Vuls Versions Save

This release includes recently released Ubuntu 24.04 support, some additional features, and several bug fixes. We strongly recommend update to this version for Red Hat-like distribution users. Watch out corresponding goval-dictionary and gost updates!

New feature

• Ubuntu 24.04 support comes in
  • Depends on new gost, https://github.com/vulsio/gost/pull/249
  • feat(ubuntu): add 24.04 noble by @MaineK00n in https://github.com/future-architect/vuls/pull/1878
• TLS insecure flag is added for SMTP notification
  • TLS insecure option adding by @Koodt in https://github.com/future-architect/vuls/pull/1220

(Potential) Incompatibilities

• Use new gost for Ubuntu 24.04 support (https://github.com/future-architect/vuls/pull/1878)
• Use new goval-dictionary for detection on Red Hat-like distributions (https://github.com/future-architect/vuls/pull/1907)

Bug fixes

• For Red Hat-like distributions, there were false-positives and false negatives in detection results
  • See https://github.com/future-architect/vuls/issues/1906 for details
  • Now fixed by the PR: feat(detect/redhat): detect unpatched vulnerabilities with oval, stop using gost by @MaineK00n in https://github.com/future-architect/vuls/pull/1907
• style(log) config.toml template docs url by @future-ryunosuketanai in https://github.com/future-architect/vuls/pull/1894
• style: fix some typos in comments by @deferdeter in https://github.com/future-architect/vuls/pull/1897
• (fix) Exclude dev dependencies from npm's package-lock.json and Fix Java DB download endpoint by @shino in https://github.com/future-architect/vuls/pull/1893
• fix(detector/suse): support when advisory.cves has both NVD and SUSE evaluations by @MaineK00n in https://github.com/future-architect/vuls/pull/1899
• style(log) fix trivy docs link by @future-ryunosuketanai in https://github.com/future-architect/vuls/pull/1902

Misc Changes

• chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 by @dependabot in https://github.com/future-architect/vuls/pull/1903
• chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/future-architect/vuls/pull/1898
• chore(deps): bump github.com/emersion/go-smtp from 0.20.2 to 0.21.0 by @dependabot in https://github.com/future-architect/vuls/pull/1888
• chore(deps): bump golang.org/x/oauth2 from 0.18.0 to 0.19.0 by @dependabot in https://github.com/future-architect/vuls/pull/1891
• chore(deps): bump golang.org/x/sync from 0.6.0 to 0.7.0 by @dependabot in https://github.com/future-architect/vuls/pull/1890
• chore(deps): bump github.com/emersion/go-smtp from 0.21.0 to 0.21.1 by @dependabot in https://github.com/future-architect/vuls/pull/1896
• chore(deps): bump github.com/aquasecurity/trivy from 0.49.1 to 0.50.1 by @dependabot in https://github.com/future-architect/vuls/pull/1885
• chore(deps): bump go.etcd.io/bbolt from 1.3.9 to 1.3.10 by @dependabot in https://github.com/future-architect/vuls/pull/1908
• chore(deps): bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in https://github.com/future-architect/vuls/pull/1909
• chore(deps): bump golang.org/x/oauth2 from 0.19.0 to 0.20.0 by @dependabot in https://github.com/future-architect/vuls/pull/1910

New Contributors

• @Koodt made their first contribution in https://github.com/future-architect/vuls/pull/1220
• @deferdeter made their first contribution in https://github.com/future-architect/vuls/pull/1897

Full Changelog: https://github.com/future-architect/vuls/compare/v0.25.2...v0.25.3

This release includes one additional feature and some bug fixes. If you use Amazon Linux 2023, you have to harry to update.

New feature

• Some enterprise features of WPScan are now added to scan results.
  • 50580f6 feat(wpscan): support enterprise feature (#1875)

(Potential) Incompatibilities

• Names and Versions of JAR-like files of scan results can be overwritten at vuls result phase.
  • These values after vuls scan phase may be incorrect or insufficient because Trivy's Java DB is not used at the phase.
  • Correct them at vuls report phase with the help of Java DB.
  • 99cf9db feat(detector/library): update JAR-like files' Name/Version in library list (#1874)

Bug fixes

• Amazon Linux 2023 have changed its release version format in /etc/amazon-linux-release
  • It causes inability of EOL detection at vuls scan phase and failure of vulnerability detection at vuls report phase.
  • No vulnerabilities are detected unless this bug fix, please update quickly if you use Amazon Linux 2023.
  • e1df74c fix(amazon): use major version for checking eol, security advisories (#1873)

Misc Changes

• e25ec99 chore(deps): bump github.com/aws/aws-sdk-go from 1.49.21 to 1.51.5 (#1881)
• 472df0e chore(deps): update dictionary modules (#1877)
• 7d5a47b chore(deps): bump github.com/docker/docker (#1880)
• 426eb53 chore(deps): bump github.com/jackc/pgx/v5 from 5.5.1 to 5.5.4 (#1872)
• bda089b chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#1871)
• 02d1f6f chore(deps): bump golang.org/x/oauth2 from 0.17.0 to 0.18.0 (#1868)

New Contributors

• @future-ryunosuketanai made their first contribution in https://github.com/future-architect/vuls/pull/1875

Full Changelog: https://github.com/future-architect/vuls/compare/v0.25.1...v0.25.2

Caution

Version 0.25.0 is SKIPped. DON'T USE 0.25.0.

Highlights

• Trivy dependency is updated, 0.35.0 to 0.49.1

  • Dart's pubspec.lock, Elixir's mix.lock, Swift's Podfile.lock and Package.resolved are newly detected by lockfile scan, these can be auto detected (findLock = true)
  • Rust's binary can also be scanned as lockfile, but not auto detected
  • Related PRs
    • Update trivy from 0.35.0 to 0.49.1 by @shino in https://github.com/future-architect/vuls/pull/1806
    • fix(detector): library.Scan move to detector by @MaineK00n in https://github.com/future-architect/vuls/pull/1864
    • Avoid to use sync.Once inside trivy javadb Updater by @shino in https://github.com/future-architect/vuls/pull/1859

• Add PURL (Package URL) in scan results

  • feat(PackageURL):add package URL for library scan result by @TsubasaKanemitsu in https://github.com/future-architect/vuls/pull/1862

(Potential) Incompatibilities

• In previous versions, vuls did not output results when all scans had failed, now outputs results even when all scans failed

  • Related PRs
    • fix(scanner): output all results even if all fail by @MaineK00n in https://github.com/future-architect/vuls/pull/1866
    • refactor(config): move syslogconf to config/syslog package by @MaineK00n in https://github.com/future-architect/vuls/pull/1865

• Due to Trivy dependency update (in Highlights), some of scan logic previously executed in vuls scan phase are moved to vuls report phase

  • If new vuls binary is used in vuls scan and older ones in vuls report, there can be missing vulnerabilities, don't do that
  • This only affects JAR-like lockfile scan

Misc changes

• fix(ci): use go version of go.mod by @MaineK00n in https://github.com/future-architect/vuls/pull/1858
• fix(build): Change timeout to 60 minutes by @shino https://github.com/future-architect/vuls/pull/1867
• chore(deps): bump golang.org/x/oauth2 from 0.16.0 to 0.17.0 by @dependabot in https://github.com/future-architect/vuls/pull/1849
• chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 by @dependabot in https://github.com/future-architect/vuls/pull/1854
• chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.2 by @dependabot in https://github.com/future-architect/vuls/pull/1856
• chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 by @dependabot in https://github.com/future-architect/vuls/pull/1861

New Contributors

• @TsubasaKanemitsu made their first contribution in https://github.com/future-architect/vuls/pull/1862

Full Changelog: https://github.com/future-architect/vuls/compare/v0.24.9...v0.25.1

Changelog

• 5af3226 fix(build): Change timeout to 60 minutes

DONT USE THIS VERSION, SKIPPED

Changelog

• 18b4cbb Add 2 hour timeout

Changelog

• b9ebcf3 fix(scanner/windows): support when default shell is powershell (#1844)
• 7e91f5e fix(contrib/trivy): fix convert for src package (#1842)
• 76267a5 delete: cab validation (#1843)
• ea84385 fix(scanner/macos): remove unnecessary error check (#1836)
• d6589c2 chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 (#1837)
• 6e07103 chore(deps): bump github.com/emersion/go-smtp from 0.20.1 to 0.20.2 (#1838)
• b7e5bb2 chore(deps): bump golang.org/x/oauth2 from 0.15.0 to 0.16.0 (#1831)
• 91ed768 chore(deps): bump golang.org/x/sync from 0.5.0 to 0.6.0 (#1833)
• 098f308 chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#1829)
• 0e04d21 chore(deps): bump github.com/emersion/go-smtp from 0.20.0 to 0.20.1 (#1826)
• f1005e5 chore(deps): bump github.com/emersion/go-smtp from 0.19.0 to 0.20.0 (#1824)
• 1acc4d8 chore(deps): bump github.com/c-robinson/iplib from 1.0.7 to 1.0.8 (#1819)
• eee6441 chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1818)

What's Changed

• fix(scanner/redhat): do not make cache when offline of redhat fast by @MaineK00n in https://github.com/future-architect/vuls/pull/1814
• chore(deps): bump dictionaries by @MaineK00n in https://github.com/future-architect/vuls/pull/1815

Full Changelog: https://github.com/future-architect/vuls/compare/v0.24.7...v0.24.8

What's Changed

• feat(os): add FreeBSD 14 EOL by @MaineK00n in https://github.com/future-architect/vuls/pull/1797
• chore(deps): bump github.com/gosnmp/gosnmp from 1.36.1 to 1.37.0 by @dependabot in https://github.com/future-architect/vuls/pull/1798
• chore(deps): bump golang.org/x/oauth2 from 0.14.0 to 0.15.0 by @dependabot in https://github.com/future-architect/vuls/pull/1799
• chore(deps): bump go-cve-dictionary to 0.10.0 by @MaineK00n in https://github.com/future-architect/vuls/pull/1803
• feat(models/nvd): group by source by @MaineK00n in https://github.com/future-architect/vuls/pull/1805
• fix(scanner/redhat): make cache before detect dnf modules by @wadda0714 in https://github.com/future-architect/vuls/pull/1812

Full Changelog: https://github.com/future-architect/vuls/compare/v0.24.6...v0.24.7

Changelog

• ef29afb feat(scanner/windows): remove unnecessary cab (#1793)