chore(deps): update dependency aquasecurity/trivy-operator to v0.22.0

uniget-bot commented 6 days ago

This PR contains the following updates:

Package	Update	Change
aquasecurity/trivy-operator	minor	`0.21.3` -> `0.22.0`

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

aquasecurity/trivy-operator (aquasecurity/trivy-operator)

### [`v0.22.0`](https://togithub.com/aquasecurity/trivy-operator/releases/tag/v0.22.0) [Compare Source](https://togithub.com/aquasecurity/trivy-operator/compare/v0.21.3...v0.22.0) Ref to Release Notes [#2169](https://togithub.com/aquasecurity/trivy-operator/issues/2169) #### Changelog ##### ✨ Notable Changes ✨ - [`1d4ec56`](https://togithub.com/aquasecurity/trivy-operator/commit/1d4ec56cd7d70a041b82f9b26925beb918ee5396): feat: dynamic compliance reports ([#2160](https://togithub.com/aquasecurity/trivy-operator/issues/2160)) ([@chen-keinan](https://togithub.com/chen-keinan)) ##### 🐛 Notable Fixes 🐛 - [`ec93a42`](https://togithub.com/aquasecurity/trivy-operator/commit/ec93a422fa3b75e69227c4e1b0ad475cdcca30bc): fix: Prevent grouped vulnerability entries by including target and package path ([#2140](https://togithub.com/aquasecurity/trivy-operator/issues/2140)) ([@kersten](https://togithub.com/kersten)) - [`5d266cf`](https://togithub.com/aquasecurity/trivy-operator/commit/5d266cfb4c9b643446c2262160c5d5f04b95f651): fix: helm param gcr service account auth ([#2108](https://togithub.com/aquasecurity/trivy-operator/issues/2108)) ([@chen-keinan](https://togithub.com/chen-keinan)) - [`181ebae`](https://togithub.com/aquasecurity/trivy-operator/commit/181ebaebf8453074467fce1852cafd377ec8e6cc): fix: update olm defaults ([#2138](https://togithub.com/aquasecurity/trivy-operator/issues/2138)) ([@chen-keinan](https://togithub.com/chen-keinan)) ##### 📝 Documentation 📝 - [`3448c9e`](https://togithub.com/aquasecurity/trivy-operator/commit/3448c9e33f50d36ddb66b3ccdd2a9b43991afad4): docs: add section on importing the Grafana dashboard using the Grafana Helm Chart ([#2155](https://togithub.com/aquasecurity/trivy-operator/issues/2155)) ([@maritiren](https://togithub.com/maritiren)) ##### 🔧 Miscellaneous 🔧 - [`74a7d44`](https://togithub.com/aquasecurity/trivy-operator/commit/74a7d449edf6ec8d17564eb9af309180c2e6e376): chore: bump github.com/hashicorp/go-getter-v1.7.5 ([#2162](https://togithub.com/aquasecurity/trivy-operator/issues/2162)) ([@chen-keinan](https://togithub.com/chen-keinan)) - [`d7f3484`](https://togithub.com/aquasecurity/trivy-operator/commit/d7f34845cc3a1d2b195fe665f5c4069474ee9e31): chore: make operator policies-config optional ([#2152](https://togithub.com/aquasecurity/trivy-operator/issues/2152)) ([@chen-keinan](https://togithub.com/chen-keinan)) ##### 👷 Other work 👷 - [`1c035b0`](https://togithub.com/aquasecurity/trivy-operator/commit/1c035b0e5253929aa8ba880805df2c05bce4943c): build(deps): bump github.com/aquasecurity/trivy from 0.52.0 to 0.52.2 ([#2149](https://togithub.com/aquasecurity/trivy-operator/issues/2149)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`d135915`](https://togithub.com/aquasecurity/trivy-operator/commit/d135915a2ec5a4c6a1c6ed34cfa62cbfb71910fc): build(deps): bump github.com/aws/aws-sdk-go from 1.53.14 to 1.53.19 ([#2133](https://togithub.com/aquasecurity/trivy-operator/issues/2133)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`08afd7f`](https://togithub.com/aquasecurity/trivy-operator/commit/08afd7f5b4660d447ce959edcccb582bf3f91f58): build(deps): bump github.com/aws/aws-sdk-go from 1.53.19 to 1.54.6 ([#2157](https://togithub.com/aquasecurity/trivy-operator/issues/2157)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`d6632d9`](https://togithub.com/aquasecurity/trivy-operator/commit/d6632d93bc2e583fc089ee1cb2019feec60db86e): build(deps): bump github.com/aws/aws-sdk-go from 1.54.6 to 1.54.11 ([#2164](https://togithub.com/aquasecurity/trivy-operator/issues/2164)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`19bf370`](https://togithub.com/aquasecurity/trivy-operator/commit/19bf3707bdc9300d36535bf558cf2127117d8a22): build(deps): bump github.com/google/go-containerregistry ([#2145](https://togithub.com/aquasecurity/trivy-operator/issues/2145)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`20acccc`](https://togithub.com/aquasecurity/trivy-operator/commit/20acccc0d1998e219bb93eeda91ebf42ecef0880): build(deps): bump golang.org/x/net from 0.25.0 to 0.26.0 ([#2131](https://togithub.com/aquasecurity/trivy-operator/issues/2131)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`886550d`](https://togithub.com/aquasecurity/trivy-operator/commit/886550d755478cdafa59e2d17fef448aa1c930cd): build(deps): bump golang.org/x/text from 0.15.0 to 0.16.0 ([#2129](https://togithub.com/aquasecurity/trivy-operator/issues/2129)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`bb9a08d`](https://togithub.com/aquasecurity/trivy-operator/commit/bb9a08dea082e9555b7df1a9f2ca7eb73aaad4e5): build(deps): bump goreleaser/goreleaser-action from 5 to 6 ([#2128](https://togithub.com/aquasecurity/trivy-operator/issues/2128)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`fbf4a75`](https://togithub.com/aquasecurity/trivy-operator/commit/fbf4a757ef7bab93282d85c942b3cec95458eea8): build(deps): bump k8s.io/apiextensions-apiserver from 0.30.1 to 0.30.2 ([#2156](https://togithub.com/aquasecurity/trivy-operator/issues/2156)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`8bc9854`](https://togithub.com/aquasecurity/trivy-operator/commit/8bc985499a4fcf7a88bea8bf185400158a4a8d9d): build(deps): bump k8s.io/cli-runtime from 0.30.1 to 0.30.2 ([#2148](https://togithub.com/aquasecurity/trivy-operator/issues/2148)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`2479a90`](https://togithub.com/aquasecurity/trivy-operator/commit/2479a90b8b00279ecd69df3d14a19e80141f84aa): build(deps): bump k8s.io/client-go from 0.30.1 to 0.30.2 ([#2146](https://togithub.com/aquasecurity/trivy-operator/issues/2146)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`d9924b1`](https://togithub.com/aquasecurity/trivy-operator/commit/d9924b155a3c38fb232d4813790dd2b036e6b081): build(deps): bump sigs.k8s.io/controller-runtime from 0.18.3 to 0.18.4 ([#2130](https://togithub.com/aquasecurity/trivy-operator/issues/2130)) ([@dependabot](https://togithub.com/dependabot)\[bot]) - [`af05935`](https://togithub.com/aquasecurity/trivy-operator/commit/af0593548364a980363024dfbfecd673c4d4cad0): fix typos ([#2154](https://togithub.com/aquasecurity/trivy-operator/issues/2154)) ([@maritiren](https://togithub.com/maritiren))

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

github-actions[bot] commented 6 days ago

:mag: Vulnerabilities of `ghcr.io/uniget-org/tools/trivy-operator:0.22.0`

:package: Image Reference ghcr.io/uniget-org/tools/trivy-operator:0.22.0

digest	`sha256:e2158be6d18c0e7b6c18bcc9cb5f7c9848d741720d3db0f892807cc87fc56bff`
vulnerabilities
platform	linux/amd64
size	35 MB
packages	336

github.com/aws/aws-sdk-go 1.54.6 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.54.6

Affected range	`>=0`
Fixed version	Not Fixed

Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

Affected range	`>=0`
Fixed version	Not Fixed

Description

The Go AWS S3 Crypto SDK contains vulnerabilities that can permit an attacker with write access to a bucket to decrypt files in that bucket. Files encrypted by the V1 EncryptionClient using either the AES-CBC content cipher or the KMS key wrap algorithm are vulnerable. Users should migrate to the V1 EncryptionClientV2 API, which will not create vulnerable files. Old files will remain vulnerable until re-encrypted with the new client.

k8s.io/apiserver 0.30.2 (golang)

pkg:golang/k8s.io/apiserver@0.30.2

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<1.15.10`
Fixed version	`1.15.10, 1.16.7, 1.17.3`
CVSS Score	`4.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`

Description

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

stdlib 1.22.4 (golang)

pkg:golang/stdlib@1.22.4

Affected range	`>=1.22.0-0 <1.22.5`
Fixed version	`1.22.5`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

github-actions[bot] commented 6 days ago

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/9797588055.

github-actions[bot] commented 6 days ago

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/9797588055.

uniget-org / tools