🌱 Update Builder Image group

[syself-bot]

This PR contains the following updates:

Package	Type	Update	Change
docker.io/aquasec/trivy (source)	stage	minor	0.56.2 -> 0.59.1
docker.io/library/alpine	stage	minor	3.20.3 -> 3.21.3
golangci/golangci-lint		minor	v1.61.0 -> v1.64.5

---

Release Notes

aquasecurity/trivy (docker.io/aquasec/trivy)

v0.59.1

Compare Source

Changelog

• 9aabfd2 release: v0.59.1 [release/v0.59] (#​8334)
• 412c690 fix(misconf): do not log scanners when misconfig scanning is disabled [backport: release/v0.59] (#​8349)
• 98f9ba2 chore(deps): bump Go to v1.23.5 [backport: release/v0.59] (#​8343)
• 1741fdd fix(python): add poetry v2 support [backport: release/v0.59] (#​8335)
• 3fd8e27 fix(sbom): preserve OS packages from multiple SBOMs [backport: release/v0.59] (#​8333)

v0.59.0

Compare Source

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#​8070) (da17dc7)
• add a examples field to check metadata (#​8068) (6d84e0c)
• add support for registry mirrors (#​8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#​8278) (b5062f3)
• image: prevent scanning oversized container images (#​8178) (509e030)
• image: return error early if total size of layers exceeds limit (#​8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#​8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#​8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#​8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#​8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#​7989) (7389961)
• python: add support for poetry dev dependencies (#​8152) (774e04d)
• python: add support for uv (#​8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#​8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#​8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#​8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#​8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#​7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#​8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#​8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#​8060) (51f2123)
• improve conversion of image config to Dockerfile (#​8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#​8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#​8095) (f5e4291)
• misconf: allow null values only for tf variables (#​8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#​8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#​8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#​8284) (0a3887c)
• misconf: use log instead of fmt for logging (#​8033) (07b2d7f)
• oracle: add architectures support for advisories (#​4809) (90f1d8d)
• python: skip dev group's deps for poetry (#​8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#​8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#​8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#​7580) (21b68e1)
• sbom: attach nested packages to Application (#​8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#​8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#​7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#​8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#​8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#​8236) (ae28398)
• Updated twitter icon (#​7772) (2c41ac8)
• wasm module test (#​8099) (2200f38)

Performance Improvements

• avoid heap allocation in applier findPackage (#​7883) (9bd6ed7)

v0.58.2

Compare Source

Changelog

• 936f06a release: v0.58.2 [release/v0.58] (#​8216)
• f72d2bc fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#​8238)
• 2896367 fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#​8237)
• b733ecc fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#​8215)

v0.58.1

Compare Source

⚡Release highlights and summary⚡

👉 https://github.com/aquasecurity/trivy/discussions/8171

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.58/CHANGELOG.md#0581-2024-12-24

v0.58.0

Compare Source

Features

• add workspaceRelationship (#​7889) (d622ca2)
• add cvss v4 score and vector in scan response (#​7968) (e0f2054)
• go: construct dependencies in the parser (#​7973) (bcdc0bb)
• go: construct dependencies of go.mod main module in the parser (#​7977) (5448ba2)
• k8s: add default commands for unknown platform (#​7863) (b1c7f55)
• misconf: log causes of HCL file parsing errors (#​7634) (e9a899a)
• oracle: add flavors support (#​7858) (b9b383e)
• secret: Add built-in secrets rules for Private Packagist (#​7826) (132d9df)
• suse: Align SUSE/OpenSUSE OS Identifiers (#​7965) (45d3b40)
• Update registry fallbacks (#​7679) (5ba9a83)

Bug Fixes

• alpine: add UID for removed packages (#​7887) (07915da)
• aws: change CPU and Memory type of ContainerDefinition to a string (#​7995) (aeeba70)
• cli: Handle empty ignore files more gracefully (#​7962) (4cfb2a9)
• debian: infinite loop (#​7928) (d982e6a)
• fs: add missing defered Cleanup() call to post analyzer fs (#​7882) (ab32297)
• Improve version comparisons when build identifiers are present (#​7873) (eda4d76)
• k8s: check all results for vulnerabilities (#​7946) (797b36f)
• misconf: do not erase variable type for child modules (#​7941) (de3b7ea)
• misconf: handle null properties in CloudFormation templates (#​7813) (99b2db3)
• misconf: load full Terraform module (#​7925) (fbc42a0)
• misconf: properly resolve local Terraform cache (#​7983) (fe3a897)
• misconf: Update trivy-checks default repo to mirror.gcr.io (#​7953) (9988147)
• misconf: wrap AWS EnvVar to iac types (#​7407) (54130dc)
• redhat: don't return error if root/buildinfo/content_manifests/ contains files that are not contentSets files (#​7912) (38775a5)
• report: handle [email protected] schema for misconfigs in sarif report (#​7898) (19aea4b)
• sbom: Fixes for Programming Language Vulnerabilities and SBOM Package Maintainer Details (#​7871) (461a68a)
• terraform: set null value as fallback for missing variables (#​7669) (611558e)

v0.57.1

Compare Source

⚡Release highlights and summary⚡

👉https://github.com/aquasecurity/trivy/discussions/7951

Changelog

https://github.com/aquasecurity/trivy/blob/release/v0.57/CHANGELOG.md#0571-2024-11-18

v0.57.0

Compare Source

⚠ BREAKING CHANGES

• k8s: support k8s multi container (#​7444)

Features

• add end of life date for Ubuntu 24.10 (#​7787) (ad3c09e)
• cli: add trivy auth (#​7664) (27117f8)
• cli: error out when ignore file cannot be found (#​7624) (cb0b3a9)
• cli: rename trivy auth to trivy registry (#​7727) (633a7ab)
• cyclonedx: add file checksums to CycloneDX reports (#​7507) (c225883)
• db: append errors (#​7843) (5e78b6c)
• misconf: export unresolvable field of IaC types to Rego (#​7765) (9514148)
• misconf: public network support for Azure Storage Account (#​7601) (ad91412)
• misconf: Show misconfig ID in output (#​7762) (f75c0d1)
• misconf: ssl_mode support for GCP SQL DB instance (#​7564) (2eaa17e)
• parser: ignore white space in pom.xml files (#​7747) (a7baa93)
• report: update gitlab template to populate operating_system value (#​7735) (c0d79fa)

Bug Fixes

• cli: clean --all deletes only relevant dirs (#​7704) (672e886)
• cli: add config name to skip-policy-update alias (#​7820) (b661d68)
• db: fix javadb downloading error handling (#​7642) (2c87f0c)
• enable usestdlibvars linter (#​7770) (57e24aa)
• go: Do not trim v prefix from versions in Go Mod Analyzer (#​7733) (e872ec0)
• helm: properly handle multiple archived dependencies (#​7782) (6fab88d)
• java: correctly inherit version and scope from upper/root depManagement and dependencies into parents (#​7541) (778df82)
• k8s: skip resources without misconfigs (#​7797) (7882776)
• k8s: support k8s multi container (#​7444) (c434775)
• k8s: support kubernetes v1.31 (#​7810) (7a4f4d8)
• license: fix license normalization for Universal Permissive License (#​7766) (f6acdf7)
• misconf: change default ACL of digitalocean_spaces_bucket to private (#​7577) (9da84f5)
• misconf: check if property is not nil before conversion (#​7578) (c8c14d3)
• misconf: fix for Azure Storage Account network acls adaptation (#​7602) (35fd018)
• misconf: properly expand dynamic blocks (#​7612) (8d5dbc9)
• redhat: include arch in PURL qualifiers (#​7654) (a585e95)
• repo: git clone output to Stderr (#​7561) (fdf203c)
• report: Fix invalid URI in SARIF report (#​7645) (015bb88)
• sbom: add options for DBs in private registries (#​7660) (1f2e91b)
• sbom: use Annotation instead of AttributionTexts for SPDX formats (#​7811) (f2bb9c6)

golangci/golangci-lint (golangci/golangci-lint)

v1.64.5

Compare Source

1. Bug fixes
   • Add missing flag new-from-merge-base-flag
2. Linters bug fixes
   • asciicheck: from 0.3.0 to 0.4.0
   • forcetypeassert: from 0.1.0 to 0.2.0
   • gosec: from 2.22.0 to 2.22.1

v1.64.4

Compare Source

1. Linters bug fixes
   • gci: fix standard packages list for go1.24

v1.64.3

Compare Source

1. Linters bug fixes
   • ginkgolinter: from 0.18.4 to 0.19.0
   • go-critic: from 0.11.5 to 0.12.0
   • revive: from 1.6.0 to 1.6.1
   • gci: fix standard packages list for go1.24
2. Misc.
   • Build Docker images with go1.24

v1.64.2

Compare Source

This is the last minor release of golangci-lint v1.
The next release will be golangci-lint v2.

1. Enhancements
   • 🎉 go1.24 support
   • New issues.new-from-merge-base option
   • New run.relative-path-mode option
2. Linters new features
   • copyloopvar: from 1.1.0 to 1.2.1 (support suggested fixes)
   • exptostd: from 0.3.1 to 0.4.1 (handles golang.org/x/exp/constraints.Ordered)
   • fatcontext: from 0.5.3 to 0.7.1 (new option: check-struct-pointers)
   • perfsprint: from 0.7.1 to 0.8.1 (new options: integer-format, error-format, string-format, bool-format, and hex-format)
   • revive: from 1.5.1 to 1.6.0 (new rules: redundant-build-tag, use-errors-new. New option early-return.early-return)
3. Linters bug fixes
   • go-errorlint: from 1.7.0 to 1.7.1
   • gochecknoglobals: from 0.2.1 to 0.2.2
   • godox: from 006bad1 to 1.1.0
   • gosec: from 2.21.4 to 2.22.0
   • iface: from 1.3.0 to 1.3.1
   • nilnesserr: from 0.1.1 to 0.1.2
   • protogetter: from 0.3.8 to 0.3.9
   • sloglint: from 0.7.2 to 0.9.0
   • spancheck: fix default StartSpanMatchersSlice values
   • staticcheck: from 0.5.1 to 0.6.0
4. Deprecations
   • ⚠️ tenv is deprecated and replaced by usetesting.os-setenv: true.
5. Misc.
   • Sanitize severities by output format
   • Avoid panic with plugin without description
6. Documentation
   • Clarify depguard configuration

v1.64.1

Compare Source

Cancelled due to CI failure.

v1.64.0

Compare Source

Cancelled due to CI failure.

v1.63.4

Compare Source

1. Linters bug fixes
   • dupl, gomodguard, revive: keep only Go-files.

v1.63.3

Compare Source

1. Linters bug fixes
   • gofmt, gofumpt, goimports, gci: panic with several trailing EOL
   • goheader: skip issues with invalid positions

v1.63.2

Compare Source

1. Linters bug fixes
   • gofmt, gofumpt, goimports, gci: panic with missing trailing EOL

v1.63.1

Compare Source

1. Linters bug fixes
   • cgi: invalid reports with cgo
   • gofumpt: panic with autofix and cgo

v1.63.0

Compare Source

1. Enhancements
   • Add support for SuggestedFixes 🎉 (35 linters can "autofix" reports).
   • Formatters (gofmt, goimports, gofumpt, gci) are applied after the suggested fixes.
2. New linters
   • Add exptostd linter https://github.com/ldez/exptostd
   • Add nilnesserr linter https://github.com/alingse/nilnesserr
   • Add usetesting linter https://github.com/ldez/usetesting
3. Linters new features
   • gci: new options: no-inline-comments, no-prefix-comments
   • gomoddirectives: from 0.2.4 to 0.6.0 (new options: go-version-pattern, toolchain-pattern,toolchain-forbidden, tool-forbidden, go-debug-forbidden)
   • govet: new stdversion, waitgroup analyzers
   • importas: allow multiple empty aliases
   • loggercheck: new slog option
   • recvcheck: from 0.1.2 to 0.2.0 (new options: disable-builtin, exclusions)
   • tagliatelle: from 0.5.0 to 0.7.1 (new options: ignored-fields, extended-rules,overrides, pkg, ignore)
   • usestdlibvars: from 1.27.0 to 1.28.0 (autofix)
   • wrapcheck: from 2.9.0 to 2.10.0 (new option: extra-ignore-sigs)
4. Linters bug fixes
   • asciicheck: from 0.2.0 to 0.3.0
   • bodyclose: from 5742072 to ed6a65f
   • funlen: from 0.1.0 to 0.2.0
   • ginkgolinter: from 0.18.3 to 0.18.4
   • gochecksumtype: from 0.2.0 to 0.3.1
   • gocognit: from 1.1.3 to 1.2.0
   • godot: from 1.4.18 to 1.4.20
   • goheader: report position improvement
   • gosec: handling of global nosec option when it is false
   • iface: from 1.2.1 to 1.3.0
   • importas: from 0.1.0 to 0.2.0
   • intrange: from 0.2.1 to 0.3.0
   • makezero: from 1.1.1 to 1.2.0
   • mirror: from 1.2.0 to 1.3.0
   • nilnil: from 1.0.0 to 1.0.1
   • nosprintfhostport: from 0.1.1 to 0.2.0
   • reassign: from 0.2.0 to 0.3.0
   • spancheck: from 0.6.2 to 0.6.4
   • tagalign: from 1.3.4 to 1.4.1
   • wastedassign: from 2.0.7 to 2.1.0
   • whitespace: from 0.1.1 to 0.2.0
   • wsl: from 4.4.1 to 4.5.0
5. Deprecations
   • ⚠️ output.uniq-by-line is deprecated and replaced by issues.uniq-by-line.
6. Misc.
   • Improvements of the help command (color and JSON support).
   • Removes decoder, sloglint, tagalign from format preset.
   • Enables paths with junction inside Windows.
   • The timeout is disabled if run.timeout <= 0.

v1.62.2

Compare Source

1. Linters bug fixes
   • fatcontext: from 0.5.2 to 0.5.3
   • ginkgolinter: from 0.18.0 to 0.18.3
   • errorlint: from 1.6.0 to 1.7.0
   • iface: from 1.2.0 to 1.2.1
   • revive: from 1.5.0 to 1.5.1
   • testifylint: from 1.5.0 to 1.5.2
2. Misc.
   • fix: ignore cache error when file not found

v1.62.1

Compare Source

Cancelled due to CI failure.

v1.62.0

Compare Source

1. New linters
   • Add recvcheck linter https://github.com/raeperd/recvcheck
   • Add iface linter https://github.com/uudashr/iface
2. Linters new features
   • ginkgolinter: from 0.17.0 to 0.18.0 (new option: force-succeed)
   • gochecksumtype: from 0.1.4 to 0.2.0 (new option: default-signifies-exhaustive)
   • loggercheck: from 0.9.4 to 0.10.1 (log/slog support)
   • nilnil: from 0.1.9 to 1.0.0 (new option: detect-opposite)
   • revive: from 1.3.9 to 1.5.0 (new rules: filename-format, and file-length-limit)
   • tenv: from 1.10.0 to 1.12.1 (handle dot import)
   • testifylint: from 1.4.3 to 1.5.0 (new checkers: contains, encoded-compare, regexp)
3. Linters bug fixes
   • bidichk: from 0.2.7 to 0.3.2 (important performance improvement)
   • canonicalheader: from 1.1.1 to 1.1.2
   • cyclop: from 1.2.1 to 1.2.3
   • dupword: from 0.1.1 to 0.1.3
   • errcheck: from 1.7.0 to 1.8.0
   • errchkjson: from 0.3.6 to 0.4.0
   • errname: from 0.1.13 to 1.0.0
   • gocritic: from 0.11.4 to 0.11.5
   • goprintffuncname: from 7558a9e to v0.1.0
   • godot: from 1.4.17 to 1.4.18
   • gosec: from 2.21.2 to 2.21.4
   • intrange: from 0.2.0 to 0.2.1
   • musttag: from 0.12.2 to 0.13.0
   • nakedret: from 2.0.4 to 2.0.5
   • noctx: from 0.0.2 to 0.1.0
   • protogetter: from 0.3.6 to 0.3.8
4. Deprecations
   • ⚠️ execinquery: deprecation step 2
   • ⚠️ gomnd: deprecation step 2 (replaced by mnd)
5. Misc.
   • Type sizing when cross-compiling (32-bit).
   • code-climate: add check_name field
   • Improve Go version detection
   • Fix Go version propagation
6. Documentation
   • Adds a section about exclude-dirs-use-default
   • Improve 'install from sources' section
   • Improve FAQ about Go versions
   • Improve linter/rule/check docs
   • Improve new linter section
   • Improve forbidigo pattern examples for built-in functions

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box