SUSE-CU-2026:5512-1: Security update of private-registry/harbor-trivy-adapter

sle-container-updates at lists.suse.com
Sat Jun 6 07:19:40 UTC 2026


SUSE Container Update Advisory: private-registry/harbor-trivy-adapter
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:5512-1
Container Tags        : private-registry/harbor-trivy-adapter:1.1.3, private-registry/harbor-trivy-adapter:1.1.3-2.49, private-registry/harbor-trivy-adapter:latest
Container Release     : 2.49
Severity              : important
Type                  : security
References            : 1266495 1267047 1267268 CVE-2026-25680 CVE-2026-25681 CVE-2026-27136
                        CVE-2026-39821 CVE-2026-42502 CVE-2026-42506 CVE-2026-44740 
-----------------------------------------------------------------

The container private-registry/harbor-trivy-adapter was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2026:2272-1
Released:    Fri Jun  5 08:49:11 2026
Summary:     Security update for trivy
Type:        security
Severity:    important
References:  1266495,1267047,1267268,CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-39821,CVE-2026-42502,CVE-2026-42506,CVE-2026-44740
This update for trivy fixes the following issues:

Update to version 0.71.0:

- CVE-2026-25680,CVE-2026-25681,CVE-2026-27136,CVE-2026-42502,CVE-2026-42506: golang.org/x/net/html: multiple issues
  when parsing HTML files (bsc#1267047).
- CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation
  bypass and privilege escalation (bsc#1266495).
- CVE-2026-44740: github.com/go-git/go-billy/v5: improper input handling in many components can lead to DoS via infinite
  loops, panics or resource consumption (bsc#1267268).

Changes:

 * release: v0.71.0 [main] (#10638)
 * ci: use only the first line of commit message in release-please workflow (#10766)
 * feat: add WithDriver and WithProvider options to ospkg detector (#10740)
 * chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
 * refactor(secret): normalize configPath once in Init (#10702)
 * feat(secret): add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files
   (#10704)
 * chore(deps): bump the common group across 1 directory with 25 updates (#10758)
 * chore: migrate from gomodguard to gomodguard_v2 (#10739)
 * chore(deps): bump the docker group across 1 directory with 2 updates (#10709)
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.302.0 to 1.303.0 in the aws group (#10752)
 * ci: scope GitHub App tokens to minimum required permissions (#10755)
 * chore(deps): upgrade go-redis from v8 to v9 (#10736)
 * fix(misconf): fix rendering of nested values in terraform plan lists (#10746)
 * fix(misconf): skip resources with no after changes (#10352)
 * fix(misconf): reject nil plays during playbook parsing (#10273)
 * fix(nodejs): silently skip subdirectory package.json files with invalid names (#10609)
 * fix(misconf): skip null cty values in AsMapValue to prevent panic (#10723)
 * refactor(misconf): replace custom Helm archive parsing with Helm SDK loaders (#10718)
 * chore(deps): bump github.com/containerd/containerd/v2 to v2.3.1 (#10738)
 * chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#10686)
 * fix(report): don't produce trailing comma in gitlab.tpl links array (#10728)
 * fix(cloudformation): propagate AWS::EC2::Instance MetadataOptions (#10731)
 * chore(deps): upgrade github.com/cenkalti/backoff dependency to v5 (#10705)
 * chore: bump golangci-lint to v2.12 (#10726)
 * feat(spdx): add SHA-512 hash algorithm support to SPDX serializer (#10719)
 * feat(sbom): support for CycloneDX 1.7 (#10715)
 * chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.300.0 to 1.302.0 in the aws group (#10708)
 * chore: migrate from helm.sh/helm/v3 to helm.sh/helm/v4 (#10678)
 * fix(image): correctly reconstruct RUN instructions built without BuildKit (#10714)
 * feat(java): support <mirrors> from settings.xml (#10692)
 * fix(java): surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693)
 * chore: bump go to 1.26.3 (#10683)
 * fix(nodejs): handle legacy license formats in npm lockfile parser (#10684)
 * fix(secret): correctly skip secret-scanner config file from scanning (#10666)
 * feat(ubuntu): detect Ubuntu 26.04 LTS (#10592)
 * refactor(nodejs): deduplicate license traversal across package managers (#10681)
 * fix: overwrite OS packages PURLs after overwrite OS (#10298)
 * feat(secret): add Azure secret detection rules (#10562)
 * fix(misconf): prevent path traversal in Terraform filesystem functions (#10664)
 * feat(secret): add a way to customize skipped folders, files and exts (#10550)
 * ci: migrate PAT tokens to GitHub App (#10628)
 * chore(deps): bump the aws group across 1 directory with 6 updates (#10598)
 * chore(deps): bump the docker group across 1 directory with 3 updates (#10596)
 * chore(deps): bump the github-actions group across 2 directories with 9 updates (#10608)
 * chore(deps): bump github.com/in-toto/in-toto-golang from 0.10.0 to 0.11.0 (#10641)
 * chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#10648)
 * ci: migrate PAT tokens to GITHUB_TOKEN for reusable-release workflow (#10655)
 * feat(seal): add vendor support for language file detection. (#10297)
 * fix(misconf): make identifiers in ignore rules case-insensitive (#10375)
 * fix: pull instead of clone when test repo already exists (#10636)
 * docs: document how to disable check.trivy.dev connections (#10623)
 * docs(misconf): fix typo in misconfiguration config (#10619)
 * ci: remove secrets from run block (#10590)
 * docs: fix typos (#10605)
 * refactor(deps): replace archived go-homedir with os.UserHomeDir (#10484)
 * chore(deps): Bump `go-ini` and fix the import path. (#10489)
 * chore(deps): bump the github-actions group across 2 directories with 9 updates (#10495)
 * chore(deps): bump github.com/aquasecurity/testdocker (#10543)
 * docs: convert README demonstration videos to mp4 (#10419)
 * chore(deps): upgrade vm scan dependency for bug fix (#10575)
 * docs(nodejs): clarify package.json behavior in image scanning (#10572)
 * chore(deps): replace xeipuuv/gojsonschema and invopop/jsonschema with google/jsonschema-go (#10528)
 * chore(deps): bump github.com/go-git/go-git/v5 from 5.17.2 to 5.18.0 (#10554)
 * chore(deps): bump alpine to 3.23.4 (#10552)
 * ci(helm): bump Trivy version to 0.70.0 for Trivy Helm Chart 0.22.0 (#10547)


The following package changes have been made:

- trivy-0.71.0-150000.1.21.1 updated

