openSUSE-SU-2023:0064-1

This update for trivy fixes the following issues:

Update to version 0.37.3 (boo#1208091, CVE-2023-25165):

• chore(helm): update Trivy from v0.36.1 to v0.37.2 (#3574)
• ci: quote pros in c++ for semantic pr (#3605)
• fix(image): check proxy settings from env for remote images (#3604)

Update to version 0.37.2:

• BREAKING: use normalized trivy-java-db (#3583)
• fix(image): add timeout for remote images (#3582)
• fix(misconf): handle dot files better (#3550)

Update to version 0.37.1:

• fix(sbom): download the Java DB when generating SBOM (#3539)
• fix: use cgo free sqlite driver (#3521)
• ci: fix path to dist folder (#3527)

Update to version 0.37.0:

• fix(image): close layers (#3517)
• refactor: db client changed (#3515)
• feat(java): use trivy-java-db to get GAV (#3484)
• docs: add note about the limitation in Rekor (#3494)
• docs: aggregate targets (#3503)
• deps: updates wazero to 1.0.0-pre.8 (#3510)
• docs: add alma 9 and rocky 9 to supported os (#3513)
• chore: add missing target labels (#3504)
• docs: add java vulnerability page (#3429)
• feat(image): add support for Docker CIS Benchmark (#3496)
• feat(image): secret scanning on container image config (#3495)
• chore(deps): Upgrade defsec to v0.82.8 (#3488)
• feat(image): scan misconfigurations in image config (#3437)
• chore(helm): update Trivy from v0.30.4 to v0.36.1 (#3489)
• feat(k8s): add node info resource (#3482)
• perf(secret): optimize secret scanning memory usage (#3453)
• feat: support aliases in CLI flag, env and config (#3481)
• fix(k8s): migrate rbac k8s (#3459)
• feat(java): add implementationVendor and specificationVendor fields to detect GroupID from MANIFEST.MF (#3480)
• refactor: rename security-checks to scanners (#3467)
• chore: display the troubleshooting URL for the DB denial error (#3474)
• docs: yaml tabs to spaces, auto create namespace (#3469)
• docs: adding show-and-tell template to GH discussions (#3391)
• fix: Fix a temporary file leak in case of error (#3465)
• fix(test): sort cyclonedx components (#3468)
• docs: fixing spelling mistakes (#3462)
• ci: set paths triggering VM tests in PR (#3438)
• docs: typo in --skip-files (#3454)
• feat(custom-forward): Extended advisory data (#3444)
• docs: fix spelling error (#3436)
• refactor(image): extend image config analyzer (#3434)
• fix(nodejs): add ignore protocols to yarn parser (#3433)
• fix(db): check proxy settings when using insecure flag (#3435)
• feat(misconf): Fetch policies from OCI registry (#3015)
• ci: downgrade Go to 1.18 and use stable and oldstable go versions for unit tests (#3413)
• ci: store URLs to Github Releases in RPM repository (#3414)
• feat(server): add support of skip-db-update flag for hot db update (#3416)
• fix(image): handle wrong empty layer detection (#3375)
• test: fix integration tests for spdx and cycloneDX (#3412)
• feat(python): Include Conda packages in SBOMs (#3379)
• feat: add support pubspec.lock files for dart (#3344)
• fix(image): parsePlatform is failing with UNAUTHORIZED error (#3326)
• fix(license): change normalize for GPL-3+-WITH-BISON-EXCEPTION (#3405)
• feat(server): log errors on server side (#3397)
• docs: rewrite installation docs and general improvements (#3368)
• chore: update code owners (#3393)
• chore: test docs separately from code (#3392)
• docs: use the formula maintained by Homebrew (#3389)
• docs: add Security Management section with SonarQube plugin

Update to version 0.36.1:

• fix(deps): fix errors on yarn.lock files that contain local file reference (#3384)
• feat(flag): early fail when the format is invalid (#3370)
• docs(aws): fix broken links (#3374)

Update to version 0.36.0:

• docs: improve compliance docs (#3340)
• feat(deps): add yarn lock dependency tree (#3348)
• fix: compliance change id and title naming (#3349)
• feat: add support for mix.lock files for elixir language (#3328)
• feat: add k8s cis bench (#3315)
• test: disable SearchLocalStoreByNameOrDigest test for non-amd64 arch (#3322)
• revert: cache merged layers (#3334)
• feat(cyclonedx): add recommendation (#3336)
• feat(ubuntu): added support ubuntu ESM versions (#1893)
• fix: change logic to build relative paths for skip-dirs and skip-files (#3331)
• feat: Adding support for Windows testing (#3037)
• feat: add support for Alpine 3.17 (#3319)
• docs: change PodFile.lock to Podfile.lock (#3318)
• fix(sbom): support for the detection of old CycloneDX predicate type (#3316)
• feat(secret): Use .trivyignore for filtering secret scanning result (#3312)
• chore(go): remove experimental FS API usage in Wasm (#3299)
• ci: add workflow to add issues to roadmap project (#3292)
• fix(vuln): include duplicate vulnerabilities with different package paths in the final report (#3275)
• feat(sbom): better support for third-party SBOMs (#3262)
• docs: add information about languages with support for dependency locations (#3306)
• feat(vm): add region option to vm scan to be able to scan any region's ami and ebs snapshots (#3284)
• fix(vuln): change severity vendor priority for ghsa-ids and vulns from govuln (#3255)
• docs: remove comparisons (#3289)
• feat: add support for Wolfi Linux (#3215)
• ci: add go.mod to canary workflow (#3288)
• feat(python): skip dev dependencies (#3282)
• chore: update ubuntu version for Github action runnners (#3257)
• fix(go): skip dep without Path for go-binaries (#3254)
• feat(rust): add ID for cargo pgks (#3256)
• feat: add support for swift cocoapods lock files (#2956)
• fix(sbom): use proper constants (#3286)
• test(vm): import relevant analyzers (#3285)
• feat: support scan remote repository (#3131)
• docs: fix typo in fluxcd (#3268)
• docs: fix broken 'ecosystem' link in readme (#3280)
• feat(misconf): Add compliance check support (#3130)
• docs: Adding Concourse resource for trivy (#3224)
• chore(deps): change golang from 1.19.2 to 1.19 (#3249)
• fix(sbom): duplicate dependson (#3261)
• chore(go): updates wazero to 1.0.0-pre.4 (#3242)
• feat(report): add dependency locations to sarif format (#3210)
• fix(rpm): add rocky to osVendors (#3241)
• docs: fix a typo (#3236)
• feat(dotnet): add dependency parsing for nuget lock files (#3222)
• docs: add pre-commit hook to community tools (#3203)
• feat(helm): pass arbitrary env vars to trivy (#3208)

Update to version 0.35.0:

• chore(vm): update xfs filesystem parser for change log (#3230)
• feat: add virtual machine scan command (#2910)
• docs: reorganize index and readme (#3026)
• fix: slowSizeThreshold should be less than defaultSizeThreshold (#3225)
• feat: Export functions for trivy plugin (#3204)
• feat(image): add support wildcard for platform os (#3196)
• fix: load compliance report from file system (#3161)
• fix(suse): use package name to get advisories (#3199)
• docs(image): space issues during image scan (#3190)
• feat(containerd): scan image by digest (#3075)
• fix(vuln): add package name to title (#3183)
• fix: present control status instead of compliance percentage in compliance report (#3181)
• perf(license): remove go-enry/go-license-detector. (#3187)
• fix: workdir command as empty layer (#3087)
• docs: reorganize ecosystem section (#3025)
• feat(dotnet): add support dependency location for dotnet-core files (#3095)
• feat(dotnet): add support dependency location for nuget lock files (#3032)
• chore: update code owners for misconfigurations (#3176)
• feat: add slow mode (#3084)
• docs: fix typo in enable-builin-rules mentions (#3118)
• feat: Add maintainer field to OS packages (#3149)
• docs: fix some typo (#3171)
• docs: fix links on Built-in Policies page (#3124)
• fix: Perform filepath.Clean first and then filepath.ToSlash for skipFile/skipDirs settings (#3144)
• chore: use newline for semantic pr (#3172)
• fix(spdx): rename describes field in spdx (#3102)
• chore: handle GOPATH with several paths in make file (#3092)
• docs(flag): add 'rego' configuration file options (#3165)
• chore(go): updates wazero to 1.0.0-pre.3 (#3090)
• docs(license): fix typo inside quick start (#3134)
• chore: update codeowners for docs (#3135)
• fix(cli): exclude --compliance flag from non supported sub-commands (#3158)
• fix: remove --security-checks none from image help (#3156)
• fix: compliance flag description (#3160)
• docs(k8s): fix a typo (#3163)

Update to version 0.34.0:

• feat(vuln): support dependency graph for RHEL/CentOS (#3094)
• feat(vuln): support dependency graph for dpkg and apk (#3093)
• perf(license): enable license classifier only with '--license-full' (#3086)
• feat(report): add secret scanning to ASFF template (#2860)
• feat: Allow override of containerd namespace (#3060)
• fix(vuln): In alpine use Name as SrcName (#3079)
• fix(secret): Alibaba AccessKey ID (#3083)

Update to version 0.33.0:

• refactor(k8s): custom reports (#3076)
• fix(misconf): Bump in-toto-golang with correct CycloneDX predicate (#3068)
• feat(image): add support for passing architecture and OS (#3012)
• test: disable containerd integration tests for non-amd64 arch (#3073)
• feat(server): Add support for client/server mode to rootfs command (#3021)
• feat(vuln): support non-packaged binaries (#3019)
• feat: compliance reports (#2951)
• fix(flag): disable flag parsing for each plugin command (#3074)
• feat(nodejs): add support dependency location for yarn.lock files (#3016)
• chore: Switch github.com/liamg dependencies to github.com/aquasecurity (#3069)
• feat: add k8s components (#2589)
• fix(secret): update the regex for secrets scanning (#2964)
• fix: bump trivy-kubernetes (#3064)
• docs: fix missing 'image' subcommand (#3051)
• chore: Patch golang x/text vulnerability (#3046)
• chore: add licensed project logo (#3058)
• feat(ubuntu): set Ubuntu 22.10 EOL (#3054)
• refactor(analyzer): use strings.TrimSuffix instead of strings.HasSuffix (#3028)
• feat(report): Use understandable value for shortDescription in SARIF reports (#3009)
• docs(misconf): fix typo (#3043)
• feat: add support for scanning azure ARM (#3011)
• feat(report): add location.message to SARIF output (#3002) (#3003)
• feat(nodejs): add dependency line numbers for npm lock files (#2932)
• test(fs): add --skip-files, --skip-dirs (#2984)
• docs: add Woodpecker CI integrations example (#2823)
• fix(sbom): ref generation if serialNumber is empty when input is cyclonedx file (#3000)
• fix(java): don't stop parsing jar file when wrong inner jar is found (#2989)
• fix(sbom): use nuget purl type for dotnet-core (#2990)
• perf: retrieve rekor entries in bulk (#2987)
• feat(aws): Custom rego policies for AWS scanning (#2994)
• docs: jq cli formatting (#2881)
• docs(repo): troubleshooting $TMPDIR customization (#2985)
• chore: run go fmt (#2897)
• chore(go): updates wazero to 1.0.0-pre.2 (#2955)
• fix(aws): Less function for slice sorting always returns false #2967
• fix(java): fix unmarshal pom exclusions (#2936)

Update to version 0.32.1:

• fix(java): use fields of dependency from dependencyManagement from upper pom.xml to parse deps (#2943)
• chore: expat lib and go binary deps vulns (#2940)
• wasm: Removes accidentally exported memory (#2950)
• fix(sbom): fix package name separation for gradle (#2906)
• docs(readme.md): fix broken integrations link (#2931)
• fix(image): handle images with single layer in rescan mergedLayers cache (#2927)
• fix(cli): split env values with ',' for slice flags (#2926)
• fix(cli): config/helm: also take into account files with .yml (#2928)
• fix(flag): add file-patterns flag for config subcommand (#2925)

Update to version 0.32.0:

• docs: add Rekor SBOM attestation scanning (#2893)
• chore: narrow the owner scope (#2894)
• fix: remove a patch number from the recommendation link (#2891)
• fix: enable parsing of UUID-only rekor entry ID (#2887)
• docs(sbom): add SPDX scanning (#2885)
• docs: restructure docs and add tutorials (#2883)
• feat(sbom): scan sbom attestation in the rekor record (#2699)
• feat(k8s): support outdated-api (#2877)
• fix(c): support revisions in Conan parser (#2878)
• feat: dynamic links support for scan results (#2838)
• docs: update archlinux commands (#2876)
• feat(secret): add line from dockerfile where secret was added to secret result (#2780)
• feat(sbom): Add unmarshal for spdx (#2868)
• fix: revert asff arn and add documentation (#2852)
• docs: batch-import-findings limit (#2851)
• feat(sbom): Add marshal for spdx (#2867)
• build: checkout before setting up Go (#2873)
• docs: azure doc and trivy (#2869)
• fix: Scan tarr'd dependencies (#2857)
• chore(helm): helm test with ingress (#2630)
• feat(report): add secrets to sarif format (#2820)
• refactor: add a new interface for initializing analyzers (#2835)
• fix: update ProductArn with account id (#2782)
• feat(helm): make cache TTL configurable (#2798)
• build(): Sign releaser artifacts, not only container manifests (#2789)
• chore: improve doc about azure devops (#2795)
• docs: don't push patch versions (#2824)
• feat: add support for conan.lock file (#2779)
• feat: cache merged layers
• feat: add support for gradle.lockfile (#2759)
• feat: move file patterns to a global level to be able to use it on any analyzer (#2539)
• Fix url validaton failures (#2783)
• fix(image): add logic to detect empty layers (#2790)
• feat(rust): add dependency graph from Rust binaries (#2771)

Update to version 0.31.3:

• fix: handle empty OS family (#2768)
• fix: fix k8s summary report (#2777)
• fix: don't skip packages that don't contain vulns, when using --list-all-pkgs flag (#2767)
• chore: bump trivy-kubernetes (#2770)
• fix(secret): Consider secrets in rpc calls (#2753)
• fix(java): check depManagement from upper pom's (#2747)
• fix(php): skip composer.lock inside vendor folder (#2718)
• fix: fix k8s rbac filter (#2765)
• feat(misconf): skipping misconfigurations by AVD ID (#2743)
• chore(deps): Upgrade Alpine to 3.16.2 to fix zlib issue (#2741)
• docs: add MacPorts install instructions (#2727)
• docs: typo (#2730)

Update to version 0.31.2:

• fix: Correctly handle recoverable AWS scanning errors (#2726)
• docs: Remove reference to SecurityAudit policy for AWS scanning (#2721)

Update to version 0.31.1:

• fix: upgrade defsec to v0.71.7 for elb scan panic (#2720)

Update to version 0.31.0:

• fix(flag): add error when there are no supported security checks (#2713)
• fix(vuln): continue scanning when no vuln found in the first application (#2712)
• revert: add new classes for vulnerabilities (#2701)
• feat(secret): detect secrets removed or overwritten in upper layer (#2611)
• fix(cli): secret scanning perf link fix (#2607)
• chore(deps): bump github.com/spf13/viper from 1.8.1 to 1.12.0 (#2650)
• feat: Add AWS Cloud scanning (#2493)
• docs: specify the type when verifying an attestation (#2697)
• docs(sbom): improve SBOM docs by adding a description for scanning SBOM attestation (#2690)
• fix(rpc): scanResponse rpc conversion for custom resources (#2692)
• feat(rust): Add support for cargo-auditable (#2675)
• feat: Support passing value overrides for configuration checks (#2679)
• feat(sbom): add support for scanning a sbom attestation (#2652)
• chore(image): skip symlinks and hardlinks from tar scan (#2634)
• fix(report): Update junit.tpl (#2677)
• fix(cyclonedx): add nil check to metadata.component (#2673)
• docs(secret): fix missing and broken links (#2674)
• refactor(cyclonedx): implement json.Unmarshaler (#2662)
• feat(kubernetes): add option to specify kubeconfig file path (#2576)
• docs: follow Debian's 'instructions to connect to a third-party repository' (#2511)
• feat(alma): set AlmaLinux 9 EOL (#2653)
• fix(misconf): Allow quotes in Dockerfile WORKDIR when detecting relative dirs (#2636)
• test(misconf): add tests for misconf handler for dockerfiles (#2621)
• feat(oracle): set Oracle Linux 9 EOL (#2635)
• BREAKING: add new classes for vulnerabilities (#2541)
• fix(secret): add newline escaping for asymmetric private key (#2532)
• docs: improve formatting (#2572)
• feat(helm): allows users to define an existing secret for tokens (#2587)
• docs(mariner): use tdnf in fs usage example (#2616)
• docs: remove unnecessary double quotation marks (#2609)
• fix: Fix --file-patterns flag (#2625)
• feat(report): add support for Cosign vulnerability attestation (#2567)
• docs(mariner): use v2.0 in examples (#2602)
• feat(report): add secrets template for codequality report (#2461)