🚀 aquasecurity/trivy - Release Notes

v0.61.0 (2025-03-28)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8639

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0610-2025-03-28

v0.60.0 (2025-03-05)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8495

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0600-2025-03-05

v0.59.1 (2025-02-05)

## Changelog
* 9aabfd2a91e7278384bce7ccc6841a1d2851feb0 release: v0.59.1 [release/v0.59] (#8334)
* 412c690924d4414ef6d8a5f37b293969bc245d32 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#8349)
* 98f9ba295a55da34914b849c73b2d003d57d238a chore(deps): bump Go to `v1.23.5` [backport: release/v0.59] (#8343)
* 1741fddbe07d166dffbfb9b6f768940e52d08487 fix(python): add `poetry` v2 support [backport: release/v0.59] (#8335)
* 3fd8e2785b2b838327a80cdc8b489583c3664944 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#8333)


v0.59.0 (2025-01-30)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8312

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0590-2025-01-30

v0.58.2 (2025-01-14)

## Changelog
* 936f06a57864d073aa77b38f77fe76c4fcb1f7c1 release: v0.58.2 [release/v0.58] (#8216)
* f72d2bce8d3418dbcb670434bc15bb857b421f98 fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
* 289636758eccf990f36ea2be34f6db2c02cfab6b fix(suse): SUSE - update OSType constants and references for compatibility [backport: release/v0.58] (#8237)
* b733ecc7bc752d61837d08f2650bd480b645bb1d fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)


v0.58.1 (2024-12-24)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8171

## Changelog
https://github.com/aquasecurity/trivy/blob/release/v0.58/CHANGELOG.md#0581-2024-12-24

v0.58.0 (2024-12-03)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8039

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0580-2024-12-02

v0.57.1 (2024-11-18)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7951

## Changelog
https://github.com/aquasecurity/trivy/blob/release/v0.57/CHANGELOG.md#0571-2024-11-18

v0.57.0 (2024-11-02)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7857

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0570-2024-10-31

v0.56.2 (2024-10-10)

## Changelog
* f2252c833d4dee18546577f0c32ceb83c8bf20ae release: v0.56.2 [release/v0.56] (#7694)
* f6700ec10e819fb2fc0573782e87d2d31d2c50f1 fix(redhat): include arch in PURL qualifiers [backport: release/v0.56] (#7702)
* 25d2540f12272603bf27eb67f4b3fba52b1ddab8 fix(sbom): add options for DBs in private registries [backport: release/v0.56] (#7691)


v0.56.1 (2024-10-03)

## Changelog
* 95dbf1152b2049a6ae2ae90a507630df01798bf1 release: v0.56.1 [release/v0.56] (#7648)
* 5dbdadfe4578288d5c3f2a5b625fff4a3580f8c5 fix(db): fix javadb downloading error handling [backport: release/v0.56] (#7646)


v0.56.0 (2024-10-03)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7640

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0560-2024-10-03

v0.55.2 (2024-09-17)

## Changelog
* 928c7c0f1a5c9432a2ba2daa5268dae53dc8eb7b release: v0.55.2 [release/v0.55] (#7523)
* 14a058f608be403a53019775c8308f4f5718afd7 fix(java): use `dependencyManagement` from root/child pom's for dependencies from parents [backport: release/v0.55] (#7521)
* 990bc4e8287889a18ebb59332b40db3e4586fed4 chore(deps): bump alpine from 3.20.0 to 3.20.3 [backport: release/v0.55] (#7516)


v0.55.1 (2024-09-12)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7494

## Changelog
https://github.com/aquasecurity/trivy/blob/release/v0.55/CHANGELOG.md#0551-2024-09-12

v0.55.0 (2024-09-04)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7440

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0550-2024-09-03

v0.54.1 (2024-07-31)

## Changelog
* 854c61d34a550a9fcbab3bc59e55b868c15d1962 release: v0.54.1 [release/v0.54] (#7282)
* 334a1c293bb3d490af2a6d80732f399efaac22f7 fix(flag): incorrect behavior for deprecated flag `--clear-cache` [backport: release/v0.54] (#7285)
* f61725c28b56d80fb46395479842a2ab0c517c5f fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
* a7b7117fe2c9608e990b42e702cc83675c48f888 fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)


v0.54.0 (2024-07-31)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7268 

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0540-2024-07-30

v0.53.0 (2024-07-01)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/7061 

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0530-2024-07-01

v0.52.2 (2024-06-14)

## Changelog
* 8709d4f9c release: v0.52.2 [release/v0.52] (#6896)
* a4b8ad767 ci: use `ubuntu-latest-m` runner [backport: release/v0.52] (#6933)
* 2b711bc26 chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5.2 to 1.6.0 [backport: release/v0.52] (#6919)
* 191d31ef8 test: bump docker API to 1.45  [backport: release/v0.52] (#6922)
* 3f5874c8a ci: bump `github.com/goreleaser/goreleaser` to `v2.0.0` [backport: release/v0.52] (#6893)
* 8f8c76a2a fix(debian): take installed files from the origin layer [backport: release/v0.52] (#6892)


v0.52.1 (2024-06-10)

## Changelog
* a3caf0658 release: v0.52.1 [release/v0.52] (#6877)
* 01dbb42ae fix(nodejs): fix infinite loop when package link from `package-lock.json` file is broken [backport: release/v0.52] (#6888)
* f186d22bf fix(sbom): don't overwrite `srcEpoch` when decoding SBOM files [backport: release/v0.52] (#6881)
* 093c0ae02 fix(python): compare pkg names from `poetry.lock` and `pyproject.toml` in lowercase [backport: release/v0.52] (#6878)
* 6bfda7602 Merge pull request #6879 from aquasecurity/backport-pr-6864-to-release/v0.52
* 53850c8b2 docs: explain how VEX is applied (#6864)
* 221196202 Merge pull request #6875 from aquasecurity/backport-pr-6857-to-release/v0.52
* a614b693d fix(nodejs): fix infinity loops for `pnpm` with cyclic imports (#6857)


v0.52.0 (2024-06-03)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6838

## Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0520-2024-06-03

v0.51.4 (2024-05-24)

## Changelog
* c06f467e6 chore: downgrade trivy-checks and trivy-aws
* df4f7604a build: use main package instead of main.go (#6766)
* bf7a8ede3 chore(deps): bump the common group across 1 directory with 29 updates (#6756)
* acb22c60a chore(deps): bump the aws group with 8 updates (#6738)
* 9a3510ffd chore(deps): bump the docker group with 2 updates (#6739)
* 7806b37e2 ci: add `generic` dir to deb deploy script (#6636)


v0.51.2 (2024-05-20)

## Changelog
* eadc6fb64 fix: node-collector high and critical cves (#6707)
* cc489b1af Merge pull request from GHSA-xcq4-m2r3-cmrj
* 013f71a6a chore: auto-bump golang patch versions (#6711)
* 113a5b216 fix(misconf): don't shift ignore rule related to code (#6708)
* 733e5ac1f fix(go): include only `.version`|`.ver` (no prefixes) ldflags for `gobinaries` (#6705)
* d311e49bc fix(go): add only non-empty root modules for `gobinaries` (#6710)
* cf1a7bf30 refactor: unify package addition and vulnerability scanning (#6579)
* d465d9d1e fix: Golang version parsing from binaries w/GOEXPERIMENT (#6696)
* 0af225ccf fix(conda): add support `pip` deps for `environment.yml` files (#6675)
* 6f64d5518 fix(misconf): skip Rego errors with a nil location (#6666)
* 8c27430a2 fix(misconf): skip Rego errors with a nil location (#6638)
* c2b46d3c2 refactor: unify Library and Package structs (#6633)
* 4368f11e0 fix: use of specified context to obtain cluster name (#6645)
* 5ec62f863 docs: fix usage of image-config-scanners (#6635)


v0.51.1 (2024-05-04)

## Changelog
* 8016b821a fix(fs): handle default skip dirs properly (#6628)
* 7a25dadb4 fix(misconf): load cached tf modules (#6607)
* 9c794c0ff fix(misconf): do not use semver for parsing tf module versions (#6614)


v0.51.0 (2024-05-03)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6622

## Changelog
* 14c1024b4 refactor: move setting scanners when using compliance reports to flag parsing (#6619)
* 998f75043 feat: introduce package UIDs for improved vulnerability mapping (#6583)
* 770b14113 perf(misconf): Improve cause performance (#6586)
* 3ccb1a0f1 docs: trivy-k8s new experience remove un-used section (#6608)
* 58cfd1b07 chore(deps): bump github.com/docker/docker from 26.0.1+incompatible to 26.0.2+incompatible (#6612)
* 715963d75 docs: remove mention of GitLab Gold because it doesn't exist anymore (#6609)
* 37da98df4 feat(misconf): Use updated terminology for misconfiguration checks (#6476)
* cdee7030a chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.15 to 1.16.15 (#6593)
* 6a2225b42 docs: use `generic` link from `trivy-repo` (#6606)
* a2a02de7c docs: update trivy k8s with new experience (#6465)
* e739ab850 feat: support `--skip-images` scanning flag (#6334)
* c6d5d856c BREAKING: add support for k8s `disable-node-collector` flag (#6311)
* 194a81468 chore(deps): bump github.com/zclconf/go-cty from 1.14.1 to 1.14.4 (#6601)
* 03830c50c chore(deps): bump github.com/sigstore/rekor from 1.2.2 to 1.3.6 (#6599)
* 8e814fa23 chore(deps): bump google.golang.org/protobuf from 1.33.0 to 1.34.0 (#6597)
* 2dc76ba78 chore(deps): bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#6588)
* c17176ba9 chore(deps): bump github.com/testcontainers/testcontainers-go from 0.28.0 to 0.30.0 (#6595)
* bce70af36 chore(deps): bump github.com/open-policy-agent/opa from 0.62.0 to 0.64.1 (#6596)
* 4369a19af feat: add ubuntu 23.10 and 24.04 support (#6573)
* 5566548b7 chore(deps): bump azure/setup-helm from 3.5 to 4 (#6590)
* a8af76a47 chore(deps): bump actions/checkout from 4.1.2 to 4.1.4 (#6587)
* c8ed432f2 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ecr from 1.24.6 to 1.27.4 (#6598)
* 551a46efc docs(go): add stdlib (#6580)
* 261649b11 chore(deps): bump github.com/containerd/containerd from 1.7.13 to 1.7.16 (#6592)
* acfddd457 chore(deps): bump github.com/go-openapi/runtime from 0.27.1 to 0.28.0 (#6600)
* 419e3d202 feat(go): parse main mod version from build info settings (#6564)
* f0961d54f feat: respect custom exit code from plugin (#6584)
* a5d485cf8 docs: add asdf and mise installation method (#6063)
* 29b8faf5f feat(vuln): Handle scanning conan v2.x lockfiles (#6357)
* e3bef0201 feat: add support `environment.yaml` files (#6569)
* 916f6c66f fix: close plugin.yaml (#6577)
* 8e6cd0e91 fix: trivy k8s avoid deleting non-default node collector namespace  (#6559)
* 060d0bb64 BREAKING: support exclude `kinds/namespaces` and include `kinds/namespaces` (#6323)
* 2d090ef2d feat(go): add main module (#6574)
* 6343e4fc7 feat: add relationships (#6563)
* a018ee1f9 ci: disable `Go` cache for `reusable-release.yaml` (#6572)
* 5da053f30 docs: mention `--show-suppressed` is available in table (#6571)
* 3d66cb8d8 chore: fix sqlite to support loong64 (#6511)
* 9aca98cca fix(debian): sort dpkg info before parsing due to exclude directories (#6551)
* 7811ad0d2 docs: update info about config file (#6547)
* fae710db8 docs: remove RELEASE_VERSION from trivy.repo (#6546)
* d2d4022ef fix(sbom): change error to warning for multiple OSes (#6541)
* 164b02541 fix(vuln): skip empty versions (#6542)
* 5dd9bd470 feat(c): add license support for conan lock files (#6329)
* 7c2017fa7 fix(terraform): Attribute and fileset fixes (#6544)
* 63c9469bd refactor: change warning if no vulnerability details are found (#6230)
* aa822c260 refactor(misconf): improve error handling in the Rego scanner (#6527)
* 30cc88fa8 ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533)
* e32215c99 feat(go): parse main module of go binary files (#6530)
* d4da83c63 chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526)
* 0d7d97d13 refactor(misconf): simplify the retrieval of module annotations (#6528)
* 9873cf3b9 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523)
* 95c8fd912 docs(nodejs): add info about supported versions of pnpm lock files (#6510)
* 12ec0dfe9 feat(misconf): loading embedded checks as a fallback (#6502)
* 9b7d7132b fix(misconf): Parse JSON k8s manifests properly (#6490)
* 13e72eca5 refactor: remove parallel walk (#5180)
* a9861994e fix: close pom.xml (#6507)
* 46d5abad4 fix(secret): convert severity for custom rules (#6500)
* 34ab09d55 fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)
* 1ba5b5952 fix: typo (#6283)
* 4fab0f8b9 docs(k8s,image): fix command-line syntax issues (#6403)
* d7709816c chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#6435)
* 433706820 fix(misconf): avoid panic if the scheme is not valid (#6496)
* d82d6cb73 feat(image): goversion as stdlib (#6277)
* cfddfb33c fix: add color for error inside of log message (#6493)
* dfcb0f90d chore(deps): bump actions/add-to-project from 0.4.1 to 1.0.0 (#6438)
* 183eaafb4 docs: fix links to OPA docs (#6480)
* 94d6e8ced refactor: replace zap with slog (#6466)
* 336c47ecc docs: update links to IaC schemas (#6477)
* 06b44738e chore: bump Go to 1.22 (#6075)
* a51ceddad refactor(terraform): sync funcs with Terraform (#6415)
* 53517d622 feat(misconf): add helm-api-version and helm-kube-version flag (#6332)
* ad544e97c chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.4.0 to 1.5.1 (#6426)
* 089368d96 chore(deps): bump github.com/go-openapi/strfmt from 0.22.0 to 0.23.0 (#6452)
* 116356500 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.6 to 2.0.7 (#6430)
* 637da2b17 chore(deps): bump aquaproj/aqua-installer from 2.2.0 to 3.0.0 (#6437)
* 13190e92d fix(terraform): eval submodules (#6411)
* 6bca7c3c7 refactor(terraform): remove unused options (#6446)
* 8e4279b86 refactor(terraform): remove unused file (#6445)
* e98c873ed chore(deps): bump github.com/testcontainers/testcontainers-go to v0.28.0 (#6387)
* b1c2eab5a chore(deps): bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.10.0 (#6427)
* 1c49a16c6 fix(misconf): Escape template value correctly (#6292)
* 8dd0fcd61 feat(misconf): add support for wildcard ignores (#6414)
* 74e4c6e01 fix(cloudformation): resolve `DedicatedMasterEnabled` parsing issue (#6439)
* 245c12053 refactor(terraform): remove metrics collection (#6444)
* 86714bf6b feat(cloudformation): add support for logging and endpoint access for EKS (#6440)
* a75839212 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.51.1 to 1.53.1 (#6424)
* 4d00d8b52 chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.27.4 to 1.27.10 (#6428)
* 3ad2b3e25 chore(deps): bump go.etcd.io/bbolt from 1.3.8 to 1.3.9 (#6429)
* 8baccd790 fix(db): check schema version for image name only (#6410)
* e75a90f2e chore(deps): bump github.com/google/wire from 0.5.0 to 0.6.0 (#6425)
* 6625bd32e chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.149.1 to 1.155.1 (#6433)
* 826fe6073 chore(deps): bump actions/cache from 4.0.0 to 4.0.2 (#6436)
* f23ed7759 feat(misconf): Support private registries for misconf check bundle (#6327)
* df024e88d feat(cloudformation): inline ignore support for YAML templates (#6358)
* 29dee3281 feat(terraform): ignore resources by nested attributes (#6302)
* 1a67472d2 perf(helm): load in-memory files (#6383)
* 09e37b7c6 feat(aws): apply filter options to result (#6367)
* 87a9aa60d feat(aws): quiet flag support (#6331)
* 712dcd300 fix(misconf): clear location URI for SARIF (#6405)
* 625f22b81 test(cloudformation): add CF tests (#6315)
* 6a2f6fde4 fix(cloudformation): infer type after resolving a function (#6406)


v0.50.4 (2024-04-24)

## Note
v0.50.3 had a critical problem, and we deleted it and released v0.50.4.

## Changelog
* e47fd487c fix(sbom): change error to warning for multiple OSes (#6541)


v0.50.2 (2024-04-22)

## Changelog
* 9aa9e173b ci: use tmp dir inside Trivy repo dir for GoReleaser (#6533)
* 058f4839d chore(deps): bump golang.org/x/net from 0.21.0 to 0.23.0 (#6526)
* 9e3d2c5f9 chore(deps): bump github.com/hashicorp/go-getter from 1.7.3 to 1.7.4 (#6523)
* 2ad8e332e fix(java): update logic to detect `pom.xml` file snapshot artifacts from remote repositories (#6412)


v0.50.1 (2024-03-27)

## Changelog
* 5f69937cc fix(sbom): fix error when parent of SPDX Relationships is not a package. (#6399)
* 258d15346 fix(nodejs): merge `Indirect`, `Dev`, `ExternalReferences` fields for same deps from `package-lock.json` files v2 or later (#6356)
* ade033a83 docs: add info about support for package license detection in `fs`/`repo` modes (#6381)
* f85c9fac6 fix(nodejs): add support for parsing `workspaces` from `package.json` as an object (#6231)
* 9d7f5c948 fix: use `0600` perms for tmp files for post analyzers (#6386)
* f148eb10f fix(helm): scan the subcharts once (#6382)
* 97f95c4dd docs(terraform): add file patterns for Terraform Plan (#6393)
* abd62ae74 fix(terraform): checking SSE encryption algorithm validity (#6341)
* 7c409fd27 fix(java): parse modules from `pom.xml` files once (#6312)
* 1b68327b6 chore(deps): bump github.com/docker/docker from 25.0.3+incompatible to 25.0.5+incompatible (#6364)
* a2482c14e fix(server): add Locations for `Packages` in client/server mode (#6366)
* e866bd5b5 fix(sbom): add check for `CreationInfo` to nil when detecting SPDX created using Trivy (#6346)
* 1870f2846 fix(report): don't include empty strings in `.vulnerabilities[].identifiers[].url` when `gitlab.tpl` is used (#6348)
* 6c81e5505 chore(ubuntu): Add Ubuntu 22.04 EOL date (#6371)


v0.50.0 (2024-03-19)

## ⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6340

## Changelog
* 8ec3938e0 chore(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#6321)
* f6c5d5800 feat(java): add support licenses and graph for gradle lock files (#6140)
* c4022d61b feat(vex): consider root component for relationships (#6313)
* 317792433 fix: increase the default buffer size for scanning dpkg status files by 2 times (#6298)
* dd9620ef3 chore: updates wazero to v1.7.0 (#6301)
* eb3ceb323 feat(sbom): Support license detection for SBOM scan (#6072)
* ab74caa87 refactor(sbom): use intermediate representation for SPDX (#6310)
* 71da44f7e docs(terraform): improve documentation for filtering by inline comments (#6284)
* 102b6df73 fix(terraform): fix policy document retrieval (#6276)
* aa19aaf4e refactor(terraform): remove unused custom error (#6303)
* 8fcef352b refactor(sbom): add intermediate representation for BOM (#6240)
* fb8c516de fix(amazon): check only major version of AL to find advisories (#6295)
* 96bd7ac59 fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219)
* 12c5bf080 fix(nodejs): add name validation for package name from `package.json`  (#6268)
* d6c40ce05 docs: Added install instructions for FreeBSD (#6293)
* 9d2057a7c feat(image): customer podman host or socket option (#6256)
* 2a9d9bd21 chore(deps): bump wazero from 1.2.1 to 1.6.0 (#6290)
* 617c3e31b feat(java): mark dependencies from `maven-invoker-plugin` integration tests pom.xml files as `Dev` (#6213)
* 56cedc0d6 fix(license): reorder logic of how python package licenses are acquired (#6220)
* d7d7265eb test(terraform): skip cached modules (#6281)
* 663991166 feat(secret): Support for detecting Hugging Face Access Tokens (#6236)
* 337cb7535 fix(cloudformation): support of all SSE algorithms for s3 (#6270)
* 9361cdb7e feat(terraform): Terraform Plan snapshot scanning support (#6176)
* ee01e6e2f chore(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.26.6 to 1.27.4 (#6249)
* 3d2f583ec fix: typo function name and comment optimization (#6200)
* c4b5ab788 fix(java): don't ignore runtime scope for pom.xml files (#6223)
* 355c1b583 chore(deps): bump helm/kind-action from 1.8.0 to 1.9.0 (#6242)
* 7244ece53 chore(deps): bump golangci/golangci-lint-action from 3.7.0 to 4.0.0 (#6243)
* 5cd056684 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.1 to 1.51.1 (#6251)
* ebb74a5de chore(deps): bump github.com/hashicorp/go-uuid from 1.0.1 to 1.0.3 (#6253)
* 24a8d6aaa chore(deps): bump github.com/open-policy-agent/opa from 0.61.0 to 0.62.0 (#6250)
* 9d0d7ad88 chore(deps): bump github.com/containerd/containerd from 1.7.12 to 1.7.13 (#6247)
* e8230e19d chore(deps): bump go.uber.org/zap from 1.26.0 to 1.27.0 (#6246)
* 04535b554 fix(license): add FilePath to results to allow for license path filtering via trivyignore file (#6215)
* 939e34e37 chore(deps): Upgrade iac deps (#6255)
* 7cb6c02a4 feat: add info log message about dev deps suppression (#6211)
* c1d26ec33 test(k8s): use test-db for k8s integration tests (#6222)
* 4f70468bd ci: add maximize-build-space for `Test` job (#6221)
* 1dfece89d fix(terraform): fix root module search (#6160)
* e1ea02c7b test(parser): squash test data for yarn (#6203)
* 64926d842 fix(terraform): do not re-expand dynamic blocks (#6151)
* eb54bb5da docs: update ecosystem page reporting with db app (#6201)
* dc76c6e4f fix: k8s summary separate infra and user finding results (#6120)
* 1b7e47424 fix: add context to target finding on k8s table view (#6099)
* 876ab84b3 fix: Printf format err (#6198)
* eef7c4fb4 refactor: better integration of the parser into Trivy (#6183)
* 069aae59e chore(deps): bump helm.sh/helm/v3 from 3.14.1 to 3.14.2 (#6189)
* 4a9ac6d19 feat(terraform): Add hyphen and non-ASCII support for domain names in credential extraction (#6108)
* 9c5e5a04e fix(vex): CSAF filtering should consider relationships (#5923)
* 388f47669 refactor(report): Replacing `source_location` in `github` report when scanning an image (#5999)
* cd3e4bcac feat(vuln): ignore vulnerabilities by PURL (#6178)
* ce81c0585 feat(java): add support for fetching packages from repos mentioned in pom.xml (#6171)
* cf0f0d00c feat(k8s): rancher rke2 version support (#5988)
* 8a3a113ee docs: update kbom distribution for scanning (#6019)
* 19495ba7c chore: update CODEOWNERS (#6173)
* e787e1af0 fix(swift): try to use branch to resolve version (#6168)
* 327cf8839 fix(terraform): ensure consistent path handling across OS (#6161)
* 82214736a fix(java): add only valid libs from `pom.properties` files from `jars` (#6164)
* 7694df11f fix(sbom): skip executable file analysis if Rekor isn't a specified SBOM source (#6163)
* 74dc5b680 chore(deps): merge go-dep-parser into Trivy (#6094)
* 32a02a95d docs(report): add remark about `path` to filter licenses using `.trivyignore.yaml` file (#6145)
* fb79ea7c9 docs: update template path for gitlab-ci tutorial (#6144)
* c6844a73f feat(report): support for filtering licenses and secrets via rego policy files (#6004)
* a813506f4 fix(cyclonedx): move root component from scanned cyclonedx file to output cyclonedx file (#6113)
* 14adbb446 refactor(deps): Merge defsec into trivy (#6109)
* efe0e0f8f chore(deps): bump helm.sh/helm/v3 from 3.14.0 to 3.14.1 (#6142)
* 73dde3263 docs: add SecObserve in CI/CD and reporting (#6139)
* aadbad1d7 fix(alpine): exclude empty licenses for apk packages (#6130)
* 14a0981ef docs: add docs tutorial on custom policies with rego (#6104)
* 3ac63887d fix(nodejs): use project dir when searching for workspaces for Yarn.lock files (#6102)
* 3c1601b6c feat(vuln): show suppressed vulnerabilities in table (#6084)
* c107e1af2 docs: rename governance to principles (#6107)
* b26f21717 docs: add governance (#6090)
* 7bd3b630b refactor(deps): Merge trivy-iac into Trivy (#6005)
* 535b5a96d feat(java): add dependency location support for `gradle` files (#6083)
* 428420ee8 chore(deps): bump github.com/aws/aws-sdk-go-v2/feature/s3/manager from 1.15.11 to 1.15.15 (#6038)
* 7fec991c5 fix(misconf): get `user` from `Config.User` (#6070)


v0.49.1 (2024-02-06)

## Changelog
* 6ccc0a554 fix: check unescaped `BomRef` when matching `PkgIdentifier` (#6025)
* 458c5d95e docs: Fix broken link to "pronunciation" (#6057)
* 5c0ff6dad chore(deps): bump actions/upload-artifact from 3 to 4 (#6047)
* e2bd7f75d chore(deps): bump github.com/spf13/viper from 1.16.0 to 1.18.2 (#6042)
* f95fbcb67 chore(deps): bump k8s.io/api from 0.29.0 to 0.29.1 (#6043)
* 7651bf59b ci: reduce `root-reserve-mb` size for `maximize-build-space` (#6064)
* fc20dfdd8 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.48.0 to 1.48.1 (#6041)
* 3bd80e7c2 chore(deps): bump github.com/open-policy-agent/opa from 0.60.0 to 0.61.0 (#6039)
* 2900a2117 fix: fix cursor usage in Redis Clear function (#6056)
* 85cb9a763 chore(deps): bump github.com/go-openapi/runtime from 0.26.0 to 0.27.1 (#6037)
* 4e962c02a fix(nodejs): add local packages support for `pnpm-lock.yaml` files (#6034)
* aa48a7b86 chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#6046)
* 8aabbea2d chore(deps): bump github.com/go-openapi/strfmt from 0.21.7 to 0.22.0 (#6044)
* ec02a655a chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#6048)
* 27d35baa4 test: fix flaky `TestDockerEngine` (#6054)
* c3a66da9c chore(deps): bump github.com/google/go-containerregistry from 0.17.0 to 0.19.0 (#6040)
* 2000fe24c chore(deps): bump easimon/maximize-build-space from 9 to 10 (#6049)
* 2be642154 chore(deps): bump alpine from 3.19.0 to 3.19.1 (#6051)
* 41c0ef642 chore(deps): bump github.com/moby/buildkit from 0.11.6 to 0.12.5 (#6028)