chore(deps): bump github.com/aquasecurity/trivy from 0.59.1 to 0.60.0

[dependabot]

Bumps github.com/aquasecurity/trivy from 0.59.1 to 0.60.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.60.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#8495

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0600-2025-03-05

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.60.0 (2025-03-05)

Features

• add --vuln-severity-source flag (#8269) (d464807)
• add report summary table (#8177) (dd54f80)
• cyclonedx: Add initial support for loading external VEX files from SBOM references (#8254) (4820eb7)
• go: fix parsing main module version for go >= 1.24 (#8433) (e58dcfc)
• misconf: render causes for Terraform (#8360) (a99498c)

Bug Fixes

• db: fix case when 2 trivy-db were copied at the same time (#8452) (bb3cca6)
• don't use scope for trivy registry login command (#8393) (8715e5d)
• go: merge nested flags into string for ldflags for Go binaries (#8368) (b675b06)
• image: disable AVD-DS-0007 for history scanning (#8366) (a3cd693)
• k8s: add missed option PkgRelationships (#8442) (f987e41)
• misconf: do not log scanners when misconfig scanning is disabled (#8345) (5695eb2)
• misconf: ecs include enhanced for container insights (#8326) (39789ff)
• misconf: fix incorrect k8s locations due to JSON to YAML conversion (#8073) (a994453)
• os: add mapping OS aliases (#8466) (6b4cebe)
• python: add poetry v2 support (#8323) (10cd98c)
• report: remove html escaping for shortDescription and fullDescription fields for sarif reports (#8344) (3eb0b03)
• sbom: add SBOM file's filePath as Application FilePath if we can't detect its path (#8346) (ecc01bb)
• sbom: improve logic for binding direct dependency to parent component (#8489) (85cca8c)
• sbom: preserve OS packages from multiple SBOMs (#8325) (bd5baaf)
• server: secrets inspectation for the config analyzer in client server mode (#8418) (a1c4bd7)
• spdx: init pkgFilePaths map for all formats (#8380) (72ea4b0)
• terraform: apply parser options to submodule parsing (#8377) (398620b)
• update all documentation links (#8045) (49456ba)

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)

... (truncated)

Commits

• a4009f6 release: v0.60.0 [main] (#8327)
• 85cca8c fix(sbom): improve logic for binding direct dependency to parent component (#...
• 9892d04 chore(deps): remove missed replace of trivy-db (#8492)
• 8a89b2b chore(deps): bump alpine from 3.21.0 to 3.21.3 in the docker group across 1 d...
• 57b08d6 chore(deps): update Go to 1.24 and switch to go-version-file (#8388)
• 453c66d docs: add abbreviation list (#8453)
• f670602 chore(terraform): assign *terraform.Module 'parent' field (#8444)
• dd54f80 feat: add report summary table (#8177)
• ab1cf03 chore(deps): bump the github-actions group with 3 updates (#8473)
• 1f85b27 refactor(vex): improve SBOM reference handling with project standards (#8457)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)