Compare commits

29 Commits

Author SHA1 Message Date
dependabot[bot]
fe03414596 chore(deps): bump the common group across 1 directory with 13 updates
Bumps the common group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/BurntSushi/toml](https://github.com/BurntSushi/toml) | `1.5.0` | `1.6.0` |
| [github.com/GoogleCloudPlatform/docker-credential-gcr/v2](https://github.com/GoogleCloudPlatform/docker-credential-gcr) | `2.1.30` | `2.1.31` |
| [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) | `2.2.0` | `2.2.1` |
| [github.com/gocsaf/csaf/v3](https://github.com/gocsaf/csaf) | `3.5.0` | `3.5.1` |
| [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) | `1.11.0` | `1.12.1` |
| [github.com/tetratelabs/wazero](https://github.com/tetratelabs/wazero) | `1.10.1` | `1.11.0` |
| [github.com/zclconf/go-cty-yaml](https://github.com/zclconf/go-cty-yaml) | `1.1.0` | `1.2.0` |
| google.golang.org/protobuf | `1.36.10` | `1.36.11` |
| [helm.sh/helm/v3](https://github.com/helm/helm) | `3.19.2` | `3.19.4` |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.34.2` | `0.35.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.40.1` | `1.41.0` |
| [github.com/nikolalohinski/gonja/v2](https://github.com/nikolalohinski/gonja) | `2.4.2` | `2.5.1` |



Updates `github.com/BurntSushi/toml` from 1.5.0 to 1.6.0
- [Release notes](https://github.com/BurntSushi/toml/releases)
- [Commits](https://github.com/BurntSushi/toml/compare/v1.5.0...v1.6.0)

Updates `github.com/GoogleCloudPlatform/docker-credential-gcr/v2` from 2.1.30 to 2.1.31
- [Release notes](https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases)
- [Commits](https://github.com/GoogleCloudPlatform/docker-credential-gcr/compare/v2.1.30...v2.1.31)

Updates `github.com/containerd/containerd/v2` from 2.2.0 to 2.2.1
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v2.2.0...v2.2.1)

Updates `github.com/gocsaf/csaf/v3` from 3.5.0 to 3.5.1
- [Release notes](https://github.com/gocsaf/csaf/releases)
- [Changelog](https://github.com/gocsaf/csaf/blob/main/docs/release-process-hints.md)
- [Commits](https://github.com/gocsaf/csaf/compare/v3.5.0...v3.5.1)

Updates `github.com/open-policy-agent/opa` from 1.11.0 to 1.12.1
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.11.0...v1.12.1)

Updates `github.com/tetratelabs/wazero` from 1.10.1 to 1.11.0
- [Release notes](https://github.com/tetratelabs/wazero/releases)
- [Commits](https://github.com/tetratelabs/wazero/compare/v1.10.1...v1.11.0)

Updates `github.com/zclconf/go-cty-yaml` from 1.1.0 to 1.2.0
- [Changelog](https://github.com/zclconf/go-cty-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/zclconf/go-cty-yaml/compare/v1.1.0...v1.2.0)

Updates `google.golang.org/protobuf` from 1.36.10 to 1.36.11

Updates `helm.sh/helm/v3` from 3.19.2 to 3.19.4
- [Release notes](https://github.com/helm/helm/releases)
- [Commits](https://github.com/helm/helm/compare/v3.19.2...v3.19.4)

Updates `k8s.io/api` from 0.34.2 to 0.35.0
- [Commits](https://github.com/kubernetes/api/compare/v0.34.2...v0.35.0)

Updates `k8s.io/utils` from 0.0.0-20250604170112-4c0f3b243397 to 0.0.0-20251002143259-bc988d571ff4
- [Commits](https://github.com/kubernetes/utils/commits)

Updates `modernc.org/sqlite` from 1.40.1 to 1.41.0
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.40.1...v1.41.0)

Updates `github.com/nikolalohinski/gonja/v2` from 2.4.2 to 2.5.1
- [Commits](https://github.com/nikolalohinski/gonja/compare/v2.4.2...v2.5.1)

---
updated-dependencies:
- dependency-name: github.com/BurntSushi/toml
  dependency-version: 1.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/GoogleCloudPlatform/docker-credential-gcr/v2
  dependency-version: 2.1.31
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/gocsaf/csaf/v3
  dependency-version: 3.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/tetratelabs/wazero
  dependency-version: 1.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/zclconf/go-cty-yaml
  dependency-version: 1.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: google.golang.org/protobuf
  dependency-version: 1.36.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: helm.sh/helm/v3
  dependency-version: 3.19.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: k8s.io/api
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: k8s.io/utils
  dependency-version: 0.0.0-20251002143259-bc988d571ff4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: common
- dependency-name: modernc.org/sqlite
  dependency-version: 1.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
- dependency-name: github.com/nikolalohinski/gonja/v2
  dependency-version: 2.5.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: common
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-12-23 09:29:19 +00:00
Teppei Fukuda
4caf7312b6 feat(flag): add JSON Schema for trivy.yaml configuration file (#9971) 2025-12-23 09:05:17 +00:00
Teppei Fukuda
517365caa3 refactor(debian): use txtar format for test data (#9957) 2025-12-23 06:55:13 +00:00
DmitriyLewen
7a6594c745 chore(deps): bump golang.org/x/tools to v0.40.0 + gopls to v0.21.0 (#9973) 2025-12-22 12:20:10 +00:00
urimils
d3096e7617 feat(rootio): Update trivy db to support usage of Severity from root.io feed (#9930)
Co-authored-by: urimils <urimils@users.noreply.github.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-22 11:45:49 +00:00
Teppei Fukuda
74819bf457 feat(vuln): skip vulnerability scanning for third-party packages in Debian/Ubuntu (#9932) 2025-12-22 10:56:30 +00:00
DmitriyLewen
56f93a1bcf docs: add info that --file-pattern flag doesn't disable default behaviour (#9961) 2025-12-22 08:55:26 +00:00
Ankit Pramanik
10a50a7429 perf(misconf): optimize string concatenation in azure scanner (#9969) 2025-12-22 05:37:36 +00:00
Owen Rumney
75c4dc0f45 chore: add client option to install script (#9962)
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
2025-12-19 09:49:08 +00:00
Aqua Security automated builds
87772521b6 ci(helm): bump Trivy version to 0.68.2 for Trivy Helm Chart 0.20.1 (#9956)
Co-authored-by: GitHub Actions <actions@github.com>
2025-12-17 07:13:29 +00:00
dependabot[bot]
5eda0a4e85 chore(deps): bump github.com/quic-go/quic-go from 0.54.1 to 0.57.0 (#9952)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-17 06:07:48 +00:00
Igor Adulyan
718ec29ec6 docs: update binary signature verification for sigstore bundles (#9929) 2025-12-12 06:56:26 +00:00
DmitriyLewen
d528250a1d chore(deps): bump alpine from 3.22.1 to 3.23.0 (#9935) 2025-12-12 06:55:39 +00:00
DmitriyLewen
f50b96a815 chore(alpine): add EOL date for alpine 3.23 (#9934) 2025-12-12 06:55:09 +00:00
Nikita Pivkin
d65b504cb2 feat(cloudformation): add support for Fn::ForEach (#9508)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-11 18:53:03 +00:00
DmitriyLewen
1a901e5c75 ci: enable check-latest for setup-go (#9931) 2025-12-11 08:17:40 +00:00
Teppei Fukuda
effc1c0d4d feat(debian): detect third-party packages using maintainer list (#9917) 2025-12-11 05:18:31 +00:00
DmitriyLewen
335cc993fa fix(vex): add CVE-2025-66564 as not_affected into Trivy VEX file (#9924) 2025-12-10 12:16:31 +00:00
Kélian Saint-Bonnet
879e4fca12 feat(helm): add sslCertDir parameter (#9697) 2025-12-09 23:15:31 +00:00
Nikita Pivkin
18ecf75176 fix(misconf): respect .yml files when Helm charts are detected (#9912)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-09 23:07:39 +00:00
Teppei Fukuda
56b59e8abb feat(php): add support for dev dependencies in Composer (#9910) 2025-12-09 12:40:05 +00:00
dependabot[bot]
f58826fb2a chore(deps): bump the common group across 1 directory with 9 updates (#9903)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-09 05:35:08 +00:00
dependabot[bot]
39273f34cc chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.1.1+incompatible in the docker group (#9859)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-08 10:25:32 +00:00
Thomas Hille
9db123ccf8 fix: remove trailing tab in statefulset template (#9889) 2025-12-08 06:17:59 +00:00
Matt Bauman
c2f82add3a feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-05 10:15:16 +00:00
Nikita Pivkin
9275e1532b feat(misconf): initial ansible scanning support (#9332)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Simar <simar@linux.com>
Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
2025-12-05 06:20:37 +00:00
yagreut
48dfedeb1e feat(misconf): Update Azure Database schema (#9811)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-05 05:28:25 +00:00
Aqua Security automated builds
75171128a4 ci(helm): bump Trivy version to 0.68.1 for Trivy Helm Chart 0.20.0 (#9869)
Co-authored-by: GitHub Actions <actions@github.com>
2025-12-04 01:06:08 +00:00
Owen Rumney
32f3df11a2 chore: update the install script (#9874)
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
2025-12-03 17:12:33 +00:00
180 changed files with 14722 additions and 1829 deletions

@@ -65,6 +65,7 @@ jobs:
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
check-latest: true # Ensure we use the latest Go patch version
cache: false
# Ensure the base commit exists locally for go-apidiff to compare against.
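Review bot: with `check-latest: true` on this setup-go step the toolchain is resolved at run time from the `go.mod` constraint, so two runs of the same commit can build with different Go patch releases. That is the intent stated in the comment, but it makes failures harder to tie to a toolchain; consider adding a step that prints `go version`. The new line also sits before `cache: false` here, while the other workflows in this change add it after `cache: false`; one order throughout keeps the repeated blocks easy to compare.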

@@ -18,6 +18,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action

@@ -22,6 +22,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -55,6 +56,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -88,6 +90,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Run golangci-lint for caching
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0

@@ -74,6 +74,7 @@ jobs:
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
check-latest: true # Ensure we use the latest Go patch version
cache: false
- name: Install Go tools

@@ -69,6 +69,7 @@ jobs:
with:
go-version-file: go.mod
cache: false # Disable cache to avoid free space issues during `Post Setup Go` step.
check-latest: true # Ensure we use the latest Go patch version
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0

@@ -16,6 +16,8 @@ jobs:
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
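Review bot: the hunk header (`-16,6 +16,8`) shows two added lines, so `cache: false` appears to be new in this workflow along with `check-latest: true`, but only the latter carries an explanation. Another workflow in this change documents the setting as disabling the cache to avoid free space issues during the Post Setup Go step; if the same reason applies here, repeat that comment, otherwise say why caching is turned off for this job.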

@@ -26,6 +26,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: go mod tidy
run: |
@@ -80,6 +81,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -113,6 +115,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -132,6 +135,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -167,6 +171,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -201,6 +206,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Install Go tools
run: go install tool # GOBIN is added to the PATH by the setup-go action
@@ -236,6 +242,7 @@ jobs:
with:
go-version-file: go.mod
cache: false
check-latest: true # Ensure we use the latest Go patch version
- name: Determine GoReleaser ID
id: goreleaser_id

@@ -599,6 +599,36 @@
"status": "not_affected",
"justification": "vulnerable_code_not_in_execute_path",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
},
{
"vulnerability": {
"@id": "https://pkg.go.dev/vuln/GO-2025-4192",
"name": "GO-2025-4192",
"description": "Sigstore Timestamp Authority allocates excessive memory during request parsing in github.com/sigstore/timestamp-authority",
"aliases": [
"CVE-2025-66564",
"GHSA-4qg8-fj49-pxjh"
]
},
"products": [
{
"@id": "pkg:golang/github.com/aquasecurity/trivy",
"identifiers": {
"purl": "pkg:golang/github.com/aquasecurity/trivy"
},
"subcomponents": [
{
"@id": "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2",
"identifiers": {
"purl": "pkg:golang/github.com/sigstore/timestamp-authority@v1.2.2"
}
}
]
}
],
"status": "not_affected",
"justification": "vulnerable_code_not_present",
"impact_statement": "Govulncheck determined that the vulnerable code isn't called"
}
]
}
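Review bot: in the new GO-2025-4192 statement the `justification` is `vulnerable_code_not_present`, but the `impact_statement` says "Govulncheck determined that the vulnerable code isn't called", which describes code that is present and unreachable. The entry just above pairs that same sentence with `vulnerable_code_not_in_execute_path`; either use that justification here as well, or reword the impact statement so it says the vulnerable code is not included.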

@@ -1,4 +1,4 @@
FROM alpine:3.22.1
FROM alpine:3.23.0
RUN apk --no-cache add ca-certificates git
COPY trivy /usr/local/bin/trivy
COPY contrib/*.tpl contrib/
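Review bot: `FROM alpine:3.23.0` still references the base image by tag only, so the build trusts whatever the registry serves for that tag at build time. The workflows in this change pin actions to a commit SHA with the version in a trailing comment; doing the equivalent here with `alpine:3.23.0@sha256:<digest>` would make each base image bump reviewable as a digest change.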

@@ -1,4 +1,4 @@
FROM alpine:3.22.1
FROM alpine:3.23.0
RUN apk --no-cache add ca-certificates git
# binaries were created with GoReleaser

@@ -8,9 +8,11 @@ usage() {
cat <<EOF
$this: download go binaries for aquasecurity/trivy
Usage: $this [-b] bindir [-d] [tag]
Usage: $this [-b] bindir [-c] client [-d] [tag]
-b sets bindir or installation directory, Defaults to ./bin
-c sets client identifier for download tracking (letters, digits, and '-' characters are allowed), Defaults to install-script
-d turns on debug logging
-x turns on verbose logging
[tag] is a tag from
https://github.com/aquasecurity/trivy/releases
If tag is missing, then the latest will be used.
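Review bot: the new synopsis `Usage: $this [-b] bindir [-c] client [-d] [tag]` leaves out `-x`, which is described two lines below it, and writes the option arguments outside the brackets. `[-b bindir] [-c client] [-d] [-x] [tag]` matches what the `getopts` string accepts. The help text could also mention that the default client can be set through the `CLIENT` environment variable, since `parse_args` reads it.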
@@ -27,9 +29,18 @@ parse_args() {
# over-ridden by flag below
BINDIR=${BINDIR:-./bin}
while getopts "b:dh?x" arg; do
CLIENT=${CLIENT:-install-script}
while getopts "b:c:dh?x" arg; do
case "$arg" in
b) BINDIR="$OPTARG" ;;
c)
if printf '%s' "$OPTARG" | grep -Eq '^[A-Za-z0-9-]+$'; then
CLIENT="$OPTARG"
else
log_crit "invalid client identifier '${OPTARG}'; allowed characters are: letters, digits, and '-'"
exit 1
fi
;;
d) log_set_priority 10 ;;
h | \?) usage "$0" ;;
x) set -x ;;
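Review bot: the character check in the `c)` branch only covers values passed with `-c`; a `CLIENT` inherited from the environment through `CLIENT=${CLIENT:-install-script}` skips it and is later interpolated into the download URL as `client=${CLIENT}`. Move the validation after the `getopts` loop so it applies to the final value. Also, `grep -Eq '^[A-Za-z0-9-]+$'` matches line by line, so a multi-line argument passes as soon as one of its lines is valid; a `case "$CLIENT" in ''|*[!A-Za-z0-9-]*)` test rejects that input too and avoids the extra process.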
@@ -51,42 +62,14 @@ execute() {
srcdir="${tmpdir}"
(cd "${tmpdir}" && untar "${TARBALL}")
test ! -d "${BINDIR}" && install -d "${BINDIR}"
for binexe in $BINARIES; do
if [ "$OS" = "windows" ]; then
binexe="${binexe}.exe"
fi
install "${srcdir}/${binexe}" "${BINDIR}/"
log_info "installed ${BINDIR}/${binexe}"
done
binexe="trivy"
if [ "$OS" = "windows" ]; then
binexe="${binexe}.exe"
fi
install "${srcdir}/${binexe}" "${BINDIR}/"
log_info "installed ${BINDIR}/${binexe}"
rm -rf "${tmpdir}"
}
get_binaries() {
case "$PLATFORM" in
darwin/386) BINARIES="trivy" ;;
darwin/amd64) BINARIES="trivy" ;;
darwin/arm64) BINARIES="trivy" ;;
darwin/armv7) BINARIES="trivy" ;;
freebsd/386) BINARIES="trivy" ;;
freebsd/amd64) BINARIES="trivy" ;;
freebsd/arm64) BINARIES="trivy" ;;
freebsd/armv7) BINARIES="trivy" ;;
linux/386) BINARIES="trivy" ;;
linux/amd64) BINARIES="trivy" ;;
linux/ppc64le) BINARIES="trivy" ;;
linux/arm64) BINARIES="trivy" ;;
linux/armv7) BINARIES="trivy" ;;
linux/s390x) BINARIES="trivy" ;;
openbsd/386) BINARIES="trivy" ;;
openbsd/amd64) BINARIES="trivy" ;;
openbsd/arm64) BINARIES="trivy" ;;
openbsd/armv7) BINARIES="trivy" ;;
windows/amd64) BINARIES="trivy" ;;
*)
log_crit "platform $PLATFORM is not supported. Make sure this script is up-to-date and file request at https://github.com/${PREFIX}/issues/new"
exit 1
;;
esac
}
tag_to_version() {
if [ -z "${TAG}" ]; then
log_info "checking GitHub for latest tag"
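Review bot: dropping `get_binaries` also drops the only check on the OS/architecture combination, including its `platform $PLATFORM is not supported` message. `uname_os_check "$OS"` and `uname_arch_check "$ARCH"` are still called, but each validates one value on its own, so an unsupported pair now only surfaces when the download fails. Please make sure that failure path prints an equally clear message, or keep a small combined check.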
@@ -137,12 +120,6 @@ adjust_arch() {
arm64) ARCH=ARM64 ;;
ppc64le) ARCH=PPC64LE ;;
s390x) ARCH=s390x ;;
darwin) ARCH=macOS ;;
dragonfly) ARCH=DragonFlyBSD ;;
freebsd) ARCH=FreeBSD ;;
linux) ARCH=Linux ;;
netbsd) ARCH=NetBSD ;;
openbsd) ARCH=OpenBSD ;;
esac
true
}
@@ -382,7 +359,6 @@ EOF
PROJECT_NAME="trivy"
OWNER=aquasecurity
REPO="trivy"
BINARY=trivy
FORMAT=tar.gz
OS=$(uname_os)
ARCH=$(uname_arch)
@@ -392,16 +368,15 @@ PREFIX="$OWNER/$REPO"
log_prefix() {
echo "$PREFIX"
}
PLATFORM="${OS}/${ARCH}"
GITHUB_DOWNLOAD=https://github.com/${OWNER}/${REPO}/releases/download
GET_DOWNLOAD=https://get.trivy.dev/trivy
uname_os_check "$OS"
uname_arch_check "$ARCH"
parse_args "$@"
get_binaries
tag_to_version
adjust_format
@@ -414,7 +389,7 @@ log_info "found version: ${VERSION} for ${TAG}/${OS}/${ARCH}"
NAME=${PROJECT_NAME}_${VERSION}_${OS}-${ARCH}
TARBALL=${NAME}.${FORMAT}
TARBALL_URL=${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}
TARBALL_URL="${GET_DOWNLOAD}?os=${OS}&arch=${ARCH}&version=${VERSION}&type=${FORMAT}&client=${CLIENT}"
CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}
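Review bot: `TARBALL_URL` now points at `https://get.trivy.dev/trivy` with no fallback, while `CHECKSUM_URL` is still built from `GITHUB_DOWNLOAD`. Keeping the checksum file on the GitHub release is the right call, but environments that only allow github.com will start failing at the tarball download. Consider falling back to `${GITHUB_DOWNLOAD}/${TAG}/${TARBALL}` when the first request fails, and state in the usage text that the request carries `os`, `arch`, `version`, `type` and `client` parameters.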

@@ -26,16 +26,26 @@ The following checks were performed on each of these signatures:
## Verifying binary
Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
Since Trivy v0.68.1, GitHub Releases provide [sigstore signature bundles](https://docs.sigstore.dev/cosign/bundle/). Separate `.sig` and certificate (`.pem`) files are no longer published.
Download the required tarball and its associated `.sigstore.json` bundle file from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
Use the following command for keyless verification:
```shell
cosign verify-blob <path to binary> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
cosign verify-blob-attestation <path to tarball> \
--bundle <path to tarball>.sigstore.json \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/<release tag>'
```
Example for `trivy_0.68.1_Linux-64bit.tar.gz`:
```shell
cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \
--bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1'
```
You should get the following output
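Review bot: the previous `cosign verify-blob` command with `--certificate` and `--signature` is removed outright, yet the new text itself says bundles are provided "Since Trivy v0.68.1", so readers verifying an earlier release are left without instructions. Keep the old command under a short heading for releases before v0.68.1. For the new command, say explicitly that `<release tag>` in `--certificate-identity` must equal the tag of the release being verified, and check that the sample output following "You should get the following output" matches what `cosign verify-blob-attestation` prints.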

@@ -68,10 +68,13 @@ image:
You can customize which files Trivy scans and how it interprets them with the `--file-patterns` flag.
A file pattern configuration takes the following form: `<analyzer>:<path>`, such that files matching the `<path>` will be processed with the respective `<analyzer>`.
!!! Note
`--file-patterns` flag doesn't disable the default file detection behavior of Trivy. It only adds the file detection based on the specified patterns.
For example:
```bash
trivy fs --file-patterns "pip:.requirements-test.txt ."
trivy fs --file-patterns "pip:.requirements-test.txt" .
```
This feature is relevant for the following scanners:
@@ -91,14 +94,14 @@ The file path can use a [regular expression](https://pkg.go.dev/regexp/syntax).
```bash
# interpret any file with .txt extension as a python pip requirements file
trivy fs --file-patterns "pip:requirements-.*\.txt .
trivy fs --file-patterns "pip:requirements-.*\.txt" .
```
The flag can be repeated for specifying multiple file patterns. For example:
```bash
# look for Dockerfile called production.docker and a python pip requirements file called requirements-test.txt
trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt ."
trivy fs --scanners misconfig,vuln --file-patterns "dockerfile:.production.docker" --file-patterns "pip:.requirements-test.txt" .
```
[^1]: Only work with the [license-full](../scanner/license.md) flag
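Review bot: the closing-quote fixes are correct, but in the regular expression example the comment says "interpret any file with .txt extension" while `pip:requirements-.*\.txt` only matches names that contain `requirements-` followed later by `.txt`. Reword the comment to describe the pattern as written. Since the path is a regular expression, the leading `.` in `pip:.requirements-test.txt` also matches any character, which deserves a short remark next to the first example.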

@@ -0,0 +1,177 @@
# Ansible
Trivy analyzes tasks in playbooks and roles for misconfigurations in cloud resources.
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
!!! warning "LIMITATIONS"
Not all Ansible features are supported. See the [Limitations](#limitations) section for a detailed list.
## Misconfigurations
Trivy recursively scans directories starting from the root and detects Ansible projects by the presence of key files and folders:
- `ansible.cfg`, `inventory`, `group_vars`, `host_vars`, `roles` and `playbooks`
- YAML files that resemble playbooks
For each project, Trivy performs the following steps:
- **Playbook discovery** — determines entry points, i.e., playbooks that are not used as imports in other playbooks.
- **Task and variable resolution** — Trivy resolves tasks and variables from plays, imports, and roles.
- **Module analysis** — modules used in tasks are scanned for insecure configurations. Currently, only cloud resource modules are supported.
### Project scanning
The Ansible scanner is enabled by default. To run only this scanner, use the `--misconfig-scanners ansible` flag:
```bash
trivy conf --misconfig-scanners ansible .
```
Example playbook:
```yaml
- name: Example playbook
hosts: localhost
connection: local
tasks:
- name: Create S3 bucket
amazon.aws.s3_bucket:
name: "{{ bucket_name }}"
region: "{{ bucket_region }}"
state: present
```
Scan result:
```bash
AVD-AWS-0093 (HIGH): Public access block does not restrict public buckets
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
See https://avd.aquasec.com/misconfig/avd-aws-0093
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
test.yaml:6-9
via test.yaml:5-9 (tasks)
via test.yaml:1-9 (play)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 - name: Example playbook
2 hosts: localhost
3 connection: local
4 tasks:
5 - name: Create S3 bucket
6 ┌ amazon.aws.s3_bucket:
7 │ name: "{{ bucket_name }}"
8 │ region: "{{ bucket_region }}"
9 └ state: present
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```
If the project defines a collection (contains a `galaxy.yaml` file), Trivy can resolve roles using the full name `namespace.collection.role` within the project.
Example `galaxy.yaml`:
```yaml
namespace: myorg
name: mycollection
version: 1.0.0
```
Project structure:
```bash
roles/
myrole/
tasks/
main.yml
galaxy.yaml
```
Using the role in a playbook:
```yaml
- name: Apply custom role
hosts: localhost
tasks:
- name: Run role from collection
include_role:
name: myorg.mycollection.myrole
```
Trivy can correctly locate and analyze the `myrole` role via the full collection name.
### Scanning specific playbooks
To limit scanning to specific playbooks instead of automatically discovering them, use the `--ansible-playbook` flag (can be repeated) with the path to the playbook:
```bash
trivy config --ansible-playbook playbooks/main.yaml .
```
### Using inventory
By default, Trivy searches for inventory [in the default location](https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html#how-to-build-your-inventory): `/etc/ansible/hosts`. If an `ansible.cfg` file exists at the project root, the inventory path is taken from it.
To specify a custom inventory source, use the `--ansible-inventory` flag (same as Ansibles `--inventory`). The flag can be repeated:
```bash
trivy config --ansible-inventory hosts.ini \
--ansible-inventory inventory .
```
### Passing extra variables
To pass extra variables, use the `--ansible-extra-vars` flag (same as Ansibles `--extra-vars`). The flag can be repeated:
```bash
trivy config --ansible-extra-vars region=us-east-1 \
--ansible-extra-vars @vars.json .
```
### Rendering misconfiguration snippet
To display the rendered snippet, use the `--render-cause` flag.
Example output for an S3 bucket task using the `amazon.aws.s3_bucket` module:
```bash
trivy config --render-cause ansible .
...
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
447 - name: "Hetzner Cloud: Create Object Storage (S3 bucket) {{ hetzner_object_storage_name }}"
448 ┌ amazon.aws.s3_bucket:
449 │ endpoint_url: "{{ hetzner_object_storage_endpoint }}"
450 │ ceph: true
451 │ aws_access_key: "{{ hetzner_object_storage_access_key }}"
452 │ aws_secret_key: "{{ hetzner_object_storage_secret_key }}"
453 │ name: "{{ hetzner_object_storage_name }}"
454 │ region: "{{ hetzner_object_storage_region }}"
455 └ requester_pays: false
...
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Rendered cause:
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
amazon.aws.s3_bucket:
endpoint_url: https://us-east-1.your-objectstorage.com
ceph: true
aws_access_key: ""
aws_secret_key: ""
name: test-pgcluster-backup
region: us-east-1
requester_pays: false
state: present
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```
## Limitations
Ansible scanning has several limitations and does not support the following:
- Resolving remote collections
- Inventory, lookup, and filter plugins (except `dirname`)
- Setting facts (`set_fact`)
- Loops: `loop`, `with_<lookup>`, etc.
- Patterns in a plays hosts field
- Host ranges in inventory, e.g., `www[01:50:2].example.com`
- Only supports the following services: AWS S3. If you have other services or clouds that you would like to see support for, please open a discussion in the Trivy project.
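Review bot: the first example uses `trivy conf --misconfig-scanners ansible .` while every other command in this file uses `trivy config`; pick one spelling. Small typos: "Ansibles `--inventory`" and "Ansibles `--extra-vars`" should read "Ansible's", and "Patterns in a plays hosts field" should read "a play's `hosts` field". In "Using inventory", please say whether the default `/etc/ansible/hosts` is read from the machine running the scan, since that path lies outside the scanned directory.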

@@ -8,17 +8,18 @@ Trivy scans Infrastructure as Code (IaC) files for
## Supported configurations
| Config type | File patterns |
|-------------------------------------|----------------------------------|
| [Kubernetes](kubernetes.md) | \*.yml, \*.yaml, \*.json |
| [Docker](docker.md) | Dockerfile, Containerfile |
| [Terraform](terraform.md) | \*.tf, \*.tf.json, \*.tfvars |
| [Terraform Plan](terraform.md) | tfplan, \*.tfplan, \*.json |
| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json |
| [Azure ARM Template](azure-arm.md) | \*.json |
| [Helm](helm.md) | \*.yaml, \*.tpl, \*.tar.gz, etc. |
| [YAML][json-and-yaml] | \*.yaml, \*.yml |
| [JSON][json-and-yaml] | \*.json |
| Config type | File patterns |
|-------------------------------------|-----------------------------------------------------|
| [Kubernetes](kubernetes.md) | \*.yml, \*.yaml, \*.json |
| [Docker](docker.md) | Dockerfile, Containerfile |
| [Terraform](terraform.md) | \*.tf, \*.tf.json, \*.tfvars |
| [Terraform Plan](terraform.md) | tfplan, \*.tfplan, \*.json |
| [CloudFormation](cloudformation.md) | \*.yml, \*.yaml, \*.json |
| [Azure ARM Template](azure-arm.md) | \*.json |
| [Helm](helm.md) | \*.yml, \*.yaml, \*.tpl, \*.tar.gz, etc. |
| [YAML][json-and-yaml] | \*.yaml, \*.yml |
| [JSON][json-and-yaml] | \*.json |
| [Ansible](ansible.md) | \*.yml, \*.yaml, \*.json, \*.ini, without extension |
[misconf]: ../../scanner/misconfiguration/index.md
[secret]: ../../scanner/secret.md

@@ -7,7 +7,7 @@ The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Pkg.jl | ✓ | - | - |
| Pkg.jl | ✓ | | - |
The following table provides an outline of the features Trivy offers.
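Review bot: in the updated `Pkg.jl` row the Vulnerability cell is empty (`| ✓ | | - |`) where the old row had `-`. If vulnerability scanning is now supported, the cell should carry `✓` like the SBOM column; an empty cell reads as unknown rather than supported.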

@@ -11,10 +11,10 @@ The following scanners are supported.
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | Excluded | ✓ | ✓ |
| Composer | installed.json | ✓ | Excluded | - | ✓ |
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------------------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | [Excluded](#development-dependencies) | ✓ | ✓ |
| Composer | installed.json | ✓ | Excluded | - | ✓ |
## composer.lock
In order to detect dependencies, Trivy searches for `composer.lock`.
@@ -23,6 +23,12 @@ Trivy also supports dependency trees; however, to display an accurate tree, it n
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.
### Development dependencies
By default, Trivy doesn't report development dependencies (`packages-dev` in `composer.lock`).
Use the `--include-dev-deps` flag to include them.
To correctly identify direct development dependencies, Trivy parses `require-dev` from `composer.json`, which should be located next to `composer.lock`.
## installed.json
Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.
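Review bot: The new "Development dependencies" section says direct development dependencies are identified from `require-dev` in `composer.json`, but not what is reported when `composer.json` is missing. Add a sentence on that case, in the way the dependency-tree paragraph above asks the reader to ensure `composer.json` is present.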


@@ -9,6 +9,9 @@ trivy config [flags] DIR
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
@@ -46,7 +49,7 @@ trivy config [flags] DIR
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
-o, --output string output file name
--output-plugin-arg string [EXPERIMENTAL] output plugin arguments
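Review bot: Adding `ansible` to the `--misconfig-scanners` default turns the new scanner on for every existing misconfiguration scan, so pipelines that gate on findings can start failing on upgrade without any flag change. Call this out in the release notes, and consider keeping the default list sorted, since `ansible` is appended after `terraformplan-snapshot` here. The same line changes in the other subcommand pages and in the `trivy.yaml` scanner list.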
@@ -59,7 +62,7 @@ trivy config [flags] DIR
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--registry-token string registry token
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
-s, --severity strings severities of security issues to be displayed
Allowed values:
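Review bot: With `ansible` now allowed in `--render-cause`, the help text should say what is rendered for a playbook. If values supplied through `--ansible-extra-vars` are interpolated into the displayed cause, the docs need a note that they can end up in the table report.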


@@ -19,6 +19,9 @@ trivy filesystem [flags] PATH
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
@@ -82,7 +85,7 @@ trivy filesystem [flags] PATH
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
@@ -108,7 +111,7 @@ trivy filesystem [flags] PATH
--registry-token string registry token
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--report string specify a compliance report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
@@ -168,6 +171,7 @@ trivy filesystem [flags] PATH
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -34,6 +34,9 @@ trivy image [flags] IMAGE_NAME
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--check-namespaces strings Rego namespaces
@@ -101,7 +104,7 @@ trivy image [flags] IMAGE_NAME
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--max-image-size string [EXPERIMENTAL] maximum image size to process, specified in a human-readable format (e.g., '44kB', '17MB'); an error will be returned if the image exceeds this size
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
@@ -130,7 +133,7 @@ trivy image [flags] IMAGE_NAME
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--removed-pkgs detect vulnerabilities of removed packages (only for Alpine)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--report string specify a format for the compliance report. (allowed values: all,summary) (default "summary")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
@@ -189,6 +192,7 @@ trivy image [flags] IMAGE_NAME
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -29,6 +29,9 @@ trivy kubernetes [flags] [CONTEXT]
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--burst int specify the maximum burst for throttle (default 10)
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
@@ -92,7 +95,7 @@ trivy kubernetes [flags] [CONTEXT]
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--no-progress suppress progress bar
--node-collector-imageref string indicate the image reference for the node-collector scan job (default "ghcr.io/aquasecurity/node-collector:0.3.1")
--node-collector-namespace string specify the namespace in which the node-collector job should be deployed (default "trivy-temp")
@@ -120,7 +123,7 @@ trivy kubernetes [flags] [CONTEXT]
--registry-token string registry token
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--report string specify a report format for the output (allowed values: all,summary) (default "all")
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,rbac) (default [vuln,misconfig,secret,rbac])
@@ -177,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -18,6 +18,9 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--branch string pass the branch name to be scanned
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
@@ -81,7 +84,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
@@ -107,7 +110,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--registry-token string registry token
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -167,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -22,6 +22,9 @@ trivy rootfs [flags] ROOTDIR
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
--cache-ttl duration cache TTL when using redis as cache backend
--cf-params strings specify paths to override the CloudFormation parameters files
@@ -84,7 +87,7 @@ trivy rootfs [flags] ROOTDIR
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
@@ -110,7 +113,7 @@ trivy rootfs [flags] ROOTDIR
--registry-token string registry token
--rego-error-limit int maximum number of compile errors allowed during Rego policy evaluation (default 10)
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -169,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -20,6 +20,9 @@ trivy vm [flags] VM_IMAGE
### Options
```
--ansible-extra-vars strings set additional variables as key=value or @file (YAML/JSON)
--ansible-inventory strings specify inventory host path or comma separated host list
--ansible-playbook strings specify playbook file path(s) to scan
--aws-region string AWS region to scan
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
@@ -76,7 +79,7 @@ trivy vm [flags] VM_IMAGE
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability (default true)
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot,ansible])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
@@ -98,7 +101,7 @@ trivy vm [flags] VM_IMAGE
--redis-key string redis key file location, if using redis as cache backend
--redis-tls enable redis TLS with public certificates, if using redis as cache backend
--rekor-url string [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform)
--render-cause strings specify configuration types for which the rendered causes will be shown in the table report (allowed values: terraform,ansible)
--sbom-sources strings [EXPERIMENTAL] try to retrieve SBOM from the specified sources (allowed values: oci,rekor)
--scanners strings comma-separated list of what security issues to detect (allowed values: vuln,misconfig,secret,license) (default [vuln,secret])
--secret-config string specify a path to config file for secret scanning (default "trivy-secret.yaml")
@@ -153,6 +156,7 @@ trivy vm [flags] VM_IMAGE
- chainguard
- bitnami
- govulndb
- julia
- echo
- minimos
- rootio


@@ -3,7 +3,7 @@
Trivy can be customized by tweaking a `trivy.yaml` file.
The config path can be overridden by the `--config` flag.
An example is [here][example].
An example is [here][example] and a [JSON Schema][schema] is also available.
These samples contain default values for flags.
## Global options
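Review bot: After this edit, "These samples contain default values for flags" follows a sentence that mentions both the example file and the JSON Schema, so "samples" no longer has a clear referent. Reword so that the example file is what carries the defaults, and describe what the schema is for in its own sentence.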
@@ -379,6 +379,16 @@ license:
## Misconfiguration options
```yaml
ansible:
# Same as '--ansible-extra-vars'
extra-vars: []
# Same as '--ansible-inventory'
inventories: []
# Same as '--ansible-playbook'
playbooks: []
misconfiguration:
# Same as '--checks-bundle-repository'
checks-bundle-repository: "mirror.gcr.io/aquasec/trivy-checks:1"
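Review bot: The new config keys are plural (`inventories`, `playbooks`) while the flags they map to are singular (`--ansible-inventory`, `--ansible-playbook`); only `extra-vars` matches its flag. Confirm the asymmetry is intended, since users translating a command line into `trivy.yaml` are likely to guess `inventory:` and `playbook:`.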
@@ -428,6 +438,7 @@ misconfiguration:
- terraform
- terraformplan-json
- terraformplan-snapshot
- ansible
terraform:
# Same as '--tf-exclude-downloaded-modules'
@@ -657,4 +668,5 @@ vulnerability:
vex: []
```
[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml
[example]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/examples/trivy-conf/trivy.yaml
[schema]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/schema/trivy-config.json


@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
| Dart | [GitHub Advisory Database (Pub)][pub-ghsa] | ✅ | - |
| Elixir | [GitHub Advisory Database (Erlang)][erlang-ghsa] | ✅ | - |
| Swift | [GitHub Advisory Database (Swift)][swift-ghsa] | ✅ | - |
| Julia | [Open Source Vulnerabilities (Julia)][julia-osv] | ✅ | - |
[^1]: Intentional delay between vulnerability disclosure and registration in the DB
@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i
[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia
[nvd]: https://nvd.nist.gov/vuln
[k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
[CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
[ghsa]: https://github.com/advisories
[requests]: https://pypi.org/project/requests/
[precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
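Review bot: The `[RHSA-2023:4520]` reference line is removed and re-added with no visible difference, which looks like whitespace-only churn unrelated to the `[julia-osv]` addition. Drop it from this change or mention the cleanup in the description so it is not mistaken for a content edit.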

140
go.mod

@@ -1,14 +1,14 @@
module github.com/aquasecurity/trivy
go 1.25
go 1.25.0
require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1
github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.3
github.com/BurntSushi/toml v1.5.0
github.com/BurntSushi/toml v1.6.0
github.com/CycloneDX/cyclonedx-go v0.9.3
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.30
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.31
github.com/Masterminds/sprig/v3 v3.3.0
github.com/NYTimes/gziphandler v1.1.1
github.com/alecthomas/chroma v0.10.0
@@ -24,7 +24,7 @@ require (
github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
github.com/aquasecurity/tml v0.6.1
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
github.com/aquasecurity/trivy-kubernetes v0.9.1
github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -38,20 +38,20 @@ require (
github.com/bmatcuk/doublestar/v4 v4.9.1
github.com/cenkalti/backoff/v4 v4.3.0
github.com/cheggaaa/pb/v3 v3.1.7
github.com/containerd/containerd/v2 v2.2.0
github.com/containerd/containerd/v2 v2.2.1
github.com/containerd/platforms v1.0.0-rc.2
github.com/distribution/reference v0.6.0
github.com/docker/cli v29.0.3+incompatible
github.com/docker/cli v29.1.1+incompatible
github.com/docker/docker v28.5.2+incompatible
github.com/docker/go-connections v0.6.0
github.com/docker/go-units v0.5.0
github.com/fatih/color v1.18.0
github.com/go-git/go-git/v5 v5.16.3
github.com/go-git/go-git/v5 v5.16.4
github.com/go-redis/redis/v8 v8.11.5
github.com/go-viper/mapstructure/v2 v2.4.0
github.com/gocsaf/csaf/v3 v3.4.0
github.com/gocsaf/csaf/v3 v3.5.1
github.com/golang-jwt/jwt/v5 v5.3.0
github.com/google/go-containerregistry v0.20.6
github.com/google/go-containerregistry v0.20.7
github.com/google/go-github/v62 v62.0.0
github.com/google/licenseclassifier/v2 v2.0.0
github.com/google/uuid v1.6.0
@@ -59,7 +59,7 @@ require (
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-retryablehttp v0.7.8
github.com/hashicorp/go-uuid v1.0.3
github.com/hashicorp/go-version v1.7.0
github.com/hashicorp/go-version v1.8.0
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/hashicorp/hc-install v0.9.2
github.com/hashicorp/hcl/v2 v2.24.0
@@ -83,7 +83,8 @@ require (
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/moby/buildkit v0.26.2
github.com/moby/docker-image-spec v1.3.1
github.com/open-policy-agent/opa v1.10.1
github.com/moby/moby/client v0.2.1 // indirect
github.com/open-policy-agent/opa v1.12.1
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.1
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553
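Review bot: `github.com/moby/moby/client v0.2.1 // indirect` is added to the direct `require` block, while the `v0.1.0` entry is dropped from the indirect block further down. If nothing in this module imports it, keep it in the indirect block; if something does, drop the `// indirect` marker.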
@@ -101,35 +102,41 @@ require (
github.com/sosedoff/gitkit v0.4.0
github.com/spdx/tools-golang v0.5.5 // v0.5.3 with necessary changes. Can be upgraded to version 0.5.4 after release.
github.com/spf13/cast v1.10.0
github.com/spf13/cobra v1.10.1
github.com/spf13/cobra v1.10.2
github.com/spf13/pflag v1.0.10
github.com/spf13/viper v1.21.0
github.com/stretchr/testify v1.11.1
github.com/testcontainers/testcontainers-go v0.40.0
github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0
github.com/tetratelabs/wazero v1.10.1
github.com/tetratelabs/wazero v1.11.0
github.com/twitchtv/twirp v8.1.3+incompatible
github.com/xeipuuv/gojsonschema v1.2.0
github.com/xlab/treeprint v1.2.0
github.com/zalando/go-keyring v0.2.6 // indirect
github.com/zclconf/go-cty v1.17.0
github.com/zclconf/go-cty-yaml v1.1.0
github.com/zclconf/go-cty-yaml v1.2.0
go.etcd.io/bbolt v1.4.3
golang.org/x/crypto v0.45.0
golang.org/x/mod v0.30.0
golang.org/x/net v0.47.0
golang.org/x/sync v0.18.0
golang.org/x/term v0.37.0
golang.org/x/text v0.31.0
golang.org/x/tools v0.38.0
golang.org/x/crypto v0.46.0
golang.org/x/mod v0.31.0
golang.org/x/net v0.48.0
golang.org/x/sync v0.19.0
golang.org/x/term v0.38.0
golang.org/x/text v0.32.0
golang.org/x/tools v0.40.0
golang.org/x/vuln v1.1.4
golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9
google.golang.org/protobuf v1.36.10
google.golang.org/protobuf v1.36.11
gopkg.in/yaml.v3 v3.0.1
helm.sh/helm/v3 v3.19.2
k8s.io/api v0.34.2
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
modernc.org/sqlite v1.40.1
helm.sh/helm/v3 v3.19.4
k8s.io/api v0.35.0
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
modernc.org/sqlite v1.41.0
)
require (
github.com/go-ini/ini v1.67.0
github.com/invopop/jsonschema v0.13.0
github.com/nikolalohinski/gonja/v2 v2.5.1
)
require (
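Review bot: `go-ini/ini`, `invopop/jsonschema` and `nikolalohinski/gonja/v2` arrive as direct requirements in a separate third `require (...)` block instead of the main direct block above. Fold them into the first block in sorted order so there is one place to audit direct dependencies. `go-ini/ini` is a promotion from `// indirect`, so the change description should say what now imports it.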
@@ -161,7 +168,7 @@ require (
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
github.com/DataDog/zstd v1.5.5 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.53.0 // indirect
github.com/Intevation/gval v1.3.0 // indirect
@@ -197,6 +204,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/sso v1.30.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.41.1 // indirect
github.com/bahlo/generic-list-go v0.2.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -205,12 +213,13 @@ require (
github.com/bufbuild/buf v1.56.0 // indirect
github.com/bufbuild/protocompile v0.14.1 // indirect
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 // indirect
github.com/buger/jsonparser v1.1.1 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/chai2010/gettext-go v1.0.2 // indirect
github.com/cloudflare/circl v1.6.1 // indirect
github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
github.com/containerd/cgroups/v3 v3.1.0 // indirect
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f // indirect
github.com/containerd/cgroups/v3 v3.1.2 // indirect
github.com/containerd/containerd v1.7.29 // indirect
github.com/containerd/containerd/api v1.10.0 // indirect
github.com/containerd/continuity v0.4.5 // indirect
@@ -219,13 +228,13 @@ require (
github.com/containerd/fifo v1.1.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/plugin v1.0.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.17.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
github.com/containerd/ttrpc v1.2.7 // indirect
github.com/containerd/typeurl/v2 v2.2.3 // indirect
github.com/cpuguy83/dockercfg v0.3.2 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.7 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyphar/filepath-securejoin v0.6.0 // indirect
github.com/cyphar/filepath-securejoin v0.6.1 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -239,7 +248,7 @@ require (
github.com/ebitengine/purego v0.8.4 // indirect
github.com/emicklei/go-restful/v3 v3.13.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
github.com/envoyproxy/go-control-plane/envoy v1.35.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/evanphx/json-patch v5.9.11+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
@@ -253,8 +262,7 @@ require (
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-gorp/gorp/v3 v3.1.0 // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-jose/go-jose/v4 v4.1.2 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
@@ -281,7 +289,7 @@ require (
github.com/go-openapi/validate v0.25.1 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/goccy/go-json v0.10.5 // indirect
github.com/goccy/go-yaml v1.15.23 // indirect
github.com/goccy/go-yaml v1.19.0 // indirect
github.com/gofrs/flock v0.13.0 // indirect
github.com/gofrs/uuid v4.3.1+incompatible // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@@ -314,6 +322,7 @@ require (
github.com/jdx/go-netrc v1.0.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jmoiron/sqlx v1.4.0 // indirect
github.com/josephburnett/jd/v2 v2.3.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.18.1 // indirect
@@ -326,7 +335,7 @@ require (
github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect
github.com/lestrrat-go/httprc/v3 v3.0.1 // indirect
github.com/lestrrat-go/jwx/v3 v3.0.11 // indirect
github.com/lestrrat-go/jwx/v3 v3.0.12 // indirect
github.com/lestrrat-go/option v1.0.1 // indirect
github.com/lestrrat-go/option/v2 v2.0.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
@@ -335,6 +344,7 @@ require (
github.com/lufia/plan9stats v0.0.0-20240226150601-1dcf7310316a // indirect
github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect
github.com/magiconair/properties v1.8.10 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mattn/go-runewidth v0.0.16 // indirect
@@ -345,7 +355,6 @@ require (
github.com/moby/go-archive v0.1.0 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/moby/api v1.52.0 // indirect
github.com/moby/moby/client v0.1.0 // indirect
github.com/moby/patternmatcher v0.6.0 // indirect
github.com/moby/spdystream v0.5.0 // indirect
github.com/moby/sys/atomicwriter v0.1.0 // indirect
@@ -365,10 +374,8 @@ require (
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/oklog/ulid/v2 v2.1.1 // indirect
github.com/onsi/ginkgo/v2 v2.23.4 // indirect
github.com/onsi/gomega v1.36.3 // indirect
github.com/opencontainers/runtime-spec v1.2.1 // indirect
github.com/opencontainers/selinux v1.13.0 // indirect
github.com/opencontainers/runtime-spec v1.3.0 // indirect
github.com/opencontainers/selinux v1.13.1 // indirect
github.com/owenrumney/squealer v1.2.11 // indirect
github.com/pandatix/go-cvss v0.6.2 // indirect
github.com/pelletier/go-toml v1.9.5 // indirect
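Review bot: github.com/onsi/ginkgo/v2 and github.com/onsi/gomega leave the require block in this hunk (10 lines become 8), yet go.sum picks up h1 hashes for newer versions of both (v2.27.2 and v1.38.2). That can be legitimate when they are only needed for tests of dependencies, but it is worth re-running go mod tidy and go mod verify on the branch and checking that neither produces a further diff. The opencontainers/selinux and runtime-spec bumps in the same hunk look routine.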
@@ -384,8 +391,8 @@ require (
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.66.1 // indirect
github.com/prometheus/procfs v0.17.0 // indirect
github.com/quic-go/qpack v0.5.1 // indirect
github.com/quic-go/quic-go v0.54.1 // indirect
github.com/quic-go/qpack v0.6.0 // indirect
github.com/quic-go/quic-go v0.57.0 // indirect
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.4.7 // indirect
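Review bot: github.com/quic-go/quic-go jumps three minor releases (v0.54.1 to v0.57.0) and qpack goes from v0.5.1 to v0.6.0 in the middle of this hunk, and both are pre-1.0 modules where a minor bump can change API and wire behaviour. Since they are indirect, note which direct requirement pulls them in (go mod why -m github.com/quic-go/quic-go) and skim the release notes for the skipped versions before merging, as this is network-facing code.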
@@ -396,7 +403,7 @@ require (
github.com/samber/oops v1.18.1 // indirect
github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/segmentio/asm v1.2.0 // indirect
github.com/segmentio/asm v1.2.1 // indirect
github.com/segmentio/encoding v0.5.3 // indirect
github.com/sergi/go-diff v1.4.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
@@ -409,7 +416,7 @@ require (
github.com/skeema/knownhosts v1.3.1 // indirect
github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
github.com/spf13/afero v1.15.0 // indirect
github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect
github.com/spiffe/go-spiffe/v2 v2.6.0 // indirect
github.com/stoewer/go-strcase v1.3.1 // indirect
github.com/stretchr/objx v0.5.2 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
@@ -426,9 +433,10 @@ require (
github.com/ulikunitz/xz v0.5.15 // indirect
github.com/valyala/fastjson v1.6.4 // indirect
github.com/vbatts/tar-split v0.12.2 // indirect
github.com/vektah/gqlparser/v2 v2.5.30 // indirect
github.com/vektah/gqlparser/v2 v2.5.31 // indirect
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -437,7 +445,6 @@ require (
github.com/yashtewari/glob-intersection v0.2.0 // indirect
github.com/yuin/gopher-lua v1.1.1 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
github.com/zeebo/errs v1.4.0 // indirect
go.lsp.dev/jsonrpc2 v0.10.0 // indirect
go.lsp.dev/pkg v0.0.0-20210717090340-384b27a52fb2 // indirect
go.lsp.dev/protocol v0.12.0 // indirect
@@ -445,7 +452,7 @@ require (
go.mongodb.org/mongo-driver v1.17.6 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.38.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
@@ -457,43 +464,42 @@ require (
go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
go.uber.org/mock v0.5.2 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
go.yaml.in/yaml/v4 v4.0.0-rc.3 // indirect
golang.org/x/exp v0.0.0-20250911091902-df9299821621 // indirect
golang.org/x/oauth2 v0.32.0 // indirect
golang.org/x/sys v0.38.0 // indirect
golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 // indirect
golang.org/x/oauth2 v0.33.0 // indirect
golang.org/x/sys v0.39.0 // indirect
golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc // indirect
golang.org/x/time v0.14.0 // indirect
golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d // indirect
golang.org/x/tools/gopls v0.21.0 // indirect
google.golang.org/api v0.254.0 // indirect
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/grpc v1.76.0 // indirect
gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
google.golang.org/grpc v1.77.0 // indirect
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
k8s.io/apiextensions-apiserver v0.34.0 // indirect
k8s.io/apimachinery v0.34.2 // indirect
k8s.io/apiserver v0.34.0 // indirect
k8s.io/cli-runtime v0.34.0 // indirect
k8s.io/client-go v0.34.1 // indirect
k8s.io/component-base v0.34.0 // indirect
k8s.io/apiextensions-apiserver v0.34.2 // indirect
k8s.io/apimachinery v0.35.0 // indirect
k8s.io/apiserver v0.34.2 // indirect
k8s.io/cli-runtime v0.34.2 // indirect
k8s.io/client-go v0.34.2 // indirect
k8s.io/component-base v0.34.2 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
k8s.io/kubectl v0.34.0 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/kubectl v0.34.2 // indirect
modernc.org/libc v1.66.10 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.11.0 // indirect
mvdan.cc/sh/v3 v3.11.0 // indirect
oras.land/oras-go/v2 v2.6.0 // indirect
pluginrpc.com/pluginrpc v0.5.0 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
sigs.k8s.io/kind v0.19.0 // indirect
sigs.k8s.io/kustomize/api v0.20.1 // indirect
sigs.k8s.io/kustomize/kyaml v0.20.1 // indirect
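Review bot: k8s.io/apimachinery moves to v0.35.0 in this hunk while k8s.io/apiextensions-apiserver, apiserver, cli-runtime, client-go, component-base and kubectl only move to v0.34.2, so the Kubernetes modules end up split across two minors. These modules are published together and are normally kept on one minor. Either hold apimachinery (and k8s.io/api) at v0.34.x until the rest can move, or bump client-go and the others to v0.35.0 in the same change. If the mixed set is kept on purpose, say so in the commit message and make sure the tests that exercise client-go run against it.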

279
go.sum

@@ -109,18 +109,18 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgv
github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI=
github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.30 h1:LZKiFW/Mmr5ohlGs/2UmNlv+E0sWoa3lXqbJ8ZKwwDY=
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.30/go.mod h1:eJtvl30kUrfVmOufsO74vEF32KP0EJBTmpFelxprmVU=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0 h1:UQUsRi8WTzhZntp5313l+CHIAT95ojUI2lpP/ExlZa4=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.29.0/go.mod h1:Cz6ft6Dkn3Et6l2v2a9/RpN7epQ1GtDlO6lj8bEcOvw=
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.31 h1:Zw6Ahy7WYGLrjDnpfwD6uHGqdNuF5/VmMWse8EdrNdM=
github.com/GoogleCloudPlatform/docker-credential-gcr/v2 v2.1.31/go.mod h1:gpV8+EIzfZlF+d64UpPBv7KwaqLhV82bZfOf2wMNl1E=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0 h1:sBEjpZlNHzK1voKq9695PJSX2o5NEXl7/OL3coiIY0c=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.30.0/go.mod h1:P4WPRUkOhJC13W//jWpyfJNDAIpvRbAUIYLX/4jtlE0=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0 h1:owcC2UnmsZycprQ5RfRgjydWhuoxg71LUfyiQdijZuM=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.53.0/go.mod h1:ZPpqegjbE99EPKsu3iUWV22A04wzGPcAY/ziSIQEEgs=
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.53.0 h1:4LP6hvB4I5ouTbGgWtixJhgED6xdf67twf9PoY96Tbg=
@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d h1:mwCxwhDRnW5UkSQdZfekTCjaLyWp1rqfIa6KKRdMDAo=
github.com/aquasecurity/trivy-db v0.0.0-20251222105351-a833f47f8f0d/go.mod h1:B0cbg/BEHbJg2RcS7PLdlbGCzz2TkChcZAiI4oSs0VI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -286,6 +286,8 @@ github.com/aws/smithy-go v1.23.2 h1:Crv0eatJUQhaManss33hS5r40CG3ZFH+21XSkqMrIUM=
github.com/aws/smithy-go v1.23.2/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d h1:xDfNPAt8lFiC1UJrqV3uuy861HCTo708pDMbjHHdCas=
@@ -310,14 +312,16 @@ github.com/bufbuild/protocompile v0.14.1 h1:iA73zAf/fyljNjQKwYzUHD6AD4R8KMasmwa/
github.com/bufbuild/protocompile v0.14.1/go.mod h1:ppVdAIhbr2H8asPk6k4pY7t9zB1OU5DoEw9xY/FUi1c=
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1 h1:V1xulAoqLqVg44rY97xOR+mQpD2N+GzhMHVwJ030WEU=
github.com/bufbuild/protoplugin v0.0.0-20250218205857-750e09ce93e1/go.mod h1:c5D8gWRIZ2HLWO3gXYTtUfw/hbJyD8xikv2ooPxnklQ=
github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70=
github.com/buildkite/agent/v3 v3.62.0/go.mod h1:jN6SokGXrVNNIpI0BGQ+j5aWeI3gin8F+3zwA5Q6gqM=
github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM=
github.com/buildkite/go-pipeline v0.3.2/go.mod h1:iY5jzs3Afc8yHg6KDUcu3EJVkfaUkd9x/v/OH98qyUA=
github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE=
github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gbPR1gPu9dB96mucYIR7T3B7p/78hRVSOuzIWLHK2Y4=
github.com/bytecodealliance/wasmtime-go/v37 v37.0.0 h1:DPjdn2V3JhXHMoZ2ymRqGK+y1bDyr9wgpyYCvhjMky8=
github.com/bytecodealliance/wasmtime-go/v37 v37.0.0/go.mod h1:Pf1l2JCTUFMnOqDIwkjzx1qfVJ09xbaXETKgRVE4jZ0=
github.com/bytecodealliance/wasmtime-go/v39 v39.0.1 h1:RibaT47yiyCRxMOj/l2cvL8cWiWBSqDXHyqsa9sGcCE=
github.com/bytecodealliance/wasmtime-go/v39 v39.0.1/go.mod h1:miR4NYIEBXeDNamZIzpskhJ0z/p8al+lwMWylQ/ZJb4=
github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
@@ -340,22 +344,22 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 h1:aQ3y1lwWyqYPiWZThqv1aFbZMiM9vblcSArJRf2Irls=
github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f h1:Y8xYupdHxryycyPlc9Y+bSQAYZnetRJ70VMVKm5CKI0=
github.com/cncf/xds/go v0.0.0-20251022180443-0feb69152e9f/go.mod h1:HlzOvOjVBOfTGSRXRyY0OiCS/3J1akRGQQpRO/7zyF4=
github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=
github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc=
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=
github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w=
github.com/containerd/cgroups/v3 v3.1.0 h1:azxYVj+91ZgSnIBp2eI3k9y2iYQSR/ZQIgh9vKO+HSY=
github.com/containerd/cgroups/v3 v3.1.0/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
github.com/containerd/cgroups/v3 v3.1.2 h1:OSosXMtkhI6Qove637tg1XgK4q+DhR0mX8Wi8EhrHa4=
github.com/containerd/cgroups/v3 v3.1.2/go.mod h1:PKZ2AcWmSBsY/tJUVhtS/rluX0b1uq1GmPO1ElCmbOw=
github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
github.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=
github.com/containerd/containerd/api v1.10.0 h1:5n0oHYVBwN4VhoX9fFykCV9dF1/BvAXeg2F8W6UYq1o=
github.com/containerd/containerd/api v1.10.0/go.mod h1:NBm1OAk8ZL+LG8R0ceObGxT5hbUYj7CzTmR3xh0DlMM=
github.com/containerd/containerd/v2 v2.2.0 h1:K7TqcXy+LnFmZaui2DgHsnp2gAHhVNWYaHlx7HXfys8=
github.com/containerd/containerd/v2 v2.2.0/go.mod h1:YCMjKjA4ZA7egdHNi3/93bJR1+2oniYlnS+c0N62HdE=
github.com/containerd/containerd/v2 v2.2.1 h1:TpyxcY4AL5A+07dxETevunVS5zxqzuq7ZqJXknM11yk=
github.com/containerd/containerd/v2 v2.2.1/go.mod h1:NR70yW1iDxe84F2iFWbR9xfAN0N2F0NcjTi1OVth4nU=
github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -370,8 +374,8 @@ github.com/containerd/platforms v1.0.0-rc.2 h1:0SPgaNZPVWGEi4grZdV8VRYQn78y+nm6a
github.com/containerd/platforms v1.0.0-rc.2/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
github.com/containerd/stargz-snapshotter/estargz v0.17.0 h1:+TyQIsR/zSFI1Rm31EQBwpAA1ovYgIKHy7kctL3sLcE=
github.com/containerd/stargz-snapshotter/estargz v0.17.0/go.mod h1:s06tWAiJcXQo9/8AReBCIo/QxcXFZ2n4qfsRnpl71SM=
github.com/containerd/stargz-snapshotter/estargz v0.18.1 h1:cy2/lpgBXDA3cDKSyEfNOFMA/c10O1axL69EU7iirO8=
github.com/containerd/stargz-snapshotter/estargz v0.18.1/go.mod h1:ALIEqa7B6oVDsrF37GkGN20SuvG/pIMm7FwP7ZmRb0Q=
github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
@@ -392,8 +396,8 @@ github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h1:2Dx4IHfC1yHWI12AxQDJM1QbRCDfk6M+blLzlZCXdrc=
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
github.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=
github.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
github.com/danieljoos/wincred v1.2.2 h1:774zMFJrqaeYCK2W57BgAem/MLi6mtSE47MB6BOJ0i0=
github.com/danieljoos/wincred v1.2.2/go.mod h1:w7w4Utbrz8lqeMbDAK0lkNJUv5sAOkFi7nd/ogr0Uh8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -424,8 +428,8 @@ github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5
github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc=
github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
github.com/docker/cli v29.0.3+incompatible h1:8J+PZIcF2xLd6h5sHPsp5pvvJA+Sr2wGQxHkRl53a1E=
github.com/docker/cli v29.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/cli v29.1.1+incompatible h1:gGQk5qx62yPKRm3bUdKBzmDBSQzp17hlSLbV1F7jjys=
github.com/docker/cli v29.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
@@ -458,10 +462,10 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
github.com/envoyproxy/go-control-plane v0.13.4 h1:zEqyPVyku6IvWCFwux4x9RxkLOMUL+1vC9xUFv5l2/M=
github.com/envoyproxy/go-control-plane v0.13.4/go.mod h1:kDfuBlDVsSj2MjrLEtRWtHlsWIFcGyB2RMO44Dc5GZA=
github.com/envoyproxy/go-control-plane/envoy v1.32.4 h1:jb83lalDRZSpPWW2Z7Mck/8kXZ5CQAFYVjQcdVIr83A=
github.com/envoyproxy/go-control-plane/envoy v1.32.4/go.mod h1:Gzjc5k8JcJswLjAx1Zm+wSYE20UrLtt7JZMWiWQXQEw=
github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329 h1:K+fnvUM0VZ7ZFJf0n4L/BRlnsb9pL/GuDG6FqaH+PwM=
github.com/envoyproxy/go-control-plane v0.13.5-0.20251024222203-75eaa193e329/go.mod h1:Alz8LEClvR7xKsrq3qzoc4N0guvVNSS8KmSChGYr9hs=
github.com/envoyproxy/go-control-plane/envoy v1.35.0 h1:ixjkELDE+ru6idPxcHLj8LBVc2bFP7iBytj353BoHUo=
github.com/envoyproxy/go-control-plane/envoy v1.35.0/go.mod h1:09qwbGVuSWWAyN5t/b3iyVfz5+z8QWGrzkoqm/8SbEs=
github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -508,16 +512,16 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
github.com/go-git/go-git/v5 v5.16.3 h1:Z8BtvxZ09bYm/yYNgPKCzgWtaRqDTgIKRgIRHBfU6Z8=
github.com/go-git/go-git/v5 v5.16.3/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
github.com/go-git/go-git/v5 v5.16.4 h1:7ajIEZHZJULcyJebDLo99bGgS0jRrOxzZG4uCk2Yb2Y=
github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -598,10 +602,10 @@ github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJA
github.com/goccy/go-json v0.10.5 h1:Fq85nIqj+gXn/S5ahsiTlK3TmC85qgirsdTP/+DeaC4=
github.com/goccy/go-json v0.10.5/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
github.com/goccy/go-yaml v1.8.1/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
github.com/goccy/go-yaml v1.15.23 h1:WS0GAX1uNPDLUvLkNU2vXq6oTnsmfVFocjQ/4qA48qo=
github.com/goccy/go-yaml v1.15.23/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
github.com/gocsaf/csaf/v3 v3.4.0 h1:rzVTiA5WmzTHumgGfK/823h0zQ0y4WAS+Rorhcm2LDE=
github.com/gocsaf/csaf/v3 v3.4.0/go.mod h1:MmKPoT9IhckqbC590XvKbCkRstuba9vbL+HT3bsuQLk=
github.com/goccy/go-yaml v1.19.0 h1:EmkZ9RIsX+Uq4DYFowegAuJo8+xdX3T/2dwNPXbxEYE=
github.com/goccy/go-yaml v1.19.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
github.com/gocsaf/csaf/v3 v3.5.1 h1:jTA1fLrK0/JIczPs7itTD53qANoO4tn2VaGvUeitePc=
github.com/gocsaf/csaf/v3 v3.5.1/go.mod h1:pga89lE+iWJm7smTdzYcXuetYUbgY8caXfaIP4BJG98=
github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gofrs/flock v0.13.0 h1:95JolYOvGMqeH31+FC7D2+uULf6mG61mEZ/A8dRYMzw=
@@ -662,8 +666,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
github.com/google/go-containerregistry v0.20.7 h1:24VGNpS0IwrOZ2ms2P1QE3Xa5X9p4phx0aUgzYzHW6I=
github.com/google/go-containerregistry v0.20.7/go.mod h1:Lx5LCZQjLH1QBaMPeGwsME9biPeo1lPx6lbGj/UmzgM=
github.com/google/go-github/v31 v31.0.0 h1:JJUxlP9lFK+ziXKimTCprajMApV1ecWD4NB6CCb0plo=
github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM=
github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=
@@ -737,8 +741,8 @@ github.com/hashicorp/go-sockaddr v1.0.5 h1:dvk7TIXCZpmfOlM+9mlcrWmWjw/wlKT+VDq2w
github.com/hashicorp/go-sockaddr v1.0.5/go.mod h1:uoUUmtwU7n9Dv3O4SNLeFvg0SxQ3lyjsj6+CCykpaxI=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/go-version v1.8.0 h1:KAkNb1HAiZd1ukkxDFGmokVZe1Xy9HG6NUp+bPle2i4=
github.com/hashicorp/go-version v1.8.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -766,6 +770,8 @@ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3
github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
github.com/invopop/jsonschema v0.13.0/go.mod h1:ffZ5Km5SWWRAIN6wbDXItl95euhFz2uON45H2qjYt+0=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
github.com/jdx/go-netrc v1.0.0 h1:QbLMLyCZGj0NA8glAhxUpf1zDg6cxnWgMBbjq40W0gQ=
@@ -784,6 +790,9 @@ github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
github.com/jmhodges/clock v1.2.0/go.mod h1:qKjhA7x7u/lQpPB1XAqX1b1lCI/w3/fNuYpI/ZjLynI=
github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
github.com/josephburnett/jd/v2 v2.3.0 h1:AyNT0zSStJ2j28zutWDO4fkc95JoICryWQRmDTRzPTQ=
github.com/josephburnett/jd/v2 v2.3.0/go.mod h1:0I5+gbo7y8diuajJjm79AF44eqTheSJy1K7DSbIUFAQ=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
@@ -834,8 +843,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
github.com/lestrrat-go/httprc/v3 v3.0.1 h1:3n7Es68YYGZb2Jf+k//llA4FTZMl3yCwIjFIk4ubevI=
github.com/lestrrat-go/httprc/v3 v3.0.1/go.mod h1:2uAvmbXE4Xq8kAUjVrZOq1tZVYYYs5iP62Cmtru00xk=
github.com/lestrrat-go/jwx/v3 v3.0.11 h1:yEeUGNUuNjcez/Voxvr7XPTYNraSQTENJgtVTfwvG/w=
github.com/lestrrat-go/jwx/v3 v3.0.11/go.mod h1:XSOAh2SiXm0QgRe3DulLZLyt+wUuEdFo81zuKTLcvgQ=
github.com/lestrrat-go/jwx/v3 v3.0.12 h1:p25r68Y4KrbBdYjIsQweYxq794CtGCzcrc5dGzJIRjg=
github.com/lestrrat-go/jwx/v3 v3.0.12/go.mod h1:HiUSaNmMLXgZ08OmGBaPVvoZQgJVOQphSrGr5zMamS8=
github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
github.com/lestrrat-go/option/v2 v2.0.0 h1:XxrcaJESE1fokHy3FpaQ/cXW8ZsIdWcdFzzLOcID3Ss=
@@ -854,6 +863,8 @@ github.com/magefile/mage v1.15.0 h1:BvGheCMAsG3bWUDbZ8AyXXpCNwU9u5CB6sM+HNb9HYg=
github.com/magefile/mage v1.15.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee h1:cgm8mE25x5XXX2oyvJDlyJ72K+rDu/4ZCYce2worNb8=
github.com/masahiro331/go-disk v0.0.0-20240625071113-56c933208fee/go.mod h1:rojbW5tVhH1cuVYFKZS+QX+VGXK45JVsRO+jW92kkKM=
github.com/masahiro331/go-ebs-file v0.0.0-20240917043618-e6d2bea5c32e h1:nCgF1JEYIS8KNuJtIeUrmjjhktIMKWNmASZqwK2ynu0=
@@ -910,8 +921,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
github.com/moby/moby/api v1.52.0 h1:00BtlJY4MXkkt84WhUZPRqt5TvPbgig2FZvTbe3igYg=
github.com/moby/moby/api v1.52.0/go.mod h1:8mb+ReTlisw4pS6BRzCMts5M49W5M7bKt1cJy/YbAqc=
github.com/moby/moby/client v0.1.0 h1:nt+hn6O9cyJQqq5UWnFGqsZRTS/JirUqzPjEl0Bdc/8=
github.com/moby/moby/client v0.1.0/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
github.com/moby/moby/client v0.2.1 h1:1Grh1552mvv6i+sYOdY+xKKVTvzJegcVMhuXocyDz/k=
github.com/moby/moby/client v0.2.1/go.mod h1:O+/tw5d4a1Ha/ZA/tPxIZJapJRUS6LNZ1wiVRxYHyUE=
github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
@@ -949,6 +960,8 @@ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+
github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/nikolalohinski/gonja/v2 v2.5.1 h1:DZ1sWF/BHOkQYjHHm1OZ609pAhlX0mSRoGtuUfSbjs4=
github.com/nikolalohinski/gonja/v2 v2.5.1/go.mod h1:UIzXPVuOsr5h7dZ5DUbqk3/Z7oFA/NLGQGMjqT4L2aU=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -967,24 +980,24 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv
github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
github.com/onsi/gomega v1.36.3 h1:hID7cr8t3Wp26+cYnfcjR6HpJ00fdogN6dqZ1t6IylU=
github.com/onsi/gomega v1.36.3/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
github.com/open-policy-agent/opa v1.10.1 h1:haIvxZSPky8HLjRrvQwWAjCPLg8JDFSZMbbG4yyUHgY=
github.com/open-policy-agent/opa v1.10.1/go.mod h1:7uPI3iRpOalJ0BhK6s1JALWPU9HvaV1XeBSSMZnr/PM=
github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
github.com/open-policy-agent/opa v1.12.1 h1:MWfmXuXB119O7rSOJ5GdKAaW15yBirjnLkFRBGy0EX0=
github.com/open-policy-agent/opa v1.12.1/go.mod h1:RnDgm04GA1RjEXJvrsG9uNT/+FyBNmozcPvA2qz60M4=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=
github.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=
github.com/opencontainers/runtime-spec v1.3.0 h1:YZupQUdctfhpZy3TM39nN9Ika5CBWT5diQ8ibYCRkxg=
github.com/opencontainers/runtime-spec v1.3.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
github.com/opencontainers/selinux v1.13.1 h1:A8nNeceYngH9Ow++M+VVEwJVpdFmrlxsN22F+ISDCJE=
github.com/opencontainers/selinux v1.13.1/go.mod h1:S10WXZ/osk2kWOYKy1x2f/eXF5ZHJoUs8UU/2caNRbg=
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553 h1:c4u0GIH0w2Q57Pm2Oldrq6EiHFnLCCnRs98A+ggj/YQ=
github.com/openvex/discovery v0.1.1-0.20240802171711-7c54efc57553/go.mod h1:z4b//Qi7p7zcM/c41ogeTy+/nqfMbbeYnfZ+EMCTCD0=
github.com/openvex/go-vex v0.2.7 h1:/pN3bqvS4QOc6WkkL0hbKzJuAtsUD9vmvk9IZkzD3Zc=
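Review bot: github.com/open-policy-agent/opa moves from v1.10.1 straight to v1.12.1 in this hunk, and its /go.mod hash changes with it, so the module's own requirements moved as well. In a grouped bump this is the entry that deserves its own look: read the release notes for each intermediate release and run the policy evaluation tests against this change on its own, since the same hunk also carries the ginkgo, gomega, runtime-spec and selinux updates and a failure would be hard to attribute.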
@@ -1039,10 +1052,10 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62
github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
github.com/quasilyte/go-ruleguard/dsl v0.3.23 h1:lxjt5B6ZCiBeeNO8/oQsegE6fLeCzuMRoVWSkXC4uvY=
github.com/quasilyte/go-ruleguard/dsl v0.3.23/go.mod h1:KeCP03KrjuSO0H1kTuZQCWlQPulDV6YMIXmpQss17rU=
github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg=
github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
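Review bot: github.com/quic-go/quic-go jumps three minor versions here (v0.54.1 to v0.57.0) together with qpack v0.5.1 to v0.6.0, and both are pre-1.0 modules where a minor release may change the API. Neither appears in the commit message's package table, so they are indirect; record which direct dependency selects them (`go mod why -m github.com/quic-go/quic-go`) and whether the network transport code is reachable from the shipped binaries.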
@@ -1085,8 +1098,8 @@ github.com/sassoftware/relic/v7 v7.6.2 h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgm
github.com/sassoftware/relic/v7 v7.6.2/go.mod h1:kjmP0IBVkJZ6gXeAu35/KCEfca//+PKM6vTAsyDPY+k=
github.com/secure-systems-lab/go-securesystemslib v0.9.1 h1:nZZaNz4DiERIQguNy0cL5qTdn9lR8XKHf4RUyG1Sx3g=
github.com/secure-systems-lab/go-securesystemslib v0.9.1/go.mod h1:np53YzT0zXGMv6x4iEWc9Z59uR+x+ndLwCLqPYpLXVU=
github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
github.com/segmentio/asm v1.2.1 h1:DTNbBqs57ioxAD4PrArqftgypG4/qNpXoJx8TVXxPR0=
github.com/segmentio/asm v1.2.1/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
github.com/segmentio/encoding v0.5.3 h1:OjMgICtcSFuNvQCdwqMCv9Tg7lEOXGwm1J5RPQccx6w=
github.com/segmentio/encoding v0.5.3/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=
github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
@@ -1142,8 +1155,8 @@ github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
github.com/spf13/cobra v0.0.0-20170130214531-35136c09d8da/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
@@ -1151,8 +1164,8 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
github.com/spiffe/go-spiffe/v2 v2.5.0 h1:N2I01KCUkv1FAjZXJMwh95KK1ZIQLYbPfhaxw8WS0hE=
github.com/spiffe/go-spiffe/v2 v2.5.0/go.mod h1:P+NxobPc6wXhVtINNtFjNWGBTreew1GBUCwT2wPmb7g=
github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs=
github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -1188,8 +1201,8 @@ github.com/testcontainers/testcontainers-go/modules/k3s v0.37.0 h1:lqwknybf56hBL
github.com/testcontainers/testcontainers-go/modules/k3s v0.37.0/go.mod h1:RIsXAxAUiaDNfsGsYcZB1TyDn2mqy52lO0HrGFts8cs=
github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0 h1:b+lN2Ch4J/6EwqB+Af+QQbSfv4sFGetHlBHpXi+1yJU=
github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0/go.mod h1:8LuTSboTo2MJKFKV5xH6z4ZH1s3jhRJWwvtPJzKogj4=
github.com/tetratelabs/wazero v1.10.1 h1:2DugeJf6VVk58KTPszlNfeeN8AhhpwcZqkJj2wwFuH8=
github.com/tetratelabs/wazero v1.10.1/go.mod h1:DRm5twOQ5Gr1AoEdSi0CLjDQF1J9ZAuyqFIjl1KKfQU=
github.com/tetratelabs/wazero v1.11.0 h1:+gKemEuKCTevU4d7ZTzlsvgd1uaToIDtlQlmNbwqYhA=
github.com/tetratelabs/wazero v1.11.0/go.mod h1:eV28rsN8Q+xwjogd7f4/Pp4xFxO7uOGbLcD/LzB1wiU=
github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
@@ -1226,14 +1239,16 @@ github.com/valyala/fastjson v1.6.4 h1:uAUNq9Z6ymTgGhcm0UynUAB6tlbakBrz6CQFax3BXV
github.com/valyala/fastjson v1.6.4/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
github.com/vektah/gqlparser/v2 v2.5.30 h1:EqLwGAFLIzt1wpx1IPpY67DwUujF1OfzgEyDsLrN6kE=
github.com/vektah/gqlparser/v2 v2.5.30/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo=
github.com/vektah/gqlparser/v2 v2.5.31 h1:YhWGA1mfTjID7qJhd1+Vxhpk5HTgydrGU9IgkWBTJ7k=
github.com/vektah/gqlparser/v2 v2.5.31/go.mod h1:c1I28gSOVNzlfc4WuDlqU7voQnsqI6OG2amkBAFmgts=
github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IUPn0Bjt8=
github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xanzy/go-gitlab v0.102.0 h1:ExHuJ1OTQ2yt25zBMMj0G96ChBirGYv8U7HyUiYkZ+4=
@@ -1266,10 +1281,8 @@ github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0
github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6ZMSMNJFMOjqrGHynW3DIBuR2H9j0ug+Mo=
github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
github.com/zclconf/go-cty-yaml v1.1.0 h1:nP+jp0qPHv2IhUVqmQSzjvqAWcObN0KBkUl2rWBdig0=
github.com/zclconf/go-cty-yaml v1.1.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
github.com/zclconf/go-cty-yaml v1.2.0 h1:GDyL4+e/Qe/S0B7YaecMLbVvAR/Mp21CXMOSiCTOi1M=
github.com/zclconf/go-cty-yaml v1.2.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/bbolt v1.4.3 h1:dEadXpI6G79deX5prL3QRNP6JB8UxVkqo4UPnHaNXJo=
go.etcd.io/bbolt v1.4.3/go.mod h1:tKQlpPaYCVFctUIgFKFnAlvbmB3tpy1vkTnDWohtc0E=
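Review bot: besides the go-cty-yaml v1.1.0 to v1.2.0 swap, this hunk drops both github.com/zeebo/errs v1.4.0 lines (the header goes from 10 lines to 8), which the commit message does not mention. Confirm the removal is the output of `go mod tidy` after the bumps, for example by re-running it in CI and failing on any resulting diff, so that go.sum is never edited by hand.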
@@ -1289,8 +1302,8 @@ go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk=
go.opentelemetry.io/contrib/detectors/gcp v1.36.0 h1:F7q2tNlCaHY9nMKHR6XH9/qkp8FktLnIcy6jJNyOCQw=
go.opentelemetry.io/contrib/detectors/gcp v1.36.0/go.mod h1:IbBN8uAIIx734PTonTPxAxnjc2pQTxWNkwfstZ+6H2k=
go.opentelemetry.io/contrib/detectors/gcp v1.38.0 h1:ZoYbqX7OaA/TAikspPl3ozPI6iY6LiIY9I8cUfm+pJs=
go.opentelemetry.io/contrib/detectors/gcp v1.38.0/go.mod h1:SU+iU7nu5ud4oCb3LQOhIZ3nRLj6FNVrKgtflbaf2ts=
go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4=
go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
@@ -1337,8 +1350,6 @@ go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOV
go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
go.step.sm/crypto v0.74.0 h1:/APBEv45yYR4qQFg47HA8w1nesIGcxh44pGyQNw6JRA=
go.step.sm/crypto v0.74.0/go.mod h1:UoXqCAJjjRgzPte0Llaqen7O9P7XjPmgjgTHQGkKCDk=
go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
@@ -1347,17 +1358,19 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
go.yaml.in/yaml/v4 v4.0.0-rc.3 h1:3h1fjsh1CTAPjW7q/EMe+C8shx5d8ctzZTrLcs/j8Go=
go.yaml.in/yaml/v4 v4.0.0-rc.3/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20250911091902-df9299821621 h1:2id6c1/gto0kaHYyrixvknJ8tUK/Qs5IsmBtrc+FtgU=
golang.org/x/exp v0.0.0-20250911091902-df9299821621/go.mod h1:TwQYMMnGpvZyc+JpB/UAuTNIsVJifOlSkrZkhcvpVUk=
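Review bot: alongside the yaml/v2 and golang.org/x/crypto bumps, this hunk adds go.yaml.in/yaml/v4 v4.0.0-rc.3, a release candidate, and it adds the module content hash as well as the /go.mod hash. A pre-release parser entering the dependency graph through a routine grouped update should be a deliberate decision: identify the requirement that selects it (`go mod why -m go.yaml.in/yaml/v4`) and note in the PR whether the rc is acceptable or should wait for a tagged release.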
@@ -1366,8 +1379,8 @@ golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvx
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1386,18 +1399,18 @@ golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1431,22 +1444,22 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8 h1:LvzTn0GQhWuvKH/kVRS3R3bVAsdQWI7hvfLHGgh9+lU=
golang.org/x/telemetry v0.0.0-20251008203120-078029d740a8/go.mod h1:Pi4ztBfryZoJEkyFTI5/Ocsu2jXyDr6iSdgJiYE/uwE=
golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc h1:bH6xUXay0AIFMElXG2rQ4uiE+7ncwtiOdPfYK1NK2XA=
golang.org/x/telemetry v0.0.0-20251203150158-8fff8a5912fc/go.mod h1:hKdjCMrbv9skySur+Nek8Hd0uJ0GuxJIoIX2payrIdQ=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1458,14 +1471,14 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d h1:6bY3I4SaYYyjRr2TVIK+OHCsZi4p+/JML81sG2SQqV0=
golang.org/x/tools/gopls v0.0.0-20251008221726-a22b5e8a9b8d/go.mod h1:X0eOMgDrjTIsou7ZNWeP60nlRFUVEtxFuzXzwUa2e8s=
golang.org/x/tools/gopls v0.21.0 h1:k8RlBm3ES+GVe+fbTSkzwKgarmNwN+6aDalb0T0xfag=
golang.org/x/tools/gopls v0.21.0/go.mod h1:x/34IonzHuKpDDlMUjYezcjbwNOJ32FtrYOLqAuOmNo=
golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1487,8 +1500,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98
google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1496,8 +1509,8 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1509,8 +1522,8 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1518,10 +1531,8 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
gopkg.in/go-playground/validator.v9 v9.30.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
@@ -1545,32 +1556,32 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
helm.sh/helm/v3 v3.19.2 h1:psQjaM8aIWrSVEly6PgYtLu/y6MRSmok4ERiGhZmtUY=
helm.sh/helm/v3 v3.19.2/go.mod h1:gX10tB5ErM+8fr7bglUUS/UfTOO8UUTYWIBH1IYNnpE=
helm.sh/helm/v3 v3.19.4 h1:E2yFBejmZBczWr5LblhjZbvAOAwVumfBO1AtN3nqI30=
helm.sh/helm/v3 v3.19.4/go.mod h1:PC1rk7PqacpkV4acUFMLStOOis7QM9Jq3DveHBInu4s=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.34.2 h1:fsSUNZhV+bnL6Aqrp6O7lMTy6o5x2C4XLjnh//8SLYY=
k8s.io/api v0.34.2/go.mod h1:MMBPaWlED2a8w4RSeanD76f7opUoypY8TFYkSM+3XHw=
k8s.io/apiextensions-apiserver v0.34.0 h1:B3hiB32jV7BcyKcMU5fDaDxk882YrJ1KU+ZSkA9Qxoc=
k8s.io/apiextensions-apiserver v0.34.0/go.mod h1:hLI4GxE1BDBy9adJKxUxCEHBGZtGfIg98Q+JmTD7+g0=
k8s.io/apimachinery v0.34.2 h1:zQ12Uk3eMHPxrsbUJgNF8bTauTVR2WgqJsTmwTE/NW4=
k8s.io/apimachinery v0.34.2/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
k8s.io/apiserver v0.34.0 h1:Z51fw1iGMqN7uJ1kEaynf2Aec1Y774PqU+FVWCFV3Jg=
k8s.io/apiserver v0.34.0/go.mod h1:52ti5YhxAvewmmpVRqlASvaqxt0gKJxvCeW7ZrwgazQ=
k8s.io/cli-runtime v0.34.0 h1:N2/rUlJg6TMEBgtQ3SDRJwa8XyKUizwjlOknT1mB2Cw=
k8s.io/cli-runtime v0.34.0/go.mod h1:t/skRecS73Piv+J+FmWIQA2N2/rDjdYSQzEE67LUUs8=
k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
k8s.io/component-base v0.34.0 h1:bS8Ua3zlJzapklsB1dZgjEJuJEeHjj8yTu1gxE2zQX8=
k8s.io/component-base v0.34.0/go.mod h1:RSCqUdvIjjrEm81epPcjQ/DS+49fADvGSCkIP3IC6vg=
k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY=
k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA=
k8s.io/apiextensions-apiserver v0.34.2 h1:WStKftnGeoKP4AZRz/BaAAEJvYp4mlZGN0UCv+uvsqo=
k8s.io/apiextensions-apiserver v0.34.2/go.mod h1:398CJrsgXF1wytdaanynDpJ67zG4Xq7yj91GrmYN2SE=
k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8=
k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
k8s.io/apiserver v0.34.2 h1:2/yu8suwkmES7IzwlehAovo8dDE07cFRC7KMDb1+MAE=
k8s.io/apiserver v0.34.2/go.mod h1:gqJQy2yDOB50R3JUReHSFr+cwJnL8G1dzTA0YLEqAPI=
k8s.io/cli-runtime v0.34.2 h1:cct1GEuWc3IyVT8MSCoIWzRGw9HJ/C5rgP32H60H6aE=
k8s.io/cli-runtime v0.34.2/go.mod h1:X13tsrYexYUCIq8MarCBy8lrm0k0weFPTpcaNo7lms4=
k8s.io/client-go v0.34.2 h1:Co6XiknN+uUZqiddlfAjT68184/37PS4QAzYvQvDR8M=
k8s.io/client-go v0.34.2/go.mod h1:2VYDl1XXJsdcAxw7BenFslRQX28Dxz91U9MWKjX97fE=
k8s.io/component-base v0.34.2 h1:HQRqK9x2sSAsd8+R4xxRirlTjowsg6fWCPwWYeSvogQ=
k8s.io/component-base v0.34.2/go.mod h1:9xw2FHJavUHBFpiGkZoKuYZ5pdtLKe97DEByaA+hHbM=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
k8s.io/kubectl v0.34.0 h1:NcXz4TPTaUwhiX4LU+6r6udrlm0NsVnSkP3R9t0dmxs=
k8s.io/kubectl v0.34.0/go.mod h1:bmd0W5i+HuG7/p5sqicr0Li0rR2iIhXL0oUyLF3OjR4=
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
k8s.io/kubectl v0.34.2 h1:+fWGrVlDONMUmmQLDaGkQ9i91oszjjRAa94cr37hzqA=
k8s.io/kubectl v0.34.2/go.mod h1:X2KTOdtZZNrTWmUD4oHApJ836pevSl+zvC5sI6oO2YQ=
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
@@ -1591,8 +1602,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
modernc.org/sqlite v1.40.1 h1:VfuXcxcUWWKRBuP8+BR9L7VnmusMgBNNnBYGEe9w/iY=
modernc.org/sqlite v1.40.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
modernc.org/sqlite v1.41.0 h1:bJXddp4ZpsqMsNN1vS0jWo4IJTZzb8nWpcgvyCFG9Ck=
modernc.org/sqlite v1.41.0/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
@@ -1605,8 +1616,8 @@ pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
pluginrpc.com/pluginrpc v0.5.0 h1:tOQj2D35hOmvHyPu8e7ohW2/QvAnEtKscy2IJYWQ2yo=
pluginrpc.com/pluginrpc v0.5.0/go.mod h1:UNWZ941hcVAoOZUn8YZsMmOZBzbUjQa3XMns8RQLp9o=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
sigs.k8s.io/kind v0.19.0 h1:ZSUh6/kpab6fiowT6EqL4k8xSbedI2NWxyuUOtoPFe4=
sigs.k8s.io/kind v0.19.0/go.mod h1:aBlbxg08cauDgZ612shr017/rZwqd7AS563FvpWKPVs=
sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=

View File

@@ -1,7 +1,7 @@
apiVersion: v2
name: trivy
version: 0.19.1
appVersion: 0.67.2
version: 0.20.1
appVersion: 0.68.2
description: Trivy helm chart
keywords:
- scanner

View File

@@ -78,6 +78,7 @@ The following table lists the configurable parameters of the Trivy chart and the
| `trivy.existingSecret` | existingSecret if an existing secret has been created outside the chart. Overrides gitHubToken, registryUsername, registryPassword, serverToken | `` |
| `trivy.podAnnotations` | Annotations for pods created by statefulset | `{}` |
| `trivy.extraEnvVars` | extraEnvVars to be set on the container | `{}` |
| `trivy.sslCertDir` | Can be used to override the system default locations for SSL certificate files directory, example: `/ssl/certs` | `` |
| `service.name` | If specified, the name used for the Trivy service | |
| `service.type` | Kubernetes service type | `ClusterIP` |
| `service.port` | Kubernetes service port | `4954` |
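
Review bot: The new `trivy.sslCertDir` row documents only the certificate directory override, but the template changes in this comparison also mount that same path from the node into the container as a read-only `hostPath` volume. The description should say so, because the directory then has to exist on every node that can schedule the pod.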

View File

@@ -27,3 +27,6 @@ data:
{{- with .Values.trivy.extraEnvVars }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- if .Values.trivy.sslCertDir }}
SSL_CERT_DIR: {{ .Values.trivy.sslCertDir | quote }}
{{- end }}

View File

@@ -17,7 +17,7 @@ spec:
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- apiVersion: v1
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
@@ -125,6 +125,11 @@ spec:
- mountPath: /home/scanner/.cache
name: data
readOnly: false
{{- with .Values.trivy.sslCertDir }}
- mountPath: {{ . }}
name: ssl-cert-dir
readOnly: true
{{- end }}
{{- if .Values.resources }}
resources:
{{ toYaml .Values.resources | indent 12 }}
@@ -136,3 +141,8 @@ spec:
- name: data
emptyDir: {}
{{- end }}
{{- with .Values.trivy.sslCertDir }}
- name: ssl-cert-dir
hostPath:
path: {{ . }}
{{- end }}
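
Review bot: The `ssl-cert-dir` volume is a `hostPath` built from whatever string is in `trivy.sslCertDir`, with no `type`, so the kubelet does not check that the path is an existing directory, and clusters enforcing the Baseline or Restricted Pod Security Standards will reject the pod. Consider setting `type: Directory` and, better, letting the user supply the certificates from a ConfigMap or Secret volume so the chart does not need node filesystem access for a CA bundle.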

View File

@@ -128,6 +128,8 @@ trivy:
existingSecret: ""
# extraEnvVars to be set on the container
extraEnvVars: {}
# sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs
sslCertDir: ""
service:
# If specified, the name used for the Trivy service.

View File

@@ -72,7 +72,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/alma/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=alma-8.5\u0026epoch=1",
"UID": "3f965238234faa63"
"UID": "3ff1aff39832f37f"
},
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",
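
Review bot: The `UID` here changes from `3f965238234faa63` to `3ff1aff39832f37f` while the `PURL`, `InstalledVersion` and `FixedVersion` beside it are unchanged, and the golden files that follow show the same pattern, so the input to the UID hash has changed for every package. Please state in the commit message or release notes what now feeds the hash, because anyone who keys suppressions or deduplication on `PkgIdentifier.UID` will see every finding as new after upgrading.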

View File

@@ -73,7 +73,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-11.91.amzn1?arch=x86_64\u0026distro=amazon-AMI+release+2018.03",
"UID": "9fafb1be522b1e7"
"UID": "6120700171ade460"
},
"InstalledVersion": "7.61.1-11.91.amzn1",
"FixedVersion": "7.61.1-12.93.amzn1",

View File

@@ -73,7 +73,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
"UID": "c5998529d683c5c3"
"UID": "6ae14ab68a9937a4"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-12.amzn2.0.1",
@@ -146,7 +146,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/amazon/curl@7.61.1-9.amzn2.0.1?arch=x86_64\u0026distro=amazon-2+%28Karoo%29",
"UID": "c5998529d683c5c3"
"UID": "6ae14ab68a9937a4"
},
"InstalledVersion": "7.61.1-9.amzn2.0.1",
"FixedVersion": "7.61.1-11.amzn2.0.2",

View File

@@ -95,7 +95,7 @@
"PkgName": "glibc",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/glibc@2.12-1.212.el6?arch=x86_64\u0026distro=centos-6.10",
"UID": "24b11591bb7262c4"
"UID": "8a375d9a81c8ed09"
},
"InstalledVersion": "2.12-1.212.el6",
"Status": "end_of_life",
@@ -153,7 +153,7 @@
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl@1.0.1e-57.el6?arch=x86_64\u0026distro=centos-6.10",
"UID": "935959fd0ed81eb9"
"UID": "3250412c84ceb835"
},
"InstalledVersion": "1.0.1e-57.el6",
"FixedVersion": "1.0.1e-58.el6_10",

View File

@@ -88,7 +88,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"UID": "74d0a3456f5c43a3"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
@@ -183,7 +183,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"UID": "74d0a3456f5c43a3"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

View File

@@ -88,7 +88,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"UID": "74d0a3456f5c43a3"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

View File

@@ -85,7 +85,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64\u0026distro=centos-7.6.1810",
"UID": "64aff37eb11b9c25"
"UID": "1e73732cad16e536"
},
"InstalledVersion": "4.2.46-31.el7",
"Status": "will_not_fix",
@@ -147,7 +147,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"UID": "74d0a3456f5c43a3"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",
@@ -242,7 +242,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64\u0026distro=centos-7.6.1810\u0026epoch=1",
"UID": "20f09cdcea6545a2"
"UID": "74d0a3456f5c43a3"
},
"InstalledVersion": "1:1.0.2k-16.el7",
"FixedVersion": "1:1.0.2k-19.el7",

View File

@@ -76,7 +76,7 @@
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
"UID": "24f9b08969c58720"
"UID": "ba4e8c27afaa206c"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",

View File

@@ -73,7 +73,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@5.0-4?arch=amd64\u0026distro=debian-10.1",
"UID": "170e4e5a30145f9c"
"UID": "ccac7cdb2b01effd"
},
"InstalledVersion": "5.0-4",
"Status": "affected",
@@ -141,7 +141,7 @@
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.1",
"UID": "24f9b08969c58720"
"UID": "ba4e8c27afaa206c"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",

View File

@@ -73,7 +73,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/bash@4.4-5?arch=amd64\u0026distro=debian-9.9",
"UID": "17a77561513a84ba"
"UID": "5050d6cecedb6b16"
},
"InstalledVersion": "4.4-5",
"Status": "end_of_life",
@@ -141,7 +141,7 @@
"PkgName": "e2fslibs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fslibs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "f7397849f56886cf"
"UID": "4fbd6c91e1a18086"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -216,7 +216,7 @@
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/e2fsprogs@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "84536029ca820a6c"
"UID": "b0c2238df13ced7c"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -291,7 +291,7 @@
"PkgName": "libcomerr2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libcomerr2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "d911133b560d334c"
"UID": "fb99250ee0ffc0d0"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",
@@ -366,7 +366,7 @@
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libss2@1.43.4-2?arch=amd64\u0026distro=debian-9.9",
"UID": "d9396c7f91558633"
"UID": "c5648e376c234084"
},
"InstalledVersion": "1.43.4-2",
"FixedVersion": "1.43.4-2+deb9u1",

View File

@@ -76,7 +76,7 @@
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"UID": "4115f1455e5bd09d"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -162,7 +162,7 @@
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"UID": "4115f1455e5bd09d"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
@@ -254,7 +254,7 @@
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"UID": "c007f47f4b22b5a9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -340,7 +340,7 @@
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"UID": "c007f47f4b22b5a9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",

View File

@@ -103,7 +103,7 @@
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"UID": "4115f1455e5bd09d"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -189,7 +189,7 @@
"PkgName": "libssl1.1",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libssl1.1@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "96b92444b87304a5"
"UID": "4115f1455e5bd09d"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",
@@ -281,7 +281,7 @@
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"UID": "c007f47f4b22b5a9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"Status": "affected",
@@ -367,7 +367,7 @@
"PkgName": "openssl",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/openssl@1.1.0k-1~deb9u1?arch=amd64\u0026distro=debian-9.9",
"UID": "ed86402b9a8c2be6"
"UID": "c007f47f4b22b5a9"
},
"InstalledVersion": "1.1.0k-1~deb9u1",
"FixedVersion": "1.1.0l-1~deb9u1",

View File

@@ -154,7 +154,7 @@
"PkgName": "libidn2-0",
"PkgIdentifier": {
"PURL": "pkg:deb/debian/libidn2-0@2.0.5-1?arch=amd64\u0026distro=debian-10.2",
"UID": "14f80a7091a08e71"
"UID": "cd3028817db3f25a"
},
"InstalledVersion": "2.0.5-1",
"FixedVersion": "2.0.5-1+deb10u1",

View File

@@ -57,7 +57,7 @@
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
"UID": "437a9a3c0d29deb9"
},
"InstalledVersion": "8.2.4081-1.cm1",
"Status": "affected",
@@ -95,7 +95,7 @@
"PkgName": "vim",
"PkgIdentifier": {
"PURL": "pkg:rpm/cbl-mariner/vim@8.2.4081-1.cm1?arch=x86_64\u0026distro=cbl-mariner-1.0",
"UID": "3f08cd76fa5ba73d"
"UID": "437a9a3c0d29deb9"
},
"InstalledVersion": "8.2.4081-1.cm1",
"FixedVersion": "8.2.4082-1.cm1",

View File

@@ -81,7 +81,7 @@
"PkgName": "libopenssl1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse/libopenssl1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
"UID": "898b73ddd0412f57"
"UID": "a5c414d06155f471"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",
@@ -115,7 +115,7 @@
"PkgName": "openssl-1_1",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse/openssl-1_1@1.1.0i-lp151.8.3.1?arch=x86_64\u0026distro=opensuse-leap-15.1",
"UID": "58980d005de43f54"
"UID": "937f6db3d7249e11"
},
"InstalledVersion": "1.1.0i-lp151.8.3.1",
"FixedVersion": "1.1.0i-lp151.8.6.1",

View File

@@ -84,7 +84,7 @@
"PkgName": "libopenssl3",
"PkgIdentifier": {
"PURL": "pkg:rpm/opensuse/libopenssl3@3.1.4-9.1?arch=x86_64\u0026distro=opensuse-tumbleweed-20240607",
"UID": "f051425f385d2b99"
"UID": "f71b3dc2f2cc0d84"
},
"InstalledVersion": "3.1.4-9.1",
"FixedVersion": "3.1.5-9.1",

View File

@@ -82,7 +82,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
"UID": "6837a94bd82971ac"
"UID": "a8682a2156651fbe"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-11.el8",
@@ -154,7 +154,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/oracle/curl@7.61.1-8.el8?arch=x86_64\u0026distro=oracle-8.0",
"UID": "6837a94bd82971ac"
"UID": "a8682a2156651fbe"
},
"InstalledVersion": "7.61.1-8.el8",
"FixedVersion": "7.61.1-12.el8",

View File

@@ -83,7 +83,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/bash@4.4.18-1.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "a092142482df7886"
"UID": "8bd74904a15c7d6d"
},
"InstalledVersion": "4.4.18-1.ph3",
"FixedVersion": "4.4.18-2.ph3",
@@ -148,7 +148,7 @@
"PkgName": "curl",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "1f44492024a630e8"
"UID": "6b6a4de732e563ee"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",
@@ -221,7 +221,7 @@
"PkgName": "curl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/photon/curl-libs@7.61.1-4.ph3?arch=x86_64\u0026distro=photon-3.0",
"UID": "434cc417a46529a9"
"UID": "b33cf1cac05c76c2"
},
"InstalledVersion": "7.61.1-4.ph3",
"FixedVersion": "7.61.1-5.ph3",

View File

@@ -72,7 +72,7 @@
"PkgName": "openssl-libs",
"PkgIdentifier": {
"PURL": "pkg:rpm/rocky/openssl-libs@1.1.1k-4.el8?arch=x86_64\u0026distro=rocky-8.5\u0026epoch=1",
"UID": "2a2f49f9bf5fc512"
"UID": "cb8148bafbe15690"
},
"InstalledVersion": "1:1.1.1k-4.el8",
"FixedVersion": "1:1.1.1k-5.el8_5",

View File

@@ -101,7 +101,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/redhat/bash@4.2.46-33.el7?arch=x86_64\u0026distro=redhat-7.7",
"UID": "f5b786381193ad1b"
"UID": "12819dd4d4181abf"
},
"InstalledVersion": "4.2.46-33.el7",
"Status": "will_not_fix",

View File

@@ -101,7 +101,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:rpm/redhat/bash@4.2.46-33.el7?arch=x86_64\u0026distro=redhat-7.7",
"UID": "f5b786381193ad1b"
"UID": "12819dd4d4181abf"
},
"InstalledVersion": "4.2.46-33.el7",
"Status": "will_not_fix",

View File

@@ -106,7 +106,7 @@
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "f43bbfe1f933f718"
"UID": "eddde4dbdb2df58c"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -178,7 +178,7 @@
"PkgName": "libcom-err2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "e7d11d906afeb678"
"UID": "87ee4bdeca236f23"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -250,7 +250,7 @@
"PkgName": "libext2fs2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "19d89bf66d83962e"
"UID": "f5dac6a49dfab96c"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -322,7 +322,7 @@
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "231804324b8f13c6"
"UID": "119f1602425ea3a0"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",

View File

@@ -106,7 +106,7 @@
"PkgName": "bash",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/bash@4.4.18-2ubuntu1.2?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "55652e248d848fa2"
"UID": "c9e621778b151be2"
},
"InstalledVersion": "4.4.18-2ubuntu1.2",
"Status": "affected",
@@ -170,7 +170,7 @@
"PkgName": "e2fsprogs",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/e2fsprogs@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "f43bbfe1f933f718"
"UID": "eddde4dbdb2df58c"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -242,7 +242,7 @@
"PkgName": "libcom-err2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libcom-err2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "e7d11d906afeb678"
"UID": "87ee4bdeca236f23"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -314,7 +314,7 @@
"PkgName": "libext2fs2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libext2fs2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "19d89bf66d83962e"
"UID": "f5dac6a49dfab96c"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",
@@ -386,7 +386,7 @@
"PkgName": "libss2",
"PkgIdentifier": {
"PURL": "pkg:deb/ubuntu/libss2@1.44.1-1ubuntu1.1?arch=amd64\u0026distro=ubuntu-18.04",
"UID": "231804324b8f13c6"
"UID": "119f1602425ea3a0"
},
"InstalledVersion": "1.44.1-1ubuntu1.1",
"FixedVersion": "1.44.1-1ubuntu1.2",

148
magefiles/config_schema.go Normal file
View File

@@ -0,0 +1,148 @@
//go:build mage_docs
package main
import (
"encoding/json"
"fmt"
"os"
"strings"
"time"
"github.com/invopop/jsonschema"
"github.com/aquasecurity/trivy/pkg/flag"
)
// JSON Schema type constants
const (
schemaTypeString = "string"
schemaTypeBoolean = "boolean"
schemaTypeInteger = "integer"
schemaTypeNumber = "number"
schemaTypeArray = "array"
schemaTypeObject = "object"
)
const configSchemaPath = "schema/trivy-config.json"
// generateConfigSchema generates a JSON schema for trivy.yaml configuration file.
func generateConfigSchema(outputPath string, allFlagGroups []flag.FlagGroup) error {
root := &jsonschema.Schema{
Version: jsonschema.Version,
Type: schemaTypeObject,
Title: "Trivy Configuration",
Description: "Configuration file for Trivy security scanner (trivy.yaml)",
Properties: jsonschema.NewProperties(),
}
for _, group := range allFlagGroups {
for _, f := range group.Flags() {
configName := f.GetConfigName()
if configName == "" || f.Hidden() {
continue
}
if err := addFlagToSchema(root, f); err != nil {
return err
}
}
}
data, err := json.MarshalIndent(root, "", " ")
if err != nil {
return err
}
// Ensure directory exists
if err := os.MkdirAll("schema", 0755); err != nil {
return err
}
return os.WriteFile(outputPath, data, 0644)
}
// addFlagToSchema adds a flag to the schema, creating nested objects as needed.
func addFlagToSchema(root *jsonschema.Schema, f flag.Flagger) error {
configName := f.GetConfigName()
parts := strings.Split(configName, ".")
// Split into parent path and leaf name
parentParts, leafName := parts[:len(parts)-1], parts[len(parts)-1]
// Navigate/create intermediate objects
current := root
for _, part := range parentParts {
if existing, ok := current.Properties.Get(part); ok {
current = existing
} else {
newSchema := &jsonschema.Schema{
Type: schemaTypeObject,
Properties: jsonschema.NewProperties(),
}
current.Properties.Set(part, newSchema)
current = newSchema
}
}
// Add the leaf property
schema, err := schemaFromFlag(f)
if err != nil {
return err
}
current.Properties.Set(leafName, schema)
return nil
}
// schemaFromFlag creates a JSON schema based on the flag's type, description, and allowed values.
func schemaFromFlag(f flag.Flagger) (*jsonschema.Schema, error) {
schema, err := schemaFromFlagValue(f.GetDefaultValue())
if err != nil {
return nil, fmt.Errorf("flag %q: %w", f.GetConfigName(), err)
}
// Add description from Usage
if usage := f.GetUsage(); usage != "" {
schema.Description = usage
}
// Add enum if Values is set
if values := f.GetValues(); len(values) > 0 {
schema.Enum = make([]any, len(values))
for i, v := range values {
schema.Enum[i] = v
}
}
return schema, nil
}
// schemaFromFlagValue creates a JSON schema based on the flag's default value type.
func schemaFromFlagValue(val any) (*jsonschema.Schema, error) {
switch val.(type) {
case string:
return &jsonschema.Schema{Type: schemaTypeString}, nil
case bool:
return &jsonschema.Schema{Type: schemaTypeBoolean}, nil
case int:
return &jsonschema.Schema{Type: schemaTypeInteger}, nil
case float64:
return &jsonschema.Schema{Type: schemaTypeNumber}, nil
case []string:
return &jsonschema.Schema{
Type: schemaTypeArray,
Items: &jsonschema.Schema{Type: schemaTypeString},
}, nil
case time.Duration:
return &jsonschema.Schema{Type: schemaTypeString}, nil
case map[string][]string:
return &jsonschema.Schema{
Type: schemaTypeObject,
AdditionalProperties: &jsonschema.Schema{
Type: schemaTypeArray,
Items: &jsonschema.Schema{Type: schemaTypeString},
},
}, nil
default:
return nil, fmt.Errorf("unknown type %T, please update schemaFromFlagValue()", val)
}
}
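
Review bot: `generateConfigSchema` accepts `outputPath` but creates the directory with a hard-coded `os.MkdirAll("schema", 0755)`, so a caller passing a path outside `schema/` gets a write error; use `filepath.Dir(outputPath)` instead. In `addFlagToSchema`, if an intermediate `part` already exists as a leaf (one flag named `a` and another named `a.b`), `existing` was built by `schemaFromFlagValue` with no `Properties`, and the next `current.Properties.Get` or `Set` runs on a nil `Properties`; return an error for that collision rather than relying on config names never overlapping.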

View File

@@ -20,9 +20,10 @@ const (
title = "Config file"
description = "Trivy can be customized by tweaking a `trivy.yaml` file.\n" +
"The config path can be overridden by the `--config` flag.\n\n" +
"An example is [here][example].\n\n" +
"An example is [here][example] and a [JSON Schema][schema] is also available.\n\n" +
"These samples contain default values for flags."
footer = "[example]: https://github.com/aquasecurity/trivy/tree/{{ git.tag }}/examples/trivy-conf/trivy.yaml"
footer = "[example]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/examples/trivy-conf/trivy.yaml\n" +
"[schema]: https://github.com/aquasecurity/trivy/blob/{{ git.tag }}/schema/trivy-config.json"
)
// Generate CLI references
@@ -47,6 +48,9 @@ func main() {
if err := generateTelemetryFlagDocs("./docs/guide/advanced/telemetry-flags.md", allFlagGroups); err != nil {
log.Fatal("Fatal error in telemetry docs generation", log.Err(err))
}
if err := generateConfigSchema(configSchemaPath, allFlagGroups); err != nil {
log.Fatal("Fatal error in config schema generation", log.Err(err))
}
}
// generateTelemetryFlagDocs updates the telemetry section in the documentation file

View File

@@ -99,15 +99,16 @@ nav:
- Elixir: guide/coverage/language/elixir.md
- Go: guide/coverage/language/golang.md
- Java: guide/coverage/language/java.md
- Julia: guide/coverage/language/julia.md
- Node.js: guide/coverage/language/nodejs.md
- PHP: guide/coverage/language/php.md
- Python: guide/coverage/language/python.md
- Ruby: guide/coverage/language/ruby.md
- Rust: guide/coverage/language/rust.md
- Swift: guide/coverage/language/swift.md
- Julia: guide/coverage/language/julia.md
- IaC:
- Overview: guide/coverage/iac/index.md
- Ansible: guide/coverage/iac/ansible.md
- Azure ARM Template: guide/coverage/iac/azure-arm.md
- CloudFormation: guide/coverage/iac/cloudformation.md
- Docker: guide/coverage/iac/docker.md

View File

@@ -1,9 +1,12 @@
package artifact
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"maps"
"os"
"slices"
"strings"
@@ -12,6 +15,7 @@ import (
"github.com/samber/lo"
"github.com/spf13/viper"
"golang.org/x/xerrors"
"gopkg.in/yaml.v3"
"github.com/aquasecurity/trivy/pkg/cache"
"github.com/aquasecurity/trivy/pkg/commands/operation"
@@ -734,6 +738,12 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
return misconf.ScannerOption{}, xerrors.Errorf("load schemas error: %w", err)
}
ansibleExtraVars, err := resolveAnsibleExtraVars(opts.AnsibleExtraVars)
if err != nil {
log.DebugContext(ctx, "Failed to resolve Ansible extra-vars", log.Err(err))
ansibleExtraVars = make(map[string]any)
}
misconfOpts := misconf.ScannerOption{
Trace: opts.RegoOptions.Trace,
Namespaces: append(opts.CheckNamespaces, rego.BuiltinNamespaces()...),
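
Review bot: When `resolveAnsibleExtraVars` fails, the error is logged only at debug level and replaced with an empty map, so a mistyped `@file` path or malformed JSON/YAML makes the scan run with none of the user's extra-vars and report results for a different configuration than the one requested. Return the error as the `load schemas error` branch just above does, or at minimum log it at warn level.
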
@@ -758,6 +768,9 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
ConfigFileSchemas: configSchemas,
SkipFiles: opts.SkipFiles,
SkipDirs: opts.SkipDirs,
AnsiblePlaybooks: opts.AnsiblePlaybooks,
AnsibleInventories: opts.AnsibleInventories,
AnsibleExtraVars: ansibleExtraVars,
}
regoScanner, err := misconf.InitRegoScanner(misconfOpts)
@@ -768,3 +781,44 @@ func initMisconfScannerOption(ctx context.Context, opts flag.Options) (misconf.S
misconfOpts.RegoScanner = regoScanner
return misconfOpts, nil
}
func resolveAnsibleExtraVars(inputs []string) (map[string]any, error) {
result := make(map[string]any)
for _, input := range inputs {
var vars map[string]any
switch {
case strings.HasPrefix(input, "@"):
data, err := os.ReadFile(input[1:])
if err != nil {
return nil, fmt.Errorf("read extra-vars file %s: %w", input[1:], err)
}
trimmed := bytes.TrimSpace(data)
if len(trimmed) > 0 && trimmed[0] == '{' {
// parse as JSON object
if err := json.Unmarshal(trimmed, &vars); err != nil {
return nil, fmt.Errorf("parse extra-vars JSON file %s: %w", input[1:], err)
}
} else {
// parse as YAML
if err := yaml.Unmarshal(trimmed, &vars); err != nil {
return nil, fmt.Errorf("parse extra-vars YAML file %s: %w", input[1:], err)
}
}
case strings.Contains(input, "="):
kv := strings.SplitN(input, "=", 2)
var val string
if len(kv) == 2 {
val = kv[1]
}
vars = map[string]any{kv[0]: val}
default:
return nil, fmt.Errorf("invalid extra-vars input: %s", input)
}
maps.Copy(result, vars)
}
return result, nil
}
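
Review bot: In the `key=value` branch the whole input is treated as one pair, so `a=1 b=2` becomes key `a` with value `1 b=2` and `=x` is accepted with an empty key; the `len(kv) == 2` check can never be false because `strings.Contains(input, "=")` already guarantees a separator. Use `strings.Cut`, reject an empty key, and add a doc comment listing the accepted forms (`@file` holding JSON or YAML, and a single `key=value`) and that later inputs override earlier ones through `maps.Copy`. A file whose first non-space byte is not `{` goes to the YAML parser, which deserves a test alongside the JSON case.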

View File

@@ -17,7 +17,8 @@ import (
)
type LockFile struct {
Packages []packageInfo `json:"packages"`
Packages []packageInfo `json:"packages"`
PackagesDev []packageInfo `json:"packages-dev"`
}
type packageInfo struct {
Name string `json:"name"`
@@ -45,30 +46,11 @@ func (p *Parser) Parse(_ context.Context, r xio.ReadSeekerAt) ([]ftypes.Package,
pkgs := make(map[string]ftypes.Package)
foundDeps := make(map[string][]string)
for _, lpkg := range lockFile.Packages {
pkg := ftypes.Package{
ID: dependency.ID(ftypes.Composer, lpkg.Name, lpkg.Version),
Name: lpkg.Name,
Version: lpkg.Version,
Relationship: ftypes.RelationshipUnknown, // composer.lock file doesn't have info about direct/indirect dependencies
Licenses: licenses(lpkg.License),
Locations: []ftypes.Location{ftypes.Location(lpkg.Location)},
}
pkgs[pkg.Name] = pkg
var dependsOn []string
for depName := range lpkg.Require {
// Require field includes required php version, skip this
// Also skip PHP extensions
if depName == "php" || strings.HasPrefix(depName, "ext") {
continue
}
dependsOn = append(dependsOn, depName) // field uses range of versions, so later we will fill in the versions from the packages
}
if len(dependsOn) > 0 {
foundDeps[pkg.ID] = dependsOn
}
}
// Production packages are parsed first to ensure they take precedence
// when the same package exists in both "packages" and "packages-dev".
p.parseProdPackages(lockFile, pkgs, foundDeps)
p.parseDevPackages(lockFile, pkgs, foundDeps)
// fill deps versions
var deps ftypes.Dependencies
@@ -95,6 +77,50 @@ func (p *Parser) Parse(_ context.Context, r xio.ReadSeekerAt) ([]ftypes.Package,
return pkgSlice, deps, nil
}
// parseProdPackages parses packages from the "packages" field in composer.lock.
func (p *Parser) parseProdPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
p.parsePackages(lockFile.Packages, false, pkgs, foundDeps)
}
// parseDevPackages parses packages from the "packages-dev" field in composer.lock.
// Packages already present in pkgs (i.e., production packages) are skipped.
func (p *Parser) parseDevPackages(lockFile LockFile, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
p.parsePackages(lockFile.PackagesDev, true, pkgs, foundDeps)
}
func (p *Parser) parsePackages(lockPkgs []packageInfo, isDev bool, pkgs map[string]ftypes.Package, foundDeps map[string][]string) {
for _, lpkg := range lockPkgs {
// Skip if the package already exists (production packages take precedence over dev packages)
if _, ok := pkgs[lpkg.Name]; ok {
continue
}
pkg := ftypes.Package{
ID: dependency.ID(ftypes.Composer, lpkg.Name, lpkg.Version),
Name: lpkg.Name,
Version: lpkg.Version,
Relationship: ftypes.RelationshipUnknown, // composer.lock file doesn't have info about direct/indirect dependencies
Licenses: licenses(lpkg.License),
Locations: []ftypes.Location{ftypes.Location(lpkg.Location)},
Dev: isDev,
}
pkgs[pkg.Name] = pkg
var dependsOn []string
for depName := range lpkg.Require {
// Require field includes required php version, skip this
// Also skip PHP extensions
if depName == "php" || strings.HasPrefix(depName, "ext") {
continue
}
dependsOn = append(dependsOn, depName) // field uses range of versions, so later we will fill in the versions from the packages
}
if len(dependsOn) > 0 {
foundDeps[pkg.ID] = dependsOn
}
}
}
// licenses returns slice of licenses from string, string with separators (`or`, `and`, etc.) or string array
// cf. https://getcomposer.org/doc/04-schema.md#license
func licenses(val any) []string {
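
Review bot: The name-based skip in `parsePackages` also runs for the production list, so a name repeated inside `packages` now keeps the first entry where the removed loop let the last one overwrite `pkgs[pkg.Name]`; if that is intended, say so in a doc comment on `parsePackages`, which currently has none. `parseProdPackages` and `parseDevPackages` each forward a single field of `lockFile`, so calling `p.parsePackages(lockFile.Packages, false, ...)` and `p.parsePackages(lockFile.PackagesDev, true, ...)` directly from `Parse` would be simpler.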

View File

@@ -54,6 +54,32 @@ var (
},
},
},
{
ID: "pear/log@1.13.3",
Name: "pear/log",
Version: "1.13.3",
Dev: true,
Licenses: []string{"MIT"},
Locations: []ftypes.Location{
{
StartLine: 660,
EndLine: 719,
},
},
},
{
ID: "pear/pear_exception@v1.0.2",
Name: "pear/pear_exception",
Version: "v1.0.2",
Dev: true,
Licenses: []string{"BSD-2-Clause"},
Locations: []ftypes.Location{
{
StartLine: 720,
EndLine: 778,
},
},
},
{
ID: "psr/http-message@1.0.1",
Name: "psr/http-message",
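
Review bot: The added expectations cover packages that appear only under `packages-dev` (`pear/log` and `pear/pear_exception`, both `Dev: true`), but nothing in these lines exercises the precedence rule the parser change introduces. Add a fixture in which the same package name is listed in both `packages` and `packages-dev`, and assert that the result carries the production entry with `Dev` unset.
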
@@ -132,6 +158,12 @@ var (
"ralouphie/getallheaders@3.0.3",
},
},
{
ID: "pear/log@1.13.3",
DependsOn: []string{
"pear/pear_exception@v1.0.2",
},
},
{
ID: "symfony/polyfill-intl-idn@v1.27.0",
DependsOn: []string{

View File

@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
eco = ecosystem.Kubernetes
comparer = compare.GenericComparer{}
case ftypes.Julia:
log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
return Driver{}, false
eco = ecosystem.Julia
comparer = compare.GenericComparer{}
default:
log.Warn("The library type is not supported for vulnerability scanning",
log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
vuln := types.DetectedVulnerability{
VulnerabilityID: adv.VulnerabilityID,
VendorIDs: adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
PkgID: pkgID,
PkgName: pkgName,
InstalledVersion: pkgVer,
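
Review bot: The inline comment on the new `VendorIDs` field reads `Any vendors have specific IDs`, which does not parse; something like `Some vendors have their own IDs, e.g. GHSA, JLSEC` says what is meant.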

View File

@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2022-21235",
VulnerabilityID: "CVE-2022-21235",
VendorIDs: []string{
"GHSA-6635-c626-vj4r",
},
PkgName: "github.com/Masterminds/vcs",
InstalledVersion: "v1.13.1",
FixedVersion: "v1.13.2",
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
},
},
},
{
name: "julia package",
fixtures: []string{
"testdata/fixtures/julia.yaml",
"testdata/fixtures/data-source.yaml",
},
libType: ftypes.Julia,
args: args{
pkgName: "HTTP",
pkgVer: "1.10.16",
},
want: []types.DetectedVulnerability{
{
VulnerabilityID: "CVE-2025-52479",
PkgName: "HTTP",
InstalledVersion: "1.10.16",
FixedVersion: "1.10.17",
DataSource: &dbTypes.DataSource{
ID: vulnerability.Julia,
Name: "Julia Ecosystem Security Advisories",
URL: "https://github.com/JuliaLang/SecurityAdvisories.jl",
},
VendorIDs: []string{
"JLSEC-2025-1",
},
},
},
},
{
name: "non-prefixed buckets",
fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
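
Review bot: The "julia package" case only exercises the vulnerable side (`pkgVer: "1.10.16"` against `<1.10.17`). Add a second case with `pkgVer: "1.10.17"` that expects no findings, so the test would catch a comparer that reports every Julia version as affected.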

@@ -30,3 +30,8 @@
ID: "ghsa"
Name: "GitHub Security Advisory Go"
URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
- key: "julia::Julia Ecosystem Security Advisories"
value:
ID: "julia"
Name: "Julia Ecosystem Security Advisories"
URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"

@@ -8,3 +8,5 @@
- v1.13.2
VulnerableVersions:
- "<v1.13.2"
VendorIDs:
- "GHSA-6635-c626-vj4r"

@@ -0,0 +1,12 @@
- bucket: "julia::Julia Ecosystem Security Advisories"
pairs:
- bucket: HTTP
pairs:
- key: CVE-2025-52479
value:
PatchedVersions:
- 1.10.17
VulnerableVersions:
- "<1.10.17"
VendorIDs:
- "JLSEC-2025-1"

@@ -50,6 +50,7 @@ var eolDates = map[string]time.Time{
"3.20": time.Date(2026, 4, 1, 23, 59, 59, 0, time.UTC),
"3.21": time.Date(2026, 12, 5, 23, 59, 59, 0, time.UTC),
"3.22": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
"3.23": time.Date(2027, 11, 1, 23, 59, 59, 0, time.UTC),
"edge": time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC),
}

@@ -63,6 +63,11 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// Skip third-party packages as they are not covered by Debian security advisories
if pkg.Repository.Class == ftypes.RepositoryClassThirdParty {
continue
}
sourceVersion, err := version.NewVersion(utils.FormatSrcVersion(pkg))
if err != nil {
log.DebugContext(ctx, "Installed package version error", log.Err(err))
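
Review bot: The new `continue` on `pkg.Repository.Class == ftypes.RepositoryClassThirdParty` drops the package from Debian advisory matching without leaving any trace. That class is assigned by the maintainer-string heuristic in the dpkg analyzer, so a misclassified package becomes a silent false negative. Emit a `log.DebugContext` line with the package name before `continue` so the skip can be audited.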

@@ -1,7 +1,6 @@
package rootio
import (
"cmp"
"context"
"strings"
@@ -104,9 +103,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
Severity: adv.Severity.String(),
}
// Datasource contains BaseID + ID for root.io advisories,
// But baseOS (e.g. Debian) advisories use ID only.
vuln.SeveritySource = cmp.Or(adv.DataSource.BaseID, adv.DataSource.ID)
vuln.SeveritySource = adv.DataSource.ID
}
vulns = append(vulns, vuln)
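
Review bot: `vuln.SeveritySource = adv.DataSource.ID` is left without explanation. The hunk header shrinks the block from 9 lines to 7, so the two comment lines about `BaseID` appear to go away together with the `cmp.Or` line. Add a short comment saying that Root.io advisories now report their own data source as the severity source rather than the base OS one, which is what the `Severity:` values added to the fixture suggest.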

@@ -51,7 +51,7 @@ func TestScanner_Detect(t *testing.T) {
VulnerabilityID: "CVE-2024-13176", // Debian and Root.io contain this CVE
InstalledVersion: "3.0.15-1~deb12u1.root.io.0",
FixedVersion: "3.0.15-1~deb12u1.root.io.1, 3.0.16-1~deb12u1",
SeveritySource: vulnerability.Debian,
SeveritySource: vulnerability.RootIO,
DataSource: &dbTypes.DataSource{
ID: vulnerability.RootIO,
BaseID: vulnerability.Debian,
@@ -103,12 +103,16 @@ func TestScanner_Detect(t *testing.T) {
VulnerabilityID: "CVE-2023-44487",
InstalledVersion: "1.22.1-9+deb12u2.root.io.0",
FixedVersion: "1.22.1-9+deb12u2.root.io.1",
SeveritySource: vulnerability.RootIO,
DataSource: &dbTypes.DataSource{
ID: vulnerability.RootIO,
BaseID: vulnerability.Ubuntu,
Name: "Root.io Security Patches (ubuntu)",
URL: "https://api.root.io/external/patch_feed",
},
Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityHigh.String(),
},
},
},
},

@@ -28,6 +28,7 @@
PatchedVersions:
- "3.0.15-1~deb12u1.root.io.1"
- "3.0.16-1~deb12u1"
Severity: 2
- bucket: root.io ubuntu 20.04
pairs:
- bucket: nginx
@@ -38,6 +39,7 @@
- "<1.22.1-9+deb12u2.root.io.1"
PatchedVersions:
- "1.22.1-9+deb12u2.root.io.1"
Severity: 3
- bucket: root.io alpine 3.19
pairs:
- bucket: less

@@ -105,6 +105,11 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
var vulns []types.DetectedVulnerability
for _, pkg := range pkgs {
// Skip third-party packages as they are not covered by Ubuntu security advisories
if pkg.Repository.Class == ftypes.RepositoryClassThirdParty {
continue
}
osVer = s.versionFromEolDates(ctx, osVer)
advisories, err := s.vs.Get(db.GetParams{
Release: osVer,
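
Review bot: This is the same three-line third-party skip as in the Debian `Detect` loop. A small shared helper would keep the two scanners from drifting apart if the rule changes, and would give one place to log which package was skipped.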

@@ -676,7 +676,7 @@ func TestAnalyzerGroup_AnalyzerVersions(t *testing.T) {
"ubuntu-esm": 1,
},
PostAnalyzers: map[string]int{
"dpkg": 5,
"dpkg": 6,
"jar": 1,
"poetry": 1,
},

@@ -1,6 +1,7 @@
package all
import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/ansible"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/azurearm"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/cloudformation"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/config/dockerfile"

@@ -0,0 +1,37 @@
package ansible
import (
"os"
"path/filepath"
"slices"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer/config"
"github.com/aquasecurity/trivy/pkg/iac/detection"
)
const (
version = 1
analyzerType = analyzer.TypeAnsible
)
func init() {
analyzer.RegisterPostAnalyzer(analyzerType, newAnsibleConfigAnalyzer)
}
type ansibleConfigAnalyzer struct {
*config.Analyzer
}
func newAnsibleConfigAnalyzer(opts analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error) {
a, err := config.NewAnalyzer(analyzerType, version, detection.FileTypeAnsible, opts)
if err != nil {
return nil, err
}
return &ansibleConfigAnalyzer{Analyzer: a}, nil
}
func (a *ansibleConfigAnalyzer) Required(filePath string, _ os.FileInfo) bool {
return filepath.Base(filePath) == "ansible.cfg" ||
slices.Contains([]string{"", ".yml", ".yaml", ".json", ".ini"}, filepath.Ext(filePath))
}
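
Review bot: `Required` accepts every file whose extension is empty, `.yml`, `.yaml`, `.json` or `.ini`, so every extensionless file in the scan target is handed to this analyzer. If content detection further down is what narrows this to real Ansible files, say so in a comment on `Required`; otherwise tighten the match. The `[]string{...}` literal is also rebuilt on every call and could be a package-level variable.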

@@ -0,0 +1,61 @@
package ansible
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
)
func Test_ansibleConfigAnalyzer_Required(t *testing.T) {
tests := []struct {
name string
filePath string
want bool
}{
{
name: "yaml",
filePath: "test.yaml",
want: true,
},
{
name: "yml",
filePath: "test.yml",
want: true,
},
{
name: "json",
filePath: "test.json",
want: true,
},
{
name: "init",
filePath: "test.ini",
want: true,
},
{
name: "without extension",
filePath: "test",
want: true,
},
{
name: "config file",
filePath: "ansible.cfg",
want: true,
},
{
name: "just cfg",
filePath: "test.cfg",
want: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a, err := newAnsibleConfigAnalyzer(analyzer.AnalyzerOptions{})
require.NoError(t, err)
assert.Equal(t, tt.want, a.Required(tt.filePath, nil))
})
}
}
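
Review bot: The case for `test.ini` is named "init"; it should be "ini". The table also has no path with a directory component and no upper-case extension, so it does not pin down how the `filepath.Base` and `filepath.Ext` checks behave for those inputs.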

@@ -132,6 +132,7 @@ const (
TypeTerraformPlanSnapshot Type = Type(detection.FileTypeTerraformPlanSnapshot)
TypeYAML Type = Type(detection.FileTypeYAML)
TypeJSON Type = Type(detection.FileTypeJSON)
TypeAnsible Type = Type(detection.FileTypeAnsible)
// ========
// License
@@ -266,5 +267,6 @@ var (
TypeTerraformPlanSnapshot,
TypeYAML,
TypeJSON,
TypeAnsible,
}
)

@@ -106,7 +106,7 @@ func (a composerAnalyzer) parseComposerLock(ctx context.Context, path string, r
func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.Application) error {
// Parse composer.json to identify the direct dependencies
path := filepath.Join(dir, types.ComposerJson)
p, err := a.parseComposerJson(fsys, path)
cj, err := a.parseComposerJson(fsys, path)
if errors.Is(err, fs.ErrNotExist) {
// Assume all the packages are direct dependencies as it cannot identify them from composer.lock
log.Debug("Unable to determine the direct dependencies, composer.json not found", log.FilePath(path))
@@ -117,7 +117,9 @@ func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.A
for i, pkg := range app.Packages {
// Identify the direct/transitive dependencies
if _, ok := p[pkg.Name]; ok {
if _, ok := cj.Require[pkg.Name]; ok {
app.Packages[i].Relationship = types.RelationshipDirect
} else if _, ok := cj.RequireDev[pkg.Name]; ok {
app.Packages[i].Relationship = types.RelationshipDirect
} else {
app.Packages[i].Indirect = true
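
Review bot: The `cj.Require` and `cj.RequireDev` branches have identical bodies (`app.Packages[i].Relationship = types.RelationshipDirect`). Look both maps up first and test them in a single `if` with `||`, so the direct-dependency rule is written once.
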
@@ -129,21 +131,22 @@ func (a composerAnalyzer) mergeComposerJson(fsys fs.FS, dir string, app *types.A
}
type composerJson struct {
Require map[string]string `json:"require"`
Require map[string]string `json:"require"`
RequireDev map[string]string `json:"require-dev"`
}
func (a composerAnalyzer) parseComposerJson(fsys fs.FS, path string) (map[string]string, error) {
func (a composerAnalyzer) parseComposerJson(fsys fs.FS, path string) (composerJson, error) {
// Parse composer.json
f, err := fsys.Open(path)
if err != nil {
return nil, xerrors.Errorf("file open error: %w", err)
return composerJson{}, xerrors.Errorf("file open error: %w", err)
}
defer func() { _ = f.Close() }()
jsonFile := composerJson{}
var jsonFile composerJson
err = json.NewDecoder(f).Decode(&jsonFile)
if err != nil {
return nil, xerrors.Errorf("json decode error: %w", err)
return composerJson{}, xerrors.Errorf("json decode error: %w", err)
}
return jsonFile.Require, nil
return jsonFile, nil
}

@@ -151,6 +151,65 @@ func Test_composerAnalyzer_PostAnalyze(t *testing.T) {
dir: "testdata/composer/sad",
want: &analyzer.AnalysisResult{},
},
{
name: "with dev dependencies",
dir: "testdata/composer/with-dev",
want: &analyzer.AnalysisResult{
Applications: []types.Application{
{
Type: types.Composer,
FilePath: "composer.lock",
Packages: types.Packages{
{
ID: "pear/log@1.14.6",
Name: "pear/log",
Version: "1.14.6",
Dev: true,
Indirect: false,
Relationship: types.RelationshipDirect,
Licenses: []string{"MIT"},
Locations: []types.Location{
{
StartLine: 61,
EndLine: 121,
},
},
DependsOn: []string{"pear/pear_exception@v1.0.2"},
},
{
ID: "psr/log@1.1.4",
Name: "psr/log",
Version: "1.1.4",
Indirect: false,
Relationship: types.RelationshipDirect,
Licenses: []string{"MIT"},
Locations: []types.Location{
{
StartLine: 9,
EndLine: 58,
},
},
},
{
ID: "pear/pear_exception@v1.0.2",
Name: "pear/pear_exception",
Version: "v1.0.2",
Dev: true,
Indirect: true,
Relationship: types.RelationshipIndirect,
Licenses: []string{"BSD-2-Clause"},
Locations: []types.Location{
{
StartLine: 122,
EndLine: 180,
},
},
},
},
},
},
},
},
}
for _, tt := range tests {

@@ -0,0 +1,8 @@
{
"require": {
"psr/log": "^1.0"
},
"require-dev": {
"pear/log": "^1.13"
}
}

@@ -0,0 +1,190 @@
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "2c9e13a2460669ca09226814c0aefb51",
"packages": [
{
"name": "psr/log",
"version": "1.1.4",
"source": {
"type": "git",
"url": "https://github.com/php-fig/log.git",
"reference": "d49695b909c3b7628b6289db5479a1c204601f11"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/php-fig/log/zipball/d49695b909c3b7628b6289db5479a1c204601f11",
"reference": "d49695b909c3b7628b6289db5479a1c204601f11",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
"type": "library",
"extra": {
"branch-alias": {
"dev-master": "1.1.x-dev"
}
},
"autoload": {
"psr-4": {
"Psr\\Log\\": "Psr/Log/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "PHP-FIG",
"homepage": "https://www.php-fig.org/"
}
],
"description": "Common interface for logging libraries",
"homepage": "https://github.com/php-fig/log",
"keywords": [
"log",
"psr",
"psr-3"
],
"support": {
"source": "https://github.com/php-fig/log/tree/1.1.4"
},
"time": "2021-05-03T11:20:27+00:00"
}
],
"packages-dev": [
{
"name": "pear/log",
"version": "1.14.6",
"source": {
"type": "git",
"url": "https://github.com/pear/Log.git",
"reference": "e136d31ff6d5991e9707862f5fbfb97d40cd37a3"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/Log/zipball/e136d31ff6d5991e9707862f5fbfb97d40cd37a3",
"reference": "e136d31ff6d5991e9707862f5fbfb97d40cd37a3",
"shasum": ""
},
"require": {
"pear/pear_exception": "1.0.1 || 1.0.2",
"php": ">=7.4"
},
"require-dev": {
"phpunit/phpunit": "*",
"rector/rector": "*"
},
"suggest": {
"pear/db": "Install optionally via your project's composer.json"
},
"type": "library",
"autoload": {
"psr-0": {
"Log": "./"
},
"exclude-from-classmap": [
"/examples/"
]
},
"notification-url": "https://packagist.org/downloads/",
"include-path": [
""
],
"license": [
"MIT"
],
"authors": [
{
"name": "Jon Parise",
"email": "jon@php.net",
"homepage": "https://www.indelible.org/",
"role": "Developer"
}
],
"description": "PEAR Logging Framework",
"homepage": "https://pear.github.io/Log/",
"keywords": [
"log",
"logging"
],
"support": {
"issues": "https://github.com/pear/Log/issues",
"source": "https://github.com/pear/Log"
},
"time": "2025-07-27T00:25:20+00:00"
},
{
"name": "pear/pear_exception",
"version": "v1.0.2",
"source": {
"type": "git",
"url": "https://github.com/pear/PEAR_Exception.git",
"reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/pear/PEAR_Exception/zipball/b14fbe2ddb0b9f94f5b24cf08783d599f776fff0",
"reference": "b14fbe2ddb0b9f94f5b24cf08783d599f776fff0",
"shasum": ""
},
"require": {
"php": ">=5.2.0"
},
"require-dev": {
"phpunit/phpunit": "<9"
},
"type": "class",
"extra": {
"branch-alias": {
"dev-master": "1.0.x-dev"
}
},
"autoload": {
"classmap": [
"PEAR/"
]
},
"notification-url": "https://packagist.org/downloads/",
"include-path": [
"."
],
"license": [
"BSD-2-Clause"
],
"authors": [
{
"name": "Helgi Thormar",
"email": "dufuz@php.net"
},
{
"name": "Greg Beaver",
"email": "cellog@php.net"
}
],
"description": "The PEAR Exception base class.",
"homepage": "https://github.com/pear/PEAR_Exception",
"keywords": [
"exception"
],
"support": {
"issues": "http://pear.php.net/bugs/search.php?cmd=display&package_name[]=PEAR_Exception",
"source": "https://github.com/pear/PEAR_Exception"
},
"time": "2021-03-21T15:43:46+00:00"
}
],
"aliases": [],
"minimum-stability": "stable",
"stability-flags": {},
"prefer-stable": false,
"prefer-lowest": false,
"platform": {},
"platform-dev": {},
"plugin-api-version": "2.9.0"
}

@@ -41,7 +41,7 @@ func newDpkgAnalyzer(_ analyzer.AnalyzerOptions) (analyzer.PostAnalyzer, error)
}
const (
analyzerVersion = 5
analyzerVersion = 6
statusFile = "var/lib/dpkg/status"
statusDir = "var/lib/dpkg/status.d/"
@@ -54,6 +54,56 @@ const (
var (
dpkgSrcCaptureRegexp = regexp.MustCompile(`(?P<name>[^\s]*)( \((?P<version>.*)\))?`)
dpkgSrcCaptureRegexpNames = dpkgSrcCaptureRegexp.SubexpNames()
// thirdPartyMaintainerPatterns contains patterns that indicate a package is from a third-party repository.
// Packages with maintainers matching these patterns will NOT have their InstalledFiles tracked,
// allowing language scanners to properly analyze files installed by those packages.
// See https://github.com/aquasecurity/trivy/issues/9916 for more details.
thirdPartyMaintainerPatterns = []string{
// Container & orchestration
"support@docker.com", // Docker
// Cloud providers & infrastructure
"@nvidia.com", // NVIDIA CUDA
"Google Cloud CLI Authors", // Google Cloud SDK
"sapmachine@sap.com", // SAP Machine JDK
"@hashicorp.com", // HashiCorp (Terraform, Vault, Consul, etc.)
"@microsoft.com", // Microsoft (VS Code, Azure CLI, .NET, etc.)
// Databases
"@mongodb.com", // MongoDB
"developers@lists.mariadb.org", // MariaDB
"dev@couchdb.apache.org", // Apache CouchDB
"info@elastic.co", // Elastic (Elasticsearch, Kibana, etc.)
// Web servers & API gateways
"nginx-packaging@f5.com", // NGINX (from nginx.org, not Debian)
"@konghq.com", // Kong
"@cloudflare.com", // Cloudflare (cloudflared, WARP)
// Monitoring & observability
"support@influxdb.com", // InfluxData (InfluxDB, Telegraf)
"support@gitlab.com", // GitLab
"contact@grafana.com", // Grafana Labs
"@datadoghq.com", // Datadog
// Language runtimes (third-party repos)
"@nodesource.com", // NodeSource (Node.js)
// Networking & VPN
"info@tailscale.com", // Tailscale
// Robotics
"@openrobotics.org", // ROS (Robot Operating System)
"@osrfoundation.org", // ROS (Robot Operating System)
}
// thirdPartyMaintainerExact contains maintainer strings that require exact match.
// These are too short or generic for substring matching.
thirdPartyMaintainerExact = []string{
"GitHub", // GitHub CLI
"HashiCorp", // HashiCorp (Terraform, Vault, Consul, etc.)
}
)
func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysisInput) (*analyzer.AnalysisResult, error) {
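
Review bot: Domain-only entries in `thirdPartyMaintainerPatterns`, such as `"@microsoft.com"` and `"@nvidia.com"`, match any maintainer that uses such an address, including a distribution-archive package that happens to be maintained from that mailbox. That package would then be classed as third-party and skipped by the Debian and Ubuntu detectors. Prefer full addresses where the vendor publishes one, or state in the comment that this trade-off is accepted.
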
@@ -82,7 +132,7 @@ func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
return xerrors.Errorf("failed to parse %s file: %w", path, err)
}
packageFiles[strings.TrimSuffix(filepath.Base(path), md5sumsExtension)] = systemFiles
systemInstalledFiles = append(systemInstalledFiles, systemFiles...)
// Note: systemInstalledFiles will be populated later based on maintainer check
return nil
}
// parse status files
@@ -97,14 +147,32 @@ func (a dpkgAnalyzer) PostAnalyze(_ context.Context, input analyzer.PostAnalysis
return nil, xerrors.Errorf("dpkg walk error: %w", err)
}
// map the packages to their respective files
// Map packages to their respective files.
// Third-party packages will NOT have their InstalledFiles populated to avoid filtering out
// language packages (npm, pip, etc.) installed by those third-party OS packages.
for i, pkgInfo := range packageInfos {
for j, pkg := range pkgInfo.Packages {
installedFiles, found := packageFiles[pkg.Name]
if !found {
installedFiles = packageFiles[pkg.Name+":"+pkg.Arch]
}
// Skip InstalledFiles for third-party packages
if isThirdPartyPackage(pkg.Maintainer) {
a.logger.Debug("Third-party package detected",
log.String("package", pkg.Name),
log.String("maintainer", pkg.Maintainer))
packageInfos[i].Packages[j].Repository = types.PackageRepository{
Class: types.RepositoryClassThirdParty,
}
continue
}
packageInfos[i].Packages[j].Repository = types.PackageRepository{
Class: types.RepositoryClassOfficial,
}
packageInfos[i].Packages[j].InstalledFiles = installedFiles
systemInstalledFiles = append(systemInstalledFiles, installedFiles...)
}
}
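
Review bot: `installedFiles` is looked up before the `isThirdPartyPackage(pkg.Maintainer)` check and then thrown away on the `continue` path. Moving the check to the top of the inner loop avoids the wasted lookup and makes the code read in the order the comment above the loop describes.
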
@@ -349,6 +417,21 @@ func (a dpkgAnalyzer) isMd5SumsFile(dir, fileName string) bool {
return strings.HasSuffix(fileName, md5sumsExtension)
}
// isThirdPartyPackage checks if a package is from a third-party repository
// by examining the Maintainer field against known third-party patterns.
//
// Unlike RPM which has a dedicated "Vendor" field, dpkg packages don't have a reliable
// way to identify their origin. We use a heuristic approach based on maintainer patterns.
// See https://github.com/aquasecurity/trivy/issues/9916 for more details.
func isThirdPartyPackage(maintainer string) bool {
if slices.Contains(thirdPartyMaintainerExact, maintainer) {
return true
}
return slices.ContainsFunc(thirdPartyMaintainerPatterns, func(pattern string) bool {
return strings.Contains(maintainer, pattern)
})
}
func (a dpkgAnalyzer) Type() analyzer.Type {
return analyzer.TypeDpkg
}
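
Review bot: Both `slices.Contains` and `strings.Contains` in `isThirdPartyPackage` compare case-sensitively, so a maintainer address that differs from a pattern only in letter case would not match. Normalise case on both sides before comparing, or say in the doc comment that matching is case-sensitive on purpose. An empty `maintainer` falls through to `false`; the doc comment should also say that packages without a Maintainer field are treated as official.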

@@ -1,31 +1,27 @@
package dpkg
import (
"os"
"path/filepath"
"sort"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/aquasecurity/trivy/internal/testutil"
"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/mapfs"
)
func Test_dpkgAnalyzer_Analyze(t *testing.T) {
tests := []struct {
name string
// testFiles contains path in testdata and path in OS
// e.g. tar.md5sums => var/lib/dpkg/info/tar.md5sums
testFiles map[string]string
want *analyzer.AnalysisResult
wantErr bool
name string
txtar string
want *analyzer.AnalysisResult
wantErr bool
}{
{
name: "valid",
testFiles: map[string]string{"./testdata/dpkg": "var/lib/dpkg/status"},
name: "valid",
txtar: "testdata/valid.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
@@ -43,6 +39,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "apt@1.6.3ubuntu0.1",
@@ -63,6 +60,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "base-files@10.1ubuntu2.2",
@@ -72,6 +70,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "10.1ubuntu2.2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "base-passwd@3.5.44",
@@ -85,6 +84,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Colin Watson <cjwatson@debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "bash@4.4.18-2ubuntu1",
@@ -100,6 +100,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "bsdutils@1:2.31.1-0.4ubuntu3.1",
@@ -112,6 +113,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "0.4ubuntu3.1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "bzip2@1.0.6-8.1",
@@ -127,6 +129,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "coreutils@8.28-1ubuntu1",
@@ -138,6 +141,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "dash@0.5.8-2.10",
@@ -153,6 +157,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "debconf@1.5.66",
@@ -162,6 +167,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "1.5.66",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "debianutils@4.8.4",
@@ -171,6 +177,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "4.8.4",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "diffutils@1:3.6-1",
@@ -184,6 +191,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "dpkg@1.19.0.5ubuntu2",
@@ -196,6 +204,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "e2fsprogs@1.44.1-1",
@@ -207,6 +216,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "fdisk@2.31.1-0.4ubuntu3.1",
@@ -226,6 +236,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "findutils@4.6.0+git+20170828-2",
@@ -237,6 +248,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "gcc-8-base@8-20180414-1ubuntu2",
@@ -248,6 +260,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu2",
Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "gpgv@2.2.4-1ubuntu1.1",
@@ -266,6 +279,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "grep@3.1-2",
@@ -280,6 +294,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "gzip@1.6-5ubuntu1",
@@ -294,6 +309,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "hostname@3.20",
@@ -303,6 +319,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "3.20",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "init-system-helpers@1.51",
@@ -315,6 +332,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libacl1@2.2.52-3build1",
@@ -330,6 +348,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libapt-pkg5.0@1.6.3ubuntu0.1",
@@ -350,6 +369,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libattr1@1:2.4.47-2build1",
@@ -366,6 +386,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libaudit-common@1:2.8.2-1ubuntu1",
@@ -379,6 +400,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libaudit1@1:2.8.2-1ubuntu1",
@@ -397,6 +419,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libblkid1@2.31.1-0.4ubuntu3.1",
@@ -412,6 +435,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libbz2-1.0@1.0.6-8.1",
@@ -426,6 +450,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libc-bin@2.27-3ubuntu1",
@@ -440,6 +465,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libc6@2.27-3ubuntu1",
@@ -454,6 +480,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libcap-ng0@0.7.7-3.1",
@@ -468,6 +495,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libcom-err2@1.44.1-1",
@@ -482,6 +510,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libdb5.3@5.3.28-13.1ubuntu1",
@@ -496,6 +525,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libdebconfclient0@0.213ubuntu1",
@@ -508,6 +538,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libext2fs2@1.44.1-1",
@@ -522,6 +553,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libfdisk1@2.31.1-0.4ubuntu3.1",
@@ -538,6 +570,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libffi6@3.2.1-8",
@@ -552,6 +585,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libgcc1@1:8-20180414-1ubuntu2",
@@ -568,6 +602,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libgcrypt20@1.8.1-4ubuntu1.1",
@@ -583,6 +618,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libgmp10@2:6.1.2+dfsg-2",
@@ -599,6 +635,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libgnutls30@3.5.18-1ubuntu1",
@@ -621,6 +658,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libgpg-error0@1.27-6",
@@ -636,6 +674,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libhogweed4@3.4-1",
@@ -652,6 +691,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libidn2-0@2.0.4-1.1build2",
@@ -667,6 +707,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "liblz4-1@0.0~r131-2ubuntu3",
@@ -681,6 +722,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "liblzma5@5.1.1alpha+20120614-2+b3",
@@ -695,6 +737,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Jonathan Nieder <jrnieder@gmail.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libmount1@2.31.1-0.4ubuntu3.1",
@@ -711,6 +754,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libncurses5@6.1-1ubuntu1.18.04",
@@ -726,6 +770,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libncursesw5@6.1-1ubuntu1.18.04",
@@ -741,6 +786,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libnettle6@3.4-1",
@@ -755,6 +801,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libp11-kit0@0.23.9-2",
@@ -770,6 +817,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam-modules@1.1.8-3.6ubuntu2",
@@ -781,6 +829,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "3.6ubuntu2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam-modules-bin@1.1.8-3.6ubuntu2",
@@ -798,6 +847,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam-runtime@1.1.8-3.6ubuntu2",
@@ -813,6 +863,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam0g@1.1.8-3.6ubuntu2",
@@ -829,6 +880,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpcre3@2:8.39-9",
@@ -845,6 +897,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libprocps6@2:3.3.12-3ubuntu1.1",
@@ -862,6 +915,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libseccomp2@2.3.1-2.1ubuntu4",
@@ -876,6 +930,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libselinux1@2.7-2build2",
@@ -891,6 +946,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libsemanage-common@2.7-2build2",
@@ -902,6 +958,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "2build2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libsemanage1@2.7-2build2",
@@ -921,6 +978,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libsepol1@2.7-1",
@@ -935,6 +993,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libsmartcols1@2.31.1-0.4ubuntu3.1",
@@ -949,6 +1008,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libss2@1.44.1-1",
@@ -964,6 +1024,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libstdc++6@8-20180414-1ubuntu2",
@@ -980,6 +1041,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libsystemd0@237-3ubuntu10.3",
@@ -991,6 +1053,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "3ubuntu10.3",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libtasn1-6@4.13-2",
@@ -1005,6 +1068,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libtinfo5@6.1-1ubuntu1.18.04",
@@ -1019,6 +1083,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libudev1@237-3ubuntu10.3",
@@ -1033,6 +1098,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libunistring2@0.9.9-0ubuntu1",
@@ -1047,6 +1113,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libustr-1.0-1@1.0.4-3+b2",
@@ -1061,6 +1128,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Vaclav Ovsik <vaclav.ovsik@i.cz>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libuuid1@2.31.1-0.4ubuntu3.1",
@@ -1075,6 +1143,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libzstd1@1.3.3+dfsg-2ubuntu1",
@@ -1089,6 +1158,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "login@1:4.5-1ubuntu1",
@@ -1102,6 +1172,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "lsb-base@9.20170808ubuntu1",
@@ -1111,6 +1182,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "9.20170808ubuntu1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "mawk@1.3.3-17ubuntu3",
@@ -1122,6 +1194,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "17ubuntu3",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "mount@2.31.1-0.4ubuntu3.1",
@@ -1136,6 +1209,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "ncurses-base@6.1-1ubuntu1.18.04",
@@ -1147,6 +1221,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu1.18.04",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "ncurses-bin@6.1-1ubuntu1.18.04",
@@ -1158,6 +1233,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1ubuntu1.18.04",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "passwd@1:4.5-1ubuntu1",
@@ -1179,6 +1255,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "perl-base@5.26.1-6ubuntu0.2",
@@ -1190,6 +1267,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "6ubuntu0.2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "procps@2:3.3.12-3ubuntu1.1",
@@ -1212,6 +1290,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "sed@4.4-2",
@@ -1223,6 +1302,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "sensible-utils@0.0.12",
@@ -1232,6 +1312,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "0.0.12",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "sysvinit-utils@2.88dsf-59.10ubuntu1",
@@ -1248,6 +1329,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "tar@1.29b-2",
@@ -1259,6 +1341,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "ubuntu-keyring@2018.02.28",
@@ -1268,6 +1351,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcVersion: "2018.02.28",
Maintainer: "Dimitri John Ledkov <dimitri.ledkov@canonical.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "util-linux@2.31.1-0.4ubuntu3.1",
@@ -1282,6 +1366,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "zlib1g@1:1.2.11.dfsg-0ubuntu2",
@@ -1298,6 +1383,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -1305,8 +1391,8 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
},
{
name: "corrupsed",
testFiles: map[string]string{"./testdata/corrupsed": "var/lib/dpkg/status"},
name: "corrupsed",
txtar: "testdata/corrupsed.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
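Review bot: The case name and the new fixture path in this hunk both keep the misspelling "corrupsed" (`name: "corrupsed"`, `txtar: "testdata/corrupsed.txtar"`). The fixture is being moved to a new .txtar file anyway, so this is the cheap moment to rename both to "corrupted", which is also how the fixture describes itself ("Test data for corrupted dpkg status file parsing.").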
@@ -1323,6 +1409,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "12ubuntu1",
Maintainer: "Ubuntu Core developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam-modules-bin@1.1.8-3.1ubuntu3",
@@ -1334,6 +1421,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "3.1ubuntu3",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "libpam-runtime@1.1.8-3.1ubuntu3",
@@ -1345,6 +1433,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "3.1ubuntu3",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "makedev@2.3.1-93ubuntu1",
@@ -1356,6 +1445,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "93ubuntu1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -1363,8 +1453,8 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
},
{
name: "only apt",
testFiles: map[string]string{"./testdata/dpkg_apt": "var/lib/dpkg/status"},
name: "only apt",
txtar: "testdata/only-apt.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
@@ -1374,6 +1464,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
ID: "apt@1.6.3ubuntu0.1", Name: "apt", Version: "1.6.3ubuntu0.1",
SrcName: "apt", SrcVersion: "1.6.3ubuntu0.1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -1381,11 +1472,8 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
},
{
name: "happy path with digests",
testFiles: map[string]string{
"./testdata/digest-status": "var/lib/dpkg/status",
"./testdata/digest-available": "var/lib/dpkg/available",
},
name: "happy path with digests",
txtar: "testdata/digest.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
@@ -1401,6 +1489,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "tar@1.34+dfsg-1",
@@ -1412,6 +1501,7 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
SrcRelease: "1",
Maintainer: "Janos Lenart <ocsi@debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
Digest: "sha256:bd8e963c6edcf1c806df97cd73560794c347aa94b9aaaf3b88eea585bb2d2f3c",
},
},
@@ -1420,9 +1510,43 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
},
{
name: "md5sums",
testFiles: map[string]string{"./testdata/tar.md5sums": "var/lib/dpkg/info/tar.md5sums"},
name: "md5sums",
txtar: "testdata/md5sums.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
FilePath: "var/lib/dpkg/status",
Packages: types.Packages{
{
ID: "tar@1.29b-2",
Name: "tar",
Version: "1.29b",
Release: "2",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
SrcName: "tar",
SrcVersion: "1.29b",
SrcRelease: "2",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
InstalledFiles: []string{
"/usr/bin/tar",
"/usr/lib/mime/packages/tar",
"/usr/sbin/rmt-tar",
"/usr/sbin/tarcat",
"/usr/share/doc/tar/AUTHORS",
"/usr/share/doc/tar/NEWS.gz",
"/usr/share/doc/tar/README.Debian",
"/usr/share/doc/tar/THANKS.gz",
"/usr/share/doc/tar/changelog.Debian.gz",
"/usr/share/doc/tar/copyright",
"/usr/share/man/man1/tar.1.gz",
"/usr/share/man/man1/tarcat.1.gz",
"/usr/share/man/man8/rmt-tar.8.gz",
},
},
},
},
},
SystemInstalledFiles: []string{
"/usr/bin/tar",
"/usr/lib/mime/packages/tar",
@@ -1440,23 +1564,52 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
},
},
},
{
name: "third-party package",
txtar: "testdata/third-party.txtar",
want: &analyzer.AnalysisResult{
PackageInfos: []types.PackageInfo{
{
FilePath: "var/lib/dpkg/status",
Packages: []types.Package{
{
ID: "apt@1.6.3ubuntu0.1",
Name: "apt",
Version: "1.6.3ubuntu0.1",
SrcName: "apt",
SrcVersion: "1.6.3ubuntu0.1",
Maintainer: "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
{
ID: "docker-ce@5:20.10.7~3-0~debian-buster",
Name: "docker-ce",
Version: "20.10.7~3-0~debian",
Release: "buster",
Epoch: 5,
SrcName: "docker-ce",
SrcVersion: "20.10.7~3-0~debian",
SrcRelease: "buster",
SrcEpoch: 5,
Maintainer: "Docker <support@docker.com>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassThirdParty},
},
},
},
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
a, err := newDpkgAnalyzer(analyzer.AnalyzerOptions{})
require.NoError(t, err)
ctx := t.Context()
mfs := mapfs.New()
for testPath, osPath := range tt.testFiles {
err = mfs.MkdirAll(filepath.Dir(osPath), os.ModePerm)
require.NoError(t, err)
err = mfs.WriteFile(osPath, testPath)
require.NoError(t, err)
}
got, err := a.PostAnalyze(ctx, analyzer.PostAnalysisInput{
FS: mfs,
fsys := testutil.TxtarToFS(t, tt.txtar)
got, err := a.PostAnalyze(t.Context(), analyzer.PostAnalysisInput{
FS: fsys,
})
require.NoError(t, err)
@@ -1470,6 +1623,23 @@ func Test_dpkgAnalyzer_Analyze(t *testing.T) {
}
}
func Test_isThirdPartyPackage(t *testing.T) {
tests := []struct {
name string
maintainer string
want bool
}{
{"third-party (Docker)", "Docker <support@docker.com>", true},
{"third-party (GitHub - exact match)", "GitHub", true},
{"official (Ubuntu)", "Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assert.Equal(t, tt.want, isThirdPartyPackage(tt.maintainer))
})
}
}
func Test_dpkgAnalyzer_Required(t *testing.T) {
tests := []struct {
name string
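Review bot: The table in Test_isThirdPartyPackage has only three rows and none of them pins down what happens to a maintainer the function does not recognise. The dpkg expectations earlier in this file mark individual maintainers such as "Jonathan Nieder <jrnieder@gmail.com>" as RepositoryClassOfficial, so unknown strings appear to default to official; add rows for an empty maintainer, an unrecognised individual maintainer, and a string that contains but does not equal "GitHub", so that default is asserted rather than implied. Because Maintainer is a field the package declares about itself (see the status fixtures), the doc comment on isThirdPartyPackage should also state that the result is a heuristic label and not verified provenance.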

View File

@@ -1,3 +1,6 @@
Test data for corrupted dpkg status file parsing.
-- var/lib/dpkg/status --
Package: libpam-runtime
Status: install ok installed
Priority: required

View File

@@ -1,41 +0,0 @@
Package: sed
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 320
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 4.4-2
Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
Description: GNU stream editor for filtering/transforming text
sed reads the specified files or the standard input if no
files are specified, makes editing changes according to a
list of commands, and writes the results to the standard
output.
Original-Maintainer: Clint Adams <clint@debian.org>
Homepage: https://www.gnu.org/software/sed/
Package: tar
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 3152
Maintainer: Janos Lenart <ocsi@debian.org>
Architecture: amd64
Multi-Arch: foreign
Version: 1.34+dfsg-1
Replaces: cpio (<< 2.4.2-39)
Pre-Depends: libacl1 (>= 2.2.23), libc6 (>= 2.28), libselinux1 (>= 3.1~)
Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc
Breaks: dpkg-dev (<< 1.14.26)
Conflicts: cpio (<= 2.4.2-38)
Description: GNU version of the tar archiving utility
Tar is a program for packaging a set of files as a single archive in tar
format. The function it performs is conceptually similar to cpio, and to
things like PKZIP in the DOS world. It is heavily used by the Debian package
management system, and is useful for performing system backups and exchanging
sets of files with others.
Homepage: https://www.gnu.org/software/tar/

View File

@@ -1,3 +1,49 @@
Test data for dpkg status with digests from available file.
-- var/lib/dpkg/status --
Package: sed
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 320
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 4.4-2
Pre-Depends: libc6 (>= 2.14), libselinux1 (>= 1.32)
Description: GNU stream editor for filtering/transforming text
sed reads the specified files or the standard input if no
files are specified, makes editing changes according to a
list of commands, and writes the results to the standard
output.
Original-Maintainer: Clint Adams <clint@debian.org>
Homepage: https://www.gnu.org/software/sed/
Package: tar
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 3152
Maintainer: Janos Lenart <ocsi@debian.org>
Architecture: amd64
Multi-Arch: foreign
Version: 1.34+dfsg-1
Replaces: cpio (<< 2.4.2-39)
Pre-Depends: libacl1 (>= 2.2.23), libc6 (>= 2.28), libselinux1 (>= 3.1~)
Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc
Breaks: dpkg-dev (<< 1.14.26)
Conflicts: cpio (<= 2.4.2-38)
Description: GNU version of the tar archiving utility
Tar is a program for packaging a set of files as a single archive in tar
format. The function it performs is conceptually similar to cpio, and to
things like PKZIP in the DOS world. It is heavily used by the Debian package
management system, and is useful for performing system backups and exchanging
sets of files with others.
Homepage: https://www.gnu.org/software/tar/
-- var/lib/dpkg/available --
Package: tar
Version: 1.34+dfsg-1
Essential: yes

View File

@@ -1,3 +1,24 @@
Test data for dpkg with md5sums file.
-- var/lib/dpkg/status --
Package: tar
Essential: yes
Status: install ok installed
Priority: required
Section: utils
Installed-Size: 864
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Multi-Arch: foreign
Version: 1.29b-2
Replaces: cpio (<< 2.4.2-39)
Pre-Depends: libacl1 (>= 2.2.51-8), libc6 (>= 2.17), libselinux1 (>= 1.32)
Suggests: bzip2, ncompress, xz-utils, tar-scripts, tar-doc
Breaks: dpkg-dev (<< 1.14.26)
Conflicts: cpio (<= 2.4.2-38)
Description: GNU version of the tar archiving utility
-- var/lib/dpkg/info/tar.md5sums --
25de5fcdc3c8ebd9c9f599fb7a899b40 usr/bin/tar
5bf0e62990e0b668830ceb2c8615b497 usr/lib/mime/packages/tar
de1096fbccdc14324196fc6829324ebc usr/sbin/rmt-tar

View File

@@ -1,3 +1,6 @@
Test data for single apt package.
-- var/lib/dpkg/status --
Package: apt
Status: install ok installed
Priority: important

View File

@@ -0,0 +1,30 @@
Test data for third-party package detection.
-- var/lib/dpkg/status --
Package: docker-ce
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 83560
Maintainer: Docker <support@docker.com>
Architecture: amd64
Version: 5:20.10.7~3-0~debian-buster
Replaces: docker, docker-ce
Depends: containerd.io (>= 1.4.1), docker-ce-cli, iptables, libc6 (>= 2.8), libseccomp2 (>= 2.4.1), libc6 (>= 2.17), libdevmapper1.02.1 (>= 2:1.02.97)
Recommends: ca-certificates, docker-ce-rootless-extras, git, pigz, xz-utils
Description: Docker: the open-source application container engine
Docker is a product for you to build, ship and run any application as a
lightweight container.
Homepage: https://www.docker.com
Package: apt
Status: install ok installed
Priority: important
Section: admin
Installed-Size: 4148
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Version: 1.6.3ubuntu0.1
Depends: base-files (>= 7.2ubuntu5.6)
Description: commandline package manager

View File

@@ -1,3 +1,6 @@
Test data for valid dpkg status file parsing.
-- var/lib/dpkg/status --
Package: fdisk
Status: install ok installed
Priority: important

View File

@@ -140,8 +140,12 @@ func (a rpmPkgAnalyzer) listPkgs(ctx context.Context, db RPMDB) (types.Packages,
// Check if the package is vendor-provided.
// If the package is not provided by vendor, the installed files should not be skipped.
repo := types.PackageRepository{
Class: types.RepositoryClassThirdParty,
}
var files []string
if packageProvidedByVendor(pkg) {
repo.Class = types.RepositoryClassOfficial
files, err = pkg.InstalledFileNames()
if err != nil {
return nil, nil, xerrors.Errorf("unable to get installed files: %w", err)
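Review bot: The new `repo` declaration is inserted between the existing comment ("Check if the package is vendor-provided...") and the `if packageProvidedByVendor(pkg)` it describes, so the comment now reads as if it documents the default. Move the declaration above the comment, or give it its own comment saying that every package failing the vendor check, including one with no vendor set, is labelled RepositoryClassThirdParty. That default is also the opposite of the dpkg side of this change, where the tests expect unrecognised maintainers to be RepositoryClassOfficial; if the asymmetry is intended it should be written down, since anyone filtering findings by Repository.Class will otherwise get different behaviour per package manager.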
@@ -179,6 +183,7 @@ func (a rpmPkgAnalyzer) listPkgs(ctx context.Context, db RPMDB) (types.Packages,
Licenses: licenses,
DependsOn: pkg.Requires, // Will be replaced with package IDs
Maintainer: pkg.Vendor,
Repository: repo,
Digest: d,
InstalledFiles: files,
}

View File

@@ -158,6 +158,7 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
SrcVersion: "2.17",
SrcRelease: "317.el7",
Maintainer: "Red Hat",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
InstalledFiles: []string{
"/etc/ld.so.conf",
"/etc/rpc",
@@ -216,6 +217,7 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
SrcName: "curl",
SrcVersion: "8.3.0",
SrcRelease: "1.amzn2023.0.2",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
InstalledFiles: []string{
"/usr/bin/curl",
"/usr/lib/.build-id",
@@ -248,11 +250,12 @@ func Test_rpmPkgAnalyzer_listPkgs(t *testing.T) {
},
wantPkgs: types.Packages{
{
ID: "glibc@2.17-307.el7.1.x86_64",
Name: "glibc",
Version: "2.17",
Release: "307.el7.1",
Arch: "x86_64",
ID: "glibc@2.17-307.el7.1.x86_64",
Name: "glibc",
Version: "2.17",
Release: "307.el7.1",
Arch: "x86_64",
Repository: types.PackageRepository{Class: types.RepositoryClassThirdParty},
},
},
},

View File

@@ -36,7 +36,7 @@ import (
// Common blob IDs used across multiple test cases to reduce duplication
const (
alpineBaseLayerID = "sha256:be60f1fe61fc63ab50b10fe0779614e605a973a38cd7d2a02f3f20b081e56d4a"
alpineBaseLayerID = "sha256:6c42077a82b21707f581759b12a99cc9a593ce35a0d7be4c19c01eb48bd5ba33"
alpineBaseLayerDiffID = "sha256:beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203"
alpineArtifactID = "sha256:3c709d2a158be3a97051e10cd0e30f047225cb9505101feb3fadcd395c2e0408"
composerImageID = "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72"
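Review bot: The expected value of `alpineBaseLayerID` changes here, and the later hunks in this file change every other expected blob ID as well, while the only visible change to the blob contents is the added `Repository` field on dpkg packages. Please say in the commit message which cache-key input changed (for example an analyzer version bump), so reviewers can confirm that blobs cached before this change, which carry no Repository class, will not be reused.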
@@ -510,7 +510,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
wantBlobs: []cachetest.WantBlob{
{
ID: "sha256:f2a647dcf780c603f864e491dca1a042b1e98062b530c813681d1bb4a85bcb18",
ID: "sha256:75a461ca76eecc6cea981889d69aa1c2dd78c436108be8be1bbc29295520c7d4",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 3061760,
@@ -533,6 +533,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcVersion: "9.9+deb9u9",
Maintainer: "Santiago Vila <sanvila@debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -547,6 +548,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcVersion: "5.4",
Maintainer: "Marco d'Itri <md@linux.it>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -563,6 +565,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcRelease: "0+deb9u1",
Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
Arch: "all",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -598,7 +601,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:c988cc5a0b8f3dc542c15c303d9200dee47d4fbed0e498a5bfbf3b4bef7a5af7",
ID: "sha256:81afc1747d0fdec7a606c27570313634ae331fab6f13566b23d0f6b3e498c050",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 15441920,
@@ -619,6 +622,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcRelease: "11+deb9u4",
Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -635,6 +639,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcRelease: "1~deb9u1",
Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -651,6 +656,7 @@ func TestArtifact_Inspect(t *testing.T) {
SrcRelease: "1~deb9u1",
Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
Arch: "amd64",
Repository: types.PackageRepository{Class: types.RepositoryClassOfficial},
},
},
},
@@ -693,7 +699,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:05c19ffd5d898588400522070abd98c770b2965a7f4867d5c882c2a8783e40cc",
ID: "sha256:0778c3e388c54f736a3d6e74ed390a91fdb42c6809f8fb743d4f72acb41a5d6d",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 29696,
@@ -900,7 +906,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:c737743c0f8b35906650a02125f05c8b35916c0febf64984f4dfaacd0f72509d",
ID: "sha256:5a3e3f25fdc97a14d69d99c63dd640cd2d38af5b987b7a95084cce3d835970fb",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 6656,
@@ -1763,10 +1769,10 @@ func TestArtifact_Inspect(t *testing.T) {
Type: types.TypeContainerImage,
ID: "sha256:0bebf0773ffd87baa7c64fbdbdf79a24ae125e3f99a8adebe52d1ccbe6bed16b",
BlobIDs: []string{
"sha256:f2a647dcf780c603f864e491dca1a042b1e98062b530c813681d1bb4a85bcb18",
"sha256:c988cc5a0b8f3dc542c15c303d9200dee47d4fbed0e498a5bfbf3b4bef7a5af7",
"sha256:05c19ffd5d898588400522070abd98c770b2965a7f4867d5c882c2a8783e40cc",
"sha256:c737743c0f8b35906650a02125f05c8b35916c0febf64984f4dfaacd0f72509d",
"sha256:75a461ca76eecc6cea981889d69aa1c2dd78c436108be8be1bbc29295520c7d4",
"sha256:81afc1747d0fdec7a606c27570313634ae331fab6f13566b23d0f6b3e498c050",
"sha256:0778c3e388c54f736a3d6e74ed390a91fdb42c6809f8fb743d4f72acb41a5d6d",
"sha256:5a3e3f25fdc97a14d69d99c63dd640cd2d38af5b987b7a95084cce3d835970fb",
},
ImageMetadata: artifact.ImageMetadata{
ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4",
@@ -1874,7 +1880,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
wantBlobs: []cachetest.WantBlob{
{
ID: "sha256:48b4a983ef1ec8f0d19934ccf7fca3d2114466ad32207e16371620628f149984",
ID: "sha256:a83985cade3970577a9af328db9c88c0bf15cad40f7d2cf6d76e83882bc8146d",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 3061760,
@@ -1884,7 +1890,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:a4d2820bd2c076f6153a9053843d4a56d31147ce486ec5e4a2c0405cec506d6c",
ID: "sha256:b109622c2d106193db505762f1f3e78cf0035a69e559caf07c305c92ddb89356",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 15441920,
@@ -1894,7 +1900,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:c5fa5e736cee843c563c222963eb89fc775f0620020ff9d51d5e5db8ef62eec4",
ID: "sha256:115f689385cb66077c338c52f2c9d6f3018a18c89be7fe7d23f1645422d7d59d",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 29696,
@@ -1905,7 +1911,7 @@ func TestArtifact_Inspect(t *testing.T) {
},
},
{
ID: "sha256:7e223b95d6d589cdb196e29ef6c6ac0acdd2c471350dd9880a420b4249f6e7bb",
ID: "sha256:60129d309cd4f16d69262106d6074f37c6d37f6c9089a9710ec96ae067716636",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
Size: 6656,
@@ -1921,10 +1927,10 @@ func TestArtifact_Inspect(t *testing.T) {
Type: types.TypeContainerImage,
ID: "sha256:0bebf0773ffd87baa7c64fbdbdf79a24ae125e3f99a8adebe52d1ccbe6bed16b",
BlobIDs: []string{
"sha256:48b4a983ef1ec8f0d19934ccf7fca3d2114466ad32207e16371620628f149984",
"sha256:a4d2820bd2c076f6153a9053843d4a56d31147ce486ec5e4a2c0405cec506d6c",
"sha256:c5fa5e736cee843c563c222963eb89fc775f0620020ff9d51d5e5db8ef62eec4",
"sha256:7e223b95d6d589cdb196e29ef6c6ac0acdd2c471350dd9880a420b4249f6e7bb",
"sha256:a83985cade3970577a9af328db9c88c0bf15cad40f7d2cf6d76e83882bc8146d",
"sha256:b109622c2d106193db505762f1f3e78cf0035a69e559caf07c305c92ddb89356",
"sha256:115f689385cb66077c338c52f2c9d6f3018a18c89be7fe7d23f1645422d7d59d",
"sha256:60129d309cd4f16d69262106d6074f37c6d37f6c9089a9710ec96ae067716636",
},
ImageMetadata: artifact.ImageMetadata{
ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4",
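Review bot: the four layer digests in BlobIDs here are hand-copied from the wantBlobs IDs changed in the hunks at old lines 1874 to 1905, so each cache-key change means editing eight literals that must stay pairwise identical. Consider building BlobIDs from the wantBlobs entries, or from shared named constants, so the two lists cannot drift; a partial update would otherwise surface only as an opaque digest mismatch in the test output. The artifact ID and ImageMetadata ID are unchanged context, which is worth stating in the commit message so a reader knows only the per-layer keys were expected to move.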

View File

@@ -226,7 +226,7 @@ func TestArtifact_Inspect(t *testing.T) {
wantBlobs: []cachetest.WantBlob{
{
// Cache key is based on commit hash (8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35)
ID: "sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
ID: "sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
BlobInfo: types.BlobInfo{
SchemaVersion: types.BlobJSONSchemaVersion,
},
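Review bot: the context comment above the ID still says the cache key is based on commit hash 8a19b492a589955c3e70c6ad8efd1e4ec6ae0d35, yet the expected ID changes while that hash stays the same, so the comment no longer explains the value. Update it to name the other inputs that feed the key, or drop the "based on commit hash" wording, so whoever regenerates this digest next knows what to check.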
@@ -235,9 +235,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: artifact.Reference{
Name: "../../../../internal/gittest/testdata/test-repo",
Type: types.TypeRepository,
ID: "sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
ID: "sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
BlobIDs: []string{
"sha256:c7173e152a268c038257b877794285986c52ac569de7e516b2963f557f4e26ee",
"sha256:d37c788d6fe832712cce9020943746b8764c04f7e323ed4ad68de36c5bf7d846",
},
RepoMetadata: artifact.RepoMetadata{
RepoURL: "https://github.com/aquasecurity/trivy-test-repo/",
@@ -2383,7 +2383,7 @@ func TestYAMLConfigScan(t *testing.T) {
Severity: "LOW",
},
CauseMetadata: types.CauseMetadata{
Provider: "Generic",
Provider: "Yaml",
Service: "general",
},
},
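Review bot: the expected CauseMetadata.Provider moves from "Generic" to "Yaml" here and in the two following hunks of TestYAMLConfigScan (old lines 2405 and 2454), which is a change to a value carried in scan results, not just a fixture refresh. Anything that filters or suppresses findings on Provider "Generic" will stop matching; call this out in the commit message or release notes, and confirm that the casing "Yaml" rather than "YAML" is intended, since the test now pins it.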
@@ -2405,7 +2405,7 @@ func TestYAMLConfigScan(t *testing.T) {
Severity: "LOW",
},
CauseMetadata: types.CauseMetadata{
Provider: "Generic",
Provider: "Yaml",
Service: "general",
},
},
@@ -2454,7 +2454,7 @@ func TestYAMLConfigScan(t *testing.T) {
Severity: "LOW",
},
CauseMetadata: types.CauseMetadata{
Provider: "Generic",
Provider: "Yaml",
Service: "general",
},
},

View File

@@ -4,6 +4,9 @@
# id: TEST001
# avd_id: TEST001
# severity: LOW
# input:
# selector:
# - type: yaml
package user.test_yaml_check
deny[res] {
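Review bot: the added input selector (type: yaml) narrows this test check to YAML input, but nothing in the metadata block says why the fixture needs it now. The identical three lines are added to a second check file further down; add a short comment, or say in the commit message, whether this selector is what produces the new Provider value expected in TestYAMLConfigScan, so the fixture and the assertion are visibly linked.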

View File

@@ -4,6 +4,9 @@
# id: TEST001
# avd_id: TEST001
# severity: LOW
# input:
# selector:
# - type: yaml
package user.test_yaml_check
deny[res] {

View File

@@ -183,9 +183,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: artifact.Reference{
Name: ts.URL + "/test-repo.git",
Type: types.TypeRepository,
ID: "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
ID: "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
BlobIDs: []string{
"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
},
RepoMetadata: artifact.RepoMetadata{
RepoURL: ts.URL + "/test-repo.git",
@@ -207,9 +207,9 @@ func TestArtifact_Inspect(t *testing.T) {
want: artifact.Reference{
Name: "../../../../internal/gittest/testdata/test-repo",
Type: types.TypeRepository,
ID: "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
ID: "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
BlobIDs: []string{
"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c", // Calculated from commit hash
"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d", // Calculated from commit hash
},
RepoMetadata: artifact.RepoMetadata{
RepoURL: "https://github.com/aquasecurity/trivy-test-repo/",
@@ -267,16 +267,16 @@ func TestArtifact_Inspect(t *testing.T) {
},
}
// Store the blob info in the cache to test cache hit
cacheKey := "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c"
cacheKey := "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d"
err := c.PutBlob(t.Context(), cacheKey, blobInfo)
require.NoError(t, err)
},
want: artifact.Reference{
Name: "../../../../internal/gittest/testdata/test-repo",
Type: types.TypeRepository,
ID: "sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c",
ID: "sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d",
BlobIDs: []string{
"sha256:dc7c6039424c9fce969d3c2972d261af442a33f13e7494464386dbe280612d4c",
"sha256:1587f4be90cf95b3e1b733512d674301f5fe4200055f10efa4dbf0d5e590d32d",
},
RepoMetadata: artifact.RepoMetadata{
RepoURL: "https://github.com/aquasecurity/trivy-test-repo/",
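Review bot: the same digest literal appears three times in this hunk (the cacheKey passed to PutBlob, want.ID and the want.BlobIDs entry), and the cache-hit case only tests what its comment claims while all three stay identical. Hoist the value into one constant shared by the setup and the expectation so a future key change is a one-line edit and a partial update cannot quietly turn the cache-hit path into a miss.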

File diff suppressed because it is too large

Some files were not shown because too many files have changed in this diff