Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump github.com/aquasecurity/trivy from 0.50.1 to 0.51.1 #1912

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 6, 2024

Bumps github.com/aquasecurity/trivy from 0.50.1 to 0.51.1.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.51.1

Changelog

  • 8016b821a fix(fs): handle default skip dirs properly (#6628)
  • 7a25dadb4 fix(misconf): load cached tf modules (#6607)
  • 9c794c0ff fix(misconf): do not use semver for parsing tf module versions (#6614)

v0.51.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#6622

Changelog

  • 14c1024b4 refactor: move setting scanners when using compliance reports to flag parsing (#6619)
  • 998f75043 feat: introduce package UIDs for improved vulnerability mapping (#6583)
  • 770b14113 perf(misconf): Improve cause performance (#6586)
  • 3ccb1a0f1 docs: trivy-k8s new experiance remove un-used section (#6608)
  • 58cfd1b07 chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
  • 715963d75 docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
  • 37da98df4 feat(misconf): Use updated terminology for misconfiguration checks (#6476)
  • cdee7030a chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
  • 6a2225b42 docs: use generic link from trivy-repo (#6606)
  • a2a02de7c docs: update trivy k8s with new experience (#6465)
  • e739ab850 feat: support --skip-images scanning flag (#6334)
  • c6d5d856c BREAKING: add support for k8s disable-node-collector flag (#6311)
  • 194a81468 chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
  • 03830c50c chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
  • 8e814fa23 chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
  • 2dc76ba78 chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
  • c17176ba9 chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
  • bce70af36 chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
  • 4369a19af feat: add ubuntu 23.10 and 24.04 support (#6573)
  • 5566548b7 chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
  • a8af76a47 chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)
  • c8ed432f2 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598)
  • 551a46efc docs(go): add stdlib (#6580)
  • 261649b11 chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592)
  • acfddd457 chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600)
  • 419e3d202 feat(go): parse main mod version from build info settings (#6564)
  • f0961d54f feat: respect custom exit code from plugin (#6584)
  • a5d485cf8 docs: add asdf and mise installation method (#6063)
  • 29b8faf5f feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
  • e3bef0201 feat: add support environment.yaml files (#6569)
  • 916f6c66f fix: close plugin.yaml (#6577)
  • 8e6cd0e91 fix: trivy k8s avoid deleting non-default node collector namespace (#6559)
  • 060d0bb64 BREAKING: support exclude kinds/namespaces and include kinds/namespaces (#6323)
  • 2d090ef2d feat(go): add main module (#6574)
  • 6343e4fc7 feat: add relationships (#6563)
  • a018ee1f9 ci: disable Go cache for reusable-release.yaml (#6572)
  • 5da053f30 docs: mention --show-suppressed is available in table (#6571)
  • 3d66cb8d8 chore: fix sqlite to support loong64 (#6511)

... (truncated)

Commits
  • 8016b82 fix(fs): handle default skip dirs properly (#6628)
  • 7a25dad fix(misconf): load cached tf modules (#6607)
  • 9c794c0 fix(misconf): do not use semver for parsing tf module versions (#6614)
  • 14c1024 refactor: move setting scanners when using compliance reports to flag parsing...
  • 998f750 feat: introduce package UIDs for improved vulnerability mapping (#6583)
  • 770b141 perf(misconf): Improve cause performance (#6586)
  • 3ccb1a0 docs: trivy-k8s new experiance remove un-used section (#6608)
  • 58cfd1b chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2...
  • 715963d docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
  • 37da98d feat(misconf): Use updated terminology for misconfiguration checks (#6476)
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
github.com/aquasecurity/trivy [>= 0.50.2.a, < 0.50.3]
github.com/aquasecurity/trivy [< 0.51, > 0.50.1]

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 6, 2024
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch from 0d7dacf to 8a13039 Compare May 7, 2024 17:31
@MaineK00n MaineK00n requested a review from shino May 7, 2024 22:06
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch from 8a13039 to 67e790f Compare May 7, 2024 22:13
@MaineK00n MaineK00n force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch from 67e790f to 5ff6e01 Compare May 10, 2024 03:33
@MaineK00n
Copy link
Collaborator

MaineK00n commented May 10, 2024

Detecting Vulnerabilities in Standard Packages for Go Binaries

[servers.pseudo]
type = "pseudo"
lockfiles = ["integration/data/lockfile/gobinary"]

before

$ vuls scan
...
Scan Summary
================
pseudo	pseudo	0 installed, 0 updatable	1 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

$ cat results/2024-05-10T14-41-34+0900/pseudo.json | jq .libraries[0].Libs[]
{
  "Name": "golang.org/x/text",
  "Version": "v0.3.2",
  "PURL": "pkg:golang/golang.org/x/text@v0.3.2",
  "FilePath": "",
  "Digest": ""
}

$ vuls report
...
===============
Total: 3 (Critical:0 High:3 Medium:0 Low:0 ?:0)
3/3 Fixed, 0 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 1 libs

+----------------+------+--------+-----+-----------+---------+-------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |     PACKAGES      |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2020-14040 |  8.9 |  AV:N  |     |           |   fixed | golang.org/x/text |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2021-38561 |  8.9 |  AV:N  |     |           |   fixed | golang.org/x/text |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2022-32149 |  8.9 |  AV:N  |     |           |   fixed | golang.org/x/text |
+----------------+------+--------+-----+-----------+---------+-------------------+

after

$ vuls scan
...
Scan Summary
================
pseudo	pseudo	0 installed, 0 updatable	3 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

$ cat results/2024-05-10T14-41-39+0900/pseudo.json | jq .libraries[0].Libs[]
{
  "Name": "example",
  "Version": "",
  "PURL": "pkg:golang/example",
  "FilePath": "",
  "Digest": ""
}
{
  "Name": "golang.org/x/text",
  "Version": "v0.3.2",
  "PURL": "pkg:golang/golang.org/x/text@v0.3.2",
  "FilePath": "",
  "Digest": ""
}
{
  "Name": "stdlib",
  "Version": "1.17",
  "PURL": "pkg:golang/stdlib@1.17",
  "FilePath": "",
  "Digest": ""
}

$ vuls report
...
pseudo (pseudo)
===============
Total: 63 (Critical:3 High:41 Medium:18 Low:1 ?:0)
63/63 Fixed, 8 poc, 0 exploits, cisa: 0, uscert: 0, jpcert: 0 alerts
0 installed, 3 libs

+----------------+------+--------+-----+-----------+---------+-------------------+
|     CVE-ID     | CVSS | ATTACK | POC |   ALERT   |  FIXED  |     PACKAGES      |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2022-23806 | 10.0 |  AV:N  |     |           |   fixed | stdlib            |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2023-24538 | 10.0 |  AV:N  |     |           |   fixed | stdlib            |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2023-24540 | 10.0 |  AV:N  |     |           |   fixed | stdlib            |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2020-14040 |  8.9 |  AV:N  |     |           |   fixed | golang.org/x/text |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2021-38561 |  8.9 |  AV:N  |     |           |   fixed | golang.org/x/text |
+----------------+------+--------+-----+-----------+---------+-------------------+
| CVE-2021-39293 |  8.9 |  AV:N  |     |           |   fixed | stdlib            |
+----------------+------+--------+-----+-----------+---------+-------------------+
...

Conan v2.x Lockfile Support

[servers.pseudo]
type = "pseudo"
lockfiles = ["integration/data/lockfile/conan-v2/conan.lock"]

before

$ vuls scan
...
Scan Summary
================
pseudo	pseudo	0 installed, 0 updatable





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

after

$ vuls scan
...
Scan Summary
================
pseudo	pseudo	0 installed, 0 updatable	2 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

@MaineK00n MaineK00n self-assigned this May 10, 2024
@MaineK00n MaineK00n force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch from 5ff6e01 to 91d1a79 Compare May 10, 2024 06:24
Copy link
Collaborator

@shino shino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect!

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.50.1 to 0.51.1.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml)
- [Commits](aquasecurity/trivy@v0.50.1...v0.51.1)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@MaineK00n MaineK00n force-pushed the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch from 91d1a79 to 480387a Compare May 15, 2024 13:22
@MaineK00n MaineK00n merged commit f1c3848 into master May 15, 2024
7 checks passed
@MaineK00n MaineK00n deleted the dependabot/go_modules/master/github.com/aquasecurity/trivy-0.51.1 branch May 15, 2024 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants