openSUSE Security Update: Security update for trivy
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2024:0269-1
Rating:             moderate
References:         #1224781 #1227022 
Cross-References:   CVE-2023-42363 CVE-2024-35192 CVE-2024-6257
                   
CVSS scores:
                    CVE-2023-42363 (NVD) : 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
                    CVE-2023-42363 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP6
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   trivy was updated to fix the following issues:

   Update to version 0.54.1:

   * fix(flag): incorrect behavior for deprected flag `--clear-cache`
     [backport: release/v0.54] (#7285)
   * fix(java): Return error when trying to find a remote pom to avoid
     segfault [backport: release/v0.54] (#7283)
   * fix(plugin): do not call GitHub content API for releases and tags
     [backport: release/v0.54] (#7279)
   * release: v0.54.0 [main] (#7075)
   * docs: update ecosystem page reporting with plopsec.com app (#7262)
   * feat(vex): retrieve VEX attestations from OCI registries (#7249)
   * feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
   * refactor(flag): return error if both `--download-db-only` and
     `--download-java-db-only` are specified (#7259)
   * fix(nodejs): detect direct dependencies when using `latest` version for
     files `yarn.lock` + `package.json` (#7110)
   * chore: show VEX notice for OSS maintainers in CI environments (#7246)
   * feat(vuln): add `--pkg-relationships` (#7237)
   * docs: show VEX cli pages + update config file page for VEX flags (#7244)
   * fix(dotnet): show `nuget package dir not found` log only when checking
     `nuget` packages (#7194)
   * feat(vex): VEX Repository support (#7206)
   * fix(secret): skip regular strings contain secret patterns (#7182)
   * feat: share build-in rules (#7207)
   * fix(report): hide empty table when all secrets/license/misconfigs are
     ignored (#7171)
   * fix(cli): error on missing config file (#7154)
   * fix(secret): update length of `hugging-face-access-token` (#7216)
   * feat(sbom): add vulnerability support for SPDX formats (#7213)
   * fix(secret): trim excessively long lines (#7192)
   * chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366
     (#7201)
   * fix(server): pass license categories to options (#7203)
   * feat(mariner): Add support for Azure Linux (#7186)
   * docs: updates config file (#7188)
   * refactor(fs): remove unused field for CompositeFS (#7195)
   * fix: add missing platform and type to spec (#7149)
   * feat(misconf): enabled China configuration for ACRs (#7156)
   * fix: close file when failed to open gzip (#7164)
   * docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
   * docs(misconf): add info about limitations for terraform plan json (#7143)
   * chore: add VEX for Trivy images (#7140)
   * chore: add VEX document and generator for Trivy  (#7128)
   * fix(misconf): do not evaluate TF when a load error occurs (#7109)
   * feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
   * refactor(secret): move warning about file size after `IsBinary` check
     (#7123)
   * feat: add openSUSE tumbleweed detection and scanning (#6965)
   * test: add missing advisory details for integration tests database (#7122)
   * fix: Add dependencyManagement exclusions to the child exclusions (#6969)
   * fix: ignore nodes when listing permission is not allowed (#7107)
   * fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
   * refactor(secret): add warning about large files (#7085)
   * feat(nodejs): add license parser to pnpm analyser (#7036)
   * refactor(sbom): add sbom prefix + filepaths for decode log messages
     (#7074)
   * feat: add `log.FilePath()` function for logger (#7080)
   * chore: bump golangci-lint from v1.58 to v1.59 (#7077)
   * perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation
     (#7065)
   * refactor: pass DB dir to trivy-db (#7057)
   * docs: navigate to the release highlights and summary (#7072)

   Update to version 0.53.0 (bsc#1227022, CVE-2024-6257):
   * release: v0.53.0 [main] (#6855)
   * feat(conda): add licenses support for `environment.yml` files (#6953)
   * fix(sbom): fix panic when scanning SBOM file without root component into
     SBOM format (#7051)
   * feat: add memory cache backend (#7048)
   * fix(sbom): use package UIDs for uniqueness (#7042)
   * feat(php): add installed.json file support (#4865)
   * docs: ✨ Updated ecosystem docs with reference to new community app
     (#7041)
   * fix: use embedded when command path not found (#7037)
   * refactor: use google/wire for cache (#7024)
   * fix(cli): show info message only when --scanners is available (#7032)
   * chore: enable float-compare rule from testifylint (#6967)
   * docs: Add sudo on commands, chmod before mv on install docs (#7009)
   * fix(plugin): respect `--insecure` (#7022)
   * feat(k8s)!: node-collector dynamic commands support (#6861)
   * fix(sbom): take pkg name from `purl` for maven pkgs (#7008)
   * feat!: add clean subcommand (#6993)
   * chore: use `!` for breaking changes (#6994)
   * feat(aws)!: Remove aws subcommand (#6995)
   * refactor: replace global cache directory with parameter passing (#6986)
   * fix(sbom): use `purl` for `bitnami` pkg names (#6982)
   * chore: bump Go toolchain version (#6984)
   * refactor: unify cache implementations (#6977)
   * docs: non-packaged and sbom clarifications (#6975)
   * BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin
     (#6819)
   * docs: delete unknown URL (#6972)
   * refactor: use version-specific URLs for documentation references (#6966)
   * refactor: delete db mock (#6940)
   * refactor: add warning if severity not from vendor (or NVD or GH) is used
     (#6726)
   * feat: Add local ImageID to SARIF metadata (#6522)
   * fix(suse): Add SLES 15.6 and Leap 15.6 (#6964)
   * feat(java): add support for sbt projects using sbt-dependency-lock
     (#6882)
   * feat(java): add support for `maven-metadata.xml` files for remote
     snapshot repositories. (#6950)
   * fix(purl): add missed os types (#6955)
   * fix(cyclonedx): trim non-URL info for `advisory.url` (#6952)
   * fix(c): don't skip conan files from `file-patterns` and scan `.conan2`
     cache dir (#6949)
   * fix(image): parse `image.inspect.Created` field only for non-empty
     values (#6948)
   * fix(misconf): handle source prefix to ignore (#6945)
   * fix(misconf): fix parsing of engine links and frameworks (#6937)
   * feat(misconf): support of selectors for all providers for Rego (#6905)
   * fix(license): return license separation using separators  `,`, `or`,
     etc. (#6916)
   * feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress
     (#6755)
   * BREAKING(misconf): flatten recursive types (#6862)
   * test: bump docker API to 1.45  (#6914)
   * feat(sbom): migrate to `CycloneDX v1.6` (#6903)
   * feat(image): Set User-Agent header for Trivy container registry requests
     (#6868)
   * fix(debian): take installed files from the origin layer (#6849)
   * fix(nodejs): fix infinite loop when package link from
     `package-lock.json` file is broken (#6858)
   * feat(misconf): API Gateway V1 support for CloudFormation (#6874)
   * feat(plugin): add support for nested archives (#6845)
   * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866)
   * fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867)
   * chore: auto label discussions (#5259)
   * docs: explain how VEX is applied (#6864)
   * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml`
     in lowercase (#6852)
   * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)
   * feat(dart): use first version of constraint for dependencies using SDK
     version (#6239)
   * fix(misconf): parsing numbers without fraction as int (#6834)
   * fix(misconf): fix caching of modules in subdirectories (#6814)
   * feat(misconf): add metadata to Cloud schema (#6831)
   * test: replace embedded Git repository with dynamically created
     repository (#6824)

   Update to version 0.52.2:

   * test: bump docker API to 1.45  [backport: release/v0.52] (#6922)
   * fix(debian): take installed files from the origin layer [backport:
     release/v0.52] (#6892)

   Update to version 0.52.1:

   * release: v0.52.1 [release/v0.52] (#6877)
   * fix(nodejs): fix infinite loop when package link from
     `package-lock.json` file is broken [backport: release/v0.52] (#6888)
   * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files
     [backport: release/v0.52] (#6881)
   * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml`
     in lowercase [backport: release/v0.52] (#6878)
   * docs: explain how VEX is applied (#6864)
   * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)

   Update to version 0.52.0 (bsc#1224781, CVE-2024-35192):

   * release: v0.52.0 [main] (#6809)
   * fix(plugin): initialize logger (#6836)
   * fix(cli): always output fatal errors to stderr (#6827)
   * fix: close testfile (#6830)
   * docs(julia): add scanner table (#6826)
   * feat(python): add license support for `requirement.txt` files (#6782)
   * docs: add more workarounds for out-of-disk (#6821)
   * chore: improve error message for image not found (#6822)
   * fix(sbom): fix panic for `convert` mode when scanning json file derived
     from sbom file (#6808)
   * fix: clean up golangci lint configuration (#6797)
   * fix(python): add package name and version validation for
     `requirements.txt` files. (#6804)
   * feat(vex): improve relationship support in CSAF VEX (#6735)
   * chore(alpine): add eol date for Alpine 3.20 (#6800)
   * docs(plugin): add missed `plugin` section (#6799)
   * fix: include packages unless it is not needed (#6765)
   * feat(misconf): support for VPC resources for inbound/outbound rules
     (#6779)
   * chore: replace interface{} with any (#6751)
   * fix: close settings.xml (#6768)
   * refactor(go): add priority for gobinary module versions from `ldflags`
     (#6745)
   * build: use main package instead of main.go (#6766)
   * feat(misconf): resolve tf module from OpenTofu compatible registry
     (#6743)
   * docs: add info on adding compliance checks (#6275)
   * docs: Add documentation for contributing additional checks to the trivy
     policies repo (#6234)
   * feat(nodejs): add v9 pnpm lock file support (#6617)
   * feat(vex): support non-root components for products in OpenVEX (#6728)
   * feat(python): add line number support for `requirement.txt` files (#6729)
   * chore: respect timeout value in .golangci.yaml (#6724)
   * fix: node-collector high and critical cves (#6707)
   * Merge pull request from GHSA-xcq4-m2r3-cmrj
   * chore: auto-bump golang patch versions (#6711)
   * fix(misconf): don't shift ignore rule related to code (#6708)
   * feat(plugin): specify plugin version (#6683)
   * chore: enforce golangci-lint version (#6700)
   * fix(go): include only `.version`|`.ver` (no prefixes) ldflags for
     `gobinaries` (#6705)
   * fix(go): add only non-empty root modules for `gobinaries` (#6710)
   * refactor: unify package addition and vulnerability scanning (#6579)
   * fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
   * feat(misconf): Add support for deprecating a check (#6664)
   * feat: Add Julia language analyzer support (#5635)
   * feat(misconf): register builtin Rego funcs from trivy-checks (#6616)
   * fix(report): hide empty tables if all vulns has been filtered (#6352)
   * feat(report): Include licenses and secrets filtered by rego to
     ModifiedFindings (#6483)
   * feat: add support for plugin index (#6674)
   * docs: add support table for client server mode (#6498)
   * fix: close APKINDEX archive file (#6672)
   * fix(misconf): skip Rego errors with a nil location (#6666)
   * refactor: move artifact types under artifact package to avoid import
     cycles (#6652)
   * refactor(misconf): remove extrafs (#6656)
   * refactor: re-define module structs for serialization (#6655)
   * chore(misconf): Clean up iac logger (#6642)
   * feat(misconf): support symlinks inside of Helm archives (#6621)
   * feat(misconf): add Terraform 'removed' block to schema (#6640)
   * refactor: unify Library and Package structs (#6633)
   * fix: use of specified context to obtain cluster name (#6645)
   * perf(misconf): parse rego input once (#6615)
   * fix(misconf): skip Rego errors with a nil location (#6638)
   * docs: link warning to both timeout config options (#6620)
   * docs: fix usage of image-config-scanners (#6635)

   Update to version 0.51.1:

   * fix(fs): handle default skip dirs properly (#6628)
   * fix(misconf): load cached tf modules (#6607)
   * fix(misconf): do not use semver for parsing tf module versions (#6614)
   * refactor: move setting scanners when using compliance reports to flag
     parsing (#6619)
   * feat: introduce package UIDs for improved vulnerability mapping (#6583)
   * perf(misconf): Improve cause performance (#6586)
   * docs: trivy-k8s new experiance remove un-used section (#6608)
   * docs: remove mention of GitLab Gold because it doesn't exist anymore
     (#6609)
   * feat(misconf): Use updated terminology for misconfiguration checks
     (#6476)
   * docs: use `generic` link from `trivy-repo` (#6606)
   * docs: update trivy k8s with new experience (#6465)
   * feat: support `--skip-images` scanning flag (#6334)
   * BREAKING: add support for k8s `disable-node-collector` flag (#6311)
   * feat: add ubuntu 23.10 and 24.04 support (#6573)
   * docs(go): add stdlib (#6580)
   * feat(go): parse main mod version from build info settings (#6564)
   * feat: respect custom exit code from plugin (#6584)
   * docs: add asdf and mise installation method (#6063)
   * feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
   * feat: add support `environment.yaml` files (#6569)
   * fix: close plugin.yaml (#6577)
   * fix: trivy k8s avoid deleting non-default node collector namespace
     (#6559)
   * BREAKING: support exclude `kinds/namespaces` and include
     `kinds/namespaces` (#6323)
   * feat(go): add main module (#6574)
   * feat: add relationships (#6563)
   * docs: mention `--show-suppressed` is available in table (#6571)
   * chore: fix sqlite to support loong64 (#6511)
   * fix(debian): sort dpkg info before parsing due to exclude directories
     (#6551)
   * docs: update info about config file (#6547)
   * docs: remove RELEASE_VERSION from trivy.repo (#6546)
   * fix(sbom): change error to warning for multiple OSes (#6541)
   * fix(vuln): skip empty versions (#6542)
   * feat(c): add license support for conan lock files (#6329)
   * fix(terraform): Attribute and fileset fixes (#6544)
   * refactor: change warning if no vulnerability details are found (#6230)
   * refactor(misconf): improve error handling in the Rego scanner (#6527)
   * feat(go): parse main module of go binary files (#6530)
   * refactor(misconf): simplify the retrieval of module annotations (#6528)
   * docs(nodejs): add info about supported versions of pnpm lock files
     (#6510)
   * feat(misconf): loading embedded checks as a fallback (#6502)
   * fix(misconf): Parse JSON k8s manifests properly (#6490)
   * refactor: remove parallel walk (#5180)
   * fix: close pom.xml (#6507)
   * fix(secret): convert severity for custom rules (#6500)
   * fix(java): update logic to detect `pom.xml` file snapshot artifacts from
     remote repositories (#6412)
   * fix: typo (#6283)
   * docs(k8s,image): fix command-line syntax issues (#6403)
   * fix(misconf): avoid panic if the scheme is not valid (#6496)
   * feat(image): goversion as stdlib (#6277)
   * fix: add color for error inside of log message (#6493)
   * docs: fix links to OPA docs (#6480)
   * refactor: replace zap with slog (#6466)
   * docs: update links to IaC schemas (#6477)
   * chore: bump Go to 1.22 (#6075)
   * refactor(terraform): sync funcs with Terraform (#6415)
   * feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
   * fix(terraform): eval submodules (#6411)
   * refactor(terraform): remove unused options (#6446)
   * refactor(terraform): remove unused file (#6445)
   * fix(misconf): Escape template value correctly (#6292)
   * feat(misconf): add support for wildcard ignores (#6414)
   * fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue
     (#6439)
   * refactor(terraform): remove metrics collection (#6444)
   * feat(cloudformation): add support for logging and endpoint access for
     EKS (#6440)
   * fix(db): check schema version for image name only (#6410)
   * feat(misconf): Support private registries for misconf check bundle
     (#6327)
   * feat(cloudformation): inline ignore support for YAML templates (#6358)
   * feat(terraform): ignore resources by nested attributes (#6302)
   * perf(helm): load in-memory files (#6383)
   * feat(aws): apply filter options to result (#6367)
   * feat(aws): quiet flag support (#6331)
   * fix(misconf): clear location URI for SARIF (#6405)
   * test(cloudformation): add CF tests (#6315)
   * fix(cloudformation): infer type after resolving a function (#6406)
   * fix(sbom): fix error when parent of SPDX Relationships is not a package.
     (#6399)
   * docs: add info about support for package license detection in
     `fs`/`repo` modes (#6381)
   * fix(nodejs): add support for parsing `workspaces` from `package.json` as
     an object (#6231)
   * fix: use `0600` perms for tmp files for post analyzers (#6386)
   * fix(helm): scan the subcharts once (#6382)
   * docs(terraform): add file patterns for Terraform Plan (#6393)
   * fix(terraform): сhecking SSE encryption algorithm validity (#6341)
   * fix(java): parse modules from `pom.xml` files once (#6312)
   * fix(server): add Locations for `Packages` in client/server mode (#6366)
   * fix(sbom): add check for `CreationInfo` to nil when detecting SPDX
     created using Trivy (#6346)
   * fix(report): don't include empty strings in
     `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
   * chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)
   * feat(java): add support licenses and graph for gradle lock files (#6140)
   * feat(vex): consider root component for relationships (#6313)
   * fix: increase the default buffer size for scanning dpkg status files by
     2 times (#6298)
   * chore: updates wazero to v1.7.0 (#6301)
   * feat(sbom): Support license detection for SBOM scan (#6072)
   * refactor(sbom): use intermediate representation for SPDX (#6310)
   * docs(terraform): improve documentation for filtering by inline comments
     (#6284)
   * fix(terraform): fix policy document retrieval (#6276)
   * refactor(terraform): remove unused custom error (#6303)
   * refactor(sbom): add intermediate representation for BOM (#6240)
   * fix(amazon): check only major version of AL to find advisories (#6295)
   * fix(db): use schema version as tag only for `trivy-db` and
     `trivy-java-db` registries by default (#6219)
   * fix(nodejs): add name validation for package name from `package.json`
     (#6268)
   * docs: Added install instructions for FreeBSD (#6293)
   * feat(image): customer podman host or socket option (#6256)
   * feat(java): mark dependencies from `maven-invoker-plugin` integration
     tests pom.xml files as `Dev` (#6213)
   * fix(license): reorder logic of how python package licenses are acquired
     (#6220)
   * test(terraform): skip cached modules (#6281)
   * feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
   * fix(cloudformation): support of all SSE algorithms for s3 (#6270)
   * feat(terraform): Terraform Plan snapshot scanning support (#6176)
   * fix: typo function name and comment optimization (#6200)
   * fix(java): don't ignore runtime scope for pom.xml files (#6223)
   * fix(license): add FilePath to results to allow for license path
     filtering via trivyignore file (#6215)
   * test(k8s): use test-db for k8s integration tests (#6222)
   * fix(terraform): fix root module search (#6160)
   * test(parser): squash test data for yarn (#6203)
   * fix(terraform): do not re-expand dynamic blocks (#6151)
   * docs: update ecosystem page reporting with db app (#6201)
   * fix: k8s summary separate infra and user finding results (#6120)
   * fix: add context to target finding on k8s table view (#6099)
   * fix: Printf format err (#6198)
   * refactor: better integration of the parser into Trivy (#6183)
   * feat(terraform): Add hyphen and non-ASCII support for domain names in
     credential extraction (#6108)
   * fix(vex): CSAF filtering should consider relationships (#5923)
   * refactor(report): Replacing `source_location` in `github` report when
     scanning an image (#5999)
   * feat(vuln): ignore vulnerabilities by PURL (#6178)
   * feat(java): add support for fetching packages from repos mentioned in
     pom.xml (#6171)
   * feat(k8s): rancher rke2 version support (#5988)
   * docs: update kbom distribution for scanning (#6019)
   * chore: update CODEOWNERS (#6173)
   * fix(swift): try to use branch to resolve version (#6168)
   * fix(terraform): ensure consistent path handling across OS (#6161)
   * fix(java): add only valid libs from `pom.properties` files from `jars`
     (#6164)
   * fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM
     source (#6163)
   * docs(report): add remark about `path` to filter licenses using
     `.trivyignore.yaml` file (#6145)
   * docs: update template path for gitlab-ci tutorial (#6144)
   * feat(report): support for filtering licenses and secrets via rego policy
     files (#6004)
   * fix(cyclonedx): move root component from scanned cyclonedx file to
     output cyclonedx file (#6113)
   * docs: add SecObserve in CI/CD and reporting (#6139)
   * fix(alpine): exclude empty licenses for apk packages (#6130)
   * docs: add docs tutorial on custom policies with rego (#6104)
   * fix(nodejs): use project dir when searching for workspaces for Yarn.lock
     files (#6102)
   * feat(vuln): show suppressed vulnerabilities in table (#6084)
   * docs: rename governance to principles (#6107)
   * docs: add governance (#6090)
   * feat(java): add dependency location support for `gradle` files (#6083)
   * fix(misconf): get `user` from `Config.User` (#6070)

   Update to version 0.49.1:

   * fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
   * docs: Fix broken link to "pronunciation" (#6057)
   * fix: fix cursor usage in Redis Clear function (#6056)
   * fix(nodejs): add local packages support for `pnpm-lock.yaml` files
     (#6034)
   * test: fix flaky `TestDockerEngine` (#6054)
   * fix(java): recursive check all nested depManagements with import scope
     for pom.xml files (#5982)
   * fix(cli): inconsistent behavior across CLI flags, environment variables,
     and config files (#5843)
   * feat(rust): Support workspace.members parsing for Cargo.toml analysis
     (#5285)
   * docs: add note about Bun (#6001)
   * fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011)
   * fix: check returned error before deferring f.Close() (#6007)
   * feat(misconf): add support of buildkit instructions when building
     dockerfile from image config (#5990)
   * feat(vuln): enable `--vex` for all targets (#5992)
   * docs: update link to data sources (#6000)
   * feat(java): add support for line numbers for pom.xml files (#5991)
   * refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981)
   * docs: Update troubleshooting guide with image not found error (#5983)
   * style: update band logos (#5968)
   * docs: update cosign tutorial and commands, update kyverno policy (#5929)
   * docs: update command to scan go binary (#5969)
   * fix: handle non-parsable images names (#5965)
   * fix(amazon): save system files for pkgs containing `amzn` in src (#5951)
   * fix(alpine): Add EOL support for alpine 3.19. (#5938)
   * feat: allow end-users to adjust K8S client QPS and burst (#5910)
   * fix(nodejs): find licenses for packages with slash (#5836)
   * fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX
     reports (#5922)
   * fix: ignore no init containers (#5939)
   * docs: Fix documentation of ecosystem (#5940)
   * docs(misconf): multiple ignores in comment (#5926)
   * fix(secret): find aws secrets ending with a comma or dot (#5921)
   * docs: ✨ Updated ecosystem docs with reference to new community app
     (#5918)
   * fix(java): check if a version exists when determining GAV by file name
     for `jar` files (#5630)
   * feat(vex): add PURL matching for CSAF VEX (#5890)
   * fix(secret): `AWS Secret Access Key` must include only secrets with
     `aws` text. (#5901)
   * revert(report): don't escape new line characters for sarif format (#5897)
   * docs: improve filter by rego (#5402)
   * docs: add_scan2html_to_trivy_ecosystem (#5875)
   * fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit
     mode (#5888)
   * feat(vex): Add support for CSAF format (#5535)
   * feat(python): parse licenses from dist-info folder (#4724)
   * feat(nodejs): add yarn alias support (#5818)
   * refactor: propagate time through context values (#5858)
   * refactor: move PkgRef under PkgIdentifier (#5831)
   * fix(cyclonedx): fix unmarshal for licenses (#5828)
   * feat(vuln): include pkg identifier on detected vulnerabilities (#5439)

   Update to version 0.48.1:

   * fix(bitnami): use a different comparer for detecting vulnerabilities
     (#5633)
   * refactor(sbom): disable html escaping for CycloneDX (#5764)
   * refactor(purl): use `pub` from `package-url` (#5784)
   * docs(python): add note to using `pip freeze` for `compatible releases`
     (#5760)
   * fix(report): use OS information for OS packages purl in `github`
     template (#5783)
   * fix(report): fix error if miconfigs are empty (#5782)
   * refactor(vuln): don't remove VendorSeverity in JSON report (#5761)
   * fix(report): don't mark misconfig passed tests as failed in junit.tpl
     (#5767)
   * docs(k8s): replace --scanners config with --scanners misconfig in docs
     (#5746)
   * fix(report): update Gitlab template (#5721)
   * feat(secret): add support of GitHub fine-grained tokens (#5740)
   * fix(misconf): add an image misconf to result (#5731)
   * feat(secret): added support of Docker registry credentials (#5720)

   Update to version 0.48.0:

   * feat: filter k8s core components vuln results (#5713)
   * feat(vuln): remove duplicates in Fixed Version (#5596)
   * feat(report): output plugin (#4863)
   * docs: typo in modules.md (#5712)
   * feat: Add flag to configure node-collector image ref (#5710)
   * feat(misconf): Add `--misconfig-scanners` option (#5670)
   * chore: bump Go to 1.21 (#5662)
   * feat: Packagesprops support (#5605)
   * docs: update adopters discussion template (#5632)
   * docs: terraform tutorial links updated to point to correct loc (#5661)
   * fix(secret): add `sec` and space to secret prefix for
     `aws-secret-access-key` (#5647)
   * fix(nodejs): support protocols for dependency section in yarn.lock files
     (#5612)
   * fix(secret): exclude upper case before secret for
     `alibaba-access-key-id` (#5618)
   * docs: Update Arch Linux package URL in installation.md (#5619)
   * chore: add prefix to image errors (#5601)
   * docs(vuln): fix link anchor (#5606)
   * docs: Add Dagger integration section and cleanup Ecosystem CICD docs
     page (#5608)
   * fix: k8s friendly error messages kbom non cluster scans (#5594)
   * feat: set InstalledFiles for DEB and RPM packages (#5488)
   * fix(report): use time.Time for CreatedAt (#5598)
   * test: retry containerd initialization (#5597)
   * feat(misconf): Expose misconf engine debug logs with `--debug` option
     (#5550)
   * test: mock VM walker (#5589)
   * chore: bump node-collector v0.0.9 (#5591)
   * feat(misconf): Add support for `--cf-params` for CFT (#5507)
   * feat(flag): replace '--slow' with '--parallel' (#5572)
   * fix(report): add escaping for Sarif format (#5568)
   * chore: show a deprecation notice for `--scanners config` (#5587)
   * feat(report): Add CreatedAt to the JSON report. (#5542) (#5549)
   * test: mock RPM DB (#5567)
   * feat: add aliases to '--scanners' (#5558)
   * refactor: reintroduce output writer (#5564)
   * chore: not load plugins for auto-generating docs (#5569)
   * chore: sort supported AWS services (#5570)
   * fix: no schedule toleration (#5562)
   * fix(cli): set correct `scanners` for `k8s` target (#5561)
   * fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for
     SPDX (#5533)
   * refactor(misconf): Update refactored dependencies (#5245)
   * feat(secret): add built-in rule for JWT tokens (#5480)
   * fix: trivy k8s parse ecr image with arn (#5537)
   * fix: fail k8s resource scanning (#5529)
   * refactor(misconf): don't remove Highlighted in json format (#5531)
   * docs(k8s): fix link in kubernetes.md (#5524)
   * docs(k8s): fix whitespace in list syntax (#5525)

   Update to version 0.47.0:

   * docs: add info that license scanning supports file-patterns flag (#5484)
   * docs: add Zora integration into Ecosystem session (#5490)
   * fix(sbom): Use UUID as BomRef for packages with empty purl (#5448)
   * fix: correct error mismatch causing race in fast walks (#5516)
   * docs: k8s vulnerability scanning (#5515)
   * docs: remove glad for java datasources (#5508)
   * chore: remove unused logger attribute in amazon detector (#5476)
   * fix: correct error mismatch causing race in fast walks (#5482)
   * fix(server): add licenses to `BlobInfo` message (#5382)
   * feat: scan vulns on k8s core component apps (#5418)
   * fix(java): fix infinite loop when `relativePath` field points to
     `pom.xml` being scanned (#5470)
   * fix(sbom): save digests for package/application when scanning SBOM files
     (#5432)
   * docs: fix the broken link (#5454)
   * docs: fix error when installing `PyYAML` for gh pages (#5462)
   * fix(java): download java-db once (#5442)
   * docs(misconf): Update `--tf-exclude-downloaded-modules` description
     (#5419)
   * feat(misconf): Support `--ignore-policy` in config scans (#5359)
   * docs(misconf): fix broken table for `Use container image` section (#5425)
   * feat(dart): add graph support (#5374)
   * refactor: define a new struct for scan targets (#5397)
   * fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX
     (#5399)
   * fix: correct invalid MD5 hashes for rpms ending with one or more zero
     bytes (#5393)
   * docs: remove --scanners none (#5384)
   * docs: Update container_image.md #5182 (#5193)
   * feat(report): Add `InstalledFiles` field to Package (#4706)
   * feat(k8s): add support for vulnerability detection (#5268)
   * fix(python): override BOM in `requirements.txt` files (#5375)
   * docs: add kbom documentation (#5363)
   * test: use maximize build space for VM tests (#5362)
   * fix(report): add escaping quotes in misconfig Title for asff template
     (#5351)
   * fix: Report error when os.CreateTemp fails (to be consistent with other
     uses) (#5342)
   * fix: add config files to FS for post-analyzers (#5333)
   * fix: fix MIME warnings after updating to Go 1.20 (#5336)
   * build: fix a compile error with Go 1.21 (#5339)
   * feat: added `Metadata` into the k8s resource's scan report (#5322)
   * chore: update adopters template (#5330)
   * fix(sbom): use PURL or Group and Name in case of Java  (#5154)
   * docs: add buildkite repository to ecosystem page (#5316)
   * chore: enable go-critic (#5302)
   * close java-db client (#5273)
   * fix(report): removes git::http from uri in sarif (#5244)
   * Improve the meaning of  sentence (#5301)
   * add app nil check (#5274)
   * typo: in secret.md (#5281)
   * docs: add info about `github` format (#5265)
   * feat(dotnet): add license support for NuGet (#5217)
   * docs: correctly export variables (#5260)
   * chore: Add line numbers for lint output (#5247)
   * chore(cli): disable java-db flags in server mode (#5263)
   * feat(db): allow passing registry options (#5226)
   * refactor(purl): use TypeApk from purl (#5232)
   * chore: enable more linters (#5228)
   * Fix typo on ide.md (#5239)
   * refactor: use defined types (#5225)
   * fix(purl): skip local Go packages (#5190)
   * docs: update info about license scanning in Yarn projects (#5207)
   * fix link (#5203)
   * fix(purl): handle rust types (#5186)
   * chore: auto-close issues (#5177)
   * fix(k8s): kbom support addons labels (#5178)
   * test: validate SPDX with the JSON schema (#5124)
   * chore: bump trivy-kubernetes-latest (#5161)
   * docs: add 'Signature Verification' guide (#4731)
   * docs: add image-scanner-with-trivy for ecosystem (#5159)
   * fix(fs): assign the absolute path to be inspected to ROOTPATH when
     filesystem (#5158)
   * Update filtering.md (#5131)
   * chaging adopters discussion tempalte (#5091)
   * docs: add Bitnami (#5078)
   * feat(docker): add support for scanning Bitnami components (#5062)
   * feat: add support for .trivyignore.yaml (#5070)
   * fix(terraform): improve detection of terraform files (#4984)
   * feat: filter artifacts on --exclude-owned flag (#5059)
   * fix(sbom): cyclonedx advisory should omit `null` value (#5041)
   * build: maximize build space for build tests (#5072)
   * feat: improve kbom component name (#5058)
   * fix(pom): add licenses for pom artifacts (#5071)
   * chore: bump Go to `1.20` (#5067)
   * feat: PURL matching with qualifiers in OpenVEX (#5061)
   * feat(java): add graph support for pom.xml (#4902)
   * feat(swift): add vulns for cocoapods (#5037)
   * fix: support image pull secret for additional workloads (#5052)
   * fix: #5033 Superfluous double quote in html.tpl (#5036)
   * docs(repo): update trivy repo usage and example (#5049)
   * perf: Optimize Dockerfile for reduced layers and size (#5038)
   * feat: scan K8s Resources Kind with --all-namespaces (#5043)
   * fix: vulnerability typo (#5044)
   * docs: adding a terraform tutorial to the docs (#3708)
   * feat(report): add licenses to sarif format (#4866)
   * feat(misconf): show the resource name in the report (#4806)
   * chore: update alpine base images (#5015)
   * feat: add Package.resolved swift files support (#4932)
   * feat(nodejs): parse licenses in yarn projects (#4652)
   * fix: k8s private registries support (#5021)
   * bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0
     (#5018)
   * feat(vuln): support last_affected field from osv (#4944)
   * feat(server): add version endpoint (#4869)
   * feat: k8s private registries support (#4987)
   * fix(server): add indirect prop to package (#4974)
   * docs: add coverage (#4954)
   * feat(c): add location for lock file dependencies. (#4994)
   * docs: adding blog post on ec2 (#4813)
   * revert 32bit bins (#4977)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP6:

      zypper in -t patch openSUSE-2024-269=1



Package List:

   - openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64):

      trivy-0.54.1-bp156.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2023-42363.html
   https://www.suse.com/security/cve/CVE-2024-35192.html
   https://www.suse.com/security/cve/CVE-2024-6257.html
   https://bugzilla.suse.com/1224781
   https://bugzilla.suse.com/1227022

openSUSE: 2024:0269-1 moderate: trivy Advisory Security Update

August 30, 2024
An update that fixes three vulnerabilities is now available

Description

trivy was updated to fix the following issues: Update to version 0.54.1: * fix(flag): incorrect behavior for deprected flag `--clear-cache` [backport: release/v0.54] (#7285) * fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283) * fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279) * release: v0.54.0 [main] (#7075) * docs: update ecosystem page reporting with plopsec.com app (#7262) * feat(vex): retrieve VEX attestations from OCI registries (#7249) * feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257) * refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259) * fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110) * chore: show VEX notice for OSS maintainers in CI environments (#7246) * feat(vuln): add `--pkg-relationships` (#7237) * docs: show VEX cli pages + update config file page for VEX flags (#7244) * fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194) * feat(vex): VEX Repository support (#7206) * fix(secret): skip regular strings contain secret patterns (#7182) * feat: share build-in rules (#7207) * fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171) * fix(cli): error on missing config file (#7154) * fix(secret): update length of `hugging-face-access-token` (#7216) * feat(sbom): add vulnerability support for SPDX formats (#7213) * fix(secret): trim excessively long lines (#7192) * chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201) * fix(server): pass license categories to options (#7203) * feat(mariner): Add support for Azure Linux (#7186) * docs: updates config file (#7188) * refactor(fs): remove unused field for CompositeFS (#7195) * fix: add missing platform and type to spec (#7149) * feat(misconf): enabled China configuration for ACRs (#7156) * fix: close file when failed to open gzip (#7164) * docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141) * docs(misconf): add info about limitations for terraform plan json (#7143) * chore: add VEX for Trivy images (#7140) * chore: add VEX document and generator for Trivy (#7128) * fix(misconf): do not evaluate TF when a load error occurs (#7109) * feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104) * refactor(secret): move warning about file size after `IsBinary` check (#7123) * feat: add openSUSE tumbleweed detection and scanning (#6965) * test: add missing advisory details for integration tests database (#7122) * fix: Add dependencyManagement exclusions to the child exclusions (#6969) * fix: ignore nodes when listing permission is not allowed (#7107) * fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088) * refactor(secret): add warning about large files (#7085) * feat(nodejs): add license parser to pnpm analyser (#7036) * refactor(sbom): add sbom prefix + filepaths for decode log messages (#7074) * feat: add `log.FilePath()` function for logger (#7080) * chore: bump golangci-lint from v1.58 to v1.59 (#7077) * perf(debian): use `bytes.Index` in `emptyLineSplit` to cut allocation (#7065) * refactor: pass DB dir to trivy-db (#7057) * docs: navigate to the release highlights and summary (#7072) Update to version 0.53.0 (bsc#1227022, CVE-2024-6257): * release: v0.53.0 [main] (#6855) * feat(conda): add licenses support for `environment.yml` files (#6953) * fix(sbom): fix panic when scanning SBOM file without root component into SBOM format (#7051) * feat: add memory cache backend (#7048) * fix(sbom): use package UIDs for uniqueness (#7042) * feat(php): add installed.json file support (#4865) * docs: ✨ Updated ecosystem docs with reference to new community app (#7041) * fix: use embedded when command path not found (#7037) * refactor: use google/wire for cache (#7024) * fix(cli): show info message only when --scanners is available (#7032) * chore: enable float-compare rule from testifylint (#6967) * docs: Add sudo on commands, chmod before mv on install docs (#7009) * fix(plugin): respect `--insecure` (#7022) * feat(k8s)!: node-collector dynamic commands support (#6861) * fix(sbom): take pkg name from `purl` for maven pkgs (#7008) * feat!: add clean subcommand (#6993) * chore: use `!` for breaking changes (#6994) * feat(aws)!: Remove aws subcommand (#6995) * refactor: replace global cache directory with parameter passing (#6986) * fix(sbom): use `purl` for `bitnami` pkg names (#6982) * chore: bump Go toolchain version (#6984) * refactor: unify cache implementations (#6977) * docs: non-packaged and sbom clarifications (#6975) * BREAKING(aws): Deprecate `trivy aws` as subcmd in favour of a plugin (#6819) * docs: delete unknown URL (#6972) * refactor: use version-specific URLs for documentation references (#6966) * refactor: delete db mock (#6940) * refactor: add warning if severity not from vendor (or NVD or GH) is used (#6726) * feat: Add local ImageID to SARIF metadata (#6522) * fix(suse): Add SLES 15.6 and Leap 15.6 (#6964) * feat(java): add support for sbt projects using sbt-dependency-lock (#6882) * feat(java): add support for `maven-metadata.xml` files for remote snapshot repositories. (#6950) * fix(purl): add missed os types (#6955) * fix(cyclonedx): trim non-URL info for `advisory.url` (#6952) * fix(c): don't skip conan files from `file-patterns` and scan `.conan2` cache dir (#6949) * fix(image): parse `image.inspect.Created` field only for non-empty values (#6948) * fix(misconf): handle source prefix to ignore (#6945) * fix(misconf): fix parsing of engine links and frameworks (#6937) * feat(misconf): support of selectors for all providers for Rego (#6905) * fix(license): return license separation using separators `,`, `or`, etc. (#6916) * feat(misconf): add support for AWS::EC2::SecurityGroupIngress/Egress (#6755) * BREAKING(misconf): flatten recursive types (#6862) * test: bump docker API to 1.45 (#6914) * feat(sbom): migrate to `CycloneDX v1.6` (#6903) * feat(image): Set User-Agent header for Trivy container registry requests (#6868) * fix(debian): take installed files from the origin layer (#6849) * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken (#6858) * feat(misconf): API Gateway V1 support for CloudFormation (#6874) * feat(plugin): add support for nested archives (#6845) * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files (#6866) * fix(secret): `Asymmetric Private Key` shouldn't start with space (#6867) * chore: auto label discussions (#5259) * docs: explain how VEX is applied (#6864) * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase (#6852) * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857) * feat(dart): use first version of constraint for dependencies using SDK version (#6239) * fix(misconf): parsing numbers without fraction as int (#6834) * fix(misconf): fix caching of modules in subdirectories (#6814) * feat(misconf): add metadata to Cloud schema (#6831) * test: replace embedded Git repository with dynamically created repository (#6824) Update to version 0.52.2: * test: bump docker API to 1.45 [backport: release/v0.52] (#6922) * fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892) Update to version 0.52.1: * release: v0.52.1 [release/v0.52] (#6877) * fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888) * fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881) * fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878) * docs: explain how VEX is applied (#6864) * fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857) Update to version 0.52.0 (bsc#1224781, CVE-2024-35192): * release: v0.52.0 [main] (#6809) * fix(plugin): initialize logger (#6836) * fix(cli): always output fatal errors to stderr (#6827) * fix: close testfile (#6830) * docs(julia): add scanner table (#6826) * feat(python): add license support for `requirement.txt` files (#6782) * docs: add more workarounds for out-of-disk (#6821) * chore: improve error message for image not found (#6822) * fix(sbom): fix panic for `convert` mode when scanning json file derived from sbom file (#6808) * fix: clean up golangci lint configuration (#6797) * fix(python): add package name and version validation for `requirements.txt` files. (#6804) * feat(vex): improve relationship support in CSAF VEX (#6735) * chore(alpine): add eol date for Alpine 3.20 (#6800) * docs(plugin): add missed `plugin` section (#6799) * fix: include packages unless it is not needed (#6765) * feat(misconf): support for VPC resources for inbound/outbound rules (#6779) * chore: replace interface{} with any (#6751) * fix: close settings.xml (#6768) * refactor(go): add priority for gobinary module versions from `ldflags` (#6745) * build: use main package instead of main.go (#6766) * feat(misconf): resolve tf module from OpenTofu compatible registry (#6743) * docs: add info on adding compliance checks (#6275) * docs: Add documentation for contributing additional checks to the trivy policies repo (#6234) * feat(nodejs): add v9 pnpm lock file support (#6617) * feat(vex): support non-root components for products in OpenVEX (#6728) * feat(python): add line number support for `requirement.txt` files (#6729) * chore: respect timeout value in .golangci.yaml (#6724) * fix: node-collector high and critical cves (#6707) * Merge pull request from GHSA-xcq4-m2r3-cmrj * chore: auto-bump golang patch versions (#6711) * fix(misconf): don't shift ignore rule related to code (#6708) * feat(plugin): specify plugin version (#6683) * chore: enforce golangci-lint version (#6700) * fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705) * fix(go): add only non-empty root modules for `gobinaries` (#6710) * refactor: unify package addition and vulnerability scanning (#6579) * fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696) * feat(misconf): Add support for deprecating a check (#6664) * feat: Add Julia language analyzer support (#5635) * feat(misconf): register builtin Rego funcs from trivy-checks (#6616) * fix(report): hide empty tables if all vulns has been filtered (#6352) * feat(report): Include licenses and secrets filtered by rego to ModifiedFindings (#6483) * feat: add support for plugin index (#6674) * docs: add support table for client server mode (#6498) * fix: close APKINDEX archive file (#6672) * fix(misconf): skip Rego errors with a nil location (#6666) * refactor: move artifact types under artifact package to avoid import cycles (#6652) * refactor(misconf): remove extrafs (#6656) * refactor: re-define module structs for serialization (#6655) * chore(misconf): Clean up iac logger (#6642) * feat(misconf): support symlinks inside of Helm archives (#6621) * feat(misconf): add Terraform 'removed' block to schema (#6640) * refactor: unify Library and Package structs (#6633) * fix: use of specified context to obtain cluster name (#6645) * perf(misconf): parse rego input once (#6615) * fix(misconf): skip Rego errors with a nil location (#6638) * docs: link warning to both timeout config options (#6620) * docs: fix usage of image-config-scanners (#6635) Update to version 0.51.1: * fix(fs): handle default skip dirs properly (#6628) * fix(misconf): load cached tf modules (#6607) * fix(misconf): do not use semver for parsing tf module versions (#6614) * refactor: move setting scanners when using compliance reports to flag parsing (#6619) * feat: introduce package UIDs for improved vulnerability mapping (#6583) * perf(misconf): Improve cause performance (#6586) * docs: trivy-k8s new experiance remove un-used section (#6608) * docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609) * feat(misconf): Use updated terminology for misconfiguration checks (#6476) * docs: use `generic` link from `trivy-repo` (#6606) * docs: update trivy k8s with new experience (#6465) * feat: support `--skip-images` scanning flag (#6334) * BREAKING: add support for k8s `disable-node-collector` flag (#6311) * feat: add ubuntu 23.10 and 24.04 support (#6573) * docs(go): add stdlib (#6580) * feat(go): parse main mod version from build info settings (#6564) * feat: respect custom exit code from plugin (#6584) * docs: add asdf and mise installation method (#6063) * feat(vuln): Handle scanning conan v2.x lockfiles (#6357) * feat: add support `environment.yaml` files (#6569) * fix: close plugin.yaml (#6577) * fix: trivy k8s avoid deleting non-default node collector namespace (#6559) * BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323) * feat(go): add main module (#6574) * feat: add relationships (#6563) * docs: mention `--show-suppressed` is available in table (#6571) * chore: fix sqlite to support loong64 (#6511) * fix(debian): sort dpkg info before parsing due to exclude directories (#6551) * docs: update info about config file (#6547) * docs: remove RELEASE_VERSION from trivy.repo (#6546) * fix(sbom): change error to warning for multiple OSes (#6541) * fix(vuln): skip empty versions (#6542) * feat(c): add license support for conan lock files (#6329) * fix(terraform): Attribute and fileset fixes (#6544) * refactor: change warning if no vulnerability details are found (#6230) * refactor(misconf): improve error handling in the Rego scanner (#6527) * feat(go): parse main module of go binary files (#6530) * refactor(misconf): simplify the retrieval of module annotations (#6528) * docs(nodejs): add info about supported versions of pnpm lock files (#6510) * feat(misconf): loading embedded checks as a fallback (#6502) * fix(misconf): Parse JSON k8s manifests properly (#6490) * refactor: remove parallel walk (#5180) * fix: close pom.xml (#6507) * fix(secret): convert severity for custom rules (#6500) * fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412) * fix: typo (#6283) * docs(k8s,image): fix command-line syntax issues (#6403) * fix(misconf): avoid panic if the scheme is not valid (#6496) * feat(image): goversion as stdlib (#6277) * fix: add color for error inside of log message (#6493) * docs: fix links to OPA docs (#6480) * refactor: replace zap with slog (#6466) * docs: update links to IaC schemas (#6477) * chore: bump Go to 1.22 (#6075) * refactor(terraform): sync funcs with Terraform (#6415) * feat(misconf): add helm-api-version and helm-kube-version flag (#6332) * fix(terraform): eval submodules (#6411) * refactor(terraform): remove unused options (#6446) * refactor(terraform): remove unused file (#6445) * fix(misconf): Escape template value correctly (#6292) * feat(misconf): add support for wildcard ignores (#6414) * fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439) * refactor(terraform): remove metrics collection (#6444) * feat(cloudformation): add support for logging and endpoint access for EKS (#6440) * fix(db): check schema version for image name only (#6410) * feat(misconf): Support private registries for misconf check bundle (#6327) * feat(cloudformation): inline ignore support for YAML templates (#6358) * feat(terraform): ignore resources by nested attributes (#6302) * perf(helm): load in-memory files (#6383) * feat(aws): apply filter options to result (#6367) * feat(aws): quiet flag support (#6331) * fix(misconf): clear location URI for SARIF (#6405) * test(cloudformation): add CF tests (#6315) * fix(cloudformation): infer type after resolving a function (#6406) * fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399) * docs: add info about support for package license detection in `fs`/`repo` modes (#6381) * fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231) * fix: use `0600` perms for tmp files for post analyzers (#6386) * fix(helm): scan the subcharts once (#6382) * docs(terraform): add file patterns for Terraform Plan (#6393) * fix(terraform): сhecking SSE encryption algorithm validity (#6341) * fix(java): parse modules from `pom.xml` files once (#6312) * fix(server): add Locations for `Packages` in client/server mode (#6366) * fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346) * fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348) * chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371) * feat(java): add support licenses and graph for gradle lock files (#6140) * feat(vex): consider root component for relationships (#6313) * fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298) * chore: updates wazero to v1.7.0 (#6301) * feat(sbom): Support license detection for SBOM scan (#6072) * refactor(sbom): use intermediate representation for SPDX (#6310) * docs(terraform): improve documentation for filtering by inline comments (#6284) * fix(terraform): fix policy document retrieval (#6276) * refactor(terraform): remove unused custom error (#6303) * refactor(sbom): add intermediate representation for BOM (#6240) * fix(amazon): check only major version of AL to find advisories (#6295) * fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219) * fix(nodejs): add name validation for package name from `package.json` (#6268) * docs: Added install instructions for FreeBSD (#6293) * feat(image): customer podman host or socket option (#6256) * feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213) * fix(license): reorder logic of how python package licenses are acquired (#6220) * test(terraform): skip cached modules (#6281) * feat(secret): Support for detecting Hugging Face Access Tokens (#6236) * fix(cloudformation): support of all SSE algorithms for s3 (#6270) * feat(terraform): Terraform Plan snapshot scanning support (#6176) * fix: typo function name and comment optimization (#6200) * fix(java): don't ignore runtime scope for pom.xml files (#6223) * fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215) * test(k8s): use test-db for k8s integration tests (#6222) * fix(terraform): fix root module search (#6160) * test(parser): squash test data for yarn (#6203) * fix(terraform): do not re-expand dynamic blocks (#6151) * docs: update ecosystem page reporting with db app (#6201) * fix: k8s summary separate infra and user finding results (#6120) * fix: add context to target finding on k8s table view (#6099) * fix: Printf format err (#6198) * refactor: better integration of the parser into Trivy (#6183) * feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108) * fix(vex): CSAF filtering should consider relationships (#5923) * refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999) * feat(vuln): ignore vulnerabilities by PURL (#6178) * feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171) * feat(k8s): rancher rke2 version support (#5988) * docs: update kbom distribution for scanning (#6019) * chore: update CODEOWNERS (#6173) * fix(swift): try to use branch to resolve version (#6168) * fix(terraform): ensure consistent path handling across OS (#6161) * fix(java): add only valid libs from `pom.properties` files from `jars` (#6164) * fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163) * docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145) * docs: update template path for gitlab-ci tutorial (#6144) * feat(report): support for filtering licenses and secrets via rego policy files (#6004) * fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113) * docs: add SecObserve in CI/CD and reporting (#6139) * fix(alpine): exclude empty licenses for apk packages (#6130) * docs: add docs tutorial on custom policies with rego (#6104) * fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102) * feat(vuln): show suppressed vulnerabilities in table (#6084) * docs: rename governance to principles (#6107) * docs: add governance (#6090) * feat(java): add dependency location support for `gradle` files (#6083) * fix(misconf): get `user` from `Config.User` (#6070) Update to version 0.49.1: * fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025) * docs: Fix broken link to "pronunciation" (#6057) * fix: fix cursor usage in Redis Clear function (#6056) * fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034) * test: fix flaky `TestDockerEngine` (#6054) * fix(java): recursive check all nested depManagements with import scope for pom.xml files (#5982) * fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#5843) * feat(rust): Support workspace.members parsing for Cargo.toml analysis (#5285) * docs: add note about Bun (#6001) * fix(report): use `AWS_REGION` env for secrets in `asff` template (#6011) * fix: check returned error before deferring f.Close() (#6007) * feat(misconf): add support of buildkit instructions when building dockerfile from image config (#5990) * feat(vuln): enable `--vex` for all targets (#5992) * docs: update link to data sources (#6000) * feat(java): add support for line numbers for pom.xml files (#5991) * refactor(sbom): use new `metadata.tools` struct for CycloneDX (#5981) * docs: Update troubleshooting guide with image not found error (#5983) * style: update band logos (#5968) * docs: update cosign tutorial and commands, update kyverno policy (#5929) * docs: update command to scan go binary (#5969) * fix: handle non-parsable images names (#5965) * fix(amazon): save system files for pkgs containing `amzn` in src (#5951) * fix(alpine): Add EOL support for alpine 3.19. (#5938) * feat: allow end-users to adjust K8S client QPS and burst (#5910) * fix(nodejs): find licenses for packages with slash (#5836) * fix(sbom): use `group` field for pom.xml and nodejs files for CycloneDX reports (#5922) * fix: ignore no init containers (#5939) * docs: Fix documentation of ecosystem (#5940) * docs(misconf): multiple ignores in comment (#5926) * fix(secret): find aws secrets ending with a comma or dot (#5921) * docs: ✨ Updated ecosystem docs with reference to new community app (#5918) * fix(java): check if a version exists when determining GAV by file name for `jar` files (#5630) * feat(vex): add PURL matching for CSAF VEX (#5890) * fix(secret): `AWS Secret Access Key` must include only secrets with `aws` text. (#5901) * revert(report): don't escape new line characters for sarif format (#5897) * docs: improve filter by rego (#5402) * docs: add_scan2html_to_trivy_ecosystem (#5875) * fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#5888) * feat(vex): Add support for CSAF format (#5535) * feat(python): parse licenses from dist-info folder (#4724) * feat(nodejs): add yarn alias support (#5818) * refactor: propagate time through context values (#5858) * refactor: move PkgRef under PkgIdentifier (#5831) * fix(cyclonedx): fix unmarshal for licenses (#5828) * feat(vuln): include pkg identifier on detected vulnerabilities (#5439) Update to version 0.48.1: * fix(bitnami): use a different comparer for detecting vulnerabilities (#5633) * refactor(sbom): disable html escaping for CycloneDX (#5764) * refactor(purl): use `pub` from `package-url` (#5784) * docs(python): add note to using `pip freeze` for `compatible releases` (#5760) * fix(report): use OS information for OS packages purl in `github` template (#5783) * fix(report): fix error if miconfigs are empty (#5782) * refactor(vuln): don't remove VendorSeverity in JSON report (#5761) * fix(report): don't mark misconfig passed tests as failed in junit.tpl (#5767) * docs(k8s): replace --scanners config with --scanners misconfig in docs (#5746) * fix(report): update Gitlab template (#5721) * feat(secret): add support of GitHub fine-grained tokens (#5740) * fix(misconf): add an image misconf to result (#5731) * feat(secret): added support of Docker registry credentials (#5720) Update to version 0.48.0: * feat: filter k8s core components vuln results (#5713) * feat(vuln): remove duplicates in Fixed Version (#5596) * feat(report): output plugin (#4863) * docs: typo in modules.md (#5712) * feat: Add flag to configure node-collector image ref (#5710) * feat(misconf): Add `--misconfig-scanners` option (#5670) * chore: bump Go to 1.21 (#5662) * feat: Packagesprops support (#5605) * docs: update adopters discussion template (#5632) * docs: terraform tutorial links updated to point to correct loc (#5661) * fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647) * fix(nodejs): support protocols for dependency section in yarn.lock files (#5612) * fix(secret): exclude upper case before secret for `alibaba-access-key-id` (#5618) * docs: Update Arch Linux package URL in installation.md (#5619) * chore: add prefix to image errors (#5601) * docs(vuln): fix link anchor (#5606) * docs: Add Dagger integration section and cleanup Ecosystem CICD docs page (#5608) * fix: k8s friendly error messages kbom non cluster scans (#5594) * feat: set InstalledFiles for DEB and RPM packages (#5488) * fix(report): use time.Time for CreatedAt (#5598) * test: retry containerd initialization (#5597) * feat(misconf): Expose misconf engine debug logs with `--debug` option (#5550) * test: mock VM walker (#5589) * chore: bump node-collector v0.0.9 (#5591) * feat(misconf): Add support for `--cf-params` for CFT (#5507) * feat(flag): replace '--slow' with '--parallel' (#5572) * fix(report): add escaping for Sarif format (#5568) * chore: show a deprecation notice for `--scanners config` (#5587) * feat(report): Add CreatedAt to the JSON report. (#5542) (#5549) * test: mock RPM DB (#5567) * feat: add aliases to '--scanners' (#5558) * refactor: reintroduce output writer (#5564) * chore: not load plugins for auto-generating docs (#5569) * chore: sort supported AWS services (#5570) * fix: no schedule toleration (#5562) * fix(cli): set correct `scanners` for `k8s` target (#5561) * fix(sbom): add `FilesAnalyzed` and `PackageVerificationCode` fields for SPDX (#5533) * refactor(misconf): Update refactored dependencies (#5245) * feat(secret): add built-in rule for JWT tokens (#5480) * fix: trivy k8s parse ecr image with arn (#5537) * fix: fail k8s resource scanning (#5529) * refactor(misconf): don't remove Highlighted in json format (#5531) * docs(k8s): fix link in kubernetes.md (#5524) * docs(k8s): fix whitespace in list syntax (#5525) Update to version 0.47.0: * docs: add info that license scanning supports file-patterns flag (#5484) * docs: add Zora integration into Ecosystem session (#5490) * fix(sbom): Use UUID as BomRef for packages with empty purl (#5448) * fix: correct error mismatch causing race in fast walks (#5516) * docs: k8s vulnerability scanning (#5515) * docs: remove glad for java datasources (#5508) * chore: remove unused logger attribute in amazon detector (#5476) * fix: correct error mismatch causing race in fast walks (#5482) * fix(server): add licenses to `BlobInfo` message (#5382) * feat: scan vulns on k8s core component apps (#5418) * fix(java): fix infinite loop when `relativePath` field points to `pom.xml` being scanned (#5470) * fix(sbom): save digests for package/application when scanning SBOM files (#5432) * docs: fix the broken link (#5454) * docs: fix error when installing `PyYAML` for gh pages (#5462) * fix(java): download java-db once (#5442) * docs(misconf): Update `--tf-exclude-downloaded-modules` description (#5419) * feat(misconf): Support `--ignore-policy` in config scans (#5359) * docs(misconf): fix broken table for `Use container image` section (#5425) * feat(dart): add graph support (#5374) * refactor: define a new struct for scan targets (#5397) * fix(sbom): add missed `primaryURL` and `source severity` for CycloneDX (#5399) * fix: correct invalid MD5 hashes for rpms ending with one or more zero bytes (#5393) * docs: remove --scanners none (#5384) * docs: Update container_image.md #5182 (#5193) * feat(report): Add `InstalledFiles` field to Package (#4706) * feat(k8s): add support for vulnerability detection (#5268) * fix(python): override BOM in `requirements.txt` files (#5375) * docs: add kbom documentation (#5363) * test: use maximize build space for VM tests (#5362) * fix(report): add escaping quotes in misconfig Title for asff template (#5351) * fix: Report error when os.CreateTemp fails (to be consistent with other uses) (#5342) * fix: add config files to FS for post-analyzers (#5333) * fix: fix MIME warnings after updating to Go 1.20 (#5336) * build: fix a compile error with Go 1.21 (#5339) * feat: added `Metadata` into the k8s resource's scan report (#5322) * chore: update adopters template (#5330) * fix(sbom): use PURL or Group and Name in case of Java (#5154) * docs: add buildkite repository to ecosystem page (#5316) * chore: enable go-critic (#5302) * close java-db client (#5273) * fix(report): removes git::http from uri in sarif (#5244) * Improve the meaning of sentence (#5301) * add app nil check (#5274) * typo: in secret.md (#5281) * docs: add info about `github` format (#5265) * feat(dotnet): add license support for NuGet (#5217) * docs: correctly export variables (#5260) * chore: Add line numbers for lint output (#5247) * chore(cli): disable java-db flags in server mode (#5263) * feat(db): allow passing registry options (#5226) * refactor(purl): use TypeApk from purl (#5232) * chore: enable more linters (#5228) * Fix typo on ide.md (#5239) * refactor: use defined types (#5225) * fix(purl): skip local Go packages (#5190) * docs: update info about license scanning in Yarn projects (#5207) * fix link (#5203) * fix(purl): handle rust types (#5186) * chore: auto-close issues (#5177) * fix(k8s): kbom support addons labels (#5178) * test: validate SPDX with the JSON schema (#5124) * chore: bump trivy-kubernetes-latest (#5161) * docs: add 'Signature Verification' guide (#4731) * docs: add image-scanner-with-trivy for ecosystem (#5159) * fix(fs): assign the absolute path to be inspected to ROOTPATH when filesystem (#5158) * Update filtering.md (#5131) * chaging adopters discussion tempalte (#5091) * docs: add Bitnami (#5078) * feat(docker): add support for scanning Bitnami components (#5062) * feat: add support for .trivyignore.yaml (#5070) * fix(terraform): improve detection of terraform files (#4984) * feat: filter artifacts on --exclude-owned flag (#5059) * fix(sbom): cyclonedx advisory should omit `null` value (#5041) * build: maximize build space for build tests (#5072) * feat: improve kbom component name (#5058) * fix(pom): add licenses for pom artifacts (#5071) * chore: bump Go to `1.20` (#5067) * feat: PURL matching with qualifiers in OpenVEX (#5061) * feat(java): add graph support for pom.xml (#4902) * feat(swift): add vulns for cocoapods (#5037) * fix: support image pull secret for additional workloads (#5052) * fix: #5033 Superfluous double quote in html.tpl (#5036) * docs(repo): update trivy repo usage and example (#5049) * perf: Optimize Dockerfile for reduced layers and size (#5038) * feat: scan K8s Resources Kind with --all-namespaces (#5043) * fix: vulnerability typo (#5044) * docs: adding a terraform tutorial to the docs (#3708) * feat(report): add licenses to sarif format (#4866) * feat(misconf): show the resource name in the report (#4806) * chore: update alpine base images (#5015) * feat: add Package.resolved swift files support (#4932) * feat(nodejs): parse licenses in yarn projects (#4652) * fix: k8s private registries support (#5021) * bump github.com/testcontainers/testcontainers-go from 0.21.0 to 0.23.0 (#5018) * feat(vuln): support last_affected field from osv (#4944) * feat(server): add version endpoint (#4869) * feat: k8s private registries support (#4987) * fix(server): add indirect prop to package (#4974) * docs: add coverage (#4954) * feat(c): add location for lock file dependencies. (#4994) * docs: adding blog post on ec2 (#4813) * revert 32bit bins (#4977)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP6: zypper in -t patch openSUSE-2024-269=1


Package List

- openSUSE Backports SLE-15-SP6 (aarch64 i586 ppc64le s390x x86_64): trivy-0.54.1-bp156.2.3.1


References

https://www.suse.com/security/cve/CVE-2023-42363.html https://www.suse.com/security/cve/CVE-2024-35192.html https://www.suse.com/security/cve/CVE-2024-6257.html https://bugzilla.suse.com/1224781 https://bugzilla.suse.com/1227022


Severity
Announcement ID: openSUSE-SU-2024:0269-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP6 .

Related News

CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved