Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump github.com/aquasecurity/trivy from 0.45.1 to 0.51.2 #23

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 20, 2024

Bumps github.com/aquasecurity/trivy from 0.45.1 to 0.51.2.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.51.2

Changelog

  • eadc6fb64 fix: node-collector high and critical cves (#6707)
  • cc489b1af Merge pull request from GHSA-xcq4-m2r3-cmrj
  • 013f71a6a chore: auto-bump golang patch versions (#6711)
  • 113a5b216 fix(misconf): don't shift ignore rule related to code (#6708)
  • 733e5ac1f fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#6705)
  • d311e49bc fix(go): add only non-empty root modules for gobinaries (#6710)
  • cf1a7bf30 refactor: unify package addition and vulnerability scanning (#6579)
  • d465d9d1e fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
  • 0af225ccf fix(conda): add support pip deps for environment.yml files (#6675)
  • 6f64d5518 fix(misconf): skip Rego errors with a nil location (#6666)
  • 8c27430a2 fix(misconf): skip Rego errors with a nil location (#6638)
  • c2b46d3c2 refactor: unify Library and Package structs (#6633)
  • 4368f11e0 fix: use of specified context to obtain cluster name (#6645)
  • 5ec62f863 docs: fix usage of image-config-scanners (#6635)

v0.51.1

Changelog

  • 8016b821a fix(fs): handle default skip dirs properly (#6628)
  • 7a25dadb4 fix(misconf): load cached tf modules (#6607)
  • 9c794c0ff fix(misconf): do not use semver for parsing tf module versions (#6614)

v0.51.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#6622

Changelog

  • 14c1024b4 refactor: move setting scanners when using compliance reports to flag parsing (#6619)
  • 998f75043 feat: introduce package UIDs for improved vulnerability mapping (#6583)
  • 770b14113 perf(misconf): Improve cause performance (#6586)
  • 3ccb1a0f1 docs: trivy-k8s new experiance remove un-used section (#6608)
  • 58cfd1b07 chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
  • 715963d75 docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
  • 37da98df4 feat(misconf): Use updated terminology for misconfiguration checks (#6476)
  • cdee7030a chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
  • 6a2225b42 docs: use generic link from trivy-repo (#6606)
  • a2a02de7c docs: update trivy k8s with new experience (#6465)
  • e739ab850 feat: support --skip-images scanning flag (#6334)
  • c6d5d856c BREAKING: add support for k8s disable-node-collector flag (#6311)
  • 194a81468 chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
  • 03830c50c chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
  • 8e814fa23 chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
  • 2dc76ba78 chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
  • c17176ba9 chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
  • bce70af36 chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
  • 4369a19af feat: add ubuntu 23.10 and 24.04 support (#6573)
  • 5566548b7 chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
  • a8af76a47 chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)

... (truncated)

Commits
  • eadc6fb fix: node-collector high and critical cves (#6707)
  • cc489b1 Merge pull request from GHSA-xcq4-m2r3-cmrj
  • 013f71a chore: auto-bump golang patch versions (#6711)
  • 113a5b2 fix(misconf): don't shift ignore rule related to code (#6708)
  • 733e5ac fix(go): include only .version|.ver (no prefixes) ldflags for `gobinaries...
  • d311e49 fix(go): add only non-empty root modules for gobinaries (#6710)
  • cf1a7bf refactor: unify package addition and vulnerability scanning (#6579)
  • d465d9d fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
  • 0af225c fix(conda): add support pip deps for environment.yml files (#6675)
  • 6f64d55 fix(misconf): skip Rego errors with a nil location (#6666)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 20, 2024
@ChristofferNissen
Copy link
Owner

Copacetic is keeping us from upgrading Trivy to fix the vulnerability. Follow here project-copacetic/copacetic#397

@ChristofferNissen
Copy link
Owner

PR merged in Copacetic, waiting for release of 6.3

updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/aquasecurity/trivy-0.51.2 branch from ef7a608 to 87f8c8a Compare June 18, 2024 20:00
Copy link
Contributor Author

dependabot bot commented on behalf of github Jul 25, 2024

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/github.com/aquasecurity/trivy-0.51.2 branch July 25, 2024 23:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant