{"affected":[{"ecosystem_specific":{"binaries":[{"trivy":"0.58.2-bp156.2.6.1"}]},"package":{"ecosystem":"SUSE:Package Hub 15 SP6","name":"trivy","purl":"pkg:rpm/suse/trivy&distro=SUSE%20Package%20Hub%2015%20SP6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.58.2-bp156.2.6.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"trivy":"0.58.2-bp156.2.6.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.6","name":"trivy","purl":"pkg:rpm/opensuse/trivy&distro=openSUSE%20Leap%2015.6"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"0.58.2-bp156.2.6.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for trivy fixes the following issues:\n\n- Update to version 0.58.2 (boo#1234512, CVE-2024-45337, boo#1235265, CVE-2024-45338):\n  * fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)\n  * fix(suse): SUSE - update OSType constants and references for compatibility [backport: release/v0.58] (#8237)\n  * fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)\n  * fix(sbom): attach nested packages to Application [backport: release/v0.58] (#8168)\n  * fix(python): skip dev group's deps for poetry [backport: release/v0.58] (#8158)\n  * fix(sbom): use root package for `unknown` dependencies (if exists) [backport: release/v0.58] (#8156)\n  * chore(deps): bump `golang.org/x/net` from `v0.32.0` to `v0.33.0` [backport: release/v0.58] (#8142)\n  * chore(deps): bump `github.com/CycloneDX/cyclonedx-go` from `v0.9.1` to `v0.9.2` [backport: release/v0.58] (#8136)\n  * fix(redhat): correct rewriting of recommendations for the same vulnerability [backport: release/v0.58] (#8135)\n  * fix(oracle): add architectures support for advisories [backport: release/v0.58] (#8125)\n  * fix(sbom): fix wrong overwriting of applications obtained from different sbom files but having same app type [backport: release/v0.58] (#8124)\n  * chore(deps): bump 
golang.org/x/crypto from 0.30.0 to 0.31.0 [backport: release/v0.58] (#8122)\n  * fix: handle `BLOW_UNKNOWN` error to download DBs [backport: release/v0.58] (#8121)\n  * fix(java): correctly overwrite version from depManagement if dependency uses `project.*` props [backport: release/v0.58] (#8119)\n  * release: v0.58.0 [main] (#7874)\n  * fix(misconf): wrap AWS EnvVar to iac types (#7407)\n  * chore(deps): Upgrade trivy-checks (#8018)\n  * refactor(misconf): Remove unused options (#7896)\n  * docs: add terminology page to explain Trivy concepts (#7996)\n  * feat: add `workspaceRelationship` (#7889)\n  * refactor(sbom): simplify relationship generation (#7985)\n  * docs: improve databases documentation (#7732)\n  * refactor: remove support for custom Terraform checks (#7901)\n  * docs: drop AWS account scanning (#7997)\n  * fix(aws): change CPU and Memory type of ContainerDefinition to a string (#7995)\n  * fix(cli): Handle empty ignore files more gracefully (#7962)\n  * fix(misconf): load full Terraform module (#7925)\n  * fix(misconf): properly resolve local Terraform cache (#7983)\n  * refactor(k8s): add v prefix for Go packages (#7839)\n  * test: replace Go checks with Rego (#7867)\n  * feat(misconf): log causes of HCL file parsing errors (#7634)\n  * chore(deps): bump the aws group across 1 directory with 7 updates (#7991)\n  * chore(deps): bump github.com/moby/buildkit from 0.17.0 to 0.17.2 in the docker group across 1 directory (#7990)\n  * chore(deps): update csaf module dependency from csaf-poc to gocsaf (#7992)\n  * chore: downgrade the failed block expand message to debug (#7964)\n  * fix(misconf): do not erase variable type for child modules (#7941)\n  * feat(go): construct dependencies of `go.mod` main module in the parser (#7977)\n  * feat(go): construct dependencies in the parser (#7973)\n  * feat: add cvss v4 score and vector in scan response (#7968)\n  * docs: add `overview` page for `others` (#7972)\n  * fix(sbom): Fixes for Programming Language 
Vulnerabilities and SBOM Package Maintainer Details (#7871)\n  * feat(suse): Align SUSE/OpenSUSE OS Identifiers (#7965)\n  * chore(deps): bump the common group with 4 updates (#7949)\n  * feat(oracle): add `flavors` support (#7858)\n  * fix(misconf): Update trivy-checks default repo to `mirror.gcr.io` (#7953)\n  * chore(deps): Bump up trivy-checks to v1.3.0 (#7959)\n  * fix(k8s): check all results for vulnerabilities (#7946)\n  * ci(helm): bump Trivy version to 0.57.1 for Trivy Helm Chart 0.9.0 (#7945)\n  * feat(secret): Add built-in secrets rules for Private Packagist (#7826)\n  * docs: Fix broken links (#7900)\n  * docs: fix mistakes/typos (#7942)\n  * feat: Update registry fallbacks (#7679)\n  * fix(alpine): add `UID` for removed packages (#7887)\n  * chore(deps): bump the aws group with 6 updates (#7902)\n  * chore(deps): bump the common group with 6 updates (#7904)\n  * fix(debian): infinite loop (#7928)\n  * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files (#7912)\n  * docs: add note about temporary podman socket (#7921)\n  * docs: combine trivy.dev into trivy docs (#7884)\n  * test: change branch in spdx schema link to check in integration tests (#7935)\n  * docs: add Headlamp to the Trivy Ecosystem page (#7916)\n  * fix(report): handle `git@github.com` schema for misconfigs in `sarif` report (#7898)\n  * chore(k8s): enhance k8s scan log (#6997)\n  * fix(terraform): set null value as fallback for missing variables (#7669)\n  * fix(misconf): handle null properties in CloudFormation templates (#7813)\n  * fix(fs): add missing deferred Cleanup() call to post analyzer fs (#7882)\n  * chore(deps): bump the common group across 1 directory with 20 updates (#7876)\n  * chore: bump containerd to v2.0.0 (#7875)\n  * fix: Improve version comparisons when build identifiers are present (#7873)\n  * feat(k8s): add default commands for unknown platform (#7863)\n  * chore(deps): bump 
github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#7868)\n  * refactor(secret): optimize performance by moving ToLower operation outside loop (#7862)\n  * test: save `containerd` image into archive and use in tests (#7816)\n  * chore(deps): bump the github-actions group across 1 directory with 2 updates (#7854)\n  * chore: bump golangci-lint to v1.61.0 (#7853)\n\n- Update to version 0.57.1:\n  * release: v0.57.1 [release/v0.57] (#7943)\n  * feat: Update registry fallbacks [backport: release/v0.57] (#7944)\n  * fix(redhat): don't return error if `root/buildinfo/content_manifests/` contains files that are not `contentSets` files [backport: release/v0.57] (#7939)\n  * test: change branch in spdx schema link to check in integration tests [backport: release/v0.57] (#7940)\n  * release: v0.57.0 [main] (#7710)\n  * chore: lint `errors.Join` (#7845)\n  * feat(db): append errors (#7843)\n  * docs(java): add info about supported scopes (#7842)\n  * docs: add example of creating whitelist of checks (#7821)\n  * chore(deps): Bump trivy-checks (#7819)\n  * fix(go): Do not trim v prefix from versions in Go Mod Analyzer (#7733)\n  * fix(k8s): skip resources without misconfigs (#7797)\n  * fix(sbom):  use `Annotation` instead of `AttributionTexts` for `SPDX` formats (#7811)\n  * fix(cli): add config name to skip-policy-update alias (#7820)\n  * fix(helm): properly handle multiple archived dependencies (#7782)\n  * refactor(misconf): Deprecate `EXCEPTIONS` for misconfiguration scanning (#7776)\n  * fix(k8s)!: support k8s multi container (#7444)\n  * fix(k8s): support kubernetes v1.31 (#7810)\n  * docs: add Windows install instructions (#7800)\n  * ci(helm): auto public Helm chart after PR merged (#7526)\n  * feat: add end of life date for Ubuntu 24.10 (#7787)\n  * feat(report): update gitlab template to populate operating_system value (#7735)\n  * feat(misconf): Show misconfig ID in output (#7762)\n  * feat(misconf): export unresolvable field of IaC types to Rego (#7765)\n  * 
refactor(k8s): scan config files as a folder (#7690)\n  * fix(license): fix license normalization for Universal Permissive License (#7766)\n  * fix: enable usestdlibvars linter (#7770)\n  * fix(misconf): properly expand dynamic blocks (#7612)\n  * feat(cyclonedx): add file checksums to `CycloneDX` reports (#7507)\n  * fix(misconf): fix for Azure Storage Account network acls adaptation (#7602)\n  * refactor(misconf): simplify k8s scanner (#7717)\n  * feat(parser): ignore white space in pom.xml files (#7747)\n  * test: use forked images (#7755)\n  * fix(java): correctly inherit `version` and `scope` from upper/root `depManagement` and `dependencies` into parents (#7541)\n  * fix(misconf): check if property is not nil before conversion (#7578)\n  * fix(misconf): change default ACL of digitalocean_spaces_bucket to private (#7577)\n  * feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)\n  * test: define constants for test images (#7739)\n  * docs: add note about disabled DS016 check (#7724)\n  * feat(misconf): public network support for Azure Storage Account (#7601)\n  * feat(cli): rename `trivy auth` to `trivy registry` (#7727)\n  * docs: apt-transport-https is a transitional package (#7678)\n  * refactor(misconf): introduce generic scanner (#7515)\n  * fix(cli): `clean --all` deletes only relevant dirs (#7704)\n  * feat(cli): add `trivy auth` (#7664)\n  * fix(sbom): add options for DBs in private registries (#7660)\n  * docs(report): fix reporting doc format (#7671)\n  * fix(repo): `git clone` output to Stderr (#7561)\n  * fix(redhat): include arch in PURL qualifiers (#7654)\n  * fix(report): Fix invalid URI in SARIF report (#7645)\n  * docs(report): Improve SARIF reporting doc (#7655)\n  * fix(db): fix javadb downloading error handling (#7642)\n  * feat(cli): error out when ignore file cannot be found (#7624)\n\n- Update to version 0.56.2:\n  * release: v0.56.2 [release/v0.56] (#7694)\n  * fix(redhat): include arch in PURL qualifiers [backport: 
release/v0.56] (#7702)\n  * fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)\n\n- Update to version 0.56.1:\n  * release: v0.56.1 [release/v0.56] (#7648)\n  * fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)\n  * release: v0.56.0 [main] (#7447)\n  * fix(misconf): not to warn about missing selectors of libraries (#7638)\n  * feat: support RPM archives (#7628)\n  * fix(secret): change grafana token regex to find them without unquoted (#7627)\n  * fix(misconf): Disable deprecated checks by default (#7632)\n  * chore: add prefixes to log messages (#7625)\n  * feat(misconf): Support `--skip-*` for all included modules  (#7579)\n  * feat: support multiple DB repositories for vulnerability and Java DB (#7605)\n  * ci: don't use cache for `setup-go` (#7622)\n  * test: use loaded image names (#7617)\n  * feat(java): add empty versions if `pom.xml` dependency versions can't be detected (#7520)\n  * feat(secret): enhance secret scanning for python binary files (#7223)\n  * refactor: fix auth error handling (#7615)\n  * ci: split `save` and `restore` cache actions (#7614)\n  * fix(misconf): disable DS016 check for image history analyzer (#7540)\n  * feat(suse): added SUSE Linux Enterprise Micro support (#7294)\n  * feat(misconf): add ability to disable checks by ID (#7536)\n  * fix(misconf): escape all special sequences (#7558)\n  * test: use a local registry for remote scanning (#7607)\n  * fix: allow access to '..' in mapfs (#7575)\n  * fix(db): check `DownloadedAt` for `trivy-java-db` (#7592)\n  * chore(deps): bump the common group across 1 directory with 20 updates (#7604)\n  * ci: add `workflow_dispatch` trigger for test workflow. 
(#7606)\n  * ci: cache test images for `integration`, `VM` and `module` tests (#7599)\n  * chore(deps): remove broken replaces for opa and discovery (#7600)\n  * docs(misconf): Add more info on how to use arbitrary JSON/YAML scan feat (#7458)\n  * fix(misconf): Fixed scope for China Cloud (#7560)\n  * perf(misconf): use port ranges instead of enumeration (#7549)\n  * fix(sbom): export bom-ref when converting a package to a component (#7340)\n  * refactor(misconf): pass options to Rego scanner as is (#7529)\n  * fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)\n  * chore(deps): bump go-ebs-file (#7513)\n  * fix(misconf): Fix logging typo (#7473)\n  * feat(misconf): Register checks only when needed (#7435)\n  * refactor: split `.egg` and `packaging` analyzers (#7514)\n  * fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents (#7497)\n  * chore(vex): add `CVE-2024-34155`, `CVE-2024-34156` and `CVE-2024-34158` in `trivy.openvex.json` (#7510)\n  * chore(deps): bump alpine from 3.20.0 to 3.20.3 (#7508)\n  * chore(vex): suppress openssl vulnerabilities (#7500)\n  * revert(java): stop supporting of `test` scope for `pom.xml` files (#7488)\n  * docs(db): add a manifest example (#7485)\n  * feat(license): improve license normalization (#7131)\n  * docs(oci): Add a note About the expected Media Type for the Trivy-DB OCI Artifact (#7449)\n  * fix(report): fix error with unmarshal of `ExperimentalModifiedFindings` (#7463)\n  * fix(report): change a receiver of MarshalJSON (#7483)\n  * fix(oracle): Update EOL date for Oracle 7 (#7480)\n  * chore(deps): bump the aws group with 6 updates (#7468)\n  * chore(deps): bump the common group across 1 directory with 19 updates (#7436)\n  * chore(helm): bump up Trivy Helm chart (#7441)\n  * refactor(java): add error/statusCode for logs when we can't get pom.xml/maven-metadata.xml from remote repo (#7451)\n  * fix(license): stop splitting a long license text 
(#7336)\n  * release: v0.55.0 [main] (#7271)\n  * feat(go): use `toolchain` as `stdlib` version for `go.mod` files (#7163)\n  * fix(license): add license handling to JUnit template (#7409)\n  * feat(java): add `test` scope support for `pom.xml` files (#7414)\n  * chore(deps): Bump trivy-checks and pin OPA (#7427)\n  * fix(helm): explicitly define `kind` and `apiVersion` of `volumeClaimTemplate` element (#7362)\n  * feat(sbom): set User-Agent header on requests to Rekor (#7396)\n  * test: add integration plugin tests (#7299)\n  * fix(nodejs): check all `importers` to detect dev deps from pnpm-lock.yaml file (#7387)\n  * fix: logger initialization before flags parsing (#7372)\n  * fix(aws): handle ECR repositories in different regions (#6217)\n  * fix(misconf): fix infer type for null value (#7424)\n  * fix(secret): use `.eyJ` keyword for JWT secret (#7410)\n  * fix(misconf): do not recreate filesystem map (#7416)\n  * chore(deps): Bump trivy-checks (#7417)\n  * fix(misconf): do not register Rego libs in checks registry (#7420)\n  * fix(sbom): use `NOASSERTION` for licenses fields in SPDX formats (#7403)\n  * feat(report): export modified findings in JSON (#7383)\n  * feat(server): Make Trivy Server Multiplexer Exported (#7389)\n  * chore: update CODEOWNERS (#7398)\n  * fix(secret): use only line with secret for long secret lines (#7412)\n  * chore: fix allow rule of ignoring test files to make it case insensitive (#7415)\n  * feat(misconf): port and protocol support for EC2 networks (#7146)\n  * fix(misconf): do not filter Terraform plan JSON by name (#7406)\n  * feat(misconf): support for ignore by nested attributes (#7205)\n  * fix(misconf): use module to log when metadata retrieval fails (#7405)\n  * fix(report): escape `Message` field in `asff.tpl` template (#7401)\n  * feat(misconf): Add support for using spec from on-disk bundle (#7179)\n  * docs: add pkg flags to config file page (#7370)\n  * feat(python): use minimum version for pip packages (#7348)\n  * 
fix(misconf): support deprecating for Go checks (#7377)\n  * fix(misconf): init frameworks before updating them (#7376)\n  * feat(misconf): ignore duplicate checks (#7317)\n  * refactor(misconf): use slog (#7295)\n  * chore(deps): bump trivy-checks (#7350)\n  * feat(server): add internal `--path-prefix` flag for client/server mode (#7321)\n  * chore(deps): bump the aws group across 1 directory with 7 updates (#7358)\n  * fix: safely check if the directory exists (#7353)\n  * feat(misconf): variable support for Terraform Plan (#7228)\n  * feat(misconf): scanning support for YAML and JSON (#7311)\n  * fix(misconf): wrap Azure PortRange in iac types (#7357)\n  * refactor(misconf): highlight only affected rows (#7310)\n  * fix(misconf): change default TLS values for the Azure storage account (#7345)\n  * chore(deps): bump the common group with 9 updates (#7333)\n  * docs(misconf): Update callsites to use correct naming (#7335)\n  * docs: update air-gapped docs (#7160)\n  * refactor: replace ftypes.Gradle with packageurl.TypeGradle (#7323)\n  * perf(misconf): optimize work with context (#6968)\n  * docs: update links to packaging.python.org (#7318)\n  * docs: update client/server docs for misconf and license scanning (#7277)\n  * chore(deps): bump the common group across 1 directory with 7 updates (#7305)\n  * feat(misconf): iterator argument support for dynamic blocks (#7236)\n  * fix(misconf): do not set default value for default_cache_behavior (#7234)\n  * feat(misconf): support for policy and bucket grants (#7284)\n  * fix(misconf): load only submodule if it is specified in source (#7112)\n  * perf(misconf): use json.Valid to check validity of JSON (#7308)\n  * refactor(misconf): remove unused universal scanner (#7293)\n  * perf(misconf): do not convert contents of a YAML file to string (#7292)\n  * fix(terraform): add aws_region name to presets (#7184)\n  * docs: add auto-generated config (#7261)\n  * feat(vuln): Add `--detection-priority` flag for accuracy tuning 
(#7288)\n  * refactor(misconf): remove file filtering from parsers (#7289)\n  * fix(flag): incorrect behavior for deprecated flag `--clear-cache` (#7281)\n  * fix(java): Return error when trying to find a remote pom to avoid segfault (#7275)\n  * fix(plugin): do not call GitHub content API for releases and tags (#7274)\n  * feat(vm): support the Ext2/Ext3 filesystems (#6983)\n  * feat(cli)!: delete deprecated SBOM flags (#7266)\n  * feat(vm): Support direct filesystem (#7058)\n\n- Update to version 0.51.1 (boo#1227010, CVE-2024-3817):","id":"openSUSE-SU-2025:0056-1","modified":"2025-02-07T11:01:31Z","published":"2025-02-07T11:01:31Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DUNHR7ATZWEF5LQKUNEXKL22CUQAND3A/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1227010"},{"type":"REPORT","url":"https://bugzilla.suse.com/1234512"},{"type":"REPORT","url":"https://bugzilla.suse.com/1235265"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-34155"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-34156"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-34158"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-3817"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45337"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2024-45338"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-21613"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-21614"}],"related":["CVE-2024-34155","CVE-2024-34156","CVE-2024-34158","CVE-2024-3817","CVE-2024-45337","CVE-2024-45338","CVE-2025-21613","CVE-2025-21614"],"summary":"Security update for trivy","upstream":["CVE-2024-34155","CVE-2024-34156","CVE-2024-34158","CVE-2024-3817","CVE-2024-45337","CVE-2024-45338","CVE-2025-21613","CVE-2025-21614"]}
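Added example for this record; it is not code from the advisory, from SUSE or from the Trivy project. The `fixed` value in both `affected` entries, 0.58.2-bp156.2.6.1, is an RPM version-release string, so deciding whether an installed trivy package is still inside the affected range needs RPM's segment-wise ordering (digit runs numeric, alpha runs lexical, numeric beats alpha, `~` before and `^` after end-of-string), not semver. The script re-implements that ordering (rpmvercmp semantics), walks the OSV `ECOSYSTEM` range events (an `introduced` of "0" covers every earlier build; a version is affected while strictly below `fixed`) against a trimmed copy of the `affected` array above, and treats the "(none)" epoch that `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'` prints for unset epochs as 0. The installed versions fed to it are constructed for illustration.

```python
import json

# Trimmed copy of the record above (only the `affected` entries; the long
# `details` changelog is omitted). Constructed here so the script runs offline.
ADVISORY = json.loads('''{"id": "openSUSE-SU-2025:0056-1", "affected": [
  {"package": {"ecosystem": "SUSE:Package Hub 15 SP6", "name": "trivy"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.58.2-bp156.2.6.1"}]}]},
  {"package": {"ecosystem": "openSUSE:Leap 15.6", "name": "trivy"},
   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.58.2-bp156.2.6.1"}]}]}]}''')


def _is_alnum(c):
    return c.isascii() and c.isalnum()


def _take(s, i, pred):
    # Consume the run of characters at s[i:] that satisfy pred.
    j = i
    while j < len(s) and pred(s[j]):
        j += 1
    return s[i:j], j


def rpmvercmp(a, b):
    """RPM label comparison (rpmvercmp semantics). Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_alnum(a[i]) and a[i] not in "~^":
            i += 1                                  # separators are ignored
        while j < len(b) and not _is_alnum(b[j]) and b[j] not in "~^":
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]             # "" once a side is exhausted
        if ca == "~" or cb == "~":                  # pre-release: older than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":                  # post-release: newer than end-of-string only
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != "^" or cb != "^":
                return 1 if ca != "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else (lambda c: _is_alnum(c) and not c.isdigit())
        sa, i = _take(a, i, pred)
        sb, j = _take(b, j, pred)
        if not sb:                                  # segment types differ: numeric wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):                  # more significant digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release'; epoch optional, and rpm prints '(none)' when unset."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Full RPM ordering: epoch numerically, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def _in_range(evr, introduced, fixed):
    # OSV: introduced "0" means "since the first release"; fixed None means still open.
    return ((introduced == "0" or evr_cmp(evr, introduced) >= 0)
            and (fixed is None or evr_cmp(evr, fixed) < 0))


def is_affected(record, ecosystem, installed_evr, name="trivy"):
    """True if installed_evr of `name` in `ecosystem` lies in an affected ECOSYSTEM range."""
    for entry in record["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            introduced = None
            for ev in rng["events"]:                # ordered: introduced, fixed, introduced, ...
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    if _in_range(installed_evr, introduced, ev["fixed"]):
                        return True
                    introduced = None
            if introduced is not None and _in_range(installed_evr, introduced, None):
                return True
    return False


if __name__ == "__main__":
    # Constructed installed versions; on a host use: rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' trivy
    for eco, evr in [("openSUSE:Leap 15.6", "(none):0.58.1-bp156.2.3.1"),
                     ("openSUSE:Leap 15.6", "(none):0.58.2-bp156.2.6.1")]:
        print(eco, evr, "AFFECTED" if is_affected(ADVISORY, eco, evr) else "fixed")
```

The comparison has to be done with RPM rules because a naive string or semver compare gets the Package Hub release suffix wrong (for instance bp156.2.6.10 must sort after bp156.2.6.1). The check only considers the two ecosystems named in the record; a trivy package from any other openSUSE or SUSE product is out of scope for this advisory and reports "not affected" here, which is correct for this record but says nothing about whether that product has its own fix.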