{"affected":[{"ecosystem_specific":{"binaries":[{"trivy":"0.54.1-bp155.2.3.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP5","name":"trivy","purl":"pkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.54.1-bp155.2.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"trivy":"0.54.1-bp155.2.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.5","name":"trivy","purl":"pkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.54.1-bp155.2.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"\ntrivy was updated to fix the following issues:\n\nUpdate to version 0.54.1:\n\n* fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285)\n* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)\n* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)\n* docs: update ecosystem page reporting with plopsec.com app (#7262)\n* feat(vex): retrieve VEX attestations from OCI registries (#7249)\n* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)\n* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)\n* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)\n* chore: show VEX notice for OSS maintainers in CI environments (#7246)\n* feat(vuln): add `--pkg-relationships` (#7237)\n* docs: show VEX cli pages + update config file page for VEX flags (#7244)\n* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)\n* feat(vex): VEX Repository support (#7206)\n* fix(secret): skip regular strings contain secret patterns (#7182)\n* feat: share build-in rules (#7207)\n* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)\n* fix(cli): error on missing config file (#7154)\n* fix(secret): update length of `hugging-face-access-token` (#7216)\n* feat(sbom): add vulnerability support for SPDX formats (#7213)\n* fix(secret): trim excessively long lines (#7192)\n* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)\n* fix(server): pass license categories to options (#7203)\n* feat(mariner): Add support for Azure Linux (#7186)\n* docs: updates config file (#7188)\n* refactor(fs): remove unused field for CompositeFS (#7195)\n* fix: add missing platform and type to spec (#7149)\n* feat(misconf): enabled China configuration for ACRs (#7156)\n* fix: close file when failed to open gzip (#7164)\n* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)\n* docs(misconf): add info about limitations for terraform plan json (#7143)\n* chore: add VEX for Trivy images (#7140)\n* chore: add VEX document and generator for Trivy  (#7128)\n* fix(misconf): do not evaluate TF when a load error occurs (#7109)\n* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)\n* refactor(secret): move warning about file size after `IsBinary` check (#7123)\n* feat: add openSUSE tumbleweed detection and scanning (#6965)\n* test: add missing advisory details for integration tests database (#7122)\n* fix: Add dependencyManagement exclusions to the child exclusions (#6969)\n* fix: ignore nodes when listing permission is not allowed (#7107)\n* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)\n* refactor(secret): add warning about large files (#7085)\n* feat(nodejs): add license parser to pnpm analyser (#7036)\n* refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074)\n* feat: add `log.FilePath()` function for logger (#7080)\n* chore: bump golangci-lint from v1.58 to v1.59 (#7077)\n* perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065)\n* refactor: pass DB dir to trivy-db (#7057)\n* docs: navigate to the release highlights and summary (#7072)\n\nUpdate to version 0.53.0 (bsc#1227022, CVE-2024-6257):\n\n* feat(conda): add licenses support for `environment.yml` files (#6953)\n* fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051)\n* feat: add memory cache backend (#7048)\n* fix(sbom): use package UIDs for uniqueness (#7042)\n* feat(php): add installed.json file support (#4865)\n* docs: ✨ Updated ecosystem docs with reference to new community app (#7041)\n* fix: use embedded when command path not found (#7037)\n* refactor: use google/wire for cache (#7024)\n* fix(cli): show info message only when --scanners is available (#7032)\n* chore: enable float-compare rule from testifylint (#6967)\n* docs: Add sudo on commands, chmod before mv on install docs (#7009)\n* fix(plugin): respect `--insecure` (#7022)\n* feat(k8s)!: node-collector dynamic commands support (#6861)\n* fix(sbom): take pkg name from `purl` for maven pkgs (#7008)\n* feat!: add clean subcommand (#6993)\n* chore: use `!` for breaking changes (#6994)\n* feat(aws)!: Remove aws subcommand (#6995)\n* refactor: replace global cache directory with parameter passing (#6986)\n* fix(sbom): use `purl` for `bitnami` pkg names (#6982)\n* chore: bump Go toolchain version (#6984)\n* refactor: unify cache implementations (#6977)\n* docs: non-packaged and sbom clarifications (#6975)\n* BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819)\n* docs: delete unknown URL (#6972)\n* refactor: use version-specific URLs for documentation references (#6966)\n* refactor: delete db mock (#6940)\n* refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726)\n* feat: Add local ImageID to SARIF metadata (#6522)\n* fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)\n* feat(java): add support for sbt projects using sbt-dependency-lock (#6882)\n* feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950)\n* fix(purl): add missed os types (#6955)\n* fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)\n* fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949)\n* fix(image): parse `image.inspect.Created` field only for non-empty values (#6948)\n* fix(misconf): handle source prefix to ignore (#6945)\n* fix(misconf): fix parsing of engine links and frameworks (#6937)\n* feat(misconf): support of selectors for all providers for Rego (#6905)\n* fix(license): return license separation using separators  `,`, `or`, etc. (#6916)\n* feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755)\n* BREAKING(misconf): flatten recursive types (#6862)\n* test: bump docker API to 1.45  (#6914)\n* feat(sbom): migrate to `CycloneDX v1.6` (#6903)\n* feat(image): Set User-Agent header for Trivy container registry requests (#6868)\n* fix(debian): take installed files from the origin layer (#6849)\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858)\n* feat(misconf): API Gateway V1 support for CloudFormation (#6874)\n* feat(plugin): add support for nested archives (#6845)\n* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)\n* fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)\n* chore: auto label discussions (#5259)\n* docs: explain how VEX is applied (#6864)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n* feat(dart): use first version of constraint for dependencies using SDK version (#6239)\n* fix(misconf): parsing numbers without fraction as int (#6834)\n* fix(misconf): fix caching of modules in subdirectories (#6814)\n* feat(misconf): add metadata to Cloud schema (#6831)\n* test: replace embedded Git repository with dynamically created repository (#6824)\n\nUpdate to version 0.52.2:\n\n* test: bump docker API to 1.45  [backport: release/v0.52] (#6922)\n* fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)\n\nUpdate to version 0.52.1:\n\n* fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)\n* fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)\n* fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)\n* docs: explain how VEX is applied (#6864)\n* fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)\n\nUpdate to version 0.52.0 (bsc#1224781, CVE-2024-35192):\n\n* fix(plugin): initialize logger (#6836)\n* fix(cli): always output fatal errors to stderr (#6827)\n* fix: close testfile (#6830)\n* docs(julia): add scanner table (#6826)\n* feat(python): add license support for `requirement.txt` files (#6782)\n* docs: add more workarounds for out-of-disk (#6821)\n* chore: improve error message for image not found (#6822)\n* fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808)\n* fix: clean up golangci lint configuration (#6797)\n* fix(python): add package name and version validation for `requirements.txt` files. (#6804)\n* feat(vex): improve relationship support in CSAF VEX (#6735)\n* chore(alpine): add eol date for Alpine 3.20 (#6800)\n* docs(plugin): add missed `plugin` section (#6799)\n* fix: include packages unless it is not needed (#6765)\n* feat(misconf): support for VPC resources for inbound/outbound rules (#6779)\n* chore: replace interface{} with any (#6751)\n* fix: close settings.xml (#6768)\n* refactor(go): add priority for gobinary module versions from `ldflags` (#6745)\n* build: use main package instead of main.go (#6766)\n* feat(misconf): resolve tf module from OpenTofu compatible registry (#6743)\n* docs: add info on adding compliance checks (#6275)\n* docs: Add documentation for contributing additional checks to the trivy policies repo (#6234)\n* feat(nodejs): add v9 pnpm lock file support (#6617)\n* feat(vex): support non-root components for products in OpenVEX (#6728)\n* feat(python): add line number support for `requirement.txt` files (#6729)\n* chore: respect timeout value in .golangci.yaml (#6724)\n* fix: node-collector high and critical cves (#6707)\n* Merge pull request from GHSA-xcq4-m2r3-cmrj\n* chore: auto-bump golang patch versions (#6711)\n* fix(misconf): don't shift ignore rule related to code (#6708)\n* feat(plugin): specify plugin version (#6683)\n* chore: enforce golangci-lint version (#6700)\n* fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)\n* fix(go): add only non-empty root modules for `gobinaries` (#6710)\n* refactor: unify package addition and vulnerability scanning (#6579)\n* fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)\n* feat(misconf): Add support for deprecating a check (#6664)\n* feat: Add Julia language analyzer support (#5635)\n* feat(misconf): register builtin Rego funcs from trivy-checks (#6616)\n* fix(report): hide empty tables if all vulns has been filtered (#6352)\n* feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483)\n* feat: add support for plugin index (#6674)\n* docs: add support table for client server mode (#6498)\n* fix: close APKINDEX archive file (#6672)\n* fix(misconf): skip Rego errors with a nil location (#6666)\n* refactor: move artifact types under artifact package to avoid import cycles (#6652)\n* refactor(misconf): remove extrafs (#6656)\n* refactor: re-define module structs for serialization (#6655)\n* chore(misconf): Clean up iac logger (#6642)\n* feat(misconf): support symlinks inside of Helm archives (#6621)\n* feat(misconf): add Terraform 'removed' block to schema (#6640)\n* refactor: unify Library and Package structs (#6633)\n* fix: use of specified context to obtain cluster name (#6645)\n* perf(misconf): parse rego input once (#6615)\n* fix(misconf): skip Rego errors with a nil location (#6638)\n* docs: link warning to both timeout config options (#6620)\n* docs: fix usage of image-config-scanners (#6635)\n\nUpdate to version 0.51.1:\n\n* fix(fs): handle default skip dirs properly (#6628)\n* fix(misconf): load cached tf modules (#6607)\n* fix(misconf): do not use semver for parsing tf module versions (#6614)\n* refactor: move setting scanners when using compliance reports to flag parsing (#6619)\n* feat: introduce package UIDs for improved vulnerability mapping (#6583)\n* perf(misconf): Improve cause performance (#6586)\n* docs: trivy-k8s new experiance remove un-used section (#6608)\n* docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)\n* feat(misconf): Use updated terminology for misconfiguration checks (#6476)\n* docs: use `generic` link from `trivy-repo` (#6606)\n* docs: update trivy k8s with new experience (#6465)\n* feat: support `--skip-images` scanning flag (#6334)\n* BREAKING: add support for k8s `disable-node-collector` flag (#6311)\n* feat: add ubuntu 23.10 and 24.04 support (#6573)\n* docs(go): add stdlib (#6580)\n* feat(go): parse main mod version from build info settings (#6564)\n* feat: respect custom exit code from plugin (#6584)\n* docs: add asdf and mise installation method (#6063)\n* feat(vuln): Handle scanning conan v2.x lockfiles (#6357)\n* feat: add support `environment.yaml` files (#6569)\n* fix: close plugin.yaml (#6577)\n* fix: trivy k8s avoid deleting non-default node collector namespace  (#6559)\n* BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)\n* feat(go): add main module (#6574)\n* feat: add relationships (#6563)\n* docs: mention `--show-suppressed` is available in table (#6571)\n* chore: fix sqlite to support loong64 (#6511)\n* fix(debian): sort dpkg info before parsing due to exclude directories (#6551)\n* docs: update info about config file (#6547)\n* docs: remove RELEASE_VERSION from trivy.repo (#6546)\n* fix(sbom): change error to warning for multiple OSes (#6541)\n* fix(vuln): skip empty versions (#6542)\n* feat(c): add license support for conan lock files (#6329)\n* fix(terraform): Attribute and fileset fixes (#6544)\n* refactor: change warning if no vulnerability details are found (#6230)\n* refactor(misconf): improve error handling in the Rego scanner (#6527)\n* feat(go): parse main module of go binary files (#6530)\n* refactor(misconf): simplify the retrieval of module annotations (#6528)\n* docs(nodejs): add info about supported versions of pnpm lock files (#6510)\n* feat(misconf): loading embedded checks as a fallback (#6502)\n* fix(misconf): Parse JSON k8s manifests properly (#6490)\n* refactor: remove parallel walk (#5180)\n* fix: close pom.xml (#6507)\n* fix(secret): convert severity for custom rules (#6500)\n* fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)\n* fix: typo (#6283)\n* docs(k8s,image): fix command-line syntax issues (#6403)\n* fix(misconf): avoid panic if the scheme is not valid (#6496)\n* feat(image): goversion as stdlib (#6277)\n* fix: add color for error inside of log message (#6493)\n* docs: fix links to OPA docs (#6480)\n* refactor: replace zap with slog (#6466)\n* docs: update links to IaC schemas (#6477)\n* chore: bump Go to 1.22 (#6075)\n* refactor(terraform): sync funcs with Terraform (#6415)\n* feat(misconf): add helm-api-version and helm-kube-version flag (#6332)\n* fix(terraform): eval submodules (#6411)\n* refactor(terraform): remove unused options (#6446)\n* refactor(terraform): remove unused file (#6445)\n* fix(misconf): Escape template value correctly (#6292)\n* feat(misconf): add support for wildcard ignores (#6414)\n* fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)\n* refactor(terraform): remove metrics collection (#6444)\n* feat(cloudformation): add support for logging and endpoint access for EKS (#6440)\n* fix(db): check schema version for image name only (#6410)\n* feat(misconf): Support private registries for misconf check bundle (#6327)\n* feat(cloudformation): inline ignore support for YAML templates (#6358)\n* feat(terraform): ignore resources by nested attributes (#6302)\n* perf(helm): load in-memory files (#6383)\n* feat(aws): apply filter options to result (#6367)\n* feat(aws): quiet flag support (#6331)\n* fix(misconf): clear location URI for SARIF (#6405)\n* test(cloudformation): add CF tests (#6315)\n* fix(cloudformation): infer type after resolving a function (#6406)\n* fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)\n* docs: add info about support for package license detection in `fs`/`repo` modes (#6381)\n* fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)\n* fix: use `0600` perms for tmp files for post analyzers (#6386)\n* fix(helm): scan the subcharts once (#6382)\n* docs(terraform): add file patterns for Terraform Plan (#6393)\n* fix(terraform): сhecking SSE encryption algorithm validity (#6341)\n* fix(java): parse modules from `pom.xml` files once (#6312)\n* fix(server): add Locations for `Packages` in client/server mode (#6366)\n* fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)\n* fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)\n* chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)\n* feat(java): add support licenses and graph for gradle lock files (#6140)\n* feat(vex): consider root component for relationships (#6313)\n* fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)\n* chore: updates wazero to v1.7.0 (#6301)\n* feat(sbom): Support license detection for SBOM scan (#6072)\n* refactor(sbom): use intermediate representation for SPDX (#6310)\n* docs(terraform): improve documentation for filtering by inline comments (#6284)\n* fix(terraform): fix policy document retrieval (#6276)\n* refactor(terraform): remove unused custom error (#6303)\n* refactor(sbom): add intermediate representation for BOM (#6240)\n* fix(amazon): check only major version of AL to find advisories (#6295)\n* fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)\n* fix(nodejs): add name validation for package name from `package.json`  (#6268)\n* docs: Added install instructions for FreeBSD (#6293)\n* feat(image): customer podman host or socket option (#6256)\n* feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)\n* fix(license): reorder logic of how python package licenses are acquired (#6220)\n* test(terraform): skip cached modules (#6281)\n* feat(secret): Support for detecting Hugging Face Access Tokens (#6236)\n* fix(cloudformation): support of all SSE algorithms for s3 (#6270)\n* feat(terraform): Terraform Plan snapshot scanning support (#6176)\n* fix: typo function name and comment optimization (#6200)\n* fix(java): don't ignore runtime scope for pom.xml files (#6223)\n* fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)\n* test(k8s): use test-db for k8s integration tests (#6222)\n* fix(terraform): fix root module search (#6160)\n* test(parser): squash test data for yarn (#6203)\n* fix(terraform): do not re-expand dynamic blocks (#6151)\n* docs: update ecosystem page reporting with db app (#6201)\n* fix: k8s summary separate infra and user finding results (#6120)\n* fix: add context to target finding on k8s table view (#6099)\n* fix: Printf format err (#6198)\n* refactor: better integration of the parser into Trivy (#6183)\n* feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)\n* fix(vex): CSAF filtering should consider relationships (#5923)\n* refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)\n* feat(vuln): ignore vulnerabilities by PURL (#6178)\n* feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)\n* feat(k8s): rancher rke2 version support (#5988)\n* docs: update kbom distribution for scanning (#6019)\n* chore: update CODEOWNERS (#6173)\n* fix(swift): try to use branch to resolve version (#6168)\n* fix(terraform): ensure consistent path handling across OS (#6161)\n* fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)\n* fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)\n* docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)\n* docs: update template path for gitlab-ci tutorial (#6144)\n* feat(report): support for filtering licenses and secrets via rego policy files (#6004)\n* fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)\n* docs: add SecObserve in CI/CD and reporting (#6139)\n* fix(alpine): exclude empty licenses for apk packages (#6130)\n* docs: add docs tutorial on custom policies with rego (#6104)\n* fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)\n* feat(vuln): show suppressed vulnerabilities in table (#6084)\n* docs: rename governance to principles (#6107)\n* docs: add governance (#6090)\n* feat(java): add dependency location support for `gradle` files (#6083)\n* fix(misconf): get `user` from `Config.User` (#6070)\n\nUpdate to version 0.49.1:\n\n* fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)\n* docs: Fix broken link to 'pronunciation' (#6057)\n* fix: fix cursor usage in Redis Clear function (#6056)\n* fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)\n* test: fix flaky `TestDockerEngine` (#6054)\n* fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982)\n* fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843)\n* feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285)\n* docs: add note about Bun (#6001)\n* fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)\n* fix: check returned error before deferring f.Close() (#6007)\n* feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990)\n* feat(vuln): enable `--vex` for all targets (#5992)\n* docs: update link to data sources (#6000)\n* feat(java): add support for line numbers for pom.xml files (#5991)\n* refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)\n* docs: Update troubleshooting guide with image not found error (#5983)\n* style: update band logos (#5968)\n* docs: update cosign tutorial and commands, update kyverno policy (#5929)\n* docs: update command to scan go binary (#5969)\n* fix: handle non-parsable images names (#5965)\n* fix(amazon): save system files for pkgs containing `amzn` in src (#5951)\n* fix(alpine): Add EOL support for alpine 3.19. (#5938)\n* feat: allow end-users to adjust K8S client QPS and burst (#5910)\n* fix(nodejs): find licenses for packages with slash (#5836)\n* fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922)\n* fix: ignore no init containers (#5939)\n* docs: Fix documentation of ecosystem (#5940)\n* docs(misconf): multiple ignores in comment (#5926)\n* fix(secret): find aws secrets ending with a comma or dot (#5921)\n* docs: ✨ Updated ecosystem docs with reference to new community app (#5918)\n* fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630)\n* feat(vex): add PURL matching for CSAF VEX (#5890)\n* fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901)\n* revert(report): don't escape new line characters for sarif format (#5897)\n* docs: improve filter by rego (#5402)\n* docs: add_scan2html_to_trivy_ecosystem (#5875)\n* fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888)\n* feat(vex): Add support for CSAF format (#5535)\n* feat(python): parse licenses from dist-info folder (#4724)\n* feat(nodejs): add yarn alias support (#5818)\n* refactor: propagate time through context values (#5858)\n* refactor: move PkgRef under PkgIdentifier (#5831)\n* fix(cyclonedx): fix unmarshal for licenses (#5828)\n* feat(vuln): include pkg identifier on detected vulnerabilities (#5439)\n\nUpdate to version 0.48.1:\n\n* fix(bitnami): use a different comparer for detecting vulnerabilities (#5633)\n* refactor(sbom): disable html escaping for CycloneDX (#5764)\n* refactor(purl): use `pub` from `package-url` (#5784)\n* docs(python): add note to using `pip freeze` for `compatible releases` (#5760)\n* fix(report): use OS information for OS packages purl in `github` template (#5783)\n* fix(report): fix error if miconfigs are empty (#5782)\n* refactor(vuln): don't remove VendorSeverity in JSON report (#5761)\n* fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767)\n* docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746)\n* fix(report): update Gitlab template (#5721)\n* feat(secret): add support of GitHub fine-grained tokens (#5740)\n* fix(misconf): add an image misconf to result (#5731)\n* feat(secret): added support of Docker registry credentials (#5720)\n\nUpdate to version 0.48.0:\n\n* feat: filter k8s core components vuln results (#5713)\n* feat(vuln): remove duplicates in Fixed Version (#5596)\n* feat(report): output plugin (#4863)\n* docs: typo in modules.md (#5712)\n* feat: Add flag to configure node-collector image ref (#5710)\n* feat(misconf): Add `--misconfig-scanners` option (#5670)\n* chore: bump Go to 1.21 (#5662)\n* feat: Packagesprops support (#5605)\n* docs: update adopters discussion template (#5632)\n* docs: terraform tutorial links updated to point to correct loc (#5661)\n* fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)\n* fix(nodejs): support protocols for dependency section in yarn.lock files (#5612)\n* fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618)\n* docs: Update Arch Linux package URL in installation.md (#5619)\n* chore: add prefix to image errors (#5601)\n* docs(vuln): fix link anchor (#5606)\n* docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608)\n* fix: k8s friendly error messages kbom non cluster scans (#5594)\n* feat: set InstalledFiles for DEB and RPM packages (#5488)\n* fix(report): use time.Time for CreatedAt (#5598)\n* test: retry containerd initialization (#5597)\n* feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550)\n* test: mock VM walker (#5589)\n* chore: bump node-collector v0.0.9 (#5591)\n* feat(misconf): Add support for `--cf-params` for CFT (#5507)\n* feat(flag): replace '--slow' with '--parallel' (#5572)\n* fix(report): add escaping for Sarif format (#5568)\n* chore: show a deprecation notice for `--scanners config` (#5587)\n* feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)\n* test: mock RPM DB (#5567)\n* feat: add aliases to '--scanners' (#5558)\n* refactor: reintroduce output writer (#5564)\n* chore: not load plugins for auto-generating docs (#5569)\n* chore: sort supported AWS services (#5570)\n* fix: no schedule toleration (#5562)\n* fix(cli): set correct `scanners` for `k8s` target (#5561)\n* fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533)\n* refactor(misconf): Update refactored dependencies (#5245)\n* feat(secret): add built-in rule for JWT tokens (#5480)\n* fix: trivy k8s parse ecr image with arn (#5537)\n* fix: fail k8s resource scanning (#5529)\n* refactor(misconf): don't remove Highlighted in json format (#5531)\n* docs(k8s): fix link in kubernetes.md (#5524)\n* docs(k8s): fix whitespace in list syntax (#5525)\n\nUpdate to version 0.47.0:\n\n* docs: add info that license scanning supports file-patterns flag (#5484)\n* docs: add Zora integration into Ecosystem session (#5490)\n* fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)\n* fix: correct error mismatch causing race in fast walks (#5516)\n* docs: k8s vulnerability scanning (#5515)\n* docs: remove glad for java datasources (#5508)\n* chore: remove unused logger attribute in amazon detector (#5476)\n* fix: correct error mismatch causing race in fast walks (#5482)\n* fix(server): add licenses to `BlobInfo` message (#5382)\n* feat: scan vulns on k8s core component apps (#5418)\n* fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470)\n* fix(sbom): save digests for package/application when scanning SBOM files (#5432)\n* docs: fix the broken link (#5454)\n* docs: fix error when installing `PyYAML` for gh pages (#5462)\n* fix(java): download java-db once (#5442)\n* docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419)\n* feat(misconf): Support `--ignore-policy` in config scans (#5359)\n* docs(misconf): fix broken table for `Use container image` section (#5425)\n* feat(dart): add graph support (#5374)\n* refactor: define a new struct for scan targets (#5397)\n* fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399)\n* fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393)\n* docs: remove --scanners none (#5384)\n* docs: Update container_image.md #5182 (#5193)\n* feat(report): Add `InstalledFiles` field to Package (#4706)\n* feat(k8s): add support for vulnerability detection (#5268)\n* fix(python): override BOM in `requirements.txt` files (#5375)\n* docs: add kbom documentation (#5363)\n* test: use maximize build space for VM tests (#5362)\n* fix(report): add escaping quotes in misconfig Title for asff template (#5351)\n* fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342)\n* fix: add config files to FS for post-analyzers (#5333)\n* fix: fix MIME warnings after updating to Go 1.20 (#5336)\n* build: fix a compile error with Go 1.21 (#5339)\n* feat: added `Metadata` into the k8s resource's scan report (#5322)\n* chore: update adopters template (#5330)\n* fix(sbom): use PURL or Group and Name in case of Java  (#5154)\n* docs: add buildkite repository to ecosystem page (#5316)\n* chore: enable go-critic (#5302)\n* close java-db client (#5273)\n* fix(report): removes git::http from uri in sarif (#5244)\n* Improve the meaning of  sentence (#5301)\n* add app nil check (#5274)\n* typo: in secret.md (#5281)\n* docs: add info about `github` format (#5265)\n* feat(dotnet): add license support for NuGet (#5217)\n* docs: correctly export variables (#5260)\n* chore: Add line numbers for lint output (#5247)\n* chore(cli): disable java-db flags in server mode (#5263)\n* feat(db): allow passing registry options (#5226)\n* refactor(purl): use TypeApk from purl (#5232)\n* chore: enable more linters (#5228)\n* Fix typo on ide.md (#5239)\n* refactor: use defined types (#5225)\n* fix(purl): skip local Go packages (#5190)\n* docs: update info about license scanning in Yarn projects (#5207)\n* fix link (#5203)\n* fix(purl): handle rust types (#5186)\n* chore: auto-close issues (#5177)\n* fix(k8s): kbom support addons labels (#5178)\n* test: validate SPDX with the JSON schema (#5124)\n* chore: bump trivy-kubernetes-latest (#5161)\n* docs: add 'Signature Verification' guide (#4731)\n* docs: add image-scanner-with-trivy for ecosystem (#5159)\n* fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158)\n* Update filtering.md (#5131)\n* chaging adopters discussion tempalte (#5091)\n* docs: add Bitnami (#5078)\n* feat(docker): add support for scanning Bitnami components (#5062)\n* feat: add support for .trivyignore.yaml (#5070)\n* fix(terraform): improve detection of terraform files (#4984)\n* feat: filter artifacts on --exclude-owned flag (#5059)\n* fix(sbom): cyclonedx advisory should omit `null` value (#5041)\n* build: maximize build space for build tests (#5072)\n* feat: improve kbom component name (#5058)\n* fix(pom): add licenses for pom artifacts (#5071)\n* chore: bump Go to `1.20` (#5067)\n* feat: PURL matching with qualifiers in OpenVEX (#5061)\n* feat(java): add graph support for pom.xml (#4902)\n* feat(swift): add vulns for cocoapods (#5037)\n* fix: support image pull secret for additional workloads (#5052)\n* fix: #5033 Superfluous double quote in html.tpl (#5036)\n* docs(repo): update trivy repo usage and example (#5049)\n* perf: Optimize Dockerfile for reduced layers and size (#5038)\n* feat: scan K8s Resources Kind with --all-namespaces (#5043)\n* fix: vulnerability typo (#5044)\n* docs: adding a terraform tutorial to the docs (#3708)\n* feat(report): add licenses to sarif format (#4866)\n* feat(misconf): show the resource name in the report (#4806)\n* chore: update alpine base images (#5015)\n* feat: add Package.resolved swift files support (#4932)\n* feat(nodejs): parse licenses in yarn projects (#4652)\n* fix: k8s private registries support (#5021)\n* bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018)\n* feat(vuln): support last_affected field from osv (#4944)\n* feat(server): add version endpoint (#4869)\n* feat: k8s private registries support (#4987)\n* fix(server): add indirect prop to package (#4974)\n* docs: add coverage (#4954)\n* feat(c): add location for lock file dependencies. (#4994)\n* docs: adding blog post on ec2 (#4813)\n* revert 32bit bins (#4977)\n\nUpdate to version 0.44.1:\n\n* fix(report): return severity colors in table format (#4969)\n* build: maximize available disk space for release (#4937)\n* test(cli): Fix assertion helptext (#4966)\n* test: validate CycloneDX with the JSON schema (#4956)\n* fix(server): add licenses to the Result message (#4955)\n* fix(aws): resolve endpoint if endpoint is passed (#4925)\n* fix(sbom): move licenses to `name` field in Cyclonedx format (#4941)\n* use testify instead of gotest.tools (#4946)\n* fix(nodejs): do not detect lock file in node_modules as an app (#4949)\n* bump go-dep-parser (#4936)\n* test(aws): move part of unit tests to integration (#4884)\n* docs(cli): update help string for file and dir skipping (#4872)\n* docs: update the discussion template (#4928)\n\n Update to version 0.44.0:\n\n* feat(repo): support local repositories (#4890)\n* bump go-dep-parser (#4893)\n* fix(misconf): add missing fields to proto (#4861)\n* fix: remove trivy-db package replacement (#4877)\n* chore(test): bump the integration test timeout to 15m (#4880)\n* chore: update CODEOWNERS (#4871)\n* feat(vuln): support vulnerability status (#4867)\n* feat(misconf): Support custom URLs for policy bundle (#4834)\n* refactor: replace with sortable packages (#4858)\n* docs: correct license scanning sample command (#4855)\n* fix(report): close the file (#4842)\n* feat(misconf): Add support for independently enabling libraries (#4070)\n* feat(secret): add secret config file for cache calculation (#4837)\n* Fix a link in gitlab-ci.md (#4850)\n* fix(flag): use globalstar to skip directories (#4854)\n* fix(license): using common way for splitting licenses (#4434)\n* fix(containerd): Use img platform in exporter instead of strict host platform (#4477)\n* remove govulndb (#4783)\n* fix(java): inherit licenses from parents (#4817)\n* refactor: add allowed values for CLI flags (#4800)\n* add example regex to allow rules (#4827)\n* feat(misconf): Support custom data for rego policies for cloud (#4745)\n* docs: correcting the trivy k8s tutorial (#4815)\n* feat(cli): add --tf-exclude-downloaded-modules flag (#4810)\n* fix(sbom): cyclonedx recommendations should include fixed versions for each package (#4794)\n* feat(misconf): enable --policy flag to accept directory and files both (#4777)\n* feat(python): add license fields (#4722)\n* fix: support trivy k8s-version on k8s sub-command (#4786)\n\nUpdate to version 0.43.1:\n\n* docs(image): fix the comment on the soft/hard link (#4740)\n* check Type when filling pkgs in vulns (#4776)\n* feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)\n* fix(rocky): add architectures support for advisories (#4691)\n* fix: documentation about reseting trivy image (#4733)\n* fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)\n* fix: update Amazon Linux 1 EOL (#4761)\n\nUpdate to version 0.43.0:\n\n* feat(nodejs): support yarn workspaces (#4664)\n* fix(image): pass the secret scanner option to scan the img config (#4735)\n* fix: scan job pod it not found on k8s-1.27.x (#4729)\n* feat(docker): add support for mTLS authentication when connecting to registry (#4649)\n* fix: skip scanning the gpg-pubkey package (#4720)\n* Fix http registry oci pull (#4701)\n* feat(misconf): Support skipping services (#4686)\n* docs: fix supported modes for pubspec.lock files (#4713)\n* fix(misconf): disable the terraform plan analyzer for other scanners (#4714)\n* clarifying a dir path is required for custom policies (#4716)\n* chore: update alpine base images (#4715)\n* fix last-history-created (#4697)\n* feat: kbom and cyclonedx v1.5 spec support (#4708)\n* docs: add information about Aqua (#4590)\n* fix: k8s escape resource filename on windows os (#4693)\n* feat: cyclondx sbom custom property support (#4688)\n* add SUSE Linux Enterprise Server 15 SP5 and update SP4 eol date (#4690)\n* use group field for jar in cyclonedx (#4674)\n* feat(java): capture licenses from pom.xml (#4681)\n* feat(helm): make sessionAffinity configurable (#4623)\n* fix: Show the correct URL of the secret scanning (#4682)\n* document expected file pattern definition format (#4654)\n* fix: format arg error (#4642)\n* feat(k8s): cyclonedx kbom support (#4557)\n* fix(nodejs): remove unused fields for the pnpm lockfile (#4630)\n* fix(vm): update ext4-filesystem parser for parse multi block extents (#4616)\n* fix(debian): update EOL for Debian 12 (#4647)\n* chore: unnecessary use of fmt.Sprintf (S1039) (#4637)\n* fix(db): change argument order in Exists query for JavaDB (#4595)\n* feat(aws): Add support to see successes in results (#4427)\n* feat: trivy k8s private registry support (#4567)\n* docs: add general coverage page (#3859)\n* chore: create SECURITY.md (#4601)\n\nUpdate to version 0.42.1:\n\n* fix(misconf): deduplicate misconf results (#4588)\n* fix(vm): support sector size of 4096 (#4564)\n* fix(misconf): terraform relative paths (#4571)\n* fix(purl): skip unsupported library type (#4577)\n* fix(terraform): recursively detect all Root Modules (#4457)\n* fix(vm): support post analyzer for vm command (#4544)\n* fix(nodejs): change the type of the devDependencies field (#4560)\n* fix(sbom): export empty dependencies in CycloneDX (#4568)\n* refactor: add composite fs for post-analyzers (#4556)\n* feat: add SBOM analyzer (#4210)\n* fix(sbom): update logic for work with files in spdx format (#4513)\n* feat: azure workload identity support (#4489)\n* feat(ubuntu): add eol date for 18.04 ESM (#4524)\n* fix(misconf): Update required extensions for terraformplan (#4523)\n* refactor(cyclonedx): add intermediate representation (#4490)\n* fix(misconf): Remove debug print while scanning (#4521)\n* fix(java): remove duplicates of jar libs (#4515)\n* fix(java): fix overwriting project props in pom.xml (#4498)\n* docs: Update compilation instructions (#4512)\n* fix(nodejs): update logic for parsing pnpm lock files (#4502)\n*  fix(secret): remove aws-account-id rule (#4494)\n* feat(oci): add support for referencing an input image by digest (#4470)\n* docs: fixed the format (#4503)\n* fix(java): add support of * for exclusions for pom.xml files (#4501)\n* feat: adding issue template for documentation (#4453)\n* docs: switch glad to ghsa for Go (#4493)\n* feat(misconf): Add terraformplan support (#4342)\n* feat(debian): add digests for dpkg (#4445)\n* feat(k8s): exclude node scanning by node labels (#4459)\n* docs: add info about multi-line mode for regexp from custom secret rules (#4159)\n* feat(cli): convert JSON reports into a different format (#4452)\n* feat(image): add logic to guess base layer for docker-cis scan (#4344)\n* fix(cyclonedx): set original names for packages (#4306)\n* feat: group subcommands (#4449)\n* feat(cli): add retry to cache operations (#4189)\n* fix(vuln): report architecture for `apk` packages (#4247)\n* refactor: enable cases where return values are not needed in pipeline (#4443)\n* fix(image): resolve scan deadlock when error occurs in slow mode (#4336)\n* docs(misconf): Update docs for kubernetes file patterns (#4435)\n* test: k8s integration tests (#4423)\n* feat(redhat): add package digest for rpm (#4410)\n* feat(misconf): Add `--reset-policy-bundle` for policy bundle (#4167)\n* fix: typo (#4431)\n* add user instruction to imgconf (#4429)\n* fix(k8s): add image sources (#4411)\n* docs(scanning): Add versioning banner (#4415)\n* feat(cli): add mage command to update golden integration test files (#4380)\n* feat: node-collector custom namespace support (#4407)\n* refactor(sbom): use multiline json for spdx-json format (#4404)\n* fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)\n* refactor: code-optimization (#4214)\n* feat(image): Add image-src flag to specify which runtime(s) to use (#4047)\n*  test: skip wrong update of test golden files (#4379)\n* refactor: don't return error for package.json without version/name (#4377)\n* docs: cmd  error (#4376)\n* test(cli): add test for config file and env combination (#2666)\n* fix(report): set a correct file location for license scan output (#4326)\n* chore(alpine): Update Alpine to 3.18 (#4351)\n* fix(alpine): add EOL date for Alpine 3.18 (#4308)\n* feat: allow root break for mapfs (#4094)\n* docs(misconf): Remove examples.md (#4256)\n* fix(ubuntu): update eol dates for Ubuntu (#4258)\n* feat(alpine): add digests for apk packages (#4168)\n* chore: add discussion templates (#4190)\n* fix(terraform): Support tfvars (#4123)\n* chore: separate docs:generate (#4242)\n* refactor: define vulnerability scanner interfaces (#4117)\n* feat: unified k8s scan resources (#4188)\n* chore: trivy bin ignore (#4212)\n* feat(image): enforce image platform (#4083)\n* fix(ubuntu): fix version selection logic for ubuntu esm (#4171)\n* chore: install.sh support for windows (#4155)\n* docs: moving skipping files out of others (#4154)\n\nUpdate to version 0.41.0:\n\n* fix(spdx): add workaround for no src packages (#4118)\n* test(golang): rename broken go.mod (#4129)\n* feat(sbom): add supplier field (#4122)\n* test(misconf): skip downloading of policies for tests #4126\n* refactor: use debug message for post-analyze errors (#4037)\n* feat(sbom): add VEX support (#4053)\n* feat(sbom): add primary package purpose field for SPDX (#4119)\n* fix(k8s): fix quiet flag (#4120)\n* fix(python): parse of pip extras (#4103)\n* feat(java): use full path for nested jars (#3992)\n* feat(license): add new flag for classifier confidence level (#4073)\n* feat: config and fs compliance support (#4097)\n* feat(spdx): add support for SPDX 2.3 (#4058)\n* fix: k8s all-namespaces support (#4096)\n* perf(misconf): replace with post-analyzers (#4090)\n* fix(helm): update networking API version detection (#4106)\n* feat(image): custom docker host option (#3599)\n* style: debug flag is incorrect and needs extra - (#4087)\n* docs(vuln): Document inline vulnerability filtering comments (#4024)\n* feat(fs): customize error callback during fs walk (#4038)\n* fix(ubuntu): skip copyright files from subfolders (#4076)\n* docs: restructure scanners (#3977)\n* fix: fix `file does not exist` error for post-analyzers (#4061)\n\nUpdate to version 0.40.0:\n\n* feat(flag): Support globstar for `--skip-files` and `--skip-directories` (#4026)\n* fix: return insecure option to download javadb (#4064)\n* fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)\n* fix(k8s): current context title (#4055)\n* fix(k8s): quit support on k8s progress bar (#4021)\n* chore: add a note about Dockerfile.canary (#4050)\n* fix(vuln): report architecture for debian packages (#4032)\n* feat: add support for Chainguard's commercial distro (#3641)\n* fix(vuln): fix error message for remote scanners (#4031)\n* feat(report): add image metadata to SARIF (#4020)\n* docs: fix broken cache link on Installation page (#3999)\n* fix: lock downloading policies and database (#4017)\n* fix: avoid concurrent access to the global map (#4014)\n* feat(rust): add Cargo.lock v3 support (#4012)\n* feat: auth support oci download server subcommand (#4008)\n* chore: install.sh support for armv7 (#3985)\n\nUpdate to version 0.39.1:\n\n* fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)\n* fix(sbom): fix infinite loop for cyclonedx (#3998)\n* fix: use warning for errors from enrichment files for post-analyzers (#3972)\n* fix(helm): added annotation to psp configurable from values (#3893)\n* fix(secret): update built-in rule `tests`  (#3855)\n* test: rewrite scripts in Go (#3968)\n* docs(cli): Improve glob documentation (#3945)\n\nUpdate to version 0.39.0:\n\n* docs(cli): added makefile and go file to create docs (#3930)\n* feat(cyclonedx): support dependency graph (#3177)\n* feat(server): redis with public TLS certs support (#3783)\n* feat(flag): Add glob support to `--skip-dirs` and `--skip-files`  (#3866)\n* chore: replace make with mage (#3932)\n* fix(sbom): add checksum to files (#3888)\n* chore: remove unused mount volumes (#3927)\n* feat: add auth support for downloading OCI artifacts (#3915)\n* refactor(purl): use epoch in qualifier (#3913)\n* feat(image): add registry options (#3906)\n* feat(rust): dependency tree and line numbers support for cargo lock file (#3746)\n* feat(php): add support for location, licenses and graph for composer.lock files (#3873)\n* feat(image): discover SBOM in OCI referrers (#3768)\n* docs: change cache-dir key in config file (#3897)\n* fix(sbom): use release and epoch for SPDX package version (#3896)\n* docs: Update incorrect comment for skip-update flag (#3878)\n* refactor(misconf): simplify policy filesystem (#3875)\n* feat(nodejs): parse package.json alongside yarn.lock (#3757)\n* fix(spdx): add PkgDownloadLocation field (#3879)\n* chore(amazon): update EOL (#3876)\n* fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)\n* feat(amazon): add al2023 support (#3854)\n* docs(misconf): Add information about selectors (#3703)\n* docs(cli): update CLI docs with cobra (#3815)\n* feat: k8s parallel processing (#3693)\n* docs: add DefectDojo in the Security Management section (#3871)\n* refactor: add pipeline (#3868)\n* feat(cli): add javadb metadata to version info (#3835)\n* feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)\n* feat: add node toleration option (#3823)\n* fix: allow mapfs to open dirs (#3867)\n* fix(report): update uri only for os class targets (#3846)\n* feat(nodejs): Add v3 npm lock file support (#3826)\n* feat(nodejs): parse package.json files alongside package-lock.json (#2916)\n* docs(misconf): Fix links to built in policies (#3841)\n\nUpdate to version 0.38.3:\n\n  from 1.86.1 to 1.89.1\n* fix(java): skip empty files for jar post analyzer\n* fix(docker): build healthcheck command for line without\n  /bin/sh prefix\n* refactor(license): use goyacc for license parser (#3824)\n  23.0.0-rc.1+incompatible to 23.0.1+incompatible\n* fix: populate timeout context to node-collector\n* fix: exclude node collector scanning (#3771)\n* fix: display correct flag in error message when skipping\n  java db update #3808\n* fix: disable jar analyzer for scanners other than vuln (#3810)\n* fix(sbom): fix incompliant license format for spdx (#3335)\n* fix(java): the project props take precedence over the\n  parent's props (#3320)\n* docs: add canary build info to README.md (#3799)\n* docs: adding link to gh token generation (#3784)\n* docs: changing docs in accordance with #3460 (#3787)\n\nUpdate to version 0.38.2:\n\n* fix(license): disable jar analyzer for licence scan only (#3780)\n* bump trivy-issue-action to v0.0.0; skip `pkg` dir (#3781)\n* fix: skip checking dirs for required post-analyzers (#3773)\n* docs: add information about plugin format (#3749)\n* fix(sbom): add trivy version to spdx creators tool field (#3756)\n\nUpdate to version 0.38.1:\n\n* feat(misconf): Add support to show policy bundle version (#3743)\n* fix(python): fix error with optional dependencies in pyproject.toml (#3741)\n* add id for package.json files (#3750)\n\nUpdate to version 0.38.0:\n\n* fix(cli): pass integer to exit-on-eol (#3716)\n* feat: add kubernetes pss compliance (#3498)\n* feat: Adding --module-dir and --enable-modules (#3677)\n* feat: add special IDs for filtering secrets (#3702)\n* docs(misconf): Add guide on input schema (#3692)\n* feat(go): support dependency graph and show only direct dependencies in the tree (#3691)\n* feat: docker multi credential support (#3631)\n* feat: summarize vulnerabilities in compliance reports (#3651)\n* feat(python): parse pyproject.toml alongside poetry.lock (#3695)\n* feat(python): add dependency tree for poetry lock file (#3665)\n* fix(cyclonedx): incompliant affect ref (#3679)\n* chore(helm): update skip-db-update environment variable (#3657)\n* fix(spdx): change CreationInfo timestamp format RFC3336Nano to RFC3336 (#3675)\n* fix(sbom): export empty dependencies in CycloneDX (#3664)\n* docs: java-db air-gap doc tweaks (#3561)\n* feat(go): license support (#3683)\n* feat(ruby): add dependency tree/location support for Gemfile.lock (#3669)\n* fix(k8s): k8s label size (#3678)\n* fix(cyclondx): fix array empty value, null to [] (#3676)\n* refactor: rewrite gomod analyzer as post-analyzer (#3674)\n* feat: config outdated-api result filtered by k8s version (#3578)\n* fix: Update to Alpine 3.17.2 (#3655)\n* feat: add support for virtual files (#3654)\n* feat: add post-analyzers (#3640)\n* feat(python): add dependency locations for Pipfile.lock (#3614)\n* fix(java): fix groupID selection by ArtifactID for jar files. (#3644)\n* fix(aws): Adding a fix for update-cache flag that is not applied on AWS scans. (#3619)\n* feat(cli): add command completion (#3061)\n* docs(misconf): update dockerfile link (#3627)\n* feat(flag): add exit-on-eosl option (#3423)\n* fix(cli): make java db repository configurable (#3595)\n* chore: bump trivy-kubernetes (#3613)\n  ","id":"openSUSE-SU-2024:0268-1","modified":"2024-08-30T08:00:39Z","published":"2024-08-30T08:00:39Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/6XAQOEGAUMX4BBTNYDJHKA4H3VD5H2PQ/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224781"},{"type":"REPORT","url":"https://bugzilla.suse.com/1227022"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-42363"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-35192"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-6257"}],"related":["CVE-2023-42363","CVE-2024-35192","CVE-2024-6257"],"summary":"Security update for trivy","upstream":["CVE-2023-42363","CVE-2024-35192","CVE-2024-6257"]}