TCE-1371 Bump Trivy 0.65.0 (#168)

DMarinhoCodacy · afsmeira · web-flow · commit 1db741e37539 · 2025-08-04T14:29:01.000+01:00
* TCE-1371 Bump Trivy 0.65.0

* fix: Use flag `--vuln-severity-source auto` to make trivy compute results severity

---------

Co-authored-by: André Meira &lt;andre.meira@codacy.com&gt;
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,22 +1,22 @@
 version: 2.1
 
 orbs:
-  codacy: codacy/base@12.0.0
+  codacy: codacy/base@12.2.0
   codacy_plugins_test: codacy/plugins-test@2.0.11
 
 references:
   install_trivy_and_download_dbs: &install_trivy_and_download_dbs
     persist_to_workspace: true
-    # https://aquasecurity.github.io/trivy/v0.59/getting-started/installation/#install-script
+    # https://aquasecurity.github.io/trivy/v0.65/getting-started/installation/#install-script
     cmd: |
-      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . v0.59.1
+      curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . v0.65.0
       mkdir cache
       ./trivy --cache-dir ./cache image --download-db-only
 
   build_and_publish_docker: &build_and_publish_docker
     persist_to_workspace: true
     cmd: |
-      docker build -t $CIRCLE_PROJECT_REPONAME:latest --build-arg TRIVY_VERSION=0.59.1 .
+      docker build -t $CIRCLE_PROJECT_REPONAME:latest --build-arg TRIVY_VERSION=0.65.0 .
       docker save --output docker-image.tar $CIRCLE_PROJECT_REPONAME:latest
 
 workflows:
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,7 @@ bin
 cache
 *.gen.go
 .codacyrc
+
+
+#Ignore vscode AI rules
+.github/copilot-instructions.md
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.23-alpine as builder
+FROM golang:1.24-alpine as builder
 
 ARG TRIVY_VERSION=dev
 ENV TRIVY_VERSION=$TRIVY_VERSION
diff --git a/README.md b/README.md
@@ -28,8 +28,7 @@ go mod download
  3. Run the DocGenerator:
 
 ```bash
-go run ./doc-generator.go &&\
-scala-cli doc-generator.sc
+go run ./cmd/docgen
 ```
 
 ## Test
diff --git a/docs/description/vulnerability.md b/docs/description/vulnerability.md
@@ -1,2 +1,2 @@
 ## Insecure dependencies detection (critical and high severity)
-Detects insecure dependencies (critical and high severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
+Detects insecure dependencies (critical and high severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
diff --git a/docs/description/vulnerability_medium.md b/docs/description/vulnerability_medium.md
@@ -1,2 +1,2 @@
 ## Insecure dependencies detection (medium severity)
-Detects insecure dependencies (medium severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
+Detects insecure dependencies (medium severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
diff --git a/docs/description/vulnerability_minor.md b/docs/description/vulnerability_minor.md
@@ -1,2 +1,2 @@
 ## Insecure dependencies detection (minor severity)
-Detects insecure dependencies (minor severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
+Detects insecure dependencies (minor severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.
diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/tool/runner.go b/internal/tool/runner.go
@@ -9,13 +9,13 @@ import (
 
 // RunnerFactory can create new Trivy runners.
 type RunnerFactory interface {
-	NewRunner(ctx context.Context, config flag.Options) (artifact.Runner, error)
+	NewRunner(ctx context.Context, config flag.Options, targetKind artifact.TargetKind, opts ...artifact.RunnerOption) (artifact.Runner, error)
 }
 
 type defaultRunnerFactory struct{}
 
-func (f defaultRunnerFactory) NewRunner(ctx context.Context, config flag.Options) (artifact.Runner, error) {
-	runner, err := artifact.NewRunner(ctx, config)
+func (f defaultRunnerFactory) NewRunner(ctx context.Context, config flag.Options, targetKind artifact.TargetKind, opts ...artifact.RunnerOption) (artifact.Runner, error) {
+	runner, err := artifact.NewRunner(ctx, config, targetKind, opts...)
 	if err != nil {
 		return nil, &ToolError{msg: "Failed to initialize Codacy Trivy", w: err}
 	}
diff --git a/internal/tool/tool.go b/internal/tool/tool.go
@@ -13,6 +13,7 @@ import (
 
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	"github.com/aquasecurity/trivy/pkg/fanal/secret"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
@@ -125,9 +126,15 @@ func (t codacyTrivy) runBaseScan(ctx context.Context, sourceDir string) (ptypes.
 			// This is REQUIRED for detecting vulnerabilites in go standard library.
 			DetectionPriority: ftypes.PriorityComprehensive,
 		},
+		// Make Trivy automatically select a severity for a vulnerability, from its many sources.
+		// This is used by default when calling Trivy from the command line but given our Trivy usage, we need to make it explicit.
+		VulnerabilityOptions: flag.VulnerabilityOptions{
+			VulnSeveritySources: []dbTypes.SourceID{dbTypes.SourceID("auto")},
+		},
 	}
 
-	runner, err := t.runnerFactory.NewRunner(ctx, config)
+	// Right now we only support vulnerability scans for file system targets.
+	runner, err := t.runnerFactory.NewRunner(ctx, config, artifact.TargetFilesystem)
 	if err != nil {
 		return ptypes.Report{}, err
 	}
diff --git a/internal/tool/tool_test.go b/internal/tool/tool_test.go
@@ -14,7 +14,6 @@ import (
 	"github.com/CycloneDX/cyclonedx-go"
 	dbtypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
-	fartifact "github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	ptypes "github.com/aquasecurity/trivy/pkg/types"
@@ -100,10 +99,13 @@ func TestRun(t *testing.T) {
 			Target:            srcDir,
 			DetectionPriority: ftypes.PriorityComprehensive,
 		},
+		VulnerabilityOptions: flag.VulnerabilityOptions{
+			VulnSeveritySources: []dbtypes.SourceID{dbtypes.SourceID("auto")},
+		},
 	}
 
 	report := ptypes.Report{
-		ArtifactType: fartifact.TypeFilesystem,
+		ArtifactType: ftypes.TypeFilesystem,
 		Results: ptypes.Results{
 			{
 				Target: fileName,
@@ -289,7 +291,10 @@ func TestRun(t *testing.T) {
 					Tools: &cyclonedx.ToolsChoice{
 						Components: &[]cyclonedx.Component{
 							{
-								Type:    "application",
+								Type: "application",
+								Manufacturer: &cyclonedx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 								Group:   "aquasecurity",
 								Name:    "trivy",
 								Version: "dev",
@@ -498,6 +503,9 @@ func TestRunScanFilesystemError(t *testing.T) {
 			Target:            sourceDir,
 			DetectionPriority: ftypes.PriorityComprehensive,
 		},
+		VulnerabilityOptions: flag.VulnerabilityOptions{
+			VulnSeveritySources: []dbtypes.SourceID{dbtypes.SourceID("auto")},
+		},
 	}
 
 	mockRunner := NewMockRunner(ctrl)
@@ -832,14 +840,14 @@ type mockRunnerFactory struct {
 	mockRunner artifact.Runner
 }
 
-func (f mockRunnerFactory) NewRunner(_ context.Context, _ flag.Options) (artifact.Runner, error) {
+func (f mockRunnerFactory) NewRunner(_ context.Context, _ flag.Options, _ artifact.TargetKind, _ ...artifact.RunnerOption) (artifact.Runner, error) {
 	return f.mockRunner, nil
 }
 
 type errorRunnerFactory struct {
 	err error
 }
 
-func (f errorRunnerFactory) NewRunner(_ context.Context, _ flag.Options) (artifact.Runner, error) {
+func (f errorRunnerFactory) NewRunner(_ context.Context, _ flag.Options, _ artifact.TargetKind, _ ...artifact.RunnerOption) (artifact.Runner, error) {
 	return nil, f.err
 }

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.23-alpine as builder`
	`1`	`+FROM golang:1.24-alpine as builder`
`2`	`2`
`3`	`3`	`ARG TRIVY_VERSION=dev`
`4`	`4`	`ENV TRIVY_VERSION=$TRIVY_VERSION`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`## Insecure dependencies detection (critical and high severity)`
`2`		`-Detects insecure dependencies (critical and high severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
	`2`	`+Detects insecure dependencies (critical and high severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`## Insecure dependencies detection (medium severity)`
`2`		`-Detects insecure dependencies (medium severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
	`2`	`+Detects insecure dependencies (medium severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`## Insecure dependencies detection (minor severity)`
`2`		`-Detects insecure dependencies (minor severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
	`2`	`+Detects insecure dependencies (minor severity) by checking the libraries declared in the package manager and flagging used library versions with known security vulnerabilities.`
Original file line number	Diff line number	Diff line change
`@@ -9,13 +9,13 @@ import (`
`9`	`9`
`10`	`10`	`// RunnerFactory can create new Trivy runners.`
`11`	`11`	`type RunnerFactory interface {`
`12`		`- NewRunner(ctx context.Context, config flag.Options) (artifact.Runner, error)`
	`12`	`+ NewRunner(ctx context.Context, config flag.Options, targetKind artifact.TargetKind, opts ...artifact.RunnerOption) (artifact.Runner, error)`
`13`	`13`	`}`
`14`	`14`
`15`	`15`	`type defaultRunnerFactory struct{}`
`16`	`16`
`17`		`-func (f defaultRunnerFactory) NewRunner(ctx context.Context, config flag.Options) (artifact.Runner, error) {`
`18`		`- runner, err := artifact.NewRunner(ctx, config)`
	`17`	`+func (f defaultRunnerFactory) NewRunner(ctx context.Context, config flag.Options, targetKind artifact.TargetKind, opts ...artifact.RunnerOption) (artifact.Runner, error) {`
	`18`	`+ runner, err := artifact.NewRunner(ctx, config, targetKind, opts...)`
`19`	`19`	`if err != nil {`
`20`	`20`	`return nil, &ToolError{msg: "Failed to initialize Codacy Trivy", w: err}`
`21`	`21`	`}`