🌱 Update Builder Image group #132

Merged
merged 1 commit into from
May 8, 2024

cluster-stack-bot[bot]

@cluster-stack-bot cluster-stack-bot bot commented Apr 1, 2024

This PR contains the following updates:

| Package | Type | Update | Change |
| --- | --- | --- | --- |
| docker.io/aquasec/trivy (source) | stage | minor | 0.49.1 -> 0.51.1 |
| golangci/golangci-lint | | minor | v1.56.2 -> v1.58.0 |
| lycheeverse/lychee | | minor | v0.14.3 -> v0.15.1 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

aquasecurity/trivy (docker.io/aquasec/trivy)

v0.51.1

Compare Source

Changelog

v0.51.0

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6622

Changelog

v0.50.4

Compare Source

Note

v0.50.3 had a critical problem, and we deleted it and released v0.50.4.

Changelog

v0.50.2

Compare Source

Changelog

  • 9aa9e17 ci: use tmp dir inside Trivy repo dir for GoReleaser (#​6533)
  • 058f483 chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#​6526)
  • 9e3d2c5 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#​6523)
  • 2ad8e33 fix(java): update logic to detect pom.xml file snapshot artifacts from remote repositories (#​6412)

v0.50.1

Compare Source

Changelog

  • 5f69937 fix(sbom): fix error when parent of SPDX Relationships is not a package. (#​6399)
  • 258d153 fix(nodejs): merge Indirect, Dev, ExternalReferences fields for same deps from package-lock.json files v2 or later (#​6356)
  • ade033a docs: add info about support for package license detection in fs/repo modes (#​6381)
  • f85c9fa fix(nodejs): add support for parsing workspaces from package.json as an object (#​6231)
  • 9d7f5c9 fix: use 0600 perms for tmp files for post analyzers (#​6386)
  • f148eb1 fix(helm): scan the subcharts once (#​6382)
  • 97f95c4 docs(terraform): add file patterns for Terraform Plan (#​6393)
  • abd62ae fix(terraform): checking SSE encryption algorithm validity (#​6341)
  • 7c409fd fix(java): parse modules from pom.xml files once (#​6312)
  • 1b68327 chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#​6364)
  • a2482c1 fix(server): add Locations for Packages in client/server mode (#​6366)
  • e866bd5 fix(sbom): add check for CreationInfo to nil when detecting SPDX created using Trivy (#​6346)
  • 1870f28 fix(report): don't include empty strings in .vulnerabilities[].identifiers[].url when gitlab.tpl is used (#​6348)
  • 6c81e55 chore(ubuntu): Add Ubuntu 22.04 EOL date (#​6371)

v0.50.0

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6340

Changelog

  • 8ec3938 chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#​6321)
  • f6c5d58 feat(java): add support licenses and graph for gradle lock files (#​6140)
  • c4022d6 feat(vex): consider root component for relationships (#​6313)
  • 3177924 fix: increase the default buffer size for scanning dpkg status files by 2 times (#​6298)
  • dd9620e chore: updates wazero to v1.7.0 (#​6301)
  • eb3ceb3 feat(sbom): Support license detection for SBOM scan (#​6072)
  • ab74caa refactor(sbom): use intermediate representation for SPDX (#​6310)
  • 71da44f docs(terraform): improve documentation for filtering by inline comments (#​6284)
  • 102b6df fix(terraform): fix policy document retrieval (#​6276)
  • aa19aaf refactor(terraform): remove unused custom error (#​6303)
  • 8fcef35 refactor(sbom): add intermediate representation for BOM (#​6240)
  • fb8c516 fix(amazon): check only major version of AL to find advisories (#​6295)
  • 96bd7ac fix(db): use schema version as tag only for trivy-db and trivy-java-db registries by default (#​6219)
  • 12c5bf0 fix(nodejs): add name validation for package name from package.json (#​6268)
  • d6c40ce docs: Added install instructions for FreeBSD (#​6293)
  • 9d2057a feat(image): customer podman host or socket option (#​6256)
  • 2a9d9bd chore(deps): bump wazero from 1.2.1 to 1.6.0 (#​6290)
  • 617c3e3 feat(java): mark dependencies from maven-invoker-plugin integration tests pom.xml files as Dev (#​6213)
  • 56cedc0 fix(license): reorder logic of how python package licenses are acquired (#​6220)
  • d7d7265 test(terraform): skip cached modules (#​6281)
  • 6639911 feat(secret): Support for detecting Hugging Face Access Tokens (#​6236)
  • 337cb75 fix(cloudformation): support of all SSE algorithms for s3 (#​6270)
  • 9361cdb feat(terraform): Terraform Plan snapshot scanning support (#​6176)
  • ee01e6e chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#​6249)
  • 3d2f583 fix: typo function name and comment optimization (#​6200)
  • c4b5ab7 fix(java): don't ignore runtime scope for pom.xml files (#​6223)
  • 355c1b5 chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#​6242)
  • 7244ece chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#​6243)
  • 5cd0566 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#​6251)
  • ebb74a5 chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#​6253)
  • 24a8d6a chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#​6250)
  • 9d0d7ad chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#​6247)
  • e8230e1 chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#​6246)
  • 04535b5 fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#​6215)
  • 939e34e chore(deps): Upgrade iac deps (#​6255)
  • 7cb6c02 feat: add info log message about dev deps suppression (#​6211)
  • c1d26ec test(k8s): use test-db for k8s integration tests (#​6222)
  • 4f70468 ci: add maximize-build-space for Test job (#​6221)
  • 1dfece8 fix(terraform): fix root module search (#​6160)
  • e1ea02c test(parser): squash test data for yarn (#​6203)
  • 64926d8 fix(terraform): do not re-expand dynamic blocks (#​6151)
  • eb54bb5 docs: update ecosystem page reporting with db app (#​6201)
  • dc76c6e fix: k8s summary separate infra and user finding results (#​6120)
  • 1b7e474 fix: add context to target finding on k8s table view (#​6099)
  • 876ab84 fix: Printf format err (#​6198)
  • eef7c4f refactor: better integration of the parser into Trivy (#​6183)
  • 069aae5 chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#​6189)
  • 4a9ac6d feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#​6108)
  • 9c5e5a0 fix(vex): CSAF filtering should consider relationships (#​5923)
  • 388f476 refactor(report): Replacing source_location in github report when scanning an image (#​5999)
  • cd3e4bc feat(vuln): ignore vulnerabilities by PURL (#​6178)
  • ce81c05 feat(java): add support for fetching packages from repos mentioned in pom.xml (#​6171)
  • cf0f0d0 feat(k8s): rancher rke2 version support (#​5988)
  • 8a3a113 docs: update kbom distribution for scanning (#​6019)
  • 19495ba chore: update CODEOWNERS (#​6173)
  • e787e1a fix(swift): try to use branch to resolve version (#​6168)
  • 327cf88 fix(terraform): ensure consistent path handling across OS (#​6161)
  • 8221473 fix(java): add only valid libs from pom.properties files from jars (#​6164)
  • 7694df1 fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#​6163)
  • 74dc5b6 chore(deps): merge go-dep-parser into Trivy (#​6094)
  • 32a02a9 docs(report): add remark about path to filter licenses using .trivyignore.yaml file (#​6145)
  • fb79ea7 docs: update template path for gitlab-ci tutorial (#​6144)
  • c6844a7 feat(report): support for filtering licenses and secrets via rego policy files (#​6004)
  • a813506 fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#​6113)
  • 14adbb4 refactor(deps): Merge defsec into trivy (#​6109)
  • efe0e0f chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#​6142)
  • 73dde32 docs: add SecObserve in CI/CD and reporting (#​6139)
  • aadbad1 fix(alpine): exclude empty licenses for apk packages (#​6130)
  • 14a0981 docs: add docs tutorial on custom policies with rego (#​6104)
  • 3ac6388 fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#​6102)
  • 3c1601b feat(vuln): show suppressed vulnerabilities in table (#​6084)
  • c107e1a docs: rename governance to principles (#​6107)
  • b26f217 docs: add governance (#​6090)
  • 7bd3b63 refactor(deps): Merge trivy-iac into Trivy (#​6005)
  • 535b5a9 feat(java): add dependency location support for gradle files (#​6083)
  • 428420e chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#​6038)
  • 7fec991 fix(misconf): get user from Config.User (#​6070)

golangci/golangci-lint (golangci/golangci-lint)

v1.58.0

Compare Source

  1. New linters
  2. Updated linters
    • copyloopvar: from 1.0.10 to 1.1.0 (ignore-alias is replaced by check-alias with the opposite behavior)
    • decorder: from 0.4.1 to 0.4.2
    • errname: from 0.1.12 to 0.1.13
    • errorlint: from 1.4.8 to 1.5.1 (new options allowed-errors and allowed-errors-wildcard)
    • execinquery: deprecate linter ⚠️
    • gci: from 0.12.3 to 0.13.4 (new section localModule)
    • gocritic: from 0.11.2 to 0.11.3
    • spancheck: from 0.5.3 to 0.6.1
    • goerr113 is replaced by err113 ⚠️
    • gomnd is replaced by mnd ⚠️
    • gomodguard: from 1.3.1 to 1.3.2
    • grouper: from 1.1.1 to 1.1.2
    • intrange: from 0.1.1 to 0.1.2
    • mirror: from 1.1.0 to 1.2.0
    • misspell: from 0.4.1 to 0.5.1
    • musttag: from 0.9.0 to 0.12.1
    • nilnil: from 0.1.7 to 0.1.8
    • nonamedreturns: from 1.0.4 to 1.0.5
    • promlinter: from 0.2.0 to 0.3.0
    • sloglint: from 0.5.0 to 0.6.0
    • unparam: bump to HEAD (063aff9)
    • whitespace: from 0.1.0 to 0.1.1
  3. Enhancements
    • Speed up "fast" linters when only "fast" linters are run: between 40% and 80% faster at first run (i.e. without cache)
  4. Fixes
    • Use version with module plugins
    • Skip go.mod report inside autogenerated processor
    • Keep only typecheck issues when needed
    • Don't hide typecheck errors inside diff processor
  5. Misc.
    • ⚠️ log an error when using previously deprecated linters (Linter Deprecation Cycle)
      • deadcode: deprecated since v1.49.0 (2022-08-23).
      • exhaustivestruct: deprecated since v1.46.0 (2022-05-08).
      • golint: deprecated since v1.41.0 (2021-06-15).
      • ifshort: deprecated since v1.48.0 (2022-08-04).
      • interfacer: deprecated since v1.38.0 (2021-03-03).
      • maligned: deprecated since v1.38.0 (2021-03-03).
      • nosnakecase: deprecated since v1.48.0 (2022-08-04).
      • scopelint: deprecated since v1.39.0 (2021-03-25).
      • structcheck: deprecated since v1.49.0 (2022-08-23).
      • varcheck: deprecated since v1.49.0 (2022-08-23).
    • ⚠️ Deprecate usage of linter alternative names
    • Remove help display on errors with config verify command
    • Add pre-commit hook to run config verify
    • Improve github-action output
  6. Documentation
    • docs: remove deprecated Atom from Editor Integrations

GitHub Action (v5.1.0) for golangci-lint:

  • support for pull, pull_request_target, and merge_group events with the option only-new-issues.
  • ⚠️ skip-pkg-cache and skip-build-cache have been removed because the cache related to Go itself is already handled by actions/setup-go.
  • with golangci-lint v1.58, the file information (path and position) will be displayed on the log.

v1.57.2

Compare Source

  1. Updated linters
    • contextcheck: from 1.1.4 to 1.1.5
    • copyloopvar: from 1.0.8 to 1.0.10
    • ginkgolinter: from 0.16.1 to 0.16.2
    • goconst: from 1.7.0 to 1.7.1
    • gomoddirectives: from 0.2.3 to 0.2.4
    • intrange: from 0.1.0 to 0.1.1
  2. Misc.
    • Display warnings on deprecated linter options
    • Fix missing colored-tab output format
    • Fix TeamCity inspectionType service message
  3. Documentation
    • Remove invalid example about mixing files and directory
    • Improve linters page

v1.57.1

Compare Source

  1. Fixes
    • Ignore issues with invalid position (e.g. contextcheck).

v1.57.0

Compare Source

  1. New linters
  2. Updated linters
    • dupword: from 0.0.13 to 0.0.14
    • gci: from 0.12.1 to 0.12.3
    • ginkgolinter: from 0.15.2 to 0.16.1 (new option force-expect-to, validate-async-intervals, and forbid-spec-pollution)
    • go-critic: from 0.11.1 to 0.11.2
    • go-critic: support of enable-all and disable-all options
    • go-spancheck: from 0.5.2 to 0.5.3
    • gomodguard: from 1.3.0 to 1.3.1
    • govet: deprecation of check-shadowing ⚠️
    • govet: disable temporarily httpresponse because of a bug https://github.com/golang/go/issues/66259
    • misspell: add extra-words
    • musttag: from 0.8.0 to 0.9.0
    • nakedret: from 2.0.2 to 2.0.4
    • paralleltest: from 1.0.9 to 1.0.10
    • perfsprint: from 0.6.0 to 0.7.1 (new option strconcat)
    • protogetter: from 0.3.4 to 0.3.5
    • revive: add exclude option
    • sloglint: from 0.4.0 to 0.5.0 (new option no-global)
    • staticcheck: from 0.4.6 to 0.4.7
    • testifylint: from 1.1.2 to 1.2.0 (new option bool-compare)
    • unconvert: to HEAD (new options fast-math and safe)
    • wrapcheck: from 2.8.1 to 2.8.3
    • Disable copyloopvar and intrange on Go < 1.22
  3. Enhancements
    • 🧩 New custom linters system https://golangci-lint.run/plugins/module-plugins/
    • 🎉 Allow running only a specific linter without modifying the file configuration (--enable-only)
    • Allow custom sort order for the reports (output.sort-order)
    • Automatically adjust the maximum concurrency to the container CPU quota if run.concurrency=0
    • Add config verify command to check the configuration against the JSON Schema
    • Option to strictly follow Go generated file convention (issues.exclude-generated-strict)
    • Syntax to not override severity from linters (@linter)
    • Use severities from gosec
    • Create automatically directory related to output.formats.path
    • Use the first issue without inline on mergeLineIssues on multiple issues
  4. Misc.
    • ⚠️ Inactivate deprecated linters (deadcode, exhaustivestruct, golint, ifshort, interfacer, maligned, nosnakecase, scopelint, structcheck, varcheck)
    • ⚠️ Deprecated CLI flags have been removed (deprecated since 2018)
    • ⚠️ Move show-stats option from run to output configuration section
    • ⚠️ Replace run.skip-xxx options by issues.exclude-xxx options
    • ⚠️ Replace output.format by output.formats with a new file configuration syntax
    • Internal rewrite of the CLI
    • Improve 'no go files to analyze' message
    • Use GOTOOLCHAIN=auto inside the Docker images
  5. Documentation

⚠️ Important ⚠️

  1. Deprecated linters are inactivated, you still need to disable them if you are using enable-all.
  2. Deprecated CLI flags (about linter settings and deadline) have been removed.

lycheeverse/lychee (lycheeverse/lychee)

v0.15.1: Version 0.15.1

Compare Source

Overview

Minor improvements. The plugin request chain is ready for use. Take a look at examples/chain/chain.rs to see how it can be used.

What's Changed
Miscellaneous and Others 🔔
New Contributors

Full Changelog: lycheeverse/lychee@v0.15.0...v0.15.1

v0.15.0: Version 0.15.0

Compare Source

What's Changed
Miscellaneous and Others 🔔
New Contributors

Full Changelog: lycheeverse/lychee@v0.14.3...v0.15.0


Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

| datasource  | package                 | from    | to      |
| ----------- | ----------------------- | ------- | ------- |
| docker      | docker.io/aquasec/trivy | 0.49.1  | 0.51.1  |
| github-tags | golangci/golangci-lint  | v1.56.2 | v1.58.0 |
| github-tags | lycheeverse/lychee      | v0.14.3 | v0.15.1 |

@kranurag7 kranurag7 force-pushed the renovate/cso-builder-image branch from c8bffe5 to a3facdd Compare May 8, 2024 14:59
@kranurag7 kranurag7 merged commit 537d937 into main May 8, 2024
5 checks passed
@kranurag7 kranurag7 deleted the renovate/cso-builder-image branch May 8, 2024 15:09