fix(deps): update module github.com/aquasecurity/trivy to v0.51.2 [security] #1686

Merged

@renovate renovate bot commented May 21, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/aquasecurity/trivy v0.50.4 -> v0.51.2 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-35192

Impact

If a malicious actor is able to trigger Trivy to scan container images from a crafted malicious registry, it could result in the leakage of credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR). These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access.

Taking AWS as an example, the leakage only occurs when Trivy is able to transparently obtain registry credentials from the default credential provider chain. You are affected if Trivy is executed in any of the following situations:

  • The environment variables contain static AWS credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) that have access to ECR.
  • Within a Pod running on an EKS cluster that has been assigned a role with access to ECR using an IAM Roles for Service Accounts (IRSA) annotation.
  • etc.

You are not affected if the default credential provider chain is unable to obtain valid credentials. The same applies to GCP and Azure.

Workarounds

If you are using Trivy v0.51.2 or later, you are not affected. If you are using Trivy v0.51.1 or prior, you should ensure you only scan images from trusted registries.

This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.


Trivy possibly leaks registry credential when scanning images from malicious registries

CVE-2024-35192 / GHSA-xcq4-m2r3-cmrj / GO-2024-2870

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Credential leakage in github.com/aquasecurity/trivy

CVE-2024-35192 / GHSA-xcq4-m2r3-cmrj / GO-2024-2870

More information

Details

A malicious registry can cause Trivy to leak credentials for legitimate registries such as AWS Elastic Container Registry (ECR), Google Cloud Artifact/Container Registry, or Azure Container Registry (ACR) if the registry is scanned directly using Trivy. These tokens can then be used to push/pull images from those registries to which the identity/user running Trivy has access. This vulnerability only applies when scanning container images directly from a registry. If you use Docker, containerd or other runtime to pull images locally and scan them with Trivy, you are not affected. To enforce this behavior, you can use the --image-src flag to select which sources you trust.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).


Release Notes

aquasecurity/trivy (github.com/aquasecurity/trivy)

v0.51.2

v0.51.1

v0.51.0

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/6622

Configuration

📅 Schedule: Branch creation - "" in timezone Etc/UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
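The advisory's workaround (scan directly only from trusted registries, and otherwise restrict sources with --image-src) can be enforced by a small guard in front of the Trivy call. The following is an added example, not code from Trivy, Renovate or this repository; the function names, the allowlist format (exact host, or a leading "." for a domain suffix) and the sample references are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// localOnly is an --image-src value that leaves out "remote", so Trivy reads
// the image from a local runtime instead of contacting the registry itself.
const localOnly = "docker,containerd,podman"

// registryHost returns the registry an image reference resolves to, using the
// Docker reference rule: the first path component is a registry host only if
// it contains '.' or ':', is "localhost", or has upper-case letters. Anything
// else ("alpine", "library/alpine") lives on Docker Hub.
func registryHost(ref string) string {
	first, _, hasSlash := strings.Cut(ref, "/")
	isHost := strings.ContainsAny(first, ".:") || first == "localhost" ||
		strings.ToLower(first) != first
	if !hasSlash || !isHost {
		return "docker.io"
	}
	host := strings.ToLower(first)
	if host == "index.docker.io" {
		return "docker.io"
	}
	return host
}

// isTrusted matches the parsed host against the allowlist. Entries starting
// with "." match as a domain suffix (port ignored); all others must equal the
// host exactly. Matching the parsed host, not the raw reference, is what keeps
// a trusted name placed in the path or as a subdomain prefix from passing.
func isTrusted(host string, allow []string) bool {
	name := host
	if i := strings.LastIndex(name, ":"); i != -1 {
		name = name[:i] // drop the port for suffix matching
	}
	for _, entry := range allow {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			if strings.HasSuffix(name, entry) {
				return true
			}
			continue
		}
		if host == entry {
			return true
		}
	}
	return false
}

// trivyArgs builds the argument list for "trivy image". References on an
// untrusted registry are scanned from local runtimes only, so an affected
// Trivy version never presents cloud credentials to that registry.
func trivyArgs(ref string, allow []string) []string {
	if isTrusted(registryHost(ref), allow) {
		return []string{"image", ref}
	}
	return []string{"image", "--image-src", localOnly, ref}
}

func main() {
	// Constructed allowlist and references, for illustration only.
	allow := []string{"ghcr.io", ".dkr.ecr.eu-west-1.amazonaws.com"}
	refs := []string{
		"123456789012.dkr.ecr.eu-west-1.amazonaws.com/app:1.0",
		"ghcr.io/org/app:1.0",
		"alpine:3.19",
		"registry.example/dkr.ecr.eu-west-1.amazonaws.com/app:1.0",
		"dkr.ecr.eu-west-1.amazonaws.com.registry.example/app:1.0",
	}
	for _, ref := range refs {
		fmt.Printf("%-60s host=%-45s trivy %s\n",
			ref, registryHost(ref), strings.Join(trivyArgs(ref, allow), " "))
	}
}
```

With local-only sources, a reference on an untrusted registry is scanned only if a runtime such as Docker has already pulled it, which is the case the advisory describes as unaffected.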

@renovate renovate bot requested a review from a team as a code owner May 21, 2024 02:01
@renovate renovate bot added go Pull requests that update Go code security labels May 21, 2024

renovate bot commented May 21, 2024

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: scanner/go.sum
Command failed: go get -d -t ./...
go: github.com/openclarity/vmclarity/scanner/scanner/trivy imports
	github.com/aquasecurity/trivy/pkg/fanal/log: cannot find module providing package github.com/aquasecurity/trivy/pkg/fanal/log

File name: provider/go.sum
Command failed: go get -d -t ./...
go: github.com/openclarity/vmclarity/provider/docker/scanner imports
	github.com/openclarity/vmclarity/scanner/families imports
	github.com/openclarity/vmclarity/scanner/families/vulnerabilities imports
	github.com/openclarity/vmclarity/scanner/scanner/job imports
	github.com/openclarity/vmclarity/scanner/scanner/trivy imports
	github.com/aquasecurity/trivy/pkg/fanal/log: cannot find module providing package github.com/aquasecurity/trivy/pkg/fanal/log

File name: orchestrator/go.sum
Command failed: go get -d -t ./...
go: downloading github.com/aptible/supercronic v0.2.29
go: downloading github.com/Portshift/go-utils v0.0.0-20220421083203-89265d8a6487
go: github.com/openclarity/vmclarity/orchestrator/watcher/assetscan imports
	github.com/openclarity/vmclarity/scanner/families/vulnerabilities imports
	github.com/openclarity/vmclarity/scanner/scanner/job imports
	github.com/openclarity/vmclarity/scanner/scanner/trivy imports
	github.com/aquasecurity/trivy/pkg/fanal/log: cannot find module providing package github.com/aquasecurity/trivy/pkg/fanal/log

File name: cli/go.sum
Command failed: go get -d -t ./...
go: downloading github.com/ghodss/yaml v1.0.0
go: github.com/openclarity/vmclarity/cli/presenter imports
	github.com/openclarity/vmclarity/scanner/families/vulnerabilities imports
	github.com/openclarity/vmclarity/scanner/scanner/job imports
	github.com/openclarity/vmclarity/scanner/scanner/trivy imports
	github.com/aquasecurity/trivy/pkg/fanal/log: cannot find module providing package github.com/aquasecurity/trivy/pkg/fanal/log

paralta commented May 21, 2024

Blocked since bump requires Go 1.22

@renovate renovate bot force-pushed the renovate/go-git.luolix.top/aquasecurity/trivy-vulnerability branch 3 times, most recently from bd66caf to f4eb42a Compare May 22, 2024 14:54
@paralta paralta self-assigned this May 22, 2024
@paralta paralta removed the blocked label May 23, 2024

@renovate renovate bot force-pushed the renovate/go-git.luolix.top/aquasecurity/trivy-vulnerability branch from d02bddf to d256b9b Compare May 23, 2024 09:42

paralta previously approved these changes May 23, 2024
@renovate renovate bot force-pushed the renovate/go-git.luolix.top/aquasecurity/trivy-vulnerability branch from fe2ea97 to 8882319 Compare May 23, 2024 10:59

renovate bot commented May 23, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Hey!

Your images are ready:

  • ghcr.io/openclarity/vmclarity-apiserver-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-cli-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-cr-discovery-server-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-orchestrator-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-plugin-kics-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-ui-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240
  • ghcr.io/openclarity/vmclarity-ui-backend-dev:pr1686-2b727fe15c88842c687eb71b2296311a95948240

@paralta paralta requested a review from ramizpolic May 23, 2024 12:48
@paralta paralta added this pull request to the merge queue May 24, 2024
Merged via the queue into main with commit a43b796 May 24, 2024
40 checks passed
@paralta paralta deleted the renovate/go-git.luolix.top/aquasecurity/trivy-vulnerability branch May 24, 2024 09:56
Labels: go, security