From ae25eb4b08b39e5030c6e1118495c12af04d6f8b Mon Sep 17 00:00:00 2001
From: Felipe Cruz Martinez <15997951+felipecruz91@users.noreply.github.com>
Date: Thu, 25 Jul 2024 17:29:41 +0200
Subject: [PATCH] add release notes for docker scout v1.11.0 (#20416)
* Update description of SSC attestations
* add release notes for docker scout v1.11.0
Signed-off-by: felipecruz91
* Fix version in header
Signed-off-by: felipecruz91
* Revert --provenance=mode=max change
Signed-off-by: felipecruz91
---------
Signed-off-by: felipecruz91
Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
---
.../scout-cli/docs/docker_scout_cves.yaml | 10 +++
.../scout-cli/docs/docker_scout_push.yaml | 14 ++++-
.../github.com/docker/scout-cli/docs/scout.md | 2 +-
.../docker/scout-cli/docs/scout_cves.md | 1 +
.../docker/scout-cli/docs/scout_push.md | 3 +-
_vendor/modules.txt | 2 +-
content/scout/policy/_index.md | 34 ++++++++++-
content/scout/release-notes/cli.md | 61 ++++++++++++++++---
go.mod | 4 +-
go.sum | 2 +
10 files changed, 118 insertions(+), 15 deletions(-)
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
index f202f668e7..cb9ab4921c 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
@@ -144,6 +144,16 @@ options:
 experimentalcli: false
 kubernetes: false
 swarm: false
+ - option: only-cisa-kev
+ value_type: bool
+ default_value: "false"
+ description: Filter to CVEs listed in the CISA KEV catalog
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
 - option: only-cve-id
 value_type: stringSlice
 default_value: '[]'
diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_push.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_push.yaml
index 4b1370ce08..b48952c961 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_push.yaml +++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_push.yaml @@ -1,5 +1,5 @@ command: docker scout push -short: Push an image or image index to Docker Scout (experimental) +short: Push an image or image index to Docker Scout long: | The `docker scout push` command lets you push an image or analysis result to Docker Scout. usage: docker scout push IMAGE @@ -15,6 +15,16 @@ options: experimentalcli: false kubernetes: false swarm: false + - option: dry-run + value_type: bool + default_value: "false" + description: Do not push the image but process it + deprecated: false + hidden: false + experimental: false + experimentalcli: false + kubernetes: false + swarm: false - option: org value_type: string description: Namespace of the Docker organization to which image will be pushed @@ -91,7 +101,7 @@ examples: |- ``` deprecated: false experimental: false -experimentalcli: true +experimentalcli: false kubernetes: false swarm: false diff --git a/_vendor/github.com/docker/scout-cli/docs/scout.md b/_vendor/github.com/docker/scout-cli/docs/scout.md index ded1ca4e90..aeac72b4c6 100644 --- a/_vendor/github.com/docker/scout-cli/docs/scout.md +++ b/_vendor/github.com/docker/scout-cli/docs/scout.md 
@@ -22,7 +22,7 @@ Command line tool for Docker Scout
 | [`help`](scout_help.md) | Display information about the available commands |
 | [`integration`](scout_integration.md) | Commands to list, configure, and delete Docker Scout integrations |
 | [`policy`](scout_policy.md) | Evaluate policies against an image and display the policy evaluation results (experimental) |
-| [`push`](scout_push.md) | Push an image or image index to Docker Scout (experimental) |
+| [`push`](scout_push.md) | Push an image or image index to Docker Scout |
 | [`quickview`](scout_quickview.md) | Quick overview of an image |
 | [`recommendations`](scout_recommendations.md) | Display available base image updates and remediation recommendations |
 | [`repo`](scout_repo.md) | Commands to list, enable, and disable Docker Scout on repositories |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
index 8f1618ad42..4c96d050c1 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
@@ -21,6 +21,7 @@ Display CVEs identified in a software artifact
 | `--ignore-base` | | | Filter out CVEs introduced from base image |
 | `--locations` | | | Print package locations including file paths and layer diff_id |
 | `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
 | `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
 | `--only-fixed` | | | Filter to fixable CVEs |
 | `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_push.md b/_vendor/github.com/docker/scout-cli/docs/scout_push.md
index 6ddfeda0e3..09e3397e5c 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_push.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_push.md @@ -1,13 +1,14 @@ # docker scout push -Push an image or image index to Docker Scout (experimental) +Push an image or image index to Docker Scout ### Options | Name | Type | Default | Description | |:-----------------|:---------|:--------|:-------------------------------------------------------------------| | `--author` | `string` | | Name of the author of the image | +| `--dry-run` | | | Do not push the image but process it | | `--org` | `string` | | Namespace of the Docker organization to which image will be pushed | | `-o`, `--output` | `string` | | Write the report to a file | | `--platform` | `string` | | Platform of image to be pushed | diff --git a/_vendor/modules.txt b/_vendor/modules.txt index 777a2d169a..83e565b5e8 100644 --- a/_vendor/modules.txt +++ b/_vendor/modules.txt @@ -3,4 +3,4 @@ # github.com/docker/buildx v0.16.2 # github.com/docker/cli v27.0.3+incompatible # github.com/docker/compose/v2 v2.29.1 -# github.com/docker/scout-cli v1.10.0 +# github.com/docker/scout-cli v1.11.0 diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 98580a81c5..81607bfc36 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md 
@@ -159,13 +159,45 @@ For more information about building with attestations, see [Attestations](../../build/attestations/_index.md). +### Quality gates passed + +The Quality gates passed policy builds on the [SonarQube +integration](../integrations/code-quality/sonarqube.md) to assess the quality +of your source code. This policy works by ingesting the SonarQube code analysis +results into Docker Scout. + +You define the criteria for this policy using SonarQube's [quality +gates](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/). +SonarQube evaluates your source code against the quality gates you've defined +in SonarQube. Docker Scout surfaces the SonarQube assessment as a Docker Scout +policy. + +Docker Scout uses [provenance](../../build/attestations/slsa-provenance.md) +attestations or the `org.opencontainers.image.revision` OCI annotation to link +SonarQube analysis results with container images. In addition to enabling the +SonarQube integration, you must also make sure that your images has either the +attestation or the label. + +![Git commit SHA links image with SonarQube analysis](../images/scout-sq-commit-sha.webp) + +Once you push an image and policy evaluation completes, the results from the +SonarQube quality gates display as a policy in the Docker Scout Dashboard, and +in the CLI. + +> **Note** +> +> Docker Scout can only access SonarQube analyses created after the integration +> is enabled. Docker Scout doesn't have access to historic evaluations. Trigger +> a SonarQube analysis and policy evaluation after enabling the integration to +> view the results in Docker Scout. + ### Default non-root user By default, containers run as the `root` superuser with full system administration privileges inside the container, unless the Dockerfile specifies a different default user. Running containers as a privileged user weakens their runtime security, as it means any code that runs in the container can perform -administrative actions. 
+administrative actions. The **Default non-root user** policy detects images that are set to run as the default `root` user. To comply with this policy, images must specify a non-root diff --git a/content/scout/release-notes/cli.md b/content/scout/release-notes/cli.md index b49c7ed0df..0766130c91 100644 --- a/content/scout/release-notes/cli.md +++ b/content/scout/release-notes/cli.md @@ -8,6 +8,53 @@ This page contains information about the new features, improvements, known issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/) and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action). +## 1.11.0 + +{{< release-date date="2024-07-25" >}} + +### New + +- Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog. + + ```console {title="CLI"} + $ docker scout cves [IMAGE] --only-cisa-kev + + ... (cropped output) ... + ## Packages and Vulnerabilities + + 0C 1H 0M 0L io.netty/netty-codec-http2 4.1.97.Final + pkg:maven/io.netty/netty-codec-http2@4.1.97.Final + + ✗ HIGH CVE-2023-44487 CISA KEV [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2023-44487 + Affected range : <4.1.100 + Fixed version : 4.1.100.Final + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + ... (cropped output) ... + ``` + + ```yaml {title="GitHub Action"} + uses: docker/scout-action@v1 + with: + command: cves + image: [IMAGE] + only-cisa-kev: true + ``` + +- Add new classifiers: + - `spiped` + - `swift` + - `eclipse-mosquitto` + - `znc` + +### Bug fixes and enhancements + +- Allow VEX matching when no subcomponents. +- Fix panic when attaching an invalid VEX document. +- Fix SPDX document root. +- Fix base image detection when image uses SCRATCH as the base image. + ## 1.10.0 {{< release-date date="2024-06-26" >}} 
@@ -68,16 +115,16 @@ and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-ac DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - + # Install curl and the Docker Scout CLI - | apk add --update curl - curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- - apk del curl - rm -rf /var/cache/apk/* + curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- + apk del curl + rm -rf /var/cache/apk/* # Login to Docker Hub required for Docker Scout CLI - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin - + # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug) # Default branch is also tagged with `latest` script: @@ -118,7 +165,7 @@ Discarded in favor of [1.9.1](#191). ### Bug fixes and enhancements - Improve format of EPSS score and percentile. - + Before: ```text @@ -249,7 +296,7 @@ Discarded in favor of [1.9.1](#191). ### Bug fixes and enhancements - Use Windows cache from WSL2 - + When inside WSL2 with Docker Desktop running, the Docker Scout CLI plugin now uses the cache from Windows. That way, if an image has been indexed for instance by Docker Desktop there's no need anymore to re-index it on WSL2 diff --git a/go.mod b/go.mod index ccfc229228..6dfaed27e9 100644 --- a/go.mod +++ b/go.mod @@ -8,7 +8,7 @@ require ( github.com/docker/buildx v0.16.2 // indirect github.com/docker/cli v27.0.3+incompatible // indirect github.com/docker/compose/v2 v2.29.1 // indirect - github.com/docker/scout-cli v1.10.0 // indirect + github.com/docker/scout-cli v1.11.0 // indirect github.com/moby/buildkit v0.15.1 // indirect github.com/moby/moby v27.0.3+incompatible // indirect ) 
@@ -17,7 +17,7 @@ replace (
 github.com/docker/buildx => github.com/docker/buildx v0.16.2
 github.com/docker/cli => github.com/docker/cli v27.0.3+incompatible
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.29.0
- github.com/docker/scout-cli => github.com/docker/scout-cli v1.10.0
+ github.com/docker/scout-cli => github.com/docker/scout-cli v1.11.0
 github.com/moby/buildkit => github.com/moby/buildkit v0.14.0-rc2.0.20240611065153-eed17a45c62b
 github.com/moby/moby => github.com/moby/moby v27.0.3+incompatible
 )
diff --git a/go.sum b/go.sum
index 97647d4aaf..3d7e92c4da 100644
--- a/go.sum
+++ b/go.sum
@@ -200,6 +200,8 @@ github.com/docker/scout-cli v1.9.3 h1:u3lKQ7A1EvT3qNe5lR2c8dTNcAGIoSmH8HvSYarLlJ
 github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/docker/scout-cli v1.10.0 h1:C8Gm+6Oc7NqhtZ/UoACv3N2LaP1jqkhlIDRhBOqMBng=
 github.com/docker/scout-cli v1.10.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.11.0 h1:I310kNhjw3oeKe8T1cQEh6yPgy6VtpuwzjWchETn8KU=
+github.com/docker/scout-cli v1.11.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=