chore(deps): update dependency trivy to v0.70.0-3.azl3 #8645

Merged. mxj220 merged 1 commit into main from renovate/trivy-0.70.x on Jun 11, 2026
@renovate renovate Bot commented Jun 5, 2026

This PR contains the following updates:

Package | Update | Change
trivy | patch | 0.70.0-2.azl3 → 0.70.0-3.azl3

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Copilot AI review requested due to automatic review settings June 5, 2026 18:33
@renovate renovate Bot added the renovate This pull request was created by renovate label Jun 5, 2026

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@aks-node-assistant

AgentBaker Linux PR gate — VHD scanning failure (likely ARM64 PMC publish lag)

  • Run: 166931956 (failed)
  • Failed job/task: buildAzureLinuxV3ARM64gen2fips → Test, Scan, and Cleanup → vhdbuilder/packer/vhd-scanning.sh (2 retries, exit 1)
  • Signature (on the scan VM): ERROR: The specified blob does not exist. … ErrorCode:BlobNotFound after the trivy install/repo step — Azure-Blob-backed download failure from packages.microsoft.com. ARM64 FIPS is the only SKU that failed (other SKUs show only the unrelated recurring CIS 6.1.4.1 succeededWithIssues).

Likely cause (change-caused, medium-high confidence): this PR bumps TRIVY_RPM_VERSION from 0.70.0-2.azl3 to 0.70.0-3.azl3 in vhdbuilder/packer/trivy-scan.sh. The renovate datasource comment on that line pins to the x86_64 repo only:

# renovate: datasource=rpm depName=trivy registryUrl=https://packages.microsoft.com/azurelinux/3.0/prod/cloud-native/x86_64/repodata
TRIVY_RPM_VERSION="0.70.0-3.azl3"

But the same version is then installed on the ARM64 scan VM (buildAzureLinuxV3ARM64gen2fips), which pulls from …/aarch64/repodata. PMC commonly publishes ARM64 RPMs slightly later than x86_64; if 0.70.0-3.azl3 hasn't landed in the ARM64 repo yet, dnf install fetches the package URL, the underlying Azure Blob hasn't been written, and you get exactly the BlobNotFound shape seen here.

Build-vs-test: build (post-Packer vhd-scanning gate, runs on a per-SKU scan VM).
Confidence: Medium-high — fits perfectly (ARM64-only failure, version is the exact PR delta, deterministic across 2 retries) but I haven't directly queried the ARM64 PMC repodata to confirm 0.70.0-3.azl3 is absent there.

Strongest alternative (less likely): transient PMC / Azure Storage outage — refuted by (a) only the ARM64 SKU failing, (b) deterministic 2-retry failure, (c) the version that errors is exactly the one this PR introduces, (d) the failing fetch is package-specific (not generic blob).

Recommended next action (owner: PR author / renovate config maintainer):

  1. Verify ARM64 availability: curl -s https://packages.microsoft.com/azurelinux/3.0/prod/cloud-native/aarch64/repodata/repomd.xml | grep -i primary then check the resolved primary xml for trivy-0.70.0-3.azl3. If absent, wait for PMC to publish the ARM64 build before merging, or hold this renovate bump.
  2. Longer-term: add a second # renovate: datasource line for aarch64/repodata so renovate only opens the PR once both archs are published.
  3. Don't blanket-rerun — deterministic.

Side-channel (not the cause, FYI): build2204gen2containerd and build2204arm64gen2containerd flagged succeededWithIssues with CIS 6.1.4.1 — same recurring 24.04 baseline drift already tracked under #8652 / #8294. Non-gating here.

Posted by Clawpilot AgentBaker gate detective.
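
The availability check recommended in the comment above, written as a pre-merge gate over both architectures. This is an added example, not part of the original thread or the AgentBaker repository; the function names and the inline metadata are constructed for illustration, and a real primary index is compressed and must be decompressed before parsing.

```python
import xml.etree.ElementTree as ET

# Namespaces used by rpm-md repository metadata (repomd.xml / primary.xml).
NS = {"repo": "http://linux.duke.edu/metadata/repo",
      "c": "http://linux.duke.edu/metadata/common"}

def primary_href(repomd_xml):
    """Return the location of the primary package index named in repomd.xml."""
    for data in ET.fromstring(repomd_xml).findall("repo:data", NS):
        if data.get("type") == "primary":
            return data.find("repo:location", NS).get("href")
    raise ValueError("repomd.xml has no primary entry")

def has_package(primary_xml, name, ver_rel):
    """True if primary.xml lists `name` at exactly version-release `ver_rel`."""
    ver, rel = ver_rel.rsplit("-", 1)   # "0.70.0-3.azl3" -> ("0.70.0", "3.azl3")
    for pkg in ET.fromstring(primary_xml).findall("c:package", NS):
        v = pkg.find("c:version", NS)
        if (pkg.findtext("c:name", namespaces=NS) == name
                and v is not None and v.get("ver") == ver and v.get("rel") == rel):
            return True
    return False

def missing_arches(primaries, name, ver_rel):
    """Arches whose index lacks the pinned build; an empty list means safe to bump."""
    return sorted(arch for arch, xml in primaries.items()
                  if not has_package(xml, name, ver_rel))

# --- constructed sample metadata (not fetched from packages.microsoft.com) ---
def _primary(arch, releases):
    pkgs = "".join(
        f'<package type="rpm"><name>trivy</name><arch>{arch}</arch>'
        f'<version epoch="0" ver="0.70.0" rel="{r}"/></package>' for r in releases)
    return f'<metadata xmlns="http://linux.duke.edu/metadata/common">{pkgs}</metadata>'

SAMPLE_REPOMD = ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
                 '<data type="primary">'
                 '<location href="repodata/SAMPLE-primary.xml.gz"/></data></repomd>')
# x86_64 already carries the new release; aarch64 still lags, as in this PR.
SAMPLE_PRIMARIES = {"x86_64": _primary("x86_64", ["2.azl3", "3.azl3"]),
                    "aarch64": _primary("aarch64", ["2.azl3"])}

if __name__ == "__main__":
    print(primary_href(SAMPLE_REPOMD))
    print(missing_arches(SAMPLE_PRIMARIES, "trivy", "0.70.0-3.azl3"))
```

A non-empty result from `missing_arches` is the signal to hold the version bump until the lagging repository catches up.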

mxj220 commented Jun 8, 2026

As of 06/08, the ARM version of the pkg is not in PMC yet, so the VHD build is failing

mxj220 commented Jun 11, 2026

ARM version of the package is now present. The VHD build should succeed

@mxj220 mxj220 merged commit f4b9473 into main Jun 11, 2026
62 checks passed
@mxj220 mxj220 deleted the renovate/trivy-0.70.x branch June 11, 2026 16:15