trivy/trivy.changes

-------------------------------------------------------------------
Thu Aug 01 12:24:35 UTC 2024 - dmueller@suse.com
- Update to version 0.54.1:
* release: v0.54.1 [release/v0.54] (#7282)
* fix(flag): incorrect behavior for deprecated flag `--clear-cache` [backport: release/v0.54] (#7285)
* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
* release: v0.54.0 [main] (#7075)
* docs: update ecosystem page reporting with plopsec.com app (#7262)
* chore(deps): bump google.golang.org/grpc from 1.64.0 to 1.64.1 (#7136)
* feat(vex): retrieve VEX attestations from OCI registries (#7249)
* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)
* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)
* fix(java): avoid panic if deps from `pom` in `it` dir are not found (#7245)
* chore: show VEX notice for OSS maintainers in CI environments (#7246)
* feat(vuln): add `--pkg-relationships` (#7237)
* docs: show VEX cli pages + update config file page for VEX flags (#7244)
* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)
* chore(deps): bump the common group across 1 directory with 17 updates (#7230)
* feat(vex): VEX Repository support (#7206)
* fix(secret): skip regular strings contain secret patterns (#7182)
* feat: share built-in rules (#7207)
* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
* fix(cli): error on missing config file (#7154)
* fix(secret): update length of `hugging-face-access-token` (#7216)
* feat(sbom): add vulnerability support for SPDX formats (#7213)
* ci: use free runner for all tests except `build tests` (#7215)
* chore(deps): bump the docker group across 1 directory with 2 updates (#7208)
* fix(secret): trim excessively long lines (#7192)
* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
* fix(server): pass license categories to options (#7203)
* feat(mariner): Add support for Azure Linux (#7186)
* docs: updates config file (#7188)
* refactor(fs): remove unused field for CompositeFS (#7195)
* fix(dotnet): don't include non-runtime libraries into report for `*.deps.json` files (#7039)
* chore(deps): bump goreleaser from `v2.0.0` to `v2.1.0` (#7162)
* fix: add missing platform and type to spec (#7149)
* chore(deps): bump the aws group with 6 updates (#7166)
* feat(misconf): enabled China configuration for ACRs (#7156)
* fix: close file when failed to open gzip (#7164)
* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
* docs(misconf): add info about limitations for terraform plan json (#7143)
* chore: add VEX for Trivy images (#7140)
* chore(deps): bump the common group across 1 directory with 7 updates (#7125)
* chore: add VEX document and generator for Trivy (#7128)
* fix(misconf): do not evaluate TF when a load error occurs (#7109)
* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
* refactor(secret): move warning about file size after `IsBinary` check (#7123)
* chore(deps): bump the docker group with 2 updates (#7116)
* feat: add openSUSE tumbleweed detection and scanning (#6965)
* test: add missing advisory details for integration tests database (#7122)
* fix: Add dependencyManagement exclusions to the child exclusions (#6969)
* chore(deps): bump the aws group with 4 updates (#7115)
* fix: ignore nodes when listing permission is not allowed (#7107)
* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
* refactor(secret): add warning about large files (#7085)
* feat(nodejs): add license parser to pnpm analyser (#7036)
* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
* feat: add `log.FilePath()` function for logger (#7080)
* chore: bump golangci-lint from v1.58 to v1.59 (#7077)
* chore(deps): bump the common group across 1 directory with 23 updates (#7066)
* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)
* refactor: pass DB dir to trivy-db (#7057)
* docs: navigate to the release highlights and summary (#7072)
* chore(deps): bump the github-actions group with 2 updates (#7067)
- drop add-opensuse-tumbleweed-db.patch,
add-opensuse-tumbleweed-support.patch: merged upstream
-------------------------------------------------------------------
Thu Jul 25 09:40:25 UTC 2024 - Dirk Müller <dmueller@suse.com>
- refresh add-opensuse-tumbleweed-support.patch
-------------------------------------------------------------------
Thu Jul 11 15:31:03 UTC 2024 - dmueller@suse.com
- Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):
* release: v0.53.0 [main] (#6855)
* feat(conda): add licenses support for `environment.yml` files (#6953)
* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
* feat: add memory cache backend (#7048)
* fix(sbom): use package UIDs for uniqueness (#7042)
* feat(php): add installed.json file support (#4865)
* docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
* fix: use embedded when command path not found (#7037)
* chore(deps): bump trivy-kubernetes version (#7012)
* refactor: use google/wire for cache (#7024)
* fix(cli): show info message only when --scanners is available (#7032)
* chore: enable float-compare rule from testifylint (#6967)
* docs: Add sudo on commands, chmod before mv on install docs (#7009)
* fix(plugin): respect `--insecure` (#7022)
* feat(k8s)!: node-collector dynamic commands support (#6861)
* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#7018)
* feat!: add clean subcommand (#6993)
* chore: use `!` for breaking changes (#6994)
* feat(aws)!: Remove aws subcommand (#6995)
* refactor: replace global cache directory with parameter passing (#6986)
* fix(sbom): use `purl` for `bitnami` pkg names (#6982)
* chore: bump Go toolchain version (#6984)
* refactor: unify cache implementations (#6977)
* docs: non-packaged and sbom clarifications (#6975)
* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)
* docs: delete unknown URL (#6972)
* refactor: use version-specific URLs for documentation references (#6966)
* refactor: delete db mock (#6940)
* ci: add depguard (#6963)
* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
* feat: Add local ImageID to SARIF metadata (#6522)
* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)
* fix(purl): add missed os types (#6955)
* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)
* fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)
* ci: correctly handle categories (#6943)
* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)
* fix(misconf): handle source prefix to ignore (#6945)
* fix(misconf): fix parsing of engine links and frameworks (#6937)
* feat(misconf): support of selectors for all providers for Rego (#6905)
* ci: don't run `tests` for `release-please` PRs (#6936)
* fix(license): return license separation using separators `,`, `or`, etc. (#6916)
* ci: use `ubuntu-latest-m` runner (#6918)
* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
* BREAKING(misconf): flatten recursive types (#6862)
* ci: move triage workflow yaml under .github/workflows (#6895)
* ci: add `trivy` group for `dependabot` (#6908)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 (#6910)
* test: bump docker API to 1.45 (#6914)
* feat(sbom): migrate to `CycloneDX v1.6` (#6903)
* chore(deps): bump the aws group with 8 updates (#6898)
* ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` (#6887)
* feat(image): Set User-Agent header for Trivy container registry requests (#6868)
* fix(debian): take installed files from the origin layer (#6849)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)
* feat(misconf): API Gateway V1 support for CloudFormation (#6874)
* ci: add created release branch to `rulesets` to enable merge queue (#6880)
* feat(plugin): add support for nested archives (#6845)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)
* fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)
* ci: use author permission check instead of `author_association` field for backport workflow (#6870)
* chore: auto label discussions (#5259)
* docs: explain how VEX is applied (#6864)
* ci: automate backporting process (#6781)
* ci: create release branch (#6859)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
* feat(dart): use first version of constraint for dependencies using SDK version (#6239)
* fix(misconf): parsing numbers without fraction as int (#6834)
* fix(misconf): fix caching of modules in subdirectories (#6814)
* feat(misconf): add metadata to Cloud schema (#6831)
* chore(deps): bump the aws group across 1 directory with 7 updates (#6837)
* chore(deps): bump the common group with 5 updates (#6842)
* test: replace embedded Git repository with dynamically created repository (#6824)
-------------------------------------------------------------------
Wed Jun 19 15:58:20 UTC 2024 - dmueller@suse.com
- Update to version 0.52.2:
* release: v0.52.2 [release/v0.52] (#6896)
* ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
* test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
* ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)
- add add-opensuse-tumbleweed-db.patch,
add-opensuse-tumbleweed-support.patch: patches for tumbleweed
support
-------------------------------------------------------------------
Wed Jun 12 14:19:45 UTC 2024 - dmueller@suse.com
- Update to version 0.52.1:
* release: v0.52.1 [release/v0.52] (#6877)
* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
* docs: explain how VEX is applied (#6864)
* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
-------------------------------------------------------------------
Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com
- Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):
* release: v0.52.0 [main] (#6809)
* fix(plugin): initialize logger (#6836)
* chore(deps): bump alpine from 3.19.1 to 3.20.0 in the docker group (#6835)
* fix(cli): always output fatal errors to stderr (#6827)
* fix: close testfile (#6830)
* docs(julia): add scanner table (#6826)
* feat(python): add license support for `requirement.txt` files (#6782)
* docs: add more workarounds for out-of-disk (#6821)
* chore: improve error message for image not found (#6822)
* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)
* ci(deps): use modules instead of incompatible version (#6805)
* ci: set initial version to v0.51.1 (#6810)
* ci: replace PAT with ORG_REPO_TOKEN (#6806)
* chore(deps): bump the common group with 3 updates (#6789)
* fix: clean up golangci lint configuration (#6797)
* ci: introduce Release Please for automated release management (#6795)
* fix(python): add package name and version validation for `requirements.txt` files. (#6804)
* feat(vex): improve relationship support in CSAF VEX (#6735)
* chore(alpine): add eol date for Alpine 3.20 (#6800)
* docs(plugin): add missed `plugin` section (#6799)
* fix: include packages unless it is not needed (#6765)
* ci(deps): fix ineffassign and bodyclose in ".*_test.go$" (#6777)
* chore(deps): Bump trivy-aws and trivy-checks (#6796)
* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
* ci(deps): fix govet in ".*_test.go$" (#6736)
* ci(deps): simplify gosec rules exclusion (#6778)
* chore: replace interface{} with any (#6751)
* fix: close settings.xml (#6768)
* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)
* ci(deps): fix gocritic in ".*_test.go$" (#6763)
* build: use main package instead of main.go (#6766)
* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
* chore(deps): bump the common group across 1 directory with 29 updates (#6756)
* ci(deps): fix tenv in ".*_test.go$" (#6748)
* chore(deps): bump the aws group with 8 updates (#6738)
* chore(deps): bump the docker group with 2 updates (#6739)
* chore(deps): bump the github-actions group with 4 updates (#6737)
* chore(deps): bump the testcontainers group with 2 updates (#6740)
* docs: add info on adding compliance checks (#6275)
* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
* ci: add groups for `dependabot` (#6734)
* ci(deps): fix gci and gofmt in ".*_test.go$" (#6721)
* feat(nodejs): add v9 pnpm lock file support (#6617)
* feat(vex): support non-root components for products in OpenVEX (#6728)
* feat(python): add line number support for `requirement.txt` files (#6729)
* chore: respect timeout value in .golangci.yaml (#6724)
* ci(deps): enable `require-error` rule from `testifylint` linter (#6718)
* chore(deps): bump golangci-lint to v1.58.2 (#6719)
* fix: node-collector high and critical cves (#6707)
* Merge pull request from GHSA-xcq4-m2r3-cmrj
* chore: auto-bump golang patch versions (#6711)
* fix(misconf): don't shift ignore rule related to code (#6708)
* feat(plugin): specify plugin version (#6683)
* chore: enforce golangci-lint version (#6700)
* ci(deps): update golangci-lint-action and enable testifylint linter on "integration/*" (#6706)
* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)
* fix(go): add only non-empty root modules for `gobinaries` (#6710)
* refactor: unify package addition and vulnerability scanning (#6579)
* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
* ci(deps): enable testifylint linter on .*_test.go$ (#6688)
* feat(misconf): Add support for deprecating a check (#6664)
* chore(deps): use `google.golang.org/protobuf/types/known` instead of `github.com/golang/protobuf/ptypes` (#6681)
* feat: Add Julia language analyzer support (#5635)
* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
* fix(report): hide empty tables if all vulns has been filtered (#6352)
* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
* feat: add support for plugin index (#6674)
* fix(conda): add support `pip` deps for `environment.yml` files (#6675)
* docs: add support table for client server mode (#6498)
* fix: close APKINDEX archive file (#6672)
* fix(misconf): skip Rego errors with a nil location (#6666)
* refactor: move artifact types under artifact package to avoid import cycles (#6652)
* refactor(misconf): remove extrafs (#6656)
* refactor: re-define module structs for serialization (#6655)
* chore(misconf): Clean up iac logger (#6642)
* feat(misconf): support symlinks inside of Helm archives (#6621)
* feat(misconf): add Terraform 'removed' block to schema (#6640)
* refactor: unify Library and Package structs (#6633)
* fix: use of specified context to obtain cluster name (#6645)
* perf(misconf): parse rego input once (#6615)
* fix(misconf): skip Rego errors with a nil location (#6638)
* ci: add `generic` dir to deb deploy script (#6636)
* docs: link warning to both timeout config options (#6620)
* docs: fix usage of image-config-scanners (#6635)
* chore(deps): bump `knqyf263/trivy-issue-action` to v0.0.6 (#6632)
-------------------------------------------------------------------
Thu May 09 13:21:53 UTC 2024 - dmueller@suse.com
- Update to version 0.51.1:
* fix(fs): handle default skip dirs properly (#6628)
* fix(misconf): load cached tf modules (#6607)
* fix(misconf): do not use semver for parsing tf module versions (#6614)
* refactor: move setting scanners when using compliance reports to flag parsing (#6619)
* feat: introduce package UIDs for improved vulnerability mapping (#6583)
* perf(misconf): Improve cause performance (#6586)
* docs: trivy-k8s new experience remove un-used section (#6608)
* chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
* docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
* feat(misconf): Use updated terminology for misconfiguration checks (#6476)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
* docs: use `generic` link from `trivy-repo` (#6606)
* docs: update trivy k8s with new experience (#6465)
* feat: support `--skip-images` scanning flag (#6334)
* BREAKING: add support for k8s `disable-node-collector` flag (#6311)
* chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
* chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
* chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
* chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
* chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
* chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
* feat: add ubuntu 23.10 and 24.04 support (#6573)
* chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
* chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598)
* docs(go): add stdlib (#6580)
* chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592)
* chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600)
* feat(go): parse main mod version from build info settings (#6564)
* feat: respect custom exit code from plugin (#6584)
* docs: add asdf and mise installation method (#6063)
* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
* feat: add support `environment.yaml` files (#6569)
* fix: close plugin.yaml (#6577)
* fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
* feat(go): add main module (#6574)
* feat: add relationships (#6563)
* ci: disable `Go` cache for `reusable-release.yaml` (#6572)
* docs: mention `--show-suppressed` is available in table (#6571)
* chore: fix sqlite to support loong64 (#6511)
* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
* docs: update info about config file (#6547)
* docs: remove RELEASE_VERSION from trivy.repo (#6546)
* fix(sbom): change error to warning for multiple OSes (#6541)
* fix(vuln): skip empty versions (#6542)
* feat(c): add license support for conan lock files (#6329)
* fix(terraform): Attribute and fileset fixes (#6544)
* refactor: change warning if no vulnerability details are found (#6230)
* refactor(misconf): improve error handling in the Rego scanner (#6527)
* ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533)
* feat(go): parse main module of go binary files (#6530)
* chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526)
* refactor(misconf): simplify the retrieval of module annotations (#6528)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523)
* docs(nodejs): add info about supported versions of pnpm lock files (#6510)
* feat(misconf): loading embedded checks as a fallback (#6502)
* fix(misconf): Parse JSON k8s manifests properly (#6490)
* refactor: remove parallel walk (#5180)
* fix: close pom.xml (#6507)
* fix(secret): convert severity for custom rules (#6500)
* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
* fix: typo (#6283)
* docs(k8s,image): fix command-line syntax issues (#6403)
* chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435)
* fix(misconf): avoid panic if the scheme is not valid (#6496)
* feat(image): goversion as stdlib (#6277)
* fix: add color for error inside of log message (#6493)
* chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438)
* docs: fix links to OPA docs (#6480)
* refactor: replace zap with slog (#6466)
* docs: update links to IaC schemas (#6477)
* chore: bump Go to 1.22 (#6075)
* refactor(terraform): sync funcs with Terraform (#6415)
* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426)
* chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430)
* chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437)
* fix(terraform): eval submodules (#6411)
* refactor(terraform): remove unused options (#6446)
* refactor(terraform): remove unused file (#6445)
* chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427)
* fix(misconf): Escape template value correctly (#6292)
* feat(misconf): add support for wildcard ignores (#6414)
* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
* refactor(terraform): remove metrics collection (#6444)
* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428)
* chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429)
* fix(db): check schema version for image name only (#6410)
* chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433)
* chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436)
* feat(misconf): Support private registries for misconf check bundle (#6327)
* feat(cloudformation): inline ignore support for YAML templates (#6358)
* feat(terraform): ignore resources by nested attributes (#6302)
* perf(helm): load in-memory files (#6383)
* feat(aws): apply filter options to result (#6367)
* feat(aws): quiet flag support (#6331)
* fix(misconf): clear location URI for SARIF (#6405)
* test(cloudformation): add CF tests (#6315)
* fix(cloudformation): infer type after resolving a function (#6406)
* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
* fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356)
* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
* fix: use `0600` perms for tmp files for post analyzers (#6386)
* fix(helm): scan the subcharts once (#6382)
* docs(terraform): add file patterns for Terraform Plan (#6393)
* fix(terraform): checking SSE encryption algorithm validity (#6341)
* fix(java): parse modules from `pom.xml` files once (#6312)
* chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364)
* fix(server): add Locations for `Packages` in client/server mode (#6366)
* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
* fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
* chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321)
* feat(java): add support licenses and graph for gradle lock files (#6140)
* feat(vex): consider root component for relationships (#6313)
* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
* chore: updates wazero to v1.7.0 (#6301)
* feat(sbom): Support license detection for SBOM scan (#6072)
* refactor(sbom): use intermediate representation for SPDX (#6310)
* docs(terraform): improve documentation for filtering by inline comments (#6284)
* fix(terraform): fix policy document retrieval (#6276)
* refactor(terraform): remove unused custom error (#6303)
* refactor(sbom): add intermediate representation for BOM (#6240)
* fix(amazon): check only major version of AL to find advisories (#6295)
* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
* fix(nodejs): add name validation for package name from `package.json` (#6268)
* docs: Added install instructions for FreeBSD (#6293)
* feat(image): customer podman host or socket option (#6256)
* chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290)
* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
* fix(license): reorder logic of how python package licenses are acquired (#6220)
* test(terraform): skip cached modules (#6281)
* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
* fix(cloudformation): support of all SSE algorithms for s3 (#6270)
* feat(terraform): Terraform Plan snapshot scanning support (#6176)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249)
* fix: typo function name and comment optimization (#6200)
* fix(java): don't ignore runtime scope for pom.xml files (#6223)
* chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242)
* chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251)
* chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253)
* chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250)
* chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247)
* chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246)
* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
* chore(deps): Upgrade iac deps (#6255)
* feat: add info log message about dev deps suppression (#6211)
* test(k8s): use test-db for k8s integration tests (#6222)
* ci: add maximize-build-space for `Test` job (#6221)
* fix(terraform): fix root module search (#6160)
* test(parser): squash test data for yarn (#6203)
* fix(terraform): do not re-expand dynamic blocks (#6151)
* docs: update ecosystem page reporting with db app (#6201)
* fix: k8s summary separate infra and user finding results (#6120)
* fix: add context to target finding on k8s table view (#6099)
* fix: Printf format err (#6198)
* refactor: better integration of the parser into Trivy (#6183)
* chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189)
* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
* fix(vex): CSAF filtering should consider relationships (#5923)
* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
* feat(vuln): ignore vulnerabilities by PURL (#6178)
* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
* feat(k8s): rancher rke2 version support (#5988)
* docs: update kbom distribution for scanning (#6019)
* chore: update CODEOWNERS (#6173)
* fix(swift): try to use branch to resolve version (#6168)
* fix(terraform): ensure consistent path handling across OS (#6161)
* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
* fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
* chore(deps): merge go-dep-parser into Trivy (#6094)
* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
* docs: update template path for gitlab-ci tutorial (#6144)
* feat(report): support for filtering licenses and secrets via rego policy files (#6004)
* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
* refactor(deps): Merge defsec into trivy (#6109)
* chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142)
* docs: add SecObserve in CI/CD and reporting (#6139)
* fix(alpine): exclude empty licenses for apk packages (#6130)
* docs: add docs tutorial on custom policies with rego (#6104)
* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
* feat(vuln): show suppressed vulnerabilities in table (#6084)
* docs: rename governance to principles (#6107)
* docs: add governance (#6090)
* refactor(deps): Merge trivy-iac into Trivy (#6005)
* feat(java): add dependency location support for `gradle` files (#6083)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038)
* fix(misconf): get `user` from `Config.User` (#6070)
-------------------------------------------------------------------
Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com
- Update to version 0.49.1:
* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
* docs: Fix broken link to "pronunciation" (#6057)
* chore(deps): bump actions/upload-artifact from 3 to 4 (#6047)
* chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#6042)
* chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#6043)
* ci: reduce `root-reserve-mb` size for `maximize-build-space` (#6064)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#6041)
* chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#6039)
* fix: fix cursor usage in Redis Clear function (#6056)
* chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#6037)
* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
* chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#6046)
* chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#6044)
* chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#6048)
* test: fix flaky `TestDockerEngine` (#6054)
* chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#6040)
* chore(deps): bump easimon/maximize-build-space from 9 to 10 (#6049)
* chore(deps): bump alpine from 3.19.0 to 3.19.1 (#6051)
* chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#6028)
* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
* chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#6029)
* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
* docs: add note about Bun (#6001)
* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
* fix: check returned error before deferring f.Close() (#6007)
* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
* feat(vuln): enable `--vex` for all targets (#5992)
* docs: update link to data sources (#6000)
* feat(java): add support for line numbers for pom.xml files (#5991)
* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
* docs: Update troubleshooting guide with image not found error (#5983)
* style: update band logos (#5968)
* chore(deps): Update misconfig deps (#5956)
* docs: update cosign tutorial and commands, update kyverno policy (#5929)
* docs: update command to scan go binary (#5969)
* fix: handle non-parsable images names (#5965)
* chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#5693)
* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
* fix(alpine): Add EOL support for alpine 3.19. (#5938)
* feat: allow end-users to adjust K8S client QPS and burst (#5910)
* chore(deps): bump go-ebs-file (#5934)
* fix(nodejs): find licenses for packages with slash (#5836)
* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
* fix: ignore no init containers (#5939)
* docs: Fix documentation of ecosystem (#5940)
* docs(misconf): multiple ignores in comment (#5926)
* fix(secret): find aws secrets ending with a comma or dot (#5921)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#5885)
* docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
* fix(java): don't remove excluded deps from upper pom's (#5838)
* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
* feat(vex): add PURL matching for CSAF VEX (#5890)
* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
* revert(report): don't escape new line characters for sarif format (#5897)
* docs: improve filter by rego (#5402)
* chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#5892)
* docs: add_scan2html_to_trivy_ecosystem (#5875)
* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
* feat(vex): Add support for CSAF format (#5535)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#5880)
* chore(deps): bump actions/setup-go from 4 to 5 (#5845)
* chore(deps): bump actions/stale from 8 to 9 (#5846)
* chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#5853)
* chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#5847)
* chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#5854)
* chore(deps): bump alpine from 3.18.5 to 3.19.0 (#5849)
* chore(deps): bump actions/setup-python from 4 to 5 (#5848)
* feat(python): parse licenses from dist-info folder (#4724)
* chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#5852)
* feat(nodejs): add yarn alias support (#5818)
* chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#5850)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#5856)
* chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#5855)
* refactor: propagate time through context values (#5858)
* refactor: move PkgRef under PkgIdentifier (#5831)
* fix(cyclonedx): fix unmarshal for licenses (#5828)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#5830)
* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (#5822)
* chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#5809)
* chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#5805)
-------------------------------------------------------------------
Tue Dec 19 14:18:46 UTC 2023 - dmueller@suse.com
- Update to version 0.48.1:
* chore(deps): bump trivy-iac to v0.7.1 (#5797)
* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
* refactor(sbom): disable html escaping for CycloneDX (#5764)
* refactor(purl): use `pub` from `package-url` (#5784)
* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
* fix(report): use OS information for OS packages purl in `github` template (#5783)
* fix(report): fix error if misconfigs are empty (#5782)
* refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
* fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
* fix(report): update Gitlab template (#5721)
* feat(secret): add support of GitHub fine-grained tokens (#5740)
* fix(misconf): add an image misconf to result (#5731)
* feat(secret): added support of Docker registry credentials (#5720)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701)
-------------------------------------------------------------------
Wed Dec 06 10:00:18 UTC 2023 - dmueller@suse.com
- Update to version 0.48.0:
* chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696)
* chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694)
* feat: filter k8s core components vuln results (#5713)
* feat(vuln): remove duplicates in Fixed Version (#5596)
* feat(report): output plugin (#4863)
* chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700)
* chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699)
* chore(deps): bump actions/github-script from 6 to 7 (#5697)
* chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695)
* docs: typo in modules.md (#5712)
* feat: Add flag to configure node-collector image ref (#5710)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706)
* feat(misconf): Add `--misconfig-scanners` option (#5670)
* chore: bump Go to 1.21 (#5662)
* feat: Packagesprops support (#5605)
* chore(deps): Bump up trivy misconf deps (#5656)
* docs: update adopters discussion template (#5632)
* docs: terraform tutorial links updated to point to correct loc (#5661)
* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
* docs: Update Arch Linux package URL in installation.md (#5619)
* chore: add prefix to image errors (#5601)
* docs(vuln): fix link anchor (#5606)
* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
* fix: k8s friendly error messages kbom non cluster scans (#5594)
* feat: set InstalledFiles for DEB and RPM packages (#5488)
* fix(report): use time.Time for CreatedAt (#5598)
* test: retry containerd initialization (#5597)
* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
* test: mock VM walker (#5589)
* chore: bump node-collector v0.0.9 (#5591)
* feat(misconf): Add support for `--cf-params` for CFT (#5507)
* feat(flag): replace '--slow' with '--parallel' (#5572)
* fix(report): add escaping for Sarif format (#5568)
* chore: show a deprecation notice for `--scanners config` (#5587)
* feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
* test: mock RPM DB (#5567)
* feat: add aliases to '--scanners' (#5558)
* refactor: reintroduce output writer (#5564)
* chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543)
* chore: not load plugins for auto-generating docs (#5569)
* chore: sort supported AWS services (#5570)
* fix: no schedule toleration (#5562)
* fix(cli): set correct `scanners` for `k8s` target (#5561)
* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
* refactor(misconf): Update refactored dependencies (#5245)
* feat(secret): add built-in rule for JWT tokens (#5480)
* fix: trivy k8s parse ecr image with arn (#5537)
* fix: fail k8s resource scanning (#5529)
* refactor(misconf): don't remove Highlighted in json format (#5531)
* docs(k8s): fix link in kubernetes.md (#5524)
* docs(k8s): fix whitespace in list syntax (#5525)
-------------------------------------------------------------------
Tue Nov 07 12:24:51 UTC 2023 - dmueller@suse.com
- Update to version 0.47.0:
* docs: add info that license scanning supports file-patterns flag (#5484)
* docs: add Zora integration into Ecosystem session (#5490)
* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
* ci: use maximize build space for K8s tests (#5387)
* fix: correct error mismatch causing race in fast walks (#5516)
* docs: k8s vulnerability scanning (#5515)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
* docs: remove glad for java datasources (#5508)
* chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
* chore: remove unused logger attribute in amazon detector (#5476)
* fix: correct error mismatch causing race in fast walks (#5482)
* chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
* chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
* chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
* fix(server): add licenses to `BlobInfo` message (#5382)
* chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
* feat: scan vulns on k8s core component apps (#5418)
* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
* chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
* fix(sbom): save digests for package/application when scanning SBOM files (#5432)
* docs: fix the broken link (#5454)
* docs: fix error when installing `PyYAML` for gh pages (#5462)
* fix(java): download java-db once (#5442)
* chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
* feat(misconf): Support `--ignore-policy` in config scans (#5359)
* docs(misconf): fix broken table for `Use container image` section (#5425)
* feat(dart): add graph support (#5374)
* refactor: define a new struct for scan targets (#5397)
* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
* chore(deps): move to aws-sdk-go-v2 (#5381)
* docs: remove --scanners none (#5384)
* docs: Update container_image.md #5182 (#5193)
* feat(report): Add `InstalledFiles` field to Package (#4706)
* feat(k8s): add support for vulnerability detection (#5268)
* fix(python): override BOM in `requirements.txt` files (#5375)
* docs: add kbom documentation (#5363)
* test: use maximize build space for VM tests (#5362)
* chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
* fix(report): add escaping quotes in misconfig Title for asff template (#5351)
* ci: add workflow to check Go versions of dependencies (#5340)
* chore(deps): Upgrade defsec to v0.93.1 (#5348)
* chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
* fix: add config files to FS for post-analyzers (#5333)
* fix: fix MIME warnings after updating to Go 1.20 (#5336)
* build: fix a compile error with Go 1.21 (#5339)
* feat: added `Metadata` into the k8s resource's scan report (#5322)
* ci: check only PR's in `actions/stale` (#5337)
* chore: update adopters template (#5330)
* ci: do not trigger tests on the push event (#5313)
* fix(sbom): use PURL or Group and Name in case of Java (#5154)
* docs: add buildkite repository to ecosystem page (#5316)
* chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
* chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
* chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
* chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
* chore: enable go-critic (#5302)
* chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
* close java-db client (#5273)
* chore(deps): bump docker/login-action from 2 to 3 (#5291)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
* chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
* chore(deps): bump github.com/opencontainers/image-spec (#5295)
* fix(report): removes git::http from uri in sarif (#5244)
* Improve the meaning of sentence (#5301)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
* chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
* add app nil check (#5274)
* typo: in secret.md (#5281)
* docs: add info about `github` format (#5265)
* feat(dotnet): add license support for NuGet (#5217)
* docs: correctly export variables (#5260)
* chore: Add line numbers for lint output (#5247)
* chore(cli): disable java-db flags in server mode (#5263)
* feat(db): allow passing registry options (#5226)
* chore(deps): Bump up defsec to v0.93.0 (#5253)
* refactor(purl): use TypeApk from purl (#5232)
* chore: enable more linters (#5228)
* ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
* Fix typo on ide.md (#5239)
* refactor: use defined types (#5225)
* fix(purl): skip local Go packages (#5190)
* docs: update info about license scanning in Yarn projects (#5207)
* ci: auto apply labels (#5200)
* fix link (#5203)
* fix(purl): handle rust types (#5186)
* chore: auto-close issues (#5177)
* chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
* fix(k8s): kbom support addons labels (#5178)
* test: validate SPDX with the JSON schema (#5124)
* chore: bump trivy-kubernetes-latest (#5161)
* docs: add 'Signature Verification' guide (#4731)
* docs: add image-scanner-with-trivy for ecosystem (#5159)
* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
* Update filtering.md (#5131)
* chore(deps): bump sigstore/cosign-installer (#5104)
* chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
* chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
* chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
* chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
* changing adopters discussion template (#5091)
* chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
* chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
* chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)
* docs: add Bitnami (#5078)
* feat(docker): add support for scanning Bitnami components (#5062)
* feat: add support for .trivyignore.yaml (#5070)
* fix(terraform): improve detection of terraform files (#4984)
* feat: filter artifacts on --exclude-owned flag (#5059)
* fix(sbom): cyclonedx advisory should omit `null` value (#5041)
* build: maximize build space for build tests (#5072)
* feat: improve kbom component name (#5058)
* fix(pom): add licenses for pom artifacts (#5071)
* chore(deps): Update defsec to v0.92.0 (#5068)
* chore: bump Go to `1.20` (#5067)
* feat: PURL matching with qualifiers in OpenVEX (#5061)
* feat(java): add graph support for pom.xml (#4902)
* feat(swift): add vulns for cocoapods (#5037)
* fix: support image pull secret for additional workloads (#5052)
* fix: #5033 Superfluous double quote in html.tpl (#5036)
* docs(repo): update trivy repo usage and example (#5049)
* perf: Optimize Dockerfile for reduced layers and size (#5038)
* feat: scan K8s Resources Kind with --all-namespaces (#5043)
* fix: vulnerability typo (#5044)
* docs: adding a terraform tutorial to the docs (#3708)
* feat(report): add licenses to sarif format (#4866)
* feat(misconf): show the resource name in the report (#4806)
* chore: update alpine base images (#5015)
* feat: add Package.resolved swift files support (#4932)
* feat(nodejs): parse licenses in yarn projects (#4652)
* fix: k8s private registries support (#5021)
* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
* feat(vuln): support last_affected field from osv (#4944)
* feat(server): add version endpoint (#4869)
* feat: k8s private registries support (#4987)
* fix(server): add indirect prop to package (#4974)
* docs: add coverage (#4954)
* feat(c): add location for lock file dependencies. (#4994)
* docs: adding blog post on ec2 (#4813)
* revert 32bit bins (#4977)
* chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917)
-------------------------------------------------------------------
Thu Aug 10 10:51:52 UTC 2023 - dmueller@suse.com
- Update to version 0.44.1:
* fix(report): return severity colors in table format (#4969)
* build: maximize available disk space for release (#4937)
* test(cli): Fix assertion helptext (#4966)
* chore(deps): Bump defsec to v0.91.1 (#4965)
* test: validate CycloneDX with the JSON schema (#4956)
* fix(server): add licenses to the Result message (#4955)
* fix(aws): resolve endpoint if endpoint is passed (#4925)
* fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)
* add only uniq deps in dependsOn (#4943)
* use testify instead of gotest.tools (#4946)
* fix(nodejs): do not detect lock file in node_modules as an app (#4949)
* bump go-dep-parser (#4936)
* chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914)
* chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909)
* chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912)
* test(aws): move part of unit tests to integration (#4884)
* docs(cli): update help string for file and dir skipping (#4872)
* chore(deps): bump sigstore/cosign-installer (#4910)
* chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916)
* chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918)
* chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913)
* chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915)
* docs: update the discussion template (#4928)
-------------------------------------------------------------------
Thu Aug 03 11:21:12 UTC 2023 - dmueller@suse.com
- Update to version 0.44.0:
* feat(repo): support local repositories (#4890)
* bump go-dep-parser (#4893)
* fix(misconf): add missing fields to proto (#4861)
* fix: remove trivy-db package replacement (#4877)
* chore(test): bump the integration test timeout to 15m (#4880)
* chore(deps): Update defsec to v0.91.0 (#4886)
* chore: update CODEOWNERS (#4871)
* feat(vuln): support vulnerability status (#4867)
* feat(misconf): Support custom URLs for policy bundle (#4834)
* refactor: replace with sortable packages (#4858)
* docs: correct license scanning sample command (#4855)
* fix(report): close the file (#4842)
* feat(nodejs): add support for include-dev-deps flag for yarn (#4812)
* feat(misconf): Add support for independently enabling libraries (#4070)
* feat(secret): add secret config file for cache calculation (#4837)
* Fix a link in gitlab-ci.md (#4850)
* fix(flag): use globalstar to skip directories (#4854)
* chore(deps): bump github.com/docker/docker from v23.0.5+incompatible to v23.0.7-0.20230714215826-f00e7af96042+incompatible (#4849)
* fix(license): using common way for splitting licenses (#4434)
* fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
* remove govulndb (#4783)
* fix(java): inherit licenses from parents (#4817)
* refactor: add allowed values for CLI flags (#4800)
* add example regex to allow rules (#4827)
* feat(misconf): Support custom data for rego policies for cloud (#4745)
* docs: correcting the trivy k8s tutorial (#4815)
* feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
* fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
* feat(misconf): enable --policy flag to accept directory and files both (#4777)
* feat(python): add license fields (#4722)
* fix: support trivy k8s-version on k8s sub-command (#4786)
-------------------------------------------------------------------
Thu Jul 13 08:47:12 UTC 2023 - dmueller@suse.com
- Update to version 0.43.1:
* chore(deps): Update defsec to v0.90.3 (#4793)
* chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752)
* chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758)
* docs(image): fix the comment on the soft/hard link (#4740)
* check Type when filling pkgs in vulns (#4776)
* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
* chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756)
* fix(rocky): add architectures support for advisories (#4691)
* chore(deps): bump github.com/opencontainers/image-spec (#4751)
* chore(deps): bump github.com/package-url/packageurl-go (#4754)
* chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750)
* chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4759)
* fix: documentation about resetting trivy image (#4733)
* fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
* fix: update Amazon Linux 1 EOL (#4761)
- drop eol-dates.patch (all upstream)
-------------------------------------------------------------------
Mon Jul 03 13:22:20 UTC 2023 - dmueller@suse.com
- Update to version 0.43.0:
* chore(deps): Update defsec to v0.90.1 (#4739)
* feat(nodejs): support yarn workspaces (#4664)
* feat(cli): add include-dev-deps flag (#4700)
* fix(image): pass the secret scanner option to scan the img config (#4735)
* fix: scan job pod is not found on k8s-1.27.x (#4729)
* feat(docker): add support for mTLS authentication when connecting to registry (#4649)
* chore(deps): Update defsec to v0.90.0 (#4723)
* fix: skip scanning the gpg-pubkey package (#4720)
* Fix http registry oci pull (#4701)
* feat(misconf): Support skipping services (#4686)
* docs: fix supported modes for pubspec.lock files (#4713)
* fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
* clarifying a dir path is required for custom policies (#4716)
* chore: update alpine base images (#4715)
* fix last-history-created (#4697)
* feat: kbom and cyclonedx v1.5 spec support (#4708)
* docs: add information about Aqua (#4590)
* fix: k8s escape resource filename on windows os (#4693)
* ci: ignore merge queue branches (#4696)
* chore(deps): bump actions/checkout from 2.4.0 to 3.5.3 (#4695)
* chore(deps): bump aquaproj/aqua-installer from 2.1.1 to 2.1.2 (#4694)
* feat: cyclonedx sbom custom property support (#4688)
* ci: do not trigger tests in main (#4692)
* add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
* use group field for jar in cyclonedx (#4674)
* feat(java): capture licenses from pom.xml (#4681)
* feat(helm): make sessionAffinity configurable (#4623)
* fix: Show the correct URL of the secret scanning (#4682)
* document expected file pattern definition format (#4654)
* fix: format arg error (#4642)
* feat(k8s): cyclonedx kbom support (#4557)
* fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
* fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
* ci: update build IDs (#4641)
* fix(debian): update EOL for Debian 12 (#4647)
* chore(deps): bump go-containerregistry (#4639)
* chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
* fix(db): change argument order in Exists query for JavaDB (#4595)
* feat(aws): Add support to see successes in results (#4427)
* chore(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (#4613)
* ci: do not trigger tests in main (#4614)
* chore(deps): bump sigstore/cosign-installer (#4609)
* chore(deps): bump CycloneDX/gh-gomod-generate-sbom from 1 to 2 (#4608)
* ci: bypass the required status checks (#4611)
* ci: support merge queue (#3652)
* ci: matrix build for testing (#4587)
* feat: trivy k8s private registry support (#4567)
* docs: add general coverage page (#3859)
* chore: create SECURITY.md (#4601)
-------------------------------------------------------------------
Fri Jun 30 15:06:47 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add eol-dates.patch to list SLE/Leap 15.5
-------------------------------------------------------------------
Thu Jun 22 08:39:30 UTC 2023 - Dirk Müller <dmueller@suse.com>
- add NOTICE to doc
-------------------------------------------------------------------
Mon Jun 12 07:56:25 UTC 2023 - dmueller@suse.com
- Update to version 0.42.1:
* ci: remove 32bit packages (#4585)
* fix(misconf): deduplicate misconf results (#4588)
* fix(vm): support sector size of 4096 (#4564)
* fix(misconf): terraform relative paths (#4571)
* fix(purl): skip unsupported library type (#4577)
* fix(terraform): recursively detect all Root Modules (#4457)
* fix(vm): support post analyzer for vm command (#4544)
* fix(nodejs): change the type of the devDependencies field (#4560)
* fix(sbom): export empty dependencies in CycloneDX (#4568)
* refactor: add composite fs for post-analyzers (#4556)
* chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#4554)
* chore(deps): bump helm/kind-action from 1.5.0 to 1.7.0 (#4526)
* chore(deps): bump github.com/BurntSushi/toml from 1.2.1 to 1.3.0 (#4528)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.2 to 2.30.3 (#4529)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 (#4536)
* chore(deps): bump github.com/tetratelabs/wazero from 1.0.0 to 1.2.0 (#4549)
* chore(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#4532)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4537)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#4530)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4534)
* chore(deps): bump github.com/sigstore/rekor from 1.2.0 to 1.2.1 (#4533)
* chore(deps): bump alpine from 3.17.3 to 3.18.0 (#4525)
* feat: add SBOM analyzer (#4210)
* fix(sbom): update logic for work with files in spdx format (#4513)
* feat: azure workload identity support (#4489)
* feat(ubuntu): add eol date for 18.04 ESM (#4524)
* fix(misconf): Update required extensions for terraformplan (#4523)
* refactor(cyclonedx): add intermediate representation (#4490)
* fix(misconf): Remove debug print while scanning (#4521)
* fix(java): remove duplicates of jar libs (#4515)
* fix(java): fix overwriting project props in pom.xml (#4498)
* docs: Update compilation instructions (#4512)
* fix(nodejs): update logic for parsing pnpm lock files (#4502)
* fix(secret): remove aws-account-id rule (#4494)
* feat(oci): add support for referencing an input image by digest (#4470)
* chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#4338)
* docs: fixed the format (#4503)
* fix(java): add support of * for exclusions for pom.xml files (#4501)
* feat: adding issue template for documentation (#4453)
* docs: switch glad to ghsa for Go (#4493)
* chore(deps): Update defsec to v0.89.0 (#4474)
* feat(misconf): Add terraformplan support (#4342)
* feat(debian): add digests for dpkg (#4445)
* chore(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 (#4478)
* feat(k8s): exclude node scanning by node labels (#4459)
* docs: add info about multi-line mode for regexp from custom secret rules (#4159)
* feat(cli): convert JSON reports into a different format (#4452)
* feat(image): add logic to guess base layer for docker-cis scan (#4344)
* fix(cyclonedx): set original names for packages (#4306)
* feat: group subcommands (#4449)
* feat(cli): add retry to cache operations (#4189)
* fix(vuln): report architecture for `apk` packages (#4247)
* refactor: enable cases where return values are not needed in pipeline (#4443)
* fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
* docs(misconf): Update docs for kubernetes file patterns (#4435)
* test: k8s integration tests (#4423)
* feat(redhat): add package digest for rpm (#4410)
* feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167)
* fix: typo (#4431)
* add user instruction to imgconf (#4429)
* fix(k8s): add image sources (#4411)
* docs(scanning): Add versioning banner (#4415)
* feat(cli): add mage command to update golden integration test files (#4380)
* feat: node-collector custom namespace support (#4407)
* chore(deps): bump owenrumney/go-sarif from v2.1.3 to v2.2.0 (#4378)
* refactor(sbom): use multiline json for spdx-json format (#4404)
* fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
* refactor: code-optimization (#4214)
* feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
* test: skip wrong update of test golden files (#4379)
* refactor: don't return error for package.json without version/name (#4377)
* docs: cmd error (#4376)
* test(cli): add test for config file and env combination (#2666)
* fix(report): set a correct file location for license scan output (#4326)
* ci: rpm repository for all versions and aarch64 (#4077)
* chore(alpine): Update Alpine to 3.18 (#4351)
* fix(alpine): add EOL date for Alpine 3.18 (#4308)
* chore(deps): bump github.com/docker/distribution (#4337)
* feat: allow root break for mapfs (#4094)
* docs(misconf): Remove examples.md (#4256)
* fix(ubuntu): update eol dates for Ubuntu (#4258)
* feat(alpine): add digests for apk packages (#4168)
* chore: add discussion templates (#4190)
* fix(terraform): Support tfvars (#4123)
* chore: separate docs:generate (#4242)
* chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4246)
* refactor: define vulnerability scanner interfaces (#4117)
* feat: unified k8s scan resources (#4188)
* chore(deps): Update defsec to v0.88.1 (#4178)
* chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 (#4141)
* chore: trivy bin ignore (#4212)
* feat(image): enforce image platform (#4083)
* chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#4143)
* chore(deps): bump github.com/docker/docker (#4144)
* chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 (#4146)
* chore(deps): bump aquaproj/aqua-installer from 2.0.2 to 2.1.1 (#4140)
* fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
* chore(deps): bump github.com/samber/lo from 1.37.0 to 1.38.1 (#4147)
* chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 (#4145)
* chore(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.3 (#4138)
* chore(deps): bump github.com/testcontainers/testcontainers-go (#4150)
* chore: install.sh support for windows (#4155)
* chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#4166)
* chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#4149)
* docs: moving skipping files out of others (#4154)
-------------------------------------------------------------------
Thu May 11 17:05:04 UTC 2023 - Dirk Müller <dmueller@suse.com>
- actually create a PIE binary
-------------------------------------------------------------------
Fri Apr 28 07:31:35 UTC 2023 - dmueller@suse.com
- Update to version 0.41.0:
* fix(spdx): add workaround for no src packages (#4118)
* test(golang): rename broken go.mod (#4129)
* feat(sbom): add supplier field (#4122)
* test(misconf): skip downloading of policies for tests #4126
* refactor: use debug message for post-analyze errors (#4037)
* feat(sbom): add VEX support (#4053)
* feat(sbom): add primary package purpose field for SPDX (#4119)
* fix(k8s): fix quiet flag (#4120)
* fix(python): parse of pip extras (#4103)
* feat(java): use full path for nested jars (#3992)
* feat(license): add new flag for classifier confidence level (#4073)
* feat: config and fs compliance support (#4097)
* chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952)
* feat(spdx): add support for SPDX 2.3 (#4058)
* fix: k8s all-namespaces support (#4096)
* perf(misconf): replace with post-analyzers (#4090)
* fix(helm): update networking API version detection (#4106)
* feat(image): custom docker host option (#3599)
* style: debug flag is incorrect and needs extra - (#4087)
* docs(vuln): Document inline vulnerability filtering comments (#4024)
* feat(fs): customize error callback during fs walk (#4038)
* fix(ubuntu): skip copyright files from subfolders (#4076)
* docs: restructure scanners (#3977)
* fix: fix `file does not exist` error for post-analyzers (#4061)
-------------------------------------------------------------------
Sun Apr 16 18:05:08 UTC 2023 - dmueller@suse.com
- Update to version 0.40.0:
* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)
* chore(deps): bump actions/stale from 7 to 8 (#3955)
* fix: return insecure option to download javadb (#4064)
* fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
* ci: add gpg signing for RPM packages (#4056)
* fix(k8s): current context title (#4055)
* fix(k8s): quit support on k8s progress bar (#4021)
* chore: add a note about Dockerfile.canary (#4050)
* ci: fix path to canary binaries (#4045)
* fix(vuln): report architecture for debian packages (#4032)
* feat: add support for Chainguard's commercial distro (#3641)
* ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
* fix(vuln): fix error message for remote scanners (#4031)
* feat(report): add image metadata to SARIF (#4020)
* docs: fix broken cache link on Installation page (#3999)
* fix: lock downloading policies and database (#4017)
* fix: avoid concurrent access to the global map (#4014)