Merge remote-tracking branch 'origin' into poetry-dev-deps-2

aquasecurity · Dec 23, 2024 · 551a7ba · 551a7ba
2 parents dc14db8 + e6d0ba5
commit 551a7ba
Show file tree

Hide file tree

Showing 38 changed files with 2,035 additions and 778 deletions.
diff --git a/.github/workflows/auto-update-labels.yaml b/.github/workflows/auto-update-labels.yaml
@@ -6,7 +6,7 @@ on:
     branches:
       - main
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 jobs:
   deploy:
     name: Auto-update labels

diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml
@@ -14,7 +14,7 @@ on:
 
 env:
   GH_USER: "aqua-bot"
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 
 jobs:
   release:

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -12,7 +12,7 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: '1.22'
+  GO_VERSION: '1.23'
 jobs:
   test:
     name: Test

diff --git a/.golangci.yaml b/.golangci.yaml
@@ -121,7 +121,7 @@ linters:
     - usestdlibvars
 
 run:
-  go: '1.22'
+  go: '1.23'
   timeout: 30m
 
 issues:

diff --git a/.vex/trivy.openvex.json b/.vex/trivy.openvex.json
@@ -570,6 +570,35 @@
       "status": "not_affected",
       "justification": "vulnerable_code_not_in_execute_path",
       "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
+    },
+    {
+      "vulnerability": {
+        "@id": "https://pkg.go.dev/vuln/GO-2024-3333",
+        "name": "GO-2024-3333",
+        "description": "Non-linear parsing of case-insensitive content in golang.org/x/net/html",
+        "aliases": [
+          "CVE-2024-45338"
+        ]
+      },
+      "products": [
+        {
+          "@id": "pkg:golang/github.com/aquasecurity/trivy",
+          "identifiers": {
+            "purl": "pkg:golang/github.com/aquasecurity/trivy"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:golang/golang.org/x/net",
+              "identifiers": {
+                "purl": "pkg:golang/golang.org/x/net"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "Govulncheck determined that the vulnerable code isn't called"
     }
   ]
 }
diff --git a/Dockerfile.protoc b/Dockerfile.protoc
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 golang:1.22
+FROM --platform=linux/amd64 golang:1.23
 
 # Set environment variable for protoc
 ENV PROTOC_ZIP=protoc-3.19.4-linux-x86_64.zip

diff --git a/aqua.yaml b/aqua.yaml
@@ -5,6 +5,6 @@ registries:
 - type: standard
   ref: v3.157.0 # renovate: depName=aquaproj/aqua-registry
 packages:
-- name: tinygo-org/tinygo@v0.31.1
+- name: tinygo-org/tinygo@v0.33.0
 - name: WebAssembly/binaryen@version_112
 - name: magefile/mage@v1.14.0
diff --git a/docs/docs/configuration/reporting.md b/docs/docs/configuration/reporting.md
@@ -58,6 +58,7 @@ The following languages are currently supported:
 |          | [yarn.lock][yarn-lock]                     |
 | .NET     | [packages.lock.json][dotnet-packages-lock] |
 | Python   | [poetry.lock][poetry-lock]                 |
+|          | [uv.lock][uv-lock]                         |
 | Ruby     | [Gemfile.lock][gemfile-lock]               |
 | Rust     | [cargo-auditable binaries][cargo-binaries] |
 | Go       | [go.mod][go-mod]                           |
@@ -449,6 +450,7 @@ $ trivy convert --format table --severity CRITICAL result.json
 [yarn-lock]: ../coverage/language/nodejs.md#yarn
 [dotnet-packages-lock]: ../coverage/language/dotnet.md#packageslockjson
 [poetry-lock]: ../coverage/language/python.md#poetry
+[uv-lock]: ../coverage/language/python.md#uv
 [gemfile-lock]: ../coverage/language/ruby.md#bundler
 [go-mod]: ../coverage/language/golang.md#go-module
 [composer-lock]: ../coverage/language/php.md#composerlock

diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md
@@ -22,6 +22,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 |                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |       -        |
 | [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | poetry.lock                                                                                |     -     |     -      |       ✅        |       ✅        |
+|                      | uv.lock                                                                                    |     -     |     -      |       ✅        |       ✅        |
 |                      | requirements.txt                                                                           |     -     |     -      |       ✅        |       ✅        |
 |                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |       -        |
 |                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |       -        |

diff --git a/docs/docs/coverage/language/python.md b/docs/docs/coverage/language/python.md
@@ -8,6 +8,7 @@ The following scanners are supported for package managers.
 | pip             |  ✓   |       ✓       |    ✓    |
 | Pipenv          |  ✓   |       ✓       |    -    |
 | Poetry          |  ✓   |       ✓       |    -    |
+| uv              |  ✓   |       ✓       |    -    |
 
 In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
 The following scanners are supported for Python packages.
@@ -26,6 +27,7 @@ The following table provides an outline of the features Trivy offers.
 | pip             | requirements.txt |            -            |     Include      |                  -                   |    ✓     |                    ✓                     |
 | Pipenv          | Pipfile.lock     |            ✓            |     Include      |                  -                   |    ✓     |                Not needed                |
 | Poetry          | poetry.lock      |            ✓            |     Include      |                  ✓                   |    -     |                Not needed                |
+| uv              | uv.lock          |            ✓            |     Exclude      |                  ✓                   |    -     |                Not needed                |
 
 
 | Packaging | Dependency graph |
@@ -126,6 +128,11 @@ To build the correct dependency graph, `pyproject.toml` also needs to be present
 
 License detection is not supported for `Poetry`.
 
+### uv
+Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
+
+License detection is not supported for `uv`.
+
 ## Packaging
 Trivy parses the manifest files of installed packages in container image scanning and so on.
 See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for the detail.