diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index 622af26..5c7b8a3 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1691061996
-commit: 3b8b301ce3e352f21ca0c2faef2ca1bc9b104ec7
+mtime: 1707400276
+commit: 2104123c72636f1cd80a006a15bd8b68af402960
 url: https://src.opensuse.org/dirkmueller/trivy.git
-revision: 3b8b301ce3e352f21ca0c2faef2ca1bc9b104ec7
+revision: 2104123c72636f1cd80a006a15bd8b68af402960
diff --git a/_service b/_service
index 043e57a..47bc656 100644
--- a/_service
+++ b/_service
@@ -1,20 +1,20 @@
 <services>
-  <service name="tar_scm" mode="disabled">
+  <service name="tar_scm" mode="manual">
     <param name="url">https://github.com/aquasecurity/trivy</param>
     <param name="scm">git</param>
-    <param name="revision">v0.44.0</param>
+    <param name="revision">v0.49.1</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>
     <param name="changesgenerate">enable</param>
   </service>
-  <service name="recompress" mode="disabled">
+  <service name="recompress" mode="manual">
     <param name="file">trivy-*.tar</param>
     <param name="compression">zst</param>
   </service>
-  <service name="set_version" mode="disabled">
+  <service name="set_version" mode="manual">
     <param name="basename">trivy</param>
   </service>
-  <service name="go_modules" mode="disabled">
+  <service name="go_modules" mode="manual">
     <param name="compression">zst</param>
   </service>
 </services>
diff --git a/_servicedata b/_servicedata
index 9abcb76..df0565d 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/aquasecurity/trivy</param>
-              <param name="changesrevision">d19c7d9f292759848aa77109357b405a64716c78</param></service></servicedata>
\ No newline at end of file
+              <param name="changesrevision">6ccc0a554b07b05fd049f882a1825a0e1e0aabe1</param></service></servicedata>
\ No newline at end of file
diff --git a/trivy-0.44.0.tar.zst b/trivy-0.44.0.tar.zst
deleted file mode 100644
index f773913..0000000
--- a/trivy-0.44.0.tar.zst
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:190ab990a011bbdd520a50d6d3717720aa94865564230dbbc2cd5c40ded5ef17
-size 43435292
diff --git a/trivy-0.49.1.tar.zst b/trivy-0.49.1.tar.zst
new file mode 100644
index 0000000..9b3a01f
--- /dev/null
+++ b/trivy-0.49.1.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af2581e711ad9215913b5665699bd04afda7e5f952ce1200558a6efe16b7fd83
+size 37063408
diff --git a/trivy.changes b/trivy.changes
index c142c70..754e9fc 100644
--- a/trivy.changes
+++ b/trivy.changes
@@ -1,3 +1,357 @@
+-------------------------------------------------------------------
+Thu Feb 08 12:51:32 UTC 2024 - dmueller@suse.com
+
+- Update to version 0.49.1:
+  * fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
+  * docs: Fix broken link to "pronunciation" (#6057)
+  * chore(deps): bump actions/upload-artifact from 3 to 4 (#6047)
+  * chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#6042)
+  * chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#6043)
+  * ci: reduce `root-reserve-mb` size for `maximize-build-space` (#6064)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#6041)
+  * chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#6039)
+  * fix: fix cursor usage in Redis Clear function (#6056)
+  * chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#6037)
+  * fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
+  * chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#6046)
+  * chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#6044)
+  * chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#6048)
+  * test: fix flaky `TestDockerEngine` (#6054)
+  * chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#6040)
+  * chore(deps): bump easimon/maximize-build-space from 9 to 10 (#6049)
+  * chore(deps): bump alpine from 3.19.0 to 3.19.1 (#6051)
+  * chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#6028)
+  * fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
+  * chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#6029)
+  * fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
+  * feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
+  * docs: add note about Bun (#6001)
+  * fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
+  * fix: check returned error before deferring f.Close() (#6007)
+  * feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
+  * feat(vuln): enable `--vex` for all targets (#5992)
+  * docs: update link to data sources (#6000)
+  * feat(java): add support for line numbers for pom.xml files (#5991)
+  * refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
+  * docs: Update troubleshooting guide with image not found error (#5983)
+  * style: update band logos (#5968)
+  * chore(deps): Update misconfig deps (#5956)
+  * docs: update cosign tutorial and commands, update kyverno policy (#5929)
+  * docs: update command to scan go binary (#5969)
+  * fix: handle non-parsable images names (#5965)
+  * chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#5693)
+  * fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
+  * fix(alpine): Add EOL support for alpine 3.19. (#5938)
+  * feat: allow end-users to adjust K8S client QPS and burst (#5910)
+  * chore(deps): bump go-ebs-file (#5934)
+  * fix(nodejs): find licenses for packages with slash (#5836)
+  * fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)
+  * fix: ignore no init containers (#5939)
+  * docs: Fix documentation of ecosystem (#5940)
+  * docs(misconf): multiple ignores in comment (#5926)
+  * fix(secret): find aws secrets ending with a comma or dot (#5921)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#5885)
+  * docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
+  * fix(java): don't remove excluded deps from upper pom's (#5838)
+  * fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)
+  * feat(vex): add PURL matching for CSAF VEX (#5890)
+  * fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)
+  * revert(report): don't escape new line characters for sarif format (#5897)
+  * docs: improve filter by rego (#5402)
+  * chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#5892)
+  * docs: add_scan2html_to_trivy_ecosystem (#5875)
+  * fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
+  * feat(vex): Add support for CSAF format (#5535)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#5880)
+  * chore(deps): bump actions/setup-go from 4 to 5 (#5845)
+  * chore(deps): bump actions/stale from 8 to 9 (#5846)
+  * chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#5853)
+  * chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#5847)
+  * chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#5854)
+  * chore(deps): bump alpine from 3.18.5 to 3.19.0 (#5849)
+  * chore(deps): bump actions/setup-python from 4 to 5 (#5848)
+  * feat(python): parse licenses from dist-info folder (#4724)
+  * chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#5852)
+  * feat(nodejs): add yarn alias support (#5818)
+  * chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#5850)
+  * chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#5856)
+  * chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#5855)
+  * refactor: propagate time through context values (#5858)
+  * refactor: move PkgRef under PkgIdentifier (#5831)
+  * fix(cyclonedx): fix unmarshal for licenses (#5828)
+  * chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#5830)
+  * feat(vuln): include pkg identifier on detected vulnerabilities (#5439)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (#5822)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#5809)
+  * chore(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#5805)
+
+-------------------------------------------------------------------
+Tue Dec 19 14:18:46 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.48.1:
+  * chore(deps): bump trivy-iac to v0.7.1 (#5797)
+  * fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
+  * refactor(sbom): disable html escaping for CycloneDX (#5764)
+  * refactor(purl): use `pub` from `package-url` (#5784)
+  * docs(python): add note to using `pip freeze` for `compatible releases` (#5760)
+  * fix(report): use OS information for OS packages purl in `github` template (#5783)
+  * fix(report): fix error if miconfigs are empty (#5782)
+  * refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
+  * fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
+  * docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
+  * fix(report): update Gitlab template (#5721)
+  * feat(secret): add support of GitHub fine-grained tokens (#5740)
+  * fix(misconf): add an image misconf to result (#5731)
+  * feat(secret): added support of Docker registry credentials (#5720)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.18.45 to 1.25.11 (#5717)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.21.0 to 1.24.1 (#5701)
+
+-------------------------------------------------------------------
+Wed Dec 06 10:00:18 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.48.0:
+  * chore(deps): bump sigstore/cosign-installer from 4a861528be5e691840a69536975ada1d4c30349d to 1fc5bd396d372bee37d608f955b336615edf79c8 (#5696)
+  * chore(deps): bump helm/chart-testing-action from 2.4.0 to 2.6.1 (#5694)
+  * feat: filter k8s core components vuln results (#5713)
+  * feat(vuln): remove duplicates in Fixed Version (#5596)
+  * feat(report): output plugin (#4863)
+  * chore(deps): bump alpine from 3.18.4 to 3.18.5 (#5700)
+  * chore(deps): bump github.com/google/go-containerregistry from 0.16.1 to 0.17.0 (#5704)
+  * chore(deps): bump github.com/go-git/go-git/v5 from 5.8.1 to 5.10.1 (#5699)
+  * chore(deps): bump actions/github-script from 6 to 7 (#5697)
+  * chore(deps): bump easimon/maximize-build-space from 8 to 9 (#5695)
+  * docs: typo in modules.md (#5712)
+  * feat: Add flag to configure node-collector image ref (#5710)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.9.0 (#5702)
+  * chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.4 to 2.31.0 (#5698)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.1 to 1.4.0 (#5706)
+  * feat(misconf): Add `--misconfig-scanners` option (#5670)
+  * chore: bump Go to 1.21 (#5662)
+  * feat: Packagesprops support (#5605)
+  * chore(deps): Bump up trivy misconf deps (#5656)
+  * docs: update adopters discussion template (#5632)
+  * docs: terraform tutorial links updated to point to correct loc (#5661)
+  * fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)
+  * fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
+  * fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)
+  * docs: Update Arch Linux package URL in installation.md (#5619)
+  * chore: add prefix to image errors (#5601)
+  * docs(vuln): fix link anchor (#5606)
+  * docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
+  * fix: k8s friendly error messages kbom non cluster scans (#5594)
+  * feat: set InstalledFiles for DEB and RPM packages (#5488)
+  * fix(report): use time.Time for CreatedAt (#5598)
+  * test: retry containerd initialization (#5597)
+  * feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)
+  * test: mock VM walker (#5589)
+  * chore: bump node-collector v0.0.9 (#5591)
+  * feat(misconf): Add support for `--cf-params` for CFT (#5507)
+  * feat(flag): replace '--slow' with '--parallel' (#5572)
+  * fix(report): add escaping for Sarif format (#5568)
+  * chore: show a deprecation notice for `--scanners config` (#5587)
+  * feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
+  * test: mock RPM DB (#5567)
+  * feat: add aliases to '--scanners' (#5558)
+  * refactor: reintroduce output writer (#5564)
+  * chore(deps): bump google.golang.org/grpc from 1.58.2 to 1.58.3 (#5543)
+  * chore: not load plugins for auto-generating docs (#5569)
+  * chore: sort supported AWS services (#5570)
+  * fix: no schedule toleration (#5562)
+  * fix(cli): set correct `scanners` for `k8s` target (#5561)
+  * fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)
+  * refactor(misconf): Update refactored dependencies (#5245)
+  * feat(secret): add built-in rule for JWT tokens (#5480)
+  * fix: trivy k8s parse ecr image with arn (#5537)
+  * fix: fail k8s resource scanning (#5529)
+  * refactor(misconf): don't remove Highlighted in json format (#5531)
+  * docs(k8s): fix link in kubernetes.md (#5524)
+  * docs(k8s): fix whitespace in list syntax (#5525)
+
+-------------------------------------------------------------------
+Tue Nov 07 12:24:51 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.47.0:
+  * docs: add info that license scanning supports file-patterns flag (#5484)
+  * docs: add Zora integration into Ecosystem session (#5490)
+  * fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
+  * ci: use maximize build space for K8s tests (#5387)
+  * fix: correct error mismatch causing race in fast walks (#5516)
+  * docs: k8s vulnerability scanning (#5515)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.23.2 to 1.25.0 (#5506)
+  * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.2 to 2.3.0 (#5493)
+  * docs: remove glad for java datasources (#5508)
+  * chore(deps): bump github.com/testcontainers/testcontainers-go/modules/localstack from 0.21.0 to 0.26.0 (#5475)
+  * chore: remove unused logger attribute in amazon detector (#5476)
+  * fix: correct error mismatch causing race in fast walks (#5482)
+  * chore(deps): bump goreleaser/goreleaser-action from 4 to 5 (#5502)
+  * chore(deps): bump docker/build-push-action from 4 to 5 (#5500)
+  * chore(deps): bump github.com/package-url/packageurl-go from 0.1.2-0.20230812223828-f8bb31c1f10b to 0.1.2 (#5491)
+  * fix(server): add licenses to `BlobInfo` message (#5382)
+  * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#5501)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.17.18 to 1.21.0 (#5497)
+  * feat: scan vulns on k8s core component apps (#5418)
+  * fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)
+  * chore(deps): bump github.com/docker/docker from 24.0.5+incompatible to 24.0.7+incompatible (#5472)
+  * fix(sbom): save digests for package/application when scanning SBOM files (#5432)
+  * docs: fix the broken link (#5454)
+  * docs: fix error when installing `PyYAML` for gh pages (#5462)
+  * fix(java): download java-db once (#5442)
+  * chore(deps): bump google.golang.org/grpc from 1.57.0 to 1.57.1 (#5447)
+  * docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)
+  * feat(misconf): Support `--ignore-policy` in config scans (#5359)
+  * docs(misconf): fix broken table for `Use container image` section (#5425)
+  * feat(dart): add graph support (#5374)
+  * refactor: define a new struct for scan targets (#5397)
+  * fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)
+  * fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
+  * chore(deps): move to aws-sdk-go-v2 (#5381)
+  * docs: remove --scanners none (#5384)
+  * docs: Update container_image.md #5182 (#5193)
+  * feat(report): Add `InstalledFiles` field to Package (#4706)
+  * feat(k8s): add support for vulnerability detection (#5268)
+  * fix(python): override BOM in `requirements.txt` files (#5375)
+  * docs: add kbom documentation (#5363)
+  * test: use maximize build space for VM tests (#5362)
+  * chore(deps): bump golang.org/x/net from 0.15.0 to 0.17.0 (#5365)
+  * fix(report): add escaping quotes in misconfig Title for asff template (#5351)
+  * ci: add workflow to check Go versions of dependencies (#5340)
+  * chore(deps): Upgrade defsec to v0.93.1 (#5348)
+  * chore(deps): bump alpine from 3.18.3 to 3.18.4 (#5300)
+  * fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
+  * fix: add config files to FS for post-analyzers (#5333)
+  * fix: fix MIME warnings after updating to Go 1.20 (#5336)
+  * build: fix a compile error with Go 1.21 (#5339)
+  * feat: added `Metadata` into the k8s resource's scan report (#5322)
+  * ci: check only PR's in `actions/stale` (#5337)
+  * chore: update adopters template (#5330)
+  * ci: do not trigger tests on the push event (#5313)
+  * fix(sbom): use PURL or Group and Name in case of Java  (#5154)
+  * docs: add buildkite repository to ecosystem page (#5316)
+  * chore(deps): bump docker/setup-qemu-action from 2 to 3 (#5290)
+  * chore(deps): bump docker/setup-buildx-action from 2 to 3 (#5292)
+  * chore(deps): bump actions/cache from 3.3.1 to 3.3.2 (#5293)
+  * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#5286)
+  * chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#5289)
+  * chore: enable go-critic (#5302)
+  * chore(deps): bump actions/checkout from 3.6.0 to 4.1.0 (#5288)
+  * chore(deps): bump github.com/aws/aws-sdk-go from 1.45.3 to 1.45.19 (#5287)
+  * close java-db client (#5273)
+  * chore(deps): bump docker/login-action from 2 to 3 (#5291)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#5294)
+  * chore(deps): bump github.com/sigstore/rekor from 1.2.1 to 1.3.0 (#5304)
+  * chore(deps): bump github.com/opencontainers/image-spec (#5295)
+  * fix(report): removes git::http from uri in sarif (#5244)
+  * Improve the meaning of  sentence (#5301)
+  * chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.2.0 to 2.2.2 (#5297)
+  * chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#5296)
+  * add app nil check (#5274)
+  * typo: in secret.md (#5281)
+  * docs: add info about `github` format (#5265)
+  * feat(dotnet): add license support for NuGet (#5217)
+  * docs: correctly export variables (#5260)
+  * chore: Add line numbers for lint output (#5247)
+  * chore(cli): disable java-db flags in server mode (#5263)
+  * feat(db): allow passing registry options (#5226)
+  * chore(deps): Bump up defsec to v0.93.0 (#5253)
+  * refactor(purl): use TypeApk from purl (#5232)
+  * chore: enable more linters (#5228)
+  * ci: bump GoReleaser from 1.16.2 to 1.20.0 (#5236)
+  * Fix typo on ide.md (#5239)
+  * refactor: use defined types (#5225)
+  * fix(purl): skip local Go packages (#5190)
+  * docs: update info about license scanning in Yarn projects (#5207)
+  * ci: auto apply labels (#5200)
+  * fix link (#5203)
+  * fix(purl): handle rust types (#5186)
+  * chore: auto-close issues (#5177)
+  * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#5093)
+  * fix(k8s): kbom support addons labels (#5178)
+  * test: validate SPDX with the JSON schema (#5124)
+  * chore: bump trivy-kubernetes-latest (#5161)
+  * docs: add 'Signature Verification' guide (#4731)
+  * docs: add image-scanner-with-trivy for ecosystem (#5159)
+  * fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
+  * chore(deps): bump github.com/CycloneDX/cyclonedx-go (#5102)
+  * Update filtering.md (#5131)
+  * chore(deps): bump sigstore/cosign-installer (#5104)
+  * chore(deps): bump github.com/cyphar/filepath-securejoin (#5143)
+  * chore(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (#5103)
+  * chore(deps): bump easimon/maximize-build-space from 7 to 8 (#5105)
+  * chore(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.45.3 (#5126)
+  * chaging adopters discussion tempalte (#5091)
+  * chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.2 to 3.1.4 (#5092)
+  * chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.2 to 2.0.6 (#5094)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#5095)
+  * chore(deps): bump github.com/containerd/containerd from 1.7.3 to 1.7.5 (#5097)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5098)
+  * chore(deps): bump actions/checkout from 3.5.3 to 3.6.0 (#5106)
+  * docs: add Bitnami (#5078)
+  * feat(docker): add support for scanning Bitnami components (#5062)
+  * feat: add support for .trivyignore.yaml (#5070)
+  * fix(terraform): improve detection of terraform files (#4984)
+  * feat: filter artifacts on --exclude-owned flag (#5059)
+  * fix(sbom): cyclonedx advisory should omit `null` value (#5041)
+  * build: maximize build space for build tests (#5072)
+  * feat: improve kbom component name (#5058)
+  * fix(pom): add licenses for pom artifacts (#5071)
+  * chore(deps): Update defsec to v0.92.0 (#5068)
+  * chore: bump Go to `1.20` (#5067)
+  * feat: PURL matching with qualifiers in OpenVEX (#5061)
+  * feat(java): add graph support for pom.xml (#4902)
+  * feat(swift): add vulns for cocoapods (#5037)
+  * fix: support image pull secret for additional workloads (#5052)
+  * fix: #5033 Superfluous double quote in html.tpl (#5036)
+  * docs(repo): update trivy repo usage and example (#5049)
+  * perf: Optimize Dockerfile for reduced layers and size (#5038)
+  * feat: scan K8s Resources Kind with --all-namespaces (#5043)
+  * fix: vulnerability typo (#5044)
+  * docs: adding a terraform tutorial to the docs (#3708)
+  * feat(report): add licenses to sarif format (#4866)
+  * feat(misconf): show the resource name in the report (#4806)
+  * chore: update alpine base images (#5015)
+  * feat: add Package.resolved swift files support (#4932)
+  * feat(nodejs): parse licenses in yarn projects (#4652)
+  * fix: k8s private registries support (#5021)
+  * bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
+  * feat(vuln): support last_affected field from osv (#4944)
+  * feat(server): add version endpoint (#4869)
+  * feat: k8s private registries support (#4987)
+  * fix(server): add indirect prop to package (#4974)
+  * docs: add coverage (#4954)
+  * feat(c): add location for lock file dependencies. (#4994)
+  * docs: adding blog post on ec2 (#4813)
+  * revert 32bit bins (#4977)
+  * chore(deps): bump github.com/xlab/treeprint from 1.1.0 to 1.2.0 (#4917)
+
+-------------------------------------------------------------------
+Thu Aug 10 10:51:52 UTC 2023 - dmueller@suse.com
+
+- Update to version 0.44.1:
+  * fix(report): return severity colors in table format (#4969)
+  * build: maximize available disk space for release (#4937)
+  * test(cli): Fix assertion helptext (#4966)
+  * chore(deps): Bump defsec to v0.91.1 (#4965)
+  * test: validate CycloneDX with the JSON schema (#4956)
+  * fix(server): add licenses to the Result message (#4955)
+  * fix(aws): resolve endpoint if endpoint is passed (#4925)
+  * fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)
+  * add only uniq deps in dependsOn (#4943)
+  * use testify instead of gotest.tools (#4946)
+  * fix(nodejs): do not detect lock file in node_modules as an app (#4949)
+  * bump go-dep-parser (#4936)
+  * chore(deps): bump github.com/openvex/go-vex from 0.2.0 to 0.2.1 (#4914)
+  * chore(deps): bump helm/kind-action from 1.7.0 to 1.8.0 (#4909)
+  * chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore (#4912)
+  * test(aws): move part of unit tests to integration (#4884)
+  * docs(cli): update help string for file and dir skipping (#4872)
+  * chore(deps): bump sigstore/cosign-installer (#4910)
+  * chore(deps): bump github.com/sosedoff/gitkit from 0.3.0 to 0.4.0 (#4916)
+  * chore(deps): bump k8s.io/api from 0.27.3 to 0.27.4 (#4918)
+  * chore(deps): bump github.com/secure-systems-lab/go-securesystemslib (#4919)
+  * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#4913)
+  * chore(deps): bump github.com/magefile/mage from 1.14.0 to 1.15.0 (#4915)
+  * docs: update the discussion template (#4928)
+
 -------------------------------------------------------------------
 Thu Aug 03 11:21:12 UTC 2023 - dmueller@suse.com
 
diff --git a/trivy.spec b/trivy.spec
index 039e0a7..4641bda 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -17,7 +17,7 @@
 
 
 Name:           trivy
-Version:        0.44.0
+Version:        0.49.1
 Release:        0
 Summary:        A Simple and Comprehensive Vulnerability Scanner for Containers
 License:        Apache-2.0
@@ -25,9 +25,9 @@ Group:          System/Management
 URL:            https://github.com/aquasecurity/trivy
 Source:         %{name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
+BuildRequires:  golang(API) = 1.21
 BuildRequires:  golang-packaging
 BuildRequires:  zstd
-BuildRequires:  golang(API) = 1.19
 Requires:       ca-certificates
 Requires:       git-core
 Requires:       rpm
diff --git a/vendor.obscpio b/vendor.obscpio
deleted file mode 100644
index 0c27c9b..0000000
--- a/vendor.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f44cf2cabdc09d63678bdb9cf4c5b82b4a96a7e960f22243e230c579299bb094
-size 307762556
diff --git a/vendor.tar.zst b/vendor.tar.zst
index 84fe870..26a25e2 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:707a5cf67a90ba306e85f858c6f6172b9c43a8bba127bf47a6749be278b1f557
-size 19359855
+oid sha256:4c586bca703cce84f944618187ea5e2a8f6acab677c5ac3aa3a8e714d54d80c4
+size 20136283