search

ChristofferNissen / helmper

Import Helm Charts to OCI registries, optionally with vulnerability patching
https://christoffernissen.github.io/helmper/
Apache License 2.0
229 stars 9 forks source link

Bump github.com/aquasecurity/trivy from 0.45.1 to 0.51.2 #23

Closed dependabot[bot] closed 3 months ago

dependabot[bot] commented 6 months ago

Bumps github.com/aquasecurity/trivy from 0.45.1 to 0.51.2.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.51.2

Changelog

  • eadc6fb64 fix: node-collector high and critical cves (#6707)
  • cc489b1af Merge pull request from GHSA-xcq4-m2r3-cmrj
  • 013f71a6a chore: auto-bump golang patch versions (#6711)
  • 113a5b216 fix(misconf): don't shift ignore rule related to code (#6708)
  • 733e5ac1f fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#6705)
  • d311e49bc fix(go): add only non-empty root modules for gobinaries (#6710)
  • cf1a7bf30 refactor: unify package addition and vulnerability scanning (#6579)
  • d465d9d1e fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
  • 0af225ccf fix(conda): add support pip deps for environment.yml files (#6675)
  • 6f64d5518 fix(misconf): skip Rego errors with a nil location (#6666)
  • 8c27430a2 fix(misconf): skip Rego errors with a nil location (#6638)
  • c2b46d3c2 refactor: unify Library and Package structs (#6633)
  • 4368f11e0 fix: use of specified context to obtain cluster name (#6645)
  • 5ec62f863 docs: fix usage of image-config-scanners (#6635)

v0.51.1

Changelog

  • 8016b821a fix(fs): handle default skip dirs properly (#6628)
  • 7a25dadb4 fix(misconf): load cached tf modules (#6607)
  • 9c794c0ff fix(misconf): do not use semver for parsing tf module versions (#6614)

v0.51.0

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6622

Changelog

  • 14c1024b4 refactor: move setting scanners when using compliance reports to flag parsing (#6619)
  • 998f75043 feat: introduce package UIDs for improved vulnerability mapping (#6583)
  • 770b14113 perf(misconf): Improve cause performance (#6586)
  • 3ccb1a0f1 docs: trivy-k8s new experiance remove un-used section (#6608)
  • 58cfd1b07 chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
  • 715963d75 docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
  • 37da98df4 feat(misconf): Use updated terminology for misconfiguration checks (#6476)
  • cdee7030a chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
  • 6a2225b42 docs: use generic link from trivy-repo (#6606)
  • a2a02de7c docs: update trivy k8s with new experience (#6465)
  • e739ab850 feat: support --skip-images scanning flag (#6334)
  • c6d5d856c BREAKING: add support for k8s disable-node-collector flag (#6311)
  • 194a81468 chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
  • 03830c50c chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
  • 8e814fa23 chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
  • 2dc76ba78 chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
  • c17176ba9 chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
  • bce70af36 chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
  • 4369a19af feat: add ubuntu 23.10 and 24.04 support (#6573)
  • 5566548b7 chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
  • a8af76a47 chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)

... (truncated)

Commits
  • eadc6fb fix: node-collector high and critical cves (#6707)
  • cc489b1 Merge pull request from GHSA-xcq4-m2r3-cmrj
  • 013f71a chore: auto-bump golang patch versions (#6711)
  • 113a5b2 fix(misconf): don't shift ignore rule related to code (#6708)
  • 733e5ac fix(go): include only .version|.ver (no prefixes) ldflags for `gobinaries...
  • d311e49 fix(go): add only non-empty root modules for gobinaries (#6710)
  • cf1a7bf refactor: unify package addition and vulnerability scanning (#6579)
  • d465d9d fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
  • 0af225c fix(conda): add support pip deps for environment.yml files (#6675)
  • 6f64d55 fix(misconf): skip Rego errors with a nil location (#6666)
  • Additional commits viewable in compare view


Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ChristofferNissen/helmper/network/alerts).

Note Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

ChristofferNissen commented 5 months ago

Copacetic is keeping us from upgrading Trivy to fix the vulnerability. Follow here https://github.com/project-copacetic/copacetic/pull/397

ChristofferNissen commented 5 months ago

PR merged in Copacetic, waiting for release of 6.3

dependabot[bot] commented 3 months ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.