Test ID: | 1.3.6.1.4.1.25623.1.1.18.1.2024.0268.1 |
Category: | openSUSE Local Security Checks |
Title: | openSUSE Security Advisory (openSUSE-SU-2024:0268-1) |
Summary: | The remote host is missing an update for the 'trivy' package(s) announced via the openSUSE-SU-2024:0268-1 advisory. |
Description: |
Summary: The remote host is missing an update for the 'trivy' package(s) announced via the openSUSE-SU-2024:0268-1 advisory.

Vulnerability Insight: trivy was updated to fix the following issues:

Update to version 0.54.1:
* fix(flag): incorrect behavior for deprecated flag `--clear-cache` [backport: release/v0.54] (#7285)
* fix(java): Return error when trying to find a remote pom to avoid segfault [backport: release/v0.54] (#7283)
* fix(plugin): do not call GitHub content API for releases and tags [backport: release/v0.54] (#7279)
* docs: update ecosystem page reporting with plopsec.com app (#7262)
* feat(vex): retrieve VEX attestations from OCI registries (#7249)
* feat(sbom): add image labels into `SPDX` and `CycloneDX` reports (#7257)
* refactor(flag): return error if both `--download-db-only` and `--download-java-db-only` are specified (#7259)
* fix(nodejs): detect direct dependencies when using `latest` version for files `yarn.lock` + `package.json` (#7110)
* chore: show VEX notice for OSS maintainers in CI environments (#7246)
* feat(vuln): add `--pkg-relationships` (#7237)
* docs: show VEX cli pages + update config file page for VEX flags (#7244)
* fix(dotnet): show `nuget package dir not found` log only when checking `nuget` packages (#7194)
* feat(vex): VEX Repository support (#7206)
* fix(secret): skip regular strings contain secret patterns (#7182)
* feat: share build-in rules (#7207)
* fix(report): hide empty table when all secrets/license/misconfigs are ignored (#7171)
* fix(cli): error on missing config file (#7154)
* fix(secret): update length of `hugging-face-access-token` (#7216)
* feat(sbom): add vulnerability support for SPDX formats (#7213)
* fix(secret): trim excessively long lines (#7192)
* chore(vex): update subcomponents for CVE-2023-42363/42364/42365/42366 (#7201)
* fix(server): pass license categories to options (#7203)
* feat(mariner): Add support for Azure Linux (#7186)
* docs: updates config file (#7188)
* refactor(fs): remove unused field for CompositeFS (#7195)
* fix: add missing platform and type to spec (#7149)
* feat(misconf): enabled China configuration for ACRs (#7156)
* fix: close file when failed to open gzip (#7164)
* docs: Fix PR documentation to use GitHub Discussions, not Issues (#7141)
* docs(misconf): add info about limitations for terraform plan json (#7143)
* chore: add VEX for Trivy images (#7140)
* chore: add VEX document and generator for Trivy (#7128)
* fix(misconf): do not evaluate TF when a load error occurs (#7109)
* feat(cli): rename `--vuln-type` flag to `--pkg-types` flag (#7104)
* refactor(secret): move warning about file size after `IsBinary` check (#7123)
* feat: add openSUSE tumbleweed detection and scanning (#6965)
* test: add missing advisory details for integration tests database (#7122)
* fix: Add dependencyManagement exclusions to the child exclusions (#6969)
* fix: ignore nodes when listing permission is not allowed (#7107)
* fix(java): use `go-mvn-version` to remove `Package` duplicates (#7088)
* refactor(secret): add warning about large files ...

[Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'trivy' package(s) on openSUSE Leap 15.5.

Solution: Please install the updated package(s).

CVSS Score: 4.9
CVSS Vector: AV:L/AC:L/Au:N/C:N/I:N/A:C |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2023-42363
https://bugs.busybox.net/show_bug.cgi?id=15865
Common Vulnerability Exposure (CVE) ID: CVE-2024-35192
https://github.com/aquasecurity/trivy/commit/e7f14f729de259551203f313e57d2d9d3aa2ff87
https://github.com/aquasecurity/trivy/security/advisories/GHSA-xcq4-m2r3-cmrj
Common Vulnerability Exposure (CVE) ID: CVE-2024-6257 |
Copyright | Copyright (C) 2025 Greenbone AG |