  ```yaml {title="GitHub Action"}
  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json
  ```

### Bug fixes and enhancements

- Update `github.com/docker/docker` to `v26.1.5+incompatible` to fix CVE-2024-41110.
- Update Syft to 1.10.0.

## 1.11.0

{{< release-date date="2024-07-25" >}}

### New

- Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.

  ```console {title="CLI"}
  $ docker scout cves [IMAGE] --only-cisa-kev

  ... (cropped output) ...
  ## Packages and Vulnerabilities

  0C     1H     0M     0L  io.netty/netty-codec-http2 4.1.97.Final
  pkg:maven/io.netty/netty-codec-http2@4.1.97.Final

  ✗ HIGH CVE-2023-44487  CISA KEV  [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
    https://scout.docker.com/v/CVE-2023-44487
    Affected range  : <4.1.100
    Fixed version   : 4.1.100.Final
    CVSS Score      : 7.5
    CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  ... (cropped output) ...
  ```

  ```yaml {title="GitHub Action"}
  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-cisa-kev: true
  ```

- Add new classifiers:
  - `spiped`
  - `swift`
  - `eclipse-mosquitto`
  - `znc`

### Bug fixes and enhancements

- Allow VEX matching when there are no subcomponents.
- Fix panic when attaching an invalid VEX document.
- Fix SPDX document root.
- Fix base image detection when image uses SCRATCH as the base image.

## 1.10.0

{{< release-date date="2024-06-26" >}}

### Bug fixes and enhancements

- Add new classifiers:
  - `irssi`
  - `Backdrop`
  - `CrateDB CLI (Crash)`
  - `monica`
  - `Openliberty`
  - `dumb-init`
  - `friendica`
  - `redmine`
- Fix whitespace-only originator on package breaking BuildKit exporters.
- Fix parsing image references in SPDX statement for images with a digest.
- Support `sbom://` prefix for image comparison:

  ```console {title="CLI"}
  $ docker scout compare sbom://image1.json --to sbom://image2.json
  ```

  ```yaml {title="GitHub Action"}
  uses: docker/scout-action@v1
  with:
    command: compare
    image: sbom://image1.json
    to: sbom://image2.json
  ```

## 1.9.3

{{< release-date date="2024-05-28" >}}

### Bug fix

- Fix a panic while retrieving cached SBOMs.

## 1.9.1

{{< release-date date="2024-05-27" >}}

### New

- Add support for the [GitLab container scanning file format](https://docs.gitlab.com/ee/development/integrations/secure.html#container-scanning) with `--format gitlab` on the `docker scout cves` command.

  Here is an example pipeline:

  ```yaml
  docker-build:
    # Use the official docker image.
    image: docker:cli
    stage: build
    services:
      - docker:dind
    variables:
      DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    before_script:
      - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

      # Install curl and the Docker Scout CLI
      - |
        apk add --update curl
        curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
        apk del curl
        rm -rf /var/cache/apk/*
      # Log in to Docker Hub (required for the Docker Scout CLI)
      - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin

    # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
    # Default branch is also tagged with `latest`
    script:
      - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
      - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
      - docker push "$DOCKER_IMAGE_NAME"
      - |
        if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
          docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
          docker push "$CI_REGISTRY_IMAGE:latest"
        fi
    # Run this job in a branch where a Dockerfile exists
    rules:
      - if: $CI_COMMIT_BRANCH
        exists:
          - Dockerfile
    artifacts:
  ```

Title: Docker Scout CLI Release Notes: Versions 1.11.0 - 1.9.1
Summary
This document details the release notes for the Docker Scout CLI plugin and the docker/scout-action GitHub Action, covering versions 1.11.0 through 1.9.1. It highlights new features, enhancements, and bug fixes, including CISA KEV filtering, new classifiers, VEX matching improvements, support for sbom:// prefix for image comparison, and GitLab container scanning file format support.