chore(deps): bump the trivy group with 2 updates #2224

Merged: 5 commits merged into master from dependabot/go_modules/master/trivy-b2760f260b, Jun 3, 2025

Conversation

@dependabot dependabot bot commented on behalf of github Jun 1, 2025

Bumps the trivy group with 2 updates: github.com/aquasecurity/trivy and github.com/aquasecurity/trivy-db.

Updates github.com/aquasecurity/trivy from 0.62.1 to 0.63.0

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.63.0

👉 Trivy v0.63.0 release notes (click here)

⬇️ Download Trivy

Full changelog

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.63.0 (2025-05-29)

Features

  • add Bottlerocket OS package analyzer (#8653) (07ef63b)
  • add JSONC support for comments and trailing commas (#8862) (0b0e406)
  • alpine: add maintainer field extraction for APK packages (#8930) (104bbc1)
  • cli: Add available version checking (#8553) (5a0bf9e)
  • echo: Add Echo Support (#8833) (c7b8cc3)
  • go: support license scanning in both GOPATH and vendor (#8843) (26437be)
  • k8s: get components from namespaced resources (#8918) (4f1ab23)
  • license: improve work text licenses with custom classification (#8888) (ee52230)
  • license: improve work with custom classification of licenses from config file (#8861) (c321fdf)
  • license: scan vendor directory for license for go.mod files (#8689) (dd6a6e5)
  • license: Support compound licenses (licenses using SPDX operators) (#8816) (39f9ed1)
  • minimos: Add support for MinimOS (#8792) (c2dde33)
  • misconf: add misconfiguration location to junit template (#8793) (a516775)
  • misconf: Add support for Minimum Trivy Version (#8880) (3b2a397)
  • misconf: export raw Terraform data to Rego (#8741) (aaecc29)
  • nodejs: add a bun.lock analyzer (#8897) (7ca656d)
  • nodejs: add bun.lock parser (#8851) (1dcf816)
  • terraform parser option to set current working directory (#8909) (8939451)

Bug Fixes

  • check post-analyzers for StaticPaths (#8904) (93e6680)
  • cli: disable --skip-dir and --skip-files flags for sbom command (#8886) (69a5fa1)
  • cli: don't use allow values for --compliance flag (#8881) (35e8889)
  • filter all files when processing files installed from package managers (#8842) (6ebde88)
  • java: exclude dev dependencies in gradle lockfile (#8803) (8995838)
  • julia parser panicing (#8883) (be8c7b7)
  • julia: add Relationship field support (#8939) (22f040f)
  • k8s: use in-memory cache backend during misconfig scanning (#8873) (fe12771)
  • misconf: check if for-each is known when expanding dyn block (#8808) (5706603)
  • misconf: use argument value in WithIncludeDeprecatedChecks (#8942) (7e9a54c)
  • more revive rules (#8814) (3ab459e)
  • octalLiteral from go-critic (#8811) (a19e0aa)
  • redhat: Also try to find buildinfo in root layer (layer 0) (#8924) (906b037)
  • redhat: save contentSets for OS packages in fs/vm modes (#8820) (9256804)
  • redhat: trim invalid suffix from content_sets in manifest parsing (#8818) (fa1077b)
  • server: add missed Relationship field for rpc (#8872) (38f17c9)
  • use-any from revive (#8810) (883c63b)
  • vex: use lo.IsNil to check VEX from OCI artifact (#8858) (e97af98)
  • wolfi: support new APK database location (#8937) (b15d9a6)

Performance Improvements

... (truncated)

Commits
  • 69093d2 release: v0.63.0 [main] (#8809)
  • 7e9a54c fix(misconf): use argument value in WithIncludeDeprecatedChecks (#8942)
  • 78e3304 chore(deps): Bump trivy-checks (#8934)
  • 22f040f fix(julia): add Relationship field support (#8939)
  • c2dde33 feat(minimos): Add support for MinimOS (#8792)
  • 104bbc1 feat(alpine): add maintainer field extraction for APK packages (#8930)
  • c7b8cc3 feat(echo): Add Echo Support (#8833)
  • 906b037 fix(redhat): Also try to find buildinfo in root layer (layer 0) (#8924)
  • b15d9a6 fix(wolfi): support new APK database location (#8937)
  • 4f1ab23 feat(k8s): get components from namespaced resources (#8918)
  • Additional commits viewable in compare view

Updates github.com/aquasecurity/trivy-db from 0.0.0-20250512105550-319ae10c5abf to 0.0.0-20250529093513-a12dfc204b6e

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
github.com/aquasecurity/trivy [>= 0.50.2.a, < 0.50.3]
github.com/aquasecurity/trivy [< 0.51, > 0.50.1]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 1, 2025
Bumps the trivy group with 2 updates: [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) and [github.com/aquasecurity/trivy-db](https://github.com/aquasecurity/trivy-db).


Updates `github.com/aquasecurity/trivy` from 0.62.1 to 0.63.0
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.62.1...v0.63.0)

Updates `github.com/aquasecurity/trivy-db` from 0.0.0-20250512105550-319ae10c5abf to 0.0.0-20250529093513-a12dfc204b6e
- [Release notes](https://github.com/aquasecurity/trivy-db/releases)
- [Commits](https://github.com/aquasecurity/trivy-db/commits)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-version: 0.63.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: trivy
- dependency-name: github.com/aquasecurity/trivy-db
  dependency-version: 0.0.0-20250529093513-a12dfc204b6e
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: trivy
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/master/trivy-b2760f260b branch from 90d6c89 to 7365da0, June 2, 2025 07:57
shino commented Jun 3, 2025

Some manual tests.

bun.lock by lockFiles:

% go run ./cmd/vuls/ scan -config integration/int-config.toml bun
[Jun  3 11:04:58]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Jun  3 11:04:58]  INFO [localhost] Start scanning
[Jun  3 11:04:58]  INFO [localhost] config: integration/int-config.toml
[Jun  3 11:04:58]  INFO [localhost] Validating config...
[Jun  3 11:04:58]  INFO [localhost] Detecting Server/Container OS...
[Jun  3 11:04:58]  INFO [localhost] Detecting OS of servers...
[Jun  3 11:04:58]  INFO [localhost] (1/1) Detected: bun: pseudo
[Jun  3 11:04:58]  INFO [localhost] Detecting OS of containers...
[Jun  3 11:04:58]  INFO [localhost] Checking Scan Modes...
[Jun  3 11:04:58]  INFO [localhost] Detecting Platforms...
[Jun  3 11:04:58]  INFO [localhost] (1/1) bun is running on other
[Jun  3 11:04:58]  INFO [bun] Scanning listen port...
[Jun  3 11:04:58]  INFO [bun] Using Port Scanner: Vuls built-in Scanner
[Jun  3 11:04:58]  INFO [bun] Scanning Language-specific Packages...
2025-06-03T11:04:58+09:00       INFO    [bun] To collect the license information of packages, "bun install" needs to be performed beforehand    dir="home/shino/g/vuls/integration/data/lockfile/node_modules"


Scan Summary
================
bun     pseudo  0 installed, 0 updatable        2 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
% go run ./cmd/vuls/ report -config integration/int-config.toml
[Jun  3 11:05:05]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Jun  3 11:05:05]  INFO [localhost] Validating config...
[Jun  3 11:05:05]  INFO [localhost] cveDict.type=sqlite3, cveDict.url=, cveDict.SQLite3Path=/data/vulsctl/docker/cve.sqlite3
[Jun  3 11:05:05]  INFO [localhost] ovalDict.type=sqlite3, ovalDict.url=, ovalDict.SQLite3Path=/data/vulsctl/docker/oval.sqlite3
[Jun  3 11:05:05]  INFO [localhost] gost.type=sqlite3, gost.url=, gost.SQLite3Path=/data/vulsctl/docker/gost.sqlite3
[Jun  3 11:05:05]  INFO [localhost] exploit.type=sqlite3, exploit.url=, exploit.SQLite3Path=/data/vulsctl/docker/go-exploitdb.sqlite3
[Jun  3 11:05:05]  INFO [localhost] metasploit.type=sqlite3, metasploit.url=, metasploit.SQLite3Path=/data/vulsctl/docker/go-msfdb.sqlite3
[Jun  3 11:05:05]  INFO [localhost] kevuln.type=sqlite3, kevuln.url=, kevuln.SQLite3Path=/data/vulsctl/docker/go-kev.sqlite3
[Jun  3 11:05:05]  INFO [localhost] cti.type=sqlite3, cti.url=, cti.SQLite3Path=/data/vulsctl/docker/go-cti.sqlite3
[Jun  3 11:05:05]  INFO [localhost] Loaded: /home/shino/g/vuls/results/2025-06-03T11-04-58+0900
[Jun  3 11:05:05]  INFO [localhost] Updating library db...
[Jun  3 11:05:05]  INFO [localhost] bun: 4 CVEs are detected with Library
[Jun  3 11:05:05]  INFO [localhost] pseudo type. Skip OVAL and gost detection
[Jun  3 11:05:05]  INFO [localhost] bun: 0 CVEs are detected with CPE
[Jun  3 11:05:05]  INFO [localhost] bun: 0 PoC are detected
[Jun  3 11:05:05]  INFO [localhost] bun: 0 exploits are detected
[Jun  3 11:05:05]  INFO [localhost] bun: Known Exploited Vulnerabilities are detected for 0 CVEs
[Jun  3 11:05:05]  INFO [localhost] bun: Cyber Threat Intelligences are detected for 0 CVEs
[Jun  3 11:05:05]  INFO [localhost] bun: total 4 CVEs detected
[Jun  3 11:05:05]  INFO [localhost] bun: 0 CVEs filtered by --confidence-over=80
bun (pseudo)
============
Total: 4 (Critical:0 High:3 Medium:1 Low:0 ?:0)
4/4 Fixed, 0 poc, 0 exploits, 0 kevs, uscert: 0, jpcert: 0 alerts
0 installed, 2 libs

+----------------+------+--------+-----+-----+-------+-------+----------+
|     CVE-ID     | CVSS | Attack | PoC | KEV | Alert | Fixed | Packages |
+----------------+------+--------+-----+-----+-------+-------+----------+
| CVE-2019-11358 | 8.9  | AV:N   |     |     |       | fixed | jquery   |
| CVE-2020-11022 | 8.9  | AV:N   |     |     |       | fixed | jquery   |
| CVE-2020-11023 | 8.9  | AV:N   |     |     |       | fixed | jquery   |
| CVE-2019-5428  | 6.9  |        |     |     |       | fixed | jquery   |
+----------------+------+--------+-----+-----+-------+-------+----------+

bun.lock by findLocks=true via ssh:

remote:

[root@d9c66dcee252 /]# ls -al /locks
total 12
drwxr-xr-x 2 root root 4096 Jun  3 01:48 .
drwxr-xr-x 1 root root 4096 Jun  3 01:47 ..
-rw-r--r-- 1 root root 1382 Jun  3 01:48 bun.lock

config:

[servers.vt-alma8]
host = "127.0.0.1"
keyPath = "/path/to/id_rsa"
port = "2338"
scanMode = ["fast-root"]
user = "root"
findLock = true
findLockDirs = ["/locks"]
% go run ./cmd/vuls/ scan -config config.toml vt-alma8
[Jun  3 11:07:36]  INFO [localhost] vuls-`make build` or `make install` will show the version-
[Jun  3 11:07:36]  INFO [localhost] Start scanning
[Jun  3 11:07:36]  INFO [localhost] config: config.toml
[Jun  3 11:07:36]  INFO [localhost] Validating config...
[Jun  3 11:07:36]  INFO [localhost] Detecting Server/Container OS...
[Jun  3 11:07:36]  INFO [localhost] Detecting OS of servers...
[Jun  3 11:07:36]  INFO [localhost] (1/1) Detected: vt-alma8: alma 8.10
[Jun  3 11:07:36]  INFO [localhost] Detecting OS of containers...
[Jun  3 11:07:36]  INFO [localhost] Checking Scan Modes...
[Jun  3 11:07:36]  INFO [localhost] Detecting Platforms...
[Jun  3 11:07:38]  INFO [localhost] (1/1) vt-alma8 is running on other
[Jun  3 11:07:38]  INFO [vt-alma8] Scanning OS pkg in fast-root mode
[Jun  3 11:07:40]  WARN [vt-alma8] Failed to detect a init system: File: /proc/1/exe -> /usr/sbin/sshd
[Jun  3 11:07:41]  INFO [vt-alma8] Scanning listen port...
[Jun  3 11:07:41]  INFO [vt-alma8] Using Port Scanner: Vuls built-in Scanner
[Jun  3 11:07:41]  INFO [vt-alma8] Scanning Language-specific Packages...
[Jun  3 11:07:41]  INFO [vt-alma8] Finding files under /locks
2025-06-03T11:07:41+09:00       INFO    [bun] To collect the license information of packages, "bun install" needs to be performed beforehand    dir="locks/node_modules"


Scan Summary
================
vt-alma8        alma8.10        175 installed, 37 updatable     2 libs





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

Partial output of the report; some jquery CVEs are included:

vt-alma8 (alma8.10)
===================
Total: 12 (Critical:0 High:5 Medium:7 Low:0 ?:0)
12/12 Fixed, 0 poc, 0 exploits, 0 kevs, uscert: 0, jpcert: 0 alerts
175 installed, 2 libs

+----------------+------+--------+-----+-----+-------+-------+------------------------+
|     CVE-ID     | CVSS | Attack | PoC | KEV | Alert | Fixed |        Packages        |
+----------------+------+--------+-----+-----+-------+-------+------------------------+
| CVE-2019-11358 | 8.9  | AV:N   |     |     |       | fixed | jquery                 |
| CVE-2020-11022 | 8.9  | AV:N   |     |     |       | fixed | jquery                 |
| CVE-2020-11023 | 8.9  | AV:N   |     |     |       | fixed | libgcc,                |
|                |      |        |     |     |       |       | libstdc++, jquery      |
| CVE-2024-56171 | 8.9  |        |     |     |       | fixed | libxml2                |
| CVE-2025-24928 | 8.9  |        |     |     |       | fixed | libxml2                |
| CVE-2019-12900 | 6.9  |        |     |     |       | fixed | bzip2-libs             |
| CVE-2019-5428  | 6.9  |        |     |     |       | fixed | jquery                 |
| CVE-2022-49043 | 6.9  |        |     |     |       | fixed | libxml2                |
| CVE-2024-12243 | 6.9  |        |     |     |       | fixed | gnutls                 |
| CVE-2024-8176  | 6.9  |        |     |     |       | fixed | expat                  |
| CVE-2025-0395  | 6.9  |        |     |     |       | fixed | glibc, glibc-common,   |
|                |      |        |     |     |       |       | glibc-gconv-extra,     |
|                |      |        |     |     |       |       | glibc-langpack-en,     |
|                |      |        |     |     |       |       | glibc-minimal-langpack |
| CVE-2025-24528 | 6.9  |        |     |     |       | fixed | krb5-libs              |
+----------------+------+--------+-----+-----+-------+-------+------------------------+

war (in integration)

Partial output of vuls report:

war (pseudo)
============
Total: 37 (Critical:6 High:21 Medium:8 Low:2 ?:0)
37/37 Fixed, 0 poc, 0 exploits, 0 kevs, uscert: 0, jpcert: 0 alerts
0 installed, 79 libs

+------------------+------+--------+-----+-----+-------+-------+---------------------------------------------+
|      CVE-ID      | CVSS | Attack | PoC | KEV | Alert | Fixed |                  Packages                   |
+------------------+------+--------+-----+-----+-------+-------+---------------------------------------------+
| CVE-2016-1000027 | 10.0 | AV:N   |     |     |       | fixed | org.springframework:spring-web              |
| CVE-2019-17571   | 10.0 | AV:N   |     |     |       | fixed | log4j:log4j                                 |
| CVE-2020-10683   | 10.0 | AV:N   |     |     |       | fixed | dom4j:dom4j                                 |
| CVE-2022-22965   | 10.0 | AV:N   |     |     |       | fixed | org.springframework:spring-beans            |
| CVE-2022-23305   | 10.0 | AV:N   |     |     |       | fixed | log4j:log4j                                 |
| CVE-2022-23307   | 10.0 | AV:N   |     |     |       | fixed | log4j:log4j                                 |
| CVE-2016-5007    | 8.9  | AV:N   |     |     |       | fixed | org.springframework:spring-core             |
| CVE-2018-1000632 | 8.9  | AV:N   |     |     |       | fixed | dom4j:dom4j                                 |
| CVE-2018-1272    | 8.9  | AV:N   |     |     |       | fixed | org.springframework:spring-core             |
[snip]

@shino shino requested a review from MaineK00n June 3, 2025 02:28
@MaineK00n MaineK00n left a comment

Is this change necessary?

:160000 160000 f1e40a2 0000000 M	integration
:100644 100644 a939a32 0000000 M	reporter/sbom/purl.go

diff --git a/integration b/integration
index f1e40a2..d8bb88d 160000
--- a/integration
+++ b/integration
@@ -1 +1 @@
-Subproject commit f1e40a24330ec32876ef0622d3d4a2c6ee70e207
+Subproject commit d8bb88de257cf8d122932be74726e31ef02c1efa
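Review bot: the submodule pointer move from f1e40a2 to d8bb88d is not explained anywhere in the PR description or the commit message; a one-line note saying what the new integration commit adds (judging by the manual test above, the bun.lock test data under integration/data/lockfile) would let reviewers verify the submodule bump belongs to this dependency update rather than being an accidental local checkout state.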
diff --git a/reporter/sbom/purl.go b/reporter/sbom/purl.go
index a939a32..c2dab1b 100644
--- a/reporter/sbom/purl.go
+++ b/reporter/sbom/purl.go
@@ -126,7 +126,7 @@ func ghEcosystemToPurlType(t string) string {
 		return packageurl.TypeGolang
 	case "pom", "gradle":
 		return packageurl.TypeMaven
-	case "npm", "yarn", "pnpm":
+	case "npm", "yarn", "pnpm", "bun":
 		return packageurl.TypeNPM
 	case "nuget":
 		return packageurl.TypeNuget
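Review bot: the new "bun" case in the `case "npm", "yarn", "pnpm", "bun":` line maps a Trivy lockfile type to packageurl.TypeNPM, but the function name ghEcosystemToPurlType suggests its input is a GitHub Security Alert ecosystem name, and "bun" is not one of those; either add a short comment in this switch stating that bun lockfiles are treated as npm packages for purl generation, or confirm what the caller actually passes here. It is also worth checking that the default branch of this switch (not visible in the hunk) returns a value the SBOM reporter handles safely, so that any lockfile type added by a future Trivy bump does not silently produce a malformed purl.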

shino commented Jun 3, 2025

Is this change necessary?

Thanks for pointing that out!
The function is related to GitHub Security Alerts, and bun is not yet supported:
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/dependency-graph-supported-package-ecosystems#package-ecosystems-supported-via-dependency-submission-actions

Anyway, nothing bad happens by adding "bun"; I will add it!

@shino shino force-pushed the dependabot/go_modules/master/trivy-b2760f260b branch from 3cce0a4 to 9a00038, June 3, 2025 05:10
shino commented Jun 3, 2025

Added along with some missing parts.
9a00038

@shino shino requested a review from MaineK00n June 3, 2025 05:23
@shino shino self-assigned this Jun 3, 2025
@shino shino merged commit 758fb13 into master Jun 3, 2025
7 checks passed
@shino shino deleted the dependabot/go_modules/master/trivy-b2760f260b branch June 3, 2025 06:57