Accepting request 1174935 from devel:Factory:git-workflow:staging:dirkmueller:trivy:6

Update to 0.51.1 (🤖: Submission of trivy via pool/trivy#6 by dirkmueller) OBS-URL: https://build.opensuse.org/request/show/1174935 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=62
2024-05-20 16:11:26 +00:00 · 2024-05-20 16:11:26 +00:00 · cd0e81cfb6
commit cd0e81cfb6
parent d4192f4986 3aa0363cbf
8 changed files with 213 additions and 12 deletions
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@ -1,4 +1,4 @@
-mtime: 1707400276
-commit: 2104123c72636f1cd80a006a15bd8b68af402960
+mtime: 1715975286
+commit: 9db9048f8fcda9228fdaecd994a195b439617cc7
 url: https://src.opensuse.org/dirkmueller/trivy.git
-revision: 2104123c72636f1cd80a006a15bd8b68af402960
+revision: 9db9048f8fcda9228fdaecd994a195b439617cc7
--- a/2
+++ b/2
@ -2,7 +2,7 @@
  <service name="tar_scm" mode="manual">
    <param name="url">https://github.com/aquasecurity/trivy</param>
    <param name="scm">git</param>
-    <param name="revision">v0.49.1</param>
+    <param name="revision">v0.51.1</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">v(.*)</param>
    <param name="changesgenerate">enable</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">6ccc0a554b07b05fd049f882a1825a0e1e0aabe1</param></service></servicedata>
+              <param name="changesrevision">8016b821a260840ccb81ef520f2804b9482f3820</param></service></servicedata>
--- a/trivy-0.49.1.tar.zst
+++ b/trivy-0.49.1.tar.zst
--- a/trivy-0.51.1.tar.zst
+++ b/trivy-0.51.1.tar.zst
--- a/trivy.changes
+++ b/trivy.changes
@ -1,3 +1,204 @@
+-------------------------------------------------------------------
+Fri May 17 19:43:20 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.51.1:
+  * fix(fs): handle default skip dirs properly (#6628)
+  * fix(misconf): load cached tf modules (#6607)
+  * fix(misconf): do not use semver for parsing tf module versions (#6614)
+  * refactor: move setting scanners when using compliance reports to flag parsing (#6619)
+  * feat: introduce package UIDs for improved vulnerability mapping (#6583)
+  * perf(misconf): Improve cause performance (#6586)
+  * docs: trivy-k8s new experiance remove un-used section (#6608)
+  * chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
+  * docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
+  * feat(misconf): Use updated terminology for misconfiguration checks (#6476)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
+  * docs: use `generic` link from `trivy-repo` (#6606)
+  * docs: update trivy k8s with new experience (#6465)
+  * feat: support `--skip-images` scanning flag (#6334)
+  * BREAKING: add support for k8s `disable-node-collector` flag (#6311)
+  * chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
+  * chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
+  * chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
+  * chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
+  * chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
+  * chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
+  * feat: add ubuntu 23.10 and 24.04 support (#6573)
+  * chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
+  * chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598)
+  * docs(go): add stdlib (#6580)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592)
+  * chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600)
+  * feat(go): parse main mod version from build info settings (#6564)
+  * feat: respect custom exit code from plugin (#6584)
+  * docs: add asdf and mise installation method (#6063)
+  * feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
+  * feat: add support `environment.yaml` files (#6569)
+  * fix: close plugin.yaml (#6577)
+  * fix: trivy k8s avoid deleting non-default node collector namespace  (#6559)
+  * BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
+  * feat(go): add main module (#6574)
+  * feat: add relationships (#6563)
+  * ci: disable `Go` cache for `reusable-release.yaml` (#6572)
+  * docs: mention `--show-suppressed` is available in table (#6571)
+  * chore: fix sqlite to support loong64 (#6511)
+  * fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
+  * docs: update info about config file (#6547)
+  * docs: remove RELEASE_VERSION from trivy.repo (#6546)
+  * fix(sbom): change error to warning for multiple OSes (#6541)
+  * fix(vuln): skip empty versions (#6542)
+  * feat(c): add license support for conan lock files (#6329)
+  * fix(terraform): Attribute and fileset fixes (#6544)
+  * refactor: change warning if no vulnerability details are found (#6230)
+  * refactor(misconf): improve error handling in the Rego scanner (#6527)
+  * ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533)
+  * feat(go): parse main module of go binary files (#6530)
+  * chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526)
+  * refactor(misconf): simplify the retrieval of module annotations (#6528)
+  * chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523)
+  * docs(nodejs): add info about supported versions of pnpm lock files (#6510)
+  * feat(misconf): loading embedded checks as a fallback (#6502)
+  * fix(misconf): Parse JSON k8s manifests properly (#6490)
+  * refactor: remove parallel walk (#5180)
+  * fix: close pom.xml (#6507)
+  * fix(secret): convert severity for custom rules (#6500)
+  * fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
+  * fix: typo (#6283)
+  * docs(k8s,image): fix command-line syntax issues (#6403)
+  * chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435)
+  * fix(misconf): avoid panic if the scheme is not valid (#6496)
+  * feat(image): goversion as stdlib (#6277)
+  * fix: add color for error inside of log message (#6493)
+  * chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438)
+  * docs: fix links to OPA docs (#6480)
+  * refactor: replace zap with slog (#6466)
+  * docs: update links to IaC schemas (#6477)
+  * chore: bump Go to 1.22 (#6075)
+  * refactor(terraform): sync funcs with Terraform (#6415)
+  * feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426)
+  * chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452)
+  * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430)
+  * chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437)
+  * fix(terraform): eval submodules (#6411)
+  * refactor(terraform): remove unused options (#6446)
+  * refactor(terraform): remove unused file (#6445)
+  * chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427)
+  * fix(misconf): Escape template value correctly (#6292)
+  * feat(misconf): add support for wildcard ignores (#6414)
+  * fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
+  * refactor(terraform): remove metrics collection (#6444)
+  * feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428)
+  * chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429)
+  * fix(db): check schema version for image name only (#6410)
+  * chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433)
+  * chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436)
+  * feat(misconf): Support private registries for misconf check bundle (#6327)
+  * feat(cloudformation): inline ignore support for YAML templates (#6358)
+  * feat(terraform): ignore resources by nested attributes (#6302)
+  * perf(helm): load in-memory files (#6383)
+  * feat(aws): apply filter options to result (#6367)
+  * feat(aws): quiet flag support (#6331)
+  * fix(misconf): clear location URI for SARIF (#6405)
+  * test(cloudformation): add CF tests (#6315)
+  * fix(cloudformation): infer type after resolving a function (#6406)
+  * fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
+  * fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356)
+  * docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
+  * fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
+  * fix: use `0600` perms for tmp files for post analyzers (#6386)
+  * fix(helm): scan the subcharts once (#6382)
+  * docs(terraform): add file patterns for Terraform Plan (#6393)
+  * fix(terraform): сhecking SSE encryption algorithm validity (#6341)
+  * fix(java): parse modules from `pom.xml` files once (#6312)
+  * chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364)
+  * fix(server): add Locations for `Packages` in client/server mode (#6366)
+  * fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
+  * fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
+  * chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
+  * chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321)
+  * feat(java): add support licenses and graph for gradle lock files (#6140)
+  * feat(vex): consider root component for relationships (#6313)
+  * fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
+  * chore: updates wazero to v1.7.0 (#6301)
+  * feat(sbom): Support license detection for SBOM scan (#6072)
+  * refactor(sbom): use intermediate representation for SPDX (#6310)
+  * docs(terraform): improve documentation for filtering by inline comments (#6284)
+  * fix(terraform): fix policy document retrieval (#6276)
+  * refactor(terraform): remove unused custom error (#6303)
+  * refactor(sbom): add intermediate representation for BOM (#6240)
+  * fix(amazon): check only major version of AL to find advisories (#6295)
+  * fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
+  * fix(nodejs): add name validation for package name from `package.json`  (#6268)
+  * docs: Added install instructions for FreeBSD (#6293)
+  * feat(image): customer podman host or socket option (#6256)
+  * chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290)
+  * feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
+  * fix(license): reorder logic of how python package licenses are acquired (#6220)
+  * test(terraform): skip cached modules (#6281)
+  * feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
+  * fix(cloudformation): support of all SSE algorithms for s3 (#6270)
+  * feat(terraform): Terraform Plan snapshot scanning support (#6176)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249)
+  * fix: typo function name and comment optimization (#6200)
+  * fix(java): don't ignore runtime scope for pom.xml files (#6223)
+  * chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242)
+  * chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251)
+  * chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253)
+  * chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247)
+  * chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246)
+  * fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
+  * chore(deps): Upgrade iac deps (#6255)
+  * feat: add info log message about dev deps suppression (#6211)
+  * test(k8s): use test-db for k8s integration tests (#6222)
+  * ci: add maximize-build-space for `Test` job (#6221)
+  * fix(terraform): fix root module search (#6160)
+  * test(parser): squash test data for yarn (#6203)
+  * fix(terraform): do not re-expand dynamic blocks (#6151)
+  * docs: update ecosystem page reporting with db app (#6201)
+  * fix: k8s summary separate infra and user finding results (#6120)
+  * fix: add context to target finding on k8s table view (#6099)
+  * fix: Printf format err (#6198)
+  * refactor: better integration of the parser into Trivy (#6183)
+  * chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189)
+  * feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
+  * fix(vex): CSAF filtering should consider relationships (#5923)
+  * refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
+  * feat(vuln): ignore vulnerabilities by PURL (#6178)
+  * feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
+  * feat(k8s): rancher rke2 version support (#5988)
+  * docs: update kbom distribution for scanning (#6019)
+  * chore: update CODEOWNERS (#6173)
+  * fix(swift): try to use branch to resolve version (#6168)
+  * fix(terraform): ensure consistent path handling across OS (#6161)
+  * fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
+  * fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
+  * chore(deps): merge go-dep-parser into Trivy (#6094)
+  * docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
+  * docs: update template path for gitlab-ci tutorial (#6144)
+  * feat(report): support for filtering licenses and secrets via rego policy files (#6004)
+  * fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
+  * refactor(deps): Merge defsec into trivy (#6109)
+  * chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142)
+  * docs: add SecObserve in CI/CD and reporting (#6139)
+  * fix(alpine): exclude empty licenses for apk packages (#6130)
+  * docs: add docs tutorial on custom policies with rego (#6104)
+  * fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
+  * feat(vuln): show suppressed vulnerabilities in table (#6084)
+  * docs: rename governance to principles (#6107)
+  * docs: add governance (#6090)
+  * refactor(deps): Merge trivy-iac into Trivy (#6005)
+  * feat(java): add dependency location support for `gradle` files (#6083)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038)
+  * fix(misconf): get `user` from `Config.User` (#6070)
+
 -------------------------------------------------------------------
 Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com

--- a/trivy.spec
+++ b/trivy.spec
@ -17,7 +17,7 @@


 Name:           trivy
-Version:        0.49.1
+Version:        0.51.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@ -25,7 +25,7 @@ Group:          System/Management
 URL:            https://github.com/aquasecurity/trivy
 Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
-BuildRequires:  golang(API) = 1.21
+BuildRequires:  golang(API) = 1.22
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
 Requires:       ca-certificates
--- a/vendor.tar.zst
+++ b/vendor.tar.zst