From f453699762a9947c2166f27eba77b4e9ac2cedac330a336be6edd27484d12366 Mon Sep 17 00:00:00 2001
From: Christopher Hofmann
Date: Mon, 3 Feb 2025 15:56:21 +0100
Subject: [PATCH] Update to 0.59.0

---
 _service | 2 +-
 _servicedata | 2 +-
 trivy-0.57.1.tar.zst | 3 -
 trivy-0.59.0.tar.zst | 3 +
 trivy.changes | 177 ++++++++++++++++++++++++++++++++++++++++++-
 trivy.spec | 4 +-
 vendor.tar.zst | 4 +-
 7 files changed, 185 insertions(+), 10 deletions(-)
 delete mode 100644 trivy-0.57.1.tar.zst
 create mode 100644 trivy-0.59.0.tar.zst

diff --git a/_service b/_service
index 5051684..7e3ef32 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
 https://github.com/aquasecurity/trivy
 git
- v0.57.1
+ v0.59.0
 @PARENT_TAG@
 v(.*)
 enable
diff --git a/_servicedata b/_servicedata
index 18be96b..59d8914 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
 https://github.com/aquasecurity/trivy
- b7947b37ee47ea79dff550462c297164eb47aa9e
\ No newline at end of file
+ a58d6854dcfec0349daef27e180f2bdb5b380315
\ No newline at end of file
diff --git a/trivy-0.57.1.tar.zst b/trivy-0.57.1.tar.zst
deleted file mode 100644
index ad38c5a..0000000
--- a/trivy-0.57.1.tar.zst
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8dc264ae1d62328368db5f943125e4f53fd6a0cef05bae06a59225051df41281
-size 52184713
diff --git a/trivy-0.59.0.tar.zst b/trivy-0.59.0.tar.zst
new file mode 100644
index 0000000..e79d0ed
--- /dev/null
+++ b/trivy-0.59.0.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:612f51e63b713df373a4da635359687555dffb519073ce0796a0459a8cbb78ca
+size 52492427
diff --git a/trivy.changes b/trivy.changes
index 1145de8..2d420ef 100644
--- a/trivy.changes
+++ b/trivy.changes
@@ -1,3 +1,178 @@
+-------------------------------------------------------------------
+Mon Feb 03 14:29:10 UTC 2025 - cwh@suse.com
+
+- Update to version 0.59.0 (bsc#1235572, CVE-2025-21613, CVE-2025-21614):
+ * release: v0.59.0 [main] (#8041)
+ * feat(image): return error early if total size of layers exceeds limit (#8294)
+ * chore(deps): Bump trivy-checks (#8310)
+ * chore(terraform): add accessors to underlying raw hcl values (#8306)
+ * fix: improve conversion of image config to Dockerfile (#8308)
+ * docs: replace short codes with Unicode emojis (#8296)
+ * feat(k8s): improve artifact selections for specific namespaces (#8248)
+ * chore: update code owners (#8303)
+ * fix(misconf): handle heredocs in dockerfile instructions (#8284)
+ * fix: de-duplicate same `dpkg` packages with different filePaths from different layers (#8298)
+ * chore(deps): bump the aws group with 7 updates (#8299)
+ * chore(deps): bump the common group with 12 updates (#8301)
+ * chore: enable int-conversion from perfsprint (#8194)
+ * feat(fs): use git commit hash as cache key for clean repositories (#8278)
+ * fix(spdx): use the `hasExtractedLicensingInfos` field for licenses that are not listed in the SPDX (#8077)
+ * chore: use require.ErrorContains when possible (#8291)
+ * feat(image): prevent scanning oversized container images (#8178)
+ * chore(deps): use aqua forks for `github.com/liamg/jfather` and `github.com/liamg/iamgo` (#8289)
+ * fix(fs): fix cache key generation to use UUID (#8275)
+ * fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
+ * feat: add support for registry mirrors (#8244)
+ * chore(deps): bump the common group across 1 directory with 29 updates (#8261)
+ * refactor(license): improve license expression normalization (#8257)
+ * feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
+ * feat: add a examples field to check metadata (#8068)
+ * chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
+ * ci: add workflow to restrict direct PRs to release branches (#8240)
+ * fix(suse): SUSE - update OSType constants and references for compatility (#8236)
+ * ci: fix path to main dir for canary builds (#8231)
+ * chore(secret): add reported issues related to secrets in junit template (#8193)
+ * refactor: use trivy-checks/pkg/specs package (#8226)
+ * ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
+ * fix(misconf): allow null values only for tf variables (#8112)
+ * feat(misconf): support for ignoring by inline comments for Helm (#8138)
+ * fix(redhat): check `usr/share/buildinfo/` dir to detect content sets (#8222)
+ * chore(alpine): add EOL date for Alpine 3.21 (#8221)
+ * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
+ * fix(misconf): disable git terminal prompt on tf module load (#8026)
+ * chore: remove aws iam related scripts (#8179)
+ * docs: Updated JSON schema version 2 in the trivy documentation (#8188)
+ * refactor(python): use once + debug for `License acquired from METADATA...` logs (#8175)
+ * refactor: use slices package instead of custom function (#8172)
+ * chore(deps): bump the common group with 6 updates (#8162)
+ * feat(python): add support for uv dev and optional dependencies (#8134)
+ * feat(python): add support for poetry dev dependencies (#8152)
+ * fix(sbom): attach nested packages to Application (#8144)
+ * docs(vex): use debian minor version in examples (#8166)
+ * refactor: add generic Set implementation (#8149)
+ * chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
+ * fix(python): skip dev group's deps for poetry (#8106)
+ * fix(sbom): use root package for `unknown` dependencies (if exists) (#8104)
+ * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` (#8140)
+ * chore(vex): suppress CVE-2024-45338 (#8137)
+ * feat(python): add support for uv (#8080)
+ * chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
+ * chore(deps): bump the common group across 1 directory with 14 updates (#8126)
+ * chore: bump go to 1.23.4 (#8123)
+ * test: set dummy value for NUGET_PACKAGES (#8107)
+ * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` (#8105)
+ * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
+ * fix: wasm module test (#8099)
+ * fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
+ * chore(vex): suppress CVE-2024-45337 (#8101)
+ * fix(license): always trim leading and trailing spaces for licenses (#8095)
+ * fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
+ * fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
+ * fix: enable err-error and errorf rules from perfsprint linter (#7859)
+ * chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
+ * perf: avoid heap allocation in applier findPackage (#7883)
+ * fix: Updated twitter icon (#7772)
+ * docs(k8s): add a note about multi-container pods (#7815)
+ * feat: add `--distro` flag to manually specify OS distribution for vulnerability scanning (#8070)
+ * fix(oracle): add architectures support for advisories (#4809)
+ * fix: handle `BLOW_UNKNOWN` error to download DBs (#8060)
+ * feat(misconf): generate placeholders for random provider resources (#8051)
+ * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
+ * fix(flag): skip hidden flags for `--generate-default-config` command (#8046)
+ * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props (#8050)
+ * feat(nodejs): respect peer dependencies for dependency tree (#7989)
+ * ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
+ * fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
+ * chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
+ * fix(misconf): use log instead of fmt for logging (#8033)
+ * docs: add commercial content (#8030)
+
+-------------------------------------------------------------------
+Wed Jan 29 11:56:12 UTC 2025 - dmueller@suse.com
+
+- Update to version 0.58.2 (
+ bsc#1234512, CVE-2024-45337,
+ bsc#1235265, CVE-2024-45338):
+ * release: v0.58.2 [release/v0.58] (#8216)
+ * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
+ * fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
+ * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
+ * release: v0.58.1 [release/v0.58] (#8120)
+ * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
+ * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
+ * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)
+ * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)
+ * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)
+ * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
+ * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
+ * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
+ * chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
+ * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)
+ * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)
+ * release: v0.58.0 [main] (#7874)
+ * fix(misconf): wrap AWS EnvVar to iac types (#7407)
+ * chore(deps): Upgrade trivy-checks (#8018)
+ * refactor(misconf): Remove unused options (#7896)
+ * docs: add terminology page to explain Trivy concepts (#7996)
+ * feat: add `workspaceRelationship` (#7889)
+ * refactor(sbom): simplify relationship generation (#7985)
+ * chore: remove Go checks (#7907)
+ * docs: improve databases documentation (#7732)
+ * refactor: remove support for custom Terraform checks (#7901)
+ * docs: fix dead links (#7998)
+ * docs: drop AWS account scanning (#7997)
+ * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
+ * fix(cli): Handle empty ignore files more gracefully (#7962)
+ * fix(misconf): load full Terraform module (#7925)
+ * fix(misconf): properly resolve local Terraform cache (#7983)
+ * refactor(k8s): add v prefix for Go packages (#7839)
+ * test: replace Go checks with Rego (#7867)
+ * feat(misconf): log causes of HCL file parsing errors (#7634)
+ * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
+ * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
+ * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
+ * chore: downgrade the failed block expand message to debug (#7964)
+ * fix(misconf): do not erase variable type for child modules (#7941)
+ * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)
+ * feat(go): construct dependencies in the parser (#7973)
+ * feat: add cvss v4 score and vector in scan response (#7968)
+ * docs: add `overview` page for `others` (#7972)
+ * fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
+ * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
+ * chore(deps): bump the common group with 4 updates (#7949)
+ * feat(oracle): add `flavors` support (#7858)
+ * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)
+ * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
+ * fix(k8s): check all results for vulnerabilities (#7946)
+ * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
+ * feat(secret): Add built-in secrets rules for Private Packagist (#7826)
+ * docs: Fix broken links (#7900)
+ * docs: fix mistakes/typos (#7942)
+ * feat: Update registry fallbacks (#7679)
+ * fix(alpine): add `UID` for removed packages (#7887)
+ * chore(deps): bump the aws group with 6 updates (#7902)
+ * chore(deps): bump the common group with 6 updates (#7904)
+ * fix(debian): infinite loop (#7928)
+ * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)
+ * docs: add note about temporary podman socket (#7921)
+ * docs: combine trivy.dev into trivy docs (#7884)
+ * test: change branch in spdx schema link to check in integration tests (#7935)
+ * docs: add Headlamp to the Trivy Ecosystem page (#7916)
+ * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)
+ * chore(k8s): enhance k8s scan log (#6997)
+ * fix(terraform): set null value as fallback for missing variables (#7669)
+ * fix(misconf): handle null properties in CloudFormation templates (#7813)
+ * fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
+ * chore(deps): bump the common group across 1 directory with 20 updates (#7876)
+ * chore: bump containerd to v2.0.0 (#7875)
+ * fix: Improve version comparisons when build identifiers are present (#7873)
+ * feat(k8s): add default commands for unknown platform (#7863)
+ * chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
+ * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
+ * test: save `containerd` image into archive and use in tests (#7816)
+ * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
+ * chore: bump golangci-lint to v1.61.0 (#7853)
+
 -------------------------------------------------------------------
 Mon Dec 02 13:10:12 UTC 2024 - cwh@suse.com
@@ -467,7 +642,7 @@ Thu Jun 06 13:09:56 UTC 2024 - dmueller@suse.com
 -------------------------------------------------------------------
 Thu May 09 13:21:53 UTC 2024 - dmueller@suse.com
-- Update to version 0.51.1:
+- Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):
 * fix(fs): handle default skip dirs properly (#6628)
 * fix(misconf): load cached tf modules (#6607)
 * fix(misconf): do not use semver for parsing tf module versions (#6614)
diff --git a/trivy.spec b/trivy.spec
index 1f158ed..46bf61f 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -17,7 +17,7 @@ Name: trivy
-Version: 0.57.1
+Version: 0.59.0
 Release: 0
 Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
 License: Apache-2.0
@@ -27,7 +27,7 @@ Source: %{name}-%{version}.tar.zst
 Source1: vendor.tar.zst
 BuildRequires: golang-packaging
 BuildRequires: zstd
-BuildRequires: golang(API) = 1.22
+BuildRequires: golang(API) = 1.23
 Requires: ca-certificates
 Requires: git-core
 Requires: rpm
diff --git a/vendor.tar.zst b/vendor.tar.zst
index 0b8fe97..5511c81 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:88daeadb5207f6f5a6eb6c2a59ad7abf712536c430486f4c387bf3971b14ab75
-size 58174263
+oid sha256:412f086edb3b7d257aab613a40e010b388083a86648599dba7a92b85bab4a54f
+size 38403467