openSUSE Security Update: Security update for trivy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:10022-1
Rating:             moderate
References:         #1199760 
Cross-References:   CVE-2022-23648 CVE-2022-28946
CVSS scores:
                    CVE-2022-23648 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-23648 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
                    CVE-2022-28946 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2022-28946 (SUSE): 4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:

   This update for trivy fixes the following issues:

   trivy was updated to version 0.28.0 (boo#1199760, CVE-2022-28946):

   * fix: remove Highlighted from json output (#2131)
   * fix: remove trivy-kubernetes replace (#2132)
   * docs: Add Operator docs under Kubernetes section (#2111)
   * fix(k8s): security-checks panic (#2127)
   * ci: added k8s scope (#2130)
   * docs: Update misconfig output in examples (#2128)
   * fix(misconf): Fix coloured output in Goland terminal (#2126)
   * docs(secret): Fix default value of --security-checks in docs (#2107)
   * refactor(report): move colorize function from trivy-db (#2122)
   * feat: k8s resource scanning (#2118)
   * chore: add CODEOWNERS (#2121)
   * feat(image): add `--server` option for remote scans (#1871)
   * refactor: k8s (#2116)
   * refactor: export useful APIs (#2108)
   * docs: fix k8s doc (#2114)
   * feat(kubernetes): Add report flag for summary (#2112)
   * fix: Remove problematic advanced rego policies (#2113)
   * feat(misconf): Add special output format for misconfigurations (#2100)
   * feat: add k8s subcommand (#2065)
   * chore: fix make lint version (#2102)
   * fix(java): handle relative pom modules (#2101)
   * fix(misconf): Add missing links for non-rego misconfig results (#2094)
   * feat(misconf): Added fs.FS based scanning via latest defsec (#2084)
   * chore(deps): bump trivy-issue-action to v0.0.4 (#2091)
   * chore(deps): bump github.com/twitchtv/twirp (#2077)
   * chore(deps): bump github.com/urfave/cli/v2 from 2.4.0 to 2.5.1 (#2074)
   * chore(os): updated fanal version and alpine distroless test (#2086)
   * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.1 to 0.5.2
     (#2075)
   * chore(deps): bump github.com/samber/lo from 1.16.0 to 1.19.0 (#2076)
   * feat(report): add support for SPDX (#2059)
   * chore(deps): bump actions/setup-go from 2 to 3 (#2073)
   * chore(deps): bump actions/cache from 3.0.1 to 3.0.2 (#2071)
   * chore(deps): bump golang from 1.18.0 to 1.18.1 (#2069)
   * chore(deps): bump actions/stale from 4 to 5 (#2070)
   * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.3.0 (#2072)
   * chore(deps): bump github.com/open-policy-agent/opa from 0.39.0 to 0.40.0
     (#2079)
   * chore: app version 0.27.0 (#2046)
   * fix(misconf): added to skip conf files if their scanning is not enabled
     (#2066)
   * docs(secret) fix rule path in docs (#2061)
   * docs: change from go.sum to go.mod (#2056)

   Update to version 0.27.1:

   * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1
     (#1926)
   * refactor(fs): scanner options (#2050)
   * feat(secret): truncate long line (#2052)
   * docs: fix a broken bullets (#2042)
   * feat(ubuntu): add 22.04 approx eol date (#2044)
   * docs: update installation.md (#2027)
   * docs: add Containerfile (#2032)

   Update to version 0.27.0:

   * fix(go): fixed panic to scan gomod without version (#2038)
   * docs(mariner): confirm it works with Mariner 2.0 VM (#2036)
   * feat(secret): support enable rules (#2035)
   * chore: app version 26.0 (#2030)
   * docs(secret): add a demo movie (#2031)
   * feat: support cache TTL in Redis (#2021)
   * fix(go): skip system installed binaries (#2028)
   * fix(go): check if go.sum is nil (#2029)
   * feat: add secret scanning (#1901)
   * chore: gh publish only with push the tag release (#2025)
   * fix(fs): ignore permission errors (#2022)
   * test(mod): using correct module inside test go.mod (#2020)
   * feat(server): re-add proxy support for client/server communications
     (#1995)
   * fix(report): truncate a description before escaping in ASFF template
     (#2004)
   * fix(cloudformation): correct margin removal for empty lines (#2002)
   * fix(template): correct check of old sarif template files (#2003)

   Update to version 0.26.0:

   * feat(alpine): warn mixing versions (#2000)
   * Update ASFF template (#1914)
   * chore(deps): replace `containerd/containerd` version to fix
     CVE-2022-23648 (#1994)
   * chore(deps): bump alpine from 3.15.3 to 3.15.4 (#1993)
   * test(go): add integration tests for gomod (#1989)
   * fix(python): fixed panic when scan .egg archive (#1992)
   * fix(go): set correct go modules type (#1990)
   * feat(alpine): support apk repositories (#1987)
   * docs: add CBL-Mariner (#1982)
   * docs(go): fix version (#1986)
   * feat(go): support go.mod in Go 1.17+ (#1985)
   * ci: fix URLs in the PR template (#1972)
   * ci: add semantic pull requests check (#1968)
   * docs(issue): added docs for wrong detection issues (#1961)

   Update to version 0.25.4:

   * docs: move CONTRIBUTING.md to docs (#1971)
   * refactor(table): use file name instead package path (#1966)
   * fix(sbom): add --db-repository (#1964)
   * feat(table): add PkgPath in table result (#1960)
   * fix(pom): merge multiple pom imports in a good manner (#1959)

   Update to version 0.25.3:

   * fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands
     (#1956)
   * fix(misconf): update BurntSushi/toml for fix runtime error (#1948)
   * fix(misconf): Update fanal/defsec to resolve missing metadata issues
     (#1947)
   * feat(jar): allow setting Maven Central URL using environment variable
     (#1939)
   * chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931)
   * chore(chart): remove version comments (#1933)

   Update to version 0.25.2:

   * fix(downloadDB): add flag to server command (#1942)

   Update to version 0.25.1:

   * fix(misconf): update defsec to resolve panics (#1935)
   * chore(deps): bump github.com/docker/docker (#1924)
   * docs: restructure the documentation (#1887)
   * chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.4.0 (#1923)
   * chore(deps): bump actions/cache from 2 to 3.0.1 (#1920)
   * chore(deps): bump actions/checkout from 2 to 3 (#1916)
   * chore(deps): bump github.com/open-policy-agent/opa from 0.37.2 to 0.39.0
     (#1921)
   * chore(deps): bump sigstore/cosign-installer from 2.0.0 to 2.1.0 (#1919)
   * chore(deps): bump helm/chart-testing-action from 2.2.0 to 2.2.1 (#1918)
   * chore(deps): bump golang from 1.17 to 1.18.0 (#1915)
   * Add trivy horizontal logo (#1932)
   * chore(deps): bump alpine from 3.15.0 to 3.15.3 (#1917)
   * chore(deps): bump github.com/go-redis/redis/v8 from 8.11.4 to 8.11.5
     (#1925)
   * chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 (#1927)
   * feat(db): Add dbRepository flag to get advisory database from OCI
     registry (#1873)

   Update to version 0.25.0:

   * docs(filter vulnerabilities): fix link (#1880)
   * feat(template) Add misconfigurations to gitlab codequality report (#1756)
   * fix(rpc): add PkgPath field to client / server mode (#1643)
   * fix(vulnerabilities): fixed trivy-db vulns (#1883)
   * feat(cache): remove temporary cache after filesystem scanning (#1868)
   * feat(sbom): add a dedicated sbom command (#1799)
   * feat(cyclonedx): add vulnerabilities (#1832)
   * fix(option): hide false warning about remote options (#1865)
   * chore: bump up Go to 1.18 (#1862)
   * feat(filesystem): scan in client/server mode (#1829)
   * refactor(template): remove unused test (#1861)
   * fix(cli): json format for trivy version (#1854)
   * docs: change URL for tfsec-checks (#1857)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2022-10022=1
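   The advisory lists the fixed build as trivy-0.28.0-bp154.2.3.1, so an
   administrator can decide per host whether the patch is still outstanding
   by comparing the installed package against that build. The script below
   is an added example, not part of the SUSE advisory or of trivy itself: it
   takes an rpm-style name-version-release string, strips the package name,
   and orders the remaining version-release with GNU `sort -V` (an
   approximation of rpm's own version ordering, which is an assumption of
   this example, not something the advisory states). The installed-package
   strings it runs over are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the SUSE advisory): decide whether an installed
# trivy package is older than the fixed build this update ships.
# FIXED_NVR comes from the advisory's package list; the sample installed
# strings in the loop below are constructed for the example.

FIXED_NVR="trivy-0.28.0-bp154.2.3.1"
PATCH_CMD="zypper in -t patch openSUSE-2022-10022=1"

# version_lt A B: exit 0 when version string A sorts strictly before B.
# Uses GNU 'sort -V' (version-aware ordering of dotted numeric segments) as an
# approximation of rpm's version comparison (assumption of this example).
version_lt() {
    a=$1
    b=$2
    [ "$a" = "$b" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)
    [ "$first" = "$a" ]
}

# nvr_version NAME-VERSION-RELEASE -> VERSION-RELEASE (drops the "trivy-" name)
nvr_version() {
    printf '%s\n' "$1" | sed 's/^trivy-//'
}

# needs_patch INSTALLED_NVR: exit 0 if the installed build predates the fix,
# exit 1 if it is the fixed build or newer.
needs_patch() {
    inst=$(nvr_version "$1")
    fixed=$(nvr_version "$FIXED_NVR")
    version_lt "$inst" "$fixed"
}

# Constructed sample inputs in the shape 'rpm -q trivy' prints on openSUSE.
for pkg in trivy-0.25.0-bp154.1.1 trivy-0.28.0-bp154.2.3.1 trivy-0.28.0-bp154.2.4.1; do
    if needs_patch "$pkg"; then
        echo "$pkg: predates the fixed build, run: $PATCH_CMD"
    else
        echo "$pkg: fixed build or newer"
    fi
done
```

   On a real host the input to `needs_patch` would be the output of
   `rpm -q trivy`; the loop above substitutes constructed values so the
   script runs without the package installed.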



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 s390x x86_64):

      trivy-0.28.0-bp154.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2022-23648.html
   https://www.suse.com/security/cve/CVE-2022-28946.html
   https://bugzilla.suse.com/1199760

openSUSE: 2022:10022-1 moderate: trivy

June 21, 2022