v0.40.0

[DmitriyLewen]

Changelog

• 77bb6bb update CI/CD settings for release
• 7811ad0 docs: update info about config file (docs: update info about config file aquasecurity/trivy#6547)
• fae710d docs: remove RELEASE_VERSION from trivy.repo (docs: remove RELEASE_VERSION from trivy.repo aquasecurity/trivy#6546)
• d2d4022 fix(sbom): change error to warning for multiple OSes (fix(sbom): change error to warning for multiple OSes aquasecurity/trivy#6541)
• 164b025 fix(vuln): skip empty versions (fix(vuln): skip empty versions aquasecurity/trivy#6542)
• 5dd9bd4 feat(c): add license support for conan lock files (feat(c): add license support for conan lock files aquasecurity/trivy#6329)
• 7c2017f fix(terraform): Attribute and fileset fixes (fix(terraform): Attribute and fileset fixes aquasecurity/trivy#6544)
• 63c9469 refactor: change warning if no vulnerability details are found (refactor: change warning if no vulnerability details are found aquasecurity/trivy#6230)
• aa822c2 refactor(misconf): improve error handling in the Rego scanner (refactor(misconf): improve error handling in the Rego scanner aquasecurity/trivy#6527)
• 30cc88f ci: use tmp dir inside Trivy repo dir for GoReleaser (ci: use tmp dir inside Trivy repo dir for GoReleaser aquasecurity/trivy#6533)
• e32215c feat(go): parse main module of go binary files (feat(go): parse main module of go binary files aquasecurity/trivy#6530)
• d4da83c chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 aquasecurity/trivy#6526)
• 0d7d97d refactor(misconf): simplify the retrieval of module annotations (refactor(misconf): simplify the retrieval of module annotations aquasecurity/trivy#6528)
• 9873cf3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 aquasecurity/trivy#6523)
• 95c8fd9 docs(nodejs): add info about supported versions of pnpm lock files (docs(nodejs): add info about supported versions of pnpm lock files aquasecurity/trivy#6510)
• 12ec0df feat(misconf): loading embedded checks as a fallback (feat(misconf): loading embedded checks as a fallback aquasecurity/trivy#6502)
• 9b7d713 fix(misconf): Parse JSON k8s manifests properly (fix(misconf): Parse JSON k8s manifests properly aquasecurity/trivy#6490)
• 13e72ec refactor: remove parallel walk (refactor: remove parallel walk aquasecurity/trivy#5180)
• a986199 fix: close pom.xml (fix: close pom.xml aquasecurity/trivy#6507)
• 46d5aba fix(secret): convert severity for custom rules (fix(secret): convert severity for custom rules aquasecurity/trivy#6500)
• 34ab09d fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories aquasecurity/trivy#6412)
• 1ba5b59 fix: typo (fix: typo aquasecurity/trivy#6283)
• 4fab0f8 docs(k8s,image): fix command-line syntax issues (docs(k8s,image): fix command-line syntax issues aquasecurity/trivy#6403)
• d770981 chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 aquasecurity/trivy#6435)
• 4337068 fix(misconf): avoid panic if the scheme is not valid (fix(misconf): avoid panic if the scheme is not valid aquasecurity/trivy#6496)
• d82d6cb feat(image): goversion as stdlib (feat(image): goversion as stdlib aquasecurity/trivy#6277)
• cfddfb3 fix: add color for error inside of log message (fix: add color for error inside of log message aquasecurity/trivy#6493)
• dfcb0f9 chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 aquasecurity/trivy#6438)
• 183eaaf docs: fix links to OPA docs (docs: fix links to OPA docs aquasecurity/trivy#6480)
• 94d6e8c refactor: replace zap with slog (refactor: replace zap with slog aquasecurity/trivy#6466)
• 336c47e docs: update links to IaC schemas (docs: update links to IaC schemas aquasecurity/trivy#6477)
• 06b4473 chore: bump Go to 1.22 (chore: bump Go to 1.22 aquasecurity/trivy#6075)
• a51cedd refactor(terraform): sync funcs with Terraform (refactor(terraform): sync funcs with Terraform aquasecurity/trivy#6415)
• 53517d6 feat(misconf): add helm-api-version and helm-kube-version flag (feat(misconf): add helm-api-version and helm-kube-version flag aquasecurity/trivy#6332)
• ad544e9 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 aquasecurity/trivy#6426)
• 089368d chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 aquasecurity/trivy#6452)
• 1163565 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 aquasecurity/trivy#6430)
• 637da2b chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 aquasecurity/trivy#6437)
• 13190e9 fix(terraform): eval submodules (fix(terraform): eval submodules aquasecurity/trivy#6411)
• 6bca7c3 refactor(terraform): remove unused options (refactor(terraform): remove unused options aquasecurity/trivy#6446)
• 8e4279b refactor(terraform): remove unused file (refactor(terraform): remove unused file aquasecurity/trivy#6445)
• e98c873 chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 aquasecurity/trivy#6387)
• b1c2eab chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 aquasecurity/trivy#6427)
• 1c49a16 fix(misconf): Escape template value correctly (fix(misconf): Escape template value correctly aquasecurity/trivy#6292)
• 8dd0fcd feat(misconf): add support for wildcard ignores (feat(misconf): add support for wildcard ignores aquasecurity/trivy#6414)
• 74e4c6e fix(cloudformation): resolve DedicatedMasterEnabled parsing issue (fix(cloudformation): resolve DedicatedMasterEnabled parsing issue aquasecurity/trivy#6439)
• 245c120 refactor(terraform): remove metrics collection (refactor(terraform): remove metrics collection aquasecurity/trivy#6444)
• 86714bf feat(cloudformation): add support for logging and endpoint access for EKS (feat(cloudformation): add support for logging and endpoint access for EKS aquasecurity/trivy#6440)
• a758392 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 aquasecurity/trivy#6424)
• 4d00d8b chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 aquasecurity/trivy#6428)
• 3ad2b3e chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 aquasecurity/trivy#6429)
• 8baccd7 fix(db): check schema version for image name only (fix(db): check schema version for image name only aquasecurity/trivy#6410)
• e75a90f chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 aquasecurity/trivy#6425)
• 6625bd3 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 aquasecurity/trivy#6433)
• 826fe60 chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (chore(deps): bump actions/cache from 4.0.0 to 4.0.2 aquasecurity/trivy#6436)
• f23ed77 feat(misconf): Support private registries for misconf check bundle (feat(misconf): Support private registries for misconf check bundle aquasecurity/trivy#6327)
• df024e8 feat(cloudformation): inline ignore support for YAML templates (feat(cloudformation): inline ignore support for YAML templates aquasecurity/trivy#6358)
• 29dee32 feat(terraform): ignore resources by nested attributes (feat(terraform): ignore resources by nested attributes aquasecurity/trivy#6302)
• 1a67472 perf(helm): load in-memory files (perf(helm): load in-memory files aquasecurity/trivy#6383)
• 09e37b7 feat(aws): apply filter options to result (feat(aws): apply filter options to result aquasecurity/trivy#6367)
• 87a9aa6 feat(aws): quiet flag support (feat(aws): quiet flag support aquasecurity/trivy#6331)
• 712dcd3 fix(misconf): clear location URI for SARIF (fix(misconf): clear location URI for SARIF aquasecurity/trivy#6405)
• 625f22b test(cloudformation): add CF tests (test(cloudformation): add CF tests aquasecurity/trivy#6315)
• 6a2f6fd fix(cloudformation): infer type after resolving a function (fix(cloudformation): infer type after resolving a function aquasecurity/trivy#6406)
• 5f69937 fix(sbom): fix error when parent of SPDX Relationships is not a package. (fix(sbom): fix error when parent of SPDX Relationships is not a package. aquasecurity/trivy#6399)
• 258d153 fix(nodejs): merge Indirect, Dev, ExternalReferences fields for same deps from package-lock.json files v2 or later (fix(nodejs): merge Indirect, Dev, ExternalReferences fields for same deps from package-lock.json files v2 or later aquasecurity/trivy#6356)
• ade033a docs: add info about support for package license detection in fs/repo modes (docs: add info about support for package license detection in fs/repo modes aquasecurity/trivy#6381)
• f85c9fa fix(nodejs): add support for parsing workspaces from package.json as an object (fix(nodejs): add support for parsing workspaces from package.json as an object aquasecurity/trivy#6231)
• 9d7f5c9 fix: use 0600 perms for tmp files for post analyzers (fix: use 0600 perms for tmp files for post analyzers aquasecurity/trivy#6386)
• f148eb1 fix(helm): scan the subcharts once (fix(helm): scan the subcharts once aquasecurity/trivy#6382)
• 97f95c4 docs(terraform): add file patterns for Terraform Plan (docs(terraform): add file patterns for Terraform Plan aquasecurity/trivy#6393)
• abd62ae fix(terraform): сhecking SSE encryption algorithm validity (fix(terraform): сhecking SSE encryption algorithm validity aquasecurity/trivy#6341)
• 7c409fd fix(java): parse modules from pom.xml files once (fix(java): parse modules from pom.xml files once aquasecurity/trivy#6312)
• 1b68327 chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible aquasecurity/trivy#6364)
• a2482c1 fix(server): add Locations for Packages in client/server mode (fix(server): add Locations for Packages in client/server mode aquasecurity/trivy#6366)
• e866bd5 fix(sbom): add check for CreationInfo to nil when detecting SPDX created using Trivy (fix(sbom): add check for CreationInfo to nil when detecting SPDX created using Trivy aquasecurity/trivy#6346)
• 1870f28 fix(report): don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used (fix(report): don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used aquasecurity/trivy#6348)
• 6c81e55 chore(ubuntu): Add Ubuntu 22.04 EOL date (chore(ubuntu): Add Ubuntu 22.04 EOL date aquasecurity/trivy#6371)
• 8ec3938 chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 aquasecurity/trivy#6321)
• f6c5d58 feat(java): add support licenses and graph for gradle lock files (feat(java): add support licenses and graph for gradle lock files aquasecurity/trivy#6140)
• c4022d6 feat(vex): consider root component for relationships (feat(vex): consider root component for relationships aquasecurity/trivy#6313)
• 3177924 fix: increase the default buffer size for scanning dpkg status files by 2 times (fix: increase the default buffer size for scanning dpkg status files by 2 times aquasecurity/trivy#6298)
• dd9620e chore: updates wazero to v1.7.0 (chore: updates wazero to v1.7.0 aquasecurity/trivy#6301)
• eb3ceb3 feat(sbom): Support license detection for SBOM scan (feat(sbom): Support license detection for SBOM scan aquasecurity/trivy#6072)
• ab74caa refactor(sbom): use intermediate representation for SPDX (refactor(sbom): use intermediate representation for SPDX aquasecurity/trivy#6310)
• 71da44f docs(terraform): improve documentation for filtering by inline comments (docs(terraform): improve documentation for filtering by inline comments aquasecurity/trivy#6284)
• 102b6df fix(terraform): fix policy document retrieval (fix(terraform): fix policy document retrieval aquasecurity/trivy#6276)
• aa19aaf refactor(terraform): remove unused custom error (refactor(terraform): remove unused custom error aquasecurity/trivy#6303)
• 8fcef35 refactor(sbom): add intermediate representation for BOM (refactor(sbom): add intermediate representation for BOM aquasecurity/trivy#6240)
• fb8c516 fix(amazon): check only major version of AL to find advisories (fix(amazon): check only major version of AL to find advisories aquasecurity/trivy#6295)
• 96bd7ac fix(db): use schema version as tag only for trivy-db and trivy-java-db registries by default (fix(db): use schema version as tag only for trivy-db and trivy-java-db registries by default aquasecurity/trivy#6219)
• 12c5bf0 fix(nodejs): add name validation for package name from package.json (fix(nodejs): add name validation for package name from package.json  aquasecurity/trivy#6268)
• d6c40ce docs: Added install instructions for FreeBSD (docs: Added install instructions for FreeBSD aquasecurity/trivy#6293)
• 9d2057a feat(image): customer podman host or socket option (feat(image): customer podman host or socket option aquasecurity/trivy#6256)
• 2a9d9bd chore(deps): bump wazero from 1.2.1 to 1.6.0 (chore(deps): bump wazero from 1.2.1 to 1.6.0 aquasecurity/trivy#6290)
• 617c3e3 feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev (feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev aquasecurity/trivy#6213)
• 56cedc0 fix(license): reorder logic of how python package licenses are acquired (fix(license): reorder logic of how python package licenses are acquired aquasecurity/trivy#6220)
• d7d7265 test(terraform): skip cached modules (test(terraform): skip cached modules aquasecurity/trivy#6281)
• 6639911 feat(secret): Support for detecting Hugging Face Access Tokens (feat(secret): Support for detecting Hugging Face Access Tokens aquasecurity/trivy#6236)
• 337cb75 fix(cloudformation): support of all SSE algorithms for s3 (fix(cloudformation): support of all SSE algorithms for s3 aquasecurity/trivy#6270)
• 9361cdb feat(terraform): Terraform Plan snapshot scanning support (feat(terraform): Terraform Plan snapshot scanning support aquasecurity/trivy#6176)
• ee01e6e chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 aquasecurity/trivy#6249)
• 3d2f583 fix: typo function name and comment optimization (fix: typo function name and comment optimization aquasecurity/trivy#6200)
• c4b5ab7 fix(java): don't ignore runtime scope for pom.xml files (fix(java): don't ignore runtime scope for pom.xml files aquasecurity/trivy#6223)
• 355c1b5 chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 aquasecurity/trivy#6242)
• 7244ece chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 aquasecurity/trivy#6243)
• 5cd0566 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 aquasecurity/trivy#6251)
• ebb74a5 chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 aquasecurity/trivy#6253)
• 24a8d6a chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 aquasecurity/trivy#6250)
• 9d0d7ad chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 aquasecurity/trivy#6247)
• e8230e1 chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 aquasecurity/trivy#6246)
• 04535b5 fix(license): add FilePath to results to allow for license path filtering via trivyignore file (fix(license): add FilePath to results to allow for license path filtering via trivyignore file aquasecurity/trivy#6215)
• 939e34e chore(deps): Upgrade iac deps (chore(deps): Upgrade iac deps aquasecurity/trivy#6255)
• 7cb6c02 feat: add info log message about dev deps suppression (feat: add info log message about dev deps suppression aquasecurity/trivy#6211)
• c1d26ec test(k8s): use test-db for k8s integration tests (test(k8s): use test-db for k8s integration tests aquasecurity/trivy#6222)
• 4f70468 ci: add maximize-build-space for Test job (ci: add maximize-build-space for Test job aquasecurity/trivy#6221)
• 1dfece8 fix(terraform): fix root module search (fix(terraform): fix root module search aquasecurity/trivy#6160)
• e1ea02c test(parser): squash test data for yarn (test(parser): squash test data for yarn aquasecurity/trivy#6203)
• 64926d8 fix(terraform): do not re-expand dynamic blocks (fix(terraform): do not re-expand dynamic blocks aquasecurity/trivy#6151)
• eb54bb5 docs: update ecosystem page reporting with db app (docs: update ecosystem page reporting with db app aquasecurity/trivy#6201)
• dc76c6e fix: k8s summary separate infra and user finding results (fix: k8s summary separate infra and user finding results aquasecurity/trivy#6120)
• 1b7e474 fix: add context to target finding on k8s table view (fix: add context to target finding on k8s table view aquasecurity/trivy#6099)
• 876ab84 fix: Printf format err (fix: Printf format err aquasecurity/trivy#6198)
• eef7c4f refactor: better integration of the parser into Trivy (refactor: better integration of the parser into Trivy aquasecurity/trivy#6183)
• 069aae5 chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 aquasecurity/trivy#6189)
• 4a9ac6d feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction aquasecurity/trivy#6108)
• 9c5e5a0 fix(vex): CSAF filtering should consider relationships (fix(vex): CSAF filtering should consider relationships aquasecurity/trivy#5923)
• 388f476 refactor(report): Replacing source_location in github report when scanning an image (refactor(report): Replacing source_location in github report when scanning an image aquasecurity/trivy#5999)
• cd3e4bc feat(vuln): ignore vulnerabilities by PURL (feat(vuln): ignore vulnerabilities by PURL aquasecurity/trivy#6178)
• ce81c05 feat(java): add support for fetching packages from repos mentioned in pom.xml (feat(java): add support for fetching packages from repos mentioned in pom.xml aquasecurity/trivy#6171)
• cf0f0d0 feat(k8s): rancher rke2 version support (feat(k8s): rancher rke2 version support aquasecurity/trivy#5988)
• 8a3a113 docs: update kbom distribution for scanning (docs: update kbom distribution for scanning aquasecurity/trivy#6019)
• 19495ba chore: update CODEOWNERS (chore: update CODEOWNERS aquasecurity/trivy#6173)
• e787e1a fix(swift): try to use branch to resolve version (fix(swift): try to use branch to resolve version aquasecurity/trivy#6168)
• 327cf88 fix(terraform): ensure consistent path handling across OS (fix(terraform): ensure consistent path handling across OS aquasecurity/trivy#6161)
• 8221473 fix(java): add only valid libs from pom.properties files from jars (fix(java): add only valid libs from pom.properties files from jars aquasecurity/trivy#6164)
• 7694df1 fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source aquasecurity/trivy#6163)
• 74dc5b6 chore(deps): merge go-dep-parser into Trivy (chore(deps): merge go-dep-parser into Trivy aquasecurity/trivy#6094)
• 32a02a9 docs(report): add remark about path to filter licenses using .trivyignore.yaml file (docs(report): add remark about path to filter licenses using .trivyignore.yaml file aquasecurity/trivy#6145)
• fb79ea7 docs: update template path for gitlab-ci tutorial (docs: update template path for gitlab-ci tutorial aquasecurity/trivy#6144)
• c6844a7 feat(report): support for filtering licenses and secrets via rego policy files (feat(report): support for filtering licenses and secrets via rego policy files aquasecurity/trivy#6004)
• a813506 fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file aquasecurity/trivy#6113)
• 14adbb4 refactor(deps): Merge defsec into trivy (refactor(deps): Merge defsec into trivy aquasecurity/trivy#6109)
• efe0e0f chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 aquasecurity/trivy#6142)
• 73dde32 docs: add SecObserve in CI/CD and reporting (docs: add SecObserve in CI/CD and reporting aquasecurity/trivy#6139)
• aadbad1 fix(alpine): exclude empty licenses for apk packages (fix(alpine): exclude empty licenses for apk packages aquasecurity/trivy#6130)
• 14a0981 docs: add docs tutorial on custom policies with rego (docs: add docs tutorial on custom policies with rego aquasecurity/trivy#6104)
• 3ac6388 fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (fix(nodejs): use project dir when searching for workspaces for Yarn.lock files aquasecurity/trivy#6102)
• 3c1601b feat(vuln): show suppressed vulnerabilities in table (feat(vuln): show suppressed vulnerabilities in table aquasecurity/trivy#6084)
• c107e1a docs: rename governance to principles (docs: rename governance to principles aquasecurity/trivy#6107)
• b26f217 docs: add governance (docs: add governance aquasecurity/trivy#6090)
• 7bd3b63 refactor(deps): Merge trivy-iac into Trivy (refactor(deps): Merge trivy-iac into Trivy aquasecurity/trivy#6005)
• 535b5a9 feat(java): add dependency location support for gradle files (feat(java): add dependency location support for gradle files aquasecurity/trivy#6083)
• 428420e chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 aquasecurity/trivy#6038)
• 7fec991 fix(misconf): get user from Config.User (fix(misconf): get user from Config.User aquasecurity/trivy#6070)
• 6ccc0a5 fix: check unescaped BomRef when matching PkgIdentifier (fix: check unescaped BomRef when matching PkgIdentifier aquasecurity/trivy#6025)
• 458c5d9 docs: Fix broken link to "pronunciation" (docs: Fix broken link to "pronunciation" aquasecurity/trivy#6057)
• 5c0ff6d chore(deps): bump actions/upload-artifact from 3 to 4 (chore(deps): bump actions/upload-artifact from 3 to 4 aquasecurity/trivy#6047)
• e2bd7f7 chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 aquasecurity/trivy#6042)
• f95fbcb chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 aquasecurity/trivy#6043)
• 7651bf5 ci: reduce root-reserve-mb size for maximize-build-space (ci: reduce root-reserve-mb size for maximize-build-space aquasecurity/trivy#6064)
• fc20dfd chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 aquasecurity/trivy#6041)
• 3bd80e7 chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 aquasecurity/trivy#6039)
• 2900a21 fix: fix cursor usage in Redis Clear function (fix: fix cursor usage in Redis Clear function aquasecurity/trivy#6056)
• 85cb9a7 chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 aquasecurity/trivy#6037)
• 4e962c0 fix(nodejs): add local packages support for pnpm-lock.yaml files (fix(nodejs): add local packages support for pnpm-lock.yaml files aquasecurity/trivy#6034)
• aa48a7b chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 aquasecurity/trivy#6046)
• 8aabbea chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 aquasecurity/trivy#6044)
• ec02a65 chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (chore(deps): bump actions/cache from 3.3.2 to 4.0.0 aquasecurity/trivy#6048)
• 27d35ba test: fix flaky TestDockerEngine (test: fix flaky TestDockerEngine aquasecurity/trivy#6054)
• c3a66da chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 aquasecurity/trivy#6040)
• 2000fe2 chore(deps): bump easimon/maximize-build-space from 9 to 10 (chore(deps): bump easimon/maximize-build-space from 9 to 10 aquasecurity/trivy#6049)
• 2be6421 chore(deps): bump alpine from 3.19.0 to 3.19.1 (chore(deps): bump alpine from 3.19.0 to 3.19.1 aquasecurity/trivy#6051)
• 41c0ef6 chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 aquasecurity/trivy#6028)
• 729a051 fix(java): recursive check all nested depManagements with import scope for pom.xml files (fix(java): recursive check all nested depManagements with import scope for pom.xml files aquasecurity/trivy#5982)
• 884745b chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 aquasecurity/trivy#6029)
• 59e5433 fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (fix(cli): inconsistent behavior across CLI flags, environment variables, and config files aquasecurity/trivy#5843)
• 5924c02 feat(rust): Support workspace.members parsing for Cargo.toml analysis (feat(rust): Support workspace.members parsing for Cargo.toml analysis aquasecurity/trivy#5285)
• 4df9363 docs: add note about Bun (docs: add note about Bun aquasecurity/trivy#6001)
• 70dd572 fix(report): use AWS_REGION env for secrets in asff template (fix(report): use AWS_REGION env for secrets in asff template aquasecurity/trivy#6011)
• 13f797f fix: check returned error before deferring f.Close() (fix: check returned error before deferring f.Close() aquasecurity/trivy#6007)
• adfde63 feat(misconf): add support of buildkit instructions when building dockerfile from image config (feat(misconf): add support of buildkit instructions when building dockerfile from image config aquasecurity/trivy#5990)
• e2eb70e feat(vuln): enable --vex for all targets (feat(vuln): enable --vex for all targets aquasecurity/trivy#5992)
• f9da021 docs: update link to data sources (docs: update link to data sources aquasecurity/trivy#6000)
• b4b90cf feat(java): add support for line numbers for pom.xml files (feat(java): add support for line numbers for pom.xml files aquasecurity/trivy#5991)
• fb36c4e refactor(sbom): use new metadata.tools struct for CycloneDX (refactor(sbom): use new metadata.tools struct for CycloneDX aquasecurity/trivy#5981)
• f6be42b docs: Update troubleshooting guide with image not found error (docs: Update troubleshooting guide with image not found error aquasecurity/trivy#5983)
• bb6caea style: update band logos (style: update band logos aquasecurity/trivy#5968)
• 189a46a chore(deps): Update misconfig deps (chore(deps): Update misconfig deps aquasecurity/trivy#5956)
• 91a2547 docs: update cosign tutorial and commands, update kyverno policy (docs: update cosign tutorial and commands, update kyverno policy aquasecurity/trivy#5929)
• a96f66f docs: update command to scan go binary (docs: update command to scan go binary aquasecurity/trivy#5969)
• 2212d14 fix: handle non-parsable images names (fix: handle non-parsable images names aquasecurity/trivy#5965)
• 7cad04b chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 aquasecurity/trivy#5693)
• fbc1a83 fix(amazon): save system files for pkgs containing amzn in src (fix(amazon): save system files for pkgs containing amzn in src aquasecurity/trivy#5951)
• 260aa28 fix(alpine): Add EOL support for alpine 3.19. (fix(alpine): Add EOL support for alpine 3.19. aquasecurity/trivy#5938)
• 2c9d7c6 feat: allow end-users to adjust K8S client QPS and burst (feat: allow adjustment of Trivy K8S Client QPS/Burst with --qps and --burst flags aquasecurity/trivy#5910)
• ffe2ca7 chore(deps): bump go-ebs-file (chore(deps): bump go-ebs-file aquasecurity/trivy#5934)
• f90d4ee fix(nodejs): find licenses for packages with slash (fix(nodejs): find licenses for packages with slash aquasecurity/trivy#5836)
• c75143f fix(sbom): use group field for pom.xml and nodejs files for CycloneDX reports (fix(sbom): use group field for pom.xml and nodejs files for CycloneDX reports aquasecurity/trivy#5922)
• a3fac90 fix: ignore no init containers (fix: ignore no init containers aquasecurity/trivy#5939)
• b1b4734 docs: Fix documentation of ecosystem (docs: Fix documentation of ecosystem aquasecurity/trivy#5940)
• a2b6549 docs(misconf): multiple ignores in comment (docs(misconf): multiple ignores in comment aquasecurity/trivy#5926)
• ae134a9 fix(secret): find aws secrets ending with a comma or dot (fix(secret): find aws secrets ending with a comma or dot aquasecurity/trivy#5921)
• c8c55fe chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 aquasecurity/trivy#5885)
• 4d2e785 docs: ✨ Updated ecosystem docs with reference to new community app (docs: ✨ Updated ecosystem docs with reference to new community app aquasecurity/trivy#5918)
• 7895657 fix(java): don't remove excluded deps from upper pom's (fix(java): don't remove excluded deps from upper pom's aquasecurity/trivy#5838)
• 37e7e3e fix(java): check if a version exists when determining GAV by file name for jar files (fix(java): check if a version exists when determining GAV by file name for jar files aquasecurity/trivy#5630)
• d0c81e2 feat(vex): add PURL matching for CSAF VEX (feat(vex): add PURL matching for CSAF VEX aquasecurity/trivy#5890)
• 958e1f1 fix(secret): AWS Secret Access Key must include only secrets with aws text. (fix(secret): AWS Secret Access Key must include only secrets with aws text. aquasecurity/trivy#5901)
• 56c4e24 revert(report): don't escape new line characters for sarif format (revert(report): don't escape new line characters for sarif format aquasecurity/trivy#5897)
• 92d9b3d docs: improve filter by rego (docs: improve filter by rego aquasecurity/trivy#5402)
• a626cdf chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 aquasecurity/trivy#5892)
• 47b6c28 docs: add_scan2html_to_trivy_ecosystem (docs: add_scan2html_to_trivy_ecosystem aquasecurity/trivy#5875)
• 0ebb6c4 fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode aquasecurity/trivy#5888)
• c47ed0d feat(vex): Add support for CSAF format (feat(vex): Add support for CSAF format aquasecurity/trivy#5535)
• 2cdd65d chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 aquasecurity/trivy#5880)
• cba67d1 chore(deps): bump actions/setup-go from 4 to 5 (chore(deps): bump actions/setup-go from 4 to 5 aquasecurity/trivy#5845)
• d990e70 chore(deps): bump actions/stale from 8 to 9 (chore(deps): bump actions/stale from 8 to 9 aquasecurity/trivy#5846)
• c72dfbf chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 aquasecurity/trivy#5853)
• 1218984 chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 aquasecurity/trivy#5847)
• 682210a chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 aquasecurity/trivy#5854)
• e1a60cc chore(deps): bump alpine from 3.18.5 to 3.19.0 (chore(deps): bump alpine from 3.18.5 to 3.19.0 aquasecurity/trivy#5849)
• b508414 chore(deps): bump actions/setup-python from 4 to 5 (chore(deps): bump actions/setup-python from 4 to 5 aquasecurity/trivy#5848)
• df3e90a feat(python): parse licenses from dist-info folder (feat(python): parse licenses from dist-info folder aquasecurity/trivy#4724)
• fa2e883 chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 aquasecurity/trivy#5852)
• 30eff9c feat(nodejs): add yarn alias support (feat(nodejs): add yarn alias support aquasecurity/trivy#5818)
• 013df4c chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 aquasecurity/trivy#5850)
• b1489f3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 aquasecurity/trivy#5856)
• 7f2e422 chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 aquasecurity/trivy#5855)
• da597c4 refactor: propagate time through context values (refactor: propagate time through context values aquasecurity/trivy#5858)
• 1607eee refactor: move PkgRef under PkgIdentifier (refactor: move PkgRef under PkgIdentifier aquasecurity/trivy#5831)
• b3d516e fix(cyclonedx): fix unmarshal for licenses (fix(cyclonedx): fix unmarshal for licenses aquasecurity/trivy#5828)
• c17b660 chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 aquasecurity/trivy#5830)
• 1f0d629 feat(vuln): include pkg identifier on detected vulnerabilities (feat(vuln): include pkg identifier on detected vulnerabilities aquasecurity/trivy#5439)
• 4cdff0e chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 (chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from v1.116.0 to v1.134.0 aquasecurity/trivy#5822)
• be969d4 chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 aquasecurity/trivy#5809)

---

This discussion was created from the release v0.40.0.