Merge pull request 'remove rpm dependency' (#20) from dirkmueller/trivy:factory into factory

Includes a changes file update to mention a already previously
dropped patch file

CVE-2025-53547.patch

@@ -0,0 +1,38 @@
+From 00de613324df4dd930e6d231d9aae7f9dee29c76 Mon Sep 17 00:00:00 2001
+From: Matt Farina <matt.farina@suse.com>
+Date: Wed, 2 Jul 2025 15:10:04 -0400
+Subject: [PATCH] Updating link handling
+
+Signed-off-by: Matt Farina <matt.farina@suse.com>
+(cherry picked from commit 76fdba4c8c2a4829a6b7abb48a08e51fd07fa0b3)
+(cherry picked from commit 4389fa639a4d8e6836fa8df9bb70dd69c2820c12)
+---
+ pkg/downloader/manager.go      | 14 +++++
+ pkg/downloader/manager_test.go | 94 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/pkg/downloader/manager.go b/pkg/downloader/manager.go
+index ec4056d2753..cc7850aae4b 100644
+--- a/pkg/downloader/manager.go
++++ b/pkg/downloader/manager.go
+@@ -852,6 +852,20 @@ func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error {
+ 		lockfileName = "requirements.lock"
+ 	}
+ 	dest := filepath.Join(chartpath, lockfileName)
++
++	info, err := os.Lstat(dest)
++	if err != nil && !os.IsNotExist(err) {
++		return fmt.Errorf("error getting info for %q: %w", dest, err)
++	} else if err == nil {
++		if info.Mode()&os.ModeSymlink != 0 {
++			link, err := os.Readlink(dest)
++			if err != nil {
++				return fmt.Errorf("error reading symlink for %q: %w", dest, err)
++			}
++			return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link)
++		}
++	}
++
+ 	return os.WriteFile(dest, data, 0644)
+ }
+ 

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.59.0</param>
+    <param name="revision">v0.64.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">a58d6854dcfec0349daef27e180f2bdb5b380315</param></service></servicedata>
+              <param name="changesrevision">86ee3c1176d4707536914dfa65ac8eca452e14cd</param></service></servicedata>

trivy.changes

@@ -1,3 +1,313 @@
+-------------------------------------------------------------------
+Tue Jul 22 10:27:07 UTC 2025 - Christopher Hofmann <cwh@suse.com>
+
+- remove dependency on 'rpm' which became obsolete a while ago
+
+-------------------------------------------------------------------
+Wed Jul  9 15:48:08 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- add CVE-2025-53547.patch: (CVE-2025-53547, bsc#1246151)
+
+-------------------------------------------------------------------
+Wed Jul 09 15:17:39 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- Update to version 0.64.1:
+  * release: v0.64.1 [release/v0.64] (#9122)
+  * fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
+  * fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
+  * fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
+  * fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
+  * release: v0.64.0 [main] (#8955)
+  * docs(python): fix type with METADATA file name (#9090)
+  * feat: reject unsupported artifact types in remote image retrieval (#9052)
+  * chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
+  * refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
+  * feat(terraform): add partial evaluation for policy templates (#8967)
+  * feat(vuln): add Root.io support for container image scanning (#9073)
+  * feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
+  * fix(cli): add some values to the telemetry call (#9056)
+  * feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
+  * refactor: centralize HTTP transport configuration (#9058)
+  * test: include integration tests in linting and fix all issues (#9060)
+  * chore(deps): bump the common group across 1 directory with 26 updates (#9063)
+  * feat(java): dereference all maven settings.xml env placeholders (#9024)
+  * fix(misconf): reduce log noise on incompatible check (#9029)
+  * fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
+  * chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
+  * docs(misconf): simplify misconfiguration docs (#9030)
+  * fix(misconf): move disabled checks filtering after analyzer scan (#9002)
+  * docs: add PR review policy for maintainers (#9032)
+  * fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
+  * test: improve and extend tests for iac/adapters/arm (#9028)
+  * chore: bump up Go version to 1.24.4 (#9031)
+  * feat(cli): add version constraints to annoucements (#9023)
+  * fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
+  * feat(ubuntu): add eol date for 20.04-ESM (#8981)
+  * fix(report): don't panic when report contains vulns, but doesn't contain packages for `table` format (#8549)
+  * fix(nodejs): correctly parse `packages` array of `bun.lock` file (#8998)
+  * refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
+  * docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
+  * feat(misconf): add OpenTofu file extension support (#8747)
+  * refactor(misconf): set Trivy version by default in Rego scanner (#9001)
+  * docs: fix assets with versioning (#8996)
+  * docs: add partners page (#8988)
+  * chore(alpine): add EOL date for Alpine 3.22 (#8992)
+  * fix: don't show corrupted trivy-db warning for first run (#8991)
+  * Update installation.md (#8979)
+  * feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
+  * chore(k8s): update comments with deprecated command format (#8964)
+  * chore: fix errors and typos in docs (#8963)
+  * fix: Add missing version check flags (#8951)
+  * feat(redhat): Add EOL date for RHEL 10. (#8910)
+  * fix: Correctly check for semver versions for trivy version check (#8948)
+  * refactor(server): change custom advisory and vulnerability data types fr… (#8923)
+  * ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
+  * release: v0.63.0 [main] (#8809)
+  * fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
+  * chore(deps): Bump trivy-checks (#8934)
+  * fix(julia): add `Relationship` field support (#8939)
+  * feat(minimos): Add support for MinimOS (#8792)
+  * feat(alpine): add maintainer field extraction for APK packages (#8930)
+  * feat(echo): Add Echo Support (#8833)
+  * fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
+  * fix(wolfi): support new APK database location (#8937)
+  * feat(k8s): get components from namespaced resources (#8918)
+  * refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
+  * refactor(terraform): remove result sorting from scanner (#8928)
+  * feat(misconf): Add support for `Minimum Trivy Version` (#8880)
+  * docs: improve skipping files documentation (#8749)
+  * feat(cli): Add available version checking (#8553)
+  * feat(nodejs): add a bun.lock analyzer (#8897)
+  * feat: terraform parser option to set current working directory (#8909)
+  * perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
+  * feat(misconf): export raw Terraform data to Rego (#8741)
+  * refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
+  * fix: check post-analyzers for StaticPaths (#8904)
+  * feat: add Bottlerocket OS package analyzer (#8653)
+  * feat(license): improve work text licenses with custom classification (#8888)
+  * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
+  * chore(deps): bump the common group across 1 directory with 9 updates (#8887)
+  * refactor(license): simplify compound license scanning (#8896)
+  * feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
+  * fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
+  * feat(nodejs): add bun.lock parser (#8851)
+  * feat(license): improve work with custom classification of licenses from config file (#8861)
+  * fix(cli): disable `--skip-dir` and `--skip-files` flags for `sbom` command (#8886)
+  * fix: julia parser panicing (#8883)
+  * refactor(db): change logic to detect wrong DB (#8864)
+  * fix(cli): don't use allow values for `--compliance` flag (#8881)
+  * docs(misconf): Reorganize misconfiguration scan pages (#8206)
+  * fix(server): add missed Relationship field for `rpc` (#8872)
+  * feat: add JSONC support for comments and trailing commas (#8862)
+  * fix(vex): use `lo.IsNil` to check `VEX` from OCI artifact (#8858)
+  * feat(go): support license scanning in both GOPATH and vendor (#8843)
+  * fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
+  * fix: filter all files when processing files installed from package managers (#8842)
+  * feat(misconf): add misconfiguration location to junit template (#8793)
+  * docs(vuln): remove OSV for Python from data sources (#8841)
+  * chore: add an issue template for maintainers (#8838)
+  * chore: enable staticcheck (#8815)
+  * ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
+  * feat(license): scan vendor directory for license for go.mod files (#8689)
+  * docs(java):  Update info about dev deps in gradle lock (#8830)
+  * chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
+  * fix(java): exclude dev dependencies in gradle lockfile (#8803)
+  * fix: octalLiteral from go-critic (#8811)
+  * fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
+  * chore(deps): bump the common group across 1 directory with 10 updates (#8817)
+  * fix: use-any from revive (#8810)
+  * fix: more revive rules (#8814)
+  * docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
+  * fix(misconf): check if for-each is known when expanding dyn block (#8808)
+  * ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
+
+-------------------------------------------------------------------
+Wed May 07 15:37:35 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- Update to version 0.62.1:
+  * release: v0.62.1 [release/v0.62] (#8825)
+  * chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
+  * fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
+  * fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
+  * release: v0.62.0 [main] (#8669)
+  * feat(nodejs): add root and workspace for `yarn` packages (#8535)
+  * fix: unused-parameter rule from revive (#8794)
+  * chore(deps): Update trivy-checks (#8798)
+  * fix: early-return, indent-error-flow and superfluous-else rules from revive  (#8796)
+  * fix(k8s): remove using `last-applied-configuration` (#8791)
+  * refactor(misconf): remove unused methods from providers (#8781)
+  * refactor(misconf): remove unused methods from iac types (#8782)
+  * fix(misconf): filter null nodes when parsing json manifest (#8785)
+  * fix: testifylint last issues (#8768)
+  * fix(misconf): perform operations on attribute safely (#8774)
+  * refactor(ubuntu): update time handling for fixing time (#8780)
+  * chore(deps): bump golangci-lint to v2.1.2 (#8766)
+  * feat(image): save layers metadata into report (#8394)
+  * feat(misconf): convert AWS managed policy to document (#8757)
+  * chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
+  * ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
+  * ci(helm): create a helm branch for patches from main (#8673)
+  * fix(terraform): hcl object expressions to return references (#8271)
+  * chore(terraform): option to pass in instanced logger  (#8738)
+  * ci: use `Skitionek/notify-microsoft-teams` instead of `aquasecurity` fork (#8740)
+  * chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
+  * chore(deps): bump the common group across 1 directory with 23 updates (#8733)
+  * feat(rust): add root and workspace relationships/package for `cargo` lock files (#8676)
+  * refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
+  * fix(misconf): populate context correctly for module instances (#8656)
+  * fix(misconf): check if metadata is not nil (#8647)
+  * refactor(misconf): switch to x/json  (#8719)
+  * fix(report): clean buffer after flushing (#8725)
+  * ci: improve PR title validation workflow (#8720)
+  * refactor(flag): improve flag system architecture and extensibility (#8718)
+  * fix(terraform): `evaluateStep` to correctly set `EvalContext` for multiple instances of blocks (#8555)
+  * refactor: migrate from `github.com/aquasecurity/jfather` to `github.com/go-json-experiment/json` (#8591)
+  * feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
+  * ci: use `github.event.pull_request.user.login` for release PR check workflow (#8702)
+  * refactor: add hook interface for extended functionality (#8585)
+  * fix(misconf): add missing variable as unknown (#8683)
+  * docs: Update maintainer docs (#8674)
+  * ci(vuln): reduce github action script injection attack risk (#8610)
+  * fix(secret): ignore .dist-info directories during secret scanning (#8646)
+  * fix(server): fix redis key when trying to delete blob (#8649)
+  * chore(deps): bump the testcontainers group with 2 updates (#8650)
+  * test: use `aquasecurity` repository for test images (#8677)
+  * chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
+  * fix(k8s): skip passed misconfigs for the summary report (#8684)
+  * fix(k8s): correct compare artifact versions (#8682)
+  * chore: update Docker lib (#8681)
+  * refactor(misconf): remove unused terraform attribute methods (#8657)
+  * feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
+  * chore: typo fix to replace `rego` with `repo` on the RepoFlagGroup options error output (#8643)
+  * docs: Add info about helm charts release (#8640)
+  * ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)
+
+-------------------------------------------------------------------
+Thu Apr 24 15:03:57 UTC 2025 - dmueller@suse.com
+
+- Update to version 0.61.1:
+  * release: v0.61.1 [release/v0.61] (#8704)
+  * fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
+  * fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
+  * test: use `aquasecurity` repository for test images [backport: release/v0.61] (#8698)
+  * release: v0.61.0 [main] (#8507)
+  * fix(misconf): Improve logging for unsupported checks (#8634)
+  * feat(k8s): add support for controllers (#8614)
+  * fix(debian): don't include empty licenses for `dpkgs` (#8623)
+  * fix(misconf): Check values wholly prior to evalution (#8604)
+  * chore(deps): Bump trivy-checks (#8619)
+  * fix(k8s): show report for `--report all` (#8613)
+  * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
+  * refactor: rename scanner to service (#8584)
+  * fix(misconf): do not skip loading documents from subdirectories (#8526)
+  * refactor(misconf): get a block or attribute without calling HasChild (#8586)
+  * fix(misconf): identify the chart file exactly by name (#8590)
+  * test: use table-driven tests in Helm scanner tests (#8592)
+  * refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
+  * chore(deps): bump the common group across 1 directory with 10 updates (#8566)
+  * fix(misconf): do not use cty.NilVal for non-nil values (#8567)
+  * docs(cli): improve flag value display format (#8560)
+  * fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
+  * docs: remove slack (#8565)
+  * fix: use `--file-patterns` flag for all post analyzers (#7365)
+  * docs(python): Mention pip-compile (#8484)
+  * feat(misconf): adapt aws_opensearch_domain (#8550)
+  * feat(misconf): adapt AWS::EC2::VPC (#8534)
+  * docs: fix a broken link (#8546)
+  * fix(fs): check postAnalyzers for StaticPaths (#8543)
+  * refactor(misconf): remove unused methods for ec2.Instance (#8536)
+  * feat(misconf): adapt aws_default_security_group (#8538)
+  * feat(fs): optimize scanning performance by direct file access for known paths (#8525)
+  * feat(misconf): adapt AWS::DynamoDB::Table (#8529)
+  * style: Fix MD syntax in self-hosting.md (#8523)
+  * perf(misconf): retrieve check metadata from annotations once (#8478)
+  * feat(misconf): Add support for aws_ami (#8499)
+  * fix(misconf): skip Azure CreateUiDefinition (#8503)
+  * refactor(misconf): use OPA v1 (#8518)
+  * fix(misconf): add ephemeral block type to config schema (#8513)
+  * perf(misconf): parse input for Rego once (#8483)
+  * feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
+  * chore: replace deprecated tenv linter with usetesting (#8504)
+  * fix(spdx): save text licenses into `otherLicenses` without normalize (#8502)
+  * chore(deps): bump the common group across 1 directory with 13 updates (#8491)
+  * chore: use go.mod for managing Go tools (#8493)
+  * ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
+  * release: v0.60.0 [main] (#8327)
+  * fix(sbom): improve logic for binding direct dependency to parent component (#8489)
+  * chore(deps): remove missed replace of `trivy-db` (#8492)
+  * chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
+  * chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
+  * docs: add abbreviation list (#8453)
+  * chore(terraform): assign *terraform.Module 'parent' field (#8444)
+  * feat: add report summary table (#8177)
+  * chore(deps): bump the github-actions group with 3 updates (#8473)
+  * refactor(vex): improve SBOM reference handling with project standards (#8457)
+  * ci: update GitHub Actions cache to v4 (#8475)
+  * feat: add `--vuln-severity-source` flag (#8269)
+  * fix(os): add mapping OS aliases (#8466)
+  * chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
+  * chore(deps): Bump trivy-checks to v1.7.1 (#8467)
+  * refactor(report): write tables after rendering all results (#8357)
+  * docs: update VEX documentation index page (#8458)
+  * fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
+  * feat(misconf): render causes for Terraform (#8360)
+  * fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
+  * feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
+  * chore(deps): update go-rustaudit location (#8450)
+  * fix: update all documentation links (#8045)
+  * chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
+  * chore(deps): bump the common group with 6 updates (#8411)
+  * fix(k8s): add missed option `PkgRelationships` (#8442)
+  * fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
+  * feat(go): fix parsing main module version for go >= 1.24 (#8433)
+  * refactor(misconf): make Rego scanner independent of config type (#7517)
+  * fix(image): disable AVD-DS-0007 for history scanning (#8366)
+  * fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
+  * chore: remove mockery (#8417)
+  * test(server): replace mock driver with memory cache in server tests (#8416)
+  * test: replace mock with memory cache and fix non-deterministic tests (#8410)
+  * test: replace mock with memory cache in scanner tests (#8413)
+  * test: use memory cache (#8403)
+  * fix(spdx): init `pkgFilePaths` map for all formats (#8380)
+  * chore(deps): bump the common group across 1 directory with 11 updates (#8381)
+  * docs: correct Ruby documentation (#8402)
+  * chore: bump `mockery` to update v2.52.2 version and rebuild mock files (#8390)
+  * fix: don't use `scope` for `trivy registry login` command (#8393)
+  * fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
+  * chore(terraform): export module path on terraform modules (#8374)
+  * fix(terraform): apply parser options to submodule parsing (#8377)
+  * docs: Fix typos in documentation (#8361)
+  * docs: fix navigate links (#8336)
+  * ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
+  * ci(spdx): add `aqua-installer` step to fix `mage` error (#8353)
+  * chore: remove debug prints (#8347)
+  * fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
+  * fix(report): remove html escaping for `shortDescription` and `fullDescription` fields for sarif reports (#8344)
+  * chore(deps): bump Go to `v1.23.5` (#8341)
+  * fix(python): add `poetry` v2 support (#8323)
+  * chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
+  * fix(misconf): ecs include enhanced for container insights (#8326)
+  * fix(sbom): preserve OS packages from multiple SBOMs (#8325)
+  * ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
+- drop jwe-avoid-unbounded-splits.patch (included upstream via
+  version update)
+
+-------------------------------------------------------------------
+Wed Feb 26 09:01:28 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- add jwe-avoid-unbounded-splits.patch (bsc#1237618,
+  CVE-2025-27144)
+
+-------------------------------------------------------------------
+Tue Feb 25 14:46:22 UTC 2025 - dmueller@suse.com
+
+- Update to version 0.59.1:
+  * release: v0.59.1 [release/v0.59] (#8334)
+  * fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
+  * chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
+  * fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
+  * fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)
+
 -------------------------------------------------------------------
 Fri Feb  7 11:33:46 UTC 2025 - Dirk Müller <dmueller@suse.com>
 
@@ -97,7 +407,8 @@ Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
 
 - Update to version 0.58.2 (
       bsc#1234512, CVE-2024-45337,
-      bsc#1235265, CVE-2024-45338):
+      bsc#1235265, CVE-2024-45338,
+      bsc#1232948, CVE-2024-51744):
   * release: v0.58.2 [release/v0.58] (#8216)
   * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
   * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)

trivy.spec

@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.59.0
+Version:        0.64.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -25,12 +25,13 @@ Group:          System/Management
 URL:            https://github.com/aquasecurity/trivy
 Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
+# PATCH-FIX-OPENSUSE: backport from  https://github.com/helm/helm/commit/00de613324df4dd930e6d231d9aae7f9dee29c76.patch
+Patch1:         CVE-2025-53547.patch
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.23
+BuildRequires:  golang(API) = 1.24
 Requires:       ca-certificates
 Requires:       git-core
-Requires:       rpm
 
 %description
 Trivy (`tri` pronounced like trigger, `vy` pronounced like envy) is a simple and
@@ -44,6 +45,9 @@ name of the container.
 
 %prep
 %setup -a1
+pushd vendor/helm.sh/helm/v3
+%patch -P 1 -p1
+popd
 
 %build
 export CGO_ENABLED=1