openSUSE-SU-2024:0269-1

Описание

trivy was updated to fix the following issues:

Update to version 0.54.1:

• fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#7285)
• fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
• fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
• release: v0.54.0 [main] (#7075)
• docs: update ecosystem page reporting with plopsec.com app (#7262)
• feat(vex): retrieve VEX attestations from OCI registries (#7249)
• feat(sbom): add image labels into SPDX and CycloneDX reports (#7257)
• refactor(flag): return error if both --download-db-only and --download-java-db-only are specified (#7259)
• fix(nodejs): detect direct dependencies when using latest version for files yarn.lock + package.json (#7110)
• chore: show VEX notice for OSS maintainers in CI environments (#7246)
• feat(vuln): add --pkg-relationships (#7237)
• docs: show VEX cli pages + update config file page for VEX flags (#7244)
• fix(dotnet): show nuget package dir not found log only when checking nuget packages (#7194)
• feat(vex): VEX Repository support (#7206)
• fix(secret): skip regular strings contain secret patterns (#7182)
• feat: share build-in rules (#7207)
• fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
• fix(cli): error on missing config file (#7154)
• fix(secret): update length of hugging-face-access-token (#7216)
• feat(sbom): add vulnerability support for SPDX formats (#7213)
• fix(secret): trim excessively long lines (#7192)
• chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
• fix(server): pass license categories to options (#7203)
• feat(mariner): Add support for Azure Linux (#7186)
• docs: updates config file (#7188)
• refactor(fs): remove unused field for CompositeFS (#7195)
• fix: add missing platform and type to spec (#7149)
• feat(misconf): enabled China configuration for ACRs (#7156)
• fix: close file when failed to open gzip (#7164)
• docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
• docs(misconf): add info about limitations for terraform plan json (#7143)
• chore: add VEX for Trivy images (#7140)
• chore: add VEX document and generator for Trivy (#7128)
• fix(misconf): do not evaluate TF when a load error occurs (#7109)
• feat(cli): rename --vuln-type flag to --pkg-types flag (#7104)
• refactor(secret): move warning about file size after IsBinary check (#7123)
• feat: add openSUSE tumbleweed detection and scanning (#6965)
• test: add missing advisory details for integration tests database (#7122)
• fix: Add dependencyManagement exclusions to the child exclusions (#6969)
• fix: ignore nodes when listing permission is not allowed (#7107)
• fix(java): use go-mvn-version to remove Package duplicates (#7088)
• refactor(secret): add warning about large files (#7085)
• feat(nodejs): add license parser to pnpm analyser (#7036)
• refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)
• feat: add log.FilePath() function for logger (#7080)
• chore: bump golangci-lint from v1.58 to v1.59 (#7077)
• perf(debian): use bytes.Index in emptyLineSplit to cut allocation (#7065)
• refactor: pass DB dir to trivy-db (#7057)
• docs: navigate to the release highlights and summary (#7072)

Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):

• release: v0.53.0 [main] (#6855)
• feat(conda): add licenses support for environment.yml files (#6953)
• fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
• feat: add memory cache backend (#7048)
• fix(sbom): use package UIDs for uniqueness (#7042)
• feat(php): add installed.json file support (#4865)
• docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
• fix: use embedded when command path not found (#7037)
• refactor: use google/wire for cache (#7024)
• fix(cli): show info message only when --scanners is available (#7032)
• chore: enable float-compare rule from testifylint (#6967)
• docs: Add sudo on commands, chmod before mv on install docs (#7009)
• fix(plugin): respect --insecure (#7022)
• feat(k8s)!: node-collector dynamic commands support (#6861)
• fix(sbom): take pkg name from purl for maven pkgs (#7008)
• feat!: add clean subcommand (#6993)
• chore: use ! for breaking changes (#6994)
• feat(aws)!: Remove aws subcommand (#6995)
• refactor: replace global cache directory with parameter passing (#6986)
• fix(sbom): use purl for bitnami pkg names (#6982)
• chore: bump Go toolchain version (#6984)
• refactor: unify cache implementations (#6977)
• docs: non-packaged and sbom clarifications (#6975)
• BREAKING(aws): Deprecate trivy aws as subcmd in favour of a plugin (#6819)
• docs: delete unknown URL (#6972)
• refactor: use version-specific URLs for documentation references (#6966)
• refactor: delete db mock (#6940)
• refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
• feat: Add local ImageID to SARIF metadata (#6522)
• fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
• feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
• feat(java): add support for maven-metadata.xml files for remote snapshot repositories. (#6950)
• fix(purl): add missed os types (#6955)
• fix(cyclonedx): trim non-URL info for advisory.url (#6952)
• fix(c): don't skip conan files from file-patterns and scan .conan2 cache dir (#6949)
• fix(image): parse image.inspect.Created field only for non-empty values (#6948)
• fix(misconf): handle source prefix to ignore (#6945)
• fix(misconf): fix parsing of engine links and frameworks (#6937)
• feat(misconf): support of selectors for all providers for Rego (#6905)
• fix(license): return license separation using separators ,, or, etc. (#6916)
• feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
• BREAKING(misconf): flatten recursive types (#6862)
• test: bump docker API to 1.45 (#6914)
• feat(sbom): migrate to CycloneDX v1.6 (#6903)
• feat(image): Set User-Agent header for Trivy container registry requests (#6868)
• fix(debian): take installed files from the origin layer (#6849)
• fix(nodejs): fix infinite loop when package link from package-lock.json file is broken (#6858)
• feat(misconf): API Gateway V1 support for CloudFormation (#6874)
• feat(plugin): add support for nested archives (#6845)
• fix(sbom): don't overwrite srcEpoch when decoding SBOM files (#6866)
• fix(secret): Asymmetric Private Key shouldn't start with space (#6867)
• chore: auto label discussions (#5259)
• docs: explain how VEX is applied (#6864)
• fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852)
• fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)
• feat(dart): use first version of constraint for dependencies using SDK version (#6239)
• fix(misconf): parsing numbers without fraction as int (#6834)
• fix(misconf): fix caching of modules in subdirectories (#6814)
• feat(misconf): add metadata to Cloud schema (#6831)
• test: replace embedded Git repository with dynamically created repository (#6824)

Update to version 0.52.2:

• test: bump docker API to 1.45 [backport: release/v0.52] (#6922)
• fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)

Update to version 0.52.1:

• release: v0.52.1 [release/v0.52] (#6877)
• fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888)
• fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881)
• fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878)
• docs: explain how VEX is applied (#6864)
• fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)

Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):

• release: v0.52.0 [main] (#6809)
• fix(plugin): initialize logger (#6836)
• fix(cli): always output fatal errors to stderr (#6827)
• fix: close testfile (#6830)
• docs(julia): add scanner table (#6826)
• feat(python): add license support for requirement.txt files (#6782)
• docs: add more workarounds for out-of-disk (#6821)
• chore: improve error message for image not found (#6822)
• fix(sbom): fix panic for convert mode when scanning json file derived from sbom file (#6808)
• fix: clean up golangci lint configuration (#6797)
• fix(python): add package name and version validation for requirements.txt files. (#6804)
• feat(vex): improve relationship support in CSAF VEX (#6735)
• chore(alpine): add eol date for Alpine 3.20 (#6800)
• docs(plugin): add missed plugin section (#6799)
• fix: include packages unless it is not needed (#6765)
• feat(misconf): support for VPC resources for inbound/outbound rules (#6779)
• chore: replace interface{} with any (#6751)
• fix: close settings.xml (#6768)
• refactor(go): add priority for gobinary module versions from ldflags (#6745)
• build: use main package instead of main.go (#6766)
• feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)
• docs: add info on adding compliance checks (#6275)
• docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)
• feat(nodejs): add v9 pnpm lock file support (#6617)
• feat(vex): support non-root components for products in OpenVEX (#6728)
• feat(python): add line number support for requirement.txt files (#6729)
• chore: respect timeout value in .golangci.yaml (#6724)
• fix: node-collector high and critical cves (#6707)
• Merge pull request from GHSA-xcq4-m2r3-cmrj
• chore: auto-bump golang patch versions (#6711)
• fix(misconf): don't shift ignore rule related to code (#6708)
• feat(plugin): specify plugin version (#6683)
• chore: enforce golangci-lint version (#6700)
• fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#6705)
• fix(go): add only non-empty root modules for gobinaries (#6710)
• refactor: unify package addition and vulnerability scanning (#6579)
• fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
• feat(misconf): Add support for deprecating a check (#6664)
• feat: Add Julia language analyzer support (#5635)
• feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
• fix(report): hide empty tables if all vulns has been filtered (#6352)
• feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)
• feat: add support for plugin index (#6674)
• docs: add support table for client server mode (#6498)
• fix: close APKINDEX archive file (#6672)
• fix(misconf): skip Rego errors with a nil location (#6666)
• refactor: move artifact types under artifact package to avoid import cycles (#6652)
• refactor(misconf): remove extrafs (#6656)
• refactor: re-define module structs for serialization (#6655)
• chore(misconf): Clean up iac logger (#6642)
• feat(misconf): support symlinks inside of Helm archives (#6621)
• feat(misconf): add Terraform 'removed' block to schema (#6640)
• refactor: unify Library and Package structs (#6633)
• fix: use of specified context to obtain cluster name (#6645)
• perf(misconf): parse rego input once (#6615)
• fix(misconf): skip Rego errors with a nil location (#6638)
• docs: link warning to both timeout config options (#6620)
• docs: fix usage of image-config-scanners (#6635)

Update to version 0.51.1:

• fix(fs): handle default skip dirs properly (#6628)
• fix(misconf): load cached tf modules (#6607)
• fix(misconf): do not use semver for parsing tf module versions (#6614)
• refactor: move setting scanners when using compliance reports to flag parsing (#6619)
• feat: introduce package UIDs for improved vulnerability mapping (#6583)
• perf(misconf): Improve cause performance (#6586)
• docs: trivy-k8s new experiance remove un-used section (#6608)
• docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
• feat(misconf): Use updated terminology for misconfiguration checks (#6476)
• docs: use generic link from trivy-repo (#6606)
• docs: update trivy k8s with new experience (#6465)
• feat: support --skip-images scanning flag (#6334)
• BREAKING: add support for k8s disable-node-collector flag (#6311)
• feat: add ubuntu 23.10 and 24.04 support (#6573)
• docs(go): add stdlib (#6580)
• feat(go): parse main mod version from build info settings (#6564)
• feat: respect custom exit code from plugin (#6584)
• docs: add asdf and mise installation method (#6063)
• feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
• feat: add support environment.yaml files (#6569)
• fix: close plugin.yaml (#6577)
• fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
• BREAKING: support exclude kinds/namespaces and include kinds/namespaces (#6323)
• feat(go): add main module (#6574)
• feat: add relationships (#6563)
• docs: mention --show-suppressed is available in table (#6571)
• chore: fix sqlite to support loong64 (#6511)
• fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
• docs: update info about config file (#6547)
• docs: remove RELEASE_VERSION from trivy.repo (#6546)
• fix(sbom): change error to warning for multiple OSes (#6541)
• fix(vuln): skip empty versions (#6542)
• feat(c): add license support for conan lock files (#6329)
• fix(terraform): Attribute and fileset fixes (#6544)
• refactor: change warning if no vulnerability details are found (#6230)
• refactor(misconf): improve error handling in the Rego scanner (#6527)
• feat(go): parse main module of go binary files (#6530)
• refactor(misconf): simplify the retrieval of module annotations (#6528)
• docs(nodejs): add info about supported versions of pnpm lock files (#6510)
• feat(misconf): loading embedded checks as a fallback (#6502)
• fix(misconf): Parse JSON k8s manifests properly (#6490)
• refactor: remove parallel walk (#5180)
• fix: close pom.xml (#6507)
• fix(secret): convert severity for custom rules (#6500)
• fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (#6412)
• fix: typo (#6283)
• docs(k8s,image): fix command-line syntax issues (#6403)
• fix(misconf): avoid panic if the scheme is not valid (#6496)
• feat(image): goversion as stdlib (#6277)
• fix: add color for error inside of log message (#6493)
• docs: fix links to OPA docs (#6480)
• refactor: replace zap with slog (#6466)
• docs: update links to IaC schemas (#6477)
• chore: bump Go to 1.22 (#6075)
• refactor(terraform): sync funcs with Terraform (#6415)
• feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
• fix(terraform): eval submodules (#6411)
• refactor(terraform): remove unused options (#6446)
• refactor(terraform): remove unused file (#6445)
• fix(misconf): Escape template value correctly (#6292)
• feat(misconf): add support for wildcard ignores (#6414)
• fix(cloudformation): resolve DedicatedMasterEnabled parsing issue (#6439)
• refactor(terraform): remove metrics collection (#6444)
• feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
• fix(db): check schema version for image name only (#6410)
• feat(misconf): Support private registries for misconf check bundle (#6327)
• feat(cloudformation): inline ignore support for YAML templates (#6358)
• feat(terraform): ignore resources by nested attributes (#6302)
• perf(helm): load in-memory files (#6383)
• feat(aws): apply filter options to result (#6367)
• feat(aws): quiet flag support (#6331)
• fix(misconf): clear location URI for SARIF (#6405)
• test(cloudformation): add CF tests (#6315)
• fix(cloudformation): infer type after resolving a function (#6406)
• fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
• docs: add info about support for package license detection in fs/repo modes (#6381)
• fix(nodejs): add support for parsing workspaces from package.json as an object (#6231)
• fix: use 0600 perms for tmp files for post analyzers (#6386)
• fix(helm): scan the subcharts once (#6382)
• docs(terraform): add file patterns for Terraform Plan (#6393)
• fix(terraform): сhecking SSE encryption algorithm validity (#6341)
• fix(java): parse modules from pom.xml files once (#6312)
• fix(server): add Locations for Packages in client/server mode (#6366)
• fix(sbom): add check for CreationInfo to nil when detecting SPDX created using Trivy (#6346)
• fix(report): don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used (#6348)
• chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
• feat(java): add support licenses and graph for gradle lock files (#6140)
• feat(vex): consider root component for relationships (#6313)
• fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
• chore: updates wazero to v1.7.0 (#6301)
• feat(sbom): Support license detection for SBOM scan (#6072)
• refactor(sbom): use intermediate representation for SPDX (#6310)
• docs(terraform): improve documentation for filtering by inline comments (#6284)
• fix(terraform): fix policy document retrieval (#6276)
• refactor(terraform): remove unused custom error (#6303)
• refactor(sbom): add intermediate representation for BOM (#6240)
• fix(amazon): check only major version of AL to find advisories (#6295)
• fix(db): use schema version as tag only for trivy-db and trivy-java-db registries by default (#6219)
• fix(nodejs): add name validation for package name from package.json (#6268)
• docs: Added install instructions for FreeBSD (#6293)
• feat(image): customer podman host or socket option (#6256)
• feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev (#6213)
• fix(license): reorder logic of how python package licenses are acquired (#6220)
• test(terraform): skip cached modules (#6281)
• feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
• fix(cloudformation): support of all SSE algorithms for s3 (#6270)
• feat(terraform): Terraform Plan snapshot scanning support (#6176)
• fix: typo function name and comment optimization (#6200)
• fix(java): don't ignore runtime scope for pom.xml files (#6223)
• fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
• test(k8s): use test-db for k8s integration tests (#6222)
• fix(terraform): fix root module search (#6160)
• test(parser): squash test data for yarn (#6203)
• fix(terraform): do not re-expand dynamic blocks (#6151)
• docs: update ecosystem page reporting with db app (#6201)
• fix: k8s summary separate infra and user finding results (#6120)
• fix: add context to target finding on k8s table view (#6099)
• fix: Printf format err (#6198)
• refactor: better integration of the parser into Trivy (#6183)
• feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
• fix(vex): CSAF filtering should consider relationships (#5923)
• refactor(report): Replacing source_location in github report when scanning an image (#5999)
• feat(vuln): ignore vulnerabilities by PURL (#6178)
• feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
• feat(k8s): rancher rke2 version support (#5988)
• docs: update kbom distribution for scanning (#6019)
• chore: update CODEOWNERS (#6173)
• fix(swift): try to use branch to resolve version (#6168)
• fix(terraform): ensure consistent path handling across OS (#6161)
• fix(java): add only valid libs from pom.properties files from jars (#6164)
• fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
• docs(report): add remark about path to filter licenses using .trivyignore.yaml file (#6145)
• docs: update template path for gitlab-ci tutorial (#6144)
• feat(report): support for filtering licenses and secrets via rego policy files (#6004)
• fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
• docs: add SecObserve in CI/CD and reporting (#6139)
• fix(alpine): exclude empty licenses for apk packages (#6130)
• docs: add docs tutorial on custom policies with rego (#6104)
• fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
• feat(vuln): show suppressed vulnerabilities in table (#6084)
• docs: rename governance to principles (#6107)
• docs: add governance (#6090)
• feat(java): add dependency location support for gradle files (#6083)
• fix(misconf): get user from Config.User (#6070)

Update to version 0.49.1:

• fix: check unescaped BomRef when matching PkgIdentifier (#6025)
• docs: Fix broken link to 'pronunciation' (#6057)
• fix: fix cursor usage in Redis Clear function (#6056)
• fix(nodejs): add local packages support for pnpm-lock.yaml files (#6034)
• test: fix flaky TestDockerEngine (#6054)
• fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)
• fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)
• feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)
• docs: add note about Bun (#6001)
• fix(report): use AWS_REGION env for secrets in asff template (#6011)
• fix: check returned error before deferring f.Close() (#6007)
• feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)
• feat(vuln): enable --vex for all targets (#5992)
• docs: update link to data sources (#6000)
• feat(java): add support for line numbers for pom.xml files (#5991)
• refactor(sbom): use new metadata.tools struct for CycloneDX (#5981)
• docs: Update troubleshooting guide with image not found error (#5983)
• style: update band logos (#5968)
• docs: update cosign tutorial and commands, update kyverno policy (#5929)
• docs: update command to scan go binary (#5969)
• fix: handle non-parsable images names (#5965)
• fix(amazon): save system files for pkgs containing amzn in src (#5951)
• fix(alpine): Add EOL support for alpine 3.19. (#5938)
• feat: allow end-users to adjust K8S client QPS and burst (#5910)
• fix(nodejs): find licenses for packages with slash (#5836)
• fix(sbom): use group field for pom.xml and nodejs files for CycloneDX reports (#5922)
• fix: ignore no init containers (#5939)
• docs: Fix documentation of ecosystem (#5940)
• docs(misconf): multiple ignores in comment (#5926)
• fix(secret): find aws secrets ending with a comma or dot (#5921)
• docs: ✨ Updated ecosystem docs with reference to new community app (#5918)
• fix(java): check if a version exists when determining GAV by file name for jar files (#5630)
• feat(vex): add PURL matching for CSAF VEX (#5890)
• fix(secret): AWS Secret Access Key must include only secrets with aws text. (#5901)
• revert(report): don't escape new line characters for sarif format (#5897)
• docs: improve filter by rego (#5402)
• docs: add_scan2html_to_trivy_ecosystem (#5875)
• fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)
• feat(vex): Add support for CSAF format (#5535)
• feat(python): parse licenses from dist-info folder (#4724)
• feat(nodejs): add yarn alias support (#5818)
• refactor: propagate time through context values (#5858)
• refactor: move PkgRef under PkgIdentifier (#5831)
• fix(cyclonedx): fix unmarshal for licenses (#5828)
• feat(vuln): include pkg identifier on detected vulnerabilities (#5439)

Update to version 0.48.1:

• fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)
• refactor(sbom): disable html escaping for CycloneDX (#5764)
• refactor(purl): use pub from package-url (#5784)
• docs(python): add note to using pip freeze for compatible releases (#5760)
• fix(report): use OS information for OS packages purl in github template (#5783)
• fix(report): fix error if miconfigs are empty (#5782)
• refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
• fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)
• docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)
• fix(report): update Gitlab template (#5721)
• feat(secret): add support of GitHub fine-grained tokens (#5740)
• fix(misconf): add an image misconf to result (#5731)
• feat(secret): added support of Docker registry credentials (#5720)

Update to version 0.48.0:

• feat: filter k8s core components vuln results (#5713)
• feat(vuln): remove duplicates in Fixed Version (#5596)
• feat(report): output plugin (#4863)
• docs: typo in modules.md (#5712)
• feat: Add flag to configure node-collector image ref (#5710)
• feat(misconf): Add --misconfig-scanners option (#5670)
• chore: bump Go to 1.21 (#5662)
• feat: Packagesprops support (#5605)
• docs: update adopters discussion template (#5632)
• docs: terraform tutorial links updated to point to correct loc (#5661)
• fix(secret): add sec and space to secret prefix for aws-secret-access-key (#5647)
• fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)
• fix(secret): exclude upper case before secret for alibaba-access-key-id (#5618)
• docs: Update Arch Linux package URL in installation.md (#5619)
• chore: add prefix to image errors (#5601)
• docs(vuln): fix link anchor (#5606)
• docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)
• fix: k8s friendly error messages kbom non cluster scans (#5594)
• feat: set InstalledFiles for DEB and RPM packages (#5488)
• fix(report): use time.Time for CreatedAt (#5598)
• test: retry containerd initialization (#5597)
• feat(misconf): Expose misconf engine debug logs with --debug option (#5550)
• test: mock VM walker (#5589)
• chore: bump node-collector v0.0.9 (#5591)
• feat(misconf): Add support for --cf-params for CFT (#5507)
• feat(flag): replace '--slow' with '--parallel' (#5572)
• fix(report): add escaping for Sarif format (#5568)
• chore: show a deprecation notice for --scanners config (#5587)
• feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
• test: mock RPM DB (#5567)
• feat: add aliases to '--scanners' (#5558)
• refactor: reintroduce output writer (#5564)
• chore: not load plugins for auto-generating docs (#5569)
• chore: sort supported AWS services (#5570)
• fix: no schedule toleration (#5562)
• fix(cli): set correct scanners for k8s target (#5561)
• fix(sbom): add FilesAnalyzed and PackageVerificationCode fields for SPDX (#5533)
• refactor(misconf): Update refactored dependencies (#5245)
• feat(secret): add built-in rule for JWT tokens (#5480)
• fix: trivy k8s parse ecr image with arn (#5537)
• fix: fail k8s resource scanning (#5529)
• refactor(misconf): don't remove Highlighted in json format (#5531)
• docs(k8s): fix link in kubernetes.md (#5524)
• docs(k8s): fix whitespace in list syntax (#5525)

Update to version 0.47.0:

• docs: add info that license scanning supports file-patterns flag (#5484)
• docs: add Zora integration into Ecosystem session (#5490)
• fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
• fix: correct error mismatch causing race in fast walks (#5516)
• docs: k8s vulnerability scanning (#5515)
• docs: remove glad for java datasources (#5508)
• chore: remove unused logger attribute in amazon detector (#5476)
• fix: correct error mismatch causing race in fast walks (#5482)
• fix(server): add licenses to BlobInfo message (#5382)
• feat: scan vulns on k8s core component apps (#5418)
• fix(java): fix infinite loop when relativePath field points to pom.xml being scanned (#5470)
• fix(sbom): save digests for package/application when scanning SBOM files (#5432)
• docs: fix the broken link (#5454)
• docs: fix error when installing PyYAML for gh pages (#5462)
• fix(java): download java-db once (#5442)
• docs(misconf): Update --tf-exclude-downloaded-modules description (#5419)
• feat(misconf): Support --ignore-policy in config scans (#5359)
• docs(misconf): fix broken table for Use container image section (#5425)
• feat(dart): add graph support (#5374)
• refactor: define a new struct for scan targets (#5397)
• fix(sbom): add missed primaryURL and source severity for CycloneDX (#5399)
• fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)
• docs: remove --scanners none (#5384)
• docs: Update container_image.md #5182 (#5193)
• feat(report): Add InstalledFiles field to Package (#4706)
• feat(k8s): add support for vulnerability detection (#5268)
• fix(python): override BOM in requirements.txt files (#5375)
• docs: add kbom documentation (#5363)
• test: use maximize build space for VM tests (#5362)
• fix(report): add escaping quotes in misconfig Title for asff template (#5351)
• fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)
• fix: add config files to FS for post-analyzers (#5333)
• fix: fix MIME warnings after updating to Go 1.20 (#5336)
• build: fix a compile error with Go 1.21 (#5339)
• feat: added Metadata into the k8s resource's scan report (#5322)
• chore: update adopters template (#5330)
• fix(sbom): use PURL or Group and Name in case of Java (#5154)
• docs: add buildkite repository to ecosystem page (#5316)
• chore: enable go-critic (#5302)
• close java-db client (#5273)
• fix(report): removes git::http from uri in sarif (#5244)
• Improve the meaning of sentence (#5301)
• add app nil check (#5274)
• typo: in secret.md (#5281)
• docs: add info about github format (#5265)
• feat(dotnet): add license support for NuGet (#5217)
• docs: correctly export variables (#5260)
• chore: Add line numbers for lint output (#5247)
• chore(cli): disable java-db flags in server mode (#5263)
• feat(db): allow passing registry options (#5226)
• refactor(purl): use TypeApk from purl (#5232)
• chore: enable more linters (#5228)
• Fix typo on ide.md (#5239)
• refactor: use defined types (#5225)
• fix(purl): skip local Go packages (#5190)
• docs: update info about license scanning in Yarn projects (#5207)
• fix link (#5203)
• fix(purl): handle rust types (#5186)
• chore: auto-close issues (#5177)
• fix(k8s): kbom support addons labels (#5178)
• test: validate SPDX with the JSON schema (#5124)
• chore: bump trivy-kubernetes-latest (#5161)
• docs: add 'Signature Verification' guide (#4731)
• docs: add image-scanner-with-trivy for ecosystem (#5159)
• fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)
• Update filtering.md (#5131)
• chaging adopters discussion tempalte (#5091)
• docs: add Bitnami (#5078)
• feat(docker): add support for scanning Bitnami components (#5062)
• feat: add support for .trivyignore.yaml (#5070)
• fix(terraform): improve detection of terraform files (#4984)
• feat: filter artifacts on --exclude-owned flag (#5059)
• fix(sbom): cyclonedx advisory should omit null value (#5041)
• build: maximize build space for build tests (#5072)
• feat: improve kbom component name (#5058)
• fix(pom): add licenses for pom artifacts (#5071)
• chore: bump Go to 1.20 (#5067)
• feat: PURL matching with qualifiers in OpenVEX (#5061)
• feat(java): add graph support for pom.xml (#4902)
• feat(swift): add vulns for cocoapods (#5037)
• fix: support image pull secret for additional workloads (#5052)
• fix: #5033 Superfluous double quote in html.tpl (#5036)
• docs(repo): update trivy repo usage and example (#5049)
• perf: Optimize Dockerfile for reduced layers and size (#5038)
• feat: scan K8s Resources Kind with --all-namespaces (#5043)
• fix: vulnerability typo (#5044)
• docs: adding a terraform tutorial to the docs (#3708)
• feat(report): add licenses to sarif format (#4866)
• feat(misconf): show the resource name in the report (#4806)
• chore: update alpine base images (#5015)
• feat: add Package.resolved swift files support (#4932)
• feat(nodejs): parse licenses in yarn projects (#4652)
• fix: k8s private registries support (#5021)
• bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)
• feat(vuln): support last_affected field from osv (#4944)
• feat(server): add version endpoint (#4869)
• feat: k8s private registries support (#4987)
• fix(server): add indirect prop to package (#4974)
• docs: add coverage (#4954)
• feat(c): add location for lock file dependencies. (#4994)
• docs: adding blog post on ec2 (#4813)
• revert 32bit bins (#4977)