From fd82b347f4dee9953357d5ef606d3a05300123bf01bd3f24e9cfd37d46528933 Mon Sep 17 00:00:00 2001
From: Robert Frohl
Date: Tue, 3 Feb 2026 18:16:47 +0100
Subject: [PATCH] Update submodules from pool/trivy#32 and create patchinfo.20260203171624727972.93181000773252/_patchinfo
---
 .../_patchinfo | 92 +++++++++++++++++++
 trivy | 2 +-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 patchinfo.20260203171624727972.93181000773252/_patchinfo
diff --git a/patchinfo.20260203171624727972.93181000773252/_patchinfo b/patchinfo.20260203171624727972.93181000773252/_patchinfo
new file mode 100644
index 0000000..f3ac5e6
--- /dev/null
+++ b/patchinfo.20260203171624727972.93181000773252/_patchinfo
@@ -0,0 +1,92 @@ + + VUL-0: CVE-2025-64702: trivy: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS + CVE-2025-66564 github.com/sigstore/timestamp-authority: Sigstore Timestamp Authority: Denial of Service via excessive OID or Content-Type header parsing + VUL-0: CVE-2025-64702: TRACKERBUG: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS + dirkmueller + important + security + Security update for trivy + This update for trivy fixes the following issues: + +Changes in trivy: + +- Update to version 0.69.0 (bsc#1255366, CVE-2025-64702): + * release: v0.69.0 [main] (#9886) + * chore: bump trivy-checks to v2 (#9875) + * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.1 to 2.4.1 (#10091) + * fix(repo): return a nil interface for gitAuth if missing (#10097) + * fix(java): correctly inherit properties from parent fields for pom.xml files (#9111) + * fix(rust): implement version inheritance for Cargo mono repos (#10011) + * feat(activestate): add support ActiveState images (#10081) + * feat(vex): support per-repo tls configuration (#10030) + * refactor: allow per-request transport options override (#10083) + * chore(deps): bump github.com/sigstore/rekor from 1.4.3 to 1.5.0 (#10084) + * chore(deps): bump github.com/sigstore/sigstore from 1.10.3 to 1.10.4 (#10085) + * fix(java): correctly propagate repositories from upper POMs to dependencies (#10077) + * feat(rocky): enable modular package vulnerability detection (#10069) + * chore(deps): bump github.com/theupdateframework/go-tuf/v2 from 2.3.0 to 2.3.1 (#10079) + * docs: fix mistake in config file example for skip-dirs/skip-files flag (#10070) + * feat(report): add Trivy version to JSON output (#10065) + * fix(rust): add cargo workspace members glob support (#10032) + * feat: add AnalyzedBy field to track which analyzer detected packages (#10059) + * fix: use canonical SPDX license IDs from embeded licenses.json (#10053) + * docs: fix link to Docker 
Image Specification (#10057) + * feat(secret): add detection for Symfony default secret key (#9892) + * refactor(misconf): move common logic to base value and simplify typed values (#9986) + * fix(java): add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#9880) + * feat(misconf): use Terraform plan configuration to partially restore schema (#9623) + * feat(misconf): add action block to Terraform schema (#10035) + * fix(misconf): correct typos in block and attribute names (#9993) + * test(misconf): simplify test values using *Test helpers (#9985) + * fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980) + * feat(misconf): support for ARM resources defined as an object (#9959) + * feat(misconf): support for azurerm_*_web_app (#9944) + * test: migrate private test helpers to `export_test.go` convention (#10043) + * chore(deps): bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.6.2 (#10048) + * fix(secret): improve word boundary detection for Hugging Face tokens (#10046) + * fix(go): use ldflags version for all pseudo-versions (#10037) + * chore: switch to ID from AVDID in internal and user-facing fields (#9655) + * refactor(misconf)!: use ID instead of AVDID for providers mapping (#9752) + * fix: move enum into items for array-type fields in JSON Schema (#10039) + * docs: fix incorrect documentation URLs (#10038) + * feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033) + * fix(docker): fix non-det scan results for images with embedded SBOM (#9866) + * chore(deps): bump the github-actions group with 11 updates (#10001) + * test: fix assertion after 2026 roll over (#10002) + * fix(vuln): skip vulns detection for CentOS Stream family without scan failure (#9964) + * fix(license): normalize licenses for PostAnalyzers (#9941) + * feat(nodejs): parse licenses from `package-lock.json` file (#9983) + * chore: update reference links to Go Wiki (#9987) + * refactor: add xslices.Map and replace lo.Map usages (#9984) + 
* fix(image): race condition in image artifact inspection (#9966) + * feat(flag): add JSON Schema for trivy.yaml configuration file (#9971) + * refactor(debian): use txtar format for test data (#9957) + * chore(deps): bump `golang.org/x/tools` to `v0.40.0` + `gopls` to `v0.21.0` (#9973) + * feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930) + * feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932) + * docs: add info that `--file-pattern` flag doesn't disable default behaviuor (#9961) + * perf(misconf): optimize string concatenation in azure scanner (#9969) + * chore: add client option to install script (#9962) + * ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956) + * chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952) + * docs: update binary signature verification for sigstore bundles (#9929) + * chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935) + * chore(alpine): add EOL date for alpine 3.23 (#9934) + * feat(cloudformation): add support for Fn::ForEach (#9508) + * ci: enable `check-latest` for `setup-go` (#9931) + * feat(debian): detect third-party packages using maintainer list (#9917) + * fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924) + * feat(helm): add sslCertDir parameter (#9697) + * fix(misconf): respect .yml files when Helm charts are detected (#9912) + * feat(php): add support for dev dependencies in Composer (#9910) + * chore(deps): bump the common group across 1 directory with 9 updates (#9903) + * chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859) + * fix: remove trailing tab in statefulset template (#9889) + * feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800) + * feat(misconf): initial ansible scanning support (#9332) + * feat(misconf): Update Azure Database schema (#9811) + * ci(helm): bump Trivy version 
to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869) + * chore: update the install script (#9874) + + trivy +
diff --git a/trivy b/trivy
index 1901ecd..a46492e 160000
--- a/trivy
+++ b/trivy
@@ -1 +1 @@
-Subproject commit 1901ecd77018a9e9571b5e53df8e678c87a1f734550691a5b989d5d7cb425715
+Subproject commit a46492e6455879f06344dd8c73e54de4d9c40eb24a8f15054c952afc846e8f48
--
2.51.1
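Review bot: The issue list at the top of the new _patchinfo references CVE-2025-66564 (sigstore/timestamp-authority) as an issue this security update addresses, but the description only credits bsc#1255366 / CVE-2025-64702, and the embedded upstream changelog itself says that CVE was only recorded as not_affected in Trivy's VEX file (#9924), so the advisory as written announces a fix that upstream classifies as a non-issue. Either drop that issue reference or make the description explicit about its status, e.g. add the line `- CVE-2025-66564: sigstore timestamp-authority dependency; upstream marks trivy as not_affected (#9924)` under the existing `This update for trivy fixes the following issues:`. CVE-2025-64702 also appears twice in the issue list (the VUL-0 entry and the TRACKERBUG variant), which may be intentional if they are two distinct tracker ids, but is worth confirming so the advisory does not double-count the same vulnerability. The XML element and attribute names appear stripped in this rendering, so the exact tracker attributes on those entries cannot be checked from the hunk alone.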