DmitriyLewen
## Description Trivy has unsupported OSes (e.g. Fedora). To avoid cases where the user doesn't see a log about this (e.g. when the `-q` flag is enabled) and to make...
## Description CycloneDX recommends using the `Compositions` field for dependencies with `unknown` relationships: ``` It is RECOMMENDED to leverage compositions to indicate unknown dependency graphs. ```
## Description IIUC `mvn` checks the dependency version without regard to scope. It means that if you add a test dependency (as an example), a transitive dependency of another dependency will use the version of...
## Description We update the `DownloadAt` field after downloading (and copying) the DB to the cache folder. Instead of deleting `metadata.json` before each download - we will check the field....
## Description This PR improves work with custom classification of licenses from the config file: 1. Check the license name before and after normalization (e.g. `LGPL-2.0-only` and `LGPL-2.0`). 2. Check license text...
## Description Trivy supports to set custom classifications using config file - https://trivy.dev/latest/docs/scanner/license/#custom-classification But there are 2 problems with that: ### 1. Trivy checks licenses after normalize. So it can...
## Description If there are 2 (or more) components that depend on each other (infinite loop): Trivy thinks the component has a parent component and does not link it to...
## Description The Maven settings file supports env variables - https://maven.apache.org/settings.html#Properties e.g. ``` ${user.home}/.ssh/id_dsa ``` So we need to add support for decoding `${env.*}` ### Discussed in https://github.com/aquasecurity/trivy/discussions/7070
## Description By default, Trivy removes duplicates by Application type + filepath: https://github.com/aquasecurity/trivy/blob/906b037cff97060267d20f8947f429e078419d66/pkg/fanal/applier/docker.go#L126-L129 So for cases when two same `Application` have different filepath (e.g. from SBOM and from file (see...
## Description Ubuntu released ubuntu 25.04 (plucky) - https://releases.ubuntu.com/plucky/ ### Required changes: - [ ] Create a PR to add Ubuntu 25.04 to Trivy-db. - Add new release into [mapping](https://github.com/aquasecurity/trivy-db/blob/506491433259edce2cd48786b05f365b7e839429/pkg/vulnsrc/ubuntu/ubuntu.go#L27)....