DmitriyLewen

Results 134 issues of DmitriyLewen

## Description When trying to get VEX documents from the OCI image we get an authentication error: ``` failed to probe the package URL: github.com/aquasecurity/trivy/pkg/vex.RetrieveVEXAttestation /home/runner/work/trivy/trivy/pkg/vex/oci.go:42 fetching documents: looking for...

kind/bug

## Description We currently detect `Application` type from `properties` only. FilePath for Application can be detected from component `name` only. This PR adds new logic: - Detect Application type from...

## Description Hello! Thanks for your work! I found 1 confusing case: https://github.com/advisories/GHSA-h4j7-5rxr-p4wc advisory contains `affected[].ranges[].events` + `affectedversions-field`: ``` { "package": { "ecosystem": "NuGet", "name": "Microsoft.Build.Tasks.Core" }, "ranges": [ {...

## Description CoreOS uses a specific path to the rpm DB - `/usr/share/rpm/rpmdb.sqlite`. We need to add support for this path. ### Required changes: - add new path into [requiredFiles](https://github.com/aquasecurity/trivy/blob/8f5b56005a4e8752976524750089dc9ea2c91e40/pkg/fanal/analyzer/pkg/rpm/rpm.go#L31-L42) + add comment...

help wanted
good first issue
kind/feature

## Description This PR adds support for detecting vulnerabilities in Seal Security packages within Trivy. Seal Security provides patched versions of open source packages with security fixes that may not...

## Description Add information about using `-` for the secret/license scanner in the summary table when no findings are found. ## Related issues - Close #9440 ## Checklist - [x]...

## Description We started using `xhttp.Client` for aws config in #9322 to add the Insecure option. But with this client, the `aws-sdk` cannot connect to `IMDS` to get credentials. ##...

kind/bug

## Description There is a problem with `xhttp.Client` — Trivy `aws-sdk` cannot connect to `IMDS`. That is why some users cannot get credentials. The `aws` docs recommend using `BuildableClient` —...

## Description Trivy checks licenses that include the `WITH` separator as multiple licenses when determining license category: ```bash ➜ cat trivy-full.yaml license: notice: - Similar to Apache License but with the...

kind/bug
scan/license
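The issue above is about the `WITH` operator: in an SPDX expression, `GPL-2.0-only WITH Classpath-exception-2.0` is one license with an exception attached, not two licenses, so splitting on `WITH` when categorizing produces a bogus second entry (the exception name) and can mis-categorize the first. The following is an added, stand-alone Go example, not Trivy's own code and not its `pkg/licensing` API; it contrasts a naive splitter that treats `WITH` as just another separator with one that keeps the license and its exception together, and then categorizes each entry against a small constructed category table (the table and the `SplitLicenses`/`NaiveSplit`/`Categorize` names are hypothetical).

```go
package main

import (
	"fmt"
	"strings"
)

// tokens drops parentheses and splits the expression on whitespace.
// Grouping does not matter when we only want to list the licenses
// an expression mentions.
func tokens(expr string) []string {
	return strings.Fields(strings.NewReplacer("(", " ", ")", " ").Replace(expr))
}

// NaiveSplit reproduces the behaviour the issue describes: every
// operator, including WITH, is treated as a separator, so the exception
// name leaks out as if it were a license of its own.
func NaiveSplit(expr string) []string {
	var out []string
	for _, tok := range tokens(expr) {
		switch strings.ToUpper(tok) {
		case "AND", "OR", "WITH":
			continue
		}
		out = append(out, tok)
	}
	return out
}

// SplitLicenses splits only on AND/OR. A "WITH <exception>" pair is
// glued back onto the license that precedes it, because in SPDX the
// WITH operator qualifies a single license rather than combining two.
func SplitLicenses(expr string) []string {
	var out []string
	f := tokens(expr)
	for i := 0; i < len(f); i++ {
		switch strings.ToUpper(f[i]) {
		case "AND", "OR":
			continue
		case "WITH":
			if len(out) > 0 && i+1 < len(f) {
				out[len(out)-1] += " WITH " + f[i+1]
				i++ // consume the exception identifier
			}
			continue
		}
		out = append(out, f[i])
	}
	return out
}

// categories is a constructed lookup table standing in for a license
// category config; it is not Trivy's real classification.
var categories = map[string]string{
	"MIT":          "notice",
	"Apache-2.0":   "notice",
	"GPL-2.0-only": "restricted",
	// A license with an exception may deserve its own category, and the
	// only way to key on it is to keep the WITH clause intact.
	"GPL-2.0-only WITH Classpath-exception-2.0": "reciprocal",
}

// Categorize maps each entry to a category, or "unknown" if unlisted.
func Categorize(entries []string) map[string]string {
	res := make(map[string]string, len(entries))
	for _, e := range entries {
		cat, ok := categories[e]
		if !ok {
			cat = "unknown"
		}
		res[e] = cat
	}
	return res
}

func main() {
	expr := "(MIT OR Apache-2.0) AND GPL-2.0-only WITH Classpath-exception-2.0"
	fmt.Println("naive:", Categorize(NaiveSplit(expr)))
	fmt.Println("fixed:", Categorize(SplitLicenses(expr)))
}
```

With the naive splitter the expression yields four entries, including `Classpath-exception-2.0` categorized as `unknown` and `GPL-2.0-only` categorized as `restricted`; keeping the clause intact yields three entries and lets the combined identifier hit its own category.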

## Description There are cases when vendor might provide package-specific severity (e.g. CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3.) Trivy always uses this severity (even `--vuln-severity-source`...

kind/bug
scan/vulnerability