From 74c123e46715b11e134b8a9f80135e77b43d64ba19903284a20b303dde3dc240 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dirk=20M=C3=BCller?= Date: Wed, 29 Jan 2025 13:00:41 +0100 Subject: [PATCH 1/3] Update to 0.58.2 --- _service | 2 +- _servicedata | 2 +- trivy-0.57.1.tar.zst | 3 -- trivy-0.58.2.tar.zst | 3 ++ trivy.changes | 84 ++++++++++++++++++++++++++++++++++++++++++++ trivy.spec | 2 +- vendor.tar.zst | 4 +-- 7 files changed, 92 insertions(+), 8 deletions(-) delete mode 100644 trivy-0.57.1.tar.zst create mode 100644 trivy-0.58.2.tar.zst diff --git a/_service b/_service index 5051684..59fff74 100644 --- a/_service +++ b/_service @@ -2,7 +2,7 @@ https://github.com/aquasecurity/trivy git - v0.57.1 + v0.58.2 @PARENT_TAG@ v(.*) enable diff --git a/_servicedata b/_servicedata index 18be96b..e9e86e1 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/aquasecurity/trivy - b7947b37ee47ea79dff550462c297164eb47aa9e \ No newline at end of file + 936f06a57864d073aa77b38f77fe76c4fcb1f7c1 \ No newline at end of file diff --git a/trivy-0.57.1.tar.zst b/trivy-0.57.1.tar.zst deleted file mode 100644 index ad38c5a..0000000 --- a/trivy-0.57.1.tar.zst +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8dc264ae1d62328368db5f943125e4f53fd6a0cef05bae06a59225051df41281 -size 52184713 diff --git a/trivy-0.58.2.tar.zst b/trivy-0.58.2.tar.zst new file mode 100644 index 0000000..ac95b79 --- /dev/null +++ b/trivy-0.58.2.tar.zst @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b7b2d27c09d283571d4b999436c7dad271157ccd7bbd546f7afb51de7162b09f +size 52590814 diff --git a/trivy.changes b/trivy.changes index 1145de8..5df1360 100644 --- a/trivy.changes +++ b/trivy.changes @@ -1,3 +1,87 @@ +------------------------------------------------------------------- +Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com + +- Update to version 0.58.2 (bsc#1234512, CVE-2024-45337): + * release: v0.58.2 [release/v0.58] (#8216) + * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238) + * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237) + * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215) + * release: v0.58.1 [release/v0.58] (#8120) + * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168) + * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158) + * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156) + * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142) + * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136) + * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135) + * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125) + * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124) + * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122) + * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121) + * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119) + * release: v0.58.0 [main] (#7874) + * fix(misconf): wrap AWS EnvVar to iac types (#7407) + * chore(deps): Upgrade trivy-checks (#8018) + * refactor(misconf): Remove unused options (#7896) + * docs: add terminology page to explain Trivy concepts (#7996) + * feat: add `workspaceRelationship` (#7889) + * refactor(sbom): simplify relationship generation (#7985) + * chore: remove Go checks (#7907) + * docs: improve databases documentation (#7732) + * refactor: remove support for custom Terraform checks (#7901) + * docs: fix dead links (#7998) + * docs: drop AWS account scanning (#7997) + * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995) + * fix(cli): Handle empty ignore files more gracefully (#7962) + * fix(misconf): load full Terraform module (#7925) + * fix(misconf): properly resolve local Terraform cache (#7983) + * refactor(k8s): add v prefix for Go packages (#7839) + * test: replace Go checks with Rego (#7867) + * feat(misconf): log causes of HCL file parsing errors (#7634) + * chore(deps): bump the aws group across 1 directory with 7 updates (#7991) + * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990) + * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992) + * chore: downgrade the failed block expand message to debug (#7964) + * fix(misconf): do not erase variable type for child modules (#7941) + * feat(go): construct dependencies of `go.mod` main module in the parser (#7977) + * feat(go): construct dependencies in the parser (#7973) + * feat: add cvss v4 score and vector in scan response (#7968) + * docs: add `overview` page for `others` (#7972) + * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871) + * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965) + * chore(deps): bump the common group with 4 updates (#7949) + * feat(oracle): add `flavors` support (#7858) + * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953) + * chore(deps): Bump up trivy-checks to v1.3.0 (#7959) + * fix(k8s): check all results for vulnerabilities (#7946) + * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945) + * feat(secret): Add built-in secrets rules for Private Packagist (#7826) + * docs: Fix broken links (#7900) + * docs: fix mistakes/typos (#7942) + * feat: Update registry fallbacks (#7679) + * fix(alpine): add `UID` for removed packages (#7887) + * chore(deps): bump the aws group with 6 updates (#7902) + * chore(deps): bump the common group with 6 updates (#7904) + * fix(debian): infinite loop (#7928) + * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912) + * docs: add note about temporary podman socket (#7921) + * docs: combine trivy.dev into trivy docs (#7884) + * test: change branch in spdx schema link to check in integration tests (#7935) + * docs: add Headlamp to the Trivy Ecosystem page (#7916) + * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898) + * chore(k8s): enhance k8s scan log (#6997) + * fix(terraform): set null value as fallback for missing variables (#7669) + * fix(misconf): handle null properties in CloudFormation templates (#7813) + * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882) + * chore(deps): bump the common group across 1 directory with 20 updates (#7876) + * chore: bump containerd to v2.0.0 (#7875) + * fix: Improve version comparisons when build identifiers are present (#7873) + * feat(k8s): add default commands for unknown platform (#7863) + * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868) + * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862) + * test: save `containerd` image into archive and use in tests (#7816) + * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854) + * chore: bump golangci-lint to v1.61.0 (#7853) + ------------------------------------------------------------------- Mon Dec 02 13:10:12 UTC 2024 - cwh@suse.com diff --git a/trivy.spec b/trivy.spec index 1f158ed..8af33d3 100644 --- a/trivy.spec +++ b/trivy.spec @@ -17,7 +17,7 @@ Name: trivy -Version: 0.57.1 +Version: 0.58.2 Release: 0 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers License: Apache-2.0 diff --git a/vendor.tar.zst b/vendor.tar.zst index 0b8fe97..aa2eae5 100644 --- a/vendor.tar.zst +++ b/vendor.tar.zst @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:88daeadb5207f6f5a6eb6c2a59ad7abf712536c430486f4c387bf3971b14ab75 -size 58174263 +oid sha256:55a58d7eed07ce8323fd2c097bf323cd1983c0bd6354abc7161cc37fea78c2c3 +size 37314026 From 021d08eb6c78bbc001f94dcca2f742ac746cbb341cc186ed238693ecf3c84dcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dirk=20M=C3=BCller?= Date: Wed, 29 Jan 2025 13:05:37 +0100 Subject: [PATCH 2/3] update changes file --- trivy.changes | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/trivy.changes b/trivy.changes index 5df1360..bdf6803 100644 --- a/trivy.changes +++ b/trivy.changes @@ -551,7 +551,7 @@ Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com ------------------------------------------------------------------- Thu May 09 13:21:53 UTC 2024 - dmueller@suse.com -- Update to version 0.51.1: +- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817): * fix(fs): handle default skip dirs properly (#6628) * fix(misconf): load cached tf modules (#6607) * fix(misconf): do not use semver for parsing tf module versions (#6614) From 757447aee927fa8446de045d0c1b532e9a3787977a6cd9b2e6282a170bd4b0a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dirk=20M=C3=BCller?= Date: Wed, 29 Jan 2025 13:07:39 +0100 Subject: [PATCH 3/3] capture another missing CVE --- trivy.changes | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/trivy.changes b/trivy.changes index bdf6803..73baed9 100644 --- a/trivy.changes +++ b/trivy.changes @@ -1,7 +1,9 @@ ------------------------------------------------------------------- Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com -- Update to version 0.58.2 (bsc#1234512, CVE-2024-45337): +- Update to version 0.58.2 ( + bsc#1234512, CVE-2024-45337, + bsc#1235265, CVE-2024-45338): * release: v0.58.2 [release/v0.58] (#8216) * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238) * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)