
chore(deps): update dependency kubescape/kubescape to v3.0.47 #17317

Merged
github-actions[bot] merged 2 commits into main from renovate/kubescape-kubescape-3.0.x
Dec 19, 2025

Conversation


@uniget-bot uniget-bot commented Dec 15, 2025

This PR contains the following updates:

Package              Update   Change
kubescape/kubescape  patch    3.0.46 -> 3.0.47

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

kubescape/kubescape (kubescape/kubescape)

v3.0.47

Compare Source

Changelog

  • be250ff Add debug listing and adjust JUnit report options
  • 893bb86 Add production secrets to release workflow
  • d74803a Add skip flag and collect system test results
  • 8d7c595 Address code review feedback: Extract helper function and improve comments
  • 6a72851 Bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5
  • 47442f9 Bump github.com/sigstore/fulcio from 1.6.6 to 1.8.3
  • 5fed9cc Enhance installation scripts for cross-platform support and improve error handling
  • 621ffd3 Fix: Prevent URLs from being treated as local file paths
  • 5dee6d0 Initial plan
  • 5d16992 Install system dependencies in release workflow
  • 62a1433 Merge pull request #1816 from kubescape/goreleaser
  • adb9b80 Merge pull request #1903 from Mujib-Ahasan/skip-persistence
  • f88a374 Merge pull request #1904 from kubescape/dependabot/go_modules/github.com/sigstore/fulcio-1.8.3
  • 0b44e94 Merge pull request #1905 from kubescape/cosign
  • e4962fe Merge pull request #1906 from kubescape/cosign
  • fff663b Merge pull request #1907 from kubescape/dependabot/go_modules/github.com/containerd/containerd/v2-2.1.5
  • 66fbca8 Merge pull request #1911 from kubescape/copilot/fix-local-file-path-issue
  • 082edf5 Refactor GitHub Actions workflow for system tests and update smoke test logging
  • 06241fc Refactor release workflow to simplify tagging and remove unnecessary inputs
  • bfca19b Remove pip cache from release workflow
  • 1b94d27 Require Python 3.11 for system tests
  • 314a74b Require Python 3.9 for system tests
  • dac3af1 Update cosign package to v3 and adjust go.mod dependencies
  • df37457 Update cosign package to v3 and adjust go.mod dependencies
  • 66e970a Update go-git-url to v0.0.31 for improved URL parsing
  • 2b91023 Update release workflow to include tagging in arguments
  • 997bc2d Use python3-dev in release workflow
  • dce1ee4 cleaning up release action
  • d382402 feat: add QEMU and Docker Buildx setup steps in release workflow
  • 5013f91 feat: add Syft setup step in release workflow
  • d20ec9e feat: add kubescape krew index to goreleaser configuration
  • efbb8e8 feature: skipPersistence request parameter added
  • acf7ad0 fix go mod tidy
  • f38bec9 fix go mod tidy
  • 0d01329 fix: add commit author information to goreleaser configuration
  • acfe986 fix: add cosign.key to .gitignore
  • 89478ea fix: add k8s Kind cluster creation step and clean up post-e2e script
  • 771fc4a fix: correct kubescape repository owner in goreleaser configuration
  • 3255127 fix: correct post-build hook syntax for setting GOARCH environment variable
  • 54dda8b fix: enable end-to-end tests in release workflow
  • fa17ca2 fix: enhance release workflow with optional skip publish input and add system tests execution
  • 270b3b3 fix: enhance release workflow with optional skip publish input and add system tests execution
  • cb7cca7 fix: log added and minor fixes applied
  • 0f57750 fix: prefer Python 3.11 for system-tests and update environment setup
  • abafa9e fix: remove unnecessary secrets inheritance in release configuration
  • 68a9d0c fix: update GITHUB_TOKEN handling and correct kubescape repository owner in configuration
  • d10d08c fix: update e2e script to enforce fatal failures and improve artifact detection
  • 5a0f5f9 fix: update krew index pull request configuration to specify owner and name
  • f516853 fix: update kubescape krew configuration to skip upload
  • d2bc957 fix: update kubescape krew configuration to use repository field
  • 1f8de23 fix: update post-build hook to conditionally execute script for amd64 architecture
  • 4ee6238 fix: update post-build hook to set GOARCH environment variable
  • 41e47c3 fix: update runner to ubuntu-large in release configuration
  • 6be9aec fix: update test_command and test_scan to remove deprecated scan commands and adjust file paths
  • d72a600 use goreleaser for all builds and release publication

Released by GoReleaser.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.


@nicholasdille-bot nicholasdille-bot left a comment


Auto-approved because label type/renovate is present.


@nicholasdille-bot nicholasdille-bot left a comment


Auto-approved because label type/renovate is present.

@github-actions

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/kubescape:3.0.47

📦 Image Reference: ghcr.io/uniget-org/tools/kubescape:3.0.47
digest: sha256:977ac817dc0cccb514c62cae48595459cb45a0eca0cf6912f98303acf4896d47
vulnerabilities: critical: 0 high: 1 medium: 2 low: 1
platform: linux/amd64
size: 53 MB
packages: 566
critical: 0 high: 1 medium: 0 low: 0 github.com/anchore/grype 0.99.1 (golang)

pkg:golang/github.com/anchore/grype@0.99.1

high 8.2: CVE-2025-65965 Improper Removal of Sensitive Information Before Storage or Transfer

Affected range: >=0.68.0, <0.104.1
Fixed version: 0.104.1
CVSS Score: 8.2
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Description

A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.

Impact

In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.

Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).

In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.

The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.

Patches

The patch has been released in v0.104.1.

Workaround

Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

For example, replacing the command:

# using `--output json=path` (or `--file`) leaks credentials
grype --output json=test.json alpine:latest

with

# no use of `--output json=path` or `--file`. Output is sanitized...
grype --output json alpine:latest > test.json

...results in the same test.json output, but the credentials will be properly sanitized.

Resources

Patch pull request: anchore/grype#3068

critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.55.8 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.55.8

medium: CVE-2020-8911

Affected range: >=0
Fixed version: Not Fixed
Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC). This allows an attacker who has write access to the target's S3 bucket, and who can observe whether or not an endpoint with access to the key can decrypt a file, to reconstruct the plaintext with (on average) 128*length(plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

low: CVE-2020-8912

Affected range: >=0
Fixed version: Not Fixed
Description

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

critical: 0 high: 0 medium: 1 low: 0 github.com/nwaples/rardecode 1.1.3 (golang)

pkg:golang/github.com/nwaples/rardecode@1.1.3

medium 5.3: CVE-2025-11579 Memory Allocation with Excessive Size Value

Affected range: <=1.1.3
Fixed version: Not Fixed
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description

rardecode versions <= 2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.

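The CVE-2025-65965 entry above describes registry credentials surviving in a grype JSON file written with `--file` or `--output json=<file>`. The following is an added example, not code from grype or from this PR, that audits an already-written report for such leaks and masks them before the file is shared; it assumes grype's JSON layout, in which the effective configuration is echoed under descriptor.configuration and registry logins sit in descriptor.configuration.registry.auth[] as username/password/token, and the sample report is constructed.

```python
# Audit a grype JSON report for registry credentials leaked by CVE-2025-65965.
# Added example, not grype's own code. Assumes grype's JSON layout: the effective
# config is echoed under descriptor.configuration, and registry logins sit in
# descriptor.configuration.registry.auth[] as username/password/token.
import copy

SECRET_KEYS = {"password", "token"}
REDACTED = "******"

# Constructed sample (already parsed) of what an affected version writes with
# `--output json=file.json` while registry auth is configured.
SAMPLE_REPORT = {
    "descriptor": {
        "name": "grype", "version": "0.99.1",
        "configuration": {"registry": {"auth": [
            {"authority": "registry.example.internal",
             "username": "ci-user", "password": "hunter2", "token": ""},
        ]}},
    },
}


def _scan(node, path, redact):
    """Return JSON paths of non-empty password/token values below node; walks
    every config key, not only registry.auth. With redact=True, mask in place."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            if key in SECRET_KEYS and isinstance(val, str) and val and val != REDACTED:
                found.append(f"{path}.{key}")
                if redact:
                    node[key] = REDACTED
            else:
                found += _scan(val, f"{path}.{key}", redact)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found += _scan(item, f"{path}[{i}]", redact)
    return found


def find_leaked_credentials(report):
    """Paths of credential values that survived unsanitized in the report."""
    cfg = report.get("descriptor", {}).get("configuration", {})
    return _scan(cfg, "descriptor.configuration", redact=False)


def redact_report(report):
    """Deep copy of the report with every leaked credential value masked."""
    clean = copy.deepcopy(report)
    _scan(clean.get("descriptor", {}).get("configuration", {}),
          "descriptor.configuration", redact=True)
    return clean
```

A non-empty result from find_leaked_credentials on a report produced by a pre-0.104.1 grype is the signal to rotate the exposed registry login, not just to redact the file.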
@github-actions github-actions Bot merged commit 0547675 into main Dec 19, 2025
9 checks passed
@github-actions github-actions Bot deleted the renovate/kubescape-kubescape-3.0.x branch December 19, 2025 07:57