🌱 Update Builder Image group

[cluster-stack-bot]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/aquasec/trivy (source)	stage	minor	0.51.3 -> 0.59.1
docker.io/hadolint/hadolint	stage	digest	7dba9a9 -> 3c206a4
docker.io/library/alpine	stage	minor	3.20.0 -> 3.21.3
docker.io/library/golang	final	digest	a8712f2 -> c62751a
golangci/golangci-lint		minor	v1.58.2 -> v1.64.5

---

Release Notes

aquasecurity/trivy (docker.io/aquasec/trivy)

v0.59.1

Compare Source

Changelog

• 9aabfd2 release: v0.59.1 [release/v0.59] (#​8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#​8349)
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#​8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#​8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#​8333)

v0.59.0

Compare Source

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#​8070) (da17dc7)
• add a examples field to check metadata (#​8068) (6d84e0c)
• add support for registry mirrors (#​8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#​8278) (b5062f3)
• image: prevent scanning oversized container images (#​8178) (509e030)
• image: return error early if total size of layers exceeds limit (#​8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#​8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#​8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#​8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#​8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#​7989) (7389961)
• python: add support for poetry dev dependencies (#​8152) (774e04d)
• python: add support for uv (#​8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#​8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#​8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#​8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#​8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#​7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#​8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#​8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#​8060) (51f2123)
• improve conversion of image config to Dockerfile (#​8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#​8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#​8095) (f5e4291)
• misconf: allow null values only for tf variables (#​8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#​8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#​8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#​8284) (0a3887c)
• misconf: use log instead of fmt for logging (#​8033) (07b2d7f)
• oracle: add architectures support for advisories (#​4809) (90f1d8d)
• python: skip dev group's deps for poetry (#​8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#​8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#​8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#​7580) (21b68e1)
• sbom: attach nested packages to Application (#​8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#​8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#​7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#​8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#​8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#​8236) (ae28398)
• Updated twitter icon (#​7772) (2c41ac8)
• wasm module test (#​8099) (2200f38)

Performance Improvements

• avoid heap allocation in applier findPackage (#​7883) (9bd6ed7)

v0.58.2

Compare Source

Changelog

• 936f06a release: v0.58.2 [release/v0.58] (#​8216)
• f72d2bc fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#​8238)
• 2896367 fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#​8237)
• b733ecc fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#​8215)

v0.58.1

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8171

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.58/CHANGELOG.md#0581-2024-12-24

v0.58.0

Compare Source

Features

• add workspaceRelationship (#​7889) (d622ca2)
• add cvss v4 score and vector in scan response (#​7968) (e0f2054)
• go: construct dependencies in the parser (#​7973) (bcdc0bb)
• go: construct dependencies of go.mod main module in the parser (#​7977) (5448ba2)
• k8s: add default commands for unknown platform (#​7863) (b1c7f55)
• misconf: log causes of HCL file parsing errors (#​7634) (e9a899a)
• oracle: add flavors support (#​7858) (b9b383e)
• secret: Add built-in secrets rules for Private Packagist (#​7826) (132d9df)
• suse: Align SUSE/OpenSUSE OS Identifiers (#​7965) (45d3b40)
• Update registry fallbacks (#​7679) (5ba9a83)

Bug Fixes

• alpine: add UID for removed packages (#​7887) (07915da)
• aws: change CPU and Memory type of ContainerDefinition to a string (#​7995) (aeeba70)
• cli: Handle empty ignore files more gracefully (#​7962) (4cfb2a9)
• debian: infinite loop (#​7928) (d982e6a)
• fs: add missing defered Cleanup() call to post analyzer fs (#​7882) (ab32297)
• Improve version comparisons when build identifiers are present (#​7873) (eda4d76)
• k8s: check all results for vulnerabilities (#​7946) (797b36f)
• misconf: do not erase variable type for child modules (#​7941) (de3b7ea)
• misconf: handle null properties in CloudFormation templates (#​7813) (99b2db3)
• misconf: load full Terraform module (#​7925) (fbc42a0)
• misconf: properly resolve local Terraform cache (#​7983) (fe3a897)
• misconf: Update trivy-checks default repo to mirror.gcr.io (#​7953) (9988147)
• misconf: wrap AWS EnvVar to iac types (#​7407) (54130dc)
• redhat: don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#​7912) (38775a5)
• report: handle [email protected] schema for misconfigs in sarif report (#​7898) (19aea4b)
• sbom: Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#​7871) (461a68a)
• terraform: set null value as fallback for missing variables (#​7669) (611558e)

v0.57.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7951

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.57/CHANGELOG.md#0571-2024-11-18

v0.57.0

Compare Source

⚠ BREAKING CHANGES

• k8s: support k8s multi container (#​7444)

Features

• add end of life date for Ubuntu 24.10 (#​7787) (ad3c09e)
• cli: add trivy auth (#​7664) (27117f8)
• cli: error out when ignore file cannot be found (#​7624) (cb0b3a9)
• cli: rename trivy auth to trivy registry (#​7727) (633a7ab)
• cyclonedx: add file checksums to CycloneDX reports (#​7507) (c225883)
• db: append errors (#​7843) (5e78b6c)
• misconf: export unresolvable field of IaC types to Rego (#​7765) (9514148)
• misconf: public network support for Azure Storage Account (#​7601) (ad91412)
• misconf: Show misconfig ID in output (#​7762) (f75c0d1)
• misconf: ssl_mode support for GCP SQL DB instance (#​7564) (2eaa17e)
• parser: ignore white space in pom.xml files (#​7747) (a7baa93)
• report: update gitlab template to populate operating_system value (#​7735) (c0d79fa)

Bug Fixes

• cli: clean --all deletes only relevant dirs (#​7704) (672e886)
• cli: add config name to skip-policy-update alias (#​7820) (b661d68)
• db: fix javadb downloading error handling (#​7642) (2c87f0c)
• enable usestdlibvars linter (#​7770) (57e24aa)
• go: Do not trim v prefix from versions in Go Mod Analyzer (#​7733) (e872ec0)
• helm: properly handle multiple archived dependencies (#​7782) (6fab88d)
• java: correctly inherit version and scope from upper/root depManagement and dependencies into parents (#​7541) (778df82)
• k8s: skip resources without misconfigs (#​7797) (7882776)
• k8s: support k8s multi container (#​7444) (c434775)
• k8s: support kubernetes v1.31 (#​7810) (7a4f4d8)
• license: fix license normalization for Universal Permissive License (#​7766) (f6acdf7)
• misconf: change default ACL of digitalocean_spaces_bucket to private (#​7577) (9da84f5)
• misconf: check if property is not nil before conversion (#​7578) (c8c14d3)
• misconf: fix for Azure Storage Account network acls adaptation (#​7602) (35fd018)
• misconf: properly expand dynamic blocks (#​7612) (8d5dbc9)
• redhat: include arch in PURL qualifiers (#​7654) (a585e95)
• repo: git clone output to Stderr (#​7561) (fdf203c)
• report: Fix invalid URI in SARIF report (#​7645) (015bb88)
• sbom: add options for DBs in private registries (#​7660) (1f2e91b)
• sbom: use Annotation instead of AttributionTexts for SPDX formats (#​7811) (f2bb9c6)

v0.56.2

Compare Source

Changelog

• f2252c8 release: v0.56.2 [release/v0.56] (#​7694)
• f6700ec fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#​7702)
• 25d2540 fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#​7691)

v0.56.1

Compare Source

Changelog

• 95dbf11 release: v0.56.1 [release/v0.56] (#​7648)
• 5dbdadf fix(db): fix javadb downloading error handling [backport: release/v0.56] (#​7646)

v0.56.0

Compare Source

Features

• java: add empty versions if pom.xml dependency versions can't be detected (#​7520) (b836232)
• license: improve license normalization (#​7131) (6472e3c)
• misconf: add ability to disable checks by ID (#​7536) (ef0a27d)
• misconf: Register checks only when needed (#​7435) (f768d3a)
• misconf: Support --skip-* for all included modules (#​7579) (c0e8da3)
• secret: enhance secret scanning for python binary files (#​7223) (60725f8)
• support multiple DB repositories for vulnerability and Java DB (#​7605) (3562529)
• support RPM archives (#​7628) (69bf7e0)
• suse: added SUSE Linux Enterprise Micro support (#​7294) (efdb68d)

Bug Fixes

• allow access to '..' in mapfs (#​7575) (a8fbe46)
• db: check DownloadedAt for trivy-java-db (#​7592) (13ef3e7)
• java: use dependencyManagement from root/child pom's for dependencies from parents (#​7497) (5442949)
• license: stop spliting a long license text (#​7336) (4926da7)
• misconf: Disable deprecated checks by default (#​7632) (82e2adc)
• misconf: disable DS016 check for image history analyzer (#​7540) (de40df9)
• misconf: escape all special sequences (#​7558) (ea0cf03)
• misconf: Fix logging typo (#​7473) (56db43c)
• misconf: Fixed scope for China Cloud (#​7560) (37d549e)
• misconf: not to warn about missing selectors of libraries (#​7638) (fcaea74)
• oracle: Update EOL date for Oracle 7 (#​7480) (dd0a64a)
• report: change a receiver of MarshalJSON (#​7483) (927c6e0)
• report: fix error with unmarshal of ExperimentalModifiedFindings (#​7463) (7ff9aff)
• sbom: export bom-ref when converting a package to a component (#​7340) (5dd94eb)
• sbom: parse type framework as library when unmarshalling CycloneDX files (#​7527) (aeb7039)
• secret: change grafana token regex to find them without unquoted (#​7627) (3e1fa21)

Performance Improvements

• misconf: use port ranges instead of enumeration (#​7549) (1f9fc13)

Reverts

• java: stop supporting of test scope for pom.xml files (#​7488) (b0222fe)

v0.55.2

Compare Source

Changelog

• 928c7c0 release: v0.55.2 [release/v0.55] (#​7523)
• 14a058f fix(java): use dependencyManagement from root/child pom's for dependencies from parents [backport: release/v0.55] (#​7521)
• 990bc4e chore(deps): bump alpine from 3.20.0 to 3.20.3 [backport: release/v0.55] (#​7516)

v0.55.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7494

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0

Compare Source

⚠ BREAKING CHANGES

• cli: delete deprecated SBOM flags (#​7266)

Features

• cli: delete deprecated SBOM flags (#​7266) (7024572)
• go: use toolchain as stdlib version for go.mod files (#​7163) (2d80769)
• java: add test scope support for pom.xml files (#​7414) (2d97700)
• misconf: Add support for using spec from on-disk bundle (#​7179) (be86126)
• misconf: ignore duplicate checks (#​7317) (9ef05fc)
• misconf: iterator argument support for dynamic blocks (#​7236) (fe92072)
• misconf: port and protocol support for EC2 networks (#​7146) (98e136e)
• misconf: scanning support for YAML and JSON (#​7311) (efdbd8f)
• misconf: support for ignore by nested attributes (#​7205) (44e4686)
• misconf: support for policy and bucket grants (#​7284) (a817fae)
• misconf: variable support for Terraform Plan (#​7228) (db2c955)
• python: use minimum version for pip packages (#​7348) (e9b43f8)
• report: export modified findings in JSON (#​7383) (7aea79d)
• sbom: set User-Agent header on requests to Rekor (#​7396) (af1d257)
• server: add internal --path-prefix flag for client/server mode (#​7321) (24a4563)
• server: Make Trivy Server Multiplexer Exported (#​7389) (4c6e8ca)
• vm: Support direct filesystem (#​7058) (45b3f34)
• vm: support the Ext2/Ext3 filesystems (#​6983) (35c60f0)
• vuln: Add --detection-priority flag for accuracy tuning (#​7288) (fd8348d)

Bug Fixes

• aws: handle ECR repositories in different regions (#​6217) (feaef96)
• flag: incorrect behavior for deprected flag --clear-cache (#​7281) (2a0e529)
• helm: explicitly define kind and apiVersion of volumeClaimTemplate element (#​7362) (da4ebfa)
• java: Return error when trying to find a remote pom to avoid segfault (#​7275) (49d5270)
• license: add license handling to JUnit template (#​7409) (f80183c)
• logger initialization before flags parsing (#​7372) (c929290)
• misconf: change default TLS values for the Azure storage account (#​7345) (aadb090)
• misconf: do not filter Terraform plan JSON by name (#​7406) (9d7264a)
• misconf: do not recreate filesystem map (#​7416) (3a5d091)
• misconf: do not register Rego libs in checks registry (#​7420) (a5aa63e)
• misconf: do not set default value for default_cache_behavior (#​7234) (f0ed5e4)
• misconf: fix infer type for null value (#​7424) (0cac3ac)
• misconf: init frameworks before updating them (#​7376) (b65b32d)
• misconf: load only submodule if it is specified in source (#​7112) (a4180bd)
• misconf: support deprecating for Go checks (#​7377) (2a6c7ab)
• misconf: use module to log when metadata retrieval fails (#​7405) (0799770)
• misconf: wrap Azure PortRange in iac types (#​7357) (c5c62d5)
• nodejs: check all importers to detect dev deps from pnpm-lock.yaml file (#​7387) (fd9ed3a)
• plugin: do not call GitHub content API for releases and tags (#​7274) (b3ee6da)
• report: escape Message field in asff.tpl template (#​7401) (dd9733e)
• safely check if the directory exists (#​7353) (05a8297)
• sbom: use NOASSERTION for licenses fields in SPDX formats (#​7403) (c96dcdd)
• secret: use .eyJ keyword for JWT secret (#​7410) (bf64003)
• secret: use only line with secret for long secret lines (#​7412) (391448a)
• terraform: add aws_region name to presets (#​7184) (bb2e26a)

Performance Improvements

• misconf: do not convert contents of a YAML file to string (#​7292) (85dadf5)
• misconf: optimize work with context (#​6968) (2b6d8d9)
• misconf: use json.Valid to check validity of JSON (#​7308) (c766831)

v0.54.1

Compare Source

Changelog

• 854c61d release: v0.54.1 [release/v0.54] (#​7282)
• 334a1c2 fix(flag): incorrect behavior for deprected flag --clear-cache [backport: release/v0.54] (#​7285)
• f61725c fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#​7283)
• a7b7117 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#​7279)

v0.54.0

Compare Source

Features

• add log.FilePath() function for logger (#​7080) (1f5f348)
• add openSUSE tumbleweed detection and scanning (#​6965) (17b5dbf)
• cli: rename --vuln-type flag to --pkg-types flag (#​7104) (7cbdb0a)
• mariner: Add support for Azure Linux (#​7186) (5cbc452)
• misconf: enabled China configuration for ACRs (#​7156) (d1ec89d)
• nodejs: add license parser to pnpm analyser (#​7036) (03ac93d)
• sbom: add image labels into SPDX and CycloneDX reports (#​7257) (4a2f492)
• sbom: add vulnerability support for SPDX formats (#​7213) (efb1f69)
• share build-in rules (#​7207) (bff317c)
• vex: retrieve VEX attestations from OCI registries (#​7249) (c2fd2e0)
• vex: VEX Repository support (#​7206) (88ba460)
• vuln: add --pkg-relationships (#​7237) (5c37361)

Bug Fixes

• Add dependencyManagement exclusions to the child exclusions (#​6969) (dc68a66)
• add missing platform and type to spec (#​7149) (c8a7abd)
• cli: error on missing config file (#​7154) (7fa5e7d)
• close file when failed to open gzip (#​7164) (2a577a7)
• dotnet: don't include non-runtime libraries into report for *.deps.json files (#​7039) (5bc662b)
• dotnet: show nuget package dir not found log only when checking nuget packages (#​7194) (d76feba)
• ignore nodes when listing permission is not allowed (#​7107) (25f8143)
• java: avoid panic if deps from pom in it dir are not found (#​7245) (4e54a7e)
• java: use go-mvn-version to remove Package duplicates (#​7088) (a7a304d)
• misconf: do not evaluate TF when a load error occurs (#​7109) (f27c236)
• nodejs: detect direct dependencies when using latest version for files yarn.lock + package.json (#​7110) (54bb8bd)
• report: hide empty table when all secrets/license/misconfigs are ignored ([#​7171](https://redirect.github.c

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

[cluster-stack-bot]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.