For your awareness:

As the tools are not a PoC (even since the first release), the long overdue change was conducted: The repo https://github.com/csaf-poc/csaf_distribution moved to https://github.com/gocsaf/csaf. The old URL can still be used for a couple month before it is sunsetted for security reasons.
Also, the license changed from MIT to Apache 2.0 (on the main branch, there is no new release yet).

Currently, that is mentioned in

I guess that this is imported through Trivy so there is the possibility that you might not need to change anything.

@tschmidtb51 Thanks for highlighting this migration!

As you mentioned, this is a indirect dependency for us. I noticed that this issue is already being tracked in Trivy, so we will wait for the dependency bump in that repository.

Hi @paralta , could you please assign to me? Thanks!

@thiha-min-thant thanks for your interest in contributing!

We have a bot to manage our dependencies, which should be enough to cover this. However, if there are some breaking changes in the Trivy update, we need to fix those manually. Please feel free to assign yourself to this issue if you want to cover any fixes required 😄