Merge pull request 'Update to 0.59.0' (#12) from cwh/trivy:factory into factory

_service

@@ -2,7 +2,7 @@
   <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.58.2</param>
+    <param name="revision">v0.59.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">936f06a57864d073aa77b38f77fe76c4fcb1f7c1</param></service></servicedata>
+              <param name="changesrevision">a58d6854dcfec0349daef27e180f2bdb5b380315</param></service></servicedata>

trivy.changes

@@ -1,3 +1,97 @@
+-------------------------------------------------------------------
+Fri Feb  7 11:33:46 UTC 2025 - Dirk Müller <dmueller@suse.com>
+
+- bump go version
+
+-------------------------------------------------------------------
+Wed Feb 05 16:28:33 UTC 2025 - cwh@suse.com
+
+- Update to version 0.59.0:
+  * release: v0.59.0 [main] (#8041)
+  * feat(image): return error early if total size of layers exceeds limit (#8294)
+  * chore(deps): Bump trivy-checks (#8310)
+  * chore(terraform): add accessors to underlying raw hcl values (#8306)
+  * fix: improve conversion of image config to Dockerfile (#8308)
+  * docs: replace short codes with Unicode emojis (#8296)
+  * feat(k8s): improve artifact selections for specific namespaces (#8248)
+  * chore: update code owners (#8303)
+  * fix(misconf): handle heredocs in dockerfile instructions (#8284)
+  * fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
+  * chore(deps): bump the aws group with 7 updates (#8299)
+  * chore(deps): bump the common group with 12 updates (#8301)
+  * chore: enable int-conversion from perfsprint (#8194)
+  * feat(fs): use git commit hash as cache key for clean repositories (#8278)
+  * fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
+  * chore: use require.ErrorContains when possible (#8291)
+  * feat(image): prevent scanning oversized container images (#8178)
+  * chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
+  * fix(fs): fix cache key generation to use UUID (#8275)
+  * fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
+  * feat: add support for registry mirrors (#8244)
+  * chore(deps): bump the common group across 1 directory with 29 updates (#8261)
+  * refactor(license): improve license expression normalization (#8257)
+  * feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
+  * feat: add a examples field to check metadata (#8068)
+  * chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
+  * ci: add workflow to restrict direct PRs to release branches (#8240)
+  * fix(suse): SUSE - update OSType constants and references for compatility (#8236)
+  * ci: fix path to main dir for canary builds (#8231)
+  * chore(secret): add reported issues related to secrets in junit template (#8193)
+  * refactor: use trivy-checks/pkg/specs package (#8226)
+  * ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
+  * fix(misconf): allow null values only for tf variables (#8112)
+  * feat(misconf): support for ignoring by inline comments for Helm (#8138)
+  * fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
+  * chore(alpine): add EOL date for Alpine 3.21 (#8221)
+  * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
+  * fix(misconf): disable git terminal prompt on tf module load (#8026)
+  * chore: remove aws iam related scripts (#8179)
+  * docs: Updated JSON schema version 2 in the trivy documentation (#8188)
+  * refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
+  * refactor: use slices package instead of custom function (#8172)
+  * chore(deps): bump the common group with 6 updates (#8162)
+  * feat(python): add support for uv dev and optional dependencies (#8134)
+  * feat(python): add support for poetry dev dependencies (#8152)
+  * fix(sbom): attach nested packages to Application (#8144)
+  * docs(vex): use debian minor version in examples (#8166)
+  * refactor: add generic Set implementation (#8149)
+  * chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
+  * fix(python): skip dev group's deps for poetry (#8106)
+  * fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
+  * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
+  * chore(vex): suppress CVE-2024-45338 (#8137)
+  * feat(python): add support for uv (#8080)
+  * chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
+  * chore(deps): bump the common group across 1 directory with 14 updates (#8126)
+  * chore: bump go to 1.23.4 (#8123)
+  * test: set dummy value for NUGET_PACKAGES (#8107)
+  * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
+  * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
+  * fix: wasm module test (#8099)
+  * fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
+  * chore(vex): suppress CVE-2024-45337 (#8101)
+  * fix(license): always trim leading and trailing spaces for licenses (#8095)
+  * fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
+  * fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
+  * fix: enable err-error and errorf rules from perfsprint linter (#7859)
+  * chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
+  * perf: avoid heap allocation in applier findPackage (#7883)
+  * fix: Updated twitter icon (#7772)
+  * docs(k8s): add a note about multi-container pods (#7815)
+  * feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
+  * fix(oracle): add architectures support for advisories (#4809)
+  * fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
+  * feat(misconf): generate placeholders for random provider resources (#8051)
+  * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
+  * fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
+  * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
+  * feat(nodejs): respect peer dependencies for dependency tree (#7989)
+  * ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
+  * fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
+  * chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
+  * fix(misconf): use log instead of fmt for logging (#8033)
+  * docs: add commercial content (#8030)
+
 -------------------------------------------------------------------
 Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
 

trivy.spec

@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.58.2
+Version:        0.59.0
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -27,7 +27,7 @@ Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.23
 Requires:       ca-certificates
 Requires:       git-core
 Requires:       rpm