project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners
https://project-copacetic.github.io/copacetic/
Apache License 2.0

chore: bump github.com/aquasecurity/trivy from 0.51.4 to 0.52.1 #655

Closed dependabot[bot] closed 2 weeks ago

dependabot[bot] commented 3 weeks ago

Bumps github.com/aquasecurity/trivy from 0.51.4 to 0.52.1.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.52.1

Changelog

  • a3caf0658 release: v0.52.1 [release/v0.52] (#6877)
  • 01dbb42ae fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888)
  • f186d22bf fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881)
  • 093c0ae02 fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878)
  • 6bfda7602 Merge pull request #6879 from aquasecurity/backport-pr-6864-to-release/v0.52
  • 53850c8b2 docs: explain how VEX is applied (#6864)
  • 221196202 Merge pull request #6875 from aquasecurity/backport-pr-6857-to-release/v0.52
  • a614b693d fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)

v0.52.0

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6838

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.52.1 (2024-06-10)

Bug Fixes

  • nodejs: fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#6888) (01dbb42)
  • nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (a614b69)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#6878) (093c0ae)
  • sbom: don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#6881) (f186d22)

0.52.0 (2024-06-03)

Features

  • Add Julia language analyzer support (#5635) (fecafb1)
  • add support for plugin index (#6674) (26faf8f)
  • misconf: Add support for deprecating a check (#6664) (88702cf)
  • misconf: add Terraform 'removed' block to schema (#6640) (b7a0a13)
  • misconf: register builtin Rego funcs from trivy-checks (#6616) (7c22ee3)
  • misconf: resolve tf module from OpenTofu compatible registry (#6743) (ac74520)
  • misconf: support for VPC resources for inbound/outbound rules (#6779) (349caf9)
  • misconf: support symlinks inside of Helm archives (#6621) (4eae37c)
  • nodejs: add v9 pnpm lock file support (#6617) (1e08648)
  • plugin: specify plugin version (#6683) (d6dc567)
  • python: add license support for requirement.txt files (#6782) (29615be)
  • python: add line number support for requirement.txt files (#6729) (2bc54ad)
  • report: Include licenses and secrets filtered by rego to ModifiedFindings (#6483) (fa3cf99)
  • vex: improve relationship support in CSAF VEX (#6735) (a447f6b)
  • vex: support non-root components for products in OpenVEX (#6728) (9515695)

Bug Fixes

  • clean up golangci lint configuration (#6797) (62de6f3)
  • cli: always output fatal errors to stderr (#6827) (c2b9132)
  • close APKINDEX archive file (#6672) (5caf437)
  • close settings.xml (#6768) (9c3e895)
  • close testfile (#6830) (aa0c413)
  • conda: add support pip deps for environment.yml files (#6675) (150a773)
  • go: add only non-empty root modules for gobinaries (#6710) (c96f2a5)
  • go: include only .version|.ver (no prefixes) ldflags for gobinaries (#6705) (afb4f9d)
  • Golang version parsing from binaries w/GOEXPERIMENT (#6696) (696f2ae)
  • include packages unless it is not needed (#6765) (56dbe1f)
  • misconf: don't shift ignore rule related to code (#6708) (39a746c)
  • misconf: skip Rego errors with a nil location (#6638) (a2c522d)
  • misconf: skip Rego errors with a nil location (#6666) (a126e10)
  • node-collector high and critical cves (#6707) (ff32deb)
  • plugin: initialize logger (#6836) (728e77a)
  • python: add package name and version validation for requirements.txt files. (#6804) (ea3a124)

... (truncated)

Commits
  • a3caf06 release: v0.52.1 [release/v0.52] (#6877)
  • 01dbb42 fix(nodejs): fix infinite loop when package link from package-lock.json fil...
  • f186d22 fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: rel...
  • 093c0ae fix(python): compare pkg names from poetry.lock and pyproject.toml in low...
  • 6bfda76 Merge pull request #6879 from aquasecurity/backport-pr-6864-to-release/v0.52
  • 53850c8 docs: explain how VEX is applied (#6864)
  • 2211962 Merge pull request #6875 from aquasecurity/backport-pr-6857-to-release/v0.52
  • a614b69 fix(nodejs): fix infinity loops for pnpm with cyclic imports (#6857)
  • c24dfba release: v0.52.0 [main] (#6809)
  • 728e77a fix(plugin): initialize logger (#6836)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

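The bump above only changes go.mod and go.sum, so the thing a reviewer actually wants to confirm is that go.sum ends up in the state a clean `go mod tidy` produces: both `h1:` lines for v0.52.1 (module zip and its go.mod), well-formed hashes, and no leftover lines for v0.51.4. The following Go program is an added example written for this page, not code from copacetic, Trivy or Dependabot. It parses a go.sum fragment and applies those three checks. The hashes and the second module path in the sample are constructed placeholders, not real checksums of any release.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// SumEntry is one go.sum line: "<module> <version>[/go.mod] h1:<base64 sha256>".
type SumEntry struct {
	Module  string
	Version string // "v0.52.1" for the module zip, "v0.52.1/go.mod" for its go.mod
	Hash    string
}

// Module and versions taken from the PR title.
const (
	trivyModule = "github.com/aquasecurity/trivy"
	oldVer      = "v0.51.4"
	newVer      = "v0.52.1"
)

// fakeH1 is a CONSTRUCTED placeholder (base64 of 32 zero bytes), not a real
// checksum; real values come from the Go checksum database via the go command.
var fakeH1 = "h1:" + strings.Repeat("A", 43) + "="

// sampleGoSum is a CONSTRUCTED go.sum fragment as it should look after the bump
// and `go mod tidy`. "example.com/other" is a hypothetical second dependency.
var sampleGoSum = strings.Join([]string{
	trivyModule + " " + newVer + " " + fakeH1,
	trivyModule + " " + newVer + "/go.mod " + fakeH1,
	"example.com/other v1.2.3 " + fakeH1,
	"example.com/other v1.2.3/go.mod " + fakeH1,
}, "\n") + "\n"

// ParseGoSum splits go.sum text into entries; each non-blank line must have exactly three fields.
func ParseGoSum(text string) ([]SumEntry, error) {
	var out []SumEntry
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("go.sum line %d: want 3 fields, got %d", n, len(f))
		}
		out = append(out, SumEntry{Module: f[0], Version: f[1], Hash: f[2]})
	}
	return out, sc.Err()
}

// validH1 accepts only "h1:" followed by base64 that decodes to exactly 32 bytes,
// the SHA-256 dirhash form the go command writes.
func validH1(h string) bool {
	if !strings.HasPrefix(h, "h1:") {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(h, "h1:"))
	return err == nil && len(raw) == 32
}

// CheckBump verifies a completed bump of module from `from` to `to`: both h1 lines
// for `to` must be present and well-formed, and no line for `from` may remain
// (a leftover means `go mod tidy` was skipped or the old version is still required).
func CheckBump(entries []SumEntry, module, from, to string) error {
	var haveZip, haveMod bool
	for _, e := range entries {
		if e.Module != module {
			continue
		}
		switch e.Version {
		case from, from + "/go.mod":
			return fmt.Errorf("stale go.sum line for %s %s; run `go mod tidy`", module, e.Version)
		case to, to + "/go.mod":
			if !validH1(e.Hash) {
				return fmt.Errorf("malformed hash for %s %s: %q", module, e.Version, e.Hash)
			}
			if e.Version == to {
				haveZip = true
			} else {
				haveMod = true
			}
		}
	}
	if !haveZip || !haveMod {
		return fmt.Errorf("go.sum lacks h1 lines for %s %s (zip=%t, go.mod=%t)", module, to, haveZip, haveMod)
	}
	return nil
}

func main() {
	entries, err := ParseGoSum(sampleGoSum)
	if err != nil {
		panic(err)
	}
	if err := CheckBump(entries, trivyModule, oldVer, newVer); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Printf("ok: %s %s has both h1 lines and %s is gone\n", trivyModule, newVer, oldVer)
}
```

To run it against a real checkout, replace `sampleGoSum` with the contents of the repository's go.sum; a stale v0.51.4 line or a missing `/go.mod` line for v0.52.1 is reported as an error rather than silently passing.
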
dependabot[bot] commented 3 weeks ago

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

ashnamehrotra commented 3 weeks ago

@dependabot rebase

dependabot[bot] commented 2 weeks ago

Superseded by #666.