Merge pull request 'Update to 0.54.1' (#6) from dirkmueller/trivy:factory into factory

Reviewed-on: pool/trivy#1

_scmsync.obsinfo

@@ -1,4 +1,4 @@
-mtime: 1717679875
-commit: 579ede4865fcf5783c98eab0446e1c095dd85e84
-url: https://src.opensuse.org/dirkmueller/trivy.git
-revision: 579ede4865fcf5783c98eab0446e1c095dd85e84
+mtime: 1717765405
+commit: 96ac2f27c0ccdd6423580fc28d828483ef3309a85f4741eb93d275b73f7ef52c
+url: https://src.opensuse.org/pool/trivy.git
+revision: factory

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.52.0</param>
+    <param name="revision">v0.54.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">c24dfbab68056a42aff9589b024c6f2d067f9f52</param></service></servicedata>
+              <param name="changesrevision">854c61d34a550a9fcbab3bc59e55b868c15d1962</param></service></servicedata>

trivy.changes

@@ -1,3 +1,185 @@
+-------------------------------------------------------------------
+Thu Aug 01 12:24:35 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.54.1:
+  * release: v0.54.1 [release/v0.54] (#7282)
+  * fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285)
+  * fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
+  * fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
+  * release: v0.54.0 [main] (#7075)
+  * docs: update ecosystem page reporting with plopsec.com app (#7262)
+  * chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#7136)
+  * feat(vex): retrieve VEX attestations from OCI registries (#7249)
+  * feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
+  * refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)
+  * fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)
+  * fix(java): avoid panic if deps from `pom` in `it` dir are not found (#7245)
+  * chore: show VEX notice for OSS maintainers in CI environments (#7246)
+  * feat(vuln): add `--pkg-relationships` (#7237)
+  * docs: show VEX cli pages + update config file page for VEX flags (#7244)
+  * fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)
+  * chore(deps): bump the common group across 1 directory with 17 updates (#7230)
+  * feat(vex): VEX Repository support (#7206)
+  * fix(secret): skip regular strings contain secret patterns (#7182)
+  * feat: share build-in rules (#7207)
+  * fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
+  * fix(cli): error on missing config file (#7154)
+  * fix(secret): update length of `hugging-face-access-token` (#7216)
+  * feat(sbom): add vulnerability support for SPDX formats (#7213)
+  * ci: use free runner for all tests except `build tests` (#7215)
+  * chore(deps): bump the docker group across 1 directory with 2 updates (#7208)
+  * fix(secret): trim excessively long lines (#7192)
+  * chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
+  * fix(server): pass license categories to options (#7203)
+  * feat(mariner): Add support for Azure Linux (#7186)
+  * docs: updates config file (#7188)
+  * refactor(fs): remove unused field for CompositeFS (#7195)
+  * fix(dotnet): don't include non-runtime libraries into report for `*.deps.json` files (#7039)
+  * chore(deps): bump goreleaser from `v2.0.0` to `v2.1.0` (#7162)
+  * fix: add missing platform and type to spec (#7149)
+  * chore(deps): bump the aws group with 6 updates (#7166)
+  * feat(misconf): enabled China configuration for ACRs (#7156)
+  * fix: close file when failed to open gzip (#7164)
+  * docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
+  * docs(misconf): add info about limitations for terraform plan json (#7143)
+  * chore: add VEX for Trivy images (#7140)
+  * chore(deps): bump the common group across 1 directory with 7 updates (#7125)
+  * chore: add VEX document and generator for Trivy  (#7128)
+  * fix(misconf): do not evaluate TF when a load error occurs (#7109)
+  * feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
+  * refactor(secret): move warning about file size after `IsBinary` check (#7123)
+  * chore(deps): bump the docker group with 2 updates (#7116)
+  * feat: add openSUSE tumbleweed detection and scanning (#6965)
+  * test: add missing advisory details for integration tests database (#7122)
+  * fix: Add dependencyManagement exclusions to the child exclusions (#6969)
+  * chore(deps): bump the aws group with 4 updates (#7115)
+  * fix: ignore nodes when listing permission is not allowed (#7107)
+  * fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
+  * refactor(secret): add warning about large files (#7085)
+  * feat(nodejs): add license parser to pnpm analyser (#7036)
+  * refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
+  * feat: add `log.FilePath()` function for logger (#7080)
+  * chore: bump golangci-lint from v1.58 to v1.59 (#7077)
+  * chore(deps): bump the common group across 1 directory with 23 updates (#7066)
+  * perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)
+  * refactor: pass DB dir to trivy-db (#7057)
+  * docs: navigate to the release highlights and summary (#7072)
+  * chore(deps): bump the github-actions group with 2 updates (#7067)
+-  drop add-opensuse-tumbleweed-db.patch,
+   add-opensuse-tumbleweed-support.patch: merged upstream
+
+-------------------------------------------------------------------
+Thu Jul 25 09:40:25 UTC 2024 - Dirk Müller <dmueller@suse.com>
+
+- refresh add-opensuse-tumbleweed-support.patch
+
+-------------------------------------------------------------------
+Thu Jul 11 15:31:03 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):
+  * release: v0.53.0 [main] (#6855)
+  * feat(conda): add licenses support for `environment.yml` files (#6953)
+  * fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
+  * feat: add memory cache backend (#7048)
+  * fix(sbom): use package UIDs for uniqueness (#7042)
+  * feat(php): add installed.json file support (#4865)
+  * docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
+  * fix: use embedded when command path not found (#7037)
+  * chore(deps): bump trivy-kubernetes version (#7012)
+  * refactor: use google/wire for cache (#7024)
+  * fix(cli): show info message only when --scanners is available (#7032)
+  * chore: enable float-compare rule from testifylint (#6967)
+  * docs: Add sudo on commands, chmod before mv on install docs (#7009)
+  * fix(plugin): respect `--insecure` (#7022)
+  * feat(k8s)!: node-collector dynamic commands support (#6861)
+  * fix(sbom): take pkg name from `purl` for maven pkgs (#7008)
+  * chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#7018)
+  * feat!: add clean subcommand (#6993)
+  * chore: use `!` for breaking changes (#6994)
+  * feat(aws)!: Remove aws subcommand (#6995)
+  * refactor: replace global cache directory with parameter passing (#6986)
+  * fix(sbom): use `purl` for `bitnami` pkg names (#6982)
+  * chore: bump Go toolchain version (#6984)
+  * refactor: unify cache implementations (#6977)
+  * docs: non-packaged and sbom clarifications (#6975)
+  * BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)
+  * docs: delete unknown URL (#6972)
+  * refactor: use version-specific URLs for documentation references (#6966)
+  * refactor: delete db mock (#6940)
+  * ci: add depguard (#6963)
+  * refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
+  * feat: Add local ImageID to SARIF metadata (#6522)
+  * fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
+  * feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
+  * feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)
+  * fix(purl): add missed os types (#6955)
+  * fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)
+  * fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)
+  * ci: correctly handle categories (#6943)
+  * fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)
+  * fix(misconf): handle source prefix to ignore (#6945)
+  * fix(misconf): fix parsing of engine links and frameworks (#6937)
+  * feat(misconf): support of selectors for all providers for Rego (#6905)
+  * ci: don't run `tests` for `release-please` PRs (#6936)
+  * fix(license): return license separation using separators  `,`, `or`, etc. (#6916)
+  * ci: use `ubuntu-latest-m` runner (#6918)
+  * feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
+  * BREAKING(misconf): flatten recursive types (#6862)
+  * ci: move triage workflow yaml under .github/workflows (#6895)
+  * ci: add `trivy` group for `dependabot` (#6908)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 (#6910)
+  * test: bump docker API to 1.45  (#6914)
+  * feat(sbom): migrate to `CycloneDX v1.6` (#6903)
+  * chore(deps): bump the aws group with 8 updates (#6898)
+  * ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` (#6887)
+  * feat(image): Set User-Agent header for Trivy container registry requests (#6868)
+  * fix(debian): take installed files from the origin layer (#6849)
+  * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)
+  * feat(misconf): API Gateway V1 support for CloudFormation (#6874)
+  * ci: add created release branch to `rulesets` to enable merge queue (#6880)
+  * feat(plugin): add support for nested archives (#6845)
+  * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)
+  * fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)
+  * ci: use author permission check instead of `author_association` field for backport workflow (#6870)
+  * chore: auto label discussions (#5259)
+  * docs: explain how VEX is applied (#6864)
+  * ci: automate backporting process (#6781)
+  * ci: create release branch (#6859)
+  * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
+  * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
+  * feat(dart): use first version of constraint for dependencies using SDK version (#6239)
+  * fix(misconf): parsing numbers without fraction as int (#6834)
+  * fix(misconf): fix caching of modules in subdirectories (#6814)
+  * feat(misconf): add metadata to Cloud schema (#6831)
+  * chore(deps): bump the aws group across 1 directory with 7 updates (#6837)
+  * chore(deps): bump the common group with 5 updates (#6842)
+  * test: replace embedded Git repository with dynamically created repository (#6824)
+
+-------------------------------------------------------------------
+Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.52.2:
+  * release: v0.52.2 [release/v0.52] (#6896)
+  * ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
+  * test: bump docker API to 1.45  [backport: release/v0.52] (#6922)
+  * ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
+  * fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
+- add add-opensuse-tumbleweed-db.patch,
+  add-opensuse-tumbleweed-support.patch: patches for tumbleweed
+  support
+
+-------------------------------------------------------------------
+Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.52.1:
+  * release: v0.52.1 [release/v0.52] (#6877)
+  * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
+  * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
+  * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
+  * docs: explain how VEX is applied (#6864)
+  * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
+
 -------------------------------------------------------------------
 Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com
 

trivy.spec

@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.52.0
+Version:        0.54.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -43,7 +43,7 @@ scan. All you need to do for scanning is to specify a target such as an image
 name of the container.
 
 %prep
-%autosetup -p1 -a1
+%setup -a1
 
 %build
 export CGO_ENABLED=1