From 3aa0363cbf239ec99c9d24406cfd274465861de0c4d145c2d9620b1c7a9d6822 Mon Sep 17 00:00:00 2001 From: Git SCM Staging Date: Fri, 17 May 2024 20:27:28 +0000 Subject: [PATCH] [info=9db9048f8fcda9228fdaecd994a195b439617cc7] OBS-URL: https://build.opensuse.org/package/show/devel:Factory:git-workflow:staging:dirkmueller:trivy:6/trivy?expand=0&rev=1 --- _scmsync.obsinfo | 6 +- _service | 2 +- _servicedata | 2 +- trivy-0.49.1.tar.zst | 3 - trivy-0.51.1.tar.zst | 3 + trivy.changes | 201 +++++++++++++++++++++++++++++++++++++++++++ trivy.spec | 4 +- vendor.tar.zst | 4 +- 8 files changed, 213 insertions(+), 12 deletions(-) delete mode 100644 trivy-0.49.1.tar.zst create mode 100644 trivy-0.51.1.tar.zst diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 5c7b8a3..f167295 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1707400276 -commit: 2104123c72636f1cd80a006a15bd8b68af402960 +mtime: 1715975286 +commit: 9db9048f8fcda9228fdaecd994a195b439617cc7 url: https://src.opensuse.org/dirkmueller/trivy.git -revision: 2104123c72636f1cd80a006a15bd8b68af402960 +revision: 9db9048f8fcda9228fdaecd994a195b439617cc7 diff --git a/_service b/_service index 47bc656..0feb57b 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/aquasecurity/trivy git - v0.49.1 + v0.51.1 @PARENT_TAG@ v(.*) enable diff --git a/_servicedata b/_servicedata index df0565d..a3ea9b9 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/aquasecurity/trivy - 6ccc0a554b07b05fd049f882a1825a0e1e0aabe1 \ No newline at end of file + 8016b821a260840ccb81ef520f2804b9482f3820 \ No newline at end of file diff --git a/trivy-0.49.1.tar.zst b/trivy-0.49.1.tar.zst deleted file mode 100644 index 9b3a01f..0000000 --- a/trivy-0.49.1.tar.zst +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:af2581e711ad9215913b5665699bd04afda7e5f952ce1200558a6efe16b7fd83 -size 37063408 diff --git a/trivy-0.51.1.tar.zst b/trivy-0.51.1.tar.zst new file mode 100644 index 0000000..673bb16 --- /dev/null +++ b/trivy-0.51.1.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5b51bdf48408ce778d9cd20c291ce284c60febce0d66be794060eb5e89e244af +size 51094632 diff --git a/trivy.changes b/trivy.changes index 754e9fc..a87358c 100644 --- a/trivy.changes +++ b/trivy.changes @@ -1,3 +1,204 @@ +------------------------------------------------------------------- +Fri May 17 19:43:20 UTC 2024 - dmueller@suse.com + +- Update to version 0.51.1: + * fix(fs): handle default skip dirs properly (#6628) + * fix(misconf): load cached tf modules (#6607) + * fix(misconf): do not use semver for parsing tf module versions (#6614) + * refactor: move setting scanners when using compliance reports to flag parsing (#6619) + * feat: introduce package UIDs for improved vulnerability mapping (#6583) + * perf(misconf): Improve cause performance (#6586) + * docs: trivy-k8s new experiance remove un-used section (#6608) + * chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612) + * docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609) + * feat(misconf): Use updated terminology for misconfiguration checks (#6476) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593) + * docs: use `generic` link from `trivy-repo` (#6606) + * docs: update trivy k8s with new experience (#6465) + * feat: support `--skip-images` scanning flag (#6334) + * BREAKING: add support for k8s `disable-node-collector` flag (#6311) + * chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601) + * chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599) + * chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597) + * chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588) + * chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595) + * chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596) + * feat: add ubuntu 23.10 and 24.04 support (#6573) + * chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590) + * chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598) + * docs(go): add stdlib (#6580) + * chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592) + * chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600) + * feat(go): parse main mod version from build info settings (#6564) + * feat: respect custom exit code from plugin (#6584) + * docs: add asdf and mise installation method (#6063) + * feat(vuln): Handle scanning conan v2.x lockfiles (#6357) + * feat: add support `environment.yaml` files (#6569) + * fix: close plugin.yaml (#6577) + * fix: trivy k8s avoid deleting non-default node collector namespace (#6559) + * BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323) + * feat(go): add main module (#6574) + * feat: add relationships (#6563) + * ci: disable `Go` cache for `reusable-release.yaml` (#6572) + * docs: mention `--show-suppressed` is available in table (#6571) + * chore: fix sqlite to support loong64 (#6511) + * fix(debian): sort dpkg info before parsing due to exclude directories (#6551) + * docs: update info about config file (#6547) + * docs: remove RELEASE_VERSION from trivy.repo (#6546) + * fix(sbom): change error to warning for multiple OSes (#6541) + * fix(vuln): skip empty versions (#6542) + * feat(c): add license support for conan lock files (#6329) + * fix(terraform): Attribute and fileset fixes (#6544) + * refactor: change warning if no vulnerability details are found (#6230) + * refactor(misconf): improve error handling in the Rego scanner (#6527) + * ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533) + * feat(go): parse main module of go binary files (#6530) + * chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526) + * refactor(misconf): simplify the retrieval of module annotations (#6528) + * chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523) + * docs(nodejs): add info about supported versions of pnpm lock files (#6510) + * feat(misconf): loading embedded checks as a fallback (#6502) + * fix(misconf): Parse JSON k8s manifests properly (#6490) + * refactor: remove parallel walk (#5180) + * fix: close pom.xml (#6507) + * fix(secret): convert severity for custom rules (#6500) + * fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412) + * fix: typo (#6283) + * docs(k8s,image): fix command-line syntax issues (#6403) + * chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435) + * fix(misconf): avoid panic if the scheme is not valid (#6496) + * feat(image): goversion as stdlib (#6277) + * fix: add color for error inside of log message (#6493) + * chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438) + * docs: fix links to OPA docs (#6480) + * refactor: replace zap with slog (#6466) + * docs: update links to IaC schemas (#6477) + * chore: bump Go to 1.22 (#6075) + * refactor(terraform): sync funcs with Terraform (#6415) + * feat(misconf): add helm-api-version and helm-kube-version flag (#6332) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426) + * chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452) + * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430) + * chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437) + * fix(terraform): eval submodules (#6411) + * refactor(terraform): remove unused options (#6446) + * refactor(terraform): remove unused file (#6445) + * chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387) + * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427) + * fix(misconf): Escape template value correctly (#6292) + * feat(misconf): add support for wildcard ignores (#6414) + * fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439) + * refactor(terraform): remove metrics collection (#6444) + * feat(cloudformation): add support for logging and endpoint access for EKS (#6440) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428) + * chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429) + * fix(db): check schema version for image name only (#6410) + * chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433) + * chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436) + * feat(misconf): Support private registries for misconf check bundle (#6327) + * feat(cloudformation): inline ignore support for YAML templates (#6358) + * feat(terraform): ignore resources by nested attributes (#6302) + * perf(helm): load in-memory files (#6383) + * feat(aws): apply filter options to result (#6367) + * feat(aws): quiet flag support (#6331) + * fix(misconf): clear location URI for SARIF (#6405) + * test(cloudformation): add CF tests (#6315) + * fix(cloudformation): infer type after resolving a function (#6406) + * fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399) + * fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356) + * docs: add info about support for package license detection in `fs`/`repo` modes (#6381) + * fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231) + * fix: use `0600` perms for tmp files for post analyzers (#6386) + * fix(helm): scan the subcharts once (#6382) + * docs(terraform): add file patterns for Terraform Plan (#6393) + * fix(terraform): сhecking SSE encryption algorithm validity (#6341) + * fix(java): parse modules from `pom.xml` files once (#6312) + * chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364) + * fix(server): add Locations for `Packages` in client/server mode (#6366) + * fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346) + * fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348) + * chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371) + * chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321) + * feat(java): add support licenses and graph for gradle lock files (#6140) + * feat(vex): consider root component for relationships (#6313) + * fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298) + * chore: updates wazero to v1.7.0 (#6301) + * feat(sbom): Support license detection for SBOM scan (#6072) + * refactor(sbom): use intermediate representation for SPDX (#6310) + * docs(terraform): improve documentation for filtering by inline comments (#6284) + * fix(terraform): fix policy document retrieval (#6276) + * refactor(terraform): remove unused custom error (#6303) + * refactor(sbom): add intermediate representation for BOM (#6240) + * fix(amazon): check only major version of AL to find advisories (#6295) + * fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219) + * fix(nodejs): add name validation for package name from `package.json` (#6268) + * docs: Added install instructions for FreeBSD (#6293) + * feat(image): customer podman host or socket option (#6256) + * chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290) + * feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213) + * fix(license): reorder logic of how python package licenses are acquired (#6220) + * test(terraform): skip cached modules (#6281) + * feat(secret): Support for detecting Hugging Face Access Tokens (#6236) + * fix(cloudformation): support of all SSE algorithms for s3 (#6270) + * feat(terraform): Terraform Plan snapshot scanning support (#6176) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249) + * fix: typo function name and comment optimization (#6200) + * fix(java): don't ignore runtime scope for pom.xml files (#6223) + * chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242) + * chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251) + * chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253) + * chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250) + * chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247) + * chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246) + * fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215) + * chore(deps): Upgrade iac deps (#6255) + * feat: add info log message about dev deps suppression (#6211) + * test(k8s): use test-db for k8s integration tests (#6222) + * ci: add maximize-build-space for `Test` job (#6221) + * fix(terraform): fix root module search (#6160) + * test(parser): squash test data for yarn (#6203) + * fix(terraform): do not re-expand dynamic blocks (#6151) + * docs: update ecosystem page reporting with db app (#6201) + * fix: k8s summary separate infra and user finding results (#6120) + * fix: add context to target finding on k8s table view (#6099) + * fix: Printf format err (#6198) + * refactor: better integration of the parser into Trivy (#6183) + * chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189) + * feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108) + * fix(vex): CSAF filtering should consider relationships (#5923) + * refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999) + * feat(vuln): ignore vulnerabilities by PURL (#6178) + * feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171) + * feat(k8s): rancher rke2 version support (#5988) + * docs: update kbom distribution for scanning (#6019) + * chore: update CODEOWNERS (#6173) + * fix(swift): try to use branch to resolve version (#6168) + * fix(terraform): ensure consistent path handling across OS (#6161) + * fix(java): add only valid libs from `pom.properties` files from `jars` (#6164) + * fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163) + * chore(deps): merge go-dep-parser into Trivy (#6094) + * docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145) + * docs: update template path for gitlab-ci tutorial (#6144) + * feat(report): support for filtering licenses and secrets via rego policy files (#6004) + * fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113) + * refactor(deps): Merge defsec into trivy (#6109) + * chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142) + * docs: add SecObserve in CI/CD and reporting (#6139) + * fix(alpine): exclude empty licenses for apk packages (#6130) + * docs: add docs tutorial on custom policies with rego (#6104) + * fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102) + * feat(vuln): show suppressed vulnerabilities in table (#6084) + * docs: rename governance to principles (#6107) + * docs: add governance (#6090) + * refactor(deps): Merge trivy-iac into Trivy (#6005) + * feat(java): add dependency location support for `gradle` files (#6083) + * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038) + * fix(misconf): get `user` from `Config.User` (#6070) + ------------------------------------------------------------------- Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com diff --git a/trivy.spec b/trivy.spec index 4641bda..e84568c 100644 --- a/trivy.spec +++ b/trivy.spec @@ -17,7 +17,7 @@ Name: trivy -Version: 0.49.1 +Version: 0.51.1 Release: 0 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers License: Apache-2.0 @@ -25,7 +25,7 @@ Group: System/Management URL: https://github.com/aquasecurity/trivy Source: %{name}-%{version}.tar.zst Source1: vendor.tar.zst -BuildRequires: golang(API) = 1.21 +BuildRequires: golang(API) = 1.22 BuildRequires: golang-packaging BuildRequires: zstd Requires: ca-certificates diff --git a/vendor.tar.zst b/vendor.tar.zst index 26a25e2..13064b3 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:4c586bca703cce84f944618187ea5e2a8f6acab677c5ac3aa3a8e714d54d80c4 -size 20136283 +oid sha256:99a177f5384578ed62dcfeaf67e3500d64cdbea56291f41616e111a97f13c18f +size 35359667