future-architect / vuls

Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
https://vuls.io/
GNU General Public License v3.0

chore(deps): bump github.com/aquasecurity/trivy from 0.51.4 to 0.52.0 #1956

Closed dependabot[bot] closed 1 month ago

dependabot[bot] commented 1 month ago

Bumps github.com/aquasecurity/trivy from 0.51.4 to 0.52.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.52.0

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6838

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.52.0 (2024-06-03)

Features

  • Add Julia language analyzer support (#5635) (fecafb1)
  • add support for plugin index (#6674) (26faf8f)
  • misconf: Add support for deprecating a check (#6664) (88702cf)
  • misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
  • misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
  • misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
  • misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
  • misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
  • nodejs: add v9 pnpm lock file support (#6617) (1e08648)
  • plugin: specify plugin version (#6683) (d6dc567)
  • python: add license support for requirement.txt files (#6782) (29615be)
  • python: add line number support for requirement.txt files (#6729) (2bc54ad)
  • report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
  • vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
  • vex: support non-root components for products in OpenVEX (#6728) (9515695)

Bug Fixes

  • clean up golangci lint configuration (#6797) (62de6f3)
  • cli: always output fatal errors to stderr (#6827) (c2b9132)
  • close APKINDEX archive file (#6672) (5caf437)
  • close settings.xml (#6768) (9c3e895)
  • close testfile (#6830) (aa0c413)
  • conda: add support pip deps for environment.yml files (#6675) (150a773)
  • go: add only non-empty root modules for gobinaries (#6710) (c96f2a5)
  • go: include only .version|.ver (no prefixes) ldflags for gobinaries (#6705) (afb4f9d)
  • Golang version parsing from binaries w/GOEXPERIMENT (#6696) (696f2ae)
  • include packages unless it is not needed (#6765) (56dbe1f)
  • misconf: don't shift ignore rule related to code (#6708) (39a746c)
  • misconf: skip Rego errors with a nil location (#6638) (a2c522d)
  • misconf: skip Rego errors with a nil location (#6666) (a126e10)
  • node-collector high and critical cves (#6707) (ff32deb)
  • plugin: initialize logger (#6836) (728e77a)
  • python: add package name and version validation for requirements.txt files. (#6804) (ea3a124)
  • report: hide empty tables if all vulns has been filtered (#6352) (3d388d8)
  • sbom: fix panic for convert mode when scanning json file derived from sbom file (#6808) (f92ea09)
  • use of specified context to obtain cluster name (#6645) (39ebed4)

Performance Improvements

Commits
  • c24dfba release: v0.52.0 [main] (#6809)
  • 728e77a fix(plugin): initialize logger (#6836)
  • 83fc6e7 chore(deps): bump alpine from 3.19.1 to 3.20.0 in the docker group (#6835)
  • c2b9132 fix(cli): always output fatal errors to stderr (#6827)
  • aa0c413 fix: close testfile (#6830)
  • 1c49ae9 docs(julia): add scanner table (#6826)
  • 29615be feat(python): add license support for requirement.txt files (#6782)
  • 2f05418 docs: add more workarounds for out-of-disk (#6821)
  • 5b0bc58 chore: improve error message for image not found (#6822)
  • f92ea09 fix(sbom): fix panic for convert mode when scanning json file derived from ...
  • Additional commits viewable in compare view


Most Recent Ignore Conditions Applied to This Pull Request

| Dependency Name | Ignore Conditions |
| --- | --- |
| github.com/aquasecurity/trivy | [>= 0.50.2.a, < 0.50.3] |
| github.com/aquasecurity/trivy | [< 0.51, > 0.50.1] |


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
shino commented 1 month ago

Using the pnpm-lock.yaml from https://github.com/bastienwirtz/homer/blob/e23868c5940e805a259d7836190923b1ee6efbfa/pnpm-lock.yaml, a stack overflow was caused:

[Jun  7 11:54:22]  INFO [pnpm-v9] Scanning listen port...
[Jun  7 11:54:22]  INFO [pnpm-v9] Using Port Scanner: Vuls built-in Scanner
[Jun  7 11:54:22]  INFO [pnpm-v9] Scanning Language-specific Packages...
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0xc02368e5f8 stack=[0xc02368e000, 0xc04368e000]
fatal error: stack overflow
runtime stack:
runtime.throw({0x3b21e25?, 0x200000001?})
        /home/shino/sdk/go1.22.3/src/runtime/panic.go:1023 +0x5c fp=0x7fff4345fda8 sp=0x7fff4345fd78 pc=0x43e43c
runtime.newstack()
        /home/shino/sdk/go1.22.3/src/runtime/stack.go:1103 +0x5bd fp=0x7fff4345ff58 sp=0x7fff4345fda8 pc=0x459bfd
runtime.morestack()
        /home/shino/sdk/go1.22.3/src/runtime/asm_amd64.s:616 +0x7a fp=0x7fff4345ff60 sp=0x7fff4345ff58 pc=0x4728da
goroutine 72 gp=0xc000e97c00 m=0 mp=0x6dbfe00 [running]:
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc00247de90, 0x22}, 0xc04368d7e8, 0xc04368d6e8)
        /home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:222 +0x1fc fp=0xc02368e608 sp=0xc02368e600 pc=0x27e33bc  
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc0008977d0, 0x13}, 0xc04368d7e8, 0xc04368d6e8)
        /home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368e9d8 sp=0xc02368e608 pc=0x27e337c  
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc002598348, 0x14}, 0xc04368d7e8, 0xc04368d6e8)
        /home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368eda8 sp=0xc02368e9d8 pc=0x27e337c  
github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/pnpm.(*Parser).markRootPkgs(0xc001ff27b8, {0xc0025bc100, 0x19}, 0xc04368d7e8, 0xc04368d6e8)
        /home/shino/go/pkg/mod/github.com/aquasecurity/trivy@v0.52.0/pkg/dependency/parser/nodejs/pnpm/parse.go:233 +0x1bc fp=0xc02368f178 sp=0xc02368eda8 pc=0x27e337c
[snip]

This has probably been fixed on the main branch by https://github.com/aquasecurity/trivy/pull/6857

The commit graph after v0.52.0 is as follows at this point:

 e8d8af450 (HEAD -> refs/heads/main, refs/remotes/origin/main, refs/remotes/origin/HEAD) chore: auto label discussions (#5259)
| * 25e89c8af (refs/remotes/origin/release-please--branches--main) release: v0.53.0 [main]
|/
* 63eb85a06 docs: explain how VEX is applied (#6864)
* 1e2db83e4 ci: automate backporting process (#6781)
* d4aea2788 ci: create release branch (#6859)
* faa9d92cf fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)
* 7d083bc89 fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)            ### <===== FIXED
* 042d6b08c feat(dart): use first version of constraint for dependencies using SDK version (#6239)
* 8141a137b fix(misconf): parsing numbers without fraction as int (#6834)
* 0bcfedbca fix(misconf): fix caching of modules in subdirectories (#6814)
* 02d540478 feat(misconf): add metadata to Cloud schema (#6831)
* 8dd076a76 chore(deps): bump the aws group across 1 directory with 7 updates (#6837)
* bab16b88a chore(deps): bump the common group with 5 updates (#6842)
* b7b8cdc9e test: replace embedded Git repository with dynamically created repository (#6824)
* c24dfbab6 (tag: refs/tags/v0.52.0, refs/remotes/origin/release/v0.52) release: v0.52.0 [main] (#6809)
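The crash reported above is unbounded recursion over a dependency graph that contains a cycle: the lock-file walk re-enters a package it is already processing and never returns. As an added example (not trivy's or vuls' code, and a deliberate simplification of what a pnpm-lock.yaml holds), the following Go program writes the same marking walk twice, once with no record of visited packages, which recurses until the goroutine stack limit on cyclic input, and once with an early return on already-marked packages, which terminates. It also includes a three-colour DFS cycle check a practitioner could run over a lock file's dependency graph before handing it to a parser known to be affected. The package identifiers and both sample graphs are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Package is a simplified lock-file entry: an identifier and the identifiers
// it depends on. Constructed stand-in for pnpm-lock.yaml data, not trivy's model.
type Package struct {
	ID   string
	Deps []string
}

// Graph maps a package identifier to its entry; unknown IDs have no deps.
type Graph map[string]Package

// markRootPkgsNaive marks pkgID and everything reachable from it. It keeps no
// record of what it has already visited, so on a cycle (a -> b -> a) it
// recurses until Go's goroutine stack limit is hit, the failure mode in the
// trace above. Only call it on acyclic input.
func markRootPkgsNaive(g Graph, pkgID string, marked map[string]bool) {
	marked[pkgID] = true
	for _, dep := range g[pkgID].Deps {
		markRootPkgsNaive(g, dep, marked)
	}
}

// markRootPkgs is the same walk with an early return on already-marked
// packages, so each node is expanded once and cycles terminate.
func markRootPkgs(g Graph, pkgID string, marked map[string]bool) {
	if marked[pkgID] {
		return
	}
	marked[pkgID] = true
	for _, dep := range g[pkgID].Deps {
		markRootPkgs(g, dep, marked)
	}
}

// MarkedFrom runs the cycle-safe walk from each root dependency and returns
// the sorted set of marked identifiers.
func MarkedFrom(g Graph, roots []string) []string {
	marked := map[string]bool{}
	for _, r := range roots {
		markRootPkgs(g, r, marked)
	}
	out := make([]string, 0, len(marked))
	for id := range marked {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

// HasCycle reports whether g contains a dependency cycle using a three-colour
// DFS: the zero value is unvisited, grey nodes are on the current path, black
// nodes are finished. A graph that trips this is one the naive walk never
// returns from.
func HasCycle(g Graph) bool {
	const (
		grey  = 1
		black = 2
	)
	colour := map[string]int{}
	var visit func(string) bool
	visit = func(id string) bool {
		switch colour[id] {
		case grey:
			return true // back edge to a node still on the path
		case black:
			return false
		}
		colour[id] = grey
		for _, dep := range g[id].Deps {
			if visit(dep) {
				return true
			}
		}
		colour[id] = black
		return false
	}
	for id := range g {
		if visit(id) {
			return true
		}
	}
	return false
}

// Constructed sample graphs; the names are illustrative only.
var (
	acyclicRoots = []string{"vue@3.4.0", "axios@1.6.0"}
	acyclicGraph = Graph{
		"vue@3.4.0":         {ID: "vue@3.4.0", Deps: []string{"@vue/shared@3.4.0"}},
		"@vue/shared@3.4.0": {ID: "@vue/shared@3.4.0"},
		"axios@1.6.0":       {ID: "axios@1.6.0"},
	}
	cyclicRoots = []string{"foo@1.0.0"}
	cyclicGraph = Graph{
		"foo@1.0.0": {ID: "foo@1.0.0", Deps: []string{"bar@1.0.0"}},
		"bar@1.0.0": {ID: "bar@1.0.0", Deps: []string{"baz@2.0.0", "foo@1.0.0"}},
		"baz@2.0.0": {ID: "baz@2.0.0"},
	}
)

func main() {
	fmt.Println("acyclic: cycle =", HasCycle(acyclicGraph), "marked =", MarkedFrom(acyclicGraph, acyclicRoots))
	fmt.Println("cyclic:  cycle =", HasCycle(cyclicGraph), "marked =", MarkedFrom(cyclicGraph, cyclicRoots))
}
```

The visited check is the whole fix: a walk that expands each node once is linear in the size of the graph regardless of cycles, whereas the naive version's recursion depth is bounded only by the length of the path it follows, which on a cycle is unbounded. Running HasCycle over a graph built from a lock file is a cheap way to find inputs that would trigger the crash in a parser without that check.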
shino commented 1 month ago

@MaineK00n How about skipping this version?

dependabot[bot] commented 1 month ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.