file line number	Diff line number	Diff line change
`@@ -3,16 +3,12 @@`
`3`	`3`	`"ArtifactName": "https://github.com/krol3/demo-trivy/",`
`4`	`4`	`"ArtifactType": "repository",`
`5`	`5`	`"Metadata": {`
`6`		`- "ImageConfig": {`
`7`		`- "architecture": "",`
`8`		`- "created": "0001-01-01T00:00:00Z",`
`9`		`- "os": "",`
`10`		`- "rootfs": {`
`11`		`- "type": "",`
`12`		`- "diff_ids": null`
`13`		`- },`
`14`		`- "config": {}`
`15`		`- }`
	`6`	`+ "RepoURL": "https://github.com/krol3/demo-trivy/",`
	`7`	`+ "Branch": "main",`
	`8`	`+ "Commit": "547db823c73fdb3385871f6235e946c72291f734",`
	`9`	`+ "CommitMsg": "chore: add gitignore",`
	`10`	`+ "Author": "carolina valencia <krol3@users.noreply.github.com>",`
	`11`	`+ "Committer": "carolina valencia <krol3@users.noreply.github.com>"`
`16`	`12`	`},`
`17`	`13`	`"Results": [`
`18`	`14`	`{`
`@@ -68,8 +64,7 @@`
`68`	`64`	`}`
`69`	`65`	`]`
`70`	`66`	`},`
`71`		`- "Match": "export GITHUB_PAT=****************************************",`
`72`		`- "Layer": {}`
	`67`	`+ "Match": "export GITHUB_PAT=****************************************"`
`73`	`68`	`}`
`74`	`69`	`]`
`75`	`70`	`}`