project-copacetic / copacetic

🧵 CLI tool for directly patching container images using reports from vulnerability scanners
https://project-copacetic.github.io/copacetic/
Apache License 2.0
843 stars, 57 forks

chore: bump github.com/aquasecurity/trivy from 0.51.4 to 0.53.0 #684

Open dependabot[bot] opened 6 days ago

dependabot[bot] commented 6 days ago

Bumps github.com/aquasecurity/trivy from 0.51.4 to 0.53.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.53.0

Changelog

  • c55b0e6ca release: v0.53.0 [main] (#6855)
  • 654217a65 feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b5b fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)
  • 55ccd06df feat: add memory cache backend (#7048)
  • 14d71ba63 fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b85 feat(php): add installed.json file support (#4865)
  • 4f8b3996e docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c91642 fix: use embedded when command path not found (#7037)
  • 9e4927ee1 chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02bab8 refactor: use google/wire for cache (#7024)
  • e9fc3e339 fix(cli): show info message only when --scanners is available (#7032)
  • 0ccdbfbb6 chore: enable float-compare rule from testifylint (#6967)
  • 9045f2445 docs: Add sudo on commands, chmod before mv on install docs (#7009)
  • 3d02a31b4 fix(plugin): respect --insecure (#7022)
  • 8d618e48a feat(k8s)!: node-collector dynamic commands support (#6861)
  • a76e3286c fix(sbom): take pkg name from purl for maven pkgs (#7008)
  • eb636c1b3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.4 to 1.7.5 (#7018)
  • 8d0ae1f5d feat!: add clean subcommand (#6993)
  • de201dc77 chore: use ! for breaking changes (#6994)
  • 979e118a9 feat(aws)!: Remove aws subcommand (#6995)
  • 648ead955 refactor: replace global cache directory with parameter passing (#6986)
  • 7eabb92ec fix(sbom): use purl for bitnami pkg names (#6982)
  • 333087c9e chore: bump Go toolchain version (#6984)
  • 6dff4223e refactor: unify cache implementations (#6977)
  • 9dc8a2ba6 docs: non-packaged and sbom clarifications (#6975)
  • b58d42dc9 BREAKING(aws): Deprecate trivy aws as subcmd in favour of a plugin (#6819)
  • 6469d37cc docs: delete unknown URL (#6972)
  • 30bcb9535 refactor: use version-specific URLs for documentation references (#6966)
  • e493fc931 refactor: delete db mock (#6940)
  • 983ac15f2 ci: add depguard (#6963)
  • dfe757e37 refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)
  • f144e912d feat: Add local ImageID to SARIF metadata (#6522)
  • 5ee4e9d30 fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
  • f18d035ae feat(java): add support for sbt projects using sbt-dependency-lock (#6882)
  • 1f8fca1fc feat(java): add support for maven-metadata.xml files for remote snapshot repositories. (#6950)
  • 2d85a003b fix(purl): add missed os types (#6955)
  • 417212e09 fix(cyclonedx): trim non-URL info for advisory.url (#6952)
  • 38b35dd3c fix(c): don't skip conan files from file-patterns and scan .conan2 cache dir (#6949)
  • eb6d0d977 ci: correctly handle categories (#6943)
  • 0af5730cb fix(image): parse image.inspect.Created field only for non-empty values (#6948)
  • c3192f061 fix(misconf): handle source prefix to ignore (#6945)
  • ec68c9ab4 fix(misconf): fix parsing of engine links and frameworks (#6937)
  • bc3741ae2 feat(misconf): support of selectors for all providers for Rego (#6905)
  • 735aadf2d ci: don't run tests for release-please PRs (#6936)
  • 52f7aa54b fix(license): return license separation using separators ,, or, etc. (#6916)
  • d77d9ce38 ci: use ubuntu-latest-m runner (#6918)
  • 55fa6109c feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)
  • cd360dde2 BREAKING(misconf): flatten recursive types (#6862)

... (truncated)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.53.0 (2024-07-01)

⚠ BREAKING CHANGES

  • k8s: node-collector dynamic commands support (#6861)
  • add clean subcommand (#6993)
  • aws: Remove aws subcommand (#6995)

Features

  • add clean subcommand (#6993) (8d0ae1f)
  • Add local ImageID to SARIF metadata (#6522) (f144e91)
  • add memory cache backend (#7048) (55ccd06)
  • aws: Remove aws subcommand (#6995) (979e118)
  • conda: add licenses support for environment.yml files (#6953) (654217a)
  • dart: use first version of constraint for dependencies using SDK version (#6239) (042d6b0)
  • image: Set User-Agent header for Trivy container registry requests (#6868) (9b31697)
  • java: add support for maven-metadata.xml files for remote snapshot repositories. (#6950) (1f8fca1)
  • java: add support for sbt projects using sbt-dependency-lock (#6882) (f18d035)
  • k8s: node-collector dynamic commands support (#6861) (8d618e4)
  • misconf: add metadata to Cloud schema (#6831) (02d5404)
  • misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) (55fa610)
  • misconf: API Gateway V1 support for CloudFormation (#6874) (8491469)
  • misconf: support of selectors for all providers for Rego (#6905) (bc3741a)
  • php: add installed.json file support (#4865) (edc556b)
  • plugin: add support for nested archives (#6845) (622c67b)
  • sbom: migrate to CycloneDX v1.6 (#6903) (09e50ce)

Bug Fixes

  • c: don't skip conan files from file-patterns and scan .conan2 cache dir (#6949) (38b35dd)
  • cli: show info message only when --scanners is available (#7032) (e9fc3e3)
  • cyclonedx: trim non-URL info for advisory.url (#6952) (417212e)
  • debian: take installed files from the origin layer (#6849) (089b953)
  • image: parse image.inspect.Created field only for non-empty values (#6948) (0af5730)
  • license: return license separation using separators ,, or, etc. (#6916) (52f7aa5)
  • misconf: fix caching of modules in subdirectories (#6814) (0bcfedb)
  • misconf: fix parsing of engine links and frameworks (#6937) (ec68c9a)
  • misconf: handle source prefix to ignore (#6945) (c3192f0)
  • misconf: parsing numbers without fraction as int (#6834) (8141a13)
  • nodejs: fix infinite loop when package link from package-lock.json file is broken (#6858) (cf5aa33)
  • nodejs: fix infinity loops for pnpm with cyclic imports (#6857) (7d083bc)
  • plugin: respect --insecure (#7022) (3d02a31)
  • purl: add missed os types (#6955) (2d85a00)
  • python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#6852) (faa9d92)
  • sbom: don't overwrite srcEpoch when decoding SBOM files (#6866) (04af59c)
  • sbom: fix panic when scanning SBOM file without root component into SBOM format (#7051) (3d4ae8b)
  • sbom: take pkg name from purl for maven pkgs (#7008) (a76e328)

... (truncated)

Commits
  • c55b0e6 release: v0.53.0 [main] (#6855)
  • 654217a feat(conda): add licenses support for environment.yml files (#6953)
  • 3d4ae8b fix(sbom): fix panic when scanning SBOM file without root component into SBOM...
  • 55ccd06 feat: add memory cache backend (#7048)
  • 14d71ba fix(sbom): use package UIDs for uniqueness (#7042)
  • edc556b feat(php): add installed.json file support (#4865)
  • 4f8b399 docs: ✨ Updated ecosystem docs with reference to new community app (#7041)
  • 137c916 fix: use embedded when command path not found (#7037)
  • 9e4927e chore(deps): bump trivy-kubernetes version (#7012)
  • 4be02ba refactor: use google/wire for cache (#7024)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)