openSUSE-SU-2024:0268-1

trivy was updated to fix the following issues:

Update to version 0.54.1:

• fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285)
• fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
• fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
• docs: update ecosystem page reporting with plopsec.com app (#7262)
• feat(vex): retrieve VEX attestations from OCI registries (#7249)
• feat(sbom): add image labels into SPDX and CycloneDX reports (#7257)
• refactor(flag): return error if both --download-db-only and --download-java-db-only are specified (#7259)
• fix(nodejs): detect direct dependencies when using latest version for files yarn.lock + package.json (#7110)
• chore: show VEX notice for OSS maintainers in CI environments (#7246)
• feat(vuln): add --pkg-relationships (#7237)
• docs: show VEX cli pages + update config file page for VEX flags (#7244)
• fix(dotnet): show nuget package dir not found log only when checking nuget packages (#7194)
• feat(vex): VEX Repository support (#7206)
• fix(secret): skip regular strings contain secret patterns (#7182)
• feat: share build-in rules (#7207)
• fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
• fix(cli): error on missing config file (#7154)
• fix(secret): update length of hugging-face-access-token (#7216)
• feat(sbom): add vulnerability support for SPDX formats (#7213)
• fix(secret): trim excessively long lines (#7192)
• chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
• fix(server): pass license categories to options (#7203)
• feat(mariner): Add support for Azure Linux (#7186)
• docs: updates config file (#7188)
• refactor(fs): remove unused field for CompositeFS (#7195)
• fix: add missing platform and type to spec (#7149)
• feat(misconf): enabled China configuration for ACRs (#7156)
• fix: close file when failed to open gzip (#7164)
• docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
• docs(misconf): add info about limitations for terraform plan json (#7143)
• chore: add VEX for Trivy images (#7140)
• chore: add VEX document and generator for Trivy (#7128)
• fix(misconf): do not evaluate TF when a load error occurs (#7109)
• feat(cli): rename --vuln-type flag to --pkg-types flag (#7104)
• refactor(secret): move warning about file size after IsBinary check (#7123)
• feat: add openSUSE tumbleweed detection and scanning (#6965)
• test: add missing advisory details for integration tests database (#7122)
• fix: Add dependencyManagement exclusions to the child exclusions (#6969)
• fix: ignore nodes when listing permission is not allowed (#7107)
• fix(java): use go-mvn-version to remove Package duplicates (#7088)
• refactor(secret): add warning about large files (#7085)
• feat(nodejs): add license parser to pnpm analyser (#7036)
• refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
• feat: add log.FilePath() function for logger (#7080)
• chore: bump golangci-lint from v1.58 to v1.59 (#7077)
• perf(debian): use bytes.Index in emptyLineSplit to cut allocation (#7065)
• refactor: pass DB dir to trivy-db (#7057)
• docs: navigate to the release highlights and summary (#7072)

Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):

• feat(conda): add licenses support for environment.yml files (#6953)
• fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
• feat: add memory cache backend (#7048)
• fix(sbom): use package UIDs for uniqueness (#7042)
• feat(php): add installed.json file support (#4865)
• docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
• fix: use embedded when command path not found (#7037)
• refactor: use google/wire for cache (#7024)
• fix(cli): show info message only when --scanners is available (#7032)
• chore: enable float-compare rule from testifylint (#6967)
• docs: Add sudo on commands, chmod before mv on install docs (#7009)
• fix(plugin): respect --insecure (#7022)
• feat(k8s)!: node-collector dynamic commands support (#6861)
• fix(sbom): take pkg name from purl for maven pkgs (#7008)
• feat!: add clean subcommand (#6993)
• chore: use ! for breaking changes (#6994)
• feat(aws)!: Remove aws subcommand (#6995)
• refactor: replace global cache directory with parameter passing (#6986)
• fix(sbom): use purl for bitnami pkg names (#6982)
• chore: bump Go toolchain version (#6984)
• refactor: unify cache implementations (#6977)
• docs: non-packaged and sbom clarifications (#6975)
• BREAKING(aws): Deprecate trivy aws as subcmd in favour of a plugin (#6819)
• docs: delete unknown URL (#6972)
• refactor: use version-specific URLs for documentation references (#6966)
• refactor: delete db mock (#6940)
• refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
• feat: Add local ImageID to SARIF metadata (#6522)
• fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
• feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
• feat(java): add support for maven-metadata.xml files for remote snapshot repositories. (#6950)
• fix(purl): add missed os types (#6955)
• fix(cyclonedx): trim non-URL info for advisory.url (#6952)
• fix(c): don't skip conan files from file-patterns and scan .conan2 cache dir (#6949)
• fix(image): parse image.inspect.Created field only for non-empty values (#6948)
• fix(misconf): handle source prefix to ignore (#6945)
• fix(misconf): fix parsing of engine links and frameworks (#6937)
• feat(misconf): support of selectors for all providers for Rego (#6905)
• fix(license): return license separation using separators ,, or, etc. (#6916)
• feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
• BREAKING(misconf): flatten recursive types (#6862)
• test: bump docker API to 1.45 (#6914)
• feat(sbom): migrate to CycloneDX v1.6 (#6903)
• feat(image): Set User-Agent header for Trivy container registry requests (#6868)
• fix(debian): take installed files from the origin layer (#6849)
• fix(nodejs): fix infinite loop when package link from package-lock.json file is broken (#6858)
• feat(misconf): API Gateway V1 support for CloudFormation (#6874)
• feat(plugin): add support for nested archives (#6845)
• fix(sbom): don't overwrite srcEpoch when decoding SBOM files (#6866)
• fix(secret): Asymmetric Private Key shouldn't start with space (#6867)
• chore: auto label discussions (#5259)
• docs: explain how VEX is applied (#6864)
• fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852)
• fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)
• feat(dart): use first version of constraint for dependencies using SDK version (#6239)
• fix(misconf): parsing numbers without fraction as int (#6834)
• fix(misconf): fix caching of modules in subdirectories (#6814)
• feat(misconf): add metadata to Cloud schema (#6831)
• test: replace embedded Git repository with dynamically created repository (#6824)

Update to version 0.52.2:

• test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
• fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)

Update to version 0.52.1:

• fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888)
• fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881)
• fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878)
• docs: explain how VEX is applied (#6864)
• fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)

Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):

• fix(plugin): initialize logger (#6836)
• fix(cli): always output fatal errors to stderr (#6827)
• fix: close testfile (#6830)
• docs(julia): add scanner table (#6826)
• feat(python): add license support for requirement.txt files (#6782)
• docs: add more workarounds for out-of-disk (#6821)
• chore: improve error message for image not found (#6822)
• fix(sbom): fix panic for convert mode when scanning json file derived from sbom file (#6808)
• fix: clean up golangci lint configuration (#6797)
• fix(python): add package name and version validation for requirements.txt files. (#6804)
• feat(vex): improve relationship support in CSAF VEX (#6735)
• chore(alpine): add eol date for Alpine 3.20 (#6800)
• docs(plugin): add missed plugin section (#6799)
• fix: include packages unless it is not needed (#6765)
• feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
• chore: replace interface{} with any (#6751)
• fix: close settings.xml (#6768)
• refactor(go): add priority for gobinary module versions from ldflags (#6745)
• build: use main package instead of main.go (#6766)
• feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
• docs: add info on adding compliance checks (#6275)
• docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
• feat(nodejs): add v9 pnpm lock file support (#6617)
• feat(vex): support non-root components for products in OpenVEX (#6728)
• feat(python): add line number support for requirement.txt files (#6729)
• chore: respect timeout value in .golangci.yaml (#6724)
• fix: node-collector high and critical cves (#6707)
• Merge pull request from GHSA-xcq4-m2r3-cmrj
• chore: auto-bump golang patch versions (#6711)
• fix(misconf): don't shift ignore rule related to code (#6708)
• feat(plugin): specify plugin version (#6683)
• chore: enforce golangci-lint version (#6700)
• fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#6705)
• fix(go): add only non-empty root modules for gobinaries (#6710)
• refactor: unify package addition and vulnerability scanning (#6579)
• fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
• feat(misconf): Add support for deprecating a check (#6664)
• feat: Add Julia language analyzer support (#5635)
• feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
• fix(report): hide empty tables if all vulns has been filtered (#6352)
• feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
• feat: add support for plugin index (#6674)
• docs: add support table for client server mode (#6498)
• fix: close APKINDEX archive file (#6672)
• fix(misconf): skip Rego errors with a nil location (#6666)
• refactor: move artifact types under artifact package to avoid import cycles (#6652)
• refactor(misconf): remove extrafs (#6656)
• refactor: re-define module structs for serialization (#6655)
• chore(misconf): Clean up iac logger (#6642)
• feat(misconf): support symlinks inside of Helm archives (#6621)
• feat(misconf): add Terraform 'removed' block to schema (#6640)
• refactor: unify Library and Package structs (#6633)
• fix: use of specified context to obtain cluster name (#6645)
• perf(misconf): parse rego input once (#6615)
• fix(misconf): skip Rego errors with a nil location (#6638)
• docs: link warning to both timeout config options (#6620)
• docs: fix usage of image-config-scanners (#6635)

Update to version 0.51.1:

• fix(fs): handle default skip dirs properly (#6628)
• fix(misconf): load cached tf modules (#6607)
• fix(misconf): do not use semver for parsing tf module versions (#6614)
• refactor: move setting scanners when using compliance reports to flag parsing (#6619)
• feat: introduce package UIDs for improved vulnerability mapping (#6583)
• perf(misconf): Improve cause performance (#6586)
• docs: trivy-k8s new experiance remove un-used section (#6608)
• docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
• feat(misconf): Use updated terminology for misconfiguration checks (#6476)
• docs: use generic link from trivy-repo (#6606)
• docs: update trivy k8s with new experience (#6465)
• feat: support --skip-images scanning flag (#6334)
• BREAKING: add support for k8s disable-node-collector flag (#6311)
• feat: add ubuntu 23.10 and 24.04 support (#6573)
• docs(go): add stdlib (#6580)
• feat(go): parse main mod version from build info settings (#6564)
• feat: respect custom exit code from plugin (#6584)
• docs: add asdf and mise installation method (#6063)
• feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
• feat: add support environment.yaml files (#6569)
• fix: close plugin.yaml (#6577)
• fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
• BREAKING: support exclude kinds/namespaces and include kinds/namespaces (#6323)
• feat(go): add main module (#6574)
• feat: add relationships (#6563)
• docs: mention --show-suppressed is available in table (#6571)
• chore: fix sqlite to support loong64 (#6511)
• fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
• docs: update info about config file (#6547)
• docs: remove RELEASE_VERSION from trivy.repo (#6546)
• fix(sbom): change error to warning for multiple OSes (#6541)
• fix(vuln): skip empty versions (#6542)
• feat(c): add license support for conan lock files (#6329)
• fix(terraform): Attribute and fileset fixes (#6544)
• refactor: change warning if no vulnerability details are found (#6230)
• refactor(misconf): improve error handling in the Rego scanner (#6527)
• feat(go): parse main module of go binary files (#6530)
• refactor(misconf): simplify the retrieval of module annotations (#6528)
• docs(nodejs): add info about supported versions of pnpm lock files (#6510)
• feat(misconf): loading embedded checks as a fallback (#6502)
• fix(misconf): Parse JSON k8s manifests properly (#6490)
• refactor: remove parallel walk (#5180)
• fix: close pom.xml (#6507)
• fix(secret): convert severity for custom rules (#6500)
• fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (#6412)
• fix: typo (#6283)
• docs(k8s,image): fix command-line syntax issues (#6403)
• fix(misconf): avoid panic if the scheme is not valid (#6496)
• feat(image): goversion as stdlib (#6277)
• fix: add color for error inside of log message (#6493)
• docs: fix links to OPA docs (#6480)
• refactor: replace zap with slog (#6466)
• docs: update links to IaC schemas (#6477)
• chore: bump Go to 1.22 (#6075)
• refactor(terraform): sync funcs with Terraform (#6415)
• feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
• fix(terraform): eval submodules (#6411)
• refactor(terraform): remove unused options (#6446)
• refactor(terraform): remove unused file (#6445)
• fix(misconf): Escape template value correctly (#6292)
• feat(misconf): add support for wildcard ignores (#6414)
• fix(cloudformation): resolve DedicatedMasterEnabled parsing issue (#6439)
• refactor(terraform): remove metrics collection (#6444)
• feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
• fix(db): check schema version for image name only (#6410)
• feat(misconf): Support private registries for misconf check bundle (#6327)
• feat(cloudformation): inline ignore support for YAML templates (#6358)
• feat(terraform): ignore resources by nested attributes (#6302)
• perf(helm): load in-memory files (#6383)
• feat(aws): apply filter options to result (#6367)
• feat(aws): quiet flag support (#6331)
• fix(misconf): clear location URI for SARIF (#6405)
• test(cloudformation): add CF tests (#6315)
• fix(cloudformation): infer type after resolving a function (#6406)
• fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
• docs: add info about support for package license detection in fs/repo modes (#6381)
• fix(nodejs): add support for parsing workspaces from package.json as an object (#6231)
• fix: use 0600 perms for tmp files for post analyzers (#6386)
• fix(helm): scan the subcharts once (#6382)
• docs(terraform): add file patterns for Terraform Plan (#6393)
• fix(terraform): сhecking SSE encryption algorithm validity (#6341)
• fix(java): parse modules from pom.xml files once (#6312)
• fix(server): add Locations for Packages in client/server mode (#6366)
• fix(sbom): add check for CreationInfo to nil when detecting SPDX created using Trivy (#6346)
• fix(report): don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used (#6348)
• chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
• feat(java): add support licenses and graph for gradle lock files (#6140)
• feat(vex): consider root component for relationships (#6313)
• fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
• chore: updates wazero to v1.7.0 (#6301)
• feat(sbom): Support license detection for SBOM scan (#6072)
• refactor(sbom): use intermediate representation for SPDX (#6310)
• docs(terraform): improve documentation for filtering by inline comments (#6284)
• fix(terraform): fix policy document retrieval (#6276)
• refactor(terraform): remove unused custom error (#6303)
• refactor(sbom): add intermediate representation for BOM (#6240)
• fix(amazon): check only major version of AL to find advisories (#6295)
• fix(db): use schema version as tag only for trivy-db and trivy-java-db registries by default (#6219)
• fix(nodejs): add name validation for package name from package.json (#6268)
• docs: Added install instructions for FreeBSD (#6293)
• feat(image): customer podman host or socket option (#6256)
• feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev (#6213)
• fix(license): reorder logic of how python package licenses are acquired (#6220)
• test(terraform): skip cached modules (#6281)
• feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
• fix(cloudformation): support of all SSE algorithms for s3 (#6270)
• feat(terraform): Terraform Plan snapshot scanning support (#6176)
• fix: typo function name and comment optimization (#6200)
• fix(java): don't ignore runtime scope for pom.xml files (#6223)
• fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
• test(k8s): use test-db for k8s integration tests (#6222)
• fix(terraform): fix root module search (#6160)
• test(parser): squash test data for yarn (#6203)
• fix(terraform): do not re-expand dynamic blocks (#6151)
• docs: update ecosystem page reporting with db app (#6201)
• fix: k8s summary separate infra and user finding results (#6120)
• fix: add context to target finding on k8s table view (#6099)
• fix: Printf format err (#6198)
• refactor: better integration of the parser into Trivy (#6183)
• feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
• fix(vex): CSAF filtering should consider relationships (#5923)
• refactor(report): Replacing source_location in github report when scanning an image (#5999)
• feat(vuln): ignore vulnerabilities by PURL (#6178)
• feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
• feat(k8s): rancher rke2 version support (#5988)
• docs: update kbom distribution for scanning (#6019)
• chore: update CODEOWNERS (#6173)
• fix(swift): try to use branch to resolve version (#6168)
• fix(terraform): ensure consistent path handling across OS (#6161)
• fix(java): add only valid libs from pom.properties files from jars (#6164)
• fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
• docs(report): add remark about path to filter licenses using .trivyignore.yaml file (#6145)
• docs: update template path for gitlab-ci tutorial (#6144)
• feat(report): support for filtering licenses and secrets via rego policy files (#6004)
• fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
• docs: add SecObserve in CI/CD and reporting (#6139)
• fix(alpine): exclude empty licenses for apk packages (#6130)
• docs: add docs tutorial on custom policies with rego (#6104)
• fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
• feat(vuln): show suppressed vulnerabilities in table (#6084)
• docs: rename governance to principles (#6107)
• docs: add governance (#6090)
• feat(java): add dependency location support for gradle files (#6083)
• fix(misconf): get user from Config.User (#6070)

Update to version 0.49.1:

• fix: check unescaped BomRef when matching PkgIdentifier (#6025)
• docs: Fix broken link to 'pronunciation' (#6057)
• fix: fix cursor usage in Redis Clear function (#6056)
• fix(nodejs): add local packages support for pnpm-lock.yaml files (#6034)
• test: fix flaky TestDockerEngine (#6054)
• fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
• fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
• feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
• docs: add note about Bun (#6001)
• fix(report): use AWS_REGION env for secrets in asff template (#6011)
• fix: check returned error before deferring f.Close() (#6007)
• feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
• feat(vuln): enable --vex for all targets (#5992)
• docs: update link to data sources (#6000)
• feat(java): add support for line numbers for pom.xml files (#5991)
• refactor(sbom): use new metadata.tools struct for CycloneDX (#5981)
• docs: Update troubleshooting guide with image not found error (#5983)
• style: update band logos (#5968)
• docs: update cosign tutorial and commands, update kyverno policy (#5929)
• docs: update command to scan go binary (#5969)
• fix: handle non-parsable images names (#5965)
• fix(amazon): save system files for pkgs containing amzn in src (#5951)
• fix(alpine): Add EOL support for alpine 3.19. (#5938)
• feat: allow end-users to adjust K8S client QPS and burst (#5910)
• fix(nodejs): find licenses for packages with slash (#5836)
• fix(sbom): use group field for pom.xml and nodejs files for CycloneDX reports (#5922)
• fix: ignore no init containers (#5939)
• docs: Fix documentation of ecosystem (#5940)
• docs(misconf): multiple ignores in comment (#5926)
• fix(secret): find aws secrets ending with a comma or dot (#5921)
• docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
• fix(java): check if a version exists when determining GAV by file name for jar files (#5630)
• feat(vex): add PURL matching for CSAF VEX (#5890)
• fix(secret): AWS Secret Access Key must include only secrets with aws text. (#5901)
• revert(report): don't escape new line characters for sarif format (#5897)
• docs: improve filter by rego (#5402)
• docs: addscan2htmltotrivyecosystem (#5875)
• fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
• feat(vex): Add support for CSAF format (#5535)
• feat(python): parse licenses from dist-info folder (#4724)
• feat(nodejs): add yarn alias support (#5818)
• refactor: propagate time through context values (#5858)
• refactor: move PkgRef under PkgIdentifier (#5831)
• fix(cyclonedx): fix unmarshal for licenses (#5828)
• feat(vuln): include pkg identifier on detected vulnerabilities (#5439)

Update to version 0.48.1:

• fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
• refactor(sbom): disable html escaping for CycloneDX (#5764)
• refactor(purl): use pub from package-url (#5784)
• docs(python): add note to using pip freeze for compatible releases (#5760)
• fix(report): use OS information for OS packages purl in github template (#5783)
• fix(report): fix error if miconfigs are empty (#5782)
• refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
• fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
• docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
• fix(report): update Gitlab template (#5721)
• feat(secret): add support of GitHub fine-grained tokens (#5740)
• fix(misconf): add an image misconf to result (#5731)
• feat(secret): added support of Docker registry credentials (#5720)

Update to version 0.48.0:

• feat: filter k8s core components vuln results (#5713)
• feat(vuln): remove duplicates in Fixed Version (#5596)
• feat(report): output plugin (#4863)
• docs: typo in modules.md (#5712)
• feat: Add flag to configure node-collector image ref (#5710)
• feat(misconf): Add --misconfig-scanners option (#5670)
• chore: bump Go to 1.21 (#5662)
• feat: Packagesprops support (#5605)
• docs: update adopters discussion template (#5632)
• docs: terraform tutorial links updated to point to correct loc (#5661)
• fix(secret): add sec and space to secret prefix for aws-secret-access-key (#5647)
• fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
• fix(secret): exclude upper case before secret for alibaba-access-key-id (#5618)
• docs: Update Arch Linux package URL in installation.md (#5619)
• chore: add prefix to image errors (#5601)
• docs(vuln): fix link anchor (#5606)
• docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
• fix: k8s friendly error messages kbom non cluster scans (#5594)
• feat: set InstalledFiles for DEB and RPM packages (#5488)
• fix(report): use time.Time for CreatedAt (#5598)
• test: retry containerd initialization (#5597)
• feat(misconf): Expose misconf engine debug logs with --debug option (#5550)
• test: mock VM walker (#5589)
• chore: bump node-collector v0.0.9 (#5591)
• feat(misconf): Add support for --cf-params for CFT (#5507)
• feat(flag): replace '--slow' with '--parallel' (#5572)
• fix(report): add escaping for Sarif format (#5568)
• chore: show a deprecation notice for --scanners config (#5587)
• feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
• test: mock RPM DB (#5567)
• feat: add aliases to '--scanners' (#5558)
• refactor: reintroduce output writer (#5564)
• chore: not load plugins for auto-generating docs (#5569)
• chore: sort supported AWS services (#5570)
• fix: no schedule toleration (#5562)
• fix(cli): set correct scanners for k8s target (#5561)
• fix(sbom): add FilesAnalyzed and PackageVerificationCode fields for SPDX (#5533)
• refactor(misconf): Update refactored dependencies (#5245)
• feat(secret): add built-in rule for JWT tokens (#5480)
• fix: trivy k8s parse ecr image with arn (#5537)
• fix: fail k8s resource scanning (#5529)
• refactor(misconf): don't remove Highlighted in json format (#5531)
• docs(k8s): fix link in kubernetes.md (#5524)
• docs(k8s): fix whitespace in list syntax (#5525)

Update to version 0.47.0:

• docs: add info that license scanning supports file-patterns flag (#5484)
• docs: add Zora integration into Ecosystem session (#5490)
• fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
• fix: correct error mismatch causing race in fast walks (#5516)
• docs: k8s vulnerability scanning (#5515)
• docs: remove glad for java datasources (#5508)
• chore: remove unused logger attribute in amazon detector (#5476)
• fix: correct error mismatch causing race in fast walks (#5482)
• fix(server): add licenses to BlobInfo message (#5382)
• feat: scan vulns on k8s core component apps (#5418)
• fix(java): fix infinite loop when relativePath field points to pom.xml being scanned (#5470)
• fix(sbom): save digests for package/application when scanning SBOM files (#5432)
• docs: fix the broken link (#5454)
• docs: fix error when installing PyYAML for gh pages (#5462)
• fix(java): download java-db once (#5442)
• docs(misconf): Update --tf-exclude-downloaded-modules description (#5419)
• feat(misconf): Support --ignore-policy in config scans (#5359)
• docs(misconf): fix broken table for Use container image section (#5425)
• feat(dart): add graph support (#5374)
• refactor: define a new struct for scan targets (#5397)
• fix(sbom): add missed primaryURL and source severity for CycloneDX (#5399)
• fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
• docs: remove --scanners none (#5384)
• docs: Update container_image.md #5182 (#5193)
• feat(report): Add InstalledFiles field to Package (#4706)
• feat(k8s): add support for vulnerability detection (#5268)
• fix(python): override BOM in requirements.txt files (#5375)
• docs: add kbom documentation (#5363)
• test: use maximize build space for VM tests (#5362)
• fix(report): add escaping quotes in misconfig Title for asff template (#5351)
• fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
• fix: add config files to FS for post-analyzers (#5333)
• fix: fix MIME warnings after updating to Go 1.20 (#5336)
• build: fix a compile error with Go 1.21 (#5339)
• feat: added Metadata into the k8s resource's scan report (#5322)
• chore: update adopters template (#5330)
• fix(sbom): use PURL or Group and Name in case of Java (#5154)
• docs: add buildkite repository to ecosystem page (#5316)
• chore: enable go-critic (#5302)
• close java-db client (#5273)
• fix(report): removes git::http from uri in sarif (#5244)
• Improve the meaning of sentence (#5301)
• add app nil check (#5274)
• typo: in secret.md (#5281)
• docs: add info about github format (#5265)
• feat(dotnet): add license support for NuGet (#5217)
• docs: correctly export variables (#5260)
• chore: Add line numbers for lint output (#5247)
• chore(cli): disable java-db flags in server mode (#5263)
• feat(db): allow passing registry options (#5226)
• refactor(purl): use TypeApk from purl (#5232)
• chore: enable more linters (#5228)
• Fix typo on ide.md (#5239)
• refactor: use defined types (#5225)
• fix(purl): skip local Go packages (#5190)
• docs: update info about license scanning in Yarn projects (#5207)
• fix link (#5203)
• fix(purl): handle rust types (#5186)
• chore: auto-close issues (#5177)
• fix(k8s): kbom support addons labels (#5178)
• test: validate SPDX with the JSON schema (#5124)
• chore: bump trivy-kubernetes-latest (#5161)
• docs: add 'Signature Verification' guide (#4731)
• docs: add image-scanner-with-trivy for ecosystem (#5159)
• fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
• Update filtering.md (#5131)
• chaging adopters discussion tempalte (#5091)
• docs: add Bitnami (#5078)
• feat(docker): add support for scanning Bitnami components (#5062)
• feat: add support for .trivyignore.yaml (#5070)
• fix(terraform): improve detection of terraform files (#4984)
• feat: filter artifacts on --exclude-owned flag (#5059)
• fix(sbom): cyclonedx advisory should omit null value (#5041)
• build: maximize build space for build tests (#5072)
• feat: improve kbom component name (#5058)
• fix(pom): add licenses for pom artifacts (#5071)
• chore: bump Go to 1.20 (#5067)
• feat: PURL matching with qualifiers in OpenVEX (#5061)
• feat(java): add graph support for pom.xml (#4902)
• feat(swift): add vulns for cocoapods (#5037)
• fix: support image pull secret for additional workloads (#5052)
• fix: #5033 Superfluous double quote in html.tpl (#5036)
• docs(repo): update trivy repo usage and example (#5049)
• perf: Optimize Dockerfile for reduced layers and size (#5038)
• feat: scan K8s Resources Kind with --all-namespaces (#5043)
• fix: vulnerability typo (#5044)
• docs: adding a terraform tutorial to the docs (#3708)
• feat(report): add licenses to sarif format (#4866)
• feat(misconf): show the resource name in the report (#4806)
• chore: update alpine base images (#5015)
• feat: add Package.resolved swift files support (#4932)
• feat(nodejs): parse licenses in yarn projects (#4652)
• fix: k8s private registries support (#5021)
• bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
• feat(vuln): support last_affected field from osv (#4944)
• feat(server): add version endpoint (#4869)
• feat: k8s private registries support (#4987)
• fix(server): add indirect prop to package (#4974)
• docs: add coverage (#4954)
• feat(c): add location for lock file dependencies. (#4994)
• docs: adding blog post on ec2 (#4813)
• revert 32bit bins (#4977)

Update to version 0.44.1:

• fix(report): return severity colors in table format (#4969)
• build: maximize available disk space for release (#4937)
• test(cli): Fix assertion helptext (#4966)
• test: validate CycloneDX with the JSON schema (#4956)
• fix(server): add licenses to the Result message (#4955)
• fix(aws): resolve endpoint if endpoint is passed (#4925)
• fix(sbom): move licenses to name field in Cyclonedx format (#4941)
• use testify instead of gotest.tools (#4946)
• fix(nodejs): do not detect lock file in node_modules as an app (#4949)
• bump go-dep-parser (#4936)
• test(aws): move part of unit tests to integration (#4884)
• docs(cli): update help string for file and dir skipping (#4872)

• docs: update the discussion template (#4928)

  Update to version 0.44.0:

• feat(repo): support local repositories (#4890)

• bump go-dep-parser (#4893)
• fix(misconf): add missing fields to proto (#4861)
• fix: remove trivy-db package replacement (#4877)
• chore(test): bump the integration test timeout to 15m (#4880)
• chore: update CODEOWNERS (#4871)
• feat(vuln): support vulnerability status (#4867)
• feat(misconf): Support custom URLs for policy bundle (#4834)
• refactor: replace with sortable packages (#4858)
• docs: correct license scanning sample command (#4855)
• fix(report): close the file (#4842)
• feat(misconf): Add support for independently enabling libraries (#4070)
• feat(secret): add secret config file for cache calculation (#4837)
• Fix a link in gitlab-ci.md (#4850)
• fix(flag): use globalstar to skip directories (#4854)
• fix(license): using common way for splitting licenses (#4434)
• fix(containerd): Use img platform in exporter instead of strict host platform (#4477)
• remove govulndb (#4783)
• fix(java): inherit licenses from parents (#4817)
• refactor: add allowed values for CLI flags (#4800)
• add example regex to allow rules (#4827)
• feat(misconf): Support custom data for rego policies for cloud (#4745)
• docs: correcting the trivy k8s tutorial (#4815)
• feat(cli): add --tf-exclude-downloaded-modules flag (#4810)
• fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)
• feat(misconf): enable --policy flag to accept directory and files both (#4777)
• feat(python): add license fields (#4722)
• fix: support trivy k8s-version on k8s sub-command (#4786)

Update to version 0.43.1:

• docs(image): fix the comment on the soft/hard link (#4740)
• check Type when filling pkgs in vulns (#4776)
• feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
• fix(rocky): add architectures support for advisories (#4691)
• fix: documentation about reseting trivy image (#4733)
• fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
• fix: update Amazon Linux 1 EOL (#4761)

Update to version 0.43.0:

• feat(nodejs): support yarn workspaces (#4664)
• fix(image): pass the secret scanner option to scan the img config (#4735)
• fix: scan job pod it not found on k8s-1.27.x (#4729)
• feat(docker): add support for mTLS authentication when connecting to registry (#4649)
• fix: skip scanning the gpg-pubkey package (#4720)
• Fix http registry oci pull (#4701)
• feat(misconf): Support skipping services (#4686)
• docs: fix supported modes for pubspec.lock files (#4713)
• fix(misconf): disable the terraform plan analyzer for other scanners (#4714)
• clarifying a dir path is required for custom policies (#4716)
• chore: update alpine base images (#4715)
• fix last-history-created (#4697)
• feat: kbom and cyclonedx v1.5 spec support (#4708)
• docs: add information about Aqua (#4590)
• fix: k8s escape resource filename on windows os (#4693)
• feat: cyclondx sbom custom property support (#4688)
• add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)
• use group field for jar in cyclonedx (#4674)
• feat(java): capture licenses from pom.xml (#4681)
• feat(helm): make sessionAffinity configurable (#4623)
• fix: Show the correct URL of the secret scanning (#4682)
• document expected file pattern definition format (#4654)
• fix: format arg error (#4642)
• feat(k8s): cyclonedx kbom support (#4557)
• fix(nodejs): remove unused fields for the pnpm lockfile (#4630)
• fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)
• fix(debian): update EOL for Debian 12 (#4647)
• chore: unnecessary use of fmt.Sprintf (S1039) (#4637)
• fix(db): change argument order in Exists query for JavaDB (#4595)
• feat(aws): Add support to see successes in results (#4427)
• feat: trivy k8s private registry support (#4567)
• docs: add general coverage page (#3859)
• chore: create SECURITY.md (#4601)

Update to version 0.42.1:

• fix(misconf): deduplicate misconf results (#4588)
• fix(vm): support sector size of 4096 (#4564)
• fix(misconf): terraform relative paths (#4571)
• fix(purl): skip unsupported library type (#4577)
• fix(terraform): recursively detect all Root Modules (#4457)
• fix(vm): support post analyzer for vm command (#4544)
• fix(nodejs): change the type of the devDependencies field (#4560)
• fix(sbom): export empty dependencies in CycloneDX (#4568)
• refactor: add composite fs for post-analyzers (#4556)
• feat: add SBOM analyzer (#4210)
• fix(sbom): update logic for work with files in spdx format (#4513)
• feat: azure workload identity support (#4489)
• feat(ubuntu): add eol date for 18.04 ESM (#4524)
• fix(misconf): Update required extensions for terraformplan (#4523)
• refactor(cyclonedx): add intermediate representation (#4490)
• fix(misconf): Remove debug print while scanning (#4521)
• fix(java): remove duplicates of jar libs (#4515)
• fix(java): fix overwriting project props in pom.xml (#4498)
• docs: Update compilation instructions (#4512)
• fix(nodejs): update logic for parsing pnpm lock files (#4502)
• fix(secret): remove aws-account-id rule (#4494)
• feat(oci): add support for referencing an input image by digest (#4470)
• docs: fixed the format (#4503)
• fix(java): add support of * for exclusions for pom.xml files (#4501)
• feat: adding issue template for documentation (#4453)
• docs: switch glad to ghsa for Go (#4493)
• feat(misconf): Add terraformplan support (#4342)
• feat(debian): add digests for dpkg (#4445)
• feat(k8s): exclude node scanning by node labels (#4459)
• docs: add info about multi-line mode for regexp from custom secret rules (#4159)
• feat(cli): convert JSON reports into a different format (#4452)
• feat(image): add logic to guess base layer for docker-cis scan (#4344)
• fix(cyclonedx): set original names for packages (#4306)
• feat: group subcommands (#4449)
• feat(cli): add retry to cache operations (#4189)
• fix(vuln): report architecture for apk packages (#4247)
• refactor: enable cases where return values are not needed in pipeline (#4443)
• fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
• docs(misconf): Update docs for kubernetes file patterns (#4435)
• test: k8s integration tests (#4423)
• feat(redhat): add package digest for rpm (#4410)
• feat(misconf): Add --reset-policy-bundle for policy bundle (#4167)
• fix: typo (#4431)
• add user instruction to imgconf (#4429)
• fix(k8s): add image sources (#4411)
• docs(scanning): Add versioning banner (#4415)
• feat(cli): add mage command to update golden integration test files (#4380)
• feat: node-collector custom namespace support (#4407)
• refactor(sbom): use multiline json for spdx-json format (#4404)
• fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
• refactor: code-optimization (#4214)
• feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
• test: skip wrong update of test golden files (#4379)
• refactor: don't return error for package.json without version/name (#4377)
• docs: cmd error (#4376)
• test(cli): add test for config file and env combination (#2666)
• fix(report): set a correct file location for license scan output (#4326)
• chore(alpine): Update Alpine to 3.18 (#4351)
• fix(alpine): add EOL date for Alpine 3.18 (#4308)
• feat: allow root break for mapfs (#4094)
• docs(misconf): Remove examples.md (#4256)
• fix(ubuntu): update eol dates for Ubuntu (#4258)
• feat(alpine): add digests for apk packages (#4168)
• chore: add discussion templates (#4190)
• fix(terraform): Support tfvars (#4123)
• chore: separate docs:generate (#4242)
• refactor: define vulnerability scanner interfaces (#4117)
• feat: unified k8s scan resources (#4188)
• chore: trivy bin ignore (#4212)
• feat(image): enforce image platform (#4083)
• fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
• chore: install.sh support for windows (#4155)
• docs: moving skipping files out of others (#4154)

Update to version 0.41.0:

• fix(spdx): add workaround for no src packages (#4118)
• test(golang): rename broken go.mod (#4129)
• feat(sbom): add supplier field (#4122)
• test(misconf): skip downloading of policies for tests #4126
• refactor: use debug message for post-analyze errors (#4037)
• feat(sbom): add VEX support (#4053)
• feat(sbom): add primary package purpose field for SPDX (#4119)
• fix(k8s): fix quiet flag (#4120)
• fix(python): parse of pip extras (#4103)
• feat(java): use full path for nested jars (#3992)
• feat(license): add new flag for classifier confidence level (#4073)
• feat: config and fs compliance support (#4097)
• feat(spdx): add support for SPDX 2.3 (#4058)
• fix: k8s all-namespaces support (#4096)
• perf(misconf): replace with post-analyzers (#4090)
• fix(helm): update networking API version detection (#4106)
• feat(image): custom docker host option (#3599)
• style: debug flag is incorrect and needs extra - (#4087)
• docs(vuln): Document inline vulnerability filtering comments (#4024)
• feat(fs): customize error callback during fs walk (#4038)
• fix(ubuntu): skip copyright files from subfolders (#4076)
• docs: restructure scanners (#3977)
• fix: fix file does not exist error for post-analyzers (#4061)

Update to version 0.40.0:

• feat(flag): Support globstar for --skip-files and --skip-directories (#4026)
• fix: return insecure option to download javadb (#4064)
• fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
• fix(k8s): current context title (#4055)
• fix(k8s): quit support on k8s progress bar (#4021)
• chore: add a note about Dockerfile.canary (#4050)
• fix(vuln): report architecture for debian packages (#4032)
• feat: add support for Chainguard's commercial distro (#3641)
• fix(vuln): fix error message for remote scanners (#4031)
• feat(report): add image metadata to SARIF (#4020)
• docs: fix broken cache link on Installation page (#3999)
• fix: lock downloading policies and database (#4017)
• fix: avoid concurrent access to the global map (#4014)
• feat(rust): add Cargo.lock v3 support (#4012)
• feat: auth support oci download server subcommand (#4008)
• chore: install.sh support for armv7 (#3985)

Update to version 0.39.1:

• fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
• fix(sbom): fix infinite loop for cyclonedx (#3998)
• fix: use warning for errors from enrichment files for post-analyzers (#3972)
• fix(helm): added annotation to psp configurable from values (#3893)
• fix(secret): update built-in rule tests (#3855)
• test: rewrite scripts in Go (#3968)
• docs(cli): Improve glob documentation (#3945)

Update to version 0.39.0:

• docs(cli): added makefile and go file to create docs (#3930)
• feat(cyclonedx): support dependency graph (#3177)
• feat(server): redis with public TLS certs support (#3783)
• feat(flag): Add glob support to --skip-dirs and --skip-files (#3866)
• chore: replace make with mage (#3932)
• fix(sbom): add checksum to files (#3888)
• chore: remove unused mount volumes (#3927)
• feat: add auth support for downloading OCI artifacts (#3915)
• refactor(purl): use epoch in qualifier (#3913)
• feat(image): add registry options (#3906)
• feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
• feat(php): add support for location, licenses and graph for composer.lock files (#3873)
• feat(image): discover SBOM in OCI referrers (#3768)
• docs: change cache-dir key in config file (#3897)
• fix(sbom): use release and epoch for SPDX package version (#3896)
• docs: Update incorrect comment for skip-update flag (#3878)
• refactor(misconf): simplify policy filesystem (#3875)
• feat(nodejs): parse package.json alongside yarn.lock (#3757)
• fix(spdx): add PkgDownloadLocation field (#3879)
• chore(amazon): update EOL (#3876)
• fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
• feat(amazon): add al2023 support (#3854)
• docs(misconf): Add information about selectors (#3703)
• docs(cli): update CLI docs with cobra (#3815)
• feat: k8s parallel processing (#3693)
• docs: add DefectDojo in the Security Management section (#3871)
• refactor: add pipeline (#3868)
• feat(cli): add javadb metadata to version info (#3835)
• feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
• feat: add node toleration option (#3823)
• fix: allow mapfs to open dirs (#3867)
• fix(report): update uri only for os class targets (#3846)
• feat(nodejs): Add v3 npm lock file support (#3826)
• feat(nodejs): parse package.json files alongside package-lock.json (#2916)
• docs(misconf): Fix links to built in policies (#3841)

Update to version 0.38.3:

from 1.86.1 to 1.89.1 * fix(java): skip empty files for jar post analyzer * fix(docker): build healthcheck command for line without /bin/sh prefix * refactor(license): use goyacc for license parser (#3824) 23.0.0-rc.1+incompatible to 23.0.1+incompatible * fix: populate timeout context to node-collector * fix: exclude node collector scanning (#3771) * fix: display correct flag in error message when skipping java db update #3808 * fix: disable jar analyzer for scanners other than vuln (#3810) * fix(sbom): fix incompliant license format for spdx (#3335) * fix(java): the project props take precedence over the parent's props (#3320) * docs: add canary build info to README.md (#3799) * docs: adding link to gh token generation (#3784) * docs: changing docs in accordance with #3460 (#3787)

Update to version 0.38.2:

• fix(license): disable jar analyzer for licence scan only (#3780)
• bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
• fix: skip checking dirs for required post-analyzers (#3773)
• docs: add information about plugin format (#3749)
• fix(sbom): add trivy version to spdx creators tool field (#3756)

Update to version 0.38.1:

• feat(misconf): Add support to show policy bundle version (#3743)
• fix(python): fix error with optional dependencies in pyproject.toml (#3741)
• add id for package.json files (#3750)

Update to version 0.38.0:

• fix(cli): pass integer to exit-on-eol (#3716)
• feat: add kubernetes pss compliance (#3498)
• feat: Adding --module-dir and --enable-modules (#3677)
• feat: add special IDs for filtering secrets (#3702)
• docs(misconf): Add guide on input schema (#3692)
• feat(go): support dependency graph and show only direct dependencies in the tree (#3691)
• feat: docker multi credential support (#3631)
• feat: summarize vulnerabilities in compliance reports (#3651)
• feat(python): parse pyproject.toml alongside poetry.lock (#3695)
• feat(python): add dependency tree for poetry lock file (#3665)
• fix(cyclonedx): incompliant affect ref (#3679)
• chore(helm): update skip-db-update environment variable (#3657)
• fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)
• fix(sbom): export empty dependencies in CycloneDX (#3664)
• docs: java-db air-gap doc tweaks (#3561)
• feat(go): license support (#3683)
• feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)
• fix(k8s): k8s label size (#3678)
• fix(cyclondx): fix array empty value, null to [] (#3676)
• refactor: rewrite gomod analyzer as post-analyzer (#3674)
• feat: config outdated-api result filtered by k8s version (#3578)
• fix: Update to Alpine 3.17.2 (#3655)
• feat: add support for virtual files (#3654)
• feat: add post-analyzers (#3640)
• feat(python): add dependency locations for Pipfile.lock (#3614)
• fix(java): fix groupID selection by ArtifactID for jar files. (#3644)
• fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)
• feat(cli): add command completion (#3061)
• docs(misconf): update dockerfile link (#3627)
• feat(flag): add exit-on-eosl option (#3423)
• fix(cli): make java db repository configurable (#3595)
• chore: bump trivy-kubernetes (#3613)