From ce2b208230dec9e0a6878984d55ed98d364087d7 Mon Sep 17 00:00:00 2001
From: Yves Brissaud
Date: Wed, 29 May 2024 09:44:50 +0200
Subject: [PATCH 1/2] scout: CLI v1.9.x release notes
Signed-off-by: Yves Brissaud
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 content/scout/release-notes/cli.md | 72 ++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
diff --git a/content/scout/release-notes/cli.md b/content/scout/release-notes/cli.md
index 5d789e2d87..3cb6f303b1 100644
--- a/content/scout/release-notes/cli.md
+++ b/content/scout/release-notes/cli.md
@@ -8,6 +8,78 @@
 This page contains information about the new features, improvements, known issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/) and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
+## 1.9.3
+
+{{< release-date date="2024-05-28" >}}
+
+### Bug fix
+
+- Fix a panic while retrieving cached SBOMs.
+
+## 1.9.1
+
+{{< release-date date="2024-05-27" >}}
+
+### New
+
+- Add support for the [GitLab container scanning file format](https://docs.gitlab.com/ee/development/integrations/secure.html#container-scanning) with `--format gitlab` on `docker scout cves` command.
+
+ Here is an example pipeline:
+
+ ```yaml
+ docker-build:
+ # Use the official docker image.
+ image: docker:cli
+ stage: build
+ services:
+ - docker:dind
+ variables:
+ DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+ before_script:
+ - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
+
+ # Install curl and the Docker Scout CLI
+ - |
+ apk add --update curl
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+ apk del curl
+ rm -rf /var/cache/apk/*
+ # Login to Docker Hub required for Docker Scout CLI
+ - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
+
+ # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
+ # Default branch is also tagged with `latest`
+ script:
+ - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
+ - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
+ - docker push "$DOCKER_IMAGE_NAME"
+ - |
+ if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
+ docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
+ docker push "$CI_REGISTRY_IMAGE:latest"
+ fi
+ # Run this job in a branch where a Dockerfile exists
+ rules:
+ - if: $CI_COMMIT_BRANCH
+ exists:
+ - Dockerfile
+ artifacts:
+ reports:
+ container_scanning: gl-container-scanning-report.json
+ ```
+
+### Bug fixes and enhancements
+
+- Support single-architecture images for `docker scout attest add` command
+- Indicate on the `docker scout quickview` and `docker scout recommendations` commands if image provenance was not created using `mode=max`.
+ Without `mode=max`, base images may be incorrectly detected, resulting in less accurate results.
+
+## 1.9.0
+
+{{< release-date date="2024-05-24" >}}
+
+Discarded in favor of [1.9.1](#191).
+
 ## 1.8.0
 {{< release-date date="2024-04-25" >}}
From e0faa0939380e2bd17aeb1d2f9b999a5dc65a5c5 Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Wed, 29 May 2024 10:04:22 +0200
Subject: [PATCH 2/2] vendor: github.com/docker/scout-cli v1.9.3
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 .../scout-cli/docs/docker_scout_cves.yaml | 1 +
 .../docker/scout-cli/docs/scout_cves.md | 56 +++++++++----------
 _vendor/modules.txt | 2 +-
 go.mod | 4 +-
 go.sum | 2 +
 5 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
index dd1637ade6..f202f668e7 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
@@ -105,6 +105,7 @@ options:
 - packages: default output, plain text with vulnerabilities grouped by packages
 - sarif: json Sarif output
 - spdx: json SPDX output
+ - gitlab: json GitLab output
 - markdown: markdown output (including some html tags like collapsible sections)
 - sbom: json SBOM output
 deprecated: false
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
index b8f119d8a9..8f1618ad42 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
@@ -9,34 +9,34 @@ Display CVEs identified in a software artifact
 ### Options
-| Name | Type | Default | Description |
-|:-----------------------|:--------------|:-----------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `--details` | | | Print details on default text output |
-| `--env` | `string` | | Name of environment |
-| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
-| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
-| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
-| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
-| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--locations` | | | Print package locations including file paths and layer diff_id |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
-| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--details` | | | Print details on default text output |
+| `--env` | `string` | | Name of environment |
+| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
+| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
+| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
+| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
+| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--locations` | | | Print package locations including file paths and layer diff_id |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
+| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 49b821d70e..54c2ad7cb0 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -3,4 +3,4 @@
 # github.com/docker/buildx v0.14.1
 # github.com/docker/cli v26.1.3+incompatible
 # github.com/docker/compose/v2 v2.27.0
-# github.com/docker/scout-cli v1.8.0
+# github.com/docker/scout-cli v1.9.3
diff --git a/go.mod b/go.mod
index 64ad68a6cf..34b3126ae7 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/docker/buildx v0.14.1 // indirect
 github.com/docker/cli v26.1.3+incompatible // indirect
 github.com/docker/compose/v2 v2.27.0 // indirect
- github.com/docker/scout-cli v1.8.0 // indirect
+ github.com/docker/scout-cli v1.9.3 // indirect
 github.com/moby/buildkit v0.13.1 // indirect
 github.com/moby/moby v26.1.2+incompatible // indirect
 )
@@ -17,7 +17,7 @@ replace (
 github.com/docker/buildx => github.com/docker/buildx v0.14.1
 github.com/docker/cli => github.com/docker/cli v26.1.3-0.20240513184838-60f2d38d5341+incompatible
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.27.0
- github.com/docker/scout-cli => github.com/docker/scout-cli v1.8.0
+ github.com/docker/scout-cli => github.com/docker/scout-cli v1.9.3
 github.com/moby/buildkit => github.com/moby/buildkit v0.13.0-rc3.0.20240424175633-5fce077ed0e0
 github.com/moby/moby => github.com/moby/moby v26.1.2+incompatible
 )
diff --git a/go.sum b/go.sum
index 5cf82dea1b..883dd0bd7e 100644
--- a/go.sum
+++ b/go.sum
@@ -176,6 +176,8 @@ github.com/docker/scout-cli v1.7.0 h1:2dEbQKqkxM6wsJab/Ma3EJacS9ZrkVs1C4KbjXggJj
 github.com/docker/scout-cli v1.7.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/docker/scout-cli v1.8.0 h1:rxwU9Xzt1LhqSY37ZVe/GPRCQxrEaQNipOMpCrUdGns=
 github.com/docker/scout-cli v1.8.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.9.3 h1:u3lKQ7A1EvT3qNe5lR2c8dTNcAGIoSmH8HvSYarLlJY=
+github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=