chore(deps): bump github.com/aquasecurity/trivy from 0.59.1 to 0.60.0

[dependabot]

Bumps github.com/aquasecurity/trivy from 0.59.1 to 0.60.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.60.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#8495

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0600-2025-03-05

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.60.0 (2025-03-05)

Features

• add --vuln-severity-source flag (#8269) (d464807)
• add report summary table (#8177) (dd54f80)
• cyclonedx: Add initial support for loading external VEX files from SBOM references (#8254) (4820eb7)
• go: fix parsing main module version for go >= 1.24 (#8433) (e58dcfc)
• misconf: render causes for Terraform (#8360) (a99498c)

Bug Fixes

• db: fix case when 2 trivy-db were copied at the same time (#8452) (bb3cca6)
• don't use scope for trivy registry login command (#8393) (8715e5d)
• go: merge nested flags into string for ldflags for Go binaries (#8368) (b675b06)
• image: disable AVD-DS-0007 for history scanning (#8366) (a3cd693)
• k8s: add missed option PkgRelationships (#8442) (f987e41)
• misconf: do not log scanners when misconfig scanning is disabled (#8345) (5695eb2)
• misconf: ecs include enhanced for container insights (#8326) (39789ff)
• misconf: fix incorrect k8s locations due to JSON to YAML conversion (#8073) (a994453)
• os: add mapping OS aliases (#8466) (6b4cebe)
• python: add poetry v2 support (#8323) (10cd98c)
• report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344) (3eb0b03)
• sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) (ecc01bb)
• sbom: improve logic for binding direct dependency to parent component (#8489) (85cca8c)
• sbom: preserve OS packages from multiple SBOMs (#8325) (bd5baaf)
• server: secrets inspectation for the config analyzer in client server mode (#8418) (a1c4bd7)
• spdx: init pkgFilePaths map for all formats (#8380) (72ea4b0)
• terraform: apply parser options to submodule parsing (#8377) (398620b)
• update all documentation links (#8045) (49456ba)

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)

... (truncated)

Commits

• a4009f6 release: v0.60.0 [main] (#8327)
• 85cca8c fix(sbom): improve logic for binding direct dependency to parent component (#...
• 9892d04 chore(deps): remove missed replace of trivy-db (#8492)
• 8a89b2b chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 d...
• 57b08d6 chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
• 453c66d docs: add abbreviation list (#8453)
• f670602 chore(terraform): assign *terraform.Module 'parent' field (#8444)
• dd54f80 feat: add report summary table (#8177)
• ab1cf03 chore(deps): bump the github-actions group with 3 updates (#8473)
• 1f85b27 refactor(vex): improve SBOM reference handling with project standards (#8457)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[afsmeira]

Superseded by #168.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.