release: v0.59.0 [main]

[aqua-bot]

🤖 I have created a release beep boop

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)
• python: add support for uv (#8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#8060) (51f2123)
• improve conversion of image config to Dockerfile (#8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#8095) (f5e4291)
• misconf: allow null values only for tf variables (#8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#8284) (0a3887c)
• misconf: use log instead of fmt for logging (#8033) (07b2d7f)
• oracle: add architectures support for advisories (#4809) (90f1d8d)
• python: skip dev group's deps for poetry (#8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#7580) (21b68e1)
• sbom: attach nested packages to Application (#8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#8236) (ae28398)
• Updated twitter icon (#7772) (2c41ac8)
• wasm module test (#8099) (2200f38)

Performance Improvements

• avoid heap allocation in applier findPackage (#7883) (9bd6ed7)

---

This PR was generated with Release Please. See documentation.

[simar7]

[simar7]

@DmitriyLewen #8310 is in the merge queue just an FYI.

[knqyf263]

@DmitriyLewen #8294 will also be in the merge queue.