From 3cd40d47a4e80fec9e44dad11a4cabd225c05c799aa6fea47815cc40ea3e3cac Mon Sep 17 00:00:00 2001
From: Andrea Manzini
Date: Fri, 22 Nov 2024 08:21:30 +0000
Subject: [PATCH] update to 1.17.0
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/syft?expand=0&rev=181
---
.gitattributes | 23 +
.gitignore | 1 +
_service | 21 +
_servicedata | 4 +
syft-1.10.0.obscpio | 3 +
syft-1.11.0.obscpio | 3 +
syft-1.11.1.obscpio | 3 +
syft-1.12.2.obscpio | 3 +
syft-1.14.0.obscpio | 3 +
syft-1.14.1.obscpio | 3 +
syft-1.14.2.obscpio | 3 +
syft-1.15.0.obscpio | 3 +
syft-1.16.0.obscpio | 3 +
syft-1.17.0.obscpio | 3 +
syft-1.8.0.obscpio | 3 +
syft-1.9.0.obscpio | 3 +
syft.changes | 2417 +++++++++++++++++++++++++++++++++++++++++++
syft.obsinfo | 4 +
syft.spec | 119 +++
vendor.tar.gz | 3 +
20 files changed, 2628 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 _service
create mode 100644 _servicedata
create mode 100644 syft-1.10.0.obscpio
create mode 100644 syft-1.11.0.obscpio
create mode 100644 syft-1.11.1.obscpio
create mode 100644 syft-1.12.2.obscpio
create mode 100644 syft-1.14.0.obscpio
create mode 100644 syft-1.14.1.obscpio
create mode 100644 syft-1.14.2.obscpio
create mode 100644 syft-1.15.0.obscpio
create mode 100644 syft-1.16.0.obscpio
create mode 100644 syft-1.17.0.obscpio
create mode 100644 syft-1.8.0.obscpio
create mode 100644 syft-1.9.0.obscpio
create mode 100644 syft.changes
create mode 100644 syft.obsinfo
create mode 100644 syft.spec
create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..ebfe47a
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ https://github.com/anchore/syft
+ git
+ .git
+ v1.17.0
+ @PARENT_TAG@
+ v(.*)
+ enable
+
+
+ syft
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..3e01e82
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/anchore/syft
+ a8d4202d77b6b31e75ce5af09a8b03ad14e533d3
\ No newline at end of file
diff --git a/syft-1.10.0.obscpio b/syft-1.10.0.obscpio
new file mode 100644
index 0000000..e8183f0
--- /dev/null
+++ b/syft-1.10.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:750f2aaf5011a1b5155c0ac5f11a43cf9c68ec484d7c43d6ccd5b6d6c045aeef
+size 25953805
diff --git a/syft-1.11.0.obscpio b/syft-1.11.0.obscpio
new file mode 100644
index 0000000..c171384
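Review bot: The source revision in the `_service` hunk appears to be the tag name `v1.17.0`, a ref that upstream can move, while the commit it resolved to (`a8d4202d77b6b31e75ce5af09a8b03ad14e533d3`) is recorded only in `_servicedata`. If the service is ever re-run server-side, a retagged upstream would change the packaged source without any visible diff in this file. Consider pinning with `<param name="revision">a8d4202d77b6b31e75ce5af09a8b03ad14e533d3</param>`, or have the reviewer confirm that the regenerated `_servicedata` commit and the `syft-1.17.0.obscpio` sha256 match what was audited. The XML markup of this hunk is lost in this rendering, so the parameter names and the service mode are inferred rather than visible.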
--- /dev/null
+++ b/syft-1.11.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89f386966dfe7a980777c52204ec65e90da673d945540f7d2a4bb5593d65dccf
+size 26077709
diff --git a/syft-1.11.1.obscpio b/syft-1.11.1.obscpio
new file mode 100644
index 0000000..0788f67
--- /dev/null
+++ b/syft-1.11.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:4eb07b043a0d04b537b0101c43896e6581fb851f67e77a125e22befc5ab43da5
+size 26157581
diff --git a/syft-1.12.2.obscpio b/syft-1.12.2.obscpio
new file mode 100644
index 0000000..8896b2b
--- /dev/null
+++ b/syft-1.12.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3d55f10d26bf4db63d0a32fd737ac5d83c00809b822f44f64ce4ff68ec631b3e
+size 26290189
diff --git a/syft-1.14.0.obscpio b/syft-1.14.0.obscpio
new file mode 100644
index 0000000..454c36e
--- /dev/null
+++ b/syft-1.14.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ba905939c45f7f4679be69ffa0b7d9dd96e69e46527a3ea3d29c564d0184919
+size 26562573
diff --git a/syft-1.14.1.obscpio b/syft-1.14.1.obscpio
new file mode 100644
index 0000000..cf0f25c
--- /dev/null
+++ b/syft-1.14.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eefc0cec9db00f232dfefedaf4286efcbae1e924c1e4d7fa34518fcc8562911a
+size 26564109
diff --git a/syft-1.14.2.obscpio b/syft-1.14.2.obscpio
new file mode 100644
index 0000000..356d188
--- /dev/null
+++ b/syft-1.14.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9a026a256beb316951d44dd8178d189cd643ede6bff88a3d11acd610ecf1eb4c
+size 26572301
diff --git a/syft-1.15.0.obscpio b/syft-1.15.0.obscpio
new file mode 100644
index 0000000..1778442
--- /dev/null
+++ b/syft-1.15.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fae93fd6d5c0746ba0e312451847028284e0b1a8b3be815cc87d6e339e7b54d0
+size 26598413
diff --git a/syft-1.16.0.obscpio b/syft-1.16.0.obscpio
new file mode 100644
index 0000000..a7478bd
--- /dev/null
+++ b/syft-1.16.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:50d3ac043756c2b60b84cc2e1e7062128f8459cb5d6b5be3cd5a04877321d518
+size 26614285
diff --git a/syft-1.17.0.obscpio b/syft-1.17.0.obscpio
new file mode 100644
index 0000000..9b9113c
--- /dev/null
+++ b/syft-1.17.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e543165eaba2a78c734171db49997ea72a44b49a8fea3c5ef52f18c835dc4051
+size 26627597
diff --git a/syft-1.8.0.obscpio b/syft-1.8.0.obscpio
new file mode 100644
index 0000000..7b8f5b5
--- /dev/null
+++ b/syft-1.8.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9be11b5aa77e02f6f5fd42b41d89262f78e28c877801928380e222fbb940106
+size 25907213
diff --git a/syft-1.9.0.obscpio b/syft-1.9.0.obscpio
new file mode 100644
index 0000000..f243fdb
--- /dev/null
+++ b/syft-1.9.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2b005543f13e07ec24249e51696cb571398e9e4dea2aa02fb8af724828c374f4
+size 25916429
diff --git a/syft.changes b/syft.changes
new file mode 100644
index 0000000..737780a
--- /dev/null
+++ b/syft.changes
@@ -0,0 +1,2417 @@ +------------------------------------------------------------------- +Thu Nov 21 14:50:55 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.17.0: + * chore(deps): update stereoscope to + aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3472) + * chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.2 + to 1.2.3 (#3467) + * fix: bump clio to pull in logging fix (#3466) + * 3122 valid license url characters (#3449) + * 3030 license declared spdx correction (#3461) + * chore(deps): update tools to latest versions (#3463) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.1 to + 6.6.2 (#3465) + * chore(deps): bump modernc.org/sqlite from 1.33.1 to 1.34.1 + (#3460) + * chore(deps): update CPE dictionary index (#3453) + * chore(deps): update tools to latest versions (#3454) + * chore(deps): update tools to latest versions (#3448) + * chore(deps): update tools to latest versions (#3444) + * chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4 + (#3446) + * feat: emit dependency relationships found in Cargo.lock (#3443) + * chore(deps): update stereoscope to + aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3442) + * chore(deps): bump github/codeql-action from 3.27.2 to 3.27.3 + (#3438) + * chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.1 + to 1.2.2 (#3439) + * chore(deps): bump github.com/saferwall/pe from 1.5.4 to 1.5.5 + (#3440) + * chore(deps): update tools to latest versions (#3413) + * chore(deps): bump github/codeql-action from 3.27.1 to 3.27.2 + (#3436) + * chore(deps): bump golang.org/x/mod from 0.21.0 to 0.22.0 + (#3426) + * update node classifier (#3419) + * chore(deps): update stereoscope to + 120d9ea511e2f7a9887b443c52e66cd19bb80b43 (#3424) + * chore(deps): update CPE dictionary index (#3429) + * chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1 + (#3431) + * chore(deps): bump golang.org/x/net from 0.30.0 to 0.31.0 + (#3432) + * chore(deps): bump github.com/charmbracelet/bubbletea 
from 1.1.2 + to 1.2.1 (#3433) + * restore log on ui teardown (#3427) + * doc: Add official Syft logo license information (#3421) + * chore(deps): bump anchore/sbom-action from 0.17.6 to 0.17.7 + (#3418) + * chore: build release sbom from go.mod (#3417) + +------------------------------------------------------------------- +Tue Nov 05 09:43:28 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.16.0: + * chore: prevent file resolver from bubbling errors in binary + cataloger (#3410) + * chore(deps): update stereoscope to + cbd43fb4e5d348fe680066ee6329385fd6a4f827 (#3411) + * chore(deps): update CPE dictionary index (#3414) + * chore(deps): bump github.com/adrg/xdg from 0.5.2 to 0.5.3 + (#3408) + * chore(deps): bump github.com/charmbracelet/lipgloss from 0.13.1 + to 1.0.0 (#3409) + * chore(deps): update stereoscope to + 2ce1e520983b1c21d5150d7fae2b39e8e5ab9063 (#3405) + * Issue #3143 – fixed format conversion docs link (#3407) + * feat: support dependencies and purl for Native Image SBOMs + (#3399) + * chore(deps): update stereoscope to + 9c92fe30492ffeba14ed2e23ad1fd923341dda4f (#3398) + * feat: exclude devDependencies from package-lock.json parsing + (#3371) + * chore(deps): bump github.com/adrg/xdg from 0.5.1 to 0.5.2 + (#3394) + * chore(deps): bump anchore/sbom-action from 0.17.5 to 0.17.6 + (#3393) + * fix: stack overflow in spyingIoReadCloser (#3392) + * fix: bad pom files may cause infinite loop (#3391) + +------------------------------------------------------------------- +Tue Oct 29 14:02:45 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.15.0: + * chore(deps): update stereoscope to + bcc40c6817524718277256d6b774ce643f98640a (#3388) + * chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#3384) + * chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.1 + to 1.1.2 (#3385) + * chore(deps): update tools to latest versions (#3383) + * chore(deps): update CPE dictionary index (#3387) + * chore(deps): bump 
actions/checkout from 4.2.1 to 4.2.2 (#3380) + * feat: multi-level configuration and profiles (#3337) + * feat: Java dependency graph information (#3363) + * Expanded dpkg cataloger globs (#3373) + * Enable cargo-auditable-binary-cataloger for files/directories + (#3376) + * chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0 + (#3374) + * chore(deps): bump github.com/charmbracelet/lipgloss (#3375) + * chore(deps): update stereoscope to + 6db3c175f1f836e552b01ee70e5d5528cc04bce4 (#3362) + * chore(deps): bump actions/cache from 4.1.1 to 4.1.2 (#3364) + * chore(deps): bump anchore/sbom-action from 0.17.4 to 0.17.5 + (#3365) + * chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to + 5.6.0 (#3367) + +------------------------------------------------------------------- +Tue Oct 22 07:09:11 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.14.2: + * Create single license scanner for all catalogers (#3348) + * chore(deps): update stereoscope to + a38c93517fc7d67ca1af826ac529a06c05b571d2 (#3357) + * chore(deps): update CPE dictionary index (#3358) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.0 to + 6.6.1 (#3361) + * update to latest packageurl-go (#3347) + * chore(deps): update tools to latest versions (#3342) + * chore(deps): update stereoscope to + 9e57bce5efeb0ffe27770dd0b8eb2eef8b38512f (#3338) + * chore(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.1 + (#3344) + * fix: use official CPE for linux kernel (#3343) + * chore(deps): bump anchore/sbom-action from 0.17.3 to 0.17.4 + (#3340) + * fix: improve mariadb binary classifer to detect older versions + (#3339) + +------------------------------------------------------------------- +Tue Oct 15 15:36:18 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.14.1: + * fix: stop some log.Warn spam due parsing an empty string as a + CPE (#3330) + * chore(deps): update stereoscope to + 1cc8a41d447d0d092699be2b700b8ba62e870434 (#3334) + * chore(deps): 
update stereoscope to + 1cc8a41d447d0d092699be2b700b8ba62e870434 (#3332) + * chore(deps): update stereoscope to + 93f8a11331e3d50f751e4d0ec5b63f3df309e9e5 (#3331) + * chore(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3 + (#3326) + * chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13 + (#3327) + * chore(deps): update CPE dictionary index (#3323) + * fix: improve go binary semver extraction for traefik (#3325) + * chore(deps): update stereoscope to + 92e97a1cf36d162bad51ccc6aba0cce7a4dcfbf4 (#3322) + * chore(deps): update stereoscope to + c04af061af62ab3ba6ab6760613526eaa7fcb163 (#3319) + * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.1 + to 4.7.0 (#3321) + * chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.3 + (#3314) + * shorten release docs (#3318) + * docs: clearer deprecation message for --file (#3310) + * [docs] Add mastodon link to README.md (#3306) + * chore(deps): update stereoscope to + 5bc91bf166769e43d8d0f86c02e877c55eb04aed (#3313) + * chore(deps): bump actions/cache from 4.1.0 to 4.1.1 (#3312) + * chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12 + (#3307) + * chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#3308) + * chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 + (#3309) + +------------------------------------------------------------------- +Wed Oct 09 04:42:52 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.14.0: + * feat: report unknowns in sbom (#2998) + * chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 + (#3299) + * chore(deps): update stereoscope to + efa76446cc1c7e6c4117350943a2754b2453aec4 (#3301) + * chore(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 + (#3304) + * chore(deps): bump actions/cache from 4.0.2 to 4.1.0 (#3305) + * chore(deps): update CPE dictionary index (#3302) + * Fix: Parse package.json with non-standard fields in 'author' + section (#3300) + * chore(deps): bump github/codeql-action from 3.26.10 to 
3.26.11 + (#3298) + * chore: add pull request template (#3294) + * chore(deps): update tools to latest versions (#3296) + * Track supporting DPKG evidence (#3228) + * Fix: make failed CPE validation correctly return error (#2762) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.9 to + 6.6.0 (#3293) + * feat: update haproxy classifier (#3277) + * chore(deps): update tools to latest versions (#3291) + * fix: don't use builtin scanner in licensecheck (#3290) + * chore(deps): update CPE dictionary index (#3288) + * chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 + (#3289) + * update redis classifier (#3281) + * fix: improve node classifier version matching (#3284) + * fix: update ruby classifier for -rc, -dev, etc. versions + (#3285) + * chore(deps): update CPE dictionary index (#3262) + * chore(deps): bump github.com/docker/docker (#3264) + * chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 + (#3275) + * chore(deps): update stereoscope to + dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280) + * chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283) + * add awaiting response management (#3272) + * fix: correct excluded mount point comparison to file paths + (#3269) + +------------------------------------------------------------------- +Tue Sep 24 17:39:53 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.13.0: + * Add JVM cataloger (#3217) + * feat: classifier for Dart lang binaries (#3265) + * Add compliance policy for empty name and version (#3257) + * chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to + 2.3.2 (#3254) + * chore(deps): bump peter-evans/create-pull-request from 7.0.3 to + 7.0.5 (#3255) + * chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8 + (#3256) + * chore(deps): update tools to latest versions (#3259) + * chore(deps): bump github.com/docker/docker (#3260) + * feat: add binary classifiers for lighttp, proftpd, zstd, xz, + gzip, jq, and sqlcipher (#3252) + * fix: 
capture-snippet.sh can handle leading whitespaces now + (#3249) (#3250) + * chore(deps): update tools to latest versions (#3251) + * chore(deps): update tools to latest versions (#3247) + * chore(deps): update tools to latest versions (#3243) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0 + to 0.9.1 (#3242) + * chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7 + (#3241) + * chore(deps): bump peter-evans/create-pull-request from 7.0.2 to + 7.0.3 (#3240) + * chore(deps): update tools to latest versions (#3231) + * chore(deps): update CPE dictionary index (#3232) + * chore(deps): update tools to latest versions (#3205) + * chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.0 + to 1.1.1 (#3225) + * chore(deps): bump peter-evans/create-pull-request from 7.0.1 to + 7.0.2 (#3226) + * chore(deps): bump modernc.org/sqlite from 1.33.0 to 1.33.1 + (#3229) + * feat: --enrich flag for data enrichment feature enablement + (#3182) + +------------------------------------------------------------------- +Thu Sep 12 04:56:01 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.12.2 (no releases between 1.11.1 and this + one): + * chore: make ci-check.sh an executable file (#3220) + * chore(deps): bump github.com/opencontainers/runc from 1.1.12 to + 1.1.14 (#3219) + * chore: restore ci-check.sh script (#3218) + * Add haskell binaries cataloger (#3078) + * chore(deps): update CPE dictionary index (#3206) + * chore(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 + (#3203) + * Add the Ocaml ecosystem (#3112) + * chore(deps): bump github.com/charmbracelet/bubbles from 0.19.0 + to 0.20.0 (#3209) + * chore(deps): bump modernc.org/sqlite from 1.32.0 to 1.33.0 + (#3210) + * chore(deps): bump github.com/docker/docker (#3211) + * chore(deps): bump github.com/dave/jennifer from 1.7.0 to 1.7.1 + (#3212) + * dont cleanup cache in forks (#3214) + * less verbose java logging when non-fatal issues arise (#3208) + * Slim down docker cache 
size (#3190) + * chore(deps): bump peter-evans/create-pull-request from 7.0.0 to + 7.0.1 (#3196) + * chore(deps): bump golang.org/x/mod from 0.20.0 to 0.21.0 + (#3197) + * fix: haproxy classifier for versions with -dev suffix (#3180) + * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to + 3.3.0 (#3177) + * chore(deps): update CPE dictionary index (#3183) + * chore(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0 + (#3184) + * chore(deps): bump peter-evans/create-pull-request from 6.1.0 to + 7.0.0 (#3187) + * fix: properly decode SPDX license expressions in CycloneDX + format (#3175) + * chore(deps): bump github.com/docker/docker (#3168) + * chore(deps): bump github.com/charmbracelet/bubbletea (#3171) + * chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6 + (#3173) + * fix: cycles resolving relative path parent poms with + parent-defined variables (#3170) + * fix: improve generated cpes for binaries with existing + classifiers (#3169) + * fix: add log time of task (#3105) + * fix: improve known CPEs and set NVD as source for all current + binary classifiers (#3167) + * respond to authoratative CPEs from catalogers (#3166) + * set cataloger names within package cataloger task (#3165) + * fix: use official CPE for curl binary cataloger (#3164) + * chore(deps): update tools to latest versions (#3160) + * chore(deps): update CPE dictionary index (#3161) + * chore(deps): bump github/codeql-action from 3.26.4 to 3.26.5 + (#3162) + * fix ELF package correlations (#3151) + * chore(deps): update tools to latest versions (#3144) + * feat: detect curl binaries (#3146) + * chore(deps): bump anchore/sbom-action from 0.17.1 to 0.17.2 + (#3155) + * chore(deps): bump github/codeql-action from 3.26.3 to 3.26.4 + (#3154) + * chore(deps): update stereoscope to + e6d086e8bef5fab4fcfbd60c9a759c4cb229decf (#3152) + * chore(deps): bump github.com/charmbracelet/bubbles from 0.18.0 + to 0.19.0 (#3148) + * chore(deps): bump github.com/charmbracelet/lipgloss 
(#3147) + * chore(deps): bump github.com/anchore/stereoscope (#3153) + * fix: mysql 8.0.3x binary detection (#3142) + * chore(deps): bump github/codeql-action from 3.26.2 to 3.26.3 + (#3139) + +------------------------------------------------------------------- +Tue Aug 20 16:41:18 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.11.1: + * fix: logging for remote network calls (#3140) + * chore(deps): update CPE dictionary index (#3135) + * chore(deps): bump github.com/charmbracelet/bubbletea (#3137) + * chore(deps): update tools to latest versions (#3121) + * chore(deps): bump github.com/docker/docker (#3123) + * chore(deps): bump anchore/sbom-action from 0.17.0 to 0.17.1 + (#3124) + * chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2 + (#3129) + * fix: add nil check to CycloneDX toBomProperties (#3119) + * fix: read CycloneDX BOM components from metadata (#3092) + * fix: improve groupid extraction for Jenkins plugins (#2815) + * chore(deps): update CPE dictionary index (#3116) + * support .kar files (#3113) + * chore: fix some comments (#3114) + * chore: fix failing python relationship test (#3117) + * update-slack-to-discourse (#3111) + +------------------------------------------------------------------- +Fri Aug 09 18:12:40 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.11.0: + * test: increase java purl generation test coverage (#3110) + * chore(deps): bump modernc.org/sqlite from 1.31.1 to 1.32.0 + (#3106) + * chore(deps): bump sigstore/cosign-installer from 3.5.0 to 3.6.0 + (#3107) + * chore(deps): update tools to latest versions (#3099) + * chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0 + (#3101) + * chore(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 + (#3102) + * chore(deps): bump github.com/google/go-containerregistry + (#3103) + * chore(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 + (#3104) + * chore(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5 + (#3095) + * 
chore(deps): update CPE dictionary index (#3094) + * chore(deps): bump golang.org/x/mod from 0.19.0 to 0.20.0 + (#3096) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.6 to + 0.5.7 (#3097) + * feat: improved java maven property resolution (#2769) + * fix: use organization for package supplier when reading Java + vendor fields (#3093) + * chore(deps): update tools to latest versions (#3091) + * fix: update 'guessMainPackageNameAndVersionFromPomInfo' and + 'artifactIDMatchesFilename' (#3054) + * fix: update mainModuleVersion function to always prefix `v` to + findings (#3087) + * chore: update release script to use gh from binny (#3084) + * Added the SWI Prolog (swipl) ecosystem (#3076) + +------------------------------------------------------------------- +Thu Aug 01 07:20:34 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.10.0: + * fix: improve determinism in java archive identification (#3085) + * chore(deps): update stereoscope to + 50ce3be7aa1fb8829234ae648215e7907196bfa5 (#3075) + * chore(deps): update CPE dictionary index (#3079) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.5 to + 0.5.6 (#3082) + * chore(deps): bump github/codeql-action from 3.25.14 to 3.25.15 + (#3083) + * fix: traefik classifier (#3077) + * python-cataloger: fix normalization test (#3073) + * Only match ldflag version if it matches the main module or + targets main.version (#3062) + * python cataloger: allow dots in python package names (#3070) + * python-cataloger: normalize package names (#3069) + * chore(deps): bump github.com/docker/docker (#3066) + * chore(deps): bump github/codeql-action from 3.25.13 to 3.25.14 + (#3072) + * fix: SPDX output performance with many relationships (#3053) + * better go mod detection from partial package builds (#3060) + * chore(deps): update tools to latest versions (#3061) + * chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1 + to 0.12.1 (#3040) + * chore: add debug logging for errors 
reading RPM files (#3051) + * chore(deps): update CPE dictionary index (#3035) + * chore(deps): bump github.com/docker/docker (#3055) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.4 to + 0.5.5 (#3056) + * chore(deps): bump modernc.org/sqlite from 1.30.2 to 1.31.1 + (#3057) + * chore(deps): bump docker/login-action from 3.2.0 to 3.3.0 + (#3058) + * chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13 + (#3059) + * chore(deps): update stereoscope to + 487b11e5ba2622d976acda10c605da63b4fbbb0a (#3032) + * chore(deps): update tools to latest versions (#3050) + * docs: CODE_OF_CONDUCT.md (#3046) + * fix: include CPEs with Maven groupId as vendor (#3045) + * chore(deps): bump github.com/google/go-containerregistry + (#3047) + * chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to + 0.7.2 (#3048) + * chore(deps): bump modernc.org/sqlite from 1.30.1 to 1.30.2 + (#3039) + * docs: link to contrib/dev docs in readme (#3029) + * chore: Fix apache shield in readme (#3021) + * chore(deps): update tools to latest versions (#3031) + * chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12 + (#3034) + * chore(deps): bump anchore/sbom-action from 0.16.1 to 0.17.0 + (#3044) + * fix: stop panicking on "devel" version go stdlib (#3043) + * chore: pin fedora image for elf binary test (#3041) + * chore(deps): bump anchore/sbom-action from 0.16.0 to 0.16.1 + (#3023) + * chore(deps): update stereoscope to + 27b66b76fc6686fcf6bde656aa09e1f0e047fec1 (#3026) + +------------------------------------------------------------------- +Thu Jul 11 18:41:11 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.9.0: + * chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (#3027) + * chore(deps): bump github.com/charmbracelet/lipgloss (#3028) + * fix: stabilize cpe sorting during collection sort (#3009) + * Map the downloadLocation field for PHP Composer packages + (#3011) + * chore(deps): update stereoscope to + 
e46739e217969fa67cbe8834b64bb165a10a1548 (#3013) + * chore(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 + (#3015) + * chore(deps): bump golang.org/x/mod from 0.18.0 to 0.19.0 + (#3014) + * chore(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 + (#3017) + * chore(deps): bump github.com/google/go-containerregistry + (#3019) + * chore(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0 + (#3020) + * chore(deps): update CPE dictionary index (#3016) + * Infer the package type from ELF package notes (#3008) + * chore(deps): update tools to latest versions (#3003) + * chore(deps): update CPE dictionary index (#3002) + * chore(deps): bump github.com/docker/docker (#3006) + * chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11 + (#3004) + * chore(deps): bump github.com/saferwall/pe from 1.5.3 to 1.5.4 + (#3005) + * feat: version 3 support for swift package manager of the + resolved files (#3001) + * chore(deps): bump github.com/spdx/tools-golang from 0.5.4 to + 0.5.5 (#2999) + * chore(deps): bump github.com/docker/docker (#2994) + * Add detection of Erlang in Alpine linux (#2996) + * chore(deps): update tools to latest versions (#2991) + * chore(deps): update stereoscope to + 753b5576fe42bc007b22108ad7911d1729957a46 (#2992) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2995) + +------------------------------------------------------------------- +Tue Jun 25 04:58:18 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.8.0: + * chore(deps): update CPE dictionary index (#2986) + * chore(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1 + (#2988) + * fix: handle errors reading go licenses (#2985) + * docs: update cyclone-dx documentation (#2983) + * feat: update syft to generate cyclone-dx 1.6 by default (#2978) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2982) + * chore(deps): bump peter-evans/create-pull-request from 6.0.5 to + 6.1.0 (#2975) + * fix: detection of arangodb 3.12 (#2979) + * chore: enable 
dependabot to keep boostrap action updated + (#2976) + * chore(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to + 2.3.1 (#2973) + * chore(deps): bump github.com/google/go-containerregistry + (#2971) + * chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 + (#2972) + +------------------------------------------------------------------- +Sat Jun 15 16:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.7.0: + * Added Features + - index known CPEs for wordpress plugins and themes [#2963 + @westonsteimel] + - Consider Author field for wordpress plugins when generating + CPEs [#2946 @wagoodman] + * Bug Fixes + - improve version extraction from ldflags for pingcap TiDB + [#2962 @westonsteimel] + - Trim whitespace from wordpress values [#2945 @wagoodman] + - Issue scanning Poetry Project with Syft 1.6 and + cataloger=python-package-cataloger [#2954 #2965 @spiffcs] + - Poetry's multiple constraints seems to break the parser + [#2947 #2965 @spiffcs] + - Golang: Search remote licenses not working in a CI pipeline + when scanning Docker image [#2798 #2852 @kzantow] + +------------------------------------------------------------------- +Mon Jun 10 19:52:37 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.6.0: + * Added Features + - Add relationships for go binary packages [#2912 @wagoodman] + - Add classifier for util-linux [#2933 @LaurentGoderre] + - Lua: Add support for more advanced syntax [#2908 + @LaurentGoderre] + - add license field to ELF binary package metadata [#2890 + @brian-ebarb] + - install.sh: check checksums file's signature [#2884 #2941 + @wagoodman] + - Detect ELF package notes from fedora binaries [#2713 #2939 + @wagoodman] + * Bug Fixes + - Use redhat as namespace for redhat rpms [#2914 @ralphbean] + - Close sqlite driver after testing sqlite availability [#2922 + @ttc0419] + - syft does not find anything in archives if /tmp is a tmpfs + [#2894 #2918 @willmurphyscode] + - Scanning a git repository 
folder present in /tmp produce an + empty sbom [#2847 #2918 @willmurphyscode] + * Additional Changes + - update unit tests to use pinned patch version [#2932 + @spiffcs] + - fix comments and spelling [#2920 @dufucun] + +------------------------------------------------------------------- +Fri May 31 14:28:58 UTC 2024 - andrea.manzini@suse.com + +- Update to version 1.5.0: + * feat: detect fluent-bit binaries (#2905) + * bump dependencies + * Add python wheel egg relationships (#2903) + * feat: Add Lua cataloger (#2613) + * feat: add config command (#2892) + * feat: Added functionality to convert major, minor, patch to version for binary classifier (#2864) + * Go Mod Cataloger: Remove Replaced Packages (#2891) + * chore: Reduce length of readme, moving lengthy content to the wiki (#2882) + * fix: DecoderCollection discarding input from non-seekable Readers (#2878) + * Fix outdated spdx links (#2865) + * Use values in relationship To/From fields (#2871) + * add support for RPM DB package relationships (#2872) + * fix: capture dependencies when parsing SPDX SBOMs (#2869) + * Add abstraction for adding relationships from package cataloger results (#2853) + * chore: fix small tooling error for go.mod (#2868) + +------------------------------------------------------------------- +Sun May 12 07:42:00 UTC 2024 - opensuse_buildservice@ojkastl.de + +- add completion subpackages +- fix version output + +------------------------------------------------------------------- +Fri May 10 04:54:24 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.4.1: + * fix pruning binary packages when considering ELF packages + (#2862) + +------------------------------------------------------------------- +Thu May 09 18:59:36 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.4.0: + * feat: add relationships to ELF package discovery (#2715) + * README.md: link to official wiki (#2858) + * fix Windows file paths in local go mod cache (#2654) + * chore(deps): 
bump github.com/docker/docker (#2859) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2860) + * chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4 + (#2855) + * chore(deps): bump github.com/sassoftware/go-rpmutils from 0.3.0 + to 0.4.0 (#2856) + * Add relationships for ALPM packages (arch linux) (#2851) + * Add binary classifier for ArangoDB (#2830) + * chore(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 + (#2849) + * chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#2850) + * chore: use ruleguard to test for missing defer statements + (#2837) + * remove homebrew update workflow (#2846) + * Restore version file update on release (#2844) + * fix: Add missing CPE for traefik, memcached, and postgres + binaries (#2845) + * Add detection for newer version of ErLang/OTP (#2829) + * fix ui race for package count (#2839) + * chore(deps): update CPE dictionary index (#2841) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to + 6.5.9 (#2842) + * chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9 + (#2843) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2838) + * add security policy (#2835) + * chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#2834) + * chore(deps): update stereoscope to + 2e9894674185d121917b283f773c2b5830f8b360 (#2831) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2833) + * chore: fix function name in comment (#2771) + * chore: enable go-critic deferInLoop lint (#2825) + * fix: better clean up of file handles (#2823) + * chore(deps): bump github.com/docker/docker (#2827) + * fix(spdx): include required fields (#2168) + * fix: add correct vendor for dnsmasq CPE (#2659) + * fix: close temp rpmdb file (#2792) + * chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 + (#2817) + * Fill in SPDX originator for all supported package types (#2822) + * chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 + (#2821) + 
+------------------------------------------------------------------- +Fri Apr 26 16:46:01 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.3.0: + * update spdx license list to 3.23 (#2818) + * fix: re-use embedded union reader if possible (#2814) + * feat: index known CPEs for go modules (#2816) + * chore(deps): bump peter-evans/create-pull-request from 6.0.4 to + 6.0.5 (#2812) + * feat: support multiple known CPEs in index (#2813) + * chore(deps): update stereoscope to + 8b297badafd5d81fa1187b26ae34dd2a7ce7e425 (#2807) + * chore(deps): bump actions/checkout from 4.1.3 to 4.1.4 (#2809) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.3 to + 0.5.4 (#2810) + * Fix removing labels in 'Detect schema changes' job (#2772) + * chore(deps): bump github.com/docker/docker (#2805) + * Display which provider caused which error in output (#2757) + * fix: prefer non-deprecated CPEs and include jenkins plugins + from plugins.jenkins.io (#2806) + * feat: index known CPEs for PHP Composer packagist.org packages + (#2804) + * chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 + (#2802) + * chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 + (#2803) + * fix: improvements to known CPE index construction (#2801) + * fix: exclude known instrumentation jars from being erroneously + identified (#2796) + * feat: index known cpes for PHP extensions (#2777) + * chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 (#2799) + * fix: return empty string if dereferncing pom var fails (#2797) + * chore(deps): bump github.com/docker/docker (#2793) + * chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8 + (#2794) + * chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 + (#2795) + * chore: cleanup redundant code (#2791) + * chore(deps): update tools to latest versions (#2789) + * chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to + 0.5.4 (#2790) + * chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 + 
(#2786) + * chore(deps): bump peter-evans/create-pull-request from 6.0.3 to + 6.0.4 (#2787) + * Fix: repeatedly dereference pom variables (#2781) + * chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7 + (#2783) + * chore(deps): update CPE dictionary index (#2780) + * chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 + (#2779) + * chore: fix broken cpe index generation task (#2778) + * chore(deps): bump github.com/docker/docker (#2773) + * chore(deps): bump peter-evans/create-pull-request from 6.0.2 to + 6.0.3 (#2774) + +------------------------------------------------------------------- +Sat Apr 13 09:32:58 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.2.0: + * fix: more robust go main version extraction (#2767) + * chore(deps): update tools to latest versions (#2768) + * fix: binary character in java version (#2766) + * chore(deps): update tools to latest versions (#2760) + * chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6 + (#2761) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to + 6.5.8 (#2754) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to + 0.5.3 (#2755) + * chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 + (#2756) + * chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 + (#2751) + * Differentiate between JRE and JDK (#2748) + * chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0 + (#2752) + +------------------------------------------------------------------- +Thu Apr 04 16:55:06 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.1.1: + * chore(deps): update tools to latest versions (#2744) + * chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 + (#2747) + * chore: update anchore/packageurl-go to use latest commits + (#2746) + * feat: cataloger for PHP Pecl and PEAR packages (#2604) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to + 5.12.0 (#2743) + * chore(deps): update tools to latest versions (#2741) + 
* fix: conan poco project cpe (#2740) + * chore(deps): bump github.com/distribution/reference from 0.5.0 + to 0.6.0 (#2738) + * chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10 + (#2737) + * fix: panic scanning binaries without symtab (#2739) + * chore: remove useless code (#2716) + * chore(deps): bump google.golang.org/protobuf from 1.31.0 to + 1.33.0 (#2731) + * chore(deps): bump github/codeql-action from 3.24.8 to 3.24.9 + (#2732) + * chore(deps): update tools to latest versions (#2733) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.5 to + 6.5.6 (#2734) + * update release token from readonly to write token (#2735) + +------------------------------------------------------------------- +Tue Mar 26 07:19:30 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 1.1.0: + * Adding the ability to retrieve remote licenses from + package.lock (#2708) + * dont include labels for dependabot ecosystems (#2720) + * chore(deps): bump fountainhead/action-wait-for-check from 1.1.0 + to 1.2.0 (#2717) + * chore(deps): update tools to latest versions (#2726) + * chore(deps): bump github/codeql-action from 3.24.7 to 3.24.8 + (#2725) + * chore(deps): bump actions/cache from 4.0.1 to 4.0.2 (#2728) + * chore(deps): bump github.com/docker/docker (#2730) + * updating credentials to scoped permissions (#2722) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.4 to + 6.5.5 (#2718) + * chore(deps): bump github.com/google/go-containerregistry + (#2719) + * Add detection for Oracle GraalVM (#2705) + * chore(deps): bump docker/login-action from 3.0.0 to 3.1.0 + (#2714) + * Add ELF binary package cataloger (#2396) + * chore(deps): bump modernc.org/sqlite from 1.29.3 to 1.29.5 + (#2710) + * chore(deps): bump github/codeql-action from 3.24.6 to 3.24.7 + (#2711) + * chore(deps): bump peter-evans/create-pull-request from 6.0.1 to + 6.0.2 (#2712) + * Show binary exports, entrypoint, and imports (#2626) + * chore(deps): bump actions/checkout from 
4.1.1 to 4.1.2 (#2703) + * chore(deps): bump github.com/knqyf263/go-rpmdb (#2701) + * chore: reduce duplicate case SwiftPkg (#2696) + * chore: remove deprecated os.SEEK_SET os.SEEK_CUR (#2693) + * chore(deps): bump github.com/docker/docker (#2698) + * chore(deps): bump modernc.org/sqlite from 1.29.2 to 1.29.3 + (#2699) + +------------------------------------------------------------------- +Sat Mar 09 08:54:20 UTC 2024 - andrea.manzini@suse.com + +- Update to version 1.0.1: + * bump dependencies + * docs: add simplest example from registry (#2691) + * fix: Unable to scan OCI images with syft v0.105.1 [#2678 #2683 + @spiffcs] + +------------------------------------------------------------------- +Fri Mar 01 13:59:28 UTC 2024 - andrea.manzini@suse.com + +- Update to version 1.0.0: + * fix: match OpenSSL letter releases (#2682) + * Mark duplicated rows in table output (#2679) + * fix: trim path from deps.json in portable way (#2674) + * chore(deps): update tools to latest versions (#2680) + * enforce breaking change bump major version (#2635) + * docs: fix incorrect flag name in readme (#2677) + * Consider filesystem types for mount points when ignoring system + paths (#2675) + * fix: stop emitting bus events on go mod events (#2673) + * chore(deps): bump peter-evans/create-pull-request from 6.0.0 to + 6.0.1 (#2676) + * feat: add `--from` flag, refactor source providers (#2610) + +------------------------------------------------------------------- +Tue Feb 27 12:40:20 UTC 2024 - andrea.manzini@suse.com + +- Update to version 0.105.1: + * bump deps and build tools + * fix: SPDX tag value version selector (#2665) + * fix(install): return appropriate error codes (#2664) + * chore: update busybox image for acceptance tests (#2663) + * rename binary classifier cataloger name (#2643) + * add cataloger selection example (#2646) + * add syft version used to SBOM tool info by default (#2647) + +------------------------------------------------------------------- +Thu Feb 15 
06:10:35 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.105.0: + * Survive indexing dead symlinks (#2645) + * fix considering base path when ignoring known bad unix paths + (#2644) + * test for field conventions in json schema (#2642) + * feat: Add Wordpress cataloger (#2218) + * rename binary cataloger to be more unique (#2633) + * fix: update runner size to use larger HD for codeql (#2641) + * chore(deps): update tools to latest versions (#2616) + * chore(deps): bump github/codeql-action from 3.24.0 to 3.24.1 + (#2638) + * chore(deps): bump dawidd6/action-homebrew-bump-formula (#2639) + * chore(deps): bump modernc.org/sqlite from 1.29.0 to 1.29.1 + (#2640) + * fix: add BOMRef to CycloneDX OS Component (#2634) + * chore(deps): bump github.com/saferwall/pe from 1.5.0 to 1.5.2 + (#2629) + * chore(deps): bump modernc.org/sqlite from 1.28.0 to 1.29.0 + (#2630) + * fix getting union reader for sif images (#2631) + * chore(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 + (#2607) + * chore(deps): bump github.com/saferwall/pe from 1.4.8 to 1.5.0 + (#2625) + * fix: ensure version output to stdout (#2621) + * Guess go main module version based on binary contents (#2608) + * chore(deps): update stereoscope to + 681f6715b0e35686d6e6f40bce109176de1ee274 (#2617) + * fix readme around templating options (#2612) + * suppress executable parsing issues (#2614) + * chore: update license list, cpe dictionary (#2620) + * chore(deps): update tools to latest versions (#2606) + +------------------------------------------------------------------- +Thu Feb 08 06:37:11 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.104.0: + * fix: incorrect conversion between integer types (#2605) + * chore(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0 + (#2602) + * chore(deps): bump github.com/docker/docker (#2601) + * Fix: unmarshal key values in Java, Go, and Conan metadata + (#2603) + * fix(dotnet): prefer portable executable product version when + 
semantically greater than file version (#2600) + * Finalize Conan v2 support (#2587) + * chore(deps): update tools to latest versions (#2595) + * chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 + (#2597) + * chore(deps): update stereoscope to + bfa15e446f061bda7f68305d2d6240b053f17e0c (#2589) + * chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#2592) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.0 to + 0.5.2 (#2591) + * chore(deps): bump github/codeql-action from 3.23.2 to 3.24.0 + (#2593) + * labeler should ignore latest version (#2588) + * chore: copy latest schema to stable path for easier diff + (#2586) + * Adding metadata fields when parsing yarn.lock and poetry.lock + (#2350) + * Add Erlang OTP Application cataloger (#2403) + * Detect ELF security features (#2443) + * Add API examples (#2517) + * feat: Record where CPEs come from (#2552) + * chore(deps): update stereoscope to + 37291e81936d2b43b3cef56667a741ef715fbfe4 (#2583) + * chore(deps): bump github.com/charmbracelet/bubbles from 0.17.1 + to 0.18.0 (#2584) + * swap format readseekers for readers (#2581) + * translate maps to sequences in pkg metadata (#2553) + * chore(deps): update tools to latest versions (#2576) + * chore(deps): bump anchore/sbom-action from 0.15.7 to 0.15.8 + (#2578) + * chore(deps): bump marocchino/sticky-pull-request-comment + (#2579) + * chore(deps): bump github.com/docker/docker (#2580) + * chore(deps): update stereoscope to + db7a4bedaba6ad93becf22ce794f306dfb07fcb9 (#2577) + * Fix attest with --key (#2551) + * fix(java): improve identification for org.apache.kafka + artifacts (#2573) + * chore: pluralize the flag (#2564) + * chore(deps): update tools to latest versions (#2566) + * chore(deps): bump peter-evans/create-pull-request from 5.0.2 to + 6.0.0 (#2567) + * chore(deps): bump anchore/sbom-action from 0.15.6 to 0.15.7 + (#2568) + * re-add cosign signing checksums file (#2572) + 
+------------------------------------------------------------------- +Wed Jan 31 17:29:57 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.103.1: + * revert cosign signing of release checksums file (#2571) + +------------------------------------------------------------------- +Wed Jan 31 17:26:17 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.103.0: + * bump archiver and stereoscope (#2570) + * fix: Better test for group ID in filename (#2565) + * Sign checksums file and add SBOMs on release (#2548) + * chore(deps): bump anchore/sbom-action from 0.15.5 to 0.15.6 + (#2560) + * chore(deps): bump github.com/google/go-containerregistry + (#2561) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to + 6.5.4 (#2562) + * chore(deps): update tools to latest versions (#2554) + * chore(deps): bump github.com/sassoftware/go-rpmutils from 0.2.0 + to 0.3.0 (#2556) + * chore(deps): bump 8398a7/action-slack from 3.15.1 to 3.16.2 + (#2557) + * chore(deps): bump github/codeql-action from 3.23.1 to 3.23.2 + (#2558) + * internalize format helpers (#2543) + * Internalize CPE generation logic (#2541) + * chore(deps): update tools to latest versions (#2550) + +------------------------------------------------------------------- +Fri Jan 26 19:26:34 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.102.0: + * Implement golang Purl subpath (#2547) + * fix migration of integration test (#2546) + * Use the json schema as input for templating (#2542) + * Unexport types and functions cataloger packages (#2530) + * Internalize majority of cmd package (#2533) + * allow for RPM modularity to be optional (#2540) + * chore(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 + (#2536) + * chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 + (#2538) + * chore(deps): bump github.com/docker/docker (#2537) + * chore: stop re-exporting wfn.Attributes (#2534) + * swap format readseekers for readers (#2515) + * 
chore(deps): bump anchore/sbom-action from 0.15.4 to 0.15.5 + (#2531) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.12 + to 0.5.0 (#2532) + * plumb context through catalogers (#2528) + * Remove CLI and API deprecations (#2508) + * Turn off the SBOM cataloger by default (#2527) + * Re-introduce linux kernel cataloger (#2526) + * make AllLocations accept a context (#2518) + * chore(deps): update CPE dictionary index (#2523) + * fix: minor cataloger and docs nits (#2519) + +------------------------------------------------------------------- +Sat Jan 20 17:00:30 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.101.1: + * Deduplicate digests from user configuration (#2522) + * update readme and help output to be accurate to syft api + (#2520) + * fix: remove second call to finalize as the task handles it + (#2516) + * chore(deps): update stereoscope to + eb656fc717935ad5abeb8e1379a5c4e11c957120 (#2510) + * chore(deps): bump github.com/docker/docker (#2512) + * chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 + (#2513) + * chore(deps): bump anchore/sbom-action from 0.15.3 to 0.15.4 + (#2514) + * chore(deps): bump github/codeql-action from 3.23.0 to 3.23.1 + (#2506) + * chore(deps): bump github.com/google/go-containerregistry + (#2507) + * chore: enable automatic approval of dependabot PRs (#2505) + +------------------------------------------------------------------- +Thu Jan 18 08:10:11 UTC 2024 - opensuse_buildservice@ojkastl.de + +- Update to version 0.101.0: + * include binary cataloger configuration defaults (#2504) + * feat: classifier for wordpress cli binary (#2473) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to + 6.5.3 (#2502) + * chore(deps): bump actions/cache from 3.3.3 to 4.0.0 (#2503) + * chore(deps): update tools to latest versions (#2500) + * chore(deps): bump github.com/cloudflare/circl from 1.3.3 to + 1.3.7 (#2501) + * Add cataloger list command (#2366) + * condense binary cataloger 
config in JSON output (#2499) + * chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 + (#2495) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to + 6.5.3 (#2494) + * chore(deps): update CPE dictionary index (#2491) + * Replace core SBOM-creation API with builder pattern (#1383) + * chore(deps): update tools to latest versions (#2488) + * chore(deps): bump actions/cache from 3.3.2 to 3.3.3 (#2489) + * chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3 + (#2481) + * chore(deps): bump github.com/charmbracelet/bubbles from 0.16.1 + to 0.17.1 (#2475) + * feat: binary classifiers for Percona Software For MySQL (#2478) + * feat: binary classifier for pypy (#2474) + * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to + 6.5.2 (#2476) + * fix: support traefik binary from the official Docker image + (#2484) + * feat: binary classifier for GCC (#2479) + * chore(deps): update tools to latest versions (#2480) + * chore(deps): bump golang.org/x/net from 0.19.0 to 0.20.0 + (#2482) + * chore(deps): bump github/codeql-action from 3.22.12 to 3.23.0 + (#2477) + * Upgrade binary test fixtures management (#2444) + +------------------------------------------------------------------- +Sat Jan 06 15:26:12 UTC 2024 - andrea.manzini@suse.com + +- Update to version 0.100.0: + * Add ability to extend the binaries cataloguers (#2469) + * chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2 + (#2464) + * fix: add missing purl for busybox (#2457) + * Fix diff error obfuscating binary test failures message (#2468) + * Replace `packages` command with `scan` (#2446) + * fix: PURLs with "nuget" type are dotnet packages (#2466) + * chore(deps): update tools to latest versions (#2459) + * chore(deps): update CPE dictionary index (#2458) + * chore: update binary to -x (#2456) + * Add more functionality to the ErLang parser (#2390) + * Added OpenSSL binary matcher (#2416) + * chore(deps): update stereoscope to + 
590920dabc5479216e755983d41367b6be3544f3 (#2452) + * chore(deps): update tools to latest versions (#2451) + * chore(deps): bump github/codeql-action from 3.22.11 to 3.22.12 + (#2455) + +------------------------------------------------------------------- +Thu Dec 21 16:26:53 UTC 2023 - opensuse_buildservice@ojkastl.de + +- Update to version 0.99.0: + * chore: remove execute from test fixtures (#2450) + * chore(deps): update tools to latest versions (#2447) + * fix: don't panic when hackage missing in haskell stack yaml + lock (#2448) + * Add binary classifier for the ERLang interpretter (#2417) + * Add binary classifier for Julia lang (#2427) + * Add binary detection for PHP composer (#2432) + * chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 + (#2433) + * chore(deps): update CPE dictionary index (#2442) + * chore(deps): update stereoscope to + 4b999b76ca8901d15bb97aef445dc94c38d11d5c (#2440) + * fix syft-json test to use pretty json for snapshot testing + (#2441) + * refactor pkg.Collection (#2439) + * refactor javascript cataloger to use configuration options when + creating packages (#2438) + * use single source of truth for archive options (#2437) + * fix file digest cataloger when passed coordinates (#2436) + * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 + to 0.8.0 (#2413) + * Look for a maven version in a pom from a parent dependency + management section (#2423) + * Parse Python licenses from LicenseExpression entry in the Wheel + Metadata (#2431) + * chore(deps): bump github/codeql-action from 2.22.10 to 3.22.11 + (#2430) + * chore(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0 + (#2429) + * chore(deps): update tools to latest versions (#2428) + * Parse Python licenses from LicenseFile entry in the Wheel + Metadata (#2331) + * fix: use filepath instead of path for file source exclusions + (#2411) + * chore(deps): bump github.com/charmbracelet/bubbletea (#2424) + * chore(deps): bump github.com/google/uuid from 1.4.0 to 
1.5.0 + (#2425) + * chore(deps): bump github/codeql-action from 2.22.9 to 2.22.10 + (#2426) + * chore(deps): bump dawidd6/action-homebrew-bump-formula (#2420) + * feat: add the option to retrieve remote licenses for projects + defined in a maven pom (#2409) + * chore(deps): bump github/codeql-action from 2.22.8 to 2.22.9 + (#2400) + * chore(deps): bump github.com/saferwall/pe from 1.4.7 to 1.4.8 + (#2415) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to + 5.11.0 (#2414) + * chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#2401) + * chore(deps): update tools to latest versions (#2408) + * chore(deps): update CPE dictionary index (#2412) + * fix(java): improve identification for org.codehaus.groovy + artifacts (#2404) + * fix(java): improve identification for commons-jelly artifacts + (#2399) + * fix(java): improve identification for io.minio artifacts + (#2398) + * fix(java): improve identification for com.graphql-java + artifacts (#2397) + * chore(deps): update tools to latest versions (#2395) + * chore: enhance java purl generation integration test (#2393) + * feat: add ability to retrieve remote licenses for yarn.lock + (#2338) + * chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 + (#2392) + * Retrieve remote licenses using pom.properties when there is no + pom.xml (#2315) + * fix(java): improve identification for org.apache.tapestry + artifacts (#2384) + * fix(java): improve identification for io.ratpack artifacts + (#2379) + * fix(java): improve identification for org.apache.cassandra + artifacts (#2386) + * fix(java): improve identification for org.neo4j.procedure + artifacts (#2388) + * fix: bump fangs for ptr summarize fix (#2387) + * fix(java): improve identification for org.elasticsearch + artifacts (#2383) + * fix(java): improve identification for org.apache.geode + artifacts (#2382) + * fix(java): improve identification for org.apache.tomcat.embed + artifacts (#2381) + * fix(java): improve identification for 
io.projectreactor.netty + artifacts (#2378) + * fix(java): improve identification for org.eclipse.platform + artifacts (#2349) + * Generalize UI events for cataloging tasks (#2369) + * chore(deps): update tools to latest versions (#2376) + * chore(deps): bump github.com/google/go-containerregistry + (#2377) + * chore: fix tests failing due to Mac Rosetta cache (#2374) + * fix: improve dotnet portable executable identification (#2133) + +------------------------------------------------------------------- +Thu Nov 30 08:14:13 UTC 2023 - andrea.manzini@suse.com + +- Update to version 0.98.0: + * fix file metadata cataloger to use resolved locations (#2370) + * fix: logging level for parsing potential PE files (#2367) + * only remove breaking-change label when there are schema changes (#2371) + * fix: capture root command stdout (#2364) + * fix: hardcode xalan group ID (#2368) + * Normalize cataloger configuration patterns (#2365) + * normalize enums to lowercase with hyphens (#2363) + * bump deps version + * fix: index file itself when file scan path has symlink (#2359) + * use read lock in pkg collection (#2341) + * Fix the `attest` command (#2337) + * fix: add manual namespace mapping for org.springframework jars (#2345) + * Add binary classifiers for MySQL and MariaDB (#2316) + * Enhance redis binary classifier (#2329) + * fix: add manual namespace mapping for org.springframework.security jars (#2343) + * fix: add manual namespace mapping for org.bouncycastle jars (#2342) + * Update developer docs to represent the current package layout (#2340) + * Remove the power-user command and related catalogers (#2306) + * Add "pretty" json configuration and change default behavior to be space-efficient (#2275) + +------------------------------------------------------------------- +Sat Nov 18 08:51:36 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.97.1: + * chore(deps): update stereoscope to + 3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336) + * feat: allow for 
stdout to be buffered on each command (#2335) + +------------------------------------------------------------------- +Fri Nov 17 05:46:54 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.97.0: + * fix: prevent writing non-report output to stdout (#2324) + * chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7 + (#2332) + * export metadata type helper (#2328) + * fix(java): add manual groupid mappings for org.apache.velocity + jars (#2327) + * fix(java): skip maven bundle plugin logic if vendor id and + symbolic name match (#2326) + * Refine license searching from groupIDFromJavaMetadata to allow + for having the artfactId in the groupId (#2313) + * chore(deps): update tools to latest versions (#2325) + * chore(deps): update tools to latest versions (#2318) + * Add license for golang stdlib (#2317) + * chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6 + (#2321) + * docs: Update README.md for dotnet-portable-executable (#2322) + * Fall back to searching maven central using + groupIDFromJavaMetadata (#2295) + * rename file.Location.VirtualPath to AccessPath (#2288) + * chore(deps): update tools to latest versions (#2308) + * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 + to 0.4.12 (#2310) + * chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0 + (#2311) + +------------------------------------------------------------------- +Thu Nov 09 14:48:04 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.96.0: + * include image labels in cycloneDX SBOM (#2294) + * Add accessPath on Location objects to syft-json output (#2287) + * SPDX file has duplicate sha256 tag in versionInfo (#2300) + * Check maven central as well for licenses in parents poms for + nested jars (#2302) + * chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 + (#2293) + * chore(deps): update tools to latest versions (#2301) + * fix: identify cyclone-json without $schema (#2303) + +------------------------------------------------------------------- 
+Tue Nov 07 20:40:41 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.95.0: + * chore: setup release task before calling go releaser (#2297) + * chore(deps): update tools to latest versions (#2296) + * chore(deps): update tools to latest versions (#2289) + * chore(deps): update CPE dictionary index (#2290) + * chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0 + (#2292) + * Wire though maven-url to java config (#2291) + * Use case-insensitive matching for Go license files (#2286) + * Add a new Java configuration option to recursively search + parent poms… (#2274) + * chore(deps): update tools to latest versions (#2280) + * Follow convention for naming catalogers (#2277) + * change dir resolver to include virtual path (#2259) + * fix: syft does not handle the case of parsing a jar with + multiple poms (#2231) + * add PURLs when scanning Gradle lock files (#2278) + * chore(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0 + (#2279) + * test: remove dll files and updates tests to use + versionResources (#2276) + * fix: update dot net binary parsing logic to remove empty space + (#2273) + * Read a license from a parent pom stored in Maven Central + (#2228) + * Update README.md to use canonical output format names (fixes + #2269) (#2272) + * Remove MetadataType from core package object and normalize JSON + metadataType values (#1983) + * chore(deps): bump github.com/docker/docker (#2263) + * chore(deps): update stereoscope to + 5909e353ee88d7809f0e646c79f110a0e6b1d80d (#2265) + * chore(deps): update CPE dictionary index (#2271) + * chore: fix cpe generation task (#2270) + * chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 + (#2262) + * chore(deps): bump github/codeql-action from 2.22.4 to 2.22.5 + (#2261) + * chore(deps): update tools to latest versions (#2258) + * chore(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to + 5.10.0 (#2256) + * feat: Perform case insensitive matching on Java license files + (#2235) + * Split the sbom.Format 
interface by encode and decode use cases
+ (#2186)
+ * Upgrade tool management (#2188)
+ * fix: 2179 jar chokes empty lines (#2254)
+ * chore(deps): update CPE dictionary index (#2253)
+ * fix CPE workflow (#2252)
+ * feat: add conaninfo.txt parser to detect conan packages in
+ docker images (#2234)
+ * chore(deps): update bootstrap tools to latest versions (#2245)
+ * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.0
+ to 4.6.1 (#2248)
+ * chore(deps): bump github/codeql-action from 2.22.3 to 2.22.4
+ (#2249)
+ * fill version info from release and git directly (#2244)
+ * Add ruby.NewGemSpecCataloger to DirectoryCatalogers. (#1971)
+ * change homebrew release trigger (#2242)
+
+-------------------------------------------------------------------
+Fri Nov 3 09:12:53 UTC 2023 - Johannes Kastl
+
+- BuildRequire go1.21
+
+-------------------------------------------------------------------
+Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.94.0:
+ * Label PRs when the json schema changes (#2240)
+ * Add download location when cataloging directory npm package
+ lock (#2238)
+ * fix: allow packages to be captured from DIST/EGG case (#2239)
+ * Account for maven bundle plugin and fix filename matching
+ (#2220)
+ * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236)
+ * Remove internal string set (#2219)
+ * bump clio to get stderr reporting fix (#2232)
+ * Fix panic for empty input to Swift cataloger (#2226)
+ * Add additional license filenames (#2227)
+ * chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3
+ (#2229)
+ * chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0
+ to 0.9.1 (#2222)
+ * chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2
+ (#2224)
+ * Detect a license file in the root directory or META-INF of a
+ jar (#2213)
+ * Parse donet dependency trees (#2143)
+ * chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0
+ (#2214)
+ * chore(deps): bump github.com/google/go-cmp from
0.5.9 to 0.6.0
+ (#2215)
+ * chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0
+ to 0.9.0 (#2216)
+ * chore: add automated homebrew action (#2164)
+ * Add relationships for dpkg packages (#2212)
+
+-------------------------------------------------------------------
+Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.93.0:
+ * Parse the Maven license from the pom.xml if not contained in
+ the mani… (#2115)
+ * Refine the docs for building a cataloger (#2175)
+ * Fix algo lookup by converting key to lower case (#2207)
+ * chore(deps): bump github/codeql-action from 2.22.0 to 2.22.1
+ (#2208)
+ * feat: add package for go compiler given binary detection
+ (#2195)
+ * chore(deps): bump github.com/docker/distribution from
+ 2.8.2+incompatible to 2.8.3+incompatible (#2193)
+ * chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0
+ (#2202)
+ * chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
+ (#2204)
+ * chore: update license list to 3.22 (#2201)
+ * Add exact syntax of the conversion formats (#2196)
+ * chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7
+ (#2198)
+ * chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0
+ (#2199)
+ * chore: removes unnecessary conditional (#2194)
+ * chore: improve --output help text and deprecate --file (#2187)
+ * chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0
+ (#2189)
+ * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10
+ to 0.4.11 (#2191)
+ * chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9
+ (#2182)
+ * chore(deps): update bootstrap tools to latest versions (#2178)
+ * chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6
+ (#2180)
+
+-------------------------------------------------------------------
+Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com
+
+- Update to version 0.92.0:
+ * bump deps to latest version
+ * fix: deterministic java purls (#2170)
+
+- Update to version 0.91.0:
+ * fix: prevent errors from
clobbering terminal (#2161)
+ * Require ordering of relationships when comparing parser output (#2160)
+ * Add containerd support (#1793)
+ * feat: add dependency information to conan lockfile parser (#2131)
+ * fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083)
+ * feat: add cyclonedx schema version selection (#2123)
+ * fix: allow cyclonedx json input with no components (#2127)
+ * fix source-version typo in flag description (#2126)
+
+- Update to version 0.90.0:
+ * fix(help): power-user help text to indicate it supports file-system (#2113)
+ * fix: update codeql-analysis for go 1.21 (#2108)
+ * feat(cmd/update): add UA header with current ver when check for update (#2100)
+ * fix(cdx): validate external refs before encoding (#2091)
+ * fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075)
+
+-------------------------------------------------------------------
+Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.89.0:
+ * tidy gomod and gitignore (#2082)
+ * fix quiet flag (#2081)
+ * fix: in some cases, try to use pom info to guess name and
+ version to top level jar (#2080)
+ * fix: don't panic on universal go binaries (#2078)
+ * chore: update CLI to CLIO (#2001)
+ * Add registry certificate verification support (#1734)
+ * fix: CPE generation for django (#2068)
+
+-------------------------------------------------------------------
+Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.88.0:
+ * chore: update quill to the latest version (#2065)
+ * fix: duplicate entries in cyclonedx dependency list (#2063)
+ * Fix panic in pom parsing (#2064)
+ * Fix: don't validate pom declared group (#2054)
+ * chore: trace log pom property reflect usage (#2059)
+ * fix: do not double-prefix symlink paths that already contain
+ volume names (#2051)
+ * feat: add bash classifier (#2055)
+ * Detect golang boring crypto and fipsonly modules (#2021)
+ * fix: properly parse conan ref and include user and channel
+ (#2034)
+ * chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1
+ to 0.8.0 (#2053)
+ * Enable reading non-utf-8 encodings for java pom.xml files
+ (#2047)
+ * feat: 1944 - update purl generation to use a consistent groupID
+ (#2033)
+ * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1
+ (#2049)
+ * chore(deps): update bootstrap tools to latest versions (#2048)
+ * chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0
+ (#2045)
+ * chore(deps): update CPE dictionary index (#2043)
+ * fill out new version notice (#2042)
+
+-------------------------------------------------------------------
+Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.87.1:
+ * feat: use java package names to determine known groupids
+ (#2032)
+ * fix: inconsistent removal of binaries by overlap (#2036)
+ * fix: CycloneDX relationships not output or decoded properly
+ (#1974)
+ * chore: restore cataloger.DefaultConfig (#2028)
+
+-------------------------------------------------------------------
+Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.87.0:
+ * fix: read direct package files when decoding SPDX tag-value
+ (#2014)
+ * chore(deps): update bootstrap tools to latest versions (#2022)
+ * chore(deps): update CPE dictionary index (#2025)
+ * chore(deps): update bootstrap tools to latest versions (#2012)
+ * chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
+ (#2008)
+ * 1948-filter-pkg-by-type (#2011)
+ * chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0
+ (#2009)
+ * fix: SPDX license values and download location (#2007)
+ * 931: binary cataloger exclusion defaults for ownership by
+ overlap (#1948)
+ * chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
+ (#2004)
+ * chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0
+ (#1998)
+ * test: add coverage for new rpmdb paths (#1999)
+ * chore: improve spdx purl
decoding (#1996)
+ * fix: gradle lockfile parser groupId handling (#1995)
+ * fix: update glob to use newer usr/lib/sysimage path (#1997)
+ * fix: opkg search glob (#1994)
+ * feat: nginx binary classifier (#1988)
+ * Expand deb cataloger to include opkg (#1985)
+ * chore(deps): update bootstrap tools to latest versions (#1991)
+ * chore(deps): bump github.com/google/go-containerregistry
+ (#1993)
+ * chore: update bubbly to fix hanging (#1990)
+ * chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
+ (#1989)
+ * feat: use originator logic to fill supplier (#1980)
+ * add metadata types to all cpe test fixtures (#1982)
+
+-------------------------------------------------------------------
+Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.86.1:
+ * fix: default image source name to user input (#1979)
+
+-------------------------------------------------------------------
+Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.86.0:
+ * chore(deps): update stereoscope to
+ d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975)
+ * chore: update to latest commit in tools-golang (#1969)
+ * Guess unpinned versions in python requirements.txt (#1966)
+ * chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2
+ (#1965)
+ * Fix panic condition on docker pull failure (#1968)
+ * bump JSON schema to account for simplified python env markers
+ (#1967)
+ * feat: support top-level SPDX package and graph (#1934)
+ * chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to
+ 5.8.1 (#1959)
+ * Add cataloger for Swift Package Manager.
(#1919)
+ * chore(deps): update stereoscope to
+ d515761c6ca2743a67d7d08053db69235ae76d1d (#1953)
+ * chore(deps): bump github.com/docker/docker (#1955)
+ * chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
+ 5.8.0 (#1951)
+ * Introduce indexed embedded CPE dictionary (#1897)
+ * chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4
+ (#1949)
+ * Add support for parsing .NET assemblies (#1943)
+ * docs: capture artifactory dev settings from 1895 (#1947)
+ * remove build binary and add explicit git ignore
+ * docs: update docs with new docker specific instructions (#1941)
+ * remove jotframe UI (#1932)
+ * fix: remove indirect dependency of circl v1.1.0 (#1940)
+ * chore: move wait before iteration to guarantee read before tea
+ (#1931)
+
+-------------------------------------------------------------------
+Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.85.0:
+ * implement ui handle waiter (#1930)
+ * fix: background reader apart from global handler for testing
+ (#1929)
+ * chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0
+ (#1928)
+ * fix: allow valid cyclonedx input with no components (#1873)
+ * fix: "or-later" suffix updated to consider deprecated "+"
+ operator (#1907)
+ * feat: CLI flag for directory base (#1867)
+ * Fix CPE gen for k8s python client (#1921)
+ * chore: update iterations to protect against race (#1927)
+ * chore(deps): update bootstrap tools to latest versions (#1922)
+ * fix: Don't use the actual redis or grpc CPEs for gems (#1926)
+ * fix(install): return with right error code (#1915)
+ * Remove erroneous Java CPEs from generation (#1918)
+ * chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
+ (#1916)
+ * Switch UI to bubbletea (#1888)
+ * fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate
+ the link (#1884)
+ * add file source digest support (#1914)
+ * chore(deps): update bootstrap tools to latest versions (#1908)
+ * chore(deps): bump golang.org/x/mod from 0.11.0
to 0.12.0
+ (#1912)
+ * chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0
+ (#1913)
+ * doc(readme): add installation section with scoop (#1909)
+ * Refactor source API (#1846)
+ * chore(deps): update bootstrap tools to latest versions (#1905)
+
+-------------------------------------------------------------------
+Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.84.1:
+ * chore(deps): update stereoscope to
+ cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903)
+ * chore(deps): update bootstrap tools to latest versions (#1902)
+ * fix: discover deb file relationships in distroless images
+ (#1901)
+ * add oss community board auto-add workflow (#1898)
+ * chore(deps): update stereoscope to
+ 8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890)
+ * chore(deps): update bootstrap tools to latest versions (#1894)
+ * fix: add support for Dart SDK package dependencies (#1891)
+ * Simplify the SBOM writer interface (#1892)
+ * fix: improve version detection in Java archive name parsing
+ (#1889)
+ * fix: only output valid cyclonedx license choices (#1879)
+ * docs: clarify reasoning of default catalogers for images or
+ directories (#1887)
+
+-------------------------------------------------------------------
+Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.84.0:
+ * Configure chronicle to pre-1.0 mode (#1886)
+ * chore: update SPDX license list to 3.21 (#1885)
+ * chore(deps): update bootstrap tools to latest versions (#1880)
+ * Pad artifact IDs (#1882)
+ * chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0
+ (#1878)
+
+-------------------------------------------------------------------
+Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.83.1:
+ * chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1
+ (#1874)
+ * chore(deps): update stereoscope to
+ 5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
+ * chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
+ (#1876)
+ * fix: pom
properties not setting artifact id (#1870)
+ * chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to
+ 0.5.2 (#1868)
+
+-------------------------------------------------------------------
+Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.83.0:
+ * fix: handle invalid symlinks (#1861)
+ * chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to
+ 0.5.1 (#1850)
+ * chore(deps): update bootstrap tools to latest versions (#1857)
+ * Pr 1825 (#1865)
+ * chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to
+ 1.9.3 (#1862)
+ * chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0
+ (#1863)
+ * feat: source-version flag (#1859)
+ * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0
+ (#1851)
+ * accept main.version ldflags even without vcs (#1855)
+ * feat: add scope to pom properties (#1779)
+ * chore(deps): bump github.com/stretchr/testify from 1.8.3 to
+ 1.8.4 (#1852)
+ * chore(deps): bump github.com/docker/docker (#1849)
+ * Add test to ensure package metadata is represented in the JSON
+ schema (#1841)
+ * Fix directory resolver to consider CWD and root path input
+ correctly (#1840)
+ * Migrate location-related structs to the file package (#1751)
+ * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to
+ 5.7.0 (#1843)
+
+-------------------------------------------------------------------
+Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.82.0:
+ * fix: add panic recovery for license parse (#1839)
+ * chore: return both failures when failed to retrieve an image
+ with a scheme (#1801)
+ * Extract go module versions from ldflags for binaries built by
+ go (#1832)
+ * fix: duplicate packages, support pnpm lockfile v6 (#1778)
+ * chore(deps): update stereoscope to
+ e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
+ * chore(deps): bump github.com/stretchr/testify from 1.8.2 to
+ 1.8.3 (#1829)
+ * chore(deps): bump github.com/docker/docker (#1833)
+
+-------------------------------------------------------------------
+Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.81.0:
+ * Keep original FileInfo persisted on file.Metadata structs
+ (#1794)
+ * chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to
+ 1.9.2 (#1827)
+ * chore(deps): bump github.com/google/go-containerregistry
+ (#1823)
+ * chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to
+ 1.9.1 (#1822)
+ * chore(deps): bump github.com/docker/docker (#1824)
+ * fix: update field plurality of 8.0.0 schema before release
+ (#1820)
+ * fix: update cataloger to check for expressions before split
+ (#1819)
+ * feat: update syft license concept to complex struct (#1743)
+ * fix: cyclonedx depends-on relationship inverted (#1816)
+ * fix: retain sbom cataloger relationships (#1509)
+ * feat: warn if parsing newer SBOM (#1810)
+ * feat: Add R cataloger (#1790)
+ * update cosign to v2 release (different go module) (#1805)
+ * fix: Reduce log spam on unknown relationship type (#1797)
+ * chore(deps): update bootstrap tools to latest versions (#1807)
+ * chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
+ * chore(deps): bump github.com/docker/docker (#1795)
+ * chore(deps): bump github.com/google/go-containerregistry
+ (#1796)
+ * chore(deps): update bootstrap tools to latest versions (#1792)
+ * Print package list when extra packages found (#1791)
+ * chore(deps): update bootstrap tools to latest versions (#1786)
+ * chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)
+
+-------------------------------------------------------------------
+Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.80.0:
+ * Update the CPE generation for spring-security-core (#1789)
+ * chore: do not HTML escape PackageURLs (#1782)
+ * chore: do not include kernel module cataloger by default
+ (#1784)
+ * chore(docs): Update lists of catalogers (#1780)
+ * chore: add more detail on SPDX file IDs (#1769)
+
* Search /usr/share for rpmdb to fix scan on ostree-managed
+ images (#1756)
+ * chore(deps): bump github.com/docker/docker (#1767)
+ * rename sbom.PackageCatalog to sbom.Packages (#1773)
+ * chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1
+ (#1768)
+ * Create python requirements metadata (#1759)
+ * chore: update test redactor ordering (#1765)
+ * rename pkg.Catalog to pkg.Collection (#1764)
+ * chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0
+ (#1758)
+ * chore: go-rpmdb update (#1757)
+ * chore(deps): bump github.com/CycloneDX/cyclonedx-go from
+ 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
+ * fix: Improve pnpm support (#1752)
+
+-------------------------------------------------------------------
+Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.79.0:
+ * feat: Add template func `hasField` (#1754)
+ * fix: only cache java packages and not source content (#1750)
+ * Add sections of interest for Gemfile.lock cataloger (#1749)
+ * fix: update cache.fingerprint file to java-builds dir (#1748)
+ * Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
+ * chore: bump stereoscope to latest version (#1741)
+ * chore(deps): update bootstrap tools to latest versions (#1744)
+ * chore(deps): bump github.com/docker/docker (#1746)
+
+-------------------------------------------------------------------
+Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.78.0:
+ * Create consul binary classifier (#1738)
+ * chore(deps): update bootstrap tools to latest versions (#1740)
+ * Fix kernel cataloger test fixtures (#1742)
+ * feat: Support scanning license files in golang packages over
+ the network (#1630)
+ * Add package-to-file location evidence relationships (#1698)
+ * Add Linux Kernel cataloger (#1694)
+ * Add annotations for evidence on package locations (#1723)
+ * add format make target (#1733)
+ * Update tests to not fail on Mac M1's.
(#1730)
+
+-------------------------------------------------------------------
+Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.77.0:
+ * chore(deps): update bootstrap tools to latest versions (#1728)
+ * Add support for nar files. (#1727)
+ * add highlevel details about catalogers (#1726)
+ * chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
+ * chore(deps): update stereoscope to
+ e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
+ * feat: gradle lockfile support (#1719)
+ * chore(deps): bump github.com/docker/docker (#1715)
+ * chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
+ * chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
+ * chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0
+ (#1716)
+ * chore(deps): bump peter-evans/create-pull-request from 4 to 5
+ (#1712)
+
+-------------------------------------------------------------------
+Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.76.1:
+ * chore: update tools-golang to v0.5.0 (#1717)
+ * Add Nix cataloger (#1696)
+ * refactor spdx tooling test to reduce intermittent failures
+ (#1707)
+ * Capture file ownership relationships from portage ecosystem
+ (#1702)
+ * chore: update deprecated set-output calls (#1705)
+
+-------------------------------------------------------------------
+Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.76.0:
+ * feat: Add config option to allow user to select the default
+ image source location
+ * chore(deps): bump github.com/docker/docker (#1699)
+ * chore(deps): update bootstrap tools to latest versions (#1697)
+ * chore(deps): update stereoscope to
+ d7551b7f46f53179922d6229709d3d1602881080 (#1693)
+ * 1577 spdxlicense generate (#1691)
+ * chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to
+ 0.5.3 (#1692)
+ * feat: scan local go mod cache for licenses of golang packages
+ (#1645)
+ * chore: fix flaky license sorting (#1690)
+ *
chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3
+ (#1689)
+ * fix: shell completion by adding missing usage message required
+ by spf13/cobra (#1688)
+ * chore(deps): update bootstrap tools to latest versions (#1686)
+ * chore: tweak some workflow text (#1685)
+ * Remove more side effects from application config testing
+ (#1684)
+ * Deprecate config.yaml as valid config source; Add unit
+ regression for correct config paths (#1640)
+ * chore: Update syft bootstrap tools to latest versions. (#1682)
+ * Update documentation: (#1680)
+ * chore: Update Stereoscope to
+ 7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
+ * fix: reduce logging for bad dpkg lines (#1675)
+ * fix ruby classifier (#1678)
+ * feat: add shared dir for easier cleanup (#1676)
+ * chore(deps): bump github.com/google/go-containerregistry
+ (#1672)
+ * chore(deps): bump actions/setup-go from 3 to 4 (#1671)
+ * fix: move defer after error to protect panic case (#1670)
+ * feat: add argocd, helm, kustomize and kubectl binary
+ classifiers (#1663)
+ * defer closing file (#1668)
+ * fix: remove author contributing to javascript CPEs (#1669)
+
+-------------------------------------------------------------------
+Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.75.0:
+ * fix: more python matching support (#1667)
+ * Update syft bootstrap tools to latest versions. (#1666)
+ * feat: add ruby classifier (#1665)
+
+-------------------------------------------------------------------
+Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.74.1:
+ * Update syft bootstrap tools to latest versions.
(#1658)
+ * fix: improved Python binary detection (#1648)
+ * fix: suppress some known incorrect vendor candidates for npm
+ CPEs (#1659)
+ * fix: sanitize SPDX LicenseRefs (#1657)
+ * chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
+ * chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
+ * chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5
+ (#1654)
+ * chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
+ * fix: dotnet PURL types are invalid (#1649)
+ * feat: disable cpe vendor wildcards to reduce false positives
+ (#1647)
+ * read relative etc/apk/repositories for alpine version when no
+ OS provided (#1615)
+
+-------------------------------------------------------------------
+Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.74.0:
+ * fix: possible race condition (#1639)
+ * fix: remove APK OriginPackage cpe candidates (#1637)
+ * fix: rebar lock file decoding panic (#1628)
+ * fix: handle individual cataloger panics (#1636)
+ * fix: apk product/vendor generation for old metadata (#1635)
+ * feat: rust toolchain binary cataloger (#1601)
+ * feat: retain go package info when no module declared (#1632)
+ * fix: improved CPE-generation for several more APK packages
+ (#1631)
+ * chore: update deprecated release flag (#1629)
+ * chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
+ * feat: add support for SUPPORT_END in /etc/os-release (#1612)
+ * fix: further improvements to CPE generation for apk packages
+ (#1623)
+ * chore(deps): bump github.com/stretchr/testify from 1.8.1 to
+ 1.8.2 (#1625)
+ * chore(deps): bump actions/checkout from 2 to 3 (#1626)
+ * feat: set cosign attest predicate type based on Syft output
+ type (#1598)
+ * chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4
+ (#1609)
+ * fix: correct apk purls for other distros (#1620)
+ * refactor: move apk upstream logic to apk metadata (#1619)
+ * fix: decoding null apk metadata pullDependencies (#1614)
+
* feat: haproxy binary matcher (#1591)
+ * fix: determine upstream for apk version streams (#1610)
+ * fix: improve CPE generation for curl APK (#1608)
+ * Revert "add workaround for macos github actions cache issue
+ (#1584)" (#1605)
+
+-------------------------------------------------------------------
+Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.73.0:
+ * Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
+ * chore: fix cataloger_test (#1603)
+ * fix: merging of binary packages (#1583)
+ * fix: issue when matching format versions (#1585)
+ * chore: update syft bootstrap tools to latest versions. (#1593)
+ * feat: add perl binary classifier (#1592)
+ * Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
+ * Update SPDX license list to 3.20 (#1600)
+ * chore: update SPDX license list (#1599)
+ * fix cataloger selection to be more specific (#1582)
+ * add workaround for macos github actions cache issue (#1584)
+
+-------------------------------------------------------------------
+Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.72.0:
+ * Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
+ * chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
+ * chore: update bug issue template (#1571)
+ * allow convert to take stdin (#1570)
+ * fix: improve CPE and upstream generation logic for Alpine packages (#1567)
+ * fix: missing APK node vulnerabilities (#1565)
+ * fix: python CPE generation for alpine (#1564)
+ * chore(deps): bump github.com/docker/docker (#1563)
+
+-------------------------------------------------------------------
+Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.71.0:
+ * switch from trigger-release target to release target (#1560)
+ * Speed up cataloging by replacing globs searching with index lookups (#1510)
+ * Update syft bootstrap tools to latest versions.
(#1549)
+ * Fix installed versions (#1556)
+ * chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
+ * feat: add postgresql classifier (#1536)
+ * Add release trigger (#1501)
+ * chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
+ * chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
+ * fix: add support for licenses not found on list (#1540)
+ * Update syft bootstrap tools to latest versions. (#1541)
+ * feat: Allow specific versions of formats to be specified (#1543)
+ * Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
+ * source: when base is set, responsePath should be absolute (#1542)
+
+-------------------------------------------------------------------
+Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.70.0:
+ * fix: update config struct to not decode password/key (#1538)
+ * Update syft bootstrap tools to latest versions. (#1537)
+ * feat: add traefik classifier (#1504)
+ * fix: don't hardcode Cosign attest type (#1533)
+ * chore(deps): bump github.com/docker/docker (#1531)
+ * Update syft bootstrap tools to latest versions. (#1530)
+
+-------------------------------------------------------------------
+Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.69.1:
+ * chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
+ * feat: update golang to 1.19 (#1526)
+ * Update syft bootstrap tools to latest versions.
(#1525)
+
+-------------------------------------------------------------------
+Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.69.0:
+ * Allow scanning unpacked container filesystems (#1485)
+ * fix: allow template for syft convert (#1521)
+ * 1465 attestation with private key (#1502)
+
+-------------------------------------------------------------------
+Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.68.1:
+ * fix: add relevant CPEs to python and busybox classifiers (#1517)
+ * Update syft bootstrap tools to latest versions. (#1515)
+ * chore: correct bootstrap tool script (#1514)
+ * chore(deps): bump github.com/google/go-containerregistry (#1513)
+ * Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
+ * chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
+ * chore(deps): bump github.com/docker/docker (#1506)
+ * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
+ * chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
+ * Bump github.com/spdx/tools-golang to v0.4.0 (#1450)
+
+-------------------------------------------------------------------
+Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.68.0:
+ * Fix panic in apkdb parsing on empty "provides" values (#1494)
+ * push detailed log statements to trace-level (#1500)
+ * npm: package-lock license decoding to accept string or array (#1482)
+ * always set the package ID for java packages (#1493)
+ * fix: skip filling in empty fields in APK metadata (#1484)
+ * chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
+ * chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
+ * chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
+ * chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
+ * chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
+ * Relax error conditions
for catalogers (#1492)
+ * feat: add memcached classifier (#1486)
+ * chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
+ * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
+ * chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
+ * chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
+ * chore(deps): bump github.com/google/go-containerregistry (#1487)
+ * chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
+ * chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
+ * chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
+ * chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
+ * chore(deps): bump github/codeql-action from 1 to 2 (#1473)
+ * chore(deps): bump actions/setup-go from 2 to 3 (#1472)
+ * Add dependabot (#1451)
+- skip non-existent release 0.67.x
+
+-------------------------------------------------------------------
+Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.66.2:
+ * chore: use checkout v3 with new depth (#1471)
+ * chore: use checkout v2 for tag depth (#1470)
+ * fix: nil panic in graalvm cataloger (#1468)
+ * add linter for type assertion checks (#1469)
+ * fix: bump golang.org/x/net to v0.4.0 (#1467)
+ * fix: bump golang.org/x/text to v0.3.8 (#1466)
+ * bootstrap within composite action (#1461)
+ * chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
+ * README: update Nix installation instructions (#1455)
+
+-------------------------------------------------------------------
+Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.66.1:
+ * fix: update graalvm cataloger to fix panic (#1454)
+ * chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)
+
+-------------------------------------------------------------------
+Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de
+
+- Update to version 0.66.0:
+ *
feat: Add the origin field to the output format of syftjson (#1327) + * chore: update schema (#1449) + * feat: prefer known CPE vendors over other candidates (#1294) + * fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442) + * feat: add BeamVM Hex support (#1073) + * feat: add apache httpd binary classifier (#1448) + * chore: claim artifacthub package ownership from developer-guy (#881) + * Parallel package catalog processing (#1355) + * feat: Add php binary catalogers (#1444) + * Update syft bootstrap tools to latest versions. (#1443) + * fix: duplicate file in tar archive causes read to fail (#1445) + * Add support for GraalVM Native Image executables. (#1276) + * Add redis binary classifier (#1438) + * docs: add cataloger construction summary (#1434) + * chore: update bootstrap tools to latest versions. (#1428) + * Add alpine type to purl (#1431) + +------------------------------------------------------------------- +Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.65.0: + * adding purl types for binary classifiers (#1435) + * chore: refactor basic CPE functionality to its own package (#1436) + * fix: typo in os.Getwd error message (#1433) + * fix: additional excessive go binary warnings (#1432) + * docs: migrate to homebrew-core (#1427) + +------------------------------------------------------------------- +Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de + +- Update to version 0.64.0: + * fix: unicode output in cyclonedx-json format (#1420) + * fix: excessive go binary warnings (#1424) + * feat: update spdx format model to produce valid spdx json documents (#1418) + * clean package names in python parsers (#1417) + * docs: update schema name to 2.3 (#1416) + * feat: add h1digest when scanning go.mod (#1405) + * feat: Add license parsing for java (#1385) + * fix: cyclonedx component type for binaries (#1406) + * fix: openjdk detection pattern (#1415) + * bug: spdx checksum empty array; 
allow syft to generate SHA1 for spdx-tag-value documents (#1404) + * Add NetBSD support. (#1412) + +------------------------------------------------------------------- +Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.63.0: + * feat: add catalog delete (#1377) + * docs: remove file classifier (#1397) + * chore: update latest cyclonedx library (#1390) + * feat: Add Java binary catalogers (#1392) + * chore: Update SPDX license list to 3.19 (#1389) + * fix: add manual vendor/product removal to fix false flags (#1070) + * Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395) + * chore: fix test busybox image sha (#1393) + * fix: go version not properly identified in binary (#1384) + +------------------------------------------------------------------- +Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.62.3: + * Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376) + * fix: Update node binary package name (#1375) + * feat: Generic Binary Cataloger (#1336) + * recover from bad parsing of golang binary (#1371) + * Fix parsing of apk databases with large entries (#1365) + * Update syft bootstrap tools to latest versions. (#1369) + +------------------------------------------------------------------- +Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.62.2: + * fix: guard for locations < 1 in alpmdb parse (#1366) + * fix: remove cabal.project.freeze panic on last pkg (#1363) + * fix: requirements.txt - return unicode only letter/num for version (#1361) + * Update syft bootstrap tools to latest versions. 
(#1356) + +------------------------------------------------------------------- +Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.62.1: + * fix: sort relationships in SPDX output (#1350) + * chore: add debug logging for decode errors (#1352) + * feat(npm): handle aliases in package-lock.json (#1349) + +------------------------------------------------------------------- +Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.62.0: + * fix: spdx java checksum correctness (#1348) + * feat: Add support for npm lockfile version 3 (#1206) + +------------------------------------------------------------------- +Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.61.0: + * 1111 clean name bug (#1347) + * Add spdx relationship encoding for dependencies (#1342) + * feat: SPDX 2.3 support (#1311) + * SBOM cataloger (#1029) + * chore: clean up linting configuration (#1343) + * fix: Unmarshal Syft JSON with missing metadata (#1338) + * fix apk decode for older data shapes (#1341) + * chore: add unit test for wolfi os release identification (#1340) + * fix: Output only valid CPEs for CycloneDX OS components (#1339) + * feat: Add `--name` option to override name in output (#1269) + * Add support for dependency relationships for alpine (apk) (#1063) + * normalize alpm md5 refs (#1333) + * Update java generic cataloger (#1329) + * Support encoding map types to CycloneDX properties (#1332) + * Update swift cataloger to generic cataloger (#1324) + * port rust cataloger to new generic cataloger pattern (#1323) + * port ruby cataloger to new generic cataloger pattern (#1322) + * port rpm cataloger to new generic cataloger pattern (#1321) + * port python cataloger to new generic cataloger pattern (#1319) + * Update portage cataloger to new generic cataloger (#1316) + * port php cataloger to new generic cataloger pattern (#1315) + +------------------------------------------------------------------- +Tue Nov 15 09:52:45 
UTC 2022 - kastl@b1-systems.de + +- Update to version 0.60.3: + * javascript cataloger: node binary: nil pointer dereference (#1313) + * Fix: Include version information in binary cataloger CPEs (#1310) + * fix: only generate PURL on empty string (#1312) + * add s3 credentials to release (#1309) + * port javascript cataloger to new generic cataloger pattern (#1308) + +------------------------------------------------------------------- +Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.60.2: + * chore: update goreleaser brew token (#1306) + * fix: Decode binary and unknown metadata (#1307) + +------------------------------------------------------------------- +Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.60.1: + * chore: update github token permissions for goreleaser (#1305) + +------------------------------------------------------------------- +Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.60.0: + * fix: update ci secret to use new password (#1304) + * fix: update secret value to use new cert cahin (#1303) + * fix: verbose quill release failures (#1302) + * fix: unterminated quoted string (#1300) + * fix: update Makefile to remove old signing arch (#1299) + * feat: add nodejs-binary package classifier (#1296) + * update go-rpmdb to improve parsing of installed files (#1297) + * docs: update attestation directions with new cosign changes + * fix: Continue parsing Python RECORD files when bad lines encountered (#1295) + * Fix #1245 Update SPDX license list to 3.18 (#1259) + * fix: Resolve Maven POM expressions (#1251) (#1278) + * port haskell cataloger to new generic cataloger pattern (#1290) + * port golang cataloger to new generic cataloger pattern (#1289) + * port deb/dpkg cataloger to new generic cataloger pattern (#1288) + * update cataloger tests to use pkgtest utils (#1287) + * port dotnet cataloger to new generic cataloger pattern (#1286) + * port dart cataloger to new 
generic cataloger pattern (#1285) + * port conan cataloger to new generic cataloger pattern (#1284) + * port apk cataloger to new generic cataloger pattern (#1283) + * replace signing tooling with quill (#1280) + * Upgrade generic cataloger (#1281) + * Update syft bootstrap tools to latest versions. (#1282) + * replace logger interface with anchore/go-logger (#1279) + * Update syft bootstrap tools to latest versions. (#1267) + * Add go binary h1 digest to SPDX (#1265) + * fix: move reproduction to top of issue (#1264) + * fix: update syftjson ID to match major schema version (#1274) + * Use in-toto CycloneDX predicate to be compatible with cosign (#1270) + * chore: handle deprecated SPDX license: StandardML-NJ (#1266) + +------------------------------------------------------------------- +Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.59.0: + * Fixes #1179 Deprecated SPDX license (#1263) + * feat: add RelationshipsBySourceOwnership to syft json output (#1248) + * fix: reset merged package into map; (#1258) + * refactor: Remove experimental Anchore Enterprise upload functionality (#1257) + * Update syft bootstrap tools to latest versions. (#1254) + * Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253) + * Update syft bootstrap tools to latest versions. (#1244) + * fix apkdb checksum representation (#1247) + * feat: add identifiable field to source object (#1243) + * feat: attest support for Singularity images (#1201) + * Update syft bootstrap tools to latest versions. 
(#1239) + * Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240) + * fix: Follow symlinks when searching for globs in all-layers scope (#1221) + * update requires to use list; remove field (#1234) + +------------------------------------------------------------------- +Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.58.0: + * Add Conan (C/C++) conan.lock file support (#1230) + * add sequence diagrams and flesh out TODO notes (#1233) + * Do not fail if unable to parse `.rpm` file (#1232) + * fix: support exclude patterns on Windows (#1228) + * Update syft bootstrap tools to latest versions. (#1225) + * Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224) + * Update syft bootstrap tools to latest versions. (#1223) + * Update syft bootstrap tools to latest versions. (#1220) + +------------------------------------------------------------------- +Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.57.0: + * feat: catalog python files for installed-files.txt file metadata (#1217) + * Stabilize SPDX JSON output sorting (#1216) + * bug: remove chance for panic; provide default attestation path (#1214) + * refactor: update Makefile organization; update DEVELOPING.md instructions (#1212) + * refactor: replace ioutil=>io; update linter (#1211) + * Update bootstrap tools to latest versions. (#1204) + * Add gosimports (#1205) + * refactor: move formats from internal into syft module (#1172) + +------------------------------------------------------------------- +Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.56.0: + * warn on errors from RPM DB parsing (#1200) + * docs: improve Singularity image source docs (#1190) + * Add RPM file scanning support (#1188) + * Normalize syft-json output (#1194) + * Revert "External sources configuration (#1158)" (#1191) + * Update syft bootstrap tools to latest versions. 
(#1186) + * Fix RPM DB license handling (#1184) + * Update syft bootstrap tools to latest versions. (#1182) + +------------------------------------------------------------------- +Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.55.0: + * update stereoscope to latest (#1181) + * Update syft bootstrap tools to latest versions. (#1180) + * Bug fix for 1095 - syft conversion option error (#1177) + * Update syft bootstrap tools to latest versions. (#1176) + * enhance development support on macOS ARM (#1163) + * Capture if a node module is private (#1161) + * Find version numbers from jars with different naming conventions (#1174) + * Update syft bootstrap tools to latest versions. (#1171) + * Fix update-bootstrap-tools workflow (#1170) + * workflow to create automated PRs to update bootstrap tools (#1167) + * feat: add support for licenses in package-lock json v2 (#1164) + * External sources configuration (#1158) + * feat: add support for pnpm (#1166) + * Prevent symlinks causing duplicate package-file relationships (#1168) + +------------------------------------------------------------------- +Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.54.0: + * Associate node package licenses from node_modules (#1152) + * Give the contributing guide a substantial rework (#1155) + * fix: extract file ids correctly for spdx-json (#1156) + * metadata decoding should be optional (#1154) + * Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151) + * Add modularitylabel metadata to RPM type records generated by syft (#1148) + * Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149) + * retraction for mispublished versions (#1147) + * cataloger configuration is respected regardless of source (#1142) + * Update README.md (#1146) + * bump cosign to v1.10.1 (#1144) + +------------------------------------------------------------------- +Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de + +- Update to 
version 0.53.4: + * Update stereoscope to get rid of the replace directive (#1140) + +------------------------------------------------------------------- +Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.53.3: + * Correct squashfs import and fix incorrect bouncer configuration (#1138) + +------------------------------------------------------------------- +Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.53.2: + * Overwrite deprecated SPDX licenses automatically (#1009) + * disable release for docker assets (#1137) + +------------------------------------------------------------------- +Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.53.1: + * improve docker release bootstrap (#1136) + * Singularity Image Support (#974) + +------------------------------------------------------------------- +Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.53.0: + * remove docker login from keychain (#1135) + * remove ENV checks from siging script (#1134) + * remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133) + * remove prefixed v from tag to match release (#1131) + * rollback actions-setup-docker to earlier version (#1130) + * Bump go-rustaudit to support rustaudit 0.2.0 (#1127) + * bump bouncer to v0.4.0 (#1125) + * Added ppc64le supported to the syft:debug image (#1124) + * add a cataloger for binaries built with rust-audit (#1116) + * bump goreleaser to v1.10.3 (#1123) + * bump golangci-lint to v1.47.2 (#1122) + * bump cosign in bootstrap-tools to v1.10.0 (#1121) + * Added s390x support (#1117) + * Delete pr_action.yaml (#1120) + * fix: use generic instead of not generating purl (#1119) + * bump cosign to v1.10.0 (#1114) + +------------------------------------------------------------------- +Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.52.0: + * Update sigstore/rekor dependency (#1112) + * Added 
ppc64le support (#1099) + * patch-distroless-ghcr (#1110) + * add distroless debug image to published release (#1106) + * update help formatting (#1105) + * feat: implement haskell support (#1096) + * Add the -r argument for gnu xargs (#1103) + * fix: -o output option to include formats (#1102) + * moves go-rpmdb to latest; libc => v1.16.7 (#1098) + +------------------------------------------------------------------- +Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.51.0: + * feat: add support for cocoapods (Swift/Objective-C) (#1081) + * Fix package url for Go modules with no / (#1092) + * Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090) + * feat: output attestation to file (#1087) + * Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089) + * Add portage support for Gentoo Linux (#1076) + * Add PR action back to workflow with new token (#1086) + +------------------------------------------------------------------- +Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.50.0: + * feat: add new login cmd (#1068) + * update AltRpmDbGlob with comment and context (#1085) + * feat: add support for conan packages (C/C++) (#1083) + * add golang main module and pseudo-version (#916) + * fix: add glob to filter list to ensure rpm metadata files are matched… (#1079) + * remove pr automation until service account creation (#1080) + * fix: purl generation for pom.xml (#1078) + * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072) + * fix: add new languages found in cpes (#1069) + * fix: add php catalogers to all catalogers (#1065) + * feat: add use-all-catalogers flag (#1050) + +------------------------------------------------------------------- +Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de + +- Update to version 0.49.0: + * Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926) + * remove OSS Meetup message (#1057) + 
* add pom.xml cataloger (#1055)
+ * Add support for CBL-Mariner distroless images (#1045)
+ * Add catalogers configuration (#1038)
+ * add template output (#1051)
+
+-------------------------------------------------------------------
+Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.48.1:
+ * update stereoscope to latest version (#1052)
+
+-------------------------------------------------------------------
+Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.48.0:
+ * update zip_read_closer to incorporate zip64 support (#1041)
+ * Add pacman (alpm) parser support (#943)
+
+-------------------------------------------------------------------
+Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de
+
+- Update to version 0.47.0:
+ * Update of README.md (#1027)
+ * bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025)
+ * add workflows to test new project automation (#1023)
+ * improve LanguageByName and add unit tests (#1034)
+ * Read Description from dpkg status files (#996)
+ * Add announcement for Anchore OSS Virtual Meetup (#1033)
+ * add main module field to go bin metadata (#1026)
+ * Add filters to package cataloger (#1021)
+ * change draft to false for release process (#1016)
+ * Support RPM distros with newer RPM db formats (#1018)
+ * fix: add component list to prevent cyclone-dx panic (#1015)
+
+-------------------------------------------------------------------
+Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl
+
+- first version of package syft at version 0.46.3
diff --git a/syft.obsinfo b/syft.obsinfo
new file mode 100644
index 0000000..9c966ec
--- /dev/null
+++ b/syft.obsinfo
@@ -0,0 +1,4 @@
+name: syft
+version: 1.17.0
+mtime: 1732199331
+commit: a8d4202d77b6b31e75ce5af09a8b03ad14e533d3
diff --git a/syft.spec b/syft.spec
new file mode 100644
index 0000000..af40f87
--- /dev/null
+++ b/syft.spec
@@ -0,0 +1,119 @@
+#
+# spec file for package syft
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
+
+Name: syft
+Version: 1.17.0
+Release: 0
+Summary: CLI tool and library for generating a Software Bill of Materials
+License: Apache-2.0
+URL: https://github.com/anchore/syft
+Source: syft-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: bash-completion
+BuildRequires: fish
+BuildRequires: go >= 1.22
+BuildRequires: zsh
+
+%description
+A CLI tool and Go library for generating a Software Bill of Materials (SBOM)
+from container images and filesystems. Exceptional for vulnerability detection
+when used with a scanner like Grype.
+
+%package -n %{name}-bash-completion
+Summary: Bash Completion for %{name}
+Group: System/Shells
+Requires: %{name} = %{version}
+Requires: bash-completion
+Supplements: (%{name} and bash-completion)
+BuildArch: noarch
+
+%description -n %{name}-bash-completion
+Bash command line completion support for %{name}.
+
+%package -n %{name}-fish-completion
+Summary: Fish Completion for %{name}
+Group: System/Shells
+Requires: %{name} = %{version}
+Supplements: (%{name} and fish)
+BuildArch: noarch
+
+%description -n %{name}-fish-completion
+Fish command line completion support for %{name}.
+
+%package -n %{name}-zsh-completion
+Summary: Zsh Completion for %{name}
+Group: System/Shells
+Requires: %{name} = %{version}
+Supplements: (%{name} and zsh)
+BuildArch: noarch
+
+%description -n %{name}-zsh-completion
+zsh command line completion support for %{name}.
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+COMMIT_HASH="$(sed -n 's/commit: \(.*\)/\1/p' %_sourcedir/%{name}.obsinfo)"
+
+DATE_FMT="+%%Y-%%m-%%dT%%H:%%M:%%SZ"
+BUILD_DATE=$(date -u -d "@${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "${DATE_FMT}" 2>/dev/null || date -u "${DATE_FMT}")
+
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags=" \
+ -X main.version=%{version} \
+ -X main.gitCommit=${COMMIT_HASH} \
+ -X main.gitDescription=v%{version} \
+ -X main.buildDate=$BUILD_DATE" \
+ -o bin/syft ./cmd/syft
+
+%install
+# Install the binary.
+install -D -m 0755 bin/%{name} "%{buildroot}/%{_bindir}/%{name}"
+
+# create the bash completion file
+mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/
+%{buildroot}/%{_bindir}/%{name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{name}
+
+# create the fish completion file
+mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/
+%{buildroot}/%{_bindir}/%{name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{name}.fish
+
+# create the zsh completion file
+mkdir -p %{buildroot}%{_datarootdir}/zsh/site-functions/
+%{buildroot}/%{_bindir}/%{name} completion zsh > %{buildroot}%{_datarootdir}/zsh/site-functions/_%{name}
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+
+%files -n %{name}-bash-completion
+%{_datarootdir}/bash-completion/completions/%{name}
+
+%files -n %{name}-fish-completion
+%{_datarootdir}/fish/vendor_completions.d/%{name}.fish
+
+%files -n %{name}-zsh-completion
+%{_datarootdir}/zsh/site-functions/_%{name}
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..c08162f
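Review bot: The `go build` call in `%build` carries no `-trimpath`, so the absolute paths of the build root end up recorded in the binary and the package is harder to reproduce bit-for-bit; unless the distribution's Go macros or `GOFLAGS` already supply it (not visible in this hunk), add a line `-trimpath \` after `-buildmode=pie \`. In the same section the last branch of the `BUILD_DATE` chain, `date -u "${DATE_FMT}"`, silently stamps the wall-clock time whenever `SOURCE_DATE_EPOCH` is unset or rejected by both earlier `date` forms. Failing the build at that point, or dropping the branch, would keep `main.buildDate` tied to the source rather than to the build host.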
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b828da659e4819887c5e62078edee7a73073e26ca30d5291262e52d4903cc235
+size 51807829