openSUSE-SU-2025-20117-1

Опубликовано: 27 нояб. 2025

Источник: suse-cvrf

Описание

Security update for trivy

This update for trivy fixes the following issues:

Changes in trivy:

Update to version 0.67.2 (bsc#1250625, CVE-2025-11065, bsc#1248897, CVE-2025-58058):

fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#9615)
fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
fix(vex): don't suppress vulns for packages with infinity loop (#9465)
fix(aws): use BuildableClient insead of xhttp.Client (#9436)
refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
docs: clarify inline ignore limitations for resource-less checks (#9537)
fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
fix(misconf): handle tofu files in module detection (#9486)
feat(seal): add seal support (#9370)
docs: fix modules path and update code example (#9539)
fix: close file descriptors and pipes on error paths (#9536)
feat: add documentation URL for database lock errors (#9531)
fix(db): Dowload database when missing but metadata still exists (#9393)
feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
fix(misconf): unmark cty values before access (#9495)
feat(cli): change --list-all-pkgs default to true (#9510)
fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
refactor: remove google/wire dependency and implement manual DI (#9509)
chore(deps): bump the aws group with 6 updates (#9481)
chore(deps): bump the common group across 1 directory with 24 updates (#9507)
fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
docs: move info about detection priority into coverage section (#9469)
feat(sbom): added support for CoreOS (#9448)
fix(misconf): strip build metadata suffixes from image history (#9498)
feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
docs: Fix typo in terraform docs (#9492)
feat(redhat): add os-release detection for RHEL-based images (#9458)
ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
fix(vuln): compare nuget package names in lower case (#9456)
chore: Update release flow to include chocolatey (#9460)
docs: document eol supportability (#9434)
docs(report): add nuanses about secret/license scanner in summary table (#9442)
ci: use environment variables in GitHub Actions for improved security (#9433)
chore: bump Go to 1.24.7 (#9435)
fix(nodejs): use snapshot string as Package.ID for pnpm packages (#9330)
ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)

Update to version 0.66.0 (bsc#1248937, CVE-2025-58058):

chore(deps): bump the aws group with 7 updates (#9419)
refactor(secret): clarify secret scanner messages (#9409)
fix(cyclonedx): handle multiple license types (#9378)
fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
test: add HTTP basic authentication to git test server (#9407)
fix(sbom): add support for file component type of CycloneDX (#9372)
fix(misconf): ensure module source is known (#9404)
ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
fix: create temp file under composite fs dir (#9387)
chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
refactor: switch to stable azcontainerregistry SDK package (#9319)
chore(deps): bump the common group with 7 updates (#9382)
refactor(misconf): migrate from custom Azure JSON parser (#9222)
fix(repo): preserve RepoMetadata on FS cache hit (#9389)
refactor(misconf): use atomic.Int32 (#9385)
chore(deps): bump the aws group with 6 updates (#9383)
docs: Fix broken link to "Built-in Checks" (#9375)
fix(plugin): don't remove plugins when updating index.yaml file (#9358)
fix: persistent flag option typo (#9374)
chore(deps): bump the common group across 1 directory with 26 updates (#9347)
fix(image): use standardized HTTP client for ECR authentication (#9322)
refactor: export systemFileFiltering Post Handler (#9359)
docs: update links to Semaphore pages (#9352)
fix(conda): memory leak by adding closure method for package.json file (#9349)
feat: add timeout handling for cache database operations (#9307)
fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
chore: fix some function names in comment (#9314)
chore(deps): bump the aws group with 7 updates (#9311)
docs: add explanation for how to use non-system certificates (#9081)
chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
fix: suppress debug log for context cancellation errors (#9298)
feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
fix(python): impove package name normalization (#9290)
feat(misconf): added audit config attribute (#9249)
refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
refactor: simplify Detect function signature (#9280)
ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
fix(fs): avoid shadowing errors in file.glob (#9286)
test(misconf): move terraform scan tests to integration tests (#9271)
test(misconf): drop gcp iam test covered by another case (#9285)
chore(deps): bump to alpine from 3.21.3 to 3.21.4 (#9283)

Update to version 0.65.0:

fix(cli): ensure correct command is picked by telemetry (#9260)
feat(flag): add schema validation for --server flag (#9270)
chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
ci: skip undefined labels in discussion triage action (#9175)
feat(repo): add git repository metadata to reports (#9252)
fix(license): handle WITH operator for LaxSplitLicenses (#9232)
chore: add modernize tool integration for code modernization (#9251)
fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
chore: implement process-safe temp file cleanup (#9241)
fix: prevent graceful shutdown message on normal exit (#9244)
fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
feat: add graceful shutdown with signal handling (#9242)
chore: update template URL for brew formula (#9221)
test: add end-to-end testing framework with image scan and proxy tests (#9231)
refactor(db): use Getter interface with GetParams for trivy-db sources (#9239)
ci: specify repository for gh cache delete in canary worklfow (#9240)
ci: remove invalid --confirm flag from gh cache delete command in canary builds (#9236)
fix(misconf): fix log bucket in schema (#9235)
chore(deps): bump the common group across 1 directory with 24 updates (#9228)
ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
fix(server): add HTTP transport setup to server mode (#9217)
chore: update the rpm download Update (#9202)
feat(alma): add AlmaLinux 10 support (#9207)
fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)
fix(rootio): fix severity selection (#9181)
fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
fix(misconf): correctly adapt azure storage account (#9138)
feat(misconf): add private ip google access attribute to subnetwork (#9199)
feat(report): add CVSS vectors in sarif report (#9157)
fix(terraform): for_each on a map returns a resource for every key (#9156)
fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
chore: migrate protoc setup from Docker to buf CLI (#9184)
ci: delete cache after artifacts upload in canary workflow (#9177)
refactor: remove aws flag helper message (#9080)
ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
ci: add auto-ready-for-review workflow (#9179)
feat(image): add Docker context resolution (#9166)
ci: optimize golangci-lint performance with cache-based strategy (#9173)
feat: add HTTP request/response tracing support (#9125)
fix(aws): update amazon linux 2 EOL date (#9176)
chore: Update release workflow to trigger version updates (#9162)
chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
fix: also check filepath when removing duplicate packages (#9142)
chore: add debug log to show image source location (#9163)
docs: add section on customizing default check data (#9114)
chore(deps): bump the common group across 1 directory with 9 updates (#9153)
docs: partners page content updates (#9149)
chore(license): add missed spdx exceptions: (#9147)
docs: trivy partners page updates (#9133)
fix: migrate from *.list to *.md5sums files for dpkg (#9131)
ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
fix(misconf): skip rewriting expr if attr is nil (#9113)
fix(license): add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#9116)
fix(cli): Add more non-sensitive flags to telemetry (#9110)
fix(alma): parse epochs from rpmqa file (#9101)
fix(rootio): check full version to detect root.io packages (#9117)
chore: drop FreeBSD 32-bit support (#9102)
fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
fix(secret): fix line numbers for multiple-line secrets (#9104)
feat(license): observe pkg types option in license scanner (#9091)
ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)

(CVE-2025-53547, bsc#1246151)
Update to version 0.64.1 (bsc#1243633, CVE-2025-47291, (bsc#1246730, CVE-2025-46569):
- fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
- fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
- fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#9120)
- fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
- docs(python): fix type with METADATA file name (#9090)
- feat: reject unsupported artifact types in remote image retrieval (#9052)
- chore(deps): bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#9088)
- refactor(misconf): rewrite Rego module filtering using functional filters (#9061)
- feat(terraform): add partial evaluation for policy templates (#8967)
- feat(vuln): add Root.io support for container image scanning (#9073)
- feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)
- fix(cli): add some values to the telemetry call (#9056)
- feat(ubuntu): add end of life date for Ubuntu 25.04 (#9077)
- refactor: centralize HTTP transport configuration (#9058)
- test: include integration tests in linting and fix all issues (#9060)
- chore(deps): bump the common group across 1 directory with 26 updates (#9063)
- feat(java): dereference all maven settings.xml env placeholders (#9024)
- fix(misconf): reduce log noise on incompatible check (#9029)
- fix(misconf): .Config.User always takes precedence over USER in .History (#9050)
- chore(deps): update Docker to v28.2.2 and fix compatibility issues (#9037)
- docs(misconf): simplify misconfiguration docs (#9030)
- fix(misconf): move disabled checks filtering after analyzer scan (#9002)
- docs: add PR review policy for maintainers (#9032)
- fix(sbom): remove unnecessary OS detection check in SBOM decoding (#9034)
- test: improve and extend tests for iac/adapters/arm (#9028)
- chore: bump up Go version to 1.24.4 (#9031)
- feat(cli): add version constraints to annoucements (#9023)
- fix(misconf): correct Azure value-to-time conversion in AsTimeValue (#9015)
- feat(ubuntu): add eol date for 20.04-ESM (#8981)
- fix(report): don't panic when report contains vulns, but doesn't contain packages for table format (#8549)
- fix(nodejs): correctly parse packages array of bun.lock file (#8998)
- refactor: use strings.SplitSeq instead of strings.Split in for-loop (#8983)
- docs: change --disable-metrics to --disable-telemetry in example (#8999) (#9003)
- feat(misconf): add OpenTofu file extension support (#8747)
- refactor(misconf): set Trivy version by default in Rego scanner (#9001)
- docs: fix assets with versioning (#8996)
- docs: add partners page (#8988)
- chore(alpine): add EOL date for Alpine 3.22 (#8992)
- fix: don't show corrupted trivy-db warning for first run (#8991)
- Update installation.md (#8979)
- feat(misconf): normalize CreatedBy for buildah and legacy docker builder (#8953)
- chore(k8s): update comments with deprecated command format (#8964)
- chore: fix errors and typos in docs (#8963)
- fix: Add missing version check flags (#8951)
- feat(redhat): Add EOL date for RHEL 10. (#8910)
- fix: Correctly check for semver versions for trivy version check (#8948)
- refactor(server): change custom advisory and vulnerability data types fr… (#8923)
- ci(helm): bump Trivy version to 0.63.0 for Trivy Helm Chart 0.15.0 (#8946)
- fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
- chore(deps): Bump trivy-checks (#8934)
- fix(julia): add Relationship field support (#8939)
- feat(minimos): Add support for MinimOS (#8792)
- feat(alpine): add maintainer field extraction for APK packages (#8930)
- feat(echo): Add Echo Support (#8833)
- fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
- fix(wolfi): support new APK database location (#8937)
- feat(k8s): get components from namespaced resources (#8918)
- refactor(cloudformation): remove unused ScanFile method from Scanner (#8927)
- refactor(terraform): remove result sorting from scanner (#8928)
- feat(misconf): Add support for Minimum Trivy Version (#8880)
- docs: improve skipping files documentation (#8749)
- feat(cli): Add available version checking (#8553)
- feat(nodejs): add a bun.lock analyzer (#8897)
- feat: terraform parser option to set current working directory (#8909)
- perf(secret): only match secrets of meaningful length, allow example strings to not be matched (#8602)
- feat(misconf): export raw Terraform data to Rego (#8741)
- refactor(terraform): simplify AllReferences method signature in Attribute (#8906)
- fix: check post-analyzers for StaticPaths (#8904)
- feat: add Bottlerocket OS package analyzer (#8653)
- feat(license): improve work text licenses with custom classification (#8888)
- chore(deps): bump github.com/containerd/containerd/v2 from 2.1.0 to 2.1.1 (#8901)
- chore(deps): bump the common group across 1 directory with 9 updates (#8887)
- refactor(license): simplify compound license scanning (#8896)
- feat(license): Support compound licenses (licenses using SPDX operators) (#8816)
- fix(k8s): use in-memory cache backend during misconfig scanning (#8873)
- feat(nodejs): add bun.lock parser (#8851)
- feat(license): improve work with custom classification of licenses from config file (#8861)
- fix(cli): disable --skip-dir and --skip-files flags for sbom command (#8886)
- fix: julia parser panicing (#8883)
- refactor(db): change logic to detect wrong DB (#8864)
- fix(cli): don't use allow values for --compliance flag (#8881)
- docs(misconf): Reorganize misconfiguration scan pages (#8206)
- fix(server): add missed Relationship field for rpc (#8872)
- feat: add JSONC support for comments and trailing commas (#8862)
- fix(vex): use lo.IsNil to check VEX from OCI artifact (#8858)
- feat(go): support license scanning in both GOPATH and vendor (#8843)
- fix(redhat): save contentSets for OS packages in fs/vm modes (#8820)
- fix: filter all files when processing files installed from package managers (#8842)
- feat(misconf): add misconfiguration location to junit template (#8793)
- docs(vuln): remove OSV for Python from data sources (#8841)
- chore: add an issue template for maintainers (#8838)
- chore: enable staticcheck (#8815)
- ci(helm): bump Trivy version to 0.62.1 for Trivy Helm Chart 0.14.1 (#8836)
- feat(license): scan vendor directory for license for go.mod files (#8689)
- docs(java): Update info about dev deps in gradle lock (#8830)
- chore(deps): bump golang.org/x/sync from 0.13.0 to 0.14.0 in the common group (#8822)
- fix(java): exclude dev dependencies in gradle lockfile (#8803)
- fix: octalLiteral from go-critic (#8811)
- fix(redhat): trim invalid suffix from content_sets in manifest parsing (#8818)
- chore(deps): bump the common group across 1 directory with 10 updates (#8817)
- fix: use-any from revive (#8810)
- fix: more revive rules (#8814)
- docs: change in java.md: fix the Trity -to-> Trivy typo (#8813)
- fix(misconf): check if for-each is known when expanding dyn block (#8808)
- ci(helm): bump Trivy version to 0.62.0 for Trivy Helm Chart 0.14.0 (#8802)
Update to version 0.62.1 (bsc#1239225, CVE-2025-22868, bsc#1241724, CVE-2025-22872):
- chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
- fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
- fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)
- feat(nodejs): add root and workspace for yarn packages (#8535)
- fix: unused-parameter rule from revive (#8794)
- chore(deps): Update trivy-checks (#8798)
- fix: early-return, indent-error-flow and superfluous-else rules from revive (#8796)
- fix(k8s): remove using last-applied-configuration (#8791)
- refactor(misconf): remove unused methods from providers (#8781)
- refactor(misconf): remove unused methods from iac types (#8782)
- fix(misconf): filter null nodes when parsing json manifest (#8785)
- fix: testifylint last issues (#8768)
- fix(misconf): perform operations on attribute safely (#8774)
- refactor(ubuntu): update time handling for fixing time (#8780)
- chore(deps): bump golangci-lint to v2.1.2 (#8766)
- feat(image): save layers metadata into report (#8394)
- feat(misconf): convert AWS managed policy to document (#8757)
- chore(deps): bump the docker group across 1 directory with 3 updates (#8762)
- ci(helm): bump Trivy version to 0.61.1 for Trivy Helm Chart 0.13.1 (#8753)
- ci(helm): create a helm branch for patches from main (#8673)
- fix(terraform): hcl object expressions to return references (#8271)
- chore(terraform): option to pass in instanced logger (#8738)
- ci: use Skitionek/notify-microsoft-teams instead of aquasecurity fork (#8740)
- chore(terraform): remove os.OpenPath call from terraform file functions (#8737)
- chore(deps): bump the common group across 1 directory with 23 updates (#8733)
- feat(rust): add root and workspace relationships/package for cargo lock files (#8676)
- refactor(misconf): remove module outputs from parser.EvaluateAll (#8587)
- fix(misconf): populate context correctly for module instances (#8656)
- fix(misconf): check if metadata is not nil (#8647)
- refactor(misconf): switch to x/json (#8719)
- fix(report): clean buffer after flushing (#8725)
- ci: improve PR title validation workflow (#8720)
- refactor(flag): improve flag system architecture and extensibility (#8718)
- fix(terraform): evaluateStep to correctly set EvalContext for multiple instances of blocks (#8555)
- refactor: migrate from github.com/aquasecurity/jfather to github.com/go-json-experiment/json (#8591)
- feat(misconf): support auto_provisioning_defaults in google_container_cluster (#8705)
- ci: use github.event.pull_request.user.login for release PR check workflow (#8702)
- refactor: add hook interface for extended functionality (#8585)
- fix(misconf): add missing variable as unknown (#8683)
- docs: Update maintainer docs (#8674)
- ci(vuln): reduce github action script injection attack risk (#8610)
- fix(secret): ignore .dist-info directories during secret scanning (#8646)
- fix(server): fix redis key when trying to delete blob (#8649)
- chore(deps): bump the testcontainers group with 2 updates (#8650)
- test: use aquasecurity repository for test images (#8677)
- chore(deps): bump the aws group across 1 directory with 5 updates (#8652)
- fix(k8s): skip passed misconfigs for the summary report (#8684)
- fix(k8s): correct compare artifact versions (#8682)
- chore: update Docker lib (#8681)
- refactor(misconf): remove unused terraform attribute methods (#8657)
- feat(misconf): add option to pass Rego scanner to IaC scanner (#8369)
- chore: typo fix to replace rego with repo on the RepoFlagGroup options error output (#8643)
- docs: Add info about helm charts release (#8640)
- ci(helm): bump Trivy version to 0.61.0 for Trivy Helm Chart 0.13.0 (#8638)

Update to version 0.61.1 (bsc#1239385, CVE-2025-22869, bsc#1240466, CVE-2025-30204):

fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
test: use aquasecurity repository for test images [backport: release/v0.61] (#8698)
fix(misconf): Improve logging for unsupported checks (#8634)
feat(k8s): add support for controllers (#8614)
fix(debian): don't include empty licenses for dpkgs (#8623)
fix(misconf): Check values wholly prior to evalution (#8604)
chore(deps): Bump trivy-checks (#8619)
fix(k8s): show report for --report all (#8613)
chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#8597)
refactor: rename scanner to service (#8584)
fix(misconf): do not skip loading documents from subdirectories (#8526)
refactor(misconf): get a block or attribute without calling HasChild (#8586)
fix(misconf): identify the chart file exactly by name (#8590)
test: use table-driven tests in Helm scanner tests (#8592)
refactor(misconf): Simplify misconfig checks bundle parsing (#8533)
chore(deps): bump the common group across 1 directory with 10 updates (#8566)
fix(misconf): do not use cty.NilVal for non-nil values (#8567)
docs(cli): improve flag value display format (#8560)
fix(misconf): set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548)
docs: remove slack (#8565)
fix: use --file-patterns flag for all post analyzers (#7365)
docs(python): Mention pip-compile (#8484)
feat(misconf): adapt aws_opensearch_domain (#8550)
feat(misconf): adapt AWS::EC2::VPC (#8534)
docs: fix a broken link (#8546)
fix(fs): check postAnalyzers for StaticPaths (#8543)
refactor(misconf): remove unused methods for ec2.Instance (#8536)
feat(misconf): adapt aws_default_security_group (#8538)
feat(fs): optimize scanning performance by direct file access for known paths (#8525)
feat(misconf): adapt AWS::DynamoDB::Table (#8529)
style: Fix MD syntax in self-hosting.md (#8523)
perf(misconf): retrieve check metadata from annotations once (#8478)
feat(misconf): Add support for aws_ami (#8499)
fix(misconf): skip Azure CreateUiDefinition (#8503)
refactor(misconf): use OPA v1 (#8518)
fix(misconf): add ephemeral block type to config schema (#8513)
perf(misconf): parse input for Rego once (#8483)
feat: replace TinyGo with standard Go for WebAssembly modules (#8496)
chore: replace deprecated tenv linter with usetesting (#8504)
fix(spdx): save text licenses into otherLicenses without normalize (#8502)
chore(deps): bump the common group across 1 directory with 13 updates (#8491)
chore: use go.mod for managing Go tools (#8493)
ci(helm): bump Trivy version to 0.60.0 for Trivy Helm Chart 0.12.0 (#8494)
fix(sbom): improve logic for binding direct dependency to parent component (#8489)
chore(deps): remove missed replace of trivy-db (#8492)
chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 directory (#8490)
chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
docs: add abbreviation list (#8453)
chore(terraform): assign *terraform.Module 'parent' field (#8444)
feat: add report summary table (#8177)
chore(deps): bump the github-actions group with 3 updates (#8473)
refactor(vex): improve SBOM reference handling with project standards (#8457)
ci: update GitHub Actions cache to v4 (#8475)
feat: add --vuln-severity-source flag (#8269)
fix(os): add mapping OS aliases (#8466)
chore(deps): bump the aws group across 1 directory with 7 updates (#8468)
chore(deps): Bump trivy-checks to v1.7.1 (#8467)
refactor(report): write tables after rendering all results (#8357)
docs: update VEX documentation index page (#8458)
fix(db): fix case when 2 trivy-db were copied at the same time (#8452)
feat(misconf): render causes for Terraform (#8360)
fix(misconf): fix incorrect k8s locations due to JSON to YAML conversion (#8073)
feat(cyclonedx): Add initial support for loading external VEX files from SBOM references (#8254)
chore(deps): update go-rustaudit location (#8450)
fix: update all documentation links (#8045)
chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#8443)
chore(deps): bump the common group with 6 updates (#8411)
fix(k8s): add missed option PkgRelationships (#8442)
fix(sbom): add SBOM file's filePath as Application FilePath if we can't detect its path (#8346)
feat(go): fix parsing main module version for go >= 1.24 (#8433)
refactor(misconf): make Rego scanner independent of config type (#7517)
fix(image): disable AVD-DS-0007 for history scanning (#8366)
fix(server): secrets inspectation for the config analyzer in client server mode (#8418)
chore: remove mockery (#8417)
test(server): replace mock driver with memory cache in server tests (#8416)
test: replace mock with memory cache and fix non-deterministic tests (#8410)
test: replace mock with memory cache in scanner tests (#8413)
test: use memory cache (#8403)
fix(spdx): init pkgFilePaths map for all formats (#8380)
chore(deps): bump the common group across 1 directory with 11 updates (#8381)
docs: correct Ruby documentation (#8402)
chore: bump mockery to update v2.52.2 version and rebuild mock files (#8390)
fix: don't use scope for trivy registry login command (#8393)
fix(go): merge nested flags into string for ldflags for Go binaries (#8368)
chore(terraform): export module path on terraform modules (#8374)
fix(terraform): apply parser options to submodule parsing (#8377)
docs: Fix typos in documentation (#8361)
docs: fix navigate links (#8336)
ci(helm): bump Trivy version to 0.59.1 for Trivy Helm Chart 0.11.1 (#8354)
ci(spdx): add aqua-installer step to fix mage error (#8353)
chore: remove debug prints (#8347)
fix(misconf): do not log scanners when misconfig scanning is disabled (#8345)
fix(report): remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344)
chore(deps): bump Go to v1.23.5 (#8341)
fix(python): add poetry v2 support (#8323)
chore(deps): bump the github-actions group across 1 directory with 4 updates (#8331)
fix(misconf): ecs include enhanced for container insights (#8326)
fix(sbom): preserve OS packages from multiple SBOMs (#8325)
ci(helm): bump Trivy version to 0.59.0 for Trivy Helm Chart 0.11.0 (#8311)
(bsc#1237618, CVE-2025-27144)

Update to version 0.59.1:

fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#8343)
fix(python): add poetry v2 support [backport: release/v0.59] (#8335)
fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)

Update to version 0.59.0:

feat(image): return error early if total size of layers exceeds limit (#8294)
chore(deps): Bump trivy-checks (#8310)
chore(terraform): add accessors to underlying raw hcl values (#8306)
fix: improve conversion of image config to Dockerfile (#8308)
docs: replace short codes with Unicode emojis (#8296)
feat(k8s): improve artifact selections for specific namespaces (#8248)
chore: update code owners (#8303)
fix(misconf): handle heredocs in dockerfile instructions (#8284)
fix: de-duplicate same dpkg packages with different filePaths from different layers (#8298)
chore(deps): bump the aws group with 7 updates (#8299)
chore(deps): bump the common group with 12 updates (#8301)
chore: enable int-conversion from perfsprint (#8194)
feat(fs): use git commit hash as cache key for clean repositories (#8278)
fix(spdx): use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#8077)
chore: use require.ErrorContains when possible (#8291)
feat(image): prevent scanning oversized container images (#8178)
chore(deps): use aqua forks for github.com/liamg/jfather and github.com/liamg/iamgo (#8289)
fix(fs): fix cache key generation to use UUID (#8275)
fix(misconf): correctly handle all YAML tags in K8S templates (#8259)
feat: add support for registry mirrors (#8244)
chore(deps): bump the common group across 1 directory with 29 updates (#8261)
refactor(license): improve license expression normalization (#8257)
feat(misconf): support for ignoring by inline comments for Dockerfile (#8115)
feat: add a examples field to check metadata (#8068)
chore(deps): bump alpine from 3.20.0 to 3.21.0 in the docker group across 1 directory (#8196)
ci: add workflow to restrict direct PRs to release branches (#8240)
fix(suse): SUSE - update OSType constants and references for compatility (#8236)
ci: fix path to main dir for canary builds (#8231)
chore(secret): add reported issues related to secrets in junit template (#8193)
refactor: use trivy-checks/pkg/specs package (#8226)
ci(helm): bump Trivy version to 0.58.1 for Trivy Helm Chart 0.10.0 (#8170)
fix(misconf): allow null values only for tf variables (#8112)
feat(misconf): support for ignoring by inline comments for Helm (#8138)
fix(redhat): check usr/share/buildinfo/ dir to detect content sets (#8222)
chore(alpine): add EOL date for Alpine 3.21 (#8221)
fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207)
fix(misconf): disable git terminal prompt on tf module load (#8026)
chore: remove aws iam related scripts (#8179)
docs: Updated JSON schema version 2 in the trivy documentation (#8188)
refactor(python): use once + debug for License acquired from METADATA... logs (#8175)
refactor: use slices package instead of custom function (#8172)
chore(deps): bump the common group with 6 updates (#8162)
feat(python): add support for uv dev and optional dependencies (#8134)
feat(python): add support for poetry dev dependencies (#8152)
fix(sbom): attach nested packages to Application (#8144)
docs(vex): use debian minor version in examples (#8166)
refactor: add generic Set implementation (#8149)
chore(deps): bump the aws group across 1 directory with 6 updates (#8163)
fix(python): skip dev group's deps for poetry (#8106)
fix(sbom): use root package for unknown dependencies (if exists) (#8104)
chore(deps): bump golang.org/x/net from v0.32.0 to v0.33.0 (#8140)
chore(vex): suppress CVE-2024-45338 (#8137)
feat(python): add support for uv (#8080)
chore(deps): bump the docker group across 1 directory with 3 updates (#8127)
chore(deps): bump the common group across 1 directory with 14 updates (#8126)
chore: bump go to 1.23.4 (#8123)
test: set dummy value for NUGET_PACKAGES (#8107)
chore(deps): bump github.com/CycloneDX/cyclonedx-go from v0.9.1 to v0.9.2 (#8105)
chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 (#8103)
fix: wasm module test (#8099)
fix: CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088)
chore(vex): suppress CVE-2024-45337 (#8101)
fix(license): always trim leading and trailing spaces for licenses (#8095)
fix(sbom): scan results of SBOMs generated from container images are missing layers (#7635)
fix(redhat): correct rewriting of recommendations for the same vulnerability (#8063)
fix: enable err-error and errorf rules from perfsprint linter (#7859)
chore(deps): bump the aws group across 1 directory with 6 updates (#8074)
perf: avoid heap allocation in applier findPackage (#7883)
fix: Updated twitter icon (#7772)
docs(k8s): add a note about multi-container pods (#7815)
feat: add --distro flag to manually specify OS distribution for vulnerability scanning (#8070)
fix(oracle): add architectures support for advisories (#4809)
fix: handle BLOW_UNKNOWN error to download DBs (#8060)
feat(misconf): generate placeholders for random provider resources (#8051)
fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052)
fix(flag): skip hidden flags for --generate-default-config command (#8046)
fix(java): correctly overwrite version from depManagement if dependency uses project.* props (#8050)
feat(nodejs): respect peer dependencies for dependency tree (#7989)
ci(helm): bump Trivy version to 0.58.0 for Trivy Helm Chart 0.10.0 (#8038)
fix: respect GITHUB_TOKEN to download artifacts from GHCR (#7580)
chore(deps): bump github.com/moby/buildkit from 0.17.2 to 0.18.0 in the docker group (#8029)
fix(misconf): use log instead of fmt for logging (#8033)
docs: add commercial content (#8030)

Update to version 0.58.2 ( bsc#1234512, CVE-2024-45337, bsc#1235265, CVE-2024-45338, bsc#1232948, CVE-2024-51744):
- fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
- fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
- fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)
- fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)
- fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)
- fix(sbom): use root package for unknown dependencies (if exists) [backport: release/v0.58] (#8156)
- chore(deps): bump golang.org/x/net from v0.32.0 to v0.33.0 [backport: release/v0.58] (#8142)
- chore(deps): bump github.com/CycloneDX/cyclonedx-go from v0.9.1 to v0.9.2 [backport: release/v0.58] (#8136)
- fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)
- fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)
- fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)
- chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)
- fix: handle BLOW_UNKNOWN error to download DBs [backport: release/v0.58] (#8121)
- fix(java): correctly overwrite version from depManagement if dependency uses project.* props [backport: release/v0.58] (#8119)
- fix(misconf): wrap AWS EnvVar to iac types (#7407)
- chore(deps): Upgrade trivy-checks (#8018)
- refactor(misconf): Remove unused options (#7896)
- docs: add terminology page to explain Trivy concepts (#7996)
- feat: add workspaceRelationship (#7889)
- refactor(sbom): simplify relationship generation (#7985)
- chore: remove Go checks (#7907)
- docs: improve databases documentation (#7732)
- refactor: remove support for custom Terraform checks (#7901)
- docs: fix dead links (#7998)
- docs: drop AWS account scanning (#7997)
- fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)
- fix(cli): Handle empty ignore files more gracefully (#7962)
- fix(misconf): load full Terraform module (#7925)
- fix(misconf): properly resolve local Terraform cache (#7983)
- refactor(k8s): add v prefix for Go packages (#7839)
- test: replace Go checks with Rego (#7867)
- feat(misconf): log causes of HCL file parsing errors (#7634)
- chore(deps): bump the aws group across 1 directory with 7 updates (#7991)
- chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)
- chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)
- chore: downgrade the failed block expand message to debug (#7964)
- fix(misconf): do not erase variable type for child modules (#7941)
- feat(go): construct dependencies of go.mod main module in the parser (#7977)
- feat(go): construct dependencies in the parser (#7973)
- feat: add cvss v4 score and vector in scan response (#7968)
- docs: add overview page for others (#7972)
- fix(sbom): Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#7871)
- feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)
- chore(deps): bump the common group with 4 updates (#7949)
- feat(oracle): add flavors support (#7858)
- fix(misconf): Update trivy-checks default repo to mirror.gcr.io (#7953)
- chore(deps): Bump up trivy-checks to v1.3.0 (#7959)
- fix(k8s): check all results for vulnerabilities (#7946)
- ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)
- feat(secret): Add built-in secrets rules for Private Packagist (#7826)
- docs: Fix broken links (#7900)
- docs: fix mistakes/typos (#7942)
- feat: Update registry fallbacks (#7679)
- fix(alpine): add UID for removed packages (#7887)
- chore(deps): bump the aws group with 6 updates (#7902)
- chore(deps): bump the common group with 6 updates (#7904)
- fix(debian): infinite loop (#7928)
- fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#7912)
- docs: add note about temporary podman socket (#7921)
- docs: combine trivy.dev into trivy docs (#7884)
- test: change branch in spdx schema link to check in integration tests (#7935)
- docs: add Headlamp to the Trivy Ecosystem page (#7916)
- fix(report): handle git@github.com schema for misconfigs in sarif report (#7898)
- chore(k8s): enhance k8s scan log (#6997)
- fix(terraform): set null value as fallback for missing variables (#7669)
- fix(misconf): handle null properties in CloudFormation templates (#7813)
- fix(fs): add missing defered Cleanup() call to post analyzer fs (#7882)
- chore(deps): bump the common group across 1 directory with 20 updates (#7876)
- chore: bump containerd to v2.0.0 (#7875)
- fix: Improve version comparisons when build identifiers are present (#7873)
- feat(k8s): add default commands for unknown platform (#7863)
- chore(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)
- refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)
- test: save containerd image into archive and use in tests (#7816)
- chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)
- chore: bump golangci-lint to v1.61.0 (#7853)

Update to version 0.57.1:

feat: Update registry fallbacks [backport: release/v0.57] (#7944)
fix(redhat): don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files [backport: release/v0.57] (#7939)
test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)
release: v0.57.0 [main] (#7710)
chore: lint errors.Join (#7845)
feat(db): append errors (#7843)
docs(java): add info about supported scopes (#7842)
docs: add example of creating whitelist of checks (#7821)
chore(deps): Bump trivy-checks (#7819)
fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)
fix(k8s): skip resources without misconfigs (#7797)
fix(sbom): use Annotation instead of AttributionTexts for SPDX formats (#7811)
fix(cli): add config name to skip-policy-update alias (#7820)
fix(helm): properly handle multiple archived dependencies (#7782)
refactor(misconf): Deprecate EXCEPTIONS for misconfiguration scanning (#7776)
fix(k8s)!: support k8s multi container (#7444)
fix(k8s): support kubernetes v1.31 (#7810)
docs: add Windows install instructions (#7800)
ci(helm): auto public Helm chart after PR merged (#7526)
feat: add end of life date for Ubuntu 24.10 (#7787)
feat(report): update gitlab template to populate operating_system value (#7735)
feat(misconf): Show misconfig ID in output (#7762)
feat(misconf): export unresolvable field of IaC types to Rego (#7765)
refactor(k8s): scan config files as a folder (#7690)
fix(license): fix license normalization for Universal Permissive License (#7766)
fix: enable usestdlibvars linter (#7770)
fix(misconf): properly expand dynamic blocks (#7612)
feat(cyclonedx): add file checksums to CycloneDX reports (#7507)
fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)
refactor(misconf): simplify k8s scanner (#7717)
feat(parser): ignore white space in pom.xml files (#7747)
test: use forked images (#7755)
fix(java): correctly inherit version and scope from upper/root depManagement and dependencies into parents (#7541)
fix(misconf): check if property is not nil before conversion (#7578)
fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)
feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
test: define constants for test images (#7739)
docs: add note about disabled DS016 check (#7724)
feat(misconf): public network support for Azure Storage Account (#7601)
feat(cli): rename trivy auth to trivy registry (#7727)
docs: apt-transport-https is a transitional package (#7678)
refactor(misconf): introduce generic scanner (#7515)
fix(cli): clean --all deletes only relevant dirs (#7704)
feat(cli): add trivy auth (#7664)
fix(sbom): add options for DBs in private registries (#7660)
docs(report): fix reporting doc format (#7671)
fix(repo): git clone output to Stderr (#7561)
fix(redhat): include arch in PURL qualifiers (#7654)
fix(report): Fix invalid URI in SARIF report (#7645)
docs(report): Improve SARIF reporting doc (#7655)
fix(db): fix javadb downloading error handling (#7642)
feat(cli): error out when ignore file cannot be found (#7624)

Update to version 0.56.2:

fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)

Update to version 0.51.1 (bsc#1227010, CVE-2024-3817):

Список пакетов

openSUSE Leap 16.0

trivy-0.66.0-bp160.1.1

Ссылки

https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1227010
SUSE Bug 1227010
https://bugzilla.suse.com/1232948
SUSE Bug 1232948
https://bugzilla.suse.com/1234512
SUSE Bug 1234512
https://bugzilla.suse.com/1235265
SUSE Bug 1235265
https://bugzilla.suse.com/1237618
SUSE Bug 1237618
https://bugzilla.suse.com/1239225
SUSE Bug 1239225
https://bugzilla.suse.com/1239385
SUSE Bug 1239385
https://bugzilla.suse.com/1240466
SUSE Bug 1240466
https://bugzilla.suse.com/1241724
SUSE Bug 1241724
https://bugzilla.suse.com/1243633
SUSE Bug 1243633
https://bugzilla.suse.com/1246151
SUSE Bug 1246151
https://bugzilla.suse.com/1246730
SUSE Bug 1246730
https://bugzilla.suse.com/1248897
SUSE Bug 1248897
https://bugzilla.suse.com/1248937
SUSE Bug 1248937
https://bugzilla.suse.com/1250625
SUSE Bug 1250625
https://www.suse.com/security/cve/CVE-2024-3817/
SUSE CVE CVE-2024-3817 page
https://www.suse.com/security/cve/CVE-2024-45337/
SUSE CVE CVE-2024-45337 page
https://www.suse.com/security/cve/CVE-2024-45338/
SUSE CVE CVE-2024-45338 page
https://www.suse.com/security/cve/CVE-2024-51744/
SUSE CVE CVE-2024-51744 page

Описание

HashiCorp's go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package.