centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-03-27 14:28:47 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20119 from eunomie/docker-scout-1-9

Browse Source 
docker scout changelog for 1.9.x
This commit is contained in:
David Karlsson
2024-05-29 10:10:33 +02:00
committed by GitHub
parent d9ad51d5e1 e0faa09393
commit dcdab79a6a
6 changed files with 106 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml generated
View File

@@ -105,6 +105,7 @@ options:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
deprecated: false

56
_vendor/github.com/docker/scout-cli/docs/scout_cves.md generated
View File

@@ -9,34 +9,34 @@ Display CVEs identified in a software artifact
### Options
| Name | Type | Default | Description |
|:-----------------------|:--------------|:-----------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--details` | | | Print details on default text output |
| `--env` | `string` | | Name of environment |
| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
| `--format` | `string` | `packages` | Output format of the generated vulnerability report:<br>- packages: default output, plain text with vulnerabilities grouped by packages<br>- sarif: json Sarif output<br>- spdx: json SPDX output<br>- markdown: markdown output (including some html tags like collapsible sections)<br>- sbom: json SBOM output<br> |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--locations` | | | Print package locations including file paths and layer diff_id |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
| Name | Type | Default | Description |
|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--details` | | | Print details on default text output |
| `--env` | `string` | | Name of environment |
| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
| `--format` | `string` | `packages` | Output format of the generated vulnerability report:<br>- packages: default output, plain text with vulnerabilities grouped by packages<br>- sarif: json Sarif output<br>- spdx: json SPDX output<br>- gitlab: json GitLab output<br>- markdown: markdown output (including some html tags like collapsible sections)<br>- sbom: json SBOM output<br> |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--locations` | | | Print package locations including file paths and layer diff_id |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
<!---MARKER_GEN_END-->

2
_vendor/modules.txt
View File

@@ -3,4 +3,4 @@
# github.com/docker/buildx v0.14.1
# github.com/docker/cli v26.1.3+incompatible
# github.com/docker/compose/v2 v2.27.0
# github.com/docker/scout-cli v1.8.0
# github.com/docker/scout-cli v1.9.3

72
content/scout/release-notes/cli.md
View File

@@ -8,6 +8,78 @@ This page contains information about the new features, improvements, known
issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/)
and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
## 1.9.3
{{< release-date date="2024-05-28" >}}
### Bug fix
- Fix a panic while retrieving cached SBOMs.
## 1.9.1
{{< release-date date="2024-05-27" >}}
### New
- Add support for the [GitLab container scanning file format](https://docs.gitlab.com/ee/development/integrations/secure.html#container-scanning) with `--format gitlab` on `docker scout cves` command.
Here is an example pipeline:
```yaml
docker-build:
# Use the official docker image.
image: docker:cli
stage: build
services:
- docker:dind
variables:
DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
# Install curl and the Docker Scout CLI
- |
apk add --update curl
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
apk del curl
rm -rf /var/cache/apk/*
# Login to Docker Hub required for Docker Scout CLI
- echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
# All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
# Default branch is also tagged with `latest`
script:
- docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
- docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
- docker push "$DOCKER_IMAGE_NAME"
- |
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
docker push "$CI_REGISTRY_IMAGE:latest"
fi
# Run this job in a branch where a Dockerfile exists
rules:
- if: $CI_COMMIT_BRANCH
exists:
- Dockerfile
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
```
### Bug fixes and enhancements
- Support single-architecture images for `docker scout attest add` command
- Indicate on the `docker scout quickview` and `docker scout recommendations` commands if image provenance was not created using `mode=max`.
Without `mode=max`, base images may be incorrectly detected, resulting in less accurate results.
## 1.9.0
{{< release-date date="2024-05-24" >}}
Discarded in favor of [1.9.1](#191).
## 1.8.0
{{< release-date date="2024-04-25" >}}

4
go.mod
View File

@@ -8,7 +8,7 @@ require (
github.com/docker/buildx v0.14.1 // indirect
github.com/docker/cli v26.1.3+incompatible // indirect
github.com/docker/compose/v2 v2.27.0 // indirect
github.com/docker/scout-cli v1.8.0 // indirect
github.com/docker/scout-cli v1.9.3 // indirect
github.com/moby/buildkit v0.13.1 // indirect
github.com/moby/moby v26.1.2+incompatible // indirect
)
@@ -17,7 +17,7 @@ replace (
github.com/docker/buildx => github.com/docker/buildx v0.14.1
github.com/docker/cli => github.com/docker/cli v26.1.3-0.20240513184838-60f2d38d5341+incompatible
github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.27.0
github.com/docker/scout-cli => github.com/docker/scout-cli v1.8.0
github.com/docker/scout-cli => github.com/docker/scout-cli v1.9.3
github.com/moby/buildkit => github.com/moby/buildkit v0.13.0-rc3.0.20240424175633-5fce077ed0e0
github.com/moby/moby => github.com/moby/moby v26.1.2+incompatible
)

2
go.sum
View File

@@ -176,6 +176,8 @@ github.com/docker/scout-cli v1.7.0 h1:2dEbQKqkxM6wsJab/Ma3EJacS9ZrkVs1C4KbjXggJj
github.com/docker/scout-cli v1.7.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.8.0 h1:rxwU9Xzt1LhqSY37ZVe/GPRCQxrEaQNipOMpCrUdGns=
github.com/docker/scout-cli v1.8.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.9.3 h1:u3lKQ7A1EvT3qNe5lR2c8dTNcAGIoSmH8HvSYarLlJY=
github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=