chore(deps): update dependency trivy to v0.60.0

[renovate]

This PR contains the following updates:

Package	Update	New value	References	Sourcegraph
trivy	minor	0.60.0	source

Test plan: CI should pass with updated dependencies. No review required: this is an automated dependency update PR.

---

Release Notes

aquasecurity/trivy (trivy)

v0.60.0

Compare Source

Features

• add --vuln-severity-source flag (#​8269) (d464807)
• add report summary table (#​8177) (dd54f80)
• cyclonedx: Add initial support for loading external VEX files from SBOM references (#​8254) (4820eb7)
• go: fix parsing main module version for go >= 1.24 (#​8433) (e58dcfc)
• misconf: render causes for Terraform (#​8360) (a99498c)

Bug Fixes

• db: fix case when 2 trivy-db were copied at the same time (#​8452) (bb3cca6)
• don't use scope for trivy registry login command (#​8393) (8715e5d)
• go: merge nested flags into string for ldflags for Go binaries (#​8368) (b675b06)
• image: disable AVD-DS-0007 for history scanning (#​8366) (a3cd693)
• k8s: add missed option PkgRelationships (#​8442) (f987e41)
• misconf: do not log scanners when misconfig scanning is disabled (#​8345) (5695eb2)
• misconf: ecs include enhanced for container insights (#​8326) (39789ff)
• misconf: fix incorrect k8s locations due to JSON to YAML conversion (#​8073) (a994453)
• os: add mapping OS aliases (#​8466) (6b4cebe)
• python: add poetry v2 support (#​8323) (10cd98c)
• report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#​8344) (3eb0b03)
• sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#​8346) (ecc01bb)
• sbom: improve logic for binding direct dependency to parent component (#​8489) (85cca8c)
• sbom: preserve OS packages from multiple SBOMs (#​8325) (bd5baaf)
• server: secrets inspectation for the config analyzer in client server mode (#​8418) (a1c4bd7)
• spdx: init pkgFilePaths map for all formats (#​8380) (72ea4b0)
• terraform: apply parser options to submodule parsing (#​8377) (398620b)
• update all documentation links (#​8045) (49456ba)

v0.59.1

Compare Source

Changelog

• 9aabfd2 release: v0.59.1 [release/v0.59] (#​8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#​8349)
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#​8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#​8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#​8333)

v0.59.0

Compare Source

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#​8070) (da17dc7)
• add a examples field to check metadata (#​8068) (6d84e0c)
• add support for registry mirrors (#​8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#​8278) (b5062f3)
• image: prevent scanning oversized container images (#​8178) (509e030)
• image: return error early if total size of layers exceeds limit (#​8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#​8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#​8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#​8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#​8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#​7989) (7389961)
• python: add support for poetry dev dependencies (#​8152) (774e04d)
• python: add support for uv (#​8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#​8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#​8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#​8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#​8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#​7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#​8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#​8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#​8060) (51f2123)
• improve conversion of image config to Dockerfile (#​8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#​8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#​8095) (f5e4291)
• misconf: allow null values only for tf variables (#​8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#​8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#​8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#​8284) (0a3887c)
• misconf: use log instead of fmt for logging (#​8033) (07b2d7f)
• oracle: add architectures support for advisories (#​4809) (90f1d8d)
• python: skip dev group's deps for poetry (#​8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#​8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#​8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#​7580) (21b68e1)
• sbom: attach nested packages to Application (#​8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#​8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#​7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#​8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#​8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#​8236) (ae28398)
• Updated twitter icon (#​7772) (2c41ac8)
• wasm module test (#​8099) (2200f38)

Performance Improvements

• avoid heap allocation in applier findPackage (#​7883) (9bd6ed7)

v0.58.2

Compare Source

Changelog

• 936f06a release: v0.58.2 [release/v0.58] (#​8216)
• f72d2bc fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#​8238)
• 2896367 fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#​8237)
• b733ecc fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#​8215)

v0.58.1

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8171

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.58/CHANGELOG.md#0581-2024-12-24

v0.58.0

Compare Source

Features

• add workspaceRelationship (#​7889) (d622ca2)
• add cvss v4 score and vector in scan response (#​7968) (e0f2054)
• go: construct dependencies in the parser (#​7973) (bcdc0bb)
• go: construct dependencies of go.mod main module in the parser (#​7977) (5448ba2)
• k8s: add default commands for unknown platform (#​7863) (b1c7f55)
• misconf: log causes of HCL file parsing errors (#​7634) (e9a899a)
• oracle: add flavors support (#​7858) (b9b383e)
• secret: Add built-in secrets rules for Private Packagist (#​7826) (132d9df)
• suse: Align SUSE/OpenSUSE OS Identifiers (#​7965) (45d3b40)
• Update registry fallbacks (#​7679) (5ba9a83)

Bug Fixes

• alpine: add UID for removed packages (#​7887) (07915da)
• aws: change CPU and Memory type of ContainerDefinition to a string (#​7995) (aeeba70)
• cli: Handle empty ignore files more gracefully (#​7962) (4cfb2a9)
• debian: infinite loop (#​7928) (d982e6a)
• fs: add missing defered Cleanup() call to post analyzer fs (#​7882) (ab32297)
• Improve version comparisons when build identifiers are present (#​7873) (eda4d76)
• k8s: check all results for vulnerabilities (#​7946) (797b36f)
• misconf: do not erase variable type for child modules (#​7941) (de3b7ea)
• misconf: handle null properties in CloudFormation templates (#​7813) (99b2db3)
• misconf: load full Terraform module (#​7925) (fbc42a0)
• misconf: properly resolve local Terraform cache (#​7983) (fe3a897)
• misconf: Update trivy-checks default repo to mirror.gcr.io (#​7953) (9988147)
• misconf: wrap AWS EnvVar to iac types (#​7407) (54130dc)
• redhat: don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#​7912) (38775a5)
• report: handle [email protected] schema for misconfigs in sarif report (#​7898) (19aea4b)
• sbom: Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#​7871) (461a68a)
• terraform: set null value as fallback for missing variables (#​7669) (611558e)

v0.57.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7951

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.57/CHANGELOG.md#0571-2024-11-18

v0.57.0

Compare Source

⚠ BREAKING CHANGES

• k8s: support k8s multi container (#​7444)

Features

• add end of life date for Ubuntu 24.10 (#​7787) (ad3c09e)
• cli: add trivy auth (#​7664) (27117f8)
• cli: error out when ignore file cannot be found (#​7624) (cb0b3a9)
• cli: rename trivy auth to trivy registry (#​7727) (633a7ab)
• cyclonedx: add file checksums to CycloneDX reports (#​7507) (c225883)
• db: append errors (#​7843) (5e78b6c)
• misconf: export unresolvable field of IaC types to Rego (#​7765) (9514148)
• misconf: public network support for Azure Storage Account (#​7601) (ad91412)
• misconf: Show misconfig ID in output (#​7762) (f75c0d1)
• misconf: ssl_mode support for GCP SQL DB instance (#​7564) (2eaa17e)
• parser: ignore white space in pom.xml files (#​7747) (a7baa93)
• report: update gitlab template to populate operating_system value (#​7735) (c0d79fa)

Bug Fixes

• cli: clean --all deletes only relevant dirs (#​7704) (672e886)
• cli: add config name to skip-policy-update alias (#​7820) (b661d68)
• db: fix javadb downloading error handling (#​7642) (2c87f0c)
• enable usestdlibvars linter (#​7770) (57e24aa)
• go: Do not trim v prefix from versions in Go Mod Analyzer (#​7733) (e872ec0)
• helm: properly handle multiple archived dependencies (#​7782) (6fab88d)
• java: correctly inherit version and scope from upper/root depManagement and dependencies into parents (#​7541) (778df82)
• k8s: skip resources without misconfigs (#​7797) (7882776)
• k8s: support k8s multi container (#​7444) (c434775)
• k8s: support kubernetes v1.31 (#​7810) (7a4f4d8)
• license: fix license normalization for Universal Permissive License (#​7766) (f6acdf7)
• misconf: change default ACL of digitalocean_spaces_bucket to private (#​7577) (9da84f5)
• misconf: check if property is not nil before conversion (#​7578) (c8c14d3)
• misconf: fix for Azure Storage Account network acls adaptation (#​7602) (35fd018)
• misconf: properly expand dynamic blocks (#​7612) (8d5dbc9)
• redhat: include arch in PURL qualifiers (#​7654) (a585e95)
• repo: git clone output to Stderr (#​7561) (fdf203c)
• report: Fix invalid URI in SARIF report (#​7645) (015bb88)
• sbom: add options for DBs in private registries (#​7660) (1f2e91b)
• sbom: use Annotation instead of AttributionTexts for SPDX formats (#​7811) (f2bb9c6)

v0.56.2

Compare Source

Changelog

• f2252c8 release: v0.56.2 [release/v0.56] (#​7694)
• f6700ec fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#​7702)
• 25d2540 fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#​7691)

v0.56.1

Compare Source

Changelog

• 95dbf11 release: v0.56.1 [release/v0.56] (#​7648)
• 5dbdadf fix(db): fix javadb downloading error handling [backport: release/v0.56] (#​7646)

v0.56.0

Compare Source

Features

• java: add empty versions if pom.xml dependency versions can't be detected (#​7520) (b836232)
• license: improve license normalization (#​7131) (6472e3c)
• misconf: add ability to disable checks by ID (#​7536) (ef0a27d)
• misconf: Register checks only when needed (#​7435) (f768d3a)
• misconf: Support --skip-* for all included modules (#​7579) (c0e8da3)
• secret: enhance secret scanning for python binary files (#​7223) (60725f8)
• support multiple DB repositories for vulnerability and Java DB (#​7605) (3562529)
• support RPM archives (#​7628) (69bf7e0)
• suse: added SUSE Linux Enterprise Micro support (#​7294) (efdb68d)

Bug Fixes

• allow access to '..' in mapfs (#​7575) (a8fbe46)
• db: check DownloadedAt for trivy-java-db (#​7592) (13ef3e7)
• java: use dependencyManagement from root/child pom's for dependencies from parents (#​7497) (5442949)
• license: stop spliting a long license text (#​7336) (4926da7)
• misconf: Disable deprecated checks by default (#​7632) (82e2adc)
• misconf: disable DS016 check for image history analyzer (#​7540) (de40df9)
• misconf: escape all special sequences (#​7558) (ea0cf03)
• misconf: Fix logging typo (#​7473) (56db43c)
• misconf: Fixed scope for China Cloud (#​7560) (37d549e)
• misconf: not to warn about missing selectors of libraries (#​7638) (fcaea74)
• oracle: Update EOL date for Oracle 7 (#​7480) (dd0a64a)
• report: change a receiver of MarshalJSON (#​7483) (927c6e0)
• report: fix error with unmarshal of ExperimentalModifiedFindings (#​7463) (7ff9aff)
• sbom: export bom-ref when converting a package to a component (#​7340) (5dd94eb)
• sbom: parse type framework as library when unmarshalling CycloneDX files (#​7527) (aeb7039)
• secret: change grafana token regex to find them without unquoted (#​7627) (3e1fa21)

Performance Improvements

• misconf: use port ranges instead of enumeration (#​7549) (1f9fc13)

Reverts

• java: stop supporting of test scope for pom.xml files (#​7488) (b0222fe)

v0.55.2

Compare Source

Changelog

• 928c7c0 release: v0.55.2 [release/v0.55] (#​7523)
• 14a058f fix(java): use dependencyManagement from root/child pom's for dependencies from parents [backport: release/v0.55] (#​7521)
• 990bc4e chore(deps): bump alpine from 3.20.0 to 3.20.3 [backport: release/v0.55] (#​7516)

v0.55.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7494

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0

Compare Source

⚠ BREAKING CHANGES

• cli: delete deprecated SBOM flags (#​7266)

Features

• cli: delete deprecated SBOM flags (#​7266) (7024572)
• go: use toolchain as stdlib version for go.mod files (#​7163) (2d80769)
• java: add test scope support for pom.xml files (#​7414) (2d97700)
• misconf: Add support for using spec from on-disk bundle (#​7179) (be86126)
• misconf: ignore duplicate checks (#​7317) (9ef05fc)
• misconf: iterator argument support for dynamic blocks (#​7236) (fe92072)
• misconf: port and protocol support for EC2 networks (#​7146) (98e136e)
• misconf: scanning support for YAML and JSON (#​7311) (efdbd8f)
• misconf: support for ignore by nested attributes (#​7205) (44e4686)
• misconf: support for policy and bucket grants (#​7284) (a817fae)
• misconf: variable support for Terraform Plan (#​7228) (db2c955)
• python: use minimum version for pip packages (#​7348) (e9b43f8)
• report: export modified findings in JSON (#​7383) (7aea79d)
• sbom: set User-Agent header on requests to Rekor (#​7396) (af1d257)
• server: add internal --path-prefix flag for client/server mode (#​7321) (24a4563)
• server: Make Trivy Server Multiplexer Exported (#​7389) (4c6e8ca)
• vm: Support direct filesystem (#​7058) (45b3f34)
• vm: support the Ext2/Ext3 filesystems (#​6983) (35c60f0)
• vuln: Add --detection-priority flag for accuracy tuning (#​7288) (fd8348d)

Bug Fixes

• aws: handle ECR repositories in different regions (#​6217) (feaef96)
• flag: incorrect behavior for deprected flag --clear-cache (#​7281) (2a0e529)
• helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#​7362) (da4ebfa)
• java: Return error when trying to find a remote pom to avoid segfault (#​7275) (49d5270)
• license: add license handling to JUnit template (#​7409) (f80183c)
• logger initialization before flags parsing (#​7372) (c929290)
• misconf: change default TLS values for the Azure storage account (#​7345) (aadb090)
• misconf: do not filter Terraform plan JSON by name (#​7406) (9d7264a)
• misconf: do not recreate filesystem map (#​7416) (3a5d091)
• misconf: do not register Rego libs in checks registry (#​7420) (a5aa63e)
• misconf: do not set default value for default_cache_behavior (#​7234) (f0ed5e4)
• misconf: fix infer type for null value (#​7424) (0cac3ac)
• misconf: init frameworks before updating them (#​7376) (b65b32d)
• misconf: load only submodule if it is specified in source (#​7112) (a4180bd)
• misconf: support deprecating for Go checks (#​7377) (2a6c7ab)
• misconf: use module to log when metadata retrieval fails (#​7405) (0799770)
• misconf: wrap Azure PortRange in iac types (#​7357) (c5c62d5)
• nodejs: check all importers to detect dev deps from pnpm-lock.yaml file (#​7387) (fd9ed3a)
• plugin: do not call GitHub content API for releases and tags (#​7274) (b3ee6da)
• report: escape Message field in asff.tpl template (#​7401) (dd9733e)
• safely check if the directory exists (#​7353) (05a8297)
• sbom: use NOASSERTION for licenses fields in SPDX formats (#​7403) (c96dcdd)
• secret: use .eyJ keyword for JWT secret (#​7410) (bf64003)
• secret: use only line with secret for long secret lines (#​7412) (391448a)
• terraform: add aws_region name to presets (#​7184) (bb2e26a)

Performance Improvements

• misconf: do not convert contents of a YAML file to string (#​7292) (85dadf5)
• misconf: optimize work with context (#​6968) (2b6d8d9)
• misconf: use json.Valid to check validity of JSON (#​7308) (c766831)

v0.54.1

Compare Source

Changelog

• 854c61d release: v0.54.1 [release/v0.54] (#​7282)
• 334a1c2 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#​7285)
• f61725c fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#​7283)
• a7b7117 fix(plugin): do not call GitHub conten

---

Configuration

📅 Schedule: Branch creation - "on the 1st through 7th day of the month" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.