Upgrade Trivy to 0.47.0

Signed-off-by: Guilherme Macedo <guilherme@gmacedo.com>

_scmsync.obsinfo

@@ -0,0 +1,4 @@
+mtime: 1692203616
+commit: fe5cccdebe8c3f80a50568289bbf4e65174e54d1
+url: https://src.opensuse.org/dirkmueller/trivy.git
+revision: fe5cccdebe8c3f80a50568289bbf4e65174e54d1

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.42.1</param>
+    <param name="revision">v0.47.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">9a279fa7bb5ccdcda642f99ac2dfd80551082ee2</param></service></servicedata>
+              <param name="changesrevision">d6df5fbcda878e43e5e02484304726ebe7c6c418</param></service></servicedata>

trivy.changes

@@ -1,3 +1,311 @@
+-------------------------------------------------------------------
+Mon Nov 06 14:10:06 UTC 2023 - guilherme.macedo@suse.com
+
+- Update to version 0.47.0:
+  * docs: add info that license scanning supports file-patterns flag (#5484)
+  * docs: add Zora integration into Ecosystem session (#5490)
+  * fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
+  * ci: use maximize build space for K8s tests (#5387)
+  * fix: correct error mismatch causing race in fast walks (#5516)
+  * docs: k8s vulnerability scanning (#5515)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
+  * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
+  * docs: remove glad for java datasources (#5508)
+  * chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
+  * chore: remove unused logger attribute in amazon detector (#5476)
+  * fix: correct error mismatch causing race in fast walks (#5482)
+  * chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
+  * chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
+  * chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
+  * fix(server): add licenses to `BlobInfo` message (#5382)
+  * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
+  * feat: scan vulns on k8s core component apps (#5418)
+  * fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
+  * chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
+  * fix(sbom): save digests for package/application when scanning SBOM files (#5432)
+  * docs: fix the broken link (#5454)
+  * docs: fix error when installing `PyYAML` for gh pages (#5462)
+  * fix(java): download java-db once (#5442)
+  * chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
+  * docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
+  * feat(misconf): Support `--ignore-policy` in config scans (#5359)
+  * docs(misconf): fix broken table for `Use container image` section (#5425)
+  * feat(dart): add graph support (#5374)
+  * refactor: define a new struct for scan targets (#5397)
+  * fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
+  * fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
+  * chore(deps): move to aws-sdk-go-v2 (#5381)
+  * docs: remove --scanners none (#5384)
+  * docs: Update container_image.md #5182 (#5193)
+  * feat(report): Add `InstalledFiles` field to Package (#4706)
+  * feat(k8s): add support for vulnerability detection (#5268)
+  * fix(python): override BOM in `requirements.txt` files (#5375)
+  * docs: add kbom documentation (#5363)
+  * test: use maximize build space for VM tests (#5362)
+  * chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
+  * fix(report): add escaping quotes in misconfig Title for asff template (#5351)
+  * ci: add workflow to check Go versions of dependencies (#5340)
+  * chore(deps): Upgrade defsec to v0.93.1 (#5348)
+  * chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
+  * fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
+  * fix: add config files to FS for post-analyzers (#5333)
+  * fix: fix MIME warnings after updating to Go 1.20 (#5336)
+  * build: fix a compile error with Go 1.21 (#5339)
+  * feat: added `Metadata` into the k8s resource's scan report (#5322)
+  * ci: check only PR's in `actions/stale` (#5337)
+  * chore: update adopters template (#5330)
+  * ci: do not trigger tests on the push event (#5313)
+  * fix(sbom): use PURL or Group and Name in case of Java  (#5154)
+  * docs: add buildkite repository to ecosystem page (#5316)
+  * chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
+  * chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
+  * chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
+  * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
+  * chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
+  * chore: enable go-critic (#5302)
+  * chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
+  * chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
+  * close java-db client (#5273)
+  * chore(deps): bump docker/login-action from 2 to 3 (#5291)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
+  * chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
+  * chore(deps): bump github.com/opencontainers/image-spec (#5295)
+  * fix(report): removes git::http from uri in sarif (#5244)
+  * Improve the meaning of  sentence (#5301)
+  * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
+  * chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
+  * add app nil check (#5274)
+  * typo: in secret.md (#5281)
+  * docs: add info about `github` format (#5265)
+  * feat(dotnet): add license support for NuGet (#5217)
+  * docs: correctly export variables (#5260)
+  * chore: Add line numbers for lint output (#5247)
+  * chore(cli): disable java-db flags in server mode (#5263)
+  * feat(db): allow passing registry options (#5226)
+  * chore(deps): Bump up defsec to v0.93.0 (#5253)
+  * refactor(purl): use TypeApk from purl (#5232)
+  * chore: enable more linters (#5228)
+  * ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
+  * Fix typo on ide.md (#5239)
+  * refactor: use defined types (#5225)
+  * fix(purl): skip local Go packages (#5190)
+  * docs: update info about license scanning in Yarn projects (#5207)
+  * ci: auto apply labels (#5200)
+  * fix link (#5203)
+  * fix(purl): handle rust types (#5186)
+  * chore: auto-close issues (#5177)
+  * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
+  * fix(k8s): kbom support addons labels (#5178)
+  * test: validate SPDX with the JSON schema (#5124)
+  * chore: bump trivy-kubernetes-latest (#5161)
+  * docs: add 'Signature Verification' guide (#4731)
+  * docs: add image-scanner-with-trivy for ecosystem (#5159)
+  * fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
+  * chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
+  * Update filtering.md (#5131)
+  * chore(deps): bump sigstore/cosign-installer (#5104)
+  * chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
+  * chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
+  * chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
+  * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
+  * chaging adopters discussion tempalte (#5091)
+  * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
+  * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
+  * chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)
+  * docs: add Bitnami (#5078)
+  * feat(docker): add support for scanning Bitnami components (#5062)
+  * feat: add support for .trivyignore.yaml (#5070)
+  * fix(terraform): improve detection of terraform files (#4984)
+  * feat: filter artifacts on --exclude-owned flag (#5059)
+  * fix(sbom): cyclonedx advisory should omit `null` value (#5041)
+  * build: maximize build space for build tests (#5072)
+  * feat: improve kbom component name (#5058)
+  * fix(pom): add licenses for pom artifacts (#5071)
+  * chore(deps): Update defsec to v0.92.0 (#5068)
+  * chore: bump Go to `1.20` (#5067)
+  * feat: PURL matching with qualifiers in OpenVEX (#5061)
+  * feat(java): add graph support for pom.xml (#4902)
+  * feat(swift): add vulns for cocoapods (#5037)
+  * fix: support image pull secret for additional workloads (#5052)
+  * fix: #5033 Superfluous double quote in html.tpl (#5036)
+  * docs(repo): update trivy repo usage and example (#5049)
+  * perf: Optimize Dockerfile for reduced layers and size (#5038)
+  * feat: scan K8s Resources Kind with --all-namespaces (#5043)
+  * fix: vulnerability typo (#5044)
+  * docs: adding a terraform tutorial to the docs (#3708)
+  * feat(report): add licenses to sarif format (#4866)
+  * feat(misconf): show the resource name in the report (#4806)
+  * chore: update alpine base images (#5015)
+  * feat: add Package.resolved swift files support (#4932)
+  * feat(nodejs): parse licenses in yarn projects (#4652)
+  * fix: k8s private registries support (#5021)
+  * bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
+  * feat(vuln): support last_affected field from osv (#4944)
+  * feat(server): add version endpoint (#4869)
+  * feat: k8s private registries support (#4987)
+  * fix(server): add indirect prop to package (#4974)
+  * docs: add coverage (#4954)
+  * feat(c): add location for lock file dependencies. (#4994)
+  * docs: adding blog post on ec2 (#4813)
+  * revert 32bit bins (#4977)
+  * chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917)
+
+-------------------------------------------------------------------
+Thu Aug 10 10:51:52 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.44.1:
+  * fix(report): return severity colors in table format (#4969)
+  * build: maximize available disk space for release (#4937)
+  * test(cli): Fix assertion helptext (#4966)
+  * chore(deps): Bump defsec to v0.91.1 (#4965)
+  * test: validate CycloneDX with the JSON schema (#4956)
+  * fix(server): add licenses to the Result message (#4955)
+  * fix(aws): resolve endpoint if endpoint is passed (#4925)
+  * fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)
+  * add only uniq deps in dependsOn (#4943)
+  * use testify instead of gotest.tools (#4946)
+  * fix(nodejs): do not detect lock file in node_modules as an app (#4949)
+  * bump go-dep-parser (#4936)
+  * chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914)
+  * chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912)
+  * test(aws): move part of unit tests to integration (#4884)
+  * docs(cli): update help string for file and dir skipping (#4872)
+  * chore(deps): bump sigstore/cosign-installer (#4910)
+  * chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916)
+  * chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918)
+  * chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913)
+  * chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915)
+  * docs: update the discussion template (#4928)
+
+-------------------------------------------------------------------
+Thu Aug 03 11:21:12 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.44.0:
+  * feat(repo): support local repositories (#4890)
+  * bump go-dep-parser (#4893)
+  * fix(misconf): add missing fields to proto (#4861)
+  * fix: remove trivy-db package replacement (#4877)
+  * chore(test): bump the integration test timeout to 15m (#4880)
+  * chore(deps): Update defsec to v0.91.0 (#4886)
+  * chore: update CODEOWNERS (#4871)
+  * feat(vuln): support vulnerability status (#4867)
+  * feat(misconf): Support custom URLs for policy bundle (#4834)
+  * refactor: replace with sortable packages (#4858)
+  * docs: correct license scanning sample command (#4855)
+  * fix(report): close the file (#4842)
+  * feat(nodejs): add support for include-dev-deps flag for yarn (#4812)
+  * feat(misconf): Add support for independently enabling libraries (#4070)
+  * feat(secret): add secret config file for cache calculation (#4837)
+  * Fix a link in gitlab-ci.md (#4850)
+  * fix(flag): use globalstar to skip directories (#4854)
+  * chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849)
+  * fix(license): using common way for splitting licenses (#4434)
+  * fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
+  * remove govulndb (#4783)
+  * fix(java): inherit licenses from parents (#4817)
+  * refactor: add allowed values for CLI flags (#4800)
+  * add example regex to allow rules (#4827)
+  * feat(misconf): Support custom data for rego policies for cloud (#4745)
+  * docs: correcting the trivy k8s tutorial (#4815)
+  * feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
+  * fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
+  * feat(misconf): enable --policy flag to accept directory and files both (#4777)
+  * feat(python): add license fields (#4722)
+  * fix: support trivy k8s-version on k8s sub-command (#4786)
+
+-------------------------------------------------------------------
+Thu Jul 13 08:47:12 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.43.1:
+  * chore(deps): Update defsec to v0.90.3 (#4793)
+  * chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752)
+  * chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748)
+  * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758)
+  * docs(image): fix the comment on the soft/hard link (#4740)
+  * check Type when filling pkgs in vulns (#4776)
+  * feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
+  * chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756)
+  * fix(rocky): add architectures support for advisories (#4691)
+  * chore(deps): bump github.com/opencontainers/image-spec (#4751)
+  * chore(deps): bump github.com/package-url/packageurl-go (#4754)
+  * chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750)
+  * chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755)
+  * chore(deps): bump github.com/testcontainers/testcontainers-go (#4759)
+  * fix: documentation about reseting trivy image (#4733)
+  * fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
+  * fix: update Amazon Linux 1 EOL (#4761)
+- drop eol-dates.patch (all upstream)
+
+-------------------------------------------------------------------
+Mon Jul 03 13:22:20 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.43.0:
+  * chore(deps): Update defsec to v0.90.1 (#4739)
+  * feat(nodejs): support yarn workspaces (#4664)
+  * feat(cli): add include-dev-deps flag (#4700)
+  * fix(image): pass the secret scanner option to scan the img config (#4735)
+  * fix: scan job pod it not found on k8s-1.27.x (#4729)
+  * feat(docker): add support for mTLS authentication when connecting to registry (#4649)
+  * chore(deps): Update defsec to v0.90.0 (#4723)
+  * fix: skip scanning the gpg-pubkey package (#4720)
+  * Fix http registry oci pull (#4701)
+  * feat(misconf): Support skipping services (#4686)
+  * docs: fix supported modes for pubspec.lock files (#4713)
+  * fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
+  * clarifying a dir path is required for custom policies (#4716)
+  * chore: update alpine base images (#4715)
+  * fix last-history-created (#4697)
+  * feat: kbom and cyclonedx v1.5 spec support (#4708)
+  * docs: add information about Aqua (#4590)
+  * fix: k8s escape resource filename on windows os (#4693)
+  * ci: ignore merge queue branches (#4696)
+  * chore(deps): bump actions/checkout from 2.4.0 to 3.5.3 (#4695)
+  * chore(deps): bump aquaproj/aqua-installer from 2.1.1 to 2.1.2 (#4694)
+  * feat: cyclondx sbom custom property support (#4688)
+  * ci: do not trigger tests in main (#4692)
+  * add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
+  * use group field for jar in cyclonedx (#4674)
+  * feat(java): capture licenses from pom.xml (#4681)
+  * feat(helm): make sessionAffinity configurable (#4623)
+  * fix: Show the correct URL of the secret scanning (#4682)
+  * document expected file pattern definition format (#4654)
+  * fix: format arg error (#4642)
+  * feat(k8s): cyclonedx kbom support (#4557)
+  * fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
+  * fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
+  * ci: update build IDs (#4641)
+  * fix(debian): update EOL for Debian 12 (#4647)
+  * chore(deps): bump go-containerregistry (#4639)
+  * chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
+  * fix(db): change argument order in Exists query for JavaDB (#4595)
+  * feat(aws): Add support to see successes in results (#4427)
+  * chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#4613)
+  * ci: do not trigger tests in main (#4614)
+  * chore(deps): bump sigstore/cosign-installer (#4609)
+  * chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1 to 2 (#4608)
+  * ci: bypass the required status checks (#4611)
+  * ci: support merge queue (#3652)
+  * ci: matrix build for testing (#4587)
+  * feat: trivy k8s private registry support (#4567)
+  * docs: add general coverage page (#3859)
+  * chore: create SECURITY.md (#4601)
+
+-------------------------------------------------------------------
+Fri Jun 30 15:06:47 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- add eol-dates.patch to list SLE/Leap 15.5
+
+-------------------------------------------------------------------
+Thu Jun 22 08:39:30 UTC 2023 - Dirk Müller <dmueller@suse.com>
+
+- add NOTICE to doc
+
 -------------------------------------------------------------------
 Mon Jun 12 07:56:25 UTC 2023 - dmueller@suse.com
 

trivy.spec

@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.42.1
+Version:        0.47.0
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -27,7 +27,7 @@ Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.19
+BuildRequires:  golang(API) = 1.20
 Requires:       ca-certificates
 Requires:       git-core
 Requires:       rpm
@@ -43,7 +43,7 @@ scan. All you need to do for scanning is to specify a target such as an image
 name of the container.
 
 %prep
-%setup -qa1
+%autosetup -p1 -a1
 
 %build
 export CGO_ENABLED=1
@@ -54,7 +54,7 @@ install -D -m 755 trivy %{buildroot}/%{_bindir}/%{name}
 
 %files
 %license LICENSE
-%doc README.md
+%doc NOTICE README.md
 %{_bindir}/%{name}
 
 %changelog