chore(deps): update dependency trivy to v0.67.2

[renovate]

This PR contains the following updates:

Package	Update	New value	References	Sourcegraph
trivy	minor	0.67.2	source

Test plan: CI should pass with updated dependencies. No review required: this is an automated dependency update PR.

---

Release Notes

aquasecurity/trivy (trivy)

v0.67.2

Compare Source

Changelog

• 60c57ad release: v0.67.2 [release/v0.67] (#​9639)
• f3ee80c fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#​9638)

v0.67.1

Compare Source

Changelog

• cbed239 release: v0.67.1 [release/v0.67] (#​9614)
• 1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#​9631)
• 3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#​9629)
• 542eee7 fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#​9615)
• f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#​9612)

v0.67.0

Compare Source

Features

• add documentation URL for database lock errors (#​9531) (eba48af)
• cli: change --list-all-pkgs default to true (#​9510) (7b663d8)
• cloudformation: support default values and list results in Fn::FindInMap (#​9515) (42b3bf3)
• cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#​9439) (aff03eb)
• redhat: add os-release detection for RHEL-based images (#​9458) (cb25a07)
• sbom: added support for CoreOS (#​9448) (6d562a3)
• seal: add seal support (#​9370) (e4af279)

Bug Fixes

• aws: use BuildableClient insead of xhttp.Client (#​9436) (fa6f1bf)
• close file descriptors and pipes on error paths (#​9536) (a4cbd6a)
• db: Dowload database when missing but metadata still exists (#​9393) (92ebc7e)
• k8s: disable parallel traversal with fs cache for k8s images (#​9534) (c0c7a6b)
• misconf: handle tofu files in module detection (#​9486) (bfd2f6b)
• misconf: strip build metadata suffixes from image history (#​9498) (c938806)
• misconf: unmark cty values before access (#​9495) (8e40d27)
• misconf: wrap legacy ENV values in quotes to preserve spaces (#​9497) (267a970)
• nodejs: parse workspaces as objects for package-lock.json files (#​9518) (404abb3)
• nodejs: use snapshot string as Package.ID for pnpm packages (#​9330) (4517e8c)
• vex: don't suppress vulns for packages with infinity loop (#​9465) (78f0d4a)
• vuln: compare nuget package names in lower case (#​9456) (1ff9ac7)

v0.66.0

Compare Source

Features

• add timeout handling for cache database operations (#​9307) (235c24e)
• misconf: added audit config attribute (#​9249) (4d4a244)
• secret: implement streaming secret scanner with byte offset tracking (#​9264) (5a5e097)
• terraform: use .terraform cache for remote modules in plan scanning (#​9277) (298a994)

Bug Fixes

• conda: memory leak by adding closure method for package.json file (#​9349) (03d039f)
• create temp file under composite fs dir (#​9387) (ce22f54)
• cyclonedx: handle multiple license types (#​9378) (46ab76a)
• fs: avoid shadowing errors in file.glob (#​9286) (b51c789)
• image: use standardized HTTP client for ECR authentication (#​9322) (84fbf86)
• misconf: ensure ignore rules respect subdirectory chart paths (#​9324) (d3cd101)
• misconf: ensure module source is known (#​9404) (81d9425)
• misconf: preserve original paths of remote submodules from .terraform (#​9294) (1319d8d)
• misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#​9296) (04ad0c4)
• persistent flag option typo (#​9374) (6e99dd3)
• plugin: don't remove plugins when updating index.yaml file (#​9358) (5f067ac)
• python: impove package name normalization (#​9290) (1473e88)
• repo: preserve RepoMetadata on FS cache hit (#​9389) (4f2a44e)
• repo: sanitize git repo URL before inserting into report metadata (#​9391) (1ac9b1f)
• sbom: add support for file component type of CycloneDX (#​9372) (aa7cf43)
• suppress debug log for context cancellation errors (#​9298) (2458d5e)

v0.65.0

Compare Source

Features

• add graceful shutdown with signal handling (#​9242) (2c05882)
• add HTTP request/response tracing support (#​9125) (aa5b32a)
• alma: add AlmaLinux 10 support (#​9207) (861d51e)
• flag: add schema validation for --server flag (#​9270) (ed4640e)
• image: add Docker context resolution (#​9166) (99cd4e7)
• license: observe pkg types option in license scanner (#​9091) (d44af8c)
• misconf: add private ip google access attribute to subnetwork (#​9199) (263845c)
• misconf: added logging and versioning to the gcp storage bucket (#​9226) (110f80e)
• repo: add git repository metadata to reports (#​9252) (f4b2cf1)
• report: add CVSS vectors in sarif report (#​9157) (60723e6)
• sbom: add SHA-512 hash support for CycloneDX SBOM (#​9126) (12d6706)

Bug Fixes

• alma: parse epochs from rpmqa file (#​9101) (82db2fc)
• also check filepath when removing duplicate packages (#​9142) (4d10a81)
• aws: update amazon linux 2 EOL date (#​9176) (0ecfed6)
• cli: Add more non-sensitive flags to telemetry (#​9110) (7041a39)
• cli: ensure correct command is picked by telemetry (#​9260) (b4ad00f)
• cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#​9206) (adfa879)
• license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#​9116) (a692f29)
• license: handle WITH operator for LaxSplitLicenses (#​9232) (b4193d0)
• migrate from *.list to *.md5sums files for dpkg (#​9131) (f224de3)
• misconf: correctly adapt azure storage account (#​9138) (51aa022)
• misconf: correctly parse empty port ranges in google_compute_firewall (#​9237) (77bab7b)
• misconf: fix log bucket in schema (#​9235) (7ebc129)
• misconf: skip rewriting expr if attr is nil (#​9113) (42ccd3d)
• nodejs: don't use prerelease logic for compare npm constraints (#​9208) (fe96436)
• prevent graceful shutdown message on normal exit (#​9244) (6095984)
• rootio: check full version to detect root.io packages (#​9117) (c2ddd44)
• rootio: fix severity selection (#​9181) (6fafbeb)
• sbom: merge in-graph and out-of-graph OS packages in scan results (#​9194) (aa944cc)
• sbom: use correct field for licenses in CycloneDX reports (#​9057) (143da88)
• secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#​9253) (54832a7)
• secret: fix line numbers for multiple-line secrets (#​9104) (e579746)
• server: add HTTP transport setup to server mode (#​9217) (1163b04)
• supporting .egg-info/METADATA in python.Packaging analyzer (#​9151) (e306e2d)
• terraform: for_each on a map returns a resource for every key (#​9156) (153318f)

v0.64.1

Compare Source

Changelog

• 86ee3c1 release: v0.64.1 [release/v0.64] (#​9122)
• 4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#​9127)
• 9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#​9124)
• 53adfba fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#​9120)
• 8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#​9119)

v0.64.0

Compare Source

Features

• cli: add version constraints to annoucements (#​9023) (19efa9f)
• java: dereference all maven settings.xml env placeholders (#​9024) (5aade69)
• misconf: add OpenTofu file extension support (#​8747) (57801d0)
• misconf: normalize CreatedBy for buildah and legacy docker builder (#​8953) (65e155f)
• redhat: Add EOL date for RHEL 10. (#​8910) (48258a7)
• reject unsupported artifact types in remote image retrieval (#​9052) (1e1e1b5)
• sbom: add manufacturer field to CycloneDX tools metadata (#​9019) (41d0f94)
• terraform: add partial evaluation for policy templates (#​8967) (a9f7dcd)
• ubuntu: add end of life date for Ubuntu 25.04 (#​9077) (367564a)
• ubuntu: add eol date for 20.04-ESM (#​8981) (87118a0)
• vuln: add Root.io support for container image scanning (#​9073) (3a0ec0f)

Bug Fixes

• Add missing version check flags (#​8951) (ef5f8de)
• cli: add some values to the telemetry call (#​9056) (fd2bc91)
• Correctly check for semver versions for trivy version check (#​8948) (b813527)
• don't show corrupted trivy-db warning for first run (#​8991) (4ed78e3)
• misconf: .Config.User always takes precedence over USER in .History (#​9050) (371b8cc)
• misconf: correct Azure value-to-time conversion in AsTimeValue (#​9015) (40d017b)
• misconf: move disabled checks filtering after analyzer scan (#​9002) (a58c36d)
• misconf: reduce log noise on incompatible check (#​9029) (99c5151)
• nodejs: correctly parse packages array of bun.lock file (#​8998) (875ec3a)
• report: don't panic when report contains vulns, but doesn't contain packages for table format (#​8549) (87fda76)
• sbom: remove unnecessary OS detection check in SBOM decoding (#​9034) (198789a)

v0.63.0

Compare Source

Features

• add Bottlerocket OS package analyzer (#​8653) (07ef63b)
• add JSONC support for comments and trailing commas (#​8862) (0b0e406)
• alpine: add maintainer field extraction for APK packages (#​8930) (104bbc1)
• cli: Add available version checking (#​8553) (5a0bf9e)
• echo: Add Echo Support (#​8833) (c7b8cc3)
• go: support license scanning in both GOPATH and vendor (#​8843) (26437be)
• k8s: get components from namespaced resources (#​8918) (4f1ab23)
• license: improve work text licenses with custom classification (#​8888) (ee52230)
• license: improve work with custom classification of licenses from config file (#​8861) (c321fdf)
• license: scan vendor directory for license for go.mod files (#​8689) (dd6a6e5)
• license: Support compound licenses (licenses using SPDX operators) (#​8816) (39f9ed1)
• minimos: Add support for MinimOS (#​8792) (c2dde33)
• misconf: add misconfiguration location to junit template (#​8793) (a516775)
• misconf: Add support for Minimum Trivy Version (#​8880) (3b2a397)
• misconf: export raw Terraform data to Rego (#​8741) (aaecc29)
• nodejs: add a bun.lock analyzer (#​8897) (7ca656d)
• nodejs: add bun.lock parser (#​8851) (1dcf816)
• terraform parser option to set current working directory (#​8909) (8939451)

Bug Fixes

• check post-analyzers for StaticPaths (#​8904) (93e6680)
• cli: disable --skip-dir and --skip-files flags for sbom command (#​8886) (69a5fa1)
• cli: don't use allow values for --compliance flag (#​8881) (35e8889)
• filter all files when processing files installed from package managers (#​8842) (6ebde88)
• java: exclude dev dependencies in gradle lockfile (#​8803) (8995838)
• julia parser panicing (#​8883) (be8c7b7)
• julia: add Relationship field support (#​8939) (22f040f)
• k8s: use in-memory cache backend during misconfig scanning (#​8873) (fe12771)
• misconf: check if for-each is known when expanding dyn block (#​8808) (5706603)
• misconf: use argument value in WithIncludeDeprecatedChecks (#​8942) (7e9a54c)
• more revive rules (#​8814) (3ab459e)
• octalLiteral from go-critic (#​8811) (a19e0aa)
• redhat: Also try to find buildinfo in root layer (layer 0) (#​8924) (906b037)
• redhat: save contentSets for OS packages in fs/vm modes (#​8820) (9256804)
• redhat: trim invalid suffix from content_sets in manifest parsing (#​8818) (fa1077b)
• server: add missed Relationship field for rpc (#​8872) (38f17c9)
• use-any from revive (#​8810) (883c63b)
• vex: use lo.IsNil to check VEX from OCI artifact (#​8858) (e97af98)
• wolfi: support new APK database location (#​8937) (b15d9a6)

Performance Improvements

• secret: only match secrets of meaningful length, allow example strings to not be matched (#​8602) (60fef1b)

v0.62.1

Compare Source

Changelog

• c75ed21 release: v0.62.1 [release/v0.62] (#​8825)
• aafebeb chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#​8831)
• 99485cf fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#​8826)
• b4fc9e8 fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#​8824)

v0.62.0

Compare Source

Features

• image: save layers metadata into report (#​8394) (a95cab0)
• misconf: add option to pass Rego scanner to IaC scanner (#​8369) (890a360)
• misconf: convert AWS managed policy to document (#​8757) (7abf5f0)
• misconf: support auto_provisioning_defaults in google_container_cluster (#​8705) (9792611)
• nodejs: add root and workspace for yarn packages (#​8535) (bf4cd4f)
• rust: add root and workspace relationships/package for cargo lock files (#​8676) (93efe07)

Bug Fixes

• early-return, indent-error-flow and superfluous-else rules from revive (#​8796) (43350dd)
• k8s: correct compare artifact versions (#​8682) (cc47711)
• k8s: remove using last-applied-configuration (#​8791) (7a58ccb)
• k8s: skip passed misconfigs for the summary report (#​8684) (bff0e9b)
• misconf: add missing variable as unknown (#​8683) (9dcd06f)
• misconf: check if metadata is not nil (#​8647) (b7dfd64)
• misconf: filter null nodes when parsing json manifest (#​8785) (e10929a)
• misconf: perform operations on attribute safely (#​8774) (3ce7d59)
• misconf: populate context correctly for module instances (#​8656) (efd177b)
• report: clean buffer after flushing (#​8725) (9a5383e)
• secret: ignore .dist-info directories during secret scanning (#​8646) (a032ad6)
• server: fix redis key when trying to delete blob (#​8649) (36f8d0f)
• terraform: evaluateStep to correctly set EvalContext for multiple instances of blocks (#​8555) (e25de25)
• terraform: hcl object expressions to return references (#​8271) (0d3efa5)
• testifylint last issues (#​8768) (ee4f7dc)
• unused-parameter rule from revive (#​8794) (6562082)

v0.61.1

Compare Source

Changelog

• 7d3b4ff release: v0.61.1 [release/v0.61] (#​8704)
• 80d120f fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#​8748)
• 9d6290b fix(k8s): correct compare artifact versions [backport: release/v0.61] (#​8699)
• 3799ebb test: use aquasecurity repository for test images [backport: release/v0.61] (#​8698)

v0.61.0

Compare Source

Features

• fs: optimize scanning performance by direct file access for known paths (#​8525) (8bf6caf)
• k8s: add support for controllers (#​8614) (1bf0117)
• misconf: adapt aws_default_security_group (#​8538) (b57eccb)
• misconf: adapt aws_opensearch_domain (#​8550) (9913465)
• misconf: adapt AWS::DynamoDB::Table (#​8529) (8112cdf)
• misconf: adapt AWS::EC2::VPC (#​8534) (0d9865f)
• misconf: Add support for aws_ami (#​8499) (573502e)
• replace TinyGo with standard Go for WebAssembly modules (#​8496) (529957e)

Bug Fixes

• debian: don't include empty licenses for dpkgs (#​8623) (346f5b3)
• fs: check postAnalyzers for StaticPaths (#​8543) (c228307)
• k8s: show report for --report all (#​8613) (dbb6f28)
• misconf: add ephemeral block type to config schema (#​8513) (41512f8)
• misconf: Check values wholly prior to evalution (#​8604) (ad58cf4)
• misconf: do not skip loading documents from subdirectories (#​8526) (de7eb13)
• misconf: do not use cty.NilVal for non-nil values (#​8567) (400a79c)
• misconf: identify the chart file exactly by name (#​8590) (ba77dbe)
• misconf: Improve logging for unsupported checks (#​8634) (5b7704d)
• misconf: set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#​8548) (1f05b45)
• misconf: skip Azure CreateUiDefinition (#​8503) (c7814f1)
• spdx: save text licenses into otherLicenses without normalize (#​8502) (e5072f1)
• use --file-patterns flag for all post analyzers (#​7365) (8b88238)

Performance Improvements

• misconf: parse input for Rego once (#​8483) (0e5e909)
• misconf: retrieve check metadata from annotations once (#​8478) (7b96351)

v0.60.0

Compare Source

Features

• add --vuln-severity-source flag (#​8269) (d464807)
• add report summary table (#​8177) (dd54f80)
• cyclonedx: Add initial support for loading external VEX files from SBOM references (#​8254) (4820eb7)
• go: fix parsing main module version for go >= 1.24 (#​8433) (e58dcfc)
• misconf: render causes for Terraform (#​8360) (a99498c)

Bug Fixes

• db: fix case when 2 trivy-db were copied at the same time (#​8452) (bb3cca6)
• don't use scope for trivy registry login command (#​8393) (8715e5d)
• go: merge nested flags into string for ldflags for Go binaries (#​8368) (b675b06)
• image: disable AVD-DS-0007 for history scanning (#​8366) (a3cd693)
• k8s: add missed option PkgRelationships (#​8442) (f987e41)
• misconf: do not log scanners when misconfig scanning is disabled (#​8345) (5695eb2)
• misconf: ecs include enhanced for container insights (#​8326) (39789ff)
• misconf: fix incorrect k8s locations due to JSON to YAML conversion (#​8073) (a994453)
• os: add mapping OS aliases (#​8466) (6b4cebe)
• python: add poetry v2 support (#​8323) (10cd98c)
• report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#​8344) (3eb0b03)
• sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#​8346) (ecc01bb)
• sbom: improve logic for binding direct dependency to parent component (#​8489) (85cca8c)
• sbom: preserve OS packages from multiple SBOMs (#​8325) (bd5baaf)
• server: secrets inspectation for the config analyzer in client server mode (#​8418) (a1c4bd7)
• spdx: init pkgFilePaths map for all formats ([#​8380](https://redirect.github.com/aquasecurity/trivy/issues

---

Configuration

📅 Schedule: Branch creation - "on the 1st through 7th day of the month" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.