chore(deps): update dependency trivy to v0.49.1

[renovate]

This PR contains the following updates:

Package	Update	Change
trivy	minor	0.48.2 -> 0.49.1

---

Release Notes

aquasecurity/trivy (trivy)

v0.49.1

Compare Source

Changelog

• 6ccc0a5 fix: check unescaped BomRef when matching PkgIdentifier (#​6025)
• 458c5d9 docs: Fix broken link to "pronunciation" (#​6057)
• 5c0ff6d chore(deps): bump actions/upload-artifact from 3 to 4 (#​6047)
• e2bd7f7 chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#​6042)
• f95fbcb chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#​6043)
• 7651bf5 ci: reduce root-reserve-mb size for maximize-build-space (#​6064)
• fc20dfd chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#​6041)
• 3bd80e7 chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#​6039)
• 2900a21 fix: fix cursor usage in Redis Clear function (#​6056)
• 85cb9a7 chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#​6037)
• 4e962c0 fix(nodejs): add local packages support for pnpm-lock.yaml files (#​6034)
• aa48a7b chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#​6046)
• 8aabbea chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#​6044)
• ec02a65 chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#​6048)
• 27d35ba test: fix flaky TestDockerEngine (#​6054)
• c3a66da chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#​6040)
• 2000fe2 chore(deps): bump easimon/maximize-build-space from 9 to 10 (#​6049)
• 2be6421 chore(deps): bump alpine from 3.19.0 to 3.19.1 (#​6051)
• 41c0ef6 chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#​6028)

v0.49.0

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6033

Changelog

• 729a051 fix(java): recursive check all nested depManagements with import scope for pom.xml files (#​5982)
• 884745b chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (#​6029)
• 59e5433 fix(cli): inconsistent behavior across CLI flags, environment variables, and config files (#​5843)
• 5924c02 feat(rust): Support workspace.members parsing for Cargo.toml analysis (#​5285)
• 4df9363 docs: add note about Bun (#​6001)
• 70dd572 fix(report): use AWS_REGION env for secrets in asff template (#​6011)
• 13f797f fix: check returned error before deferring f.Close() (#​6007)
• adfde63 feat(misconf): add support of buildkit instructions when building dockerfile from image config (#​5990)
• e2eb70e feat(vuln): enable --vex for all targets (#​5992)
• f9da021 docs: update link to data sources (#​6000)
• b4b90cf feat(java): add support for line numbers for pom.xml files (#​5991)
• fb36c4e refactor(sbom): use new metadata.tools struct for CycloneDX (#​5981)
• f6be42b docs: Update troubleshooting guide with image not found error (#​5983)
• bb6caea style: update band logos (#​5968)
• 189a46a chore(deps): Update misconfig deps (#​5956)
• 91a2547 docs: update cosign tutorial and commands, update kyverno policy (#​5929)
• a96f66f docs: update command to scan go binary (#​5969)
• 2212d14 fix: handle non-parsable images names (#​5965)
• 7cad04b chore(deps): bump aquaproj/aqua-installer from 2.1.2 to 2.2.0 (#​5693)
• fbc1a83 fix(amazon): save system files for pkgs containing amzn in src (#​5951)
• 260aa28 fix(alpine): Add EOL support for alpine 3.19. (#​5938)
• 2c9d7c6 feat: allow end-users to adjust K8S client QPS and burst (#​5910)
• ffe2ca7 chore(deps): bump go-ebs-file (#​5934)
• f90d4ee fix(nodejs): find licenses for packages with slash (#​5836)
• c75143f fix(sbom): use group field for pom.xml and nodejs files for CycloneDX reports (#​5922)
• a3fac90 fix: ignore no init containers (#​5939)
• b1b4734 docs: Fix documentation of ecosystem (#​5940)
• a2b6549 docs(misconf): multiple ignores in comment (#​5926)
• ae134a9 fix(secret): find aws secrets ending with a comma or dot (#​5921)
• c8c55fe chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.11.90 to 1.15.11 (#​5885)
• 4d2e785 docs: ✨ Updated ecosystem docs with reference to new community app (#​5918)
• 7895657 fix(java): don't remove excluded deps from upper pom's (#​5838)
• 37e7e3e fix(java): check if a version exists when determining GAV by file name for jar files (#​5630)
• d0c81e2 feat(vex): add PURL matching for CSAF VEX (#​5890)
• 958e1f1 fix(secret): AWS Secret Access Key must include only secrets with aws text. (#​5901)
• 56c4e24 revert(report): don't escape new line characters for sarif format (#​5897)
• 92d9b3d docs: improve filter by rego (#​5402)
• a626cdf chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#​5892)
• 47b6c28 docs: add_scan2html_to_trivy_ecosystem (#​5875)
• 0ebb6c4 fix(vm): update ext4-filesystem fix reading groupdescriptor in 32bit mode (#​5888)
• c47ed0d feat(vex): Add support for CSAF format (#​5535)
• 2cdd65d chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts from 1.26.2 to 1.26.7 (#​5880)
• cba67d1 chore(deps): bump actions/setup-go from 4 to 5 (#​5845)
• d990e70 chore(deps): bump actions/stale from 8 to 9 (#​5846)
• c72dfbf chore(deps): bump github.com/open-policy-agent/opa from 0.58.0 to 0.60.0 (#​5853)
• 1218984 chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#​5847)
• 682210a chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.28.0 (#​5854)
• e1a60cc chore(deps): bump alpine from 3.18.5 to 3.19.0 (#​5849)
• b508414 chore(deps): bump actions/setup-python from 4 to 5 (#​5848)
• df3e90a feat(python): parse licenses from dist-info folder (#​4724)
• fa2e883 chore(deps): bump github.com/secure-systems-lab/go-securesystemslib from 0.7.0 to 0.8.0 (#​5852)
• 30eff9c feat(nodejs): add yarn alias support (#​5818)
• 013df4c chore(deps): bump github.com/samber/lo from 1.38.1 to 1.39.0 (#​5850)
• b1489f3 chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#​5856)
• 7f2e422 chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#​5855)
• da597c4 refactor: propagate time through context values (#​5858)
• 1607eee refactor: move PkgRef under PkgIdentifier (#​5831)
• b3d516e fix(cyclonedx): fix unmarshal for licenses (#​5828)
• c17b660 chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#​5830)
• 1f0d629 feat(vuln): include pkg identifier on detected vulnerabilities (#​5439)

v0.48.3

Compare Source

Changelog

• eac7513 chore(deps): bump github.com/cloudflare/circl from 1.3.6 to 1.3.7 (#​5892)
• d866b71 chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.32.0 (#​5855)
• 34ba96e chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#​5830)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. If the pull request still needs attention, please leave a comment and it will be reopened.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.49.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.