openSUSE-SU-2025:0056-1

This update for trivy fixes the following issues:

Update to version 0.58.2 (

  boo#1234512, CVE-2024-45337,
  boo#1235265, CVE-2024-45338):

• fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
• fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
• fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
• fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
• fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
• fix(sbom): use root package for unknown dependencies (if exists) [backport: release/v0.58] (#8156)
• chore(deps): bump golang.org/x/net from v0.32.0 to v0.33.0 [backport: release/v0.58] (#8142)
• chore(deps): bump github.com/CycloneDX/cyclonedx-go from v0.9.1 to v0.9.2 [backport: release/v0.58] (#8136)
• fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
• fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
• fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
• chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
• fix: handle BLOW_UNKNOWN error to download DBs [backport: release/v0.58] (#8121)
• fix(java): correctly overwrite version from depManagement if dependency uses project.* props [backport: release/v0.58] (#8119)
• release: v0.58.0 [main] (#7874)
• fix(misconf): wrap AWS EnvVar to iac types (#7407)
• chore(deps): Upgrade trivy-checks (#8018)
• refactor(misconf): Remove unused options (#7896)
• docs: add terminology page to explain Trivy concepts (#7996)
• feat: add workspaceRelationship (#7889)
• refactor(sbom): simplify relationship generation (#7985)
• docs: improve databases documentation (#7732)
• refactor: remove support for custom Terraform checks (#7901)
• docs: drop AWS account scanning (#7997)
• fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
• fix(cli): Handle empty ignore files more gracefully (#7962)
• fix(misconf): load full Terraform module (#7925)
• fix(misconf): properly resolve local Terraform cache (#7983)
• refactor(k8s): add v prefix for Go packages (#7839)
• test: replace Go checks with Rego (#7867)
• feat(misconf): log causes of HCL file parsing errors (#7634)
• chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
• chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
• chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
• chore: downgrade the failed block expand message to debug (#7964)
• fix(misconf): do not erase variable type for child modules (#7941)
• feat(go): construct dependencies of go.mod main module in the parser (#7977)
• feat(go): construct dependencies in the parser (#7973)
• feat: add cvss v4 score and vector in scan response (#7968)
• docs: add overview page for others (#7972)
• fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
• feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
• chore(deps): bump the common group with 4 updates (#7949)
• feat(oracle): add flavors support (#7858)
• fix(misconf): Update trivy-checks default repo to mirror.gcr.io (#7953)
• chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
• fix(k8s): check all results for vulnerabilities (#7946)
• ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
• feat(secret): Add built-in secrets rules for Private Packagist (#7826)
• docs: Fix broken links (#7900)
• docs: fix mistakes/typos (#7942)
• feat: Update registry fallbacks (#7679)
• fix(alpine): add UID for removed packages (#7887)
• chore(deps): bump the aws group with 6 updates (#7902)
• chore(deps): bump the common group with 6 updates (#7904)
• fix(debian): infinite loop (#7928)
• fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#7912)
• docs: add note about temporary podman socket (#7921)
• docs: combine trivy.dev into trivy docs (#7884)
• test: change branch in spdx schema link to check in integration tests (#7935)
• docs: add Headlamp to the Trivy Ecosystem page (#7916)
• fix(report): handle git@github.com schema for misconfigs in sarif report (#7898)
• chore(k8s): enhance k8s scan log (#6997)
• fix(terraform): set null value as fallback for missing variables (#7669)
• fix(misconf): handle null properties in CloudFormation templates (#7813)
• fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
• chore(deps): bump the common group across 1 directory with 20 updates (#7876)
• chore: bump containerd to v2.0.0 (#7875)
• fix: Improve version comparisons when build identifiers are present (#7873)
• feat(k8s): add default commands for unknown platform (#7863)
• chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
• refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
• test: save containerd image into archive and use in tests (#7816)
• chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)

• chore: bump golangci-lint to v1.61.0 (#7853)

  • Update to version 0.57.1:
• release: v0.57.1 [release/v0.57] (#7943)
• feat: Update registry fallbacks [backport: release/v0.57] (#7944)
• fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files [backport: release/v0.57] (#7939)
• test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
• release: v0.57.0 [main] (#7710)
• chore: lint errors.Join (#7845)
• feat(db): append errors (#7843)
• docs(java): add info about supported scopes (#7842)
• docs: add example of creating whitelist of checks (#7821)
• chore(deps): Bump trivy-checks (#7819)
• fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
• fix(k8s): skip resources without misconfigs (#7797)
• fix(sbom): use Annotation instead of AttributionTexts for SPDX formats (#7811)
• fix(cli): add config name to skip-policy-update alias (#7820)
• fix(helm): properly handle multiple archived dependencies (#7782)
• refactor(misconf): Deprecate EXCEPTIONS for misconfiguration scanning (#7776)
• fix(k8s)!: support k8s multi container (#7444)
• fix(k8s): support kubernetes v1.31 (#7810)
• docs: add Windows install instructions (#7800)
• ci(helm): auto public Helm chart after PR merged (#7526)
• feat: add end of life date for Ubuntu 24.10 (#7787)
• feat(report): update gitlab template to populate operating_system value (#7735)
• feat(misconf): Show misconfig ID in output (#7762)
• feat(misconf): export unresolvable field of IaC types to Rego (#7765)
• refactor(k8s): scan config files as a folder (#7690)
• fix(license): fix license normalization for Universal Permissive License (#7766)
• fix: enable usestdlibvars linter (#7770)
• fix(misconf): properly expand dynamic blocks (#7612)
• feat(cyclonedx): add file checksums to CycloneDX reports (#7507)
• fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
• refactor(misconf): simplify k8s scanner (#7717)
• feat(parser): ignore white space in pom.xml files (#7747)
• test: use forked images (#7755)
• fix(java): correctly inherit version and scope from upper/root depManagement and dependencies into parents (#7541)
• fix(misconf): check if property is not nil before conversion (#7578)
• fix(misconf): change default ACL of digitaloceanspacesbucket to private (#7577)
• feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
• test: define constants for test images (#7739)
• docs: add note about disabled DS016 check (#7724)
• feat(misconf): public network support for Azure Storage Account (#7601)
• feat(cli): rename trivy auth to trivy registry (#7727)
• docs: apt-transport-https is a transitional package (#7678)
• refactor(misconf): introduce generic scanner (#7515)
• fix(cli): clean --all deletes only relevant dirs (#7704)
• feat(cli): add trivy auth (#7664)
• fix(sbom): add options for DBs in private registries (#7660)
• docs(report): fix reporting doc format (#7671)
• fix(repo): git clone output to Stderr (#7561)
• fix(redhat): include arch in PURL qualifiers (#7654)
• fix(report): Fix invalid URI in SARIF report (#7645)
• docs(report): Improve SARIF reporting doc (#7655)
• fix(db): fix javadb downloading error handling (#7642)

• feat(cli): error out when ignore file cannot be found (#7624)

  • Update to version 0.56.2:
• release: v0.56.2 [release/v0.56] (#7694)
• fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)

• fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)

  • Update to version 0.56.1:
• release: v0.56.1 [release/v0.56] (#7648)
• fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
• release: v0.56.0 [main] (#7447)
• fix(misconf): not to warn about missing selectors of libraries (#7638)
• feat: support RPM archives (#7628)
• fix(secret): change grafana token regex to find them without unquoted (#7627)
• fix(misconf): Disable deprecated checks by default (#7632)
• chore: add prefixes to log messages (#7625)
• feat(misconf): Support --skip-* for all included modules (#7579)
• feat: support multiple DB repositories for vulnerability and Java DB (#7605)
• ci: don't use cache for setup-go (#7622)
• test: use loaded image names (#7617)
• feat(java): add empty versions if pom.xml dependency versions can't be detected (#7520)
• feat(secret): enhance secret scanning for python binary files (#7223)
• refactor: fix auth error handling (#7615)
• ci: split save and restore cache actions (#7614)
• fix(misconf): disable DS016 check for image history analyzer (#7540)
• feat(suse): added SUSE Linux Enterprise Micro support (#7294)
• feat(misconf): add ability to disable checks by ID (#7536)
• fix(misconf): escape all special sequences (#7558)
• test: use a local registry for remote scanning (#7607)
• fix: allow access to '..' in mapfs (#7575)
• fix(db): check DownloadedAt for trivy-java-db (#7592)
• chore(deps): bump the common group across 1 directory with 20 updates (#7604)
• ci: add workflow_dispatch trigger for test workflow. (#7606)
• ci: cache test images for integration, VM and module tests (#7599)
• chore(deps): remove broken replaces for opa and discovery (#7600)
• docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)
• fix(misconf): Fixed scope for China Cloud (#7560)
• perf(misconf): use port ranges instead of enumeration (#7549)
• fix(sbom): export bom-ref when converting a package to a component (#7340)
• refactor(misconf): pass options to Rego scanner as is (#7529)
• fix(sbom): parse type framework as library when unmarshalling CycloneDX files (#7527)
• chore(deps): bump go-ebs-file (#7513)
• fix(misconf): Fix logging typo (#7473)
• feat(misconf): Register checks only when needed (#7435)
• refactor: split .egg and packaging analyzers (#7514)
• fix(java): use dependencyManagement from root/child pom's for dependencies from parents (#7497)
• chore(vex): add CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158 in trivy.openvex.json (#7510)
• chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)
• chore(vex): suppress openssl vulnerabilities (#7500)
• revert(java): stop supporting of test scope for pom.xml files (#7488)
• docs(db): add a manifest example (#7485)
• feat(license): improve license normalization (#7131)
• docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)
• fix(report): fix error with unmarshal of ExperimentalModifiedFindings (#7463)
• fix(report): change a receiver of MarshalJSON (#7483)
• fix(oracle): Update EOL date for Oracle 7 (#7480)
• chore(deps): bump the aws group with 6 updates (#7468)
• chore(deps): bump the common group across 1 directory with 19 updates (#7436)
• chore(helm): bump up Trivy Helm chart (#7441)
• refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)
• fix(license): stop spliting a long license text (#7336)
• release: v0.55.0 [main] (#7271)
• feat(go): use toolchain as stdlib version for go.mod files (#7163)
• fix(license): add license handling to JUnit template (#7409)
• feat(java): add test scope support for pom.xml files (#7414)
• chore(deps): Bump trivy-checks and pin OPA (#7427)
• fix(helm): explicitly define kind and apiVersion of volumeClaimTemplate element (#7362)
• feat(sbom): set User-Agent header on requests to Rekor (#7396)
• test: add integration plugin tests (#7299)
• fix(nodejs): check all importers to detect dev deps from pnpm-lock.yaml file (#7387)
• fix: logger initialization before flags parsing (#7372)
• fix(aws): handle ECR repositories in different regions (#6217)
• fix(misconf): fix infer type for null value (#7424)
• fix(secret): use .eyJ keyword for JWT secret (#7410)
• fix(misconf): do not recreate filesystem map (#7416)
• chore(deps): Bump trivy-checks (#7417)
• fix(misconf): do not register Rego libs in checks registry (#7420)
• fix(sbom): use NOASSERTION for licenses fields in SPDX formats (#7403)
• feat(report): export modified findings in JSON (#7383)
• feat(server): Make Trivy Server Multiplexer Exported (#7389)
• chore: update CODEOWNERS (#7398)
• fix(secret): use only line with secret for long secret lines (#7412)
• chore: fix allow rule of ignoring test files to make it case insensitive (#7415)
• feat(misconf): port and protocol support for EC2 networks (#7146)
• fix(misconf): do not filter Terraform plan JSON by name (#7406)
• feat(misconf): support for ignore by nested attributes (#7205)
• fix(misconf): use module to log when metadata retrieval fails (#7405)
• fix(report): escape Message field in asff.tpl template (#7401)
• feat(misconf): Add support for using spec from on-disk bundle (#7179)
• docs: add pkg flags to config file page (#7370)
• feat(python): use minimum version for pip packages (#7348)
• fix(misconf): support deprecating for Go checks (#7377)
• fix(misconf): init frameworks before updating them (#7376)
• feat(misconf): ignore duplicate checks (#7317)
• refactor(misconf): use slog (#7295)
• chore(deps): bump trivy-checks (#7350)
• feat(server): add internal --path-prefix flag for client/server mode (#7321)
• chore(deps): bump the aws group across 1 directory with 7 updates (#7358)
• fix: safely check if the directory exists (#7353)
• feat(misconf): variable support for Terraform Plan (#7228)
• feat(misconf): scanning support for YAML and JSON (#7311)
• fix(misconf): wrap Azure PortRange in iac types (#7357)
• refactor(misconf): highlight only affected rows (#7310)
• fix(misconf): change default TLS values for the Azure storage account (#7345)
• chore(deps): bump the common group with 9 updates (#7333)
• docs(misconf): Update callsites to use correct naming (#7335)
• docs: update air-gapped docs (#7160)
• refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)
• perf(misconf): optimize work with context (#6968)
• docs: update links to packaging.python.org (#7318)
• docs: update client/server docs for misconf and license scanning (#7277)
• chore(deps): bump the common group across 1 directory with 7 updates (#7305)
• feat(misconf): iterator argument support for dynamic blocks (#7236)
• fix(misconf): do not set default value for defaultcachebehavior (#7234)
• feat(misconf): support for policy and bucket grants (#7284)
• fix(misconf): load only submodule if it is specified in source (#7112)
• perf(misconf): use json.Valid to check validity of JSON (#7308)
• refactor(misconf): remove unused universal scanner (#7293)
• perf(misconf): do not convert contents of a YAML file to string (#7292)
• fix(terraform): add aws_region name to presets (#7184)
• docs: add auto-generated config (#7261)
• feat(vuln): Add --detection-priority flag for accuracy tuning (#7288)
• refactor(misconf): remove file filtering from parsers (#7289)
• fix(flag): incorrect behavior for deprected flag --clear-cache (#7281)
• fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)
• fix(plugin): do not call GitHub content API for releases and tags (#7274)
• feat(vm): support the Ext2/Ext3 filesystems (#6983)
• feat(cli)!: delete deprecated SBOM flags (#7266)

• feat(vm): Support direct filesystem (#7058)

  • Update to version 0.51.1 (boo#1227010, CVE-2024-3817):