Releases: aquasecurity/trivy

v0.43.1

07 Jul 09:40
5d76aba

Changelog

  • 5d76aba chore(deps): Update defsec to v0.90.3 (#4793)
  • fed446c chore(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 (#4752)
  • df62927 chore(deps): bump alpine from 3.18.0 to 3.18.2 (#4748)
  • 1b9b9a8 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.3 to 2.30.4 (#4758)
  • 3c16ca8 docs(image): fix the comment on the soft/hard link (#4740)
  • e5bee5c check Type when filling pkgs in vulns (#4776)
  • 4b9f310 feat: add support of linux/ppc64le and linux/s390x architectures for Install.sh script (#4770)
  • 8e7fb7c chore(deps): bump modernc.org/sqlite from 1.20.3 to 1.23.1 (#4756)
  • a9badea fix(rocky): add architectures support for advisories (#4691)
  • f8ebccc chore(deps): bump github.com/opencontainers/image-spec (#4751)
  • 1c81948 chore(deps): bump github.com/package-url/packageurl-go (#4754)
  • 497cc10 chore(deps): bump golang.org/x/sync from 0.2.0 to 0.3.0 (#4750)
  • 065f0af chore(deps): bump github.com/tetratelabs/wazero from 1.2.0 to 1.2.1 (#4755)
  • e260305 chore(deps): bump github.com/testcontainers/testcontainers-go (#4759)
  • 0621402 fix: documentation about resetting trivy image (#4733)
  • 798fdbc fix(suse): Add openSUSE Leap 15.5 eol date as well (#4744)
  • 34a8929 fix: update Amazon Linux 1 EOL (#4761)

v0.43.0

30 Jun 08:52
6008192

⚡Release highlights and summary⚡

👉 #4741

Changelog

v0.42.1

08 Jun 15:09
9a279fa

Changelog

  • 9a279fa ci: remove 32bit packages (#4585)
  • d52b0b7 fix(misconf): deduplicate misconf results (#4588)
  • 9b531fa fix(vm): support sector size of 4096 (#4564)
  • 8ca1bfd fix(misconf): terraform relative paths (#4571)
  • c20d466 fix(purl): skip unsupported library type (#4577)
  • 52cbe79 fix(terraform): recursively detect all Root Modules (#4457)
  • 4a5b915 fix(vm): support post analyzer for vm command (#4544)
  • 56cdc55 fix(nodejs): change the type of the devDependencies field (#4560)
  • 17d7536 fix(sbom): export empty dependencies in CycloneDX (#4568)
  • 2796abe refactor: add composite fs for post-analyzers (#4556)
  • 22a1573 chore(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (#4554)
  • 4358665 chore(deps): bump helm/kind-action from 1.5.0 to 1.7.0 (#4526)
  • 5081399 chore(deps): bump github.com/BurntSushi/toml from 1.2.1 to 1.3.0 (#4528)
  • e1a3812 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.2 to 2.30.3 (#4529)
  • 283eef6 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 (#4536)
  • bbd7b98 chore(deps): bump github.com/tetratelabs/wazero from 1.0.0 to 1.2.0 (#4549)
  • 11c81bf chore(deps): bump github.com/spf13/cast from 1.5.0 to 1.5.1 (#4532)
  • 2d8d63e chore(deps): bump github.com/testcontainers/testcontainers-go (#4537)
  • a46839b chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#4530)
  • 19715f5 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4534)

v0.42.0

02 Jun 11:21
854b639

⚡Release highlights and summary⚡

👉 #4541

Changelog

  • 854b639 chore(deps): bump github.com/sigstore/rekor from 1.2.0 to 1.2.1 (#4533)
  • 59e1a86 chore(deps): bump alpine from 3.17.3 to 3.18.0 (#4525)
  • 9ef0113 feat: add SBOM analyzer (#4210)
  • dadd1e1 fix(sbom): update logic for work with files in spdx format (#4513)
  • 1a65821 feat: azure workload identity support (#4489)
  • 411862c feat(ubuntu): add eol date for 18.04 ESM (#4524)
  • 62a1aaf fix(misconf): Update required extensions for terraformplan (#4523)
  • 48b2e15 refactor(cyclonedx): add intermediate representation (#4490)
  • c15f269 fix(misconf): Remove debug print while scanning (#4521)
  • b6ee08e fix(java): remove duplicates of jar libs (#4515)
  • d474040 fix(java): fix overwriting project props in pom.xml (#4498)
  • 4cf2f94 docs: Update compilation instructions (#4512)
  • 18ce1c3 fix(nodejs): update logic for parsing pnpm lock files (#4502)
  • 87eed38 fix(secret): remove aws-account-id rule (#4494)
  • b0c591e feat(oci): add support for referencing an input image by digest (#4470)
  • b84b5ec chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 (#4338)
  • 305255a docs: fixed the format (#4503)
  • d586de5 fix(java): add support of * for exclusions for pom.xml files (#4501)
  • de6eef3 feat: adding issue template for documentation (#4453)
  • 83a9c4a docs: switch glad to ghsa for Go (#4493)
  • 5372722 chore(deps): Update defsec to v0.89.0 (#4474)
  • 6fcd153 feat(misconf): Add terraformplan support (#4342)
  • 72e302c feat(debian): add digests for dpkg (#4445)
  • 7e99d08 chore(deps): bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 (#4478)
  • 12a1789 feat(k8s): exclude node scanning by node labels (#4459)
  • 919e8c9 docs: add info about multi-line mode for regexp from custom secret rules (#4159)
  • 50fe43f feat(cli): convert JSON reports into a different format (#4452)
  • 09db1d4 feat(image): add logic to guess base layer for docker-cis scan (#4344)
  • 3f0721f fix(cyclonedx): set original names for packages (#4306)
  • 0ef0dad feat: group subcommands (#4449)
  • 3a7717f feat(cli): add retry to cache operations (#4189)
  • 63cfb27 fix(vuln): report architecture for apk packages (#4247)
  • e136136 refactor: enable cases where return values are not needed in pipeline (#4443)
  • 29b5f7e fix(image): resolve scan deadlock when error occurs in slow mode (#4336)
  • 92ed344 docs(misconf): Update docs for kubernetes file patterns (#4435)
  • 16af41b test: k8s integration tests (#4423)
  • cab8569 feat(redhat): add package digest for rpm (#4410)
  • 92f9e98 feat(misconf): Add --reset-policy-bundle for policy bundle (#4167)
  • 33fb047 fix: typo (#4431)
  • 8b162f2 add user instruction to imgconf (#4429)
  • 3b7c919 fix(k8s): add image sources (#4411)
  • c75d35f docs(scanning): Add versioning banner (#4415)
  • d298415 feat(cli): add mage command to update golden integration test files (#4380)
  • 1a56295 feat: node-collector custom namespace support (#4407)
  • 864ad10 chore(deps): bump owenrumney/go-sarif from v2.1.3 to v2.2.0 (#4378)
  • 7a20d96 refactor(sbom): use multiline json for spdx-json format (#4404)
  • ea5fd75 fix(ubuntu): add EOL date for Ubuntu 23.04 (#4347)
  • 56a01ec refactor: code-optimization (#4214)
  • 6a0e152 feat(image): Add image-src flag to specify which runtime(s) to use (#4047)
  • 50c8b41 test: skip wrong update of test golden files (#4379)
  • 51ca653 refactor: don't return error for package.json without version/name (#4377)
  • e5e7ebc docs: cmd error (#4376)
  • 6ee4960 test(cli): add test for config file and env combination (#2666)
  • c067b02 fix(report): set a correct file location for license scan output (#4326)
  • ff63748 ci: rpm repository for all versions and aarch64 (#4077)
  • 0009b02 chore(alpine): Update Alpine to 3.18 (#4351)
  • d61ae8c fix(alpine): add EOL date for Alpine 3.18 (#4308)
  • 636ce80 chore(deps): bump github.com/docker/distribution (#4337)
  • e859d10 feat: allow root break for mapfs (#4094)
  • a6ef37f docs(misconf): Remove examples.md (#4256)
  • dca8c03 fix(ubuntu): update eol dates for Ubuntu (#4258)
  • b003f58 feat(alpine): add digests for apk packages (#4168)
  • 86f0016 chore: add discussion templates (#4190)
  • 2f318ce fix(terraform): Support tfvars (#4123)
  • ec3906c chore: separate docs:generate (#4242)
  • 37b25d2 chore(deps): bump github.com/aws/aws-sdk-go-v2/config (#4246)
  • 45d5edb refactor: define vulnerability scanner interfaces (#4117)
  • 090a00e feat: unified k8s scan resources (#4188)
  • f2188eb chore(deps): Update defsec to v0.88.1 (#4178)
  • b79850f chore(deps): bump github.com/alicebob/miniredis/v2 from 2.30.1 to 2.30.2 (#4141)
  • 36acdfa chore: trivy bin ignore (#4212)
  • 55fb723 feat(image): enforce image platform (#4083)
  • 9c87cb2 chore(deps): bump github.com/owenrumney/go-sarif/v2 from 2.1.2 to 2.1.3 (#4143)
  • 21cf179 chore(deps): bump github.com/docker/docker (#4144)
  • fbf7a77 chore(deps): bump github.com/hashicorp/golang-lru/v2 from 2.0.1 to 2.0.2 (#4146)
  • 547391c chore(deps): bump aquaproj/aqua-installer from 2.0.2 to 2.1.1 (#4140)
  • 882bfdd fix(ubuntu): fix version selection logic for ubuntu esm (#4171)
  • 949cd10 chore(deps): bump github.com/samber/lo from 1.37.0 to 1.38.1 (#4147)
  • 93bc162 chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 (#4145)
  • 57993ef chore(deps): bump sigstore/cosign-installer from 3.0.1 to 3.0.3 (#4138)
  • dc4baeb chore(deps): bump github.com/testcontainers/testcontainers-go (#4150)
  • 25d0255 chore: install.sh support for windows (#4155)
  • 73e5454 chore(deps): bump github.com/sigstore/rekor from 1.1.0 to 1.1.1 (#4166)
  • 08de7c6 chore(deps): bump golang.org/x/crypto from 0.7.0 to 0.8.0 (#4149)
  • ade4730 docs: moving skipping files out of others (#4154)

v0.41.0

28 Apr 06:00
1be1e2e

⚡Release highlights and summary⚡

👉 #4135

Changelog

  • 1be1e2e fix(spdx): add workaround for no src packages (#4118)
  • 45bc9e0 test(golang): rename broken go.mod (#4129)
  • 3334e78 feat(sbom): add supplier field (#4122)
  • 27fb1bf test(misconf): skip downloading of policies for tests #4126
  • 845ae31 refactor: use debug message for post-analyze errors (#4037)
  • 11a5b91 feat(sbom): add VEX support (#4053)
  • 5eab464 feat(sbom): add primary package purpose field for SPDX (#4119)
  • a00d00e fix(k8s): fix quiet flag (#4120)
  • 9bc3269 fix(python): parse of pip extras (#4103)
  • 8559841 feat(java): use full path for nested jars (#3992)
  • 0650e0e feat(license): add new flag for classifier confidence level (#4073)
  • 43b6496 feat: config and fs compliance support (#4097)
  • 9181bc1 chore(deps): bump sigstore/cosign-installer from 2.8.1 to 3.0.1 (#3952)
  • 48e021e feat(spdx): add support for SPDX 2.3 (#4058)
  • 107752d fix: k8s all-namespaces support (#4096)
  • bd0c603 perf(misconf): replace with post-analyzers (#4090)
  • 76662d5 fix(helm): update networking API version detection (#4106)
  • be47b68 feat(image): custom docker host option (#3599)
  • cc18f92 style: debug flag is incorrect and needs extra - (#4087)
  • 572a619 docs(vuln): Document inline vulnerability filtering comments (#4024)
  • 914c6f0 feat(fs): customize error callback during fs walk (#4038)
  • 3f02fee fix(ubuntu): skip copyright files from subfolders (#4076)
  • 57bb77c docs: restructure scanners (#3977)
  • b19b56c fix: fix file does not exist error for post-analyzers (#4061)

v0.40.0

16 Apr 13:30
b43b19b

⚡Release highlights and summary⚡

👉 #4074

Changelog

  • b43b19b feat(flag): Support globstar for --skip-files and --skip-directories (#4026)
  • 1480500 chore(deps): bump actions/stale from 7 to 8 (#3955)
  • 83bb97a fix: return insecure option to download javadb (#4064)
  • 79a1ba3 fix(nodejs): don't stop parsing when unsupported yarn.lock protocols are found (#4052)
  • ff1c43a ci: add gpg signing for RPM packages (#4056)
  • b608b11 fix(k8s): current context title (#4055)
  • 2c3b60f fix(k8s): quit support on k8s progress bar (#4021)
  • a6b8642 chore: add a note about Dockerfile.canary (#4050)
  • 90b8066 ci: fix path to canary binaries (#4045)
  • dcefc6b fix(vuln): report architecture for debian packages (#4032)
  • 601e25f feat: add support for Chainguard's commercial distro (#3641)
  • 0bebec1 ci: bump goreleaser for Github Action from 1.4.1 to 1.16.2 (#3979)
  • 707ea94 fix(vuln): fix error message for remote scanners (#4031)
  • 8e1fe76 feat(report): add image metadata to SARIF (#4020)
  • 4b36e97 docs: fix broken cache link on Installation page (#3999)
  • f0df725 fix: lock downloading policies and database (#4017)
  • 009675c fix: avoid concurrent access to the global map (#4014)
  • 3ed86aa feat(rust): add Cargo.lock v3 support (#4012)
  • f31dea4 feat: auth support oci download server subcommand (#4008)
  • d37c50a chore(deps): bump github.com/docker/docker (#4009)
  • 693d205 chore: install.sh support for armv7 (#3985)
  • 65d89b9 chore(deps): bump github.com/Azure/go-autorest/autorest/adal (#3961)

v0.39.1

09 Apr 13:47
a119ef8

Changelog

  • a119ef8 fix(rust): fix panic when 'dependencies' field is not used in cargo.toml (#3997)
  • c8283ce fix(sbom): fix infinite loop for cyclonedx (#3998)
  • 6c8b042 chore(deps): bump helm/chart-testing-action from 2.3.1 to 2.4.0 (#3954)
  • c42f360 fix: use warning for errors from enrichment files for post-analyzers (#3972)
  • 20c21ca chore(deps): bump github.com/docker/docker (#3963)
  • 54388ff fix(helm): added annotation to psp configurable from values (#3893)
  • 99a2519 chore(deps): bump github.com/go-git/go-git/v5 from 5.5.2 to 5.6.1 (#3962)
  • d113b93 fix(secret): update built-in rule tests (#3855)
  • 5ab6d25 chore(deps): bump github.com/alicebob/miniredis/v2 from 2.23.0 to 2.30.1 (#3957)
  • 0767cb8 test: rewrite scripts in Go (#3968)
  • 428ee19 docs(cli): Improve glob documentation (#3945)
  • 3e00dc3 chore(deps): bump github.com/aws/aws-sdk-go-v2/service/sts (#3959)
  • cf2f0b2 ci: check CLI references (#3967)
  • 70f507e chore(deps): bump alpine from 3.17.2 to 3.17.3 (#3951)
  • befabc6 chore(deps): bump github.com/aws/aws-sdk-go from 1.44.212 to 1.44.234 (#3956)
  • ee69abb chore(deps): bump github.com/moby/buildkit from 0.11.4 to 0.11.5 (#3958)
  • 8901f7b chore(deps): bump actions/setup-go from 3 to 4 (#3953)
  • 4e6bbbc chore(deps): bump actions/cache from 3.2.6 to 3.3.1 (#3950)
  • d70f346 chore(deps): bump github.com/containerd/containerd from 1.6.19 to 1.7.0 (#3965)
  • 3efb2fd chore(deps): bump github.com/sigstore/rekor from 1.0.1 to 1.1.0 (#3964)

v0.39.0

01 Apr 08:40
ed59096

⚡Release highlights and summary⚡

👉 #3949

Changelog

  • ed59096 docs(cli): added makefile and go file to create docs (#3930)
  • a2f39a3 chore: Revert "ci: add gpg signing for RPM packages (#3612)" (#3946)
  • 5a10631 chore: ignore gpg key (#3943)
  • 4072115 feat(cyclonedx): support dependency graph (#3177)
  • 7cad265 chore(deps): Bump defsec to v0.85.0 (#3940)
  • f8b5733 feat(rust): remove dev deps and find direct deps for Cargo.lock (#3919)
  • 10796a2 feat(server): redis with public TLS certs support (#3783)
  • abff139 feat(flag): Add glob support to --skip-dirs and --skip-files (#3866)
  • b40f60c chore: replace make with mage (#3932)
  • 67236f6 fix(sbom): add checksum to files (#3888)
  • 00de24b chore(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 (#3928)
  • 5976d1f chore: remove unused mount volumes (#3927)
  • f14bed4 feat: add auth support for downloading OCI artifacts (#3915)
  • 1ee0518 refactor(purl): use epoch in qualifier (#3913)
  • 0000252 chore(deps): bump github.com/in-toto/in-toto-golang from 0.5.0 to 0.7.0 (#3727)
  • ca0d972 feat(image): add registry options (#3906)
  • 0336555 feat(rust): dependency tree and line numbers support for cargo lock file (#3746)
  • dd9cd95 chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 (#3905)
  • edb0682 feat(php): add support for location, licenses and graph for composer.lock files (#3873)
  • c02b15b chore(deps): updates wazero to 1.0.0 (#3904)
  • 63ef760 feat(image): discover SBOM in OCI referrers (#3768)
  • 3fa703c docs: change cache-dir key in config file (#3897)
  • 4d78747 fix(sbom): use release and epoch for SPDX package version (#3896)
  • 67572df ci: add gpg signing for RPM packages (#3612)
  • e76d5ff docs: Update incorrect comment for skip-update flag (#3878)
  • 011ea60 refactor(misconf): simplify policy filesystem (#3875)
  • 6445309 feat(nodejs): parse package.json alongside yarn.lock (#3757)
  • 6e9c2c3 fix(spdx): add PkgDownloadLocation field (#3879)
  • 18eeea2 fix(report): try to guess direct deps for dependency tree (#3852)
  • 02b6914 chore(amazon): update EOL (#3876)
  • 79096e1 fix(nodejs): improvement logic for package-lock.json v2-v3 (#3877)
  • fc2e80c feat(amazon): add al2023 support (#3854)
  • 5f8d69d chore(deps): bump github.com/cheggaaa/pb/v3 from 3.1.0 to 3.1.2 (#3736)
  • 7916aaf docs(misconf): Add information about selectors (#3703)
  • 1b1ed39 docs(cli): update CLI docs with cobra (#3815)
  • 234a360 feat: k8s parallel processing (#3693)
  • b864b3b docs: add DefectDojo in the Security Management section (#3871)
  • ad34c98 chore(deps): updates wazero to 1.0.0-rc.2 (#3853)
  • 7148de3 refactor: add pipeline (#3868)
  • 927acf9 feat(cli): add javadb metadata to version info (#3835)
  • 33074cf chore(deps): Move compliance types to defsec (#3842)
  • ba9b041 feat(sbom): add support for CycloneDX JSON Attestation of the correct specification (#3849)
  • a754a04 feat: add node toleration option (#3823)
  • 9e4b57f fix: allow mapfs to open dirs (#3867)
  • 09fd299 fix(report): update uri only for os class targets (#3846)
  • 09e1302 feat(nodejs): Add v3 npm lock file support (#3826)
  • 52cbfeb feat(nodejs): parse package.json files alongside package-lock.json (#2916)
  • d6a2d63 docs(misconf): Fix links to built in policies (#3841)

v0.38.3

14 Mar 10:57
a12f58b

Changelog

  • a12f58b chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.86.1 to 1.89.1 (#3827)
  • ee51835 fix(java): skip empty files for jar post analyzer (#3832)
  • 3987a67 fix(docker): build healthcheck command for line without /bin/sh prefix (#3831)
  • 2bb25e7 refactor(license): use goyacc for license parser (#3824)
  • 00c763b chore(deps): bump github.com/docker/docker from 23.0.0-rc.1+incompatible to 23.0.1+incompatible (#3586)
  • cac5881 fix: populate timeout context to node-collector (#3766)
  • bd9c6e6 fix: exclude node collector scanning (#3771)
  • 20f1067 fix: display correct flag in error message when skipping java db update #3808
  • 1fac7bf fix: disable jar analyzer for scanners other than vuln (#3810)
  • aaf2658 fix(sbom): fix incompliant license format for spdx (#3335)
  • f830763 fix(java): the project props take precedence over the parent's props (#3320)
  • 1aa3b7d docs: add canary build info to README.md (#3799)
  • 57904c0 docs: adding link to gh token generation (#3784)
  • bdccf72 docs: changing docs in accordance with #3460 (#3787)

v0.38.2

08 Mar 11:22
800473a

Changelog

  • 800473a chore(deps): bump github.com/moby/buildkit from 0.11.0 to 0.11.4 (#3789)
  • e6ab389 chore(deps): bump actions/add-to-project from 0.4.0 to 0.4.1 (#3724)
  • 6614398 fix(license): disable jar analyzer for licence scan only (#3780)
  • 1dc6fee bump trivy-issue-action to v0.0.0; skip pkg dir (#3781)
  • 3357ed0 fix: skip checking dirs for required post-analyzers (#3773)
  • 1064636 docs: add information about plugin format (#3749)
  • 60b7ef5 fix(sbom): add trivy version to spdx creators tool field (#3756)