File syft.changes of Package syft
-------------------------------------------------------------------
Fri Jun 13 04:42:17 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.27.1:
* fix: provide separate nonroot image (#3998)
* account for non-import shapes (#3997)
* Allow decoding of anchorectl json files (#3973)
* chore(deps): bump github.com/anchore/stereoscope (#3991)
-------------------------------------------------------------------
Mon Jun 09 19:34:07 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.27.0:
* Added Features
- add syft schema version to version command [#3949 @spiffcs]
* Bug Fixes
- Remove CPE product candidates for phf, prometheus, hyper and
Rust crates [#3967 @jayvdb]
- Remove CPE product candidates for opentelemetry and redis
Rust crates [#3962 @jayvdb]
- Harden Container Runtime with Non-Root User [#3941
@MikeTheCyberGuy]
- terraform provider lock entries should not require
constraints [#3934 @ghouscht]
- sbom cataloger returning upstream package [#3662 #3981
@kzantow]
- Syft missing md5 sums and list data for dpkg packages under
status.d/ [#3912]
- Failure to detect dependency relationships between Python
packages [#3958 #3965 @christoph-blessing]
- Heavy memory consumption when directory scanning deb source
[#3928 #3953 @kzantow]
- In versions 1.25.0 and later, graalvm-native-image-cataloger
adds 3-6 hours to Syft [#3942 #3944 @kzantow]
- Syft incorrectly reports multiple APKs as parents of
symlinked files [#3847 #3923 @luhring]
* Dependencies
- chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0
(#3979)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to
5.16.2 (#3978)
- chore(deps): update tools to latest versions (#3977)
- chore(deps): update CPE dictionary index (#3976)
- chore(deps): bump golang.org/x/net from 0.40.0 to 0.41.0
(#3970)
- chore(deps): bump github.com/sergi/go-diff (#3971)
- chore(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0
(#3963)
- chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.12
to 0.5.13 (#3964)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.0 to
5.16.1 (#3960)
- chore(deps): bump github/codeql-action from 3.28.18 to
3.28.19 (#3952)
- chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.11
to 0.5.12 (#3943)
- chore(deps): update tools to latest versions (#3945)
- chore(deps): update CPE dictionary index (#3947)
- chore(deps): bump github.com/google/go-containerregistry
(#3933)
- chore(deps): update CPE dictionary index (#3935)
- chore(deps): bump modernc.org/sqlite from 1.37.0 to 1.37.1
(#3926)
-------------------------------------------------------------------
Thu May 22 13:31:35 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.26.1:
* fix(dotnet-deps-cataloger): avoid repeated dependency
resolution (#3930)
* chore(deps): update tools to latest versions (#3921)
* chore(deps): bump github.com/google/go-containerregistry
(#3925)
-------------------------------------------------------------------
Wed May 21 04:30:19 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.26.0:
* Added Features
- Read version resources from non-.NET DLLs and executables
[#3842 #3911 @wagoodman]
* Bug Fixes
- pkg.JavaArchive.PomProperties is being populated even though
no pom.properties file was present for analysis [#3922
@wagoodman]
- syft 1.24.0 debug container - wget fails TLS [#3891 #3915
@spiffcs]
* Dependencies
- chore(deps): update CPE dictionary index (#3913)
-------------------------------------------------------------------
Sat May 17 07:14:25 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.25.1:
* remove go-rpmdb replace directive [#3908 @wagoodman]
-------------------------------------------------------------------
Sat May 17 07:05:40 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.25.0:
* Added Features
- Add PHP interpreter + extensions cataloger [#2585
@LaurentGoderre]
* Bug Fixes
- update license content filtering default case to be 'none'
for no content [#3903 @spiffcs]
- Distinguish openjdk vs jdk when using file source [#3895
@adammcclenaghan]
- Make it discoverable if Native Image contains no embedded
SBOM [#3731 #3805 @sathiya06]
* Dependencies
- chore(deps): bump github/codeql-action from 3.28.17 to
3.28.18 (#3905)
- chore(deps): bump github.com/mholt/archives from 0.1.1 to
0.1.2 (#3898)
- chore(deps): bump anchore/sbom-action from 0.19.0 to 0.20.0
(#3899)
-------------------------------------------------------------------
Thu May 15 04:47:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.24.0:
https://github.com/anchore/syft/compare/v1.23.1...v1.24.0
* Added Features
- Add cataloger for Dart pubspec [#3292 @LaurentGoderre]
- Translate Portage license strings to SPDX expressions [#1763
@wagoodman]
- Use package ID from decoded SBOMs when provided [#1872
@jneate]
- Annotate visible/hidden paths when all-layers scope [#3855
@wagoodman]
- Add support for PHP Pear [#2775 @LaurentGoderre]
- Detect whether full license text or a license name has been
provided [#3088 #3876 @spiffcs #3450 @spiffcs]
- Add Cataloger for Homebrew on macOS [#3632 #3724 @rezmoss]
- Provide a way to get the LayerID the package was first found
in [#435 #3858 @wagoodman #3138 @tomersein]
- Go binaries that currently get (devel) as the version should
instead stub UNKNOWN based on the compliance policy [#3324
#3873 @wagoodman]
- Upgrade base Docker image to
gcr.io/distroless/static-debian12 [#3840 #3862 @bgoareguer]
- Return full license string instead of SHA256 hash when
license string exceeds 64 characters [#3780 #3844 @spiffcs]
- Detect nix dependencies [#3814 #3837 @wagoodman]
* Bug Fixes
- update license sort to be stable with contents field [#3860
@spiffcs]
- Improve detection of erlang binary in alpine Linux [#3839
@avodotiiets]
- Do not search for main module versions within binary contents
by default [#3874 @wagoodman]
- dpkg license improvement for non SPDX licenses [#3090 #3888
@spiffcs]
- CycloneDX group field not symmetrically handled by
encoder/decoders [#2981 #3853 @kzantow]
- Syft crash [signal SIGSEGV: segmentation violation code=0x80
addr=0x0 pc=0x123a0da] [#3872 #3875 @wagoodman]
- Syft 1.23.1 shows version (devel) for grafana 12.0.0 [#3864]
- .NET cataloger does not always pair up PE binaries and
deps.json packages, resulting in duplicate packages on some
runs [#3866 #3869 @wagoodman]
- Propagate error in FileSourceProvider instead of warn log
[#3831 #3845 @Rupikz]
- Update github.com/Masterminds/semver package [#3829 #3836
@popey]
- go-module-file-cataloger fails if symlinks in path [#3614
#3783 @VictorHuu]
- Support fluent-bit some versions of arm/s390x images [#3793
#3817 @VictorHuu]
* Additional Changes
- update rust test fixtures to latest [#3852 @spiffcs]
-------------------------------------------------------------------
Fri Apr 25 18:25:31 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.23.1:
* chore(deps): update tools to latest versions (#3830)
* Resolve owned file paths when searching for overlaps (#3828)
-------------------------------------------------------------------
Fri Apr 25 06:06:26 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.23.0:
* Added Features
- Support skipping archive extraction with file source [#3795
@adammcclenaghan]
- Use the R cataloger in directory scans [#3774 @spiffcs]
- Add support for detecting javascript assets in .NET projects
using libman [#3825 @wagoodman]
- Parse GitHub actions comments [#3776 @wagoodman]
- Support chrome binary detection [#3174 #3136 @lem-onade]
- Add support for detecting undeclared license files scanning
from python installations [#2624 #3779 @wagoodman]
* Bug Fixes
- .NET cataloger should consider compile target paths from
deps.json [#3821 @wagoodman]
- Skip license scanner injection [#3796 @adammcclenaghan]
- Delete collection name/type key entries when empty [#3797
@adammcclenaghan]
- Use module name over relative paths in go.mod replace
directives [#3812 @VictorHuu]
- Correct variable names for Conan lock parsing version
handling [#3802 @musangk]
- Consider DLL claims for dependencies of .NET packages from
deps.json [#3822 @wagoodman]
- Empty source during decoding an SBOM document should not be
fatal [#3791 @wagoodman]
- Dpkg are not detected when scanning a directory [#3726 #3820
@VictorHuu]
- Support golang tip image [#3681 #3757 @VictorHuu]
- syft cataloger list should flatten options [#3801 #3804
@kzantow]
- Unable to generate a correct SBOM for C++ project [#3755]
* Dependencies
- chore(deps): update anchore dependencies (#3827)
- chore(deps): update tools to latest versions (#3823)
- chore(deps): bump sigstore/cosign-installer from 3.8.1 to
3.8.2 (#3818)
- chore(deps): bump github/codeql-action from 3.28.15 to
3.28.16 (#3819)
- chore(deps): update tools to latest versions (#3815)
- chore(deps): update CPE dictionary index (#3813)
- chore(deps): update tools to latest versions (#3806)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.15.0 to
5.16.0 (#3807)
- chore(deps): bump github.com/anchore/stereoscope from 0.1.2
to 0.1.3 (#3803)
- chore(deps): update tools to latest versions (#3798)
- chore(deps): update CPE dictionary index (#3799)
- chore(deps): bump github.com/mholt/archives from 0.1.0 to
0.1.1 (#3778)
- chore(deps): bump marocchino/sticky-pull-request-comment
(#3788)
- chore(deps): bump github.com/magiconair/properties from 1.8.9
to 1.8.10 (#3789)
- chore(deps): bump github.com/charmbracelet/bubbles from
0.20.0 to 0.21.0 (#3790)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.14.0 to
5.15.0 (#3792)
- chore(deps): update tools to latest versions (#3785)
- chore(deps): bump github/codeql-action from 3.28.13 to
3.28.15 (#3786)
- chore(deps): bump golang.org/x/net from 0.38.0 to 0.39.0
(#3787)
- chore(deps): update CPE dictionary index (#3782)
- chore(deps): update tools to latest versions (#3775)
-------------------------------------------------------------------
Tue Apr 01 17:31:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 1.22.0:
* Added Features
- Improve .NET package CPE generation [#3764 @wagoodman]
- Catalog deb archives directly [#3315 #3704 @popey]
* Bug Fixes
- Dotnet-Portable-Executable-Cataloger uses wrong component
version for dotnet runtime libraries [#3282 #3768 @wagoodman]
- Dotnet deps cataloger returns "wrong" dotnet-framework
dependencies and misses out on the runtime (for applications)
[#2347 #3768 @wagoodman]
- .NET deps.json should be considered as installation evidence
[#3570 #3563 @wagoodman]
- Dotnet PE binary cataloger is detecting false positives
[#3469 #3563 @wagoodman]
- Long Processing Time in dpkg-db-cataloger with all-layers
Option (Syft 1.20.0) [#3683 #3636 @kzantow]
* Dependencies
- chore(deps): update anchore dependencies (#3772)
- chore(deps): bump golang.org/x/net from 0.37.0 to 0.38.0
(#3766)
- chore(deps): bump 8398a7/action-slack from 3.16.2 to 3.18.0
(#3767)
- chore(deps): bump modernc.org/sqlite from 1.36.1 to 1.37.0
(#3771)
- chore(deps): update CPE dictionary index (#3769)
- chore(deps): bump github/codeql-action from 3.28.12 to
3.28.13 (#3758)
- chore(deps): update CPE dictionary index (#3756)
- chore(deps): update tools to latest versions (#3747)
- chore(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
(#3750)
- chore(deps): bump github.com/docker/docker (#3749)
- chore(deps): bump actions/cache from 4.2.2 to 4.2.3 (#3751)
- chore(deps): bump actions/cache in /.github/actions/bootstrap
(#3752)
- chore(deps): bump actions/setup-go in
/.github/actions/bootstrap (#3742)
- chore(deps): bump actions/setup-go from 5.3.0 to 5.4.0
(#3743)
- chore(deps): bump github/codeql-action from 3.28.11 to
3.28.12 (#3744)
- chore(deps): bump github.com/BurntSushi/toml from 1.4.0 to
1.5.0 (#3740)
- chore(deps): bump github.com/containerd/containerd from
1.7.26 to 1.7.27 (#3738)
- chore(deps): update tools to latest versions (#3739)
-------------------------------------------------------------------
Mon Mar 17 19:49:13 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.21.0:
* chore(deps): update anchore dependencies (#3727)
* chore(deps): update CPE dictionary index (#3735)
* chore(deps): update tools to latest versions (#3722)
* chore(deps): bump github.com/spf13/afero from 1.12.0 to 1.14.0
(#3736)
* chore(deps): bump modernc.org/sqlite from 1.36.0 to 1.36.1
(#3737)
* chore(deps): bump github.com/charmbracelet/lipgloss from 1.0.0
to 1.1.0 (#3732)
* chore(deps): bump docker/login-action from 3.3.0 to 3.4.0
(#3733)
* fix(performance): reduce memory allocation in containsPath
(#3730)
* chore: upload individual binaries as artifacts (#3714)
* fix: fetch Dart package versions from sdk entries (#3572)
* chore(deps): update tools to latest versions (#3713)
* chore(deps): update CPE dictionary index (#3715)
* Add set ID to dotnet packages (#3719)
* chore(deps): bump github/codeql-action from 3.28.10 to 3.28.11
(#3716)
* Location order on packages should consider evidence annotations
when sorting (#3720)
* chore: fix some function names in comment (#3717)
* fix: improve fluent-bit binary detection regex pattern (#3701)
* chore: updates for go 1.24.1 (#3712)
* chore(deps): bump golang.org/x/mod from 0.23.0 to 0.24.0
(#3708)
* Update rustaudit module name (#3689)
* chore(deps): bump golang.org/x/net from 0.35.0 to 0.37.0
(#3711)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.4
to 1.3.4 (#3690)
* Add downloadLocation URI validation (#3697)
* Native Image SBOM: support extracting symbols in .dynsym
section for ELF files (#3647)
* chore(deps): bump github.com/google/go-cmp from 0.6.0 to 0.7.0
(#3687)
* chore(deps): bump modernc.org/sqlite from 1.35.0 to 1.36.0
(#3692)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.13.2 to
5.14.0 (#3693)
* chore(deps): bump github.com/docker/docker (#3694)
* chore(deps): bump actions/cache from 4.2.1 to 4.2.2 (#3698)
* chore(deps): bump actions/cache in /.github/actions/bootstrap
(#3699)
* chore(deps): update CPE dictionary index (#3702)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.6 to
6.6.7 (#3703)
* chore(deps): bump golang.org/x/net from 0.35.0 to 0.36.0
(#3709)
* chore(deps): bump peter-evans/create-pull-request from 7.0.7 to
7.0.8 (#3706)
* suppress file already closed errors (#3695)
* Fix /etc/redhat-release file parsing when resolving distro
details (#3688)
* chore(deps): bump sigstore/cosign-installer from 3.8.0 to 3.8.1
(#3675)
* chore: disable line wrapping glow output (#3679)
* chore(deps): update CPE dictionary index (#3682)
* chore(deps): bump peter-evans/create-pull-request from 7.0.6 to
7.0.7 (#3684)
* chore(deps): bump github/codeql-action from 3.28.9 to 3.28.10
(#3685)
* chore(deps): bump actions/upload-artifact from 4.6.0 to 4.6.1
(#3686)
-------------------------------------------------------------------
Sat Feb 22 09:40:22 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.20.0:
* Added Features
- Add file catalogers to selection configuration [#3505
@wagoodman]
- Configuration for including license contents in SBOM [#3626
#3631 @spiffcs]
- Support Bitnami embedded SBOMs [#3065 #3341 @juan131]
* Bug Fixes
- Version parse caused by line breaks on different platforms
[#3672 @idhyt]
- find bitnami files even when no relationships [#3676
@willmurphyscode]
- License files which do not match an SPDX expression are
erroneously handled as 'unlicensed' [#3412 #3366
@HeyeOpenSource]
- Incorrect URL encoding of package url (purl) [#3533 #3678
@kzantow]
- syft should not warn on known bad package.json [#3470 #3645
@kzantow]
- Scanning a project with many DLLs is slow [#3455 #3677
@rogueai]
- cyclone-dx presenter drops files, includes only packages
[#3435 #3539 @spiffcs]
- "syft config" output swaps comments for
search-indexed-archives / search-unindexed-archives [#3624
#3630 @spiffcs]
- dpkg license improvement for non SPDX licenses [#3090 #3366
@HeyeOpenSource]
- RPM-based PURLs sometimes have incorrect namespace
(specifically OpenSUSE) [#3534 #3615 @mprpic]
* Additional Changes
- update to go 1.24.x [#3660 @westonsteimel]
- replace all shorthand tags of mapstruct -> mapstructure
[#3633 @spiffcs]
-------------------------------------------------------------------
Thu Jan 23 05:36:08 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 1.19.0:
* chore(deps): update tools to latest versions (#3602)
* chore(deps): bump github/codeql-action from 3.28.1 to 3.28.2
(#3604)
* chore(deps): bump github.com/hashicorp/hcl/v2 from 2.22.0 to
2.23.0 (#3605)
* chore(deps): bump github.com/aquasecurity/go-pep440-version
(#3606)
* chore: bump stereoscope to v0.0.13 (#3601)
* feat(cataloger): add a terraform provider cataloger (#3378)
* chore(deps): update tools to latest versions (#3597)
* chore(deps): update CPE dictionary index (#3599)
* chore(deps): bump actions/setup-go from 5.2.0 to 5.3.0 (#3600)
* feat(golang): add license parsing from vendor dirs (#3522)
* chore: bump packageurl-go with new parsing rules (#3596)
* chore(deps): bump marocchino/sticky-pull-request-comment
(#3595)
* feat: add cataloger for NuGet packages (#3484)
* allow disabling all package catalogers (#3468)
* chore(deps): bump github.com/google/go-containerregistry
(#3592)
* chore(deps): bump modernc.org/sqlite from 1.34.4 to 1.34.5
(#3593)
* chore(deps): update tools to latest versions (#3582)
* chore: update README.md's link to Nixpkgs (#3578)
* chore(deps): bump github.com/sanity-io/litter from 1.5.5 to
1.5.6 (#3579)
* chore(deps): bump github.com/spf13/afero from 1.11.0 to 1.12.0
(#3580)
* chore(deps): bump actions/upload-artifact from 4.5.0 to 4.6.0
(#3581)
* chore(deps): update CPE dictionary index (#3583)
* chore(deps): bump github/codeql-action from 3.28.0 to 3.28.1
(#3584)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.1 to
5.6.2 (#3585)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.7.1
to 4.8.0 (#3586)
* chore(deps): bump github.com/docker/docker (#3587)
* chore(deps): update anchore dependencies (#3571)
* chore(deps): update tools to latest versions (#3567)
* chore(deps): bump golang.org/x/net from 0.33.0 to 0.34.0
(#3568)
* fix: golang remote license search not executing when error
reading local mod dir (#3549)
* chore(deps): update tools to latest versions (#3564)
* chore(deps): update CPE dictionary index (#3565)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.7 to
0.5.8 (#3548)
* chore(deps): update tools to latest versions (#3560)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.13.0 to
5.13.1 (#3561)
* Use reader when scanning for package versions over reading
entire binary into memory (#3558)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.0 to
5.6.1 (#3551)
* chore(deps): update tools to latest versions (#3556)
* test: removes latest license list test (#3559)
* chore(deps): bump peter-evans/create-pull-request from 7.0.5 to
7.0.6 (#3547)
* chore(deps): update CPE dictionary index (#3550)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.12.0 to
5.13.0 (#3552)
* chore(deps): update tools to latest versions (#3543)
* chore(deps): update CPE dictionary index (#3544)
* chore(deps): bump modernc.org/sqlite from 1.34.3 to 1.34.4
(#3545)
* chore(deps): bump github/codeql-action from 3.27.9 to 3.28.0
(#3546)
* chore(deps): bump golang.org/x/net from 0.32.0 to 0.33.0
(#3541)
* chore(deps): bump modernc.org/sqlite from 1.34.2 to 1.34.3
(#3542)
* chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0
(#3537)
* chore(deps): bump github.com/docker/docker (#3538)
* chore(deps): update CPE dictionary index (#3526)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.1
to 0.9.2 (#3530)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.4 to
6.6.5 (#3531)
* chore(deps): bump anchore/sbom-action from 0.17.8 to 0.17.9
(#3532)
-------------------------------------------------------------------
Sat Dec 14 21:15:40 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.18.1:
* chore(deps): update anchore dependencies (#3525)
* chore(deps): bump github/codeql-action from 3.27.7 to 3.27.9
(#3524)
* chore(deps): bump golang.org/x/crypto from 0.30.0 to 0.31.0
(#3523)
* chore(deps): bump actions/setup-go from 5.1.0 to 5.2.0 (#3519)
* chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#3518)
* chore: make fixes field in PR template match auto-close regex
(#3520)
* fix: stop omitting redundantly parenthesized licenses in CDX
formatter (#3517)
* chore: migrate syft to use the anchore fork of archiver without
replace (#3516)
* Make pre-release integration PRs (#3370)
* chore(deps): bump github.com/docker/docker (#3512)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.3 to
6.6.4 (#3513)
* chore(deps): bump github/codeql-action from 3.27.6 to 3.27.7
(#3514)
-------------------------------------------------------------------
Tue Dec 10 08:48:44 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.18.0:
* chore(deps): update anchore dependencies (#3510)
* fix: convert file paths for spdx formats from absolute to
relative (#3509)
* chore(deps): update CPE dictionary index (#3507)
* chore(deps): update tools to latest versions (#3506)
* chore(deps): bump github.com/magiconair/properties from 1.8.7
to 1.8.9 (#3508)
* chore(deps): bump actions/cache from 4.1.2 to 4.2.0 (#3503)
* Add relationships for rust audit binary packages (#3500)
* fix order of rust dependencies and support git sources in
Cargo.lock dependencies (#3502)
* chore(deps): update tools to latest versions (#3501)
* chore(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
(#3499)
* chore: add and document target for updating unit snapshots
(#3498)
* fix: emit NOASSERTION for copyright text to fix SPDX 2.2
validation failure (#3495)
* chore(deps): update tools to latest versions (#3496)
* chore(deps): update tools to latest versions (#3487)
* chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6
(#3494)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.2 to
6.6.3 (#3489)
* feat: set max layer size (#3464)
* chore(deps): update CPE dictionary index (#3491)
* chore(deps): bump modernc.org/sqlite from 1.34.1 to 1.34.2
(#3492)
* chore(deps): bump github.com/saferwall/pe from 1.5.5 to 1.5.6
(#3493)
* chore(deps): update tools to latest versions (#3478)
* chore(deps): update CPE dictionary index (#3479)
* chore(deps): bump github.com/stretchr/testify from 1.9.0 to
1.10.0 (#3480)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.3
to 1.2.4 (#3482)
* chore(deps): update stereoscope to
be5deed44b7c03fcbfa6f1f42fb67202d31636a9 (#3483)
* fix: dart classifier for 2.x and ARM (#3475)
* Use file indexer directly when scanning with file source
(#3333)
* chore(deps): bump anchore/sbom-action from 0.17.7 to 0.17.8
(#3476)
* chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5
(#3473)
-------------------------------------------------------------------
Thu Nov 21 14:50:55 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.17.0:
* chore(deps): update stereoscope to
aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3472)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.2
to 1.2.3 (#3467)
* fix: bump clio to pull in logging fix (#3466)
* 3122 valid license url characters (#3449)
* 3030 license declared spdx correction (#3461)
* chore(deps): update tools to latest versions (#3463)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.1 to
6.6.2 (#3465)
* chore(deps): bump modernc.org/sqlite from 1.33.1 to 1.34.1
(#3460)
* chore(deps): update CPE dictionary index (#3453)
* chore(deps): update tools to latest versions (#3454)
* chore(deps): update tools to latest versions (#3448)
* chore(deps): update tools to latest versions (#3444)
* chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4
(#3446)
* feat: emit dependency relationships found in Cargo.lock (#3443)
* chore(deps): update stereoscope to
aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3442)
* chore(deps): bump github/codeql-action from 3.27.2 to 3.27.3
(#3438)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.1
to 1.2.2 (#3439)
* chore(deps): bump github.com/saferwall/pe from 1.5.4 to 1.5.5
(#3440)
* chore(deps): update tools to latest versions (#3413)
* chore(deps): bump github/codeql-action from 3.27.1 to 3.27.2
(#3436)
* chore(deps): bump golang.org/x/mod from 0.21.0 to 0.22.0
(#3426)
* update node classifier (#3419)
* chore(deps): update stereoscope to
120d9ea511e2f7a9887b443c52e66cd19bb80b43 (#3424)
* chore(deps): update CPE dictionary index (#3429)
* chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1
(#3431)
* chore(deps): bump golang.org/x/net from 0.30.0 to 0.31.0
(#3432)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.2
to 1.2.1 (#3433)
* restore log on ui teardown (#3427)
* doc: Add official Syft logo license information (#3421)
* chore(deps): bump anchore/sbom-action from 0.17.6 to 0.17.7
(#3418)
* chore: build release sbom from go.mod (#3417)
-------------------------------------------------------------------
Tue Nov 05 09:43:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.16.0:
* chore: prevent file resolver from bubbling errors in binary
cataloger (#3410)
* chore(deps): update stereoscope to
cbd43fb4e5d348fe680066ee6329385fd6a4f827 (#3411)
* chore(deps): update CPE dictionary index (#3414)
* chore(deps): bump github.com/adrg/xdg from 0.5.2 to 0.5.3
(#3408)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.13.1
to 1.0.0 (#3409)
* chore(deps): update stereoscope to
2ce1e520983b1c21d5150d7fae2b39e8e5ab9063 (#3405)
* Issue #3143 – fixed format conversion docs link (#3407)
* feat: support dependencies and purl for Native Image SBOMs
(#3399)
* chore(deps): update stereoscope to
9c92fe30492ffeba14ed2e23ad1fd923341dda4f (#3398)
* feat: exclude devDependencies from package-lock.json parsing
(#3371)
* chore(deps): bump github.com/adrg/xdg from 0.5.1 to 0.5.2
(#3394)
* chore(deps): bump anchore/sbom-action from 0.17.5 to 0.17.6
(#3393)
* fix: stack overflow in spyingIoReadCloser (#3392)
* fix: bad pom files may cause infinite loop (#3391)
-------------------------------------------------------------------
Tue Oct 29 14:02:45 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.15.0:
* chore(deps): update stereoscope to
bcc40c6817524718277256d6b774ce643f98640a (#3388)
* chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#3384)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.1
to 1.1.2 (#3385)
* chore(deps): update tools to latest versions (#3383)
* chore(deps): update CPE dictionary index (#3387)
* chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#3380)
* feat: multi-level configuration and profiles (#3337)
* feat: Java dependency graph information (#3363)
* Expanded dpkg cataloger globs (#3373)
* Enable cargo-auditable-binary-cataloger for files/directories
(#3376)
* chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0
(#3374)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3375)
* chore(deps): update stereoscope to
6db3c175f1f836e552b01ee70e5d5528cc04bce4 (#3362)
* chore(deps): bump actions/cache from 4.1.1 to 4.1.2 (#3364)
* chore(deps): bump anchore/sbom-action from 0.17.4 to 0.17.5
(#3365)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to
5.6.0 (#3367)
-------------------------------------------------------------------
Tue Oct 22 07:09:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.2:
* Create single license scanner for all catalogers (#3348)
* chore(deps): update stereoscope to
a38c93517fc7d67ca1af826ac529a06c05b571d2 (#3357)
* chore(deps): update CPE dictionary index (#3358)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.0 to
6.6.1 (#3361)
* update to latest packageurl-go (#3347)
* chore(deps): update tools to latest versions (#3342)
* chore(deps): update stereoscope to
9e57bce5efeb0ffe27770dd0b8eb2eef8b38512f (#3338)
* chore(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.1
(#3344)
* fix: use official CPE for linux kernel (#3343)
* chore(deps): bump anchore/sbom-action from 0.17.3 to 0.17.4
(#3340)
* fix: improve mariadb binary classifer to detect older versions
(#3339)
-------------------------------------------------------------------
Tue Oct 15 15:36:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.1:
* fix: stop some log.Warn spam due parsing an empty string as a
CPE (#3330)
* chore(deps): update stereoscope to
1cc8a41d447d0d092699be2b700b8ba62e870434 (#3334)
* chore(deps): update stereoscope to
1cc8a41d447d0d092699be2b700b8ba62e870434 (#3332)
* chore(deps): update stereoscope to
93f8a11331e3d50f751e4d0ec5b63f3df309e9e5 (#3331)
* chore(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3
(#3326)
* chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13
(#3327)
* chore(deps): update CPE dictionary index (#3323)
* fix: improve go binary semver extraction for traefik (#3325)
* chore(deps): update stereoscope to
92e97a1cf36d162bad51ccc6aba0cce7a4dcfbf4 (#3322)
* chore(deps): update stereoscope to
c04af061af62ab3ba6ab6760613526eaa7fcb163 (#3319)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.1
to 4.7.0 (#3321)
* chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.3
(#3314)
* shorten release docs (#3318)
* docs: clearer deprecation message for --file (#3310)
* [docs] Add mastodon link to README.md (#3306)
* chore(deps): update stereoscope to
5bc91bf166769e43d8d0f86c02e877c55eb04aed (#3313)
* chore(deps): bump actions/cache from 4.1.0 to 4.1.1 (#3312)
* chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12
(#3307)
* chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#3308)
* chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1
(#3309)
-------------------------------------------------------------------
Wed Oct 09 04:42:52 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.0:
* feat: report unknowns in sbom (#2998)
* chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0
(#3299)
* chore(deps): update stereoscope to
efa76446cc1c7e6c4117350943a2754b2453aec4 (#3301)
* chore(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
(#3304)
* chore(deps): bump actions/cache from 4.0.2 to 4.1.0 (#3305)
* chore(deps): update CPE dictionary index (#3302)
* Fix: Parse package.json with non-standard fields in 'author'
section (#3300)
* chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11
(#3298)
* chore: add pull request template (#3294)
* chore(deps): update tools to latest versions (#3296)
* Track supporting DPKG evidence (#3228)
* Fix: make failed CPE validation correctly return error (#2762)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.9 to
6.6.0 (#3293)
* feat: update haproxy classifier (#3277)
* chore(deps): update tools to latest versions (#3291)
* fix: don't use builtin scanner in licensecheck (#3290)
* chore(deps): update CPE dictionary index (#3288)
* chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10
(#3289)
* update redis classifier (#3281)
* fix: improve node classifier version matching (#3284)
* fix: update ruby classifier for -rc, -dev, etc. versions
(#3285)
* chore(deps): update CPE dictionary index (#3262)
* chore(deps): bump github.com/docker/docker (#3264)
* chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9
(#3275)
* chore(deps): update stereoscope to
dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
* chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
* add awaiting response management (#3272)
* fix: correct excluded mount point comparison to file paths
(#3269)
-------------------------------------------------------------------
Tue Sep 24 17:39:53 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.13.0:
* Add JVM cataloger (#3217)
* feat: classifier for Dart lang binaries (#3265)
* Add compliance policy for empty name and version (#3257)
* chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to
2.3.2 (#3254)
* chore(deps): bump peter-evans/create-pull-request from 7.0.3 to
7.0.5 (#3255)
* chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8
(#3256)
* chore(deps): update tools to latest versions (#3259)
* chore(deps): bump github.com/docker/docker (#3260)
* feat: add binary classifiers for lighttp, proftpd, zstd, xz,
gzip, jq, and sqlcipher (#3252)
* fix: capture-snippet.sh can handle leading whitespaces now
(#3249) (#3250)
* chore(deps): update tools to latest versions (#3251)
* chore(deps): update tools to latest versions (#3247)
* chore(deps): update tools to latest versions (#3243)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0
to 0.9.1 (#3242)
* chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7
(#3241)
* chore(deps): bump peter-evans/create-pull-request from 7.0.2 to
7.0.3 (#3240)
* chore(deps): update tools to latest versions (#3231)
* chore(deps): update CPE dictionary index (#3232)
* chore(deps): update tools to latest versions (#3205)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.0
to 1.1.1 (#3225)
* chore(deps): bump peter-evans/create-pull-request from 7.0.1 to
7.0.2 (#3226)
* chore(deps): bump modernc.org/sqlite from 1.33.0 to 1.33.1
(#3229)
* feat: --enrich flag for data enrichment feature enablement
(#3182)
-------------------------------------------------------------------
Thu Sep 12 04:56:01 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.12.2 (no releases between 1.11.1 and this
one):
* chore: make ci-check.sh an executable file (#3220)
* chore(deps): bump github.com/opencontainers/runc from 1.1.12 to
1.1.14 (#3219)
* chore: restore ci-check.sh script (#3218)
* Add haskell binaries cataloger (#3078)
* chore(deps): update CPE dictionary index (#3206)
* chore(deps): bump golang.org/x/net from 0.28.0 to 0.29.0
(#3203)
* Add the Ocaml ecosystem (#3112)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.19.0
to 0.20.0 (#3209)
* chore(deps): bump modernc.org/sqlite from 1.32.0 to 1.33.0
(#3210)
* chore(deps): bump github.com/docker/docker (#3211)
* chore(deps): bump github.com/dave/jennifer from 1.7.0 to 1.7.1
(#3212)
* dont cleanup cache in forks (#3214)
* less verbose java logging when non-fatal issues arise (#3208)
* Slim down docker cache size (#3190)
* chore(deps): bump peter-evans/create-pull-request from 7.0.0 to
7.0.1 (#3196)
* chore(deps): bump golang.org/x/mod from 0.20.0 to 0.21.0
(#3197)
* fix: haproxy classifier for versions with -dev suffix (#3180)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to
3.3.0 (#3177)
* chore(deps): update CPE dictionary index (#3183)
* chore(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0
(#3184)
* chore(deps): bump peter-evans/create-pull-request from 6.1.0 to
7.0.0 (#3187)
* fix: properly decode SPDX license expressions in CycloneDX
format (#3175)
* chore(deps): bump github.com/docker/docker (#3168)
* chore(deps): bump github.com/charmbracelet/bubbletea (#3171)
* chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6
(#3173)
* fix: cycles resolving relative path parent poms with
parent-defined variables (#3170)
* fix: improve generated cpes for binaries with existing
classifiers (#3169)
* fix: add log time of task (#3105)
* fix: improve known CPEs and set NVD as source for all current
binary classifiers (#3167)
* respond to authoratative CPEs from catalogers (#3166)
* set cataloger names within package cataloger task (#3165)
* fix: use official CPE for curl binary cataloger (#3164)
* chore(deps): update tools to latest versions (#3160)
* chore(deps): update CPE dictionary index (#3161)
* chore(deps): bump github/codeql-action from 3.26.4 to 3.26.5
(#3162)
* fix ELF package correlations (#3151)
* chore(deps): update tools to latest versions (#3144)
* feat: detect curl binaries (#3146)
* chore(deps): bump anchore/sbom-action from 0.17.1 to 0.17.2
(#3155)
* chore(deps): bump github/codeql-action from 3.26.3 to 3.26.4
(#3154)
* chore(deps): update stereoscope to
e6d086e8bef5fab4fcfbd60c9a759c4cb229decf (#3152)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.18.0
to 0.19.0 (#3148)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3147)
* chore(deps): bump github.com/anchore/stereoscope (#3153)
* fix: mysql 8.0.3x binary detection (#3142)
* chore(deps): bump github/codeql-action from 3.26.2 to 3.26.3
(#3139)
-------------------------------------------------------------------
Tue Aug 20 16:41:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.11.1:
* fix: logging for remote network calls (#3140)
* chore(deps): update CPE dictionary index (#3135)
* chore(deps): bump github.com/charmbracelet/bubbletea (#3137)
* chore(deps): update tools to latest versions (#3121)
* chore(deps): bump github.com/docker/docker (#3123)
* chore(deps): bump anchore/sbom-action from 0.17.0 to 0.17.1
(#3124)
* chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2
(#3129)
* fix: add nil check to CycloneDX toBomProperties (#3119)
* fix: read CycloneDX BOM components from metadata (#3092)
* fix: improve groupid extraction for Jenkins plugins (#2815)
* chore(deps): update CPE dictionary index (#3116)
* support .kar files (#3113)
* chore: fix some comments (#3114)
* chore: fix failing python relationship test (#3117)
* update-slack-to-discourse (#3111)
-------------------------------------------------------------------
Fri Aug 09 18:12:40 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.11.0:
* test: increase java purl generation test coverage (#3110)
* chore(deps): bump modernc.org/sqlite from 1.31.1 to 1.32.0
(#3106)
* chore(deps): bump sigstore/cosign-installer from 3.5.0 to 3.6.0
(#3107)
* chore(deps): update tools to latest versions (#3099)
* chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0
(#3101)
* chore(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6
(#3102)
* chore(deps): bump github.com/google/go-containerregistry
(#3103)
* chore(deps): bump golang.org/x/net from 0.27.0 to 0.28.0
(#3104)
* chore(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5
(#3095)
* chore(deps): update CPE dictionary index (#3094)
* chore(deps): bump golang.org/x/mod from 0.19.0 to 0.20.0
(#3096)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.6 to
0.5.7 (#3097)
* feat: improved java maven property resolution (#2769)
* fix: use organization for package supplier when reading Java
vendor fields (#3093)
* chore(deps): update tools to latest versions (#3091)
* fix: update 'guessMainPackageNameAndVersionFromPomInfo' and
'artifactIDMatchesFilename' (#3054)
* fix: update mainModuleVersion function to always prefix `v` to
findings (#3087)
* chore: update release script to use gh from binny (#3084)
* Added the SWI Prolog (swipl) ecosystem (#3076)
-------------------------------------------------------------------
Thu Aug 01 07:20:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.10.0:
* fix: improve determinism in java archive identification (#3085)
* chore(deps): update stereoscope to
50ce3be7aa1fb8829234ae648215e7907196bfa5 (#3075)
* chore(deps): update CPE dictionary index (#3079)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.5 to
0.5.6 (#3082)
* chore(deps): bump github/codeql-action from 3.25.14 to 3.25.15
(#3083)
* fix: traefik classifier (#3077)
* python-cataloger: fix normalization test (#3073)
* Only match ldflag version if it matches the main module or
targets main.version (#3062)
* python cataloger: allow dots in python package names (#3070)
* python-cataloger: normalize package names (#3069)
* chore(deps): bump github.com/docker/docker (#3066)
* chore(deps): bump github/codeql-action from 3.25.13 to 3.25.14
(#3072)
* fix: SPDX output performance with many relationships (#3053)
* better go mod detection from partial package builds (#3060)
* chore(deps): update tools to latest versions (#3061)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1
to 0.12.1 (#3040)
* chore: add debug logging for errors reading RPM files (#3051)
* chore(deps): update CPE dictionary index (#3035)
* chore(deps): bump github.com/docker/docker (#3055)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.4 to
0.5.5 (#3056)
* chore(deps): bump modernc.org/sqlite from 1.30.2 to 1.31.1
(#3057)
* chore(deps): bump docker/login-action from 3.2.0 to 3.3.0
(#3058)
* chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13
(#3059)
* chore(deps): update stereoscope to
487b11e5ba2622d976acda10c605da63b4fbbb0a (#3032)
* chore(deps): update tools to latest versions (#3050)
* docs: CODE_OF_CONDUCT.md (#3046)
* fix: include CPEs with Maven groupId as vendor (#3045)
* chore(deps): bump github.com/google/go-containerregistry
(#3047)
* chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to
0.7.2 (#3048)
* chore(deps): bump modernc.org/sqlite from 1.30.1 to 1.30.2
(#3039)
* docs: link to contrib/dev docs in readme (#3029)
* chore: Fix apache shield in readme (#3021)
* chore(deps): update tools to latest versions (#3031)
* chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12
(#3034)
* chore(deps): bump anchore/sbom-action from 0.16.1 to 0.17.0
(#3044)
* fix: stop panicking on "devel" version go stdlib (#3043)
* chore: pin fedora image for elf binary test (#3041)
* chore(deps): bump anchore/sbom-action from 0.16.0 to 0.16.1
(#3023)
* chore(deps): update stereoscope to
27b66b76fc6686fcf6bde656aa09e1f0e047fec1 (#3026)
-------------------------------------------------------------------
Thu Jul 11 18:41:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
* chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (#3027)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3028)
* fix: stabilize cpe sorting during collection sort (#3009)
* Map the downloadLocation field for PHP Composer packages
(#3011)
* chore(deps): update stereoscope to
e46739e217969fa67cbe8834b64bb165a10a1548 (#3013)
* chore(deps): bump golang.org/x/net from 0.26.0 to 0.27.0
(#3015)
* chore(deps): bump golang.org/x/mod from 0.18.0 to 0.19.0
(#3014)
* chore(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4
(#3017)
* chore(deps): bump github.com/google/go-containerregistry
(#3019)
* chore(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0
(#3020)
* chore(deps): update CPE dictionary index (#3016)
* Infer the package type from ELF package notes (#3008)
* chore(deps): update tools to latest versions (#3003)
* chore(deps): update CPE dictionary index (#3002)
* chore(deps): bump github.com/docker/docker (#3006)
* chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11
(#3004)
* chore(deps): bump github.com/saferwall/pe from 1.5.3 to 1.5.4
(#3005)
* feat: version 3 support for swift package manager of the
resolved files (#3001)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.4 to
0.5.5 (#2999)
* chore(deps): bump github.com/docker/docker (#2994)
* Add detection of Erlang in Alpine linux (#2996)
* chore(deps): update tools to latest versions (#2991)
* chore(deps): update stereoscope to
753b5576fe42bc007b22108ad7911d1729957a46 (#2992)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2995)
-------------------------------------------------------------------
Tue Jun 25 04:58:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.0:
* chore(deps): update CPE dictionary index (#2986)
* chore(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1
(#2988)
* fix: handle errors reading go licenses (#2985)
* docs: update cyclone-dx documentation (#2983)
* feat: update syft to generate cyclone-dx 1.6 by default (#2978)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2982)
* chore(deps): bump peter-evans/create-pull-request from 6.0.5 to
6.1.0 (#2975)
* fix: detection of arangodb 3.12 (#2979)
* chore: enable dependabot to keep boostrap action updated
(#2976)
* chore(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to
2.3.1 (#2973)
* chore(deps): bump github.com/google/go-containerregistry
(#2971)
* chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1
(#2972)
-------------------------------------------------------------------
Sat Jun 15 16:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.0:
* Added Features
- index known CPEs for wordpress plugins and themes [#2963
@westonsteimel]
- Consider Author field for wordpress plugins when generating
CPEs [#2946 @wagoodman]
* Bug Fixes
- improve version extraction from ldflags for pingcap TiDB
[#2962 @westonsteimel]
- Trim whitespace from wordpress values [#2945 @wagoodman]
- Issue scanning Poetry Project with Syft 1.6 and
cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
- Poetry's multiple constraints seems to break the parser
[#2947 #2965 @spiffcs]
- Golang: Search remote licenses not working in a CI pipeline
when scanning Docker image [#2798 #2852 @kzantow]
-------------------------------------------------------------------
Mon Jun 10 19:52:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.6.0:
* Added Features
- Add relationships for go binary packages [#2912 @wagoodman]
- Add classifier for util-linux [#2933 @LaurentGoderre]
- Lua: Add support for more advanced syntax [#2908
@LaurentGoderre]
- add license field to ELF binary package metadata [#2890
@brian-ebarb]
- install.sh: check checksums file's signature [#2884 #2941
@wagoodman]
- Detect ELF package notes from fedora binaries [#2713 #2939
@wagoodman]
* Bug Fixes
- Use redhat as namespace for redhat rpms [#2914 @ralphbean]
- Close sqlite driver after testing sqlite availability [#2922
@ttc0419]
- syft does not find anything in archives if /tmp is a tmpfs
[#2894 #2918 @willmurphyscode]
- Scanning a git repository folder present in /tmp produce an
empty sbom [#2847 #2918 @willmurphyscode]
* Additional Changes
- update unit tests to use pinned patch version [#2932
@spiffcs]
- fix comments and spelling [#2920 @dufucun]
-------------------------------------------------------------------
Fri May 31 14:28:58 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.5.0:
* feat: detect fluent-bit binaries (#2905)
* bump dependencies
* Add python wheel egg relationships (#2903)
* feat: Add Lua cataloger (#2613)
* feat: add config command (#2892)
* feat: Added functionality to convert major, minor, patch to version for binary classifier (#2864)
* Go Mod Cataloger: Remove Replaced Packages (#2891)
* chore: Reduce length of readme, moving lengthy content to the wiki (#2882)
* fix: DecoderCollection discarding input from non-seekable Readers (#2878)
* Fix outdated spdx links (#2865)
* Use values in relationship To/From fields (#2871)
* add support for RPM DB package relationships (#2872)
* fix: capture dependencies when parsing SPDX SBOMs (#2869)
* Add abstraction for adding relationships from package cataloger results (#2853)
* chore: fix small tooling error for go.mod (#2868)
-------------------------------------------------------------------
Sun May 12 07:42:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- add completion subpackages
- fix version output
-------------------------------------------------------------------
Fri May 10 04:54:24 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.1:
* fix pruning binary packages when considering ELF packages
(#2862)
-------------------------------------------------------------------
Thu May 09 18:59:36 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.0:
* feat: add relationships to ELF package discovery (#2715)
* README.md: link to official wiki (#2858)
* fix Windows file paths in local go mod cache (#2654)
* chore(deps): bump github.com/docker/docker (#2859)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2860)
* chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4
(#2855)
* chore(deps): bump github.com/sassoftware/go-rpmutils from 0.3.0
to 0.4.0 (#2856)
* Add relationships for ALPM packages (arch linux) (#2851)
* Add binary classifier for ArangoDB (#2830)
* chore(deps): bump golang.org/x/net from 0.24.0 to 0.25.0
(#2849)
* chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#2850)
* chore: use ruleguard to test for missing defer statements
(#2837)
* remove homebrew update workflow (#2846)
* Restore version file update on release (#2844)
* fix: Add missing CPE for traefik, memcached, and postgres
binaries (#2845)
* Add detection for newer version of ErLang/OTP (#2829)
* fix ui race for package count (#2839)
* chore(deps): update CPE dictionary index (#2841)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to
6.5.9 (#2842)
* chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9
(#2843)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2838)
* add security policy (#2835)
* chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#2834)
* chore(deps): update stereoscope to
2e9894674185d121917b283f773c2b5830f8b360 (#2831)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2833)
* chore: fix function name in comment (#2771)
* chore: enable go-critic deferInLoop lint (#2825)
* fix: better clean up of file handles (#2823)
* chore(deps): bump github.com/docker/docker (#2827)
* fix(spdx): include required fields (#2168)
* fix: add correct vendor for dnsmasq CPE (#2659)
* fix: close temp rpmdb file (#2792)
* chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3
(#2817)
* Fill in SPDX originator for all supported package types (#2822)
* chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11
(#2821)
-------------------------------------------------------------------
Fri Apr 26 16:46:01 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.3.0:
* update spdx license list to 3.23 (#2818)
* fix: re-use embedded union reader if possible (#2814)
* feat: index known CPEs for go modules (#2816)
* chore(deps): bump peter-evans/create-pull-request from 6.0.4 to
6.0.5 (#2812)
* feat: support multiple known CPEs in index (#2813)
* chore(deps): update stereoscope to
8b297badafd5d81fa1187b26ae34dd2a7ce7e425 (#2807)
* chore(deps): bump actions/checkout from 4.1.3 to 4.1.4 (#2809)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.3 to
0.5.4 (#2810)
* Fix removing labels in 'Detect schema changes' job (#2772)
* chore(deps): bump github.com/docker/docker (#2805)
* Display which provider caused which error in output (#2757)
* fix: prefer non-deprecated CPEs and include jenkins plugins
from plugins.jenkins.io (#2806)
* feat: index known CPEs for PHP Composer packagist.org packages
(#2804)
* chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2
(#2802)
* chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3
(#2803)
* fix: improvements to known CPE index construction (#2801)
* fix: exclude known instrumentation jars from being erroneously
identified (#2796)
* feat: index known cpes for PHP extensions (#2777)
* chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 (#2799)
* fix: return empty string if dereferncing pom var fails (#2797)
* chore(deps): bump github.com/docker/docker (#2793)
* chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8
(#2794)
* chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2
(#2795)
* chore: cleanup redundant code (#2791)
* chore(deps): update tools to latest versions (#2789)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to
0.5.4 (#2790)
* chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1
(#2786)
* chore(deps): bump peter-evans/create-pull-request from 6.0.3 to
6.0.4 (#2787)
* Fix: repeatedly dereference pom variables (#2781)
* chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7
(#2783)
* chore(deps): update CPE dictionary index (#2780)
* chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0
(#2779)
* chore: fix broken cpe index generation task (#2778)
* chore(deps): bump github.com/docker/docker (#2773)
* chore(deps): bump peter-evans/create-pull-request from 6.0.2 to
6.0.3 (#2774)
-------------------------------------------------------------------
Sat Apr 13 09:32:58 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.2.0:
* fix: more robust go main version extraction (#2767)
* chore(deps): update tools to latest versions (#2768)
* fix: binary character in java version (#2766)
* chore(deps): update tools to latest versions (#2760)
* chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6
(#2761)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to
6.5.8 (#2754)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to
0.5.3 (#2755)
* chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10
(#2756)
* chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0
(#2751)
* Differentiate between JRE and JDK (#2748)
* chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0
(#2752)
-------------------------------------------------------------------
Thu Apr 04 16:55:06 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.1:
* chore(deps): update tools to latest versions (#2744)
* chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0
(#2747)
* chore: update anchore/packageurl-go to use latest commits
(#2746)
* feat: cataloger for PHP Pecl and PEAR packages (#2604)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to
5.12.0 (#2743)
* chore(deps): update tools to latest versions (#2741)
* fix: conan poco project cpe (#2740)
* chore(deps): bump github.com/distribution/reference from 0.5.0
to 0.6.0 (#2738)
* chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10
(#2737)
* fix: panic scanning binaries without symtab (#2739)
* chore: remove useless code (#2716)
* chore(deps): bump google.golang.org/protobuf from 1.31.0 to
1.33.0 (#2731)
* chore(deps): bump github/codeql-action from 3.24.8 to 3.24.9
(#2732)
* chore(deps): update tools to latest versions (#2733)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.5 to
6.5.6 (#2734)
* update release token from readonly to write token (#2735)
-------------------------------------------------------------------
Tue Mar 26 07:19:30 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.0:
* Adding the ability to retrieve remote licenses from
package.lock (#2708)
* dont include labels for dependabot ecosystems (#2720)
* chore(deps): bump fountainhead/action-wait-for-check from 1.1.0
to 1.2.0 (#2717)
* chore(deps): update tools to latest versions (#2726)
* chore(deps): bump github/codeql-action from 3.24.7 to 3.24.8
(#2725)
* chore(deps): bump actions/cache from 4.0.1 to 4.0.2 (#2728)
* chore(deps): bump github.com/docker/docker (#2730)
* updating credentials to scoped permissions (#2722)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.4 to
6.5.5 (#2718)
* chore(deps): bump github.com/google/go-containerregistry
(#2719)
* Add detection for Oracle GraalVM (#2705)
* chore(deps): bump docker/login-action from 3.0.0 to 3.1.0
(#2714)
* Add ELF binary package cataloger (#2396)
* chore(deps): bump modernc.org/sqlite from 1.29.3 to 1.29.5
(#2710)
* chore(deps): bump github/codeql-action from 3.24.6 to 3.24.7
(#2711)
* chore(deps): bump peter-evans/create-pull-request from 6.0.1 to
6.0.2 (#2712)
* Show binary exports, entrypoint, and imports (#2626)
* chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#2703)
* chore(deps): bump github.com/knqyf263/go-rpmdb (#2701)
* chore: reduce duplicate case SwiftPkg (#2696)
* chore: remove deprecated os.SEEK_SET os.SEEK_CUR (#2693)
* chore(deps): bump github.com/docker/docker (#2698)
* chore(deps): bump modernc.org/sqlite from 1.29.2 to 1.29.3
(#2699)
-------------------------------------------------------------------
Sat Mar 09 08:54:20 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.0.1:
* bump dependencies
* docs: add simplest example from registry (#2691)
* fix: Unable to scan OCI images with syft v0.105.1 [#2678 #2683
@spiffcs]
-------------------------------------------------------------------
Fri Mar 01 13:59:28 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.0.0:
* fix: match OpenSSL letter releases (#2682)
* Mark duplicated rows in table output (#2679)
* fix: trim path from deps.json in portable way (#2674)
* chore(deps): update tools to latest versions (#2680)
* enforce breaking change bump major version (#2635)
* docs: fix incorrect flag name in readme (#2677)
* Consider filesystem types for mount points when ignoring system
paths (#2675)
* fix: stop emitting bus events on go mod events (#2673)
* chore(deps): bump peter-evans/create-pull-request from 6.0.0 to
6.0.1 (#2676)
* feat: add `--from` flag, refactor source providers (#2610)
-------------------------------------------------------------------
Tue Feb 27 12:40:20 UTC 2024 - andrea.manzini@suse.com
- Update to version 0.105.1:
* bump deps and build tools
* fix: SPDX tag value version selector (#2665)
* fix(install): return appropriate error codes (#2664)
* chore: update busybox image for acceptance tests (#2663)
* rename binary classifier cataloger name (#2643)
* add cataloger selection example (#2646)
* add syft version used to SBOM tool info by default (#2647)
-------------------------------------------------------------------
Thu Feb 15 06:10:35 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.105.0:
* Survive indexing dead symlinks (#2645)
* fix considering base path when ignoring known bad unix paths
(#2644)
* test for field conventions in json schema (#2642)
* feat: Add Wordpress cataloger (#2218)
* rename binary cataloger to be more unique (#2633)
* fix: update runner size to use larger HD for codeql (#2641)
* chore(deps): update tools to latest versions (#2616)
* chore(deps): bump github/codeql-action from 3.24.0 to 3.24.1
(#2638)
* chore(deps): bump dawidd6/action-homebrew-bump-formula (#2639)
* chore(deps): bump modernc.org/sqlite from 1.29.0 to 1.29.1
(#2640)
* fix: add BOMRef to CycloneDX OS Component (#2634)
* chore(deps): bump github.com/saferwall/pe from 1.5.0 to 1.5.2
(#2629)
* chore(deps): bump modernc.org/sqlite from 1.28.0 to 1.29.0
(#2630)
* fix getting union reader for sif images (#2631)
* chore(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
(#2607)
* chore(deps): bump github.com/saferwall/pe from 1.4.8 to 1.5.0
(#2625)
* fix: ensure version output to stdout (#2621)
* Guess go main module version based on binary contents (#2608)
* chore(deps): update stereoscope to
681f6715b0e35686d6e6f40bce109176de1ee274 (#2617)
* fix readme around templating options (#2612)
* suppress executable parsing issues (#2614)
* chore: update license list, cpe dictionary (#2620)
* chore(deps): update tools to latest versions (#2606)
-------------------------------------------------------------------
Thu Feb 08 06:37:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.104.0:
* fix: incorrect conversion between integer types (#2605)
* chore(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0
(#2602)
* chore(deps): bump github.com/docker/docker (#2601)
* Fix: unmarshal key values in Java, Go, and Conan metadata
(#2603)
* fix(dotnet): prefer portable executable product version when
semantically greater than file version (#2600)
* Finalize Conan v2 support (#2587)
* chore(deps): update tools to latest versions (#2595)
* chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1
(#2597)
* chore(deps): update stereoscope to
bfa15e446f061bda7f68305d2d6240b053f17e0c (#2589)
* chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#2592)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.0 to
0.5.2 (#2591)
* chore(deps): bump github/codeql-action from 3.23.2 to 3.24.0
(#2593)
* labeler should ignore latest version (#2588)
* chore: copy latest schema to stable path for easier diff
(#2586)
* Adding metadata fields when parsing yarn.lock and poetry.lock
(#2350)
* Add Erlang OTP Application cataloger (#2403)
* Detect ELF security features (#2443)
* Add API examples (#2517)
* feat: Record where CPEs come from (#2552)
* chore(deps): update stereoscope to
37291e81936d2b43b3cef56667a741ef715fbfe4 (#2583)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.17.1
to 0.18.0 (#2584)
* swap format readseekers for readers (#2581)
* translate maps to sequences in pkg metadata (#2553)
* chore(deps): update tools to latest versions (#2576)
* chore(deps): bump anchore/sbom-action from 0.15.7 to 0.15.8
(#2578)
* chore(deps): bump marocchino/sticky-pull-request-comment
(#2579)
* chore(deps): bump github.com/docker/docker (#2580)
* chore(deps): update stereoscope to
db7a4bedaba6ad93becf22ce794f306dfb07fcb9 (#2577)
* Fix attest with --key (#2551)
* fix(java): improve identification for org.apache.kafka
artifacts (#2573)
* chore: pluralize the flag (#2564)
* chore(deps): update tools to latest versions (#2566)
* chore(deps): bump peter-evans/create-pull-request from 5.0.2 to
6.0.0 (#2567)
* chore(deps): bump anchore/sbom-action from 0.15.6 to 0.15.7
(#2568)
* re-add cosign signing checksums file (#2572)
-------------------------------------------------------------------
Wed Jan 31 17:29:57 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.103.1:
* revert cosign signing of release checksums file (#2571)
-------------------------------------------------------------------
Wed Jan 31 17:26:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.103.0:
* bump archiver and stereoscope (#2570)
* fix: Better test for group ID in filename (#2565)
* Sign checksums file and add SBOMs on release (#2548)
* chore(deps): bump anchore/sbom-action from 0.15.5 to 0.15.6
(#2560)
* chore(deps): bump github.com/google/go-containerregistry
(#2561)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to
6.5.4 (#2562)
* chore(deps): update tools to latest versions (#2554)
* chore(deps): bump github.com/sassoftware/go-rpmutils from 0.2.0
to 0.3.0 (#2556)
* chore(deps): bump 8398a7/action-slack from 3.15.1 to 3.16.2
(#2557)
* chore(deps): bump github/codeql-action from 3.23.1 to 3.23.2
(#2558)
* internalize format helpers (#2543)
* Internalize CPE generation logic (#2541)
* chore(deps): update tools to latest versions (#2550)
-------------------------------------------------------------------
Fri Jan 26 19:26:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.102.0:
* Implement golang Purl subpath (#2547)
* fix migration of integration test (#2546)
* Use the json schema as input for templating (#2542)
* Unexport types and functions cataloger packages (#2530)
* Internalize majority of cmd package (#2533)
* allow for RPM modularity to be optional (#2540)
* chore(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0
(#2536)
* chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0
(#2538)
* chore(deps): bump github.com/docker/docker (#2537)
* chore: stop re-exporting wfn.Attributes (#2534)
* swap format readseekers for readers (#2515)
* chore(deps): bump anchore/sbom-action from 0.15.4 to 0.15.5
(#2531)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.12
to 0.5.0 (#2532)
* plumb context through catalogers (#2528)
* Remove CLI and API deprecations (#2508)
* Turn off the SBOM cataloger by default (#2527)
* Re-introduce linux kernel cataloger (#2526)
* make AllLocations accept a context (#2518)
* chore(deps): update CPE dictionary index (#2523)
* fix: minor cataloger and docs nits (#2519)
-------------------------------------------------------------------
Sat Jan 20 17:00:30 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.101.1:
* Deduplicate digests from user configuration (#2522)
* update readme and help output to be accurate to syft api
(#2520)
* fix: remove second call to finalize as the task handles it
(#2516)
* chore(deps): update stereoscope to
eb656fc717935ad5abeb8e1379a5c4e11c957120 (#2510)
* chore(deps): bump github.com/docker/docker (#2512)
* chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0
(#2513)
* chore(deps): bump anchore/sbom-action from 0.15.3 to 0.15.4
(#2514)
* chore(deps): bump github/codeql-action from 3.23.0 to 3.23.1
(#2506)
* chore(deps): bump github.com/google/go-containerregistry
(#2507)
* chore: enable automatic approval of dependabot PRs (#2505)
-------------------------------------------------------------------
Thu Jan 18 08:10:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.101.0:
* include binary cataloger configuration defaults (#2504)
* feat: classifier for wordpress cli binary (#2473)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to
6.5.3 (#2502)
* chore(deps): bump actions/cache from 3.3.3 to 4.0.0 (#2503)
* chore(deps): update tools to latest versions (#2500)
* chore(deps): bump github.com/cloudflare/circl from 1.3.3 to
1.3.7 (#2501)
* Add cataloger list command (#2366)
* condense binary cataloger config in JSON output (#2499)
* chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0
(#2495)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to
6.5.3 (#2494)
* chore(deps): update CPE dictionary index (#2491)
* Replace core SBOM-creation API with builder pattern (#1383)
* chore(deps): update tools to latest versions (#2488)
* chore(deps): bump actions/cache from 3.3.2 to 3.3.3 (#2489)
* chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3
(#2481)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.16.1
to 0.17.1 (#2475)
* feat: binary classifiers for Percona Software For MySQL (#2478)
* feat: binary classifier for pypy (#2474)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to
6.5.2 (#2476)
* fix: support traefik binary from the official Docker image
(#2484)
* feat: binary classifier for GCC (#2479)
* chore(deps): update tools to latest versions (#2480)
* chore(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
(#2482)
* chore(deps): bump github/codeql-action from 3.22.12 to 3.23.0
(#2477)
* Upgrade binary test fixtures management (#2444)
-------------------------------------------------------------------
Sat Jan 06 15:26:12 UTC 2024 - andrea.manzini@suse.com
- Update to version 0.100.0:
* Add ability to extend the binaries cataloguers (#2469)
* chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2
(#2464)
* fix: add missing purl for busybox (#2457)
* Fix diff error obfuscating binary test failures message (#2468)
* Replace `packages` command with `scan` (#2446)
* fix: PURLs with "nuget" type are dotnet packages (#2466)
* chore(deps): update tools to latest versions (#2459)
* chore(deps): update CPE dictionary index (#2458)
* chore: update binary to -x (#2456)
* Add more functionality to the ErLang parser (#2390)
* Added OpenSSL binary matcher (#2416)
* chore(deps): update stereoscope to
590920dabc5479216e755983d41367b6be3544f3 (#2452)
* chore(deps): update tools to latest versions (#2451)
* chore(deps): bump github/codeql-action from 3.22.11 to 3.22.12
(#2455)
-------------------------------------------------------------------
Thu Dec 21 16:26:53 UTC 2023 - opensuse_buildservice@ojkastl.de
- Update to version 0.99.0:
* chore: remove execute from test fixtures (#2450)
* chore(deps): update tools to latest versions (#2447)
* fix: don't panic when hackage missing in haskell stack yaml
lock (#2448)
* Add binary classifier for the ERLang interpretter (#2417)
* Add binary classifier for Julia lang (#2427)
* Add binary detection for PHP composer (#2432)
* chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0
(#2433)
* chore(deps): update CPE dictionary index (#2442)
* chore(deps): update stereoscope to
4b999b76ca8901d15bb97aef445dc94c38d11d5c (#2440)
* fix syft-json test to use pretty json for snapshot testing
(#2441)
* refactor pkg.Collection (#2439)
* refactor javascript cataloger to use configuration options when
creating packages (#2438)
* use single source of truth for archive options (#2437)
* fix file digest cataloger when passed coordinates (#2436)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2
to 0.8.0 (#2413)
* Look for a maven version in a pom from a parent dependency
management section (#2423)
* Parse Python licenses from LicenseExpression entry in the Wheel
Metadata (#2431)
* chore(deps): bump github/codeql-action from 2.22.10 to 3.22.11
(#2430)
* chore(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0
(#2429)
* chore(deps): update tools to latest versions (#2428)
* Parse Python licenses from LicenseFile entry in the Wheel
Metadata (#2331)
* fix: use filepath instead of path for file source exclusions
(#2411)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2424)
* chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0
(#2425)
* chore(deps): bump github/codeql-action from 2.22.9 to 2.22.10
(#2426)
* chore(deps): bump dawidd6/action-homebrew-bump-formula (#2420)
* feat: add the option to retrieve remote licenses for projects
defined in a maven pom (#2409)
* chore(deps): bump github/codeql-action from 2.22.8 to 2.22.9
(#2400)
* chore(deps): bump github.com/saferwall/pe from 1.4.7 to 1.4.8
(#2415)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to
5.11.0 (#2414)
* chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#2401)
* chore(deps): update tools to latest versions (#2408)
* chore(deps): update CPE dictionary index (#2412)
* fix(java): improve identification for org.codehaus.groovy
artifacts (#2404)
* fix(java): improve identification for commons-jelly artifacts
(#2399)
* fix(java): improve identification for io.minio artifacts
(#2398)
* fix(java): improve identification for com.graphql-java
artifacts (#2397)
* chore(deps): update tools to latest versions (#2395)
* chore: enhance java purl generation integration test (#2393)
* feat: add ability to retrieve remote licenses for yarn.lock
(#2338)
* chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1
(#2392)
* Retrieve remote licenses using pom.properties when there is no
pom.xml (#2315)
* fix(java): improve identification for org.apache.tapestry
artifacts (#2384)
* fix(java): improve identification for io.ratpack artifacts
(#2379)
* fix(java): improve identification for org.apache.cassandra
artifacts (#2386)
* fix(java): improve identification for org.neo4j.procedure
artifacts (#2388)
* fix: bump fangs for ptr summarize fix (#2387)
* fix(java): improve identification for org.elasticsearch
artifacts (#2383)
* fix(java): improve identification for org.apache.geode
artifacts (#2382)
* fix(java): improve identification for org.apache.tomcat.embed
artifacts (#2381)
* fix(java): improve identification for io.projectreactor.netty
artifacts (#2378)
* fix(java): improve identification for org.eclipse.platform
artifacts (#2349)
* Generalize UI events for cataloging tasks (#2369)
* chore(deps): update tools to latest versions (#2376)
* chore(deps): bump github.com/google/go-containerregistry
(#2377)
* chore: fix tests failing due to Mac Rosetta cache (#2374)
* fix: improve dotnet portable executable identification (#2133)
-------------------------------------------------------------------
Thu Nov 30 08:14:13 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.98.0:
* fix file metadata cataloger to use resolved locations (#2370)
* fix: logging level for parsing potential PE files (#2367)
* only remove breaking-change label when there are schema changes (#2371)
* fix: capture root command stdout (#2364)
* fix: hardcode xalan group ID (#2368)
* Normalize cataloger configuration patterns (#2365)
* normalize enums to lowercase with hyphens (#2363)
* bump deps version
* fix: index file itself when file scan path has symlink (#2359)
* use read lock in pkg collection (#2341)
* Fix the `attest` command (#2337)
* fix: add manual namespace mapping for org.springframework jars (#2345)
* Add binary classifiers for MySQL and MariaDB (#2316)
* Enhance redis binary classifier (#2329)
* fix: add manual namespace mapping for org.springframework.security jars (#2343)
* fix: add manual namespace mapping for org.bouncycastle jars (#2342)
* Update developer docs to represent the current package layout (#2340)
* Remove the power-user command and related catalogers (#2306)
* Add "pretty" json configuration and change default behavior to be space-efficient (#2275)
-------------------------------------------------------------------
Sat Nov 18 08:51:36 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.1:
* chore(deps): update stereoscope to
3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336)
* feat: allow for stdout to be buffered on each command (#2335)
-------------------------------------------------------------------
Fri Nov 17 05:46:54 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.0:
* fix: prevent writing non-report output to stdout (#2324)
* chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7
(#2332)
* export metadata type helper (#2328)
* fix(java): add manual groupid mappings for org.apache.velocity
jars (#2327)
* fix(java): skip maven bundle plugin logic if vendor id and
symbolic name match (#2326)
* Refine license searching from groupIDFromJavaMetadata to allow
for having the artfactId in the groupId (#2313)
* chore(deps): update tools to latest versions (#2325)
* chore(deps): update tools to latest versions (#2318)
* Add license for golang stdlib (#2317)
* chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6
(#2321)
* docs: Update README.md for dotnet-portable-executable (#2322)
* Fall back to searching maven central using
groupIDFromJavaMetadata (#2295)
* rename file.Location.VirtualPath to AccessPath (#2288)
* chore(deps): update tools to latest versions (#2308)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11
to 0.4.12 (#2310)
* chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0
(#2311)
-------------------------------------------------------------------
Thu Nov 09 14:48:04 UTC 2023 - kastl@b1-systems.de
- Update to version 0.96.0:
* include image labels in cycloneDX SBOM (#2294)
* Add accessPath on Location objects to syft-json output (#2287)
* SPDX file has duplicate sha256 tag in versionInfo (#2300)
* Check maven central as well for licenses in parents poms for
nested jars (#2302)
* chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0
(#2293)
* chore(deps): update tools to latest versions (#2301)
* fix: identify cyclone-json without $schema (#2303)
-------------------------------------------------------------------
Tue Nov 07 20:40:41 UTC 2023 - kastl@b1-systems.de
- Update to version 0.95.0:
* chore: setup release task before calling go releaser (#2297)
* chore(deps): update tools to latest versions (#2296)
* chore(deps): update tools to latest versions (#2289)
* chore(deps): update CPE dictionary index (#2290)
* chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0
(#2292)
* Wire though maven-url to java config (#2291)
* Use case-insensitive matching for Go license files (#2286)
* Add a new Java configuration option to recursively search
parent poms… (#2274)
* chore(deps): update tools to latest versions (#2280)
* Follow convention for naming catalogers (#2277)
* change dir resolver to include virtual path (#2259)
* fix: syft does not handle the case of parsing a jar with
multiple poms (#2231)
* add PURLs when scanning Gradle lock files (#2278)
* chore(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0
(#2279)
* test: remove dll files and updates tests to use
versionResources (#2276)
* fix: update dot net binary parsing logic to remove empty space
(#2273)
* Read a license from a parent pom stored in Maven Central
(#2228)
* Update README.md to use canonical output format names (fixes
#2269) (#2272)
* Remove MetadataType from core package object and normalize JSON
metadataType values (#1983)
* chore(deps): bump github.com/docker/docker (#2263)
* chore(deps): update stereoscope to
5909e353ee88d7809f0e646c79f110a0e6b1d80d (#2265)
* chore(deps): update CPE dictionary index (#2271)
* chore: fix cpe generation task (#2270)
* chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0
(#2262)
* chore(deps): bump github/codeql-action from 2.22.4 to 2.22.5
(#2261)
* chore(deps): update tools to latest versions (#2258)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to
5.10.0 (#2256)
* feat: Perform case insensitive matching on Java license files
(#2235)
* Split the sbom.Format interface by encode and decode use cases
(#2186)
* Upgrade tool management (#2188)
* fix: 2179 jar chokes empty lines (#2254)
* chore(deps): update CPE dictionary index (#2253)
* fix CPE workflow (#2252)
* feat: add conaninfo.txt parser to detect conan packages in
docker images (#2234)
* chore(deps): update bootstrap tools to latest versions (#2245)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.0
to 4.6.1 (#2248)
* chore(deps): bump github/codeql-action from 2.22.3 to 2.22.4
(#2249)
* fill version info from release and git directly (#2244)
* Add ruby.NewGemSpecCataloger to DirectoryCatalogers. (#1971)
* change homebrew release trigger (#2242)
-------------------------------------------------------------------
Fri Nov 3 09:12:53 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.21
-------------------------------------------------------------------
Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de
- Update to version 0.94.0:
* Label PRs when the json schema changes (#2240)
* Add download location when cataloging directory npm package
lock (#2238)
* fix: allow packages to be captured from DIST/EGG case (#2239)
* Account for maven bundle plugin and fix filename matching
(#2220)
* chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236)
* Remove internal string set (#2219)
* bump clio to get stderr reporting fix (#2232)
* Fix panic for empty input to Swift cataloger (#2226)
* Add additional license filenames (#2227)
* chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3
(#2229)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0
to 0.9.1 (#2222)
* chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2
(#2224)
* Detect a license file in the root directory or META-INF of a
jar (#2213)
* Parse donet dependency trees (#2143)
* chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0
(#2214)
* chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
(#2215)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0
to 0.9.0 (#2216)
* chore: add automated homebrew action (#2164)
* Add relationships for dpkg packages (#2212)
-------------------------------------------------------------------
Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de
- Update to version 0.93.0:
* Parse the Maven license from the pom.xml if not contained in
the mani… (#2115)
* Refine the docs for building a cataloger (#2175)
* Fix algo lookup by converting key to lower case (#2207)
* chore(deps): bump github/codeql-action from 2.22.0 to 2.22.1
(#2208)
* feat: add package for go compiler given binary detection
(#2195)
* chore(deps): bump github.com/docker/distribution from
2.8.2+incompatible to 2.8.3+incompatible (#2193)
* chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0
(#2202)
* chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
(#2204)
* chore: update license list to 3.22 (#2201)
* Add exact syntax of the conversion formats (#2196)
* chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7
(#2198)
* chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0
(#2199)
* chore: removes unnecessary conditional (#2194)
* chore: improve --output help text and deprecate --file (#2187)
* chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0
(#2189)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10
to 0.4.11 (#2191)
* chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9
(#2182)
* chore(deps): update bootstrap tools to latest versions (#2178)
* chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6
(#2180)
-------------------------------------------------------------------
Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.92.0:
* bump deps to latest version
* fix: deterministic java purls (#2170)
- Update to version 0.91.0:
* fix: prevent errors from clobbering terminal (#2161)
* Require ordering of relationships when comparing parser output (#2160)
* Add containerd support (#1793)
* feat: add dependency information to conan lockfile parser (#2131)
* fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083)
* feat: add cyclonedx schema version selection (#2123)
* fix: allow cyclonedx json input with no components (#2127)
* fix source-version typo in flag description (#2126)
- Update to version 0.90.0:
* fix(help): power-user help text to indicate it supports file-system (#2113)
* fix: update codeql-analysis for go 1.21 (#2108)
* feat(cmd/update): add UA header with current ver when check for update (#2100)
* fix(cdx): validate external refs before encoding (#2091)
* fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075)
-------------------------------------------------------------------
Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.89.0:
* tidy gomod and gitignore (#2082)
* fix quiet flag (#2081)
* fix: in some cases, try to use pom info to guess name and
version to top level jar (#2080)
* fix: don't panic on universal go binaries (#2078)
* chore: update CLI to CLIO (#2001)
* Add registry certificate verification support (#1734)
* fix: CPE generation for django (#2068)
-------------------------------------------------------------------
Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de
- Update to version 0.88.0:
* chore: update quill to the latest version (#2065)
* fix: duplicate entries in cyclonedx dependency list (#2063)
* Fix panic in pom parsing (#2064)
* Fix: don't validate pom declared group (#2054)
* chore: trace log pom property reflect usage (#2059)
* fix: do not double-prefix symlink paths that already contain
volume names (#2051)
* feat: add bash classifier (#2055)
* Detect golang boring crypto and fipsonly modules (#2021)
* fix: properly parse conan ref and include user and channel
(#2034)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1
to 0.8.0 (#2053)
* Enable reading non-utf-8 encodings for java pom.xml files
(#2047)
* feat: 1944 - update purl generation to use a consistent groupID
(#2033)
* chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1
(#2049)
* chore(deps): update bootstrap tools to latest versions (#2048)
* chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0
(#2045)
* chore(deps): update CPE dictionary index (#2043)
* fill out new version notice (#2042)
-------------------------------------------------------------------
Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.1:
* feat: use java package names to determine known groupids
(#2032)
* fix: inconsistent removal of binaries by overlap (#2036)
* fix: CycloneDX relationships not output or decoded properly
(#1974)
* chore: restore cataloger.DefaultConfig (#2028)
-------------------------------------------------------------------
Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.0:
* fix: read direct package files when decoding SPDX tag-value
(#2014)
* chore(deps): update bootstrap tools to latest versions (#2022)
* chore(deps): update CPE dictionary index (#2025)
* chore(deps): update bootstrap tools to latest versions (#2012)
* chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
(#2008)
* 1948-filter-pkg-by-type (#2011)
* chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0
(#2009)
* fix: SPDX license values and download location (#2007)
* 931: binary cataloger exclusion defaults for ownership by
overlap (#1948)
* chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
(#2004)
* chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0
(#1998)
* test: add coverage for new rpmdb paths (#1999)
* chore: improve spdx purl decoding (#1996)
* fix: gradle lockfile parser groupId handling (#1995)
* fix: update glob to use newer usr/lib/sysimage path (#1997)
* fix: opkg search glob (#1994)
* feat: nginx binary classifier (#1988)
* Expand deb cataloger to include opkg (#1985)
* chore(deps): update bootstrap tools to latest versions (#1991)
* chore(deps): bump github.com/google/go-containerregistry
(#1993)
* chore: update bubbly to fix hanging (#1990)
* chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
(#1989)
* feat: use originator logic to fill supplier (#1980)
* add metadata types to all cpe test fixtures (#1982)
-------------------------------------------------------------------
Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.1:
* fix: default image source name to user input (#1979)
-------------------------------------------------------------------
Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.0:
* chore(deps): update stereoscope to
d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975)
* chore: update to latest commit in tools-golang (#1969)
* Guess unpinned versions in python requirements.txt (#1966)
* chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2
(#1965)
* Fix panic condition on docker pull failure (#1968)
* bump JSON schema to account for simplified python env markers
(#1967)
* feat: support top-level SPDX package and graph (#1934)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to
5.8.1 (#1959)
* Add cataloger for Swift Package Manager. (#1919)
* chore(deps): update stereoscope to
d515761c6ca2743a67d7d08053db69235ae76d1d (#1953)
* chore(deps): bump github.com/docker/docker (#1955)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.0 (#1951)
* Introduce indexed embedded CPE dictionary (#1897)
* chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4
(#1949)
* Add support for parsing .NET assemblies (#1943)
* docs: capture artifactory dev settings from 1895 (#1947)
* remove build binary and add explicit git ignore
* docs: update docs with new docker specific instructions (#1941)
* remove jotframe UI (#1932)
* fix: remove indirect dependency of circl v1.1.0 (#1940)
* chore: move wait before iteration to guarantee read before tea
(#1931)
-------------------------------------------------------------------
Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de
- Update to version 0.85.0:
* implement ui handle waiter (#1930)
* fix: background reader apart from global handler for testing
(#1929)
* chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0
(#1928)
* fix: allow valid cyclonedx input with no components (#1873)
* fix: "or-later" suffix updated to consider deprecated "+"
operator (#1907)
* feat: CLI flag for directory base (#1867)
* Fix CPE gen for k8s python client (#1921)
* chore: update iterations to protect against race (#1927)
* chore(deps): update bootstrap tools to latest versions (#1922)
* fix: Don't use the actual redis or grpc CPEs for gems (#1926)
* fix(install): return with right error code (#1915)
* Remove erroneous Java CPEs from generation (#1918)
* chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
(#1916)
* Switch UI to bubbletea (#1888)
* fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate
the link (#1884)
* add file source digest support (#1914)
* chore(deps): update bootstrap tools to latest versions (#1908)
* chore(deps): bump golang.org/x/mod from 0.11.0 to 0.12.0
(#1912)
* chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0
(#1913)
* doc(readme): add installation section with scoop (#1909)
* Refactor source API (#1846)
* chore(deps): update bootstrap tools to latest versions (#1905)
-------------------------------------------------------------------
Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.1:
* chore(deps): update stereoscope to
cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903)
* chore(deps): update bootstrap tools to latest versions (#1902)
* fix: discover deb file relationships in distroless images
(#1901)
* add oss community board auto-add workflow (#1898)
* chore(deps): update stereoscope to
8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890)
* chore(deps): update bootstrap tools to latest versions (#1894)
* fix: add support for Dart SDK package dependencies (#1891)
* Simplify the SBOM writer interface (#1892)
* fix: improve version detection in Java archive name parsing
(#1889)
* fix: only output valid cyclonedx license choices (#1879)
* docs: clarify reasoning of default catalogers for images or
directories (#1887)
-------------------------------------------------------------------
Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.0:
* Configure chronicle to pre-1.0 mode (#1886)
* chore: update SPDX license list to 3.21 (#1885)
* chore(deps): update bootstrap tools to latest versions (#1880)
* Pad artifact IDs (#1882)
* chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0
(#1878)
-------------------------------------------------------------------
Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.1:
* chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1
(#1874)
* chore(deps): update stereoscope to
5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
* chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
(#1876)
* fix: pom properties not setting artifact id (#1870)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to
0.5.2 (#1868)
-------------------------------------------------------------------
Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.0:
* fix: handle invalid symlinks (#1861)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to
0.5.1 (#1850)
* chore(deps): update bootstrap tools to latest versions (#1857)
* Pr 1825 (#1865)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to
1.9.3 (#1862)
* chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0
(#1863)
* feat: source-version flag (#1859)
* chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0
(#1851)
* accept main.version ldflags even without vcs (#1855)
* feat: add scope to pom properties (#1779)
* chore(deps): bump github.com/stretchr/testify from 1.8.3 to
1.8.4 (#1852)
* chore(deps): bump github.com/docker/docker (#1849)
* Add test to ensure package metadata is represented in the JSON
schema (#1841)
* Fix directory resolver to consider CWD and root path input
correctly (#1840)
* Migrate location-related structs to the file package (#1751)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to
5.7.0 (#1843)
-------------------------------------------------------------------
Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.82.0:
* fix: add panic recovery for license parse (#1839)
* chore: return both failures when failed to retrieve an image
with a scheme (#1801)
* Extract go module versions from ldflags for binaries built by
go (#1832)
* fix: duplicate packages, support pnpm lockfile v6 (#1778)
* chore(deps): update stereoscope to
e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
* chore(deps): bump github.com/stretchr/testify from 1.8.2 to
1.8.3 (#1829)
* chore(deps): bump github.com/docker/docker (#1833)
-------------------------------------------------------------------
Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.81.0:
* Keep original FileInfo persisted on file.Metadata structs
(#1794)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to
1.9.2 (#1827)
* chore(deps): bump github.com/google/go-containerregistry
(#1823)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to
1.9.1 (#1822)
* chore(deps): bump github.com/docker/docker (#1824)
* fix: update field plurality of 8.0.0 schema before release
(#1820)
* fix: update cataloger to check for expressions before split
(#1819)
* feat: update syft license concept to complex struct (#1743)
* fix: cyclonedx depends-on relationship inverted (#1816)
* fix: retain sbom cataloger relationships (#1509)
* feat: warn if parsing newer SBOM (#1810)
* feat: Add R cataloger (#1790)
* update cosign to v2 release (different go module) (#1805)
* fix: Reduce log spam on unknown relationship type (#1797)
* chore(deps): update bootstrap tools to latest versions (#1807)
* chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
* chore(deps): bump github.com/docker/docker (#1795)
* chore(deps): bump github.com/google/go-containerregistry
(#1796)
* chore(deps): update bootstrap tools to latest versions (#1792)
* Print package list when extra packages found (#1791)
* chore(deps): update bootstrap tools to latest versions (#1786)
* chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)
-------------------------------------------------------------------
Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.80.0:
* Update the CPE generation for spring-security-core (#1789)
* chore: do not HTML escape PackageURLs (#1782)
* chore: do not include kernel module cataloger by default
(#1784)
* chore(docs): Update lists of catalogers (#1780)
* chore: add more detail on SPDX file IDs (#1769)
* Search /usr/share for rpmdb to fix scan on ostree-managed
images (#1756)
* chore(deps): bump github.com/docker/docker (#1767)
* rename sbom.PackageCatalog to sbom.Packages (#1773)
* chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1
(#1768)
* Create python requirements metadata (#1759)
* chore: update test redactor ordering (#1765)
* rename pkg.Catalog to pkg.Collection (#1764)
* chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0
(#1758)
* chore: go-rpmdb update (#1757)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from
0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
* fix: Improve pnpm support (#1752)
-------------------------------------------------------------------
Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.79.0:
* feat: Add template func `hasField` (#1754)
* fix: only cache java packages and not source content (#1750)
* Add sections of interest for Gemfile.lock cataloger (#1749)
* fix: update cache.fingerprint file to java-builds dir (#1748)
* Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
* chore: bump stereoscope to latest version (#1741)
* chore(deps): update bootstrap tools to latest versions (#1744)
* chore(deps): bump github.com/docker/docker (#1746)
-------------------------------------------------------------------
Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de
- Update to version 0.78.0:
* Create consul binary classifier (#1738)
* chore(deps): update bootstrap tools to latest versions (#1740)
* Fix kernel cataloger test fixtures (#1742)
* feat: Support scanning license files in golang packages over
the network (#1630)
* Add package-to-file location evidence relationships (#1698)
* Add Linux Kernel cataloger (#1694)
* Add annotations for evidence on package locations (#1723)
* add format make target (#1733)
* Update tests to not fail on Mac M1's. (#1730)
-------------------------------------------------------------------
Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.77.0:
* chore(deps): update bootstrap tools to latest versions (#1728)
* Add support for nar files. (#1727)
* add highlevel details about catalogers (#1726)
* chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
* chore(deps): update stereoscope to
e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
* feat: gradle lockfile support (#1719)
* chore(deps): bump github.com/docker/docker (#1715)
* chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
* chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
* chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0
(#1716)
* chore(deps): bump peter-evans/create-pull-request from 4 to 5
(#1712)
-------------------------------------------------------------------
Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.1:
* chore: update tools-golang to v0.5.0 (#1717)
* Add Nix cataloger (#1696)
* refactor spdx tooling test to reduce intermittent failures
(#1707)
* Capture file ownership relationships from portage ecosystem
(#1702)
* chore: update deprecated set-output calls (#1705)
-------------------------------------------------------------------
Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.0:
* feat: Add config option to allow user to select the default
image source location
* chore(deps): bump github.com/docker/docker (#1699)
* chore(deps): update bootstrap tools to latest versions (#1697)
* chore(deps): update stereoscope to
d7551b7f46f53179922d6229709d3d1602881080 (#1693)
* 1577 spdxlicense generate (#1691)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to
0.5.3 (#1692)
* feat: scan local go mod cache for licenses of golang packages
(#1645)
* chore: fix flaky license sorting (#1690)
* chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3
(#1689)
* fix: shell completion by adding missing usage message required
by spf13/cobra (#1688)
* chore(deps): update bootstrap tools to latest versions (#1686)
* chore: tweak some workflow text (#1685)
* Remove more side effects from application config testing
(#1684)
* Deprecate config.yaml as valid config source; Add unit
regression for correct config paths (#1640)
* chore: Update syft bootstrap tools to latest versions. (#1682)
* Update documentation: (#1680)
* chore: Update Stereoscope to
7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
* fix: reduce logging for bad dpkg lines (#1675)
* fix ruby classifier (#1678)
* feat: add shared dir for easier cleanup (#1676)
* chore(deps): bump github.com/google/go-containerregistry
(#1672)
* chore(deps): bump actions/setup-go from 3 to 4 (#1671)
* fix: move defer after error to protect panic case (#1670)
* feat: add argocd, helm, kustomize and kubectl binary
classifiers (#1663)
* defer closing file (#1668)
* fix: remove author contributing to javascript CPEs (#1669)
-------------------------------------------------------------------
Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de
- Update to version 0.75.0:
* fix: more python matching support (#1667)
* Update syft bootstrap tools to latest versions. (#1666)
* feat: add ruby classifier (#1665)
-------------------------------------------------------------------
Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.1:
* Update syft bootstrap tools to latest versions. (#1658)
* fix: improved Python binary detection (#1648)
* fix: suppress some known incorrect vendor candidates for npm
CPEs (#1659)
* fix: sanitize SPDX LicenseRefs (#1657)
* chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
* chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
* chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5
(#1654)
* chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
* fix: dotnet PURL types are invalid (#1649)
* feat: disable cpe vendor wildcards to reduce false positives
(#1647)
* read relative etc/apk/repositories for alpine version when no
OS provided (#1615)
-------------------------------------------------------------------
Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.0:
* fix: possible race condition (#1639)
* fix: remove APK OriginPackage cpe candidates (#1637)
* fix: rebar lock file decoding panic (#1628)
* fix: handle individual cataloger panics (#1636)
* fix: apk product/vendor generation for old metadata (#1635)
* feat: rust toolchain binary cataloger (#1601)
* feat: retain go package info when no module declared (#1632)
* fix: improved CPE-generation for several more APK packages
(#1631)
* chore: update deprecated release flag (#1629)
* chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
* feat: add support for SUPPORT_END in /etc/os-release (#1612)
* fix: further improvements to CPE generation for apk packages
(#1623)
* chore(deps): bump github.com/stretchr/testify from 1.8.1 to
1.8.2 (#1625)
* chore(deps): bump actions/checkout from 2 to 3 (#1626)
* feat: set cosign attest predicate type based on Syft output
type (#1598)
* chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4
(#1609)
* fix: correct apk purls for other distros (#1620)
* refactor: move apk upstream logic to apk metadata (#1619)
* fix: decoding null apk metadata pullDependencies (#1614)
* feat: haproxy binary matcher (#1591)
* fix: determine upstream for apk version streams (#1610)
* fix: improve CPE generation for curl APK (#1608)
* Revert "add workaround for macos github actions cache issue
(#1584)" (#1605)
-------------------------------------------------------------------
Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.73.0:
* Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
* chore: fix cataloger_test (#1603)
* fix: merging of binary packages (#1583)
* fix: issue when matching format versions (#1585)
* chore: update syft bootstrap tools to latest versions. (#1593)
* feat: add perl binary classifier (#1592)
* Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
* Update SPDX license list to 3.20 (#1600)
* chore: update SPDX license list (#1599)
* fix cataloger selection to be more specific (#1582)
* add workaround for macos github actions cache issue (#1584)
-------------------------------------------------------------------
Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.72.0:
* Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
* chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
* chore: update bug issue template (#1571)
* allow convert to take stdin (#1570)
* fix: improve CPE and upstream generation logic for Alpine packages (#1567)
* fix: missing APK node vulnerabilities (#1565)
* fix: python CPE generation for alpine (#1564)
* chore(deps): bump github.com/docker/docker (#1563)
-------------------------------------------------------------------
Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.71.0:
* switch from trigger-release target to release target (#1560)
* Speed up cataloging by replacing globs searching with index lookups (#1510)
* Update syft bootstrap tools to latest versions. (#1549)
* Fix installed versions (#1556)
* chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
* feat: add postgresql classifier (#1536)
* Add release trigger (#1501)
* chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
* chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
* fix: add support for licenses not found on list (#1540)
* Update syft bootstrap tools to latest versions. (#1541)
* feat: Allow specific versions of formats to be specified (#1543)
* Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
* source: when base is set, responsePath should be absolute (#1542)
-------------------------------------------------------------------
Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.70.0:
* fix: update config struct to not decode password/key (#1538)
* Update syft bootstrap tools to latest versions. (#1537)
* feat: add traefik classifier (#1504)
* fix: don't hardcode Cosign attest type (#1533)
* chore(deps): bump github.com/docker/docker (#1531)
* Update syft bootstrap tools to latest versions. (#1530)
-------------------------------------------------------------------
Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.1:
* chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
* feat: update golang to 1.19 (#1526)
* Update syft bootstrap tools to latest versions. (#1525)
-------------------------------------------------------------------
Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.0:
* Allow scanning unpacked container filesystems (#1485)
* fix: allow template for syft convert (#1521)
* 1465 attestation with private key (#1502)
-------------------------------------------------------------------
Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.1:
* fix: add relevant CPEs to python and busybox classifiers (#1517)
* Update syft bootstrap tools to latest versions. (#1515)
* chore: correct bootstrap tool script (#1514)
* chore(deps): bump github.com/google/go-containerregistry (#1513)
* Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
* chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
* chore(deps): bump github.com/docker/docker (#1506)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
* chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
* Bump github.com/spdx/tools-golang to v0.4.0 (#1450)
-------------------------------------------------------------------
Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.0:
* Fix panic in apkdb parsing on empty "provides" values (#1494)
* push detailed log statements to trace-level (#1500)
* npm: package-lock license decoding to accept string or array (#1482)
* always set the package ID for java packages (#1493)
* fix: skip filling in empty fields in APK metadata (#1484)
* chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
* chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
* chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
* Relax error conditions for catalogers (#1492)
* feat: add memcached classifier (#1486)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
* chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
* chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
* chore(deps): bump github.com/google/go-containerregistry (#1487)
* chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
* chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
* chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
* chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
* chore(deps): bump github/codeql-action from 1 to 2 (#1473)
* chore(deps): bump actions/setup-go from 2 to 3 (#1472)
* Add dependabot (#1451)
- skip non-existent release 0.67.x
-------------------------------------------------------------------
Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.2:
* chore: use checkout v3 with new depth (#1471)
* chore: use checkout v2 for tag depth (#1470)
* fix: nil panic in graalvm cataloger (#1468)
* add linter for type assertion checks (#1469)
* fix: bump golang.org/x/net to v0.4.0 (#1467)
* fix: bump golang.org/x/text to v0.3.8 (#1466)
* bootstrap within composite action (#1461)
* chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
* README: update Nix installation instructions (#1455)
-------------------------------------------------------------------
Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.1:
* fix: update graalvm cataloger to fix panic (#1454)
* chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)
-------------------------------------------------------------------
Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.0:
* feat: Add the origin field to the output format of syftjson (#1327)
* chore: update schema (#1449)
* feat: prefer known CPE vendors over other candidates (#1294)
* fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
* feat: add BeamVM Hex support (#1073)
* feat: add apache httpd binary classifier (#1448)
* chore: claim artifacthub package ownership from developer-guy (#881)
* Parallel package catalog processing (#1355)
* feat: Add php binary catalogers (#1444)
* Update syft bootstrap tools to latest versions. (#1443)
* fix: duplicate file in tar archive causes read to fail (#1445)
* Add support for GraalVM Native Image executables. (#1276)
* Add redis binary classifier (#1438)
* docs: add cataloger construction summary (#1434)
* chore: update bootstrap tools to latest versions. (#1428)
* Add alpine type to purl (#1431)
-------------------------------------------------------------------
Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de
- Update to version 0.65.0:
* adding purl types for binary classifiers (#1435)
* chore: refactor basic CPE functionality to its own package (#1436)
* fix: typo in os.Getwd error message (#1433)
* fix: additional excessive go binary warnings (#1432)
* docs: migrate to homebrew-core (#1427)
-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.64.0:
* fix: unicode output in cyclonedx-json format (#1420)
* fix: excessive go binary warnings (#1424)
* feat: update spdx format model to produce valid spdx json documents (#1418)
* clean package names in python parsers (#1417)
* docs: update schema name to 2.3 (#1416)
* feat: add h1digest when scanning go.mod (#1405)
* feat: Add license parsing for java (#1385)
* fix: cyclonedx component type for binaries (#1406)
* fix: openjdk detection pattern (#1415)
* bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
* Add NetBSD support. (#1412)
-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.63.0:
* feat: add catalog delete (#1377)
* docs: remove file classifier (#1397)
* chore: update latest cyclonedx library (#1390)
* feat: Add Java binary catalogers (#1392)
* chore: Update SPDX license list to 3.19 (#1389)
* fix: add manual vendor/product removal to fix false flags (#1070)
* Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
* chore: fix test busybox image sha (#1393)
* fix: go version not properly identified in binary (#1384)
-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.3:
* Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
* fix: Update node binary package name (#1375)
* feat: Generic Binary Cataloger (#1336)
* recover from bad parsing of golang binary (#1371)
* Fix parsing of apk databases with large entries (#1365)
* Update syft bootstrap tools to latest versions. (#1369)
-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.2:
* fix: guard for locations < 1 in alpmdb parse (#1366)
* fix: remove cabal.project.freeze panic on last pkg (#1363)
* fix: requirements.txt - return unicode only letter/num for version (#1361)
* Update syft bootstrap tools to latest versions. (#1356)
-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.1:
* fix: sort relationships in SPDX output (#1350)
* chore: add debug logging for decode errors (#1352)
* feat(npm): handle aliases in package-lock.json (#1349)
-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.0:
* fix: spdx java checksum correctness (#1348)
* feat: Add support for npm lockfile version 3 (#1206)
-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.61.0:
* 1111 clean name bug (#1347)
* Add spdx relationship encoding for dependencies (#1342)
* feat: SPDX 2.3 support (#1311)
* SBOM cataloger (#1029)
* chore: clean up linting configuration (#1343)
* fix: Unmarshal Syft JSON with missing metadata (#1338)
* fix apk decode for older data shapes (#1341)
* chore: add unit test for wolfi os release identification (#1340)
* fix: Output only valid CPEs for CycloneDX OS components (#1339)
* feat: Add `--name` option to override name in output (#1269)
* Add support for dependency relationships for alpine (apk) (#1063)
* normalize alpm md5 refs (#1333)
* Update java generic cataloger (#1329)
* Support encoding map types to CycloneDX properties (#1332)
* Update swift cataloger to generic cataloger (#1324)
* port rust cataloger to new generic cataloger pattern (#1323)
* port ruby cataloger to new generic cataloger pattern (#1322)
* port rpm cataloger to new generic cataloger pattern (#1321)
* port python cataloger to new generic cataloger pattern (#1319)
* Update portage cataloger to new generic cataloger (#1316)
* port php cataloger to new generic cataloger pattern (#1315)
-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.3:
* javascript cataloger: node binary: nil pointer dereference (#1313)
* Fix: Include version information in binary cataloger CPEs (#1310)
* fix: only generate PURL on empty string (#1312)
* add s3 credentials to release (#1309)
* port javascript cataloger to new generic cataloger pattern (#1308)
-------------------------------------------------------------------
Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.2:
* chore: update goreleaser brew token (#1306)
* fix: Decode binary and unknown metadata (#1307)
-------------------------------------------------------------------
Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.1:
* chore: update github token permissions for goreleaser (#1305)
-------------------------------------------------------------------
Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.0:
* fix: update ci secret to use new password (#1304)
* fix: update secret value to use new cert cahin (#1303)
* fix: verbose quill release failures (#1302)
* fix: unterminated quoted string (#1300)
* fix: update Makefile to remove old signing arch (#1299)
* feat: add nodejs-binary package classifier (#1296)
* update go-rpmdb to improve parsing of installed files (#1297)
* docs: update attestation directions with new cosign changes
* fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
* Fix #1245 Update SPDX license list to 3.18 (#1259)
* fix: Resolve Maven POM expressions (#1251) (#1278)
* port haskell cataloger to new generic cataloger pattern (#1290)
* port golang cataloger to new generic cataloger pattern (#1289)
* port deb/dpkg cataloger to new generic cataloger pattern (#1288)
* update cataloger tests to use pkgtest utils (#1287)
* port dotnet cataloger to new generic cataloger pattern (#1286)
* port dart cataloger to new generic cataloger pattern (#1285)
* port conan cataloger to new generic cataloger pattern (#1284)
* port apk cataloger to new generic cataloger pattern (#1283)
* replace signing tooling with quill (#1280)
* Upgrade generic cataloger (#1281)
* Update syft bootstrap tools to latest versions. (#1282)
* replace logger interface with anchore/go-logger (#1279)
* Update syft bootstrap tools to latest versions. (#1267)
* Add go binary h1 digest to SPDX (#1265)
* fix: move reproduction to top of issue (#1264)
* fix: update syftjson ID to match major schema version (#1274)
* Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
* chore: handle deprecated SPDX license: StandardML-NJ (#1266)
-------------------------------------------------------------------
Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de
- Update to version 0.59.0:
* Fixes #1179 Deprecated SPDX license (#1263)
* feat: add RelationshipsBySourceOwnership to syft json output (#1248)
* fix: reset merged package into map; (#1258)
* refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
* Update syft bootstrap tools to latest versions. (#1254)
* Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
* Update syft bootstrap tools to latest versions. (#1244)
* fix apkdb checksum representation (#1247)
* feat: add identifiable field to source object (#1243)
* feat: attest support for Singularity images (#1201)
* Update syft bootstrap tools to latest versions. (#1239)
* Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
* fix: Follow symlinks when searching for globs in all-layers scope (#1221)
* update requires to use list; remove field (#1234)
-------------------------------------------------------------------
Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.58.0:
* Add Conan (C/C++) conan.lock file support (#1230)
* add sequence diagrams and flesh out TODO notes (#1233)
* Do not fail if unable to parse `.rpm` file (#1232)
* fix: support exclude patterns on Windows (#1228)
* Update syft bootstrap tools to latest versions. (#1225)
* Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
* Update syft bootstrap tools to latest versions. (#1223)
* Update syft bootstrap tools to latest versions. (#1220)
-------------------------------------------------------------------
Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de
- Update to version 0.57.0:
* feat: catalog python files for installed-files.txt file metadata (#1217)
* Stabilize SPDX JSON output sorting (#1216)
* bug: remove chance for panic; provide default attestation path (#1214)
* refactor: update Makefile organization; update DEVELOPING.md instructions (#1212)
* refactor: replace ioutil=>io; update linter (#1211)
* Update bootstrap tools to latest versions. (#1204)
* Add gosimports (#1205)
* refactor: move formats from internal into syft module (#1172)
-------------------------------------------------------------------
Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de
- Update to version 0.56.0:
* warn on errors from RPM DB parsing (#1200)
* docs: improve Singularity image source docs (#1190)
* Add RPM file scanning support (#1188)
* Normalize syft-json output (#1194)
* Revert "External sources configuration (#1158)" (#1191)
* Update syft bootstrap tools to latest versions. (#1186)
* Fix RPM DB license handling (#1184)
* Update syft bootstrap tools to latest versions. (#1182)
-------------------------------------------------------------------
Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de
- Update to version 0.55.0:
* update stereoscope to latest (#1181)
* Update syft bootstrap tools to latest versions. (#1180)
* Bug fix for 1095 - syft conversion option error (#1177)
* Update syft bootstrap tools to latest versions. (#1176)
* enhance development support on macOS ARM (#1163)
* Capture if a node module is private (#1161)
* Find version numbers from jars with different naming conventions (#1174)
* Update syft bootstrap tools to latest versions. (#1171)
* Fix update-bootstrap-tools workflow (#1170)
* workflow to create automated PRs to update bootstrap tools (#1167)
* feat: add support for licenses in package-lock json v2 (#1164)
* External sources configuration (#1158)
* feat: add support for pnpm (#1166)
* Prevent symlinks causing duplicate package-file relationships (#1168)
-------------------------------------------------------------------
Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de
- Update to version 0.54.0:
* Associate node package licenses from node_modules (#1152)
* Give the contributing guide a substantial rework (#1155)
* fix: extract file ids correctly for spdx-json (#1156)
* metadata decoding should be optional (#1154)
* Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151)
* Add modularitylabel metadata to RPM type records generated by syft (#1148)
* Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149)
* retraction for mispublished versions (#1147)
* cataloger configuration is respected regardless of source (#1142)
* Update README.md (#1146)
* bump cosign to v1.10.1 (#1144)
-------------------------------------------------------------------
Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.4:
* Update stereoscope to get rid of the replace directive (#1140)
-------------------------------------------------------------------
Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.3:
* Correct squashfs import and fix incorrect bouncer configuration (#1138)
-------------------------------------------------------------------
Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.2:
* Overwrite deprecated SPDX licenses automatically (#1009)
* disable release for docker assets (#1137)
-------------------------------------------------------------------
Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.1:
* improve docker release bootstrap (#1136)
* Singularity Image Support (#974)
-------------------------------------------------------------------
Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.0:
* remove docker login from keychain (#1135)
* remove ENV checks from siging script (#1134)
* remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133)
* remove prefixed v from tag to match release (#1131)
* rollback actions-setup-docker to earlier version (#1130)
* Bump go-rustaudit to support rustaudit 0.2.0 (#1127)
* bump bouncer to v0.4.0 (#1125)
* Added ppc64le supported to the syft:debug image (#1124)
* add a cataloger for binaries built with rust-audit (#1116)
* bump goreleaser to v1.10.3 (#1123)
* bump golangci-lint to v1.47.2 (#1122)
* bump cosign in bootstrap-tools to v1.10.0 (#1121)
* Added s390x support (#1117)
* Delete pr_action.yaml (#1120)
* fix: use generic instead of not generating purl (#1119)
* bump cosign to v1.10.0 (#1114)
-------------------------------------------------------------------
Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.52.0:
* Update sigstore/rekor dependency (#1112)
* Added ppc64le support (#1099)
* patch-distroless-ghcr (#1110)
* add distroless debug image to published release (#1106)
* update help formatting (#1105)
* feat: implement haskell support (#1096)
* Add the -r argument for gnu xargs (#1103)
* fix: -o output option to include formats (#1102)
* moves go-rpmdb to latest; libc => v1.16.7 (#1098)
-------------------------------------------------------------------
Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.51.0:
* feat: add support for cocoapods (Swift/Objective-C) (#1081)
* Fix package url for Go modules with no / (#1092)
* Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090)
* feat: output attestation to file (#1087)
* Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089)
* Add portage support for Gentoo Linux (#1076)
* Add PR action back to workflow with new token (#1086)
-------------------------------------------------------------------
Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de
- Update to version 0.50.0:
* feat: add new login cmd (#1068)
* update AltRpmDbGlob with comment and context (#1085)
* feat: add support for conan packages (C/C++) (#1083)
* add golang main module and pseudo-version (#916)
* fix: add glob to filter list to ensure rpm metadata files are matched… (#1079)
* remove pr automation until service account creation (#1080)
* fix: purl generation for pom.xml (#1078)
* Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072)
* fix: add new languages found in cpes (#1069)
* fix: add php catalogers to all catalogers (#1065)
* feat: add use-all-catalogers flag (#1050)
-------------------------------------------------------------------
Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.49.0:
* Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926)
* remove OSS Meetup message (#1057)
* add pom.xml cataloger (#1055)
* Add support for CBL-Mariner distroless images (#1045)
* Add catalogers configuration (#1038)
* add template output (#1051)
-------------------------------------------------------------------
Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.1:
* update stereoscope to latest version (#1052)
-------------------------------------------------------------------
Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.0:
* update zip_read_closer to incorporate zip64 support (#1041)
* Add pacman (alpm) parser support (#943)
-------------------------------------------------------------------
Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de
- Update to version 0.47.0:
* Update of README.md (#1027)
* bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025)
* add workflows to test new project automation (#1023)
* improve LanguageByName and add unit tests (#1034)
* Read Description from dpkg status files (#996)
* Add announcement for Anchore OSS Virtual Meetup (#1033)
* add main module field to go bin metadata (#1026)
* Add filters to package cataloger (#1021)
* change draft to false for release process (#1016)
* Support RPM distros with newer RPM db formats (#1018)
* fix: add component list to prevent cyclone-dx panic (#1015)
-------------------------------------------------------------------
Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- first version of package syft at version 0.46.3
