diff --git a/docs/community/maintainer/release-flow.md b/docs/community/maintainer/release-flow.md index 6c5bd17fc69d..ad917081df95 100644 --- a/docs/community/maintainer/release-flow.md +++ b/docs/community/maintainer/release-flow.md @@ -10,7 +10,7 @@ For detailed behavior, please refer to [the GitHub Actions configuration][workfl !!! note Commits with prefixes like `chore` or `build` are not considered releasable, and no release PR is created. - To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release). + To include such commits in a release, you need to either include commits with `feat` or `fix` prefixes or perform a manual release as described [below](#manual-release-pr-creation). ## Flow The release flow consists of the following main steps: diff --git a/docs/community/maintainer/triage.md b/docs/community/maintainer/triage.md index 4d72fda693c9..1921a421d0ab 100644 --- a/docs/community/maintainer/triage.md +++ b/docs/community/maintainer/triage.md @@ -188,7 +188,7 @@ We use two labels [help wanted](https://github.com/aquasecurity/trivy/issues?q=i and [good first issue](https://github.com/aquasecurity/trivy/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) to identify issues that have been specially groomed for new contributors. -We have specific [guidelines](/docs/community/maintainer/help-wanted.md) +We have specific [guidelines](./help-wanted.md) for how to use these labels. If you see an issue that satisfies these guidelines, you can add the `help wanted` label and the `good first issue` label. Please note that adding the `good first issue` label must also diff --git a/docs/docs/compliance/contrib-compliance.md b/docs/docs/compliance/contrib-compliance.md index 653fb28467a2..d7151b80b263 100644 --- a/docs/docs/compliance/contrib-compliance.md +++ b/docs/docs/compliance/contrib-compliance.md 
@@ -3,7 +3,7 @@ Trivy supports several different compliance specs. The details on compliance scanning with Trivy are provided in the [compliance documentation](../../docs/compliance/compliance.md). All of the Compliance Specs currently available in Trivy can be found in the `trivy-checks/pkg/specs/compliance/` directory ([Link](https://github.com/aquasecurity/trivy-checks/tree/main/pkg/specs/compliance)). -New checks are based on the custom compliance report detailed in the [main documentation.](../../docs/compliance/compliance/#custom-compliance) +New checks are based on the custom compliance report detailed in the [main documentation.](./compliance.md#custom-compliance) If you would like to create your custom compliance report, please reference the information in the main documentation. This section details how community members can contribute new Compliance Specs to Trivy. All compliance specs in Trivy are based on formal compliance reports such as CIS Benchmarks. @@ -20,7 +20,7 @@ Create a new file under `trivy-checks/specs/compliance/` and name the file in th ### Minimum spec structure -The structure of the compliance spec is detailed in the [main documentation](./compliance/#custom-compliance). +The structure of the compliance spec is detailed in the [main documentation](./compliance.md#custom-compliance). The first section in the spec is focused on the metadata of the spec. Replace all the fields of the metadata with the information relevant to the compliance spec that will be added. This information can be taken from the official report e.g. the CIS Benchmark report. diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md index a72689a410c5..636766692d11 100644 --- a/docs/docs/configuration/reporting.md +++ b/docs/docs/configuration/reporting.md 
@@ -450,8 +450,8 @@ $ trivy convert --format table --severity CRITICAL result.json [dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson [poetry-lock]: ../coverage/language/python.md#poetry [gemfile-lock]: ../coverage/language/ruby.md#bundler -[go-mod]: ../coverage/language/golang.md#go-modules -[composer-lock]: ../coverage/language/php.md#composer +[go-mod]: ../coverage/language/golang.md#go-module +[composer-lock]: ../coverage/language/php.md#composerlock [pom-xml]: ../coverage/language/java.md#pomxml [gradle-lockfile]: ../coverage/language/java.md#gradlelock [sbt-lockfile]: ../coverage/language/java.md#sbt diff --git a/docs/docs/coverage/kubernetes.md b/docs/docs/coverage/kubernetes.md index 5f2b3a62fc5e..9e925ca39900 100644 --- a/docs/docs/coverage/kubernetes.md +++ b/docs/docs/coverage/kubernetes.md @@ -17,7 +17,7 @@ Container image is scanned for: Kubernetes resource definition is scanned for: -- Vulnerabilities - partially supported through [KBOM scanning](#KBOM) +- Vulnerabilities - partially supported through [KBOM scanning](../target/kubernetes.md#kbom) - Misconfigurations - Exposed secrets diff --git a/docs/docs/coverage/language/golang.md b/docs/docs/coverage/language/golang.md index cd1a30c53e9c..ca3f880bef45 100644 --- a/docs/docs/coverage/language/golang.md +++ b/docs/docs/coverage/language/golang.md 
@@ -12,17 +12,17 @@ The following scanners are supported. The table below provides an outline of the features Trivy offers. -| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] | -|----------|:-----------:|:-----------------|:------------------------------------:|:------------------------:|:----------------------------------------:| -| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#standard-library) | [✅](#standard-library) | -| Binaries | ✅ | Exclude | - | [✅](#standard-library-1) | Not needed | +| Artifact | Offline[^1] | Dev dependencies | [Dependency graph][dependency-graph] | Stdlib | [Detection Priority][detection-priority] | +|----------|:-----------:|:-----------------|:------------------------------------:|:----------------------:|:----------------------------------------:| +| Modules | ✅ | Include | [✅](#dependency-graph) | [✅](#gomod-stdlib) | [✅](#gomod-stdlib) | +| Binaries | ✅ | Exclude | - | [✅](#go-binary-stdlib) | Not needed | !!! note When scanning Go projects (go.mod or binaries built with Go), Trivy scans only dependencies of the project, and does not detect vulnerabilities of application itself. For example, when scanning the Docker project (Docker's source code with go.mod or the Docker binary), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy. ## Data Sources -The data sources are listed [here](../../scanner/vulnerability.md#data-sources-1). +The data sources are listed [here](../../scanner/vulnerability.md#langpkg-data-sources). Trivy uses Go Vulnerability Database for [standard library](https://pkg.go.dev/std) and uses GitHub Advisory Database for other Go modules. ## Go Module 
@@ -60,12 +60,12 @@ If you want to have better detection, please consider updating the Go version in $ go mod tidy -go=1.18 ``` -### Main Module +### Main Module { #gomod-main } Trivy scans only dependencies of the project, and does not detect vulnerabilities of the main module. For example, when scanning the Docker project (Docker's source code with go.mod), Trivy might find vulnerabilities in Go modules that Docker depends on, but won't find vulnerabilities of Docker itself. Moreover, when scanning the Trivy project, which happens to use Docker, Docker's vulnerabilities might be detected as dependencies of Trivy. -### Standard Library +### Standard Library { #gomod-stdlib } Detecting the version of Go used in the project can be tricky. The go.mod file include hints that allows Trivy to guess the Go version but it eventually depends on the Go tool version in the build environment. Since this strategy is not fully deterministic and accurate, it is enabled only in [--detection-priority comprehensive][detection-priority] mode. @@ -105,7 +105,7 @@ In other cases, Go uses the `(devel)` version[^2]. In this case, Trivy will attempt to parse any `-ldflags` as it's a common practice to pass versions this way. If unsuccessful, the version will be empty[^3]. -### Standard Library +### Standard Library { #go-binary-stdlib } Trivy detects the Go version used to compile the binary and detects its vulnerabilities in the standard libraries. It possibly produces false positives. See [the caveat](#stdlib-vulnerabilities) for details. 
@@ -120,7 +120,7 @@ There are a few ways to mitigate this: 2. Suppress non-applicable vulnerabilities using either [ignore file](../../configuration/filtering.md) for self-use or [VEX Hub](../../supply-chain/vex/repo.md) for public use. ### Empty Version -As described in the [Main Module](#main-module-1) section, the main module of Go binaries might have an empty version. +As described in the [Main Module](#gomod-main) section, the main module of Go binaries might have an empty version. Also, dependencies replaced with local ones will have an empty version. [^1]: It doesn't require the Internet access. diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md index a0deec6ceac4..74d578852241 100644 --- a/docs/docs/coverage/language/index.md +++ b/docs/docs/coverage/language/index.md @@ -34,7 +34,7 @@ On the other hand, when the target is a post-build artifact, like a container im | [.NET](dotnet.md) | packages.lock.json | ✅ | ✅ | ✅ | ✅ | | | packages.config | ✅ | ✅ | ✅ | ✅ | | | .deps.json | ✅ | ✅ | ✅ | ✅ | -| | *Packages.props[^10] | ✅ | ✅ | ✅ | ✅ | +| | *Packages.props[^9] | ✅ | ✅ | ✅ | ✅ | | [Java](java.md) | JAR/WAR/PAR/EAR[^3] | ✅ | ✅ | - | - | | | pom.xml | - | - | ✅ | ✅ | | | *gradle.lockfile | - | - | ✅ | ✅ | @@ -44,7 +44,7 @@ On the other hand, when the target is a post-build artifact, like a container im | [Rust](rust.md) | Cargo.lock | ✅ | ✅ | ✅ | ✅ | | | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) | ✅ | ✅ | - | - | | [C/C++](c.md) | conan.lock | - | - | ✅ | ✅ | -| [Elixir](elixir.md) | mix.lock[^9] | - | - | ✅ | ✅ | +| [Elixir](elixir.md) | mix.lock[^8] | - | - | ✅ | ✅ | | [Dart](dart.md) | pubspec.lock | - | - | ✅ | ✅ | | [Swift](swift.md) | Podfile.lock | - | - | ✅ | ✅ | | | Package.resolved | - | - | ✅ | ✅ | 
@@ -65,6 +65,5 @@ Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Do [^5]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning [^6]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning [^7]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning -[^8]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../configuration/reporting.md#json) and [sarif](../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types -[^9]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns) -[^10]: `Directory.Packages.props` and legacy `Packages.props` file names are supported +[^8]: To scan a filename other than the default filename use [file-patterns](../../configuration/skipping.md#file-patterns) +[^9]: `Directory.Packages.props` and legacy `Packages.props` file names are supported diff --git a/docs/docs/coverage/language/java.md b/docs/docs/coverage/language/java.md index 30aca897670a..934d4149d4d8 100644 --- a/docs/docs/coverage/language/java.md +++ b/docs/docs/coverage/language/java.md @@ -60,7 +60,7 @@ Trivy reproduces Maven's repository selection and priority: !!! Note Trivy only takes information about packages. We don't take a list of vulnerabilities for packages from the `maven repository`. - Information about data sources for Java you can see [here](../../scanner/vulnerability.md#data-sources-1). + Information about data sources for Java you can see [here](../../scanner/vulnerability.md#langpkg-data-sources). You can disable connecting to the maven repository with the `--offline-scan` flag. The `--offline-scan` flag does not affect the Trivy database. diff --git a/docs/docs/coverage/language/python.md b/docs/docs/coverage/language/python.md index 27b776ec2d75..6b249adfcb8b 100644 
--- a/docs/docs/coverage/language/python.md +++ b/docs/docs/coverage/language/python.md @@ -44,7 +44,7 @@ Trivy parses your files generated by package managers in filesystem/repository s #### Dependency detection By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with `==` comparison operator and without `.*`. -Using the [--detection-priority comprehensive](#detection-priority) option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. +Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. In such case Trivy parses specifiers `>=`,`~=` and a trailing `.*`. ``` diff --git a/docs/docs/references/troubleshooting.md b/docs/docs/references/troubleshooting.md index 2c9a74a0e89a..5d51b0532200 100644 --- a/docs/docs/references/troubleshooting.md +++ b/docs/docs/references/troubleshooting.md @@ -269,4 +269,4 @@ $ trivy clean --all [air-gapped]: ../advanced/air-gap.md [network]: ../advanced/air-gap.md#network-requirements -[redis-cache]: ../../vulnerability/examples/cache/#cache-backend +[redis-cache]: ../configuration/cache.md#redis diff --git a/docs/docs/scanner/misconfiguration/check/builtin.md b/docs/docs/scanner/misconfiguration/check/builtin.md index c4ca18e79006..77b68f7ed09d 100644 --- a/docs/docs/scanner/misconfiguration/check/builtin.md +++ b/docs/docs/scanner/misconfiguration/check/builtin.md 
@@ -9,7 +9,7 @@ See [here](../../../coverage/iac/index.md) for the list of supported config type When performing a misconfiguration scan, Trivy will automatically download the relevant Checks bundle. The bundle is cached locally and Trivy will reuse it for subsequent scans on the same machine. Trivy takes care of updating the cache automatically, so normally users can be oblivious to it. ## Checks Distribution -Trivy checks are distributed as an [OPA bundle](opa-bundle) hosted in the following GitHub Container Registry: . +Trivy checks are distributed as an [OPA bundle][opa-bundle] hosted in the following GitHub Container Registry: . Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates. ### External connectivity diff --git a/docs/docs/scanner/vulnerability.md b/docs/docs/scanner/vulnerability.md index ba5d0014d6bf..8608a7e22348 100644 --- a/docs/docs/scanner/vulnerability.md +++ b/docs/docs/scanner/vulnerability.md @@ -113,7 +113,7 @@ To hide unfixed/unfixable vulnerabilities, you can use the `--ignore-unfixed` fl ### Supported Languages See [here](../coverage/language/index.md#supported-languages) for the supported languages. -### Data Sources +### Data Sources { #langpkg-data-sources } | Language | Source | Commercial Use | Delay[^1] | |----------|-----------------------------------------------------|:--------------:|:---------:| 
@@ -141,10 +141,10 @@ See [here](../coverage/language/index.md#supported-languages) for the supported If you have software that is not managed by a package manager, Trivy can still detect vulnerabilities in it in some cases: -- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor/#non-packaged-binaries) -- [Go Binaries with embedded module information](../coverage/language/golang/#go-binaries) -- [Rust Binaries with embedded information](../coverage/language/rust/#binaries) -- [SBOM embedded in container images](../supply-chain/container-image/#sbom-embedded-in-container-images) +- [Using SBOM from Sigstore Rekor](../supply-chain/attestation/rekor.md#non-packaged-binaries) +- [Go Binaries with embedded module information](../coverage/language/golang.md#go-binary) +- [Rust Binaries with embedded information](../coverage/language/rust.md#binaries) +- [SBOM embedded in container images](../supply-chain/sbom.md#sbom-detection-inside-targets) ## Kubernetes @@ -152,9 +152,9 @@ Trivy can detect vulnerabilities in Kubernetes clusters and components by scanni ### Data Sources -| Vendor | Source | -| ------------- |---------------------------------------------| -| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] | +| Vendor | Source | +|------------|---------------------------------------------| +| Kubernetes | [Kubernetes Official CVE feed][k8s-cve][^1] | [^1]: Some manual triage and correction has been made. diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md index 7b48fb1a59d5..454cb834bc33 100644 --- a/docs/docs/supply-chain/sbom.md +++ b/docs/docs/supply-chain/sbom.md @@ -738,6 +738,7 @@ See [here](../target/sbom.md) for more details. ### SBOM Detection inside Targets Trivy searches for SBOM files in container images with the following extensions: + - `.spdx` - `.spdx.json` - `.cdx` diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md index 4ea50035df1c..5d6a5f184463 100644 --- a/docs/docs/target/sbom.md 
+++ b/docs/docs/target/sbom.md @@ -6,7 +6,7 @@ Trivy can take the following SBOM formats as an input and scan for vulnerabiliti - SPDX - SPDX JSON - CycloneDX-type attestation -- [KBOM](./kubernetes.md#KBOM) in CycloneDX format +- [KBOM](./kubernetes.md#kbom) in CycloneDX format To scan SBOM, you can use the `sbom` subcommand and pass the path to the SBOM. The input format is automatically detected. @@ -118,7 +118,7 @@ Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 2) ## KBOM -To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#KBOM). +To read more about KBOM, see the [documentation for Kubernetes scanning](./kubernetes.md#kbom). The supported Kubernetes distributions for core components vulnerability scanning are: diff --git a/docs/tutorials/kubernetes/cluster-scanning.md b/docs/tutorials/kubernetes/cluster-scanning.md index 4cd2de6ee694..e18595579900 100644 --- a/docs/tutorials/kubernetes/cluster-scanning.md +++ b/docs/tutorials/kubernetes/cluster-scanning.md @@ -59,7 +59,7 @@ This has several benefits: - The CRDs can be both machine and human-readable depending on which applications consume the CRDs. This allows for more versatile applications of the Trivy operator. -There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation based on the [following documentation.](../../docs/target/kubernetes.md#trivy-operator) +There are several ways that you can install the Trivy Operator in your cluster. In this guide, we’re going to use the Helm installation. Please follow the Trivy Operator documentation for further information on:
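Review bot: The new anchor `#manual-release-pr-creation` in the release-flow.md hunk cannot be verified from this diff, since the heading it targets is not shown; confirm the heading text slugs to exactly that (or give it an explicit `{ #manual-release-pr-creation }` id, as this patch does for golang.md), because the old `#manual-release` link broke for precisely this reason and a future wording change would break it again.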
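Review bot: In the first contrib-compliance.md hunk the unchanged context line still links the compliance page as `../../docs/compliance/compliance.md` while the edited line two sentences later now uses `./compliance.md`. Both resolve to the same file from `docs/docs/compliance/`, but mixing the two forms in one paragraph invites the same link rot this patch is fixing; change the context line to `./compliance.md` as well.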
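Review bot: The second contrib-compliance.md hunk header shows the instruction `Create a new file under trivy-checks/specs/compliance/`, whereas the first hunk's context states the specs live in `trivy-checks/pkg/specs/compliance/` and links that GitHub path. One of the two directory names is wrong; since the file is being touched for link fixes, align them.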
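Review bot: In the reporting.md hunk, `#go-module` matches the `## Go Module` heading visible in the golang.md hunk, but `#composerlock` cannot be checked against anything in this diff; confirm the php.md heading slugs to `composerlock` before merging, otherwise the link definition is fixed once and broken again.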
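Review bot: The `{ #gomod-main }`, `{ #gomod-stdlib }` and `{ #go-binary-stdlib }` heading attributes introduced in the golang.md `@@ -60` and `@@ -105` hunks only work with the `attr_list` Markdown extension enabled in mkdocs.yml; without it the braces render literally in the heading text. Also, the `### Main Module` heading under Go Binary (the section whose context in the `@@ -105` hunk discusses `(devel)` versions and `-ldflags`) is the one remaining duplicate heading in the file and gets no explicit id, so add one, e.g. `{ #go-binary-main }`.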
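Review bot: Changing `#main-module-1` to `#gomod-main` in the Empty Version hunk appears to retarget the link to the wrong section. The sentence explains why the main module of Go binaries might have an empty version, which is described by the Go Binary `### Main Module` section (the `(devel)` / `-ldflags` text visible as context of the `@@ -105` hunk); `#gomod-main` is the Go Module section about the main module not being scanned for vulnerabilities. Link to an explicit id on the Go Binary heading instead.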
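Review bot: Deleting footnote `[^8]` from index.md and renumbering `[^9]`/`[^10]` down changes the meaning of any `[^8]` reference that is not updated. The hunks update only the two table cells shown (`*Packages.props` and `mix.lock`); the table header row, which is where a line-number footnote would normally sit, is not in the diff. Grep the file for remaining `[^8]` occurrences before merging, or they will silently point at the file-patterns footnote. If the line-number detail for json/sarif is still accurate, it should be moved rather than dropped.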
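Review bot: The edited line in the builtin.md hunk reads `GitHub Container Registry: .` in both the old and the new version, with nothing between the colon and the full stop. If the registry address is an angle-bracket autolink that the diff tooling stripped, fine; otherwise the link target is missing, so check the rendered page while fixing the `[opa-bundle]` reference.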
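Review bot: Switching `(#detection-priority)` to the reference-style `[detection-priority]` in python.md requires a matching `[detection-priority]: ...` definition in that file, and none appears in this diff. Without it, Python-Markdown renders the literal brackets. golang.md already relies on the same reference name, so the definition there can be mirrored.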
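Review bot: In vulnerability.md only the language `### Data Sources` heading receives an explicit id (`{ #langpkg-data-sources }`); the Kubernetes `### Data Sources` heading in the `@@ -152` hunk of the same file keeps its auto-generated `-N` slug, which is exactly what broke the `#data-sources-1` links this patch rewrites in golang.md and java.md. Give it an id too (e.g. `{ #k8s-data-sources }`) so the next heading insertion does not repeat the breakage.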
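Review bot: The cluster-scanning.md hunk removes the `#trivy-operator` link but leaves `Please follow the Trivy Operator documentation for further information on:` with no link at all. If the anchor in `docs/target/kubernetes.md` no longer exists, point the reader to where the Trivy Operator documentation now lives instead of deleting the reference.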