chore(deps): update dependency aquasecurity/trivy to v0.54.1

[secustor]

This PR contains the following updates:

Package	Update	Change	OpenSSF
aquasecurity/trivy	minor	0.40.0 -> 0.54.1

---

Release Notes

aquasecurity/trivy (aquasecurity/trivy)

v0.54.1

Compare Source

Changelog

• 854c61d release: v0.54.1 [release/v0.54] (#​7282)
• 334a1c2 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#​7285)
• f61725c fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#​7283)
• a7b7117 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#​7279)

v0.54.0

Compare Source

Features

• add log.FilePath() function for logger (#​7080) (1f5f348)
• add openSUSE tumbleweed detection and scanning (#​6965) (17b5dbf)
• cli: rename --vuln-type flag to --pkg-types flag (#​7104) (7cbdb0a)
• mariner: Add support for Azure Linux (#​7186) (5cbc452)
• misconf: enabled China configuration for ACRs (#​7156) (d1ec89d)
• nodejs: add license parser to pnpm analyser (#​7036) (03ac93d)
• sbom: add image labels into SPDX and CycloneDX reports (#​7257) (4a2f492)
• sbom: add vulnerability support for SPDX formats (#​7213) (efb1f69)
• share build-in rules (#​7207) (bff317c)
• vex: retrieve VEX attestations from OCI registries (#​7249) (c2fd2e0)
• vex: VEX Repository support (#​7206) (88ba460)
• vuln: add --pkg-relationships (#​7237) (5c37361)

Bug Fixes

• Add dependencyManagement exclusions to the child exclusions (#​6969) (dc68a66)
• add missing platform and type to spec (#​7149) (c8a7abd)
• cli: error on missing config file (#​7154) (7fa5e7d)
• close file when failed to open gzip (#​7164) (2a577a7)
• dotnet: don't include non-runtime libraries into report for *.deps.json files (#​7039) (5bc662b)
• dotnet: show nuget package dir not found log only when checking nuget packages (#​7194) (d76feba)
• ignore nodes when listing permission is not allowed (#​7107) (25f8143)
• java: avoid panic if deps from pom in it dir are not found (#​7245) (4e54a7e)
• java: use go-mvn-version to remove Package duplicates (#​7088) (a7a304d)
• misconf: do not evaluate TF when a load error occurs (#​7109) (f27c236)
• nodejs: detect direct dependencies when using latest version for files yarn.lock + package.json (#​7110) (54bb8bd)
• report: hide empty table when all secrets/license/misconfigs are ignored (#​7171) (c3036de)
• secret: skip regular strings contain secret patterns (#​7182) (174b1e3)
• secret: trim excessively long lines (#​7192) (92b13be)
• secret: update length of hugging-face-access-token (#​7216) (8c87194)
• server: pass license categories to options (#​7203) (9d52018)

Performance Improvements

• debian: use bytes.Index in emptyLineSplit to cut allocation (#​7065) (acbec05)

v0.53.0

Compare Source

⚠ BREAKING CHANGES

• k8s: node-collector dynamic commands support (#​6861)
• add clean subcommand (#​6993)
• aws: Remove aws subcommand (#​6995)

Features

• add clean subcommand (#​6993) (8d0ae1f)
• Add local ImageID to SARIF metadata (#​6522) (f144e91)
• add memory cache backend (#​7048) (55ccd06)
• aws: Remove aws subcommand (#​6995) (979e118)
• conda: add licenses support for environment.yml files (#​6953) (654217a)
• dart: use first version of constraint for dependencies using SDK version (#​6239) (042d6b0)
• image: Set User-Agent header for Trivy container registry requests (#​6868) (9b31697)
• java: add support for maven-metadata.xml files for remote snapshot repositories. (#​6950) (1f8fca1)
• java: add support for sbt projects using sbt-dependency-lock (#​6882) (f18d035)
• k8s: node-collector dynamic commands support (#​6861) (8d618e4)
• misconf: add metadata to Cloud schema (#​6831) (02d5404)
• misconf: add support for AWS::EC2::SecurityGroupIngress/Egress (#​6755) (55fa610)
• misconf: API Gateway V1 support for CloudFormation (#​6874) (8491469)
• misconf: support of selectors for all providers for Rego (#​6905) (bc3741a)
• php: add installed.json file support (#​4865) (edc556b)
• plugin: add support for nested archives (#​6845) (622c67b)
• sbom: migrate to CycloneDX v1.6 (#​6903) (09e50ce)

Bug Fixes

• c: don't skip conan files from file-patterns and scan .conan2 cache dir (#​6949) (38b35dd)
• cli: show info message only when --scanners is available (#​7032) (e9fc3e3)
• cyclonedx: trim non-URL info for advisory.url (#​6952) (417212e)
• debian: take installed files from the origin layer (#​6849) (089b953)
• image: parse image.inspect.Created field only for non-empty values (#​6948) (0af5730)
• license: return license separation using separators ,, or, etc. (#​6916) (52f7aa5)
• misconf: fix caching of modules in subdirectories (#​6814) (0bcfedb)
• misconf: fix parsing of engine links and frameworks (#​6937) (ec68c9a)
• misconf: handle source prefix to ignore (#​6945) (c3192f0)
• misconf: parsing numbers without fraction as int (#​6834) (8141a13)
• nodejs: fix infinite loop when package link from package-lock.json file is broken (#​6858) (cf5aa33)
• nodejs: fix infinity loops for pnpm with cyclic imports (#​6857) (7d083bc)
• plugin: respect --insecure (#​7022) (3d02a31)
• purl: add missed os types (#​6955) (2d85a00)
• python: compare pkg names from poetry.lock and pyproject.toml in lowercase (#​6852) (faa9d92)
• sbom: don't overwrite srcEpoch when decoding SBOM files (#​6866) (04af59c)
• sbom: fix panic when scanning SBOM file without root component into SBOM format (#​7051) (3d4ae8b)
• sbom: take pkg name from purl for maven pkgs (#​7008) (a76e328)
• sbom: use purl for bitnami pkg names (#​6982) (7eabb92)
• sbom: use package UIDs for uniqueness (#​7042) (14d71ba)
• secret: Asymmetric Private Key shouldn't start with space (#​6867) (bb26445)
• suse: Add SLES 15.6 and Leap 15.6 (#​6964) (5ee4e9d)
• use embedded when command path not found (#​7037) (137c916)

v0.52.2

Compare Source

Changelog

• 8709d4f release: v0.52.2 [release/v0.52] (#​6896)
• a4b8ad7 ci: use ubuntu-latest-m runner [backport: release/v0.52] (#​6933)
• 2b711bc chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#​6919)
• 191d31e test: bump docker API to 1.45 [backport: release/v0.52] (#​6922)
• 3f5874c ci: bump github.com/goreleaser/goreleaser to v2.0.0 [backport: release/v0.52] (#​6893)
• 8f8c76a fix(debian): take installed files from the origin layer [backport: release/v0.52] (#​6892)

v0.52.1

Compare Source

Changelog

• a3caf06 release: v0.52.1 [release/v0.52] (#​6877)
• 01dbb42 fix(nodejs): fix infinite loop when package link from package-lock.json file is broken [backport: release/v0.52] (#​6888)
• f186d22 fix(sbom): don't overwrite srcEpoch when decoding SBOM files [backport: release/v0.52] (#​6881)
• 093c0ae fix(python): compare pkg names from poetry.lock and pyproject.toml in lowercase [backport: release/v0.52] (#​6878)
• 6bfda76 Merge pull request #​6879 from aquasecurity/backport-pr-6864-to-release/v0.52
• 53850c8 docs: explain how VEX is applied (#​6864)
• 2211962 Merge pull request #​6875 from aquasecurity/backport-pr-6857-to-release/v0.52
• a614b69 fix(nodejs): fix infinity loops for pnpm with cyclic imports (#​6857)

v0.52.0

Compare Source

Features

• Add Julia language analyzer support (#​5635) (fecafb1)
• add support for plugin index (#​6674) (26faf8f)
• misconf: Add support for deprecating a check (#​6664) (88702cf)
• misconf: add Terraform 'removed' block to schema (#​6640) (b7a0a13)
• misconf: register builtin Rego funcs from trivy-checks (#​6616) (7c22ee3)
• misconf: resolve tf module from OpenTofu compatible registry (#​6743) (ac74520)
• misconf: support for VPC resources for inbound/outbound rules (#​6779) (349caf9)
• misconf: support symlinks inside of Helm archives (#​6621) (4eae37c)
• nodejs: add v9 pnpm lock file support (#​6617) (1e08648)
• plugin: specify plugin version (#​6683) (d6dc567)
• python: add license support for requirement.txt files (#​6782) (29615be)
• python: add line number support for requirement.txt files (#​6729) (2bc54ad)
• report: Include licenses and secrets filtered by rego to ModifiedFindings (#​6483) (fa3cf99)
• vex: improve relationship support in CSAF VEX (#​6735) (a447f6b)
• vex: support non-root components for products in OpenVEX (#​6728) (9515695)

Bug Fixes

• clean up golangci lint configuration (#​6797) (62de6f3)
• cli: always output fatal errors to stderr (#​6827) (c2b9132)
• close APKINDEX archive file (#​6672) (5caf437)
• close settings.xml (#​6768) (9c3e895)
• close testfile (#​6830) (aa0c413)
• conda: add support pip deps for environment.yml files (#​6675) (150a773)
• go: add only non-empty root modules for gobinaries (#​6710) (c96f2a5)
• go: include only .version|.ver (no prefixes) ldflags for gobinaries (#​6705) (afb4f9d)
• Golang version parsing from binaries w/GOEXPERIMENT (#​6696) (696f2ae)
• include packages unless it is not needed (#​6765) (56dbe1f)
• misconf: don't shift ignore rule related to code (#​6708) (39a746c)
• misconf: skip Rego errors with a nil location (#​6638) (a2c522d)
• misconf: skip Rego errors with a nil location (#​6666) (a126e10)
• node-collector high and critical cves (#​6707) (ff32deb)
• plugin: initialize logger (#​6836) (728e77a)
• python: add package name and version validation for requirements.txt files. (#​6804) (ea3a124)
• report: hide empty tables if all vulns has been filtered (#​6352) (3d388d8)
• sbom: fix panic for convert mode when scanning json file derived from sbom file (#​6808) (f92ea09)
• use of specified context to obtain cluster name (#​6645) (39ebed4)

Performance Improvements

• misconf: parse rego input once (#​6615) (67c6b1d)

v0.51.4

Compare Source

Changelog

• c06f467 chore: downgrade trivy-checks and trivy-aws
• df4f760 build: use main package instead of main.go (#​6766)
• bf7a8ed chore(deps): bump the common group across 1 directory with 29 updates (#​6756)
• acb22c6 chore(deps): bump the aws group with 8 updates (#​6738)
• 9a3510f chore(deps): bump the docker group with 2 updates (#​6739)
• 7806b37 ci: add generic dir to deb deploy script (#​6636)

v0.51.2

Compare Source

Changelog

• eadc6fb fix: node-collector high and critical cves (#​6707)
• cc489b1 Merge pull request from GHSA-xcq4-m2r3-cmrj
• 013f71a chore: auto-bump golang patch versions (#​6711)
• 113a5b2 fix(misconf): don't shift ignore rule related to code (#​6708)
• 733e5ac fix(go): include only .version|.ver (no prefixes) ldflags for gobinaries (#​6705)
• d311e49 fix(go): add only non-empty root modules for gobinaries (#​6710)
• cf1a7bf refactor: unify package addition and vulnerability scanning (#​6579)
• d465d9d fix: Golang version parsing from binaries w/GOEXPERIMENT (#​6696)
• 0af225c fix(conda): add support pip deps for environment.yml files (#​6675)
• 6f64d55 fix(misconf): skip Rego errors with a nil location (#​6666)
• 8c27430 fix(misconf): skip Rego errors with a nil location (#​6638)
• c2b46d3 refactor: unify Library and Package structs (#​6633)
• 4368f11 fix: use of specified context to obtain cluster name (#​6645)
• 5ec62f8 docs: fix usage of image-config-scanners (#​6635)

v0.51.1

Compare Source

Changelog

• 8016b82 fix(fs): handle default skip dirs properly (#​6628)
• 7a25dad fix(misconf): load cached tf modules (#​6607)
• 9c794c0 fix(misconf): do not use semver for parsing tf module versions (#​6614)

v0.51.0

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6622

Changelog

• 14c1024 refactor: move setting scanners when using compliance reports to flag parsing (#​6619)
• 998f750 feat: introduce package UIDs for improved vulnerability mapping (#​6583)
• 770b141 perf(misconf): Improve cause performance (#​6586)
• 3ccb1a0 docs: trivy-k8s new experiance remove un-used section (#​6608)
• 58cfd1b chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#​6612)
• 715963d docs: remove mention of GitLab Gold because it doesn't exist anymore (#​6609)
• 37da98d feat(misconf): Use updated terminology for misconfiguration checks (#​6476)
• cdee703 chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#​6593)
• 6a2225b docs: use generic link from trivy-repo (#​6606)
• a2a02de docs: update trivy k8s with new experience (#​6465)
• e739ab8 feat: support --skip-images scanning flag (#​6334)
• c6d5d85 BREAKING: add support for k8s disable-node-collector flag (#​6311)
• 194a814 chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#​6601)
• 03830c5 chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#​6599)
• 8e814fa chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#​6597)
• 2dc76ba chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#​6588)
• c17176b chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#​6595)
• bce70af chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#​6596)
• 4369a19 feat: add ubuntu 23.10 and 24.04 support (#​6573)
• 5566548 chore(deps): bump azure/setup-helm from 3.5 to 4 (#​6590)
• a8af76a chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#​6587)
• c8ed432 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#​6598)
• 551a46e docs(go): add stdlib (#​6580)
• 261649b chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#​6592)
• acfddd4 chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#​6600)
• 419e3d2 feat(go): parse main mod version from build info settings (#​6564)
• f0961d5 feat: respect custom exit code from plugin (#​6584)
• a5d485c docs: add asdf and mise installation method (#​6063)
• 29b8faf feat(vuln): Handle scanning conan v2.x lockfiles (#​6357)
• e3bef02 feat: add support environment.yaml files (#​6569)
• 916f6c6 fix: close plugin.yaml (#​6577)
• 8e6cd0e fix: trivy k8s avoid deleting non-default node collector namespace (#​6559)
• 060d0bb BREAKING: support exclude kinds/namespaces and include kinds/namespaces (#​6323)
• 2d090ef feat(go): add main module (#​6574)
• 6343e4f feat: add relationships (#​6563)
• a018ee1 ci: disable Go cache for reusable-release.yaml (#​6572)
• 5da053f docs: mention --show-suppressed is available in table (#​6571)
• 3d66cb8 chore: fix sqlite to support loong64 (#​6511)
• 9aca98c fix(debian): sort dpkg info before parsing due to exclude directories (#​6551)
• 7811ad0 docs: update info about config file (#​6547)
• fae710d docs: remove RELEASE_VERSION from trivy.repo (#​6546)
• d2d4022 fix(sbom): change error to warning for multiple OSes (#​6541)
• 164b025 fix(vuln): skip empty versions (#​6542)
• 5dd9bd4 feat(c): add license support for conan lock files (#​6329)
• 7c2017f fix(terraform): Attribute and fileset fixes (#​6544)
• 63c9469 refactor: change warning if no vulnerability details are found (#​6230)
• aa822c2 refactor(misconf): improve error handling in the Rego scanner (#​6527)
• 30cc88f ci: use tmp dir inside Trivy repo dir for GoReleaser (#​6533)
• e32215c feat(go): parse main module of go binary files (#​6530)
• d4da83c chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#​6526)
• 0d7d97d refactor(misconf): simplify the retrieval of module annotations (#​6528)
• 9873cf3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#​6523)
• 95c8fd9 docs(nodejs): add info about supported versions of pnpm lock files (#​6510)
• 12ec0df feat(misconf): loading embedded checks as a fallback (#​6502)
• 9b7d713 fix(misconf): Parse JSON k8s manifests properly (#​6490)
• 13e72ec refactor: remove parallel walk (#​5180)
• a986199 fix: close pom.xml (#​6507)
• 46d5aba fix(secret): convert severity for custom rules (#​6500)
• 34ab09d fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (#​6412)
• 1ba5b59 fix: typo (#​6283)
• 4fab0f8 docs(k8s,image): fix command-line syntax issues (#​6403)
• d770981 chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#​6435)
• 4337068 fix(misconf): avoid panic if the scheme is not valid (#​6496)
• d82d6cb feat(image): goversion as stdlib (#​6277)
• cfddfb3 fix: add color for error inside of log message (#​6493)
• dfcb0f9 chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#​6438)
• 183eaaf docs: fix links to OPA docs (#​6480)
• 94d6e8c refactor: replace zap with slog (#​6466)
• 336c47e docs: update links to IaC schemas (#​6477)
• 06b4473 chore: bump Go to 1.22 (#​6075)
• a51cedd refactor(terraform): sync funcs with Terraform (#​6415)
• 53517d6 feat(misconf): add helm-api-version and helm-kube-version flag (#​6332)
• ad544e9 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#​6426)
• 089368d chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#​6452)
• 1163565 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#​6430)
• 637da2b chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#​6437)
• 13190e9 fix(terraform): eval submodules (#​6411)
• 6bca7c3 refactor(terraform): remove unused options (#​6446)
• 8e4279b refactor(terraform): remove unused file (#​6445)
• e98c873 chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#​6387)
• b1c2eab chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#​6427)
• 1c49a16 fix(misconf): Escape template value correctly (#​6292)
• 8dd0fcd feat(misconf): add support for wildcard ignores (#​6414)
• 74e4c6e fix(cloudformation): resolve DedicatedMasterEnabled parsing issue (#​6439)
• 245c120 refactor(terraform): remove metrics collection (#​6444)
• 86714bf feat(cloudformation): add support for logging and endpoint access for EKS (#​6440)
• a758392 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#​6424)
• 4d00d8b chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#​6428)
• 3ad2b3e chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#​6429)
• 8baccd7 fix(db): check schema version for image name only (#​6410)
• e75a90f chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#​6425)
• 6625bd3 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#​6433)
• 826fe60 chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#​6436)
• f23ed77 feat(misconf): Support private registries for misconf check bundle (#​6327)
• df024e8 feat(cloudformation): inline ignore support for YAML templates (#​6358)
• 29dee32 feat(terraform): ignore resources by nested attributes (#​6302)
• 1a67472 perf(helm): load in-memory files (#​6383)
• 09e37b7 feat(aws): apply filter options to result (#​6367)
• 87a9aa6 feat(aws): quiet flag support (#​6331)
• 712dcd3 fix(misconf): clear location URI for SARIF (#​6405)
• 625f22b test(cloudformation): add CF tests (#​6315)
• 6a2f6fd fix(cloudformation): infer type after resolving a function (#​6406)

v0.50.4

Compare Source

Note

v0.50.3 hads a critical problem, and we deleted it and released v0.50.4.

Changelog

• [e47fd48](https://re

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.