🌱 Update Builder Image group

[syself-bot]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/aquasec/trivy (source)	stage	minor	0.54.1 -> 0.56.2
docker.io/library/alpine	stage	patch	3.20.2 -> 3.20.3
docker.io/library/golang	final	digest	825f815 -> 3bc1984
golangci/golangci-lint		minor	v1.59.1 -> v1.61.0

---

Release Notes

aquasecurity/trivy (docker.io/aquasec/trivy)

v0.56.2

Compare Source

Changelog

• f2252c8 release: v0.56.2 [release/v0.56] (#​7694)
• f6700ec fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#​7702)
• 25d2540 fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#​7691)

v0.56.1

Compare Source

Changelog

• 95dbf11 release: v0.56.1 [release/v0.56] (#​7648)
• 5dbdadf fix(db): fix javadb downloading error handling [backport: release/v0.56] (#​7646)

v0.56.0

Compare Source

Features

• java: add empty versions if pom.xml dependency versions can't be detected (#​7520) (b836232)
• license: improve license normalization (#​7131) (6472e3c)
• misconf: add ability to disable checks by ID (#​7536) (ef0a27d)
• misconf: Register checks only when needed (#​7435) (f768d3a)
• misconf: Support --skip-* for all included modules (#​7579) (c0e8da3)
• secret: enhance secret scanning for python binary files (#​7223) (60725f8)
• support multiple DB repositories for vulnerability and Java DB (#​7605) (3562529)
• support RPM archives (#​7628) (69bf7e0)
• suse: added SUSE Linux Enterprise Micro support (#​7294) (efdb68d)

Bug Fixes

• allow access to '..' in mapfs (#​7575) (a8fbe46)
• db: check DownloadedAt for trivy-java-db (#​7592) (13ef3e7)
• java: use dependencyManagement from root/child pom's for dependencies from parents (#​7497) (5442949)
• license: stop spliting a long license text (#​7336) (4926da7)
• misconf: Disable deprecated checks by default (#​7632) (82e2adc)
• misconf: disable DS016 check for image history analyzer (#​7540) (de40df9)
• misconf: escape all special sequences (#​7558) (ea0cf03)
• misconf: Fix logging typo (#​7473) (56db43c)
• misconf: Fixed scope for China Cloud (#​7560) (37d549e)
• misconf: not to warn about missing selectors of libraries (#​7638) (fcaea74)
• oracle: Update EOL date for Oracle 7 (#​7480) (dd0a64a)
• report: change a receiver of MarshalJSON (#​7483) (927c6e0)
• report: fix error with unmarshal of ExperimentalModifiedFindings (#​7463) (7ff9aff)
• sbom: export bom-ref when converting a package to a component (#​7340) (5dd94eb)
• sbom: parse type framework as library when unmarshalling CycloneDX files (#​7527) (aeb7039)
• secret: change grafana token regex to find them without unquoted (#​7627) (3e1fa21)

Performance Improvements

• misconf: use port ranges instead of enumeration (#​7549) (1f9fc13)

Reverts

• java: stop supporting of test scope for pom.xml files (#​7488) (b0222fe)

v0.55.2

Compare Source

Changelog

• 928c7c0 release: v0.55.2 [release/v0.55] (#​7523)
• 14a058f fix(java): use dependencyManagement from root/child pom's for dependencies from parents [backport: release/v0.55] (#​7521)
• 990bc4e chore(deps): bump alpine from 3.20.0 to 3.20.3 [backport: release/v0.55] (#​7516)

v0.55.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7494

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0

Compare Source

⚠ BREAKING CHANGES

• cli: delete deprecated SBOM flags (#​7266)

Features

• cli: delete deprecated SBOM flags (#​7266) (7024572)
• go: use toolchain as stdlib version for go.mod files (#​7163) (2d80769)
• java: add test scope support for pom.xml files (#​7414) (2d97700)
• misconf: Add support for using spec from on-disk bundle (#​7179) (be86126)
• misconf: ignore duplicate checks (#​7317) (9ef05fc)
• misconf: iterator argument support for dynamic blocks (#​7236) (fe92072)
• misconf: port and protocol support for EC2 networks (#​7146) (98e136e)
• misconf: scanning support for YAML and JSON (#​7311) (efdbd8f)
• misconf: support for ignore by nested attributes (#​7205) (44e4686)
• misconf: support for policy and bucket grants (#​7284) (a817fae)
• misconf: variable support for Terraform Plan (#​7228) (db2c955)
• python: use minimum version for pip packages (#​7348) (e9b43f8)
• report: export modified findings in JSON (#​7383) (7aea79d)
• sbom: set User-Agent header on requests to Rekor (#​7396) (af1d257)
• server: add internal --path-prefix flag for client/server mode (#​7321) (24a4563)
• server: Make Trivy Server Multiplexer Exported (#​7389) (4c6e8ca)
• vm: Support direct filesystem (#​7058) (45b3f34)
• vm: support the Ext2/Ext3 filesystems (#​6983) (35c60f0)
• vuln: Add --detection-priority flag for accuracy tuning (#​7288) (fd8348d)

Bug Fixes

• aws: handle ECR repositories in different regions (#​6217) (feaef96)
• flag: incorrect behavior for deprected flag --clear-cache (#​7281) (2a0e529)
• helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#​7362) (da4ebfa)
• java: Return error when trying to find a remote pom to avoid segfault (#​7275) (49d5270)
• license: add license handling to JUnit template (#​7409) (f80183c)
• logger initialization before flags parsing (#​7372) (c929290)
• misconf: change default TLS values for the Azure storage account (#​7345) (aadb090)
• misconf: do not filter Terraform plan JSON by name (#​7406) (9d7264a)
• misconf: do not recreate filesystem map (#​7416) (3a5d091)
• misconf: do not register Rego libs in checks registry (#​7420) (a5aa63e)
• misconf: do not set default value for default_cache_behavior (#​7234) (f0ed5e4)
• misconf: fix infer type for null value (#​7424) (0cac3ac)
• misconf: init frameworks before updating them (#​7376) (b65b32d)
• misconf: load only submodule if it is specified in source (#​7112) (a4180bd)
• misconf: support deprecating for Go checks (#​7377) (2a6c7ab)
• misconf: use module to log when metadata retrieval fails (#​7405) (0799770)
• misconf: wrap Azure PortRange in iac types (#​7357) (c5c62d5)
• nodejs: check all importers to detect dev deps from pnpm-lock.yaml file (#​7387) (fd9ed3a)
• plugin: do not call GitHub content API for releases and tags (#​7274) (b3ee6da)
• report: escape Message field in asff.tpl template (#​7401) (dd9733e)
• safely check if the directory exists (#​7353) (05a8297)
• sbom: use NOASSERTION for licenses fields in SPDX formats (#​7403) (c96dcdd)
• secret: use .eyJ keyword for JWT secret (#​7410) (bf64003)
• secret: use only line with secret for long secret lines (#​7412) (391448a)
• terraform: add aws_region name to presets (#​7184) (bb2e26a)

Performance Improvements

• misconf: do not convert contents of a YAML file to string (#​7292) (85dadf5)
• misconf: optimize work with context (#​6968) (2b6d8d9)
• misconf: use json.Valid to check validity of JSON (#​7308) (c766831)

golangci/golangci-lint (golangci/golangci-lint)

v1.61.0

Compare Source

1. Enhancements
   • Add junit-xml-extended format
   • Exclude Swagger Codegen files by default
2. Updated linters
   • dupword: from 0.0.14 to 0.1.1
   • fatcontext: from 0.4.0 to 0.5.2
   • gci: from 0.13.4 to 0.13.5 (new option no-lex-order)
   • go-ruleguard: from 0.4.2 to 0fe6f58 (fix panic with custom linters)
   • godot: from 1.4.16 to 1.4.17
   • gomodguard: from 1.3.3 to 1.3.5
   • gosec: disable temporarily G407
   • gosec: from ab3f6c1 to 2.21.2 (partially fix G115)
   • intrange: from 0.1.2 to 0.2.0
   • nolintlint: remove the empty line in the directive replacement
3. Misc.
   • Improve runtime version parsing
4. Documentation
   • Add additional info about typecheck

v1.60.3

Compare Source

1. Updated linters
   • gosec: from 81cda2f to ab3f6c1 (fix G115 false positives)
2. Misc.
   • Check that the Go version use to build is greater or equals to the Go version of the project

v1.60.2

Compare Source

1. Updated linters

• gofmt: update to HEAD (go1.22)
• gofumpt: from 0.6.0 to 0.7.0
• gosec: fix G602 analyzer
• gosec: from 5f0084e to 81cda2f (adds G115, G405, G406, G506, G507)
• staticcheck: from 0.5.0 to 0.5.1
• staticcheck: propagate Go version
• wrapcheck: from 2.8.3 to 2.9.0
• ⚠️ exportloopref: deprecation

v1.60.1

Compare Source

1. Updated linters
   • errorlint: from 1.5.2 to 1.6.0
   • exhaustruct: from 3.2.0 to 3.3.0 (recognize custom error values in return)
   • fatcontext: from 0.2.2 to 0.4.0 (fix false positives for context stored in structs)
   • gocognit: from 1.1.2 to 1.1.3
   • gomodguard: from 1.3.2 to 1.3.3
   • govet (printf): report non-constant format, no args
   • lll: advertise max line length instead of just reporting failure
   • revive: from 1.3.7 to 1.3.9 (new rule: comments-density)
   • sloglint: from 0.7.1 to 0.7.2
   • spancheck: from 0.6.1 to 0.6.2
   • staticcheck: from 0.4.7 to 0.5.0
   • tenv: from 1.7.1 to 1.10.0 (remove reports on fuzzing)
   • testifylint: from 1.3.1 to 1.4.3 (new options: formatter, suite-broken-parallel, suite-subtest-run)
   • tparallel: from 0.3.1 to 0.3.2
   • usestdlibvars: from 1.26.0 to 1.27.0 (fix false-positive with number used inside a mathematical operations)
   • wsl: from 4.2.1 to 4.4.1
   • ️⚠️ unused: remove exported-is-used option
2. Fixes
   • SARIF: sanitize level property
   • ️⚠️ typecheck issues should never be ignored
3. Documentation
   • Add link on linter without configuration
   • Remove 'trusted by' page
   • wsl update documentation of the configuration
4. misc.
   • 🎉 go1.23 support

v1.60.0

Compare Source

Cancelled due to a CI problem.

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box