feat(scanner/python/uv): add python uv support with trivy 0.59.0

[dependabot]

Since Trivy 0.59.0, it supports python uv.
cf https://trivy.dev/latest/docs/coverage/language/python/#uv

This PR enables detecting them by vuls through trivy.

• Auto detection is enabled
• dev dependencies are excluded

---

Original description by dependabot:

Bumps github.com/aquasecurity/trivy from 0.58.1 to 0.59.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.59.0

⚡Release highlights and summary⚡

👉 aquasecurity/trivy#8312

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0590-2025-01-30

v0.58.2

Changelog

• 936f06a57864d073aa77b38f77fe76c4fcb1f7c1 release: v0.58.2 [release/v0.58] (#8216)
• f72d2bce8d3418dbcb670434bc15bb857b421f98 fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)
• 289636758eccf990f36ea2be34f6db2c02cfab6b fix(suse): SUSE - update OSType constants and references for compatility [backport: release/v0.58] (#8237)
• b733ecc7bc752d61837d08f2650bd480b645bb1d fix: CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field [backport: release/v0.58] (#8215)

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.59.0 (2025-01-30)

Features

• add --distro flag to manually specify OS distribution for vulnerability scanning (#8070) (da17dc7)
• add a examples field to check metadata (#8068) (6d84e0c)
• add support for registry mirrors (#8244) (4316bcb)
• fs: use git commit hash as cache key for clean repositories (#8278) (b5062f3)
• image: prevent scanning oversized container images (#8178) (509e030)
• image: return error early if total size of layers exceeds limit (#8294) (73bd20d)
• k8s: improve artifact selections for specific namespaces (#8248) (db9e57a)
• misconf: generate placeholders for random provider resources (#8051) (ffe24e1)
• misconf: support for ignoring by inline comments for Dockerfile (#8115) (c002327)
• misconf: support for ignoring by inline comments for Helm (#8138) (a0429f7)
• nodejs: respect peer dependencies for dependency tree (#7989) (7389961)
• python: add support for poetry dev dependencies (#8152) (774e04d)
• python: add support for uv (#8080) (c4a4a5f)
• python: add support for uv dev and optional dependencies (#8134) (49c54b4)

Bug Fixes

• CVE-2024-45337: Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass (#8088) (d7ac286)
• CVE-2025-21613 and CVE-2025-21614 : go-git: argument injection via the URL field (#8207) (670fbf2)
• de-duplicate same dpkg packages with different filePaths from different layers (#8298) (846498d)
• enable err-error and errorf rules from perfsprint linter (#7859) (156a2aa)
• flag: skip hidden flags for --generate-default-config command (#8046) (5e68bdc)
• fs: fix cache key generation to use UUID (#8275) (eafd810)
• handle BLOW_UNKNOWN error to download DBs (#8060) (51f2123)
• improve conversion of image config to Dockerfile (#8308) (2e8e38a)
• java: correctly overwrite version from depManagement if dependency uses project.* props (#8050) (9d9f80d)
• license: always trim leading and trailing spaces for licenses (#8095) (f5e4291)
• misconf: allow null values only for tf variables (#8112) (23dc3a6)
• misconf: correctly handle all YAML tags in K8S templates (#8259) (f12054e)
• misconf: disable git terminal prompt on tf module load (#8026) (bbc5a85)
• misconf: handle heredocs in dockerfile instructions (#8284) (0a3887c)
• misconf: use log instead of fmt for logging (#8033) (07b2d7f)
• oracle: add architectures support for advisories (#4809) (90f1d8d)
• python: skip dev group's deps for poetry (#8106) (a034d26)
• redhat: check usr/share/buildinfo/ dir to detect content sets (#8222) (f352f6b)
• redhat: correct rewriting of recommendations for the same vulnerability (#8063) (4202c4b)
• respect GITHUB_TOKEN to download artifacts from GHCR (#7580) (21b68e1)
• sbom: attach nested packages to Application (#8144) (735335f)
• sbom: fix wrong overwriting of applications obtained from different sbom files but having same app type (#8052) (fd07074)
• sbom: scan results of SBOMs generated from container images are missing layers (#7635) (f9fceb5)
• sbom: use root package for unknown dependencies (if exists) (#8104) (7558df7)
• spdx: use the hasExtractedLicensingInfos field for licenses that are not listed in the SPDX (#8077) (aec8885)
• suse: SUSE - update OSType constants and references for compatility (#8236) (ae28398)
• Updated twitter icon (#7772) (2c41ac8)

... (truncated)

Commits

• a58d685 release: v0.59.0 [main] (#8041)
• 73bd20d feat(image): return error early if total size of layers exceeds limit (#8294)
• 0031a38 chore(deps): Bump trivy-checks (#8310)
• 87f3751 chore(terraform): add accessors to underlying raw hcl values (#8306)
• 2e8e38a fix: improve conversion of image config to Dockerfile (#8308)
• f258fd5 docs: replace short codes with Unicode emojis (#8296)
• db9e57a feat(k8s): improve artifact selections for specific namespaces (#8248)
• da7bba9 chore: update code owners (#8303)
• 0a3887c fix(misconf): handle heredocs in dockerfile instructions (#8284)
• 846498d fix: de-duplicate same dpkg packages with different filePaths from differen...
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
github.com/aquasecurity/trivy	[>= 0.50.2.a, < 0.50.3]
github.com/aquasecurity/trivy	[< 0.51, > 0.50.1]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[shino]

@dependabot rebase

[dependabot]

A newer version of github.com/aquasecurity/trivy exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.