openSUSE-SU-2025:0056-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2025:0056-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2025:0056-1
Related
Published
2025-02-07T11:01:31Z
Modified
2025-02-07T11:01:31Z
Summary
Security update for trivy
Details

This update for trivy fixes the following issues:

    • Update to version 0.58.2 (boo#1234512, CVE-2024-45337, boo#1235265, CVE-2024-45338):
  • fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
  • fix(suse): SUSE - update OSType constants and references for compatibility [backport: release/v0.58] (#8237)
  • fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
  • fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
  • fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
  • fix(sbom): use root package for unknown dependencies (if exists) [backport: release/v0.58] (#8156)
  • chore(deps): bump golang.org/x/net from v0.32.0 to v0.33.0 [backport: release/v0.58] (#8142)
  • chore(deps): bump github.com/CycloneDX/cyclonedx-go from v0.9.1 to v0.9.2 [backport: release/v0.58] (#8136)
  • fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
  • fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
  • fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
  • chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
  • fix: handle BLOW_UNKNOWN error to download DBs [backport: release/v0.58] (#8121)
  • fix(java): correctly overwrite version from depManagement if dependency uses project.* props [backport: release/v0.58] (#8119)
  • release: v0.58.0 [main] (#7874)
  • fix(misconf): wrap AWS EnvVar to iac types (#7407)
  • chore(deps): Upgrade trivy-checks (#8018)
  • refactor(misconf): Remove unused options (#7896)
  • docs: add terminology page to explain Trivy concepts (#7996)
  • feat: add workspaceRelationship (#7889)
  • refactor(sbom): simplify relationship generation (#7985)
  • docs: improve databases documentation (#7732)
  • refactor: remove support for custom Terraform checks (#7901)
  • docs: drop AWS account scanning (#7997)
  • fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
  • fix(cli): Handle empty ignore files more gracefully (#7962)
  • fix(misconf): load full Terraform module (#7925)
  • fix(misconf): properly resolve local Terraform cache (#7983)
  • refactor(k8s): add v prefix for Go packages (#7839)
  • test: replace Go checks with Rego (#7867)
  • feat(misconf): log causes of HCL file parsing errors (#7634)
  • chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
  • chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
  • chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
  • chore: downgrade the failed block expand message to debug (#7964)
  • fix(misconf): do not erase variable type for child modules (#7941)
  • feat(go): construct dependencies of go.mod main module in the parser (#7977)
  • feat(go): construct dependencies in the parser (#7973)
  • feat: add cvss v4 score and vector in scan response (#7968)
  • docs: add overview page for others (#7972)
  • fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
  • feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
  • chore(deps): bump the common group with 4 updates (#7949)
  • feat(oracle): add flavors support (#7858)
  • fix(misconf): Update trivy-checks default repo to mirror.gcr.io (#7953)
  • chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
  • fix(k8s): check all results for vulnerabilities (#7946)
  • ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
  • feat(secret): Add built-in secrets rules for Private Packagist (#7826)
  • docs: Fix broken links (#7900)
  • docs: fix mistakes/typos (#7942)
  • feat: Update registry fallbacks (#7679)
  • fix(alpine): add UID for removed packages (#7887)
  • chore(deps): bump the aws group with 6 updates (#7902)
  • chore(deps): bump the common group with 6 updates (#7904)
  • fix(debian): infinite loop (#7928)
  • fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#7912)
  • docs: add note about temporary podman socket (#7921)
  • docs: combine trivy.dev into trivy docs (#7884)
  • test: change branch in spdx schema link to check in integration tests (#7935)
  • docs: add Headlamp to the Trivy Ecosystem page (#7916)
  • fix(report): handle git@github.com schema for misconfigs in sarif report (#7898)
  • chore(k8s): enhance k8s scan log (#6997)
  • fix(terraform): set null value as fallback for missing variables (#7669)
  • fix(misconf): handle null properties in CloudFormation templates (#7813)
  • fix(fs): add missing deferred Cleanup() call to post analyzer fs (#7882)
  • chore(deps): bump the common group across 1 directory with 20 updates (#7876)
  • chore: bump containerd to v2.0.0 (#7875)
  • fix: Improve version comparisons when build identifiers are present (#7873)
  • feat(k8s): add default commands for unknown platform (#7863)
  • chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
  • refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
  • test: save containerd image into archive and use in tests (#7816)
  • chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
  • chore: bump golangci-lint to v1.61.0 (#7853)

    • Update to version 0.57.1:
  • release: v0.57.1 [release/v0.57] (#7943)
  • feat: Update registry fallbacks [backport: release/v0.57] (#7944)
  • fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files [backport: release/v0.57] (#7939)
  • test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
  • release: v0.57.0 [main] (#7710)
  • chore: lint errors.Join (#7845)
  • feat(db): append errors (#7843)
  • docs(java): add info about supported scopes (#7842)
  • docs: add example of creating whitelist of checks (#7821)
  • chore(deps): Bump trivy-checks (#7819)
  • fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
  • fix(k8s): skip resources without misconfigs (#7797)
  • fix(sbom): use Annotation instead of AttributionTexts for SPDX formats (#7811)
  • fix(cli): add config name to skip-policy-update alias (#7820)
  • fix(helm): properly handle multiple archived dependencies (#7782)
  • refactor(misconf): Deprecate EXCEPTIONS for misconfiguration scanning (#7776)
  • fix(k8s)!: support k8s multi container (#7444)
  • fix(k8s): support kubernetes v1.31 (#7810)
  • docs: add Windows install instructions (#7800)
  • ci(helm): auto public Helm chart after PR merged (#7526)
  • feat: add end of life date for Ubuntu 24.10 (#7787)
  • feat(report): update gitlab template to populate operating_system value (#7735)
  • feat(misconf): Show misconfig ID in output (#7762)
  • feat(misconf): export unresolvable field of IaC types to Rego (#7765)
  • refactor(k8s): scan config files as a folder (#7690)
  • fix(license): fix license normalization for Universal Permissive License (#7766)
  • fix: enable usestdlibvars linter (#7770)
  • fix(misconf): properly expand dynamic blocks (#7612)
  • feat(cyclonedx): add file checksums to CycloneDX reports (#7507)
  • fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
  • refactor(misconf): simplify k8s scanner (#7717)
  • feat(parser): ignore white space in pom.xml files (#7747)
  • test: use forked images (#7755)
  • fix(java): correctly inherit version and scope from upper/root depManagement and dependencies into parents (#7541)
  • fix(misconf): check if property is not nil before conversion (#7578)
  • fix(misconf): change default ACL of digitaloceanspacesbucket to private (#7577)
  • feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
  • test: define constants for test images (#7739)
  • docs: add note about disabled DS016 check (#7724)
  • feat(misconf): public network support for Azure Storage Account (#7601)
  • feat(cli): rename trivy auth to trivy registry (#7727)
  • docs: apt-transport-https is a transitional package (#7678)
  • refactor(misconf): introduce generic scanner (#7515)
  • fix(cli): clean --all deletes only relevant dirs (#7704)
  • feat(cli): add trivy auth (#7664)
  • fix(sbom): add options for DBs in private registries (#7660)
  • docs(report): fix reporting doc format (#7671)
  • fix(repo): git clone output to Stderr (#7561)
  • fix(redhat): include arch in PURL qualifiers (#7654)
  • fix(report): Fix invalid URI in SARIF report (#7645)
  • docs(report): Improve SARIF reporting doc (#7655)
  • fix(db): fix javadb downloading error handling (#7642)
  • feat(cli): error out when ignore file cannot be found (#7624)

    • Update to version 0.56.2:
  • release: v0.56.2 [release/v0.56] (#7694)
  • fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
  • fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)

    • Update to version 0.56.1:
  • release: v0.56.1 [release/v0.56] (#7648)
  • fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)
  • release: v0.56.0 [main] (#7447)
  • fix(misconf): not to warn about missing selectors of libraries (#7638)
  • feat: support RPM archives (#7628)
  • fix(secret): change grafana token regex to find them without unquoted (#7627)
  • fix(misconf): Disable deprecated checks by default (#7632)
  • chore: add prefixes to log messages (#7625)
  • feat(misconf): Support --skip-* for all included modules (#7579)
  • feat: support multiple DB repositories for vulnerability and Java DB (#7605)
  • ci: don't use cache for setup-go (#7622)
  • test: use loaded image names (#7617)
  • feat(java): add empty versions if pom.xml dependency versions can't be detected (#7520)
  • feat(secret): enhance secret scanning for python binary files (#7223)
  • refactor: fix auth error handling (#7615)
  • ci: split save and restore cache actions (#7614)
  • fix(misconf): disable DS016 check for image history analyzer (#7540)
  • feat(suse): added SUSE Linux Enterprise Micro support (#7294)
  • feat(misconf): add ability to disable checks by ID (#7536)
  • fix(misconf): escape all special sequences (#7558)
  • test: use a local registry for remote scanning (#7607)
  • fix: allow access to '..' in mapfs (#7575)
  • fix(db): check DownloadedAt for trivy-java-db (#7592)
  • chore(deps): bump the common group across 1 directory with 20 updates (#7604)
  • ci: add workflow_dispatch trigger for test workflow. (#7606)
  • ci: cache test images for integration, VM and module tests (#7599)
  • chore(deps): remove broken replaces for opa and discovery (#7600)
  • docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)
  • fix(misconf): Fixed scope for China Cloud (#7560)
  • perf(misconf): use port ranges instead of enumeration (#7549)
  • fix(sbom): export bom-ref when converting a package to a component (#7340)
  • refactor(misconf): pass options to Rego scanner as is (#7529)
  • fix(sbom): parse type framework as library when unmarshalling CycloneDX files (#7527)
  • chore(deps): bump go-ebs-file (#7513)
  • fix(misconf): Fix logging typo (#7473)
  • feat(misconf): Register checks only when needed (#7435)
  • refactor: split .egg and packaging analyzers (#7514)
  • fix(java): use dependencyManagement from root/child pom's for dependencies from parents (#7497)
  • chore(vex): add CVE-2024-34155, CVE-2024-34156 and CVE-2024-34158 in trivy.openvex.json (#7510)
  • chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)
  • chore(vex): suppress openssl vulnerabilities (#7500)
  • revert(java): stop supporting of test scope for pom.xml files (#7488)
  • docs(db): add a manifest example (#7485)
  • feat(license): improve license normalization (#7131)
  • docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)
  • fix(report): fix error with unmarshal of ExperimentalModifiedFindings (#7463)
  • fix(report): change a receiver of MarshalJSON (#7483)
  • fix(oracle): Update EOL date for Oracle 7 (#7480)
  • chore(deps): bump the aws group with 6 updates (#7468)
  • chore(deps): bump the common group across 1 directory with 19 updates (#7436)
  • chore(helm): bump up Trivy Helm chart (#7441)
  • refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)
  • fix(license): stop splitting a long license text (#7336)
  • release: v0.55.0 [main] (#7271)
  • feat(go): use toolchain as stdlib version for go.mod files (#7163)
  • fix(license): add license handling to JUnit template (#7409)
  • feat(java): add test scope support for pom.xml files (#7414)
  • chore(deps): Bump trivy-checks and pin OPA (#7427)
  • fix(helm): explicitly define kind and apiVersion of volumeClaimTemplate element (#7362)
  • feat(sbom): set User-Agent header on requests to Rekor (#7396)
  • test: add integration plugin tests (#7299)
  • fix(nodejs): check all importers to detect dev deps from pnpm-lock.yaml file (#7387)
  • fix: logger initialization before flags parsing (#7372)
  • fix(aws): handle ECR repositories in different regions (#6217)
  • fix(misconf): fix infer type for null value (#7424)
  • fix(secret): use .eyJ keyword for JWT secret (#7410)
  • fix(misconf): do not recreate filesystem map (#7416)
  • chore(deps): Bump trivy-checks (#7417)
  • fix(misconf): do not register Rego libs in checks registry (#7420)
  • fix(sbom): use NOASSERTION for licenses fields in SPDX formats (#7403)
  • feat(report): export modified findings in JSON (#7383)
  • feat(server): Make Trivy Server Multiplexer Exported (#7389)
  • chore: update CODEOWNERS (#7398)
  • fix(secret): use only line with secret for long secret lines (#7412)
  • chore: fix allow rule of ignoring test files to make it case insensitive (#7415)
  • feat(misconf): port and protocol support for EC2 networks (#7146)
  • fix(misconf): do not filter Terraform plan JSON by name (#7406)
  • feat(misconf): support for ignore by nested attributes (#7205)
  • fix(misconf): use module to log when metadata retrieval fails (#7405)
  • fix(report): escape Message field in asff.tpl template (#7401)
  • feat(misconf): Add support for using spec from on-disk bundle (#7179)
  • docs: add pkg flags to config file page (#7370)
  • feat(python): use minimum version for pip packages (#7348)
  • fix(misconf): support deprecating for Go checks (#7377)
  • fix(misconf): init frameworks before updating them (#7376)
  • feat(misconf): ignore duplicate checks (#7317)
  • refactor(misconf): use slog (#7295)
  • chore(deps): bump trivy-checks (#7350)
  • feat(server): add internal --path-prefix flag for client/server mode (#7321)
  • chore(deps): bump the aws group across 1 directory with 7 updates (#7358)
  • fix: safely check if the directory exists (#7353)
  • feat(misconf): variable support for Terraform Plan (#7228)
  • feat(misconf): scanning support for YAML and JSON (#7311)
  • fix(misconf): wrap Azure PortRange in iac types (#7357)
  • refactor(misconf): highlight only affected rows (#7310)
  • fix(misconf): change default TLS values for the Azure storage account (#7345)
  • chore(deps): bump the common group with 9 updates (#7333)
  • docs(misconf): Update callsites to use correct naming (#7335)
  • docs: update air-gapped docs (#7160)
  • refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)
  • perf(misconf): optimize work with context (#6968)
  • docs: update links to packaging.python.org (#7318)
  • docs: update client/server docs for misconf and license scanning (#7277)
  • chore(deps): bump the common group across 1 directory with 7 updates (#7305)
  • feat(misconf): iterator argument support for dynamic blocks (#7236)
  • fix(misconf): do not set default value for defaultcachebehavior (#7234)
  • feat(misconf): support for policy and bucket grants (#7284)
  • fix(misconf): load only submodule if it is specified in source (#7112)
  • perf(misconf): use json.Valid to check validity of JSON (#7308)
  • refactor(misconf): remove unused universal scanner (#7293)
  • perf(misconf): do not convert contents of a YAML file to string (#7292)
  • fix(terraform): add aws_region name to presets (#7184)
  • docs: add auto-generated config (#7261)
  • feat(vuln): Add --detection-priority flag for accuracy tuning (#7288)
  • refactor(misconf): remove file filtering from parsers (#7289)
  • fix(flag): incorrect behavior for deprecated flag --clear-cache (#7281)
  • fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)
  • fix(plugin): do not call GitHub content API for releases and tags (#7274)
  • feat(vm): support the Ext2/Ext3 filesystems (#6983)
  • feat(cli)!: delete deprecated SBOM flags (#7266)
  • feat(vm): Support direct filesystem (#7058)

    • Update to version 0.51.1 (boo#1227010, CVE-2024-3817):
References

Affected packages

SUSE:Package Hub 15 SP6 / trivy

Package

Name
trivy
Purl
pkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.58.2-bp156.2.6.1

Ecosystem specific

{
    "binaries": [
        {
            "trivy": "0.58.2-bp156.2.6.1"
        }
    ]
}

openSUSE:Leap 15.6 / trivy

Package

Name
trivy
Purl
pkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.58.2-bp156.2.6.1

Ecosystem specific

{
    "binaries": [
        {
            "trivy": "0.58.2-bp156.2.6.1"
        }
    ]
}