- Update to version 0.41.0:
* fix(spdx): add workaround for no src packages (#4118)
* test(golang): rename broken go.mod (#4129)
* feat(sbom): add supplier field (#4122)
* test(misconf): skip downloading of policies for tests #4126
* refactor: use debug message for post-analyze errors (#4037)
* feat(sbom): add VEX support (#4053)
* feat(sbom): add primary package purpose field for SPDX (#4119)
* fix(k8s): fix quiet flag (#4120)
* fix(python): parse of pip extras (#4103)
* feat(java): use full path for nested jars (#3992)
* feat(license): add new flag for classifier confidence level (#4073)
* feat: config and fs compliance support (#4097)
* chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952)
* feat(spdx): add support for SPDX 2.3 (#4058)
* fix: k8s all-namespaces support (#4096)
* perf(misconf): replace with post-analyzers (#4090)
* fix(helm): update networking API version detection (#4106)
* feat(image): custom docker host option (#3599)
* style: debug flag is incorrect and needs extra - (#4087)
* docs(vuln): Document inline vulnerability filtering comments (#4024)
* feat(fs): customize error callback during fs walk (#4038)
* fix(ubuntu): skip copyright files from subfolders (#4076)
* docs: restructure scanners (#3977)
* fix: fix `file does not exist` error for post-analyzers (#4061)
OBS-URL: https://build.opensuse.org/request/show/1083465
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=51
- Update to version 0.40.0:
* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)
* chore(deps): bump actions/stale from 7 to 8 (#3955)
* fix: return insecure option to download javadb (#4064)
* fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
* ci: add gpg signing for RPM packages (#4056)
* fix(k8s): current context title (#4055)
* fix(k8s): quit support on k8s progress bar (#4021)
* chore: add a note about Dockerfile.canary (#4050)
* ci: fix path to canary binaries (#4045)
* fix(vuln): report architecture for debian packages (#4032)
* feat: add support for Chainguard's commercial distro (#3641)
* ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
* fix(vuln): fix error message for remote scanners (#4031)
* feat(report): add image metadata to SARIF (#4020)
* docs: fix broken cache link on Installation page (#3999)
* fix: lock downloading policies and database (#4017)
* fix: avoid concurrent access to the global map (#4014)
* feat(rust): add Cargo.lock v3 support (#4012)
* feat: auth support oci download server subcommand (#4008)
* chore(deps): bump github.com/docker/docker (#4009)
* chore: install.sh support for armv7 (#3985)
* chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961)
- Update to version 0.39.1:
* fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
* fix(sbom): fix infinite loop for cyclonedx (#3998)
* chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
* fix: use warning for errors from enrichment files for post-analyzers (#3972)
* chore(deps): bump github.com/docker/docker (#3963)
OBS-URL: https://build.opensuse.org/request/show/1079785
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=50
* fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
* fix(sbom): fix infinite loop for cyclonedx (#3998)
* chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
* fix: use warning for errors from enrichment files for post-analyzers (#3972)
* chore(deps): bump github.com/docker/docker (#3963)
* fix(helm): added annotation to psp configurable from values (#3893)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962)
* fix(secret): update built-in rule `tests` (#3855)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957)
* test: rewrite scripts in Go (#3968)
* docs(cli): Improve glob documentation (#3945)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959)
* ci: check CLI references (#3967)
* chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956)
* chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958)
* chore(deps): bump actions/setup-go from 3 to 4 (#3953)
* chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950)
* chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965)
* chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=55
- Update to version 0.39.0:
* docs(cli): added makefile and go file to create docs (#3930)
* chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
* chore: ignore gpg key (#3943)
* feat(cyclonedx): support dependency graph (#3177)
* chore(deps): Bump defsec to v0.85.0 (#3940)
* feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
* feat(server): redis with public TLS certs support (#3783)
* feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866)
* chore: replace make with mage (#3932)
* fix(sbom): add checksum to files (#3888)
* chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
* chore: remove unused mount volumes (#3927)
* feat: add auth support for downloading OCI artifacts (#3915)
* refactor(purl): use epoch in qualifier (#3913)
* chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
* feat(image): add registry options (#3906)
* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
* chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
* feat(php): add support for location, licenses and graph for composer.lock files (#3873)
* chore(deps): updates wazero to 1.0.0 (#3904)
* feat(image): discover SBOM in OCI referrers (#3768)
* docs: change cache-dir key in config file (#3897)
* fix(sbom): use release and epoch for SPDX package version (#3896)
* ci: add gpg signing for RPM packages (#3612)
* docs: Update incorrect comment for skip-update flag (#3878)
* refactor(misconf): simplify policy filesystem (#3875)
* feat(nodejs): parse package.json alongside yarn.lock (#3757)
* fix(spdx): add PkgDownloadLocation field (#3879)
* fix(report): try to guess direct deps for dependency tree (#3852)
OBS-URL: https://build.opensuse.org/request/show/1077009
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=49
* docs(cli): added makefile and go file to create docs (#3930)
* chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
* chore: ignore gpg key (#3943)
* feat(cyclonedx): support dependency graph (#3177)
* chore(deps): Bump defsec to v0.85.0 (#3940)
* feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
* feat(server): redis with public TLS certs support (#3783)
* feat(flag): Add glob support to `--skip-dirs` and `--skip-files` (#3866)
* chore: replace make with mage (#3932)
* fix(sbom): add checksum to files (#3888)
* chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
* chore: remove unused mount volumes (#3927)
* feat: add auth support for downloading OCI artifacts (#3915)
* refactor(purl): use epoch in qualifier (#3913)
* chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
* feat(image): add registry options (#3906)
* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
* chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
* feat(php): add support for location, licenses and graph for composer.lock files (#3873)
* chore(deps): updates wazero to 1.0.0 (#3904)
* feat(image): discover SBOM in OCI referrers (#3768)
* docs: change cache-dir key in config file (#3897)
* fix(sbom): use release and epoch for SPDX package version (#3896)
* ci: add gpg signing for RPM packages (#3612)
* docs: Update incorrect comment for skip-update flag (#3878)
* refactor(misconf): simplify policy filesystem (#3875)
* feat(nodejs): parse package.json alongside yarn.lock (#3757)
* fix(spdx): add PkgDownloadLocation field (#3879)
* fix(report): try to guess direct deps for dependency tree (#3852)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=53
- Update to version 0.38.3:
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
* fix(java): skip empty files for jar post analyzer (#3832)
* fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
* refactor(license): use goyacc for license parser (#3824)
* chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
* fix: populate timeout context to node-collector (#3766)
* fix: exclude node collector scanning (#3771)
* fix: display correct flag in error message when skipping java db update #3808
* fix: disable jar analyzer for scanners other than vuln (#3810)
* fix(sbom): fix incompliant license format for spdx (#3335)
* fix(java): the project props take precedence over the parent's props (#3320)
* docs: add canary build info to README.md (#3799)
* docs: adding link to gh token generation (#3784)
* docs: changing docs in accordance with #3460 (#3787)
OBS-URL: https://build.opensuse.org/request/show/1071463
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=48
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
* fix(java): skip empty files for jar post analyzer (#3832)
* fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
* refactor(license): use goyacc for license parser (#3824)
* chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
* fix: populate timeout context to node-collector (#3766)
* fix: exclude node collector scanning (#3771)
* fix: display correct flag in error message when skipping java db update #3808
* fix: disable jar analyzer for scanners other than vuln (#3810)
* fix(sbom): fix incompliant license format for spdx (#3335)
* fix(java): the project props take precedence over the parent's props (#3320)
* docs: add canary build info to README.md (#3799)
* docs: adding link to gh token generation (#3784)
* docs: changing docs in accordance with #3460 (#3787)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=50
* chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
* chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
* fix(license): disable jar analyzer for licence scan only (#3780)
* bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781)
* fix: skip checking dirs for required post-analyzers (#3773)
* docs: add information about plugin format (#3749)
* fix(sbom): add trivy version to spdx creators tool field (#3756)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=48
- Update to version 0.38.1:
* feat(misconf): Add support to show policy bundle version (#3743)
* fix(python): fix error with optional dependencies in pyproject.toml (#3741)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
* add id for package.json files (#3750)
* chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
* chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
* chore(deps): bump github.com/google/go-containerregistry (#3731)
* chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
* chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)
OBS-URL: https://build.opensuse.org/request/show/1069011
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=46
* feat(misconf): Add support to show policy bundle version (#3743)
* fix(python): fix error with optional dependencies in pyproject.toml (#3741)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.210 to 1.44.212 (#3740)
* add id for package.json files (#3750)
* chore(deps): bump github.com/containerd/containerd from 1.6.18 to 1.6.19 (#3738)
* chore(deps): bump actions/cache from 3.2.4 to 3.2.6 (#3725)
* chore(deps): bump github.com/google/go-containerregistry (#3731)
* chore(deps): bump go.etcd.io/bbolt from 1.3.6 to 1.3.7 (#3732)
* chore(deps): bump alpine from 3.17.1 to 3.17.2 (#3723)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=46
* chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#3536)
* chore(deps): bump golang/x/mod to v0.8.0 (#3606)
* chore(deps): bump golang.org/x/crypto from 0.3.0 to 0.5.0 (#3529)
* chore(deps): bump helm.sh/helm/v3 from 3.10.3 to 3.11.1 (#3580)
* ci: quote pros in c++ for semantic pr (#3605)
* fix(image): check proxy settings from env for remote images (#3604)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=42
- Update to version 0.36.1:
* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
* docs(aws): fix broken links (#3374)
* chore(deps): bump actions/stale from 6 to 7 (#3360)
* chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
* chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
* chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
* chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
* chore(go): updates wazero to v1.0.0-pre.7 (#3355)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)
OBS-URL: https://build.opensuse.org/request/show/1056176
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=40
* fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
* feat(flag): early fail when the format is invalid (#3370)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.136 to 1.44.171 (#3366)
* docs(aws): fix broken links (#3374)
* chore(deps): bump actions/stale from 6 to 7 (#3360)
* chore(deps): bump helm/kind-action from 1.4.0 to 1.5.0 (#3359)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)
* chore(deps): bump azure/setup-helm from 3.4 to 3.5 (#3358)
* chore(deps): bump github.com/moby/buildkit from 0.10.4 to 0.10.6 (#3173)
* chore(deps): bump goreleaser/goreleaser-action from 3 to 4 (#3357)
* chore(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.14 (#3367)
* chore(go): updates wazero to v1.0.0-pre.7 (#3355)
* chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 (#3362)
* chore(deps): bump actions/cache from 3.0.11 to 3.2.2 (#3356)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=34
- Update to version 0.36.0:
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
* chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
* chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
OBS-URL: https://build.opensuse.org/request/show/1046089
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=39
* docs: improve compliance docs (#3340)
* feat(deps): add yarn lock dependency tree (#3348)
* fix: compliance change id and title naming (#3349)
* feat: add support for mix.lock files for elixir language (#3328)
* feat: add k8s cis bench (#3315)
* test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
* revert: cache merged layers (#3334)
* feat(cyclonedx): add recommendation (#3336)
* feat(ubuntu): added support ubuntu ESM versions (#1893)
* fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
* chore(deps): bump github.com/hashicorp/golang-lru from 0.5.4 to 2.0.1 (#3265)
* feat: Adding support for Windows testing (#3037)
* feat: add support for Alpine 3.17 (#3319)
* docs: change PodFile.lock to Podfile.lock (#3318)
* fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
* feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
* chore(go): remove experimental FS API usage in Wasm (#3299)
* ci: add workflow to add issues to roadmap project (#3292)
* fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#3250)
* feat(sbom): better support for third-party SBOMs (#3262)
* docs: add information about languages with support for dependency locations (#3306)
* feat(vm): add `region` option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
* chore(deps): bump github.com/Azure/azure-sdk-for-go from 66.0.0+incompatible to 67.1.0+incompatible (#3251)
* fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
* docs: remove comparisons (#3289)
* feat: add support for Wolfi Linux (#3215)
* ci: add go.mod to canary workflow (#3288)
* feat(python): skip dev dependencies (#3282)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=32
- Update to version 0.32.1:
* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
* chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
OBS-URL: https://build.opensuse.org/request/show/1006699
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/trivy?expand=0&rev=35
* fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
* chore: expat lib and go binary deps vulns (#2940)
* wasm: Removes accidentally exported memory (#2950)
* fix(sbom): fix package name separation for gradle (#2906)
* docs(readme.md): fix broken integrations link (#2931)
* fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
* fix(cli): split env values with ',' for slice flags (#2926)
* fix(cli): config/helm: also take into account files with `.yml` (#2928)
* fix(flag): add file-patterns flag for config subcommand (#2925)
* chore(deps): bump github.com/open-policy-agent/opa from 0.43.0 to 0.43.1 (#2902)
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/trivy?expand=0&rev=24