-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.64.0:
  * fix: unicode output in cyclonedx-json format (#1420)
  * fix: excessive go binary warnings (#1424)
  * feat: update spdx format model to produce valid spdx json documents (#1418)
  * clean package names in python parsers (#1417)
  * docs: update schema name to 2.3 (#1416)
  * feat: add h1digest when scanning go.mod (#1405)
  * feat: Add license parsing for java (#1385)
  * fix: cyclonedx component type for binaries (#1406)
  * fix: openjdk detection pattern (#1415)
  * bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
  * Add NetBSD support. (#1412)

-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de

- Update to version 0.63.0:
  * feat: add catalog delete (#1377)
  * docs: remove file classifier (#1397)
  * chore: update latest cyclonedx library (#1390)
  * feat: Add Java binary catalogers (#1392)
  * chore: Update SPDX license list to 3.19 (#1389)
  * fix: add manual vendor/product removal to fix false flags (#1070)
  * Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
  * chore: fix test busybox image sha (#1393)
  * fix: go version not properly identified in binary (#1384)

-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.3:
  * Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
  * fix: Update node binary package name (#1375)
  * feat: Generic Binary Cataloger (#1336)
  * recover from bad parsing of golang binary (#1371)
  * Fix parsing of apk databases with large entries (#1365)
  * Update syft bootstrap tools to latest versions. (#1369)

-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.2:
  * fix: guard for locations < 1 in alpmdb parse (#1366)
  * fix: remove cabal.project.freeze panic on last pkg (#1363)
  * fix: requirements.txt - return unicode only letter/num for version (#1361)
  * Update syft bootstrap tools to latest versions. (#1356)

-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.1:
  * fix: sort relationships in SPDX output (#1350)
  * chore: add debug logging for decode errors (#1352)
  * feat(npm): handle aliases in package-lock.json (#1349)

-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.0:
  * fix: spdx java checksum correctness (#1348)
  * feat: Add support for npm lockfile version 3 (#1206)

-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de

- Update to version 0.61.0:
  * 1111 clean name bug (#1347)
  * Add spdx relationship encoding for dependencies (#1342)
  * feat: SPDX 2.3 support (#1311)
  * SBOM cataloger (#1029)
  * chore: clean up linting configuration (#1343)
  * fix: Unmarshal Syft JSON with missing metadata (#1338)
  * fix apk decode for older data shapes (#1341)
  * chore: add unit test for wolfi os release identification (#1340)
  * fix: Output only valid CPEs for CycloneDX OS components (#1339)
  * feat: Add `--name` option to override name in output (#1269)
  * Add support for dependency relationships for alpine (apk) (#1063)
  * normalize alpm md5 refs (#1333)
  * Update java generic cataloger (#1329)
  * Support encoding map types to CycloneDX properties (#1332)
  * Update swift cataloger to generic cataloger (#1324)
  * port rust cataloger to new generic cataloger pattern (#1323)
  * port ruby cataloger to new generic cataloger pattern (#1322)
  * port rpm cataloger to new generic cataloger pattern (#1321)
  * port python cataloger to new generic cataloger pattern (#1319)
  * Update portage cataloger to new generic cataloger (#1316)
  * port php cataloger to new generic cataloger pattern (#1315)

-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.3:
  * javascript cataloger: node binary: nil pointer dereference (#1313)
  * Fix: Include version information in binary cataloger CPEs (#1310)
  * fix: only generate PURL on empty string (#1312)
  * add s3 credentials to release (#1309)
  * port javascript cataloger to new generic cataloger pattern (#1308)

-------------------------------------------------------------------
Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.2:
  * chore: update goreleaser brew token (#1306)
  * fix: Decode binary and unknown metadata (#1307)

-------------------------------------------------------------------
Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.1:
  * chore: update github token permissions for goreleaser (#1305)

-------------------------------------------------------------------
Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.0:
  * fix: update ci secret to use new password (#1304)
  * fix: update secret value to use new cert chain (#1303)
  * fix: verbose quill release failures (#1302)
  * fix: unterminated quoted string (#1300)
  * fix: update Makefile to remove old signing arch (#1299)
  * feat: add nodejs-binary package classifier (#1296)
  * update go-rpmdb to improve parsing of installed files (#1297)
  * docs: update attestation directions with new cosign changes
  * fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
  * Fix #1245 Update SPDX license list to 3.18 (#1259)
  * fix: Resolve Maven POM expressions (#1251) (#1278)
  * port haskell cataloger to new generic cataloger pattern (#1290)
  * port golang cataloger to new generic cataloger pattern (#1289)
  * port deb/dpkg cataloger to new generic cataloger pattern (#1288)
  * update cataloger tests to use pkgtest utils (#1287)
  * port dotnet cataloger to new generic cataloger pattern (#1286)
  * port dart cataloger to new generic cataloger pattern (#1285)
  * port conan cataloger to new generic cataloger pattern (#1284)
  * port apk cataloger to new generic cataloger pattern (#1283)
  * replace signing tooling with quill (#1280)
  * Upgrade generic cataloger (#1281)
  * Update syft bootstrap tools to latest versions. (#1282)
  * replace logger interface with anchore/go-logger (#1279)
  * Update syft bootstrap tools to latest versions. (#1267)
  * Add go binary h1 digest to SPDX (#1265)
  * fix: move reproduction to top of issue (#1264)
  * fix: update syftjson ID to match major schema version (#1274)
  * Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
  * chore: handle deprecated SPDX license: StandardML-NJ (#1266)

-------------------------------------------------------------------
Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de

- Update to version 0.59.0:
  * Fixes #1179 Deprecated SPDX license (#1263)
  * feat: add RelationshipsBySourceOwnership to syft json output (#1248)
  * fix: reset merged package into map; (#1258)
  * refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  * Update syft bootstrap tools to latest versions. (#1254)
  * Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  * Update syft bootstrap tools to latest versions. (#1244)
  * fix apkdb checksum representation (#1247)
  * feat: add identifiable field to source object (#1243)
  * feat: attest support for Singularity images (#1201)
  * Update syft bootstrap tools to latest versions. (#1239)
  * Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
  * fix: Follow symlinks when searching for globs in all-layers scope (#1221)
  * update requires to use list; remove field (#1234)

-------------------------------------------------------------------
Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de

- Update to version 0.58.0:
  * Add Conan (C/C++) conan.lock file support (#1230)
  * add sequence diagrams and flesh out TODO notes (#1233)
  * Do not fail if unable to parse `.rpm` file (#1232)
  * fix: support exclude patterns on Windows (#1228)
  * Update syft bootstrap tools to latest versions. (#1225)
  * Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
  * Update syft bootstrap tools to latest versions. (#1223)
  * Update syft bootstrap tools to latest versions. (#1220)

-------------------------------------------------------------------
Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de

- Update to version 0.57.0:
  * feat: catalog python files for installed-files.txt file metadata (#1217)
  * Stabilize SPDX JSON output sorting (#1216)
  * bug: remove chance for panic; provide default attestation path (#1214)
  * refactor: update Makefile organization; update DEVELOPING.md instructions (#1212)
  * refactor: replace ioutil=>io; update linter (#1211)
  * Update bootstrap tools to latest versions. (#1204)
  * Add gosimports (#1205)
  * refactor: move formats from internal into syft module (#1172)

-------------------------------------------------------------------
Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de

- Update to version 0.56.0:
  * warn on errors from RPM DB parsing (#1200)
  * docs: improve Singularity image source docs (#1190)
  * Add RPM file scanning support (#1188)
  * Normalize syft-json output (#1194)
  * Revert "External sources configuration (#1158)" (#1191)
  * Update syft bootstrap tools to latest versions. (#1186)
  * Fix RPM DB license handling (#1184)
  * Update syft bootstrap tools to latest versions. (#1182)

-------------------------------------------------------------------
Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de

- Update to version 0.55.0:
  * update stereoscope to latest (#1181)
  * Update syft bootstrap tools to latest versions. (#1180)
  * Bug fix for 1095 - syft conversion option error (#1177)
  * Update syft bootstrap tools to latest versions. (#1176)
  * enhance development support on macOS ARM (#1163)
  * Capture if a node module is private (#1161)
  * Find version numbers from jars with different naming conventions (#1174)
  * Update syft bootstrap tools to latest versions. (#1171)
  * Fix update-bootstrap-tools workflow (#1170)
  * workflow to create automated PRs to update bootstrap tools (#1167)
  * feat: add support for licenses in package-lock json v2 (#1164)
  * External sources configuration (#1158)
  * feat: add support for pnpm (#1166)
  * Prevent symlinks causing duplicate package-file relationships (#1168)

-------------------------------------------------------------------
Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de

- Update to version 0.54.0:
  * Associate node package licenses from node_modules (#1152)
  * Give the contributing guide a substantial rework (#1155)
  * fix: extract file ids correctly for spdx-json (#1156)
  * metadata decoding should be optional (#1154)
  * Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151)
  * Add modularitylabel metadata to RPM type records generated by syft (#1148)
  * Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149)
  * retraction for mispublished versions (#1147)
  * cataloger configuration is respected regardless of source (#1142)
  * Update README.md (#1146)
  * bump cosign to v1.10.1 (#1144)

-------------------------------------------------------------------
Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.4:
  * Update stereoscope to get rid of the replace directive (#1140)

-------------------------------------------------------------------
Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.3:
  * Correct squashfs import and fix incorrect bouncer configuration (#1138)

-------------------------------------------------------------------
Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.2:
  * Overwrite deprecated SPDX licenses automatically (#1009)
  * disable release for docker assets (#1137)

-------------------------------------------------------------------
Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.1:
  * improve docker release bootstrap (#1136)
  * Singularity Image Support (#974)

-------------------------------------------------------------------
Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.0:
  * remove docker login from keychain (#1135)
  * remove ENV checks from signing script (#1134)
  * remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133)
  * remove prefixed v from tag to match release (#1131)
  * rollback actions-setup-docker to earlier version (#1130)
  * Bump go-rustaudit to support rustaudit 0.2.0 (#1127)
  * bump bouncer to v0.4.0 (#1125)
  * Added ppc64le supported to the syft:debug image (#1124)
  * add a cataloger for binaries built with rust-audit (#1116)
  * bump goreleaser to v1.10.3 (#1123)
  * bump golangci-lint to v1.47.2 (#1122)
  * bump cosign in bootstrap-tools to v1.10.0 (#1121)
  * Added s390x support (#1117)
  * Delete pr_action.yaml (#1120)
  * fix: use generic instead of not generating purl (#1119)
  * bump cosign to v1.10.0 (#1114)

-------------------------------------------------------------------
Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de

- Update to version 0.52.0:
  * Update sigstore/rekor dependency (#1112)
  * Added ppc64le support (#1099)
  * patch-distroless-ghcr (#1110)
  * add distroless debug image to published release (#1106)
  * update help formatting (#1105)
  * feat: implement haskell support (#1096)
  * Add the -r argument for gnu xargs (#1103)
  * fix: -o output option to include formats (#1102)
  * moves go-rpmdb to latest; libc => v1.16.7 (#1098)

-------------------------------------------------------------------
Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.51.0:
  * feat: add support for cocoapods (Swift/Objective-C) (#1081)
  * Fix package url for Go modules with no / (#1092)
  * Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090)
  * feat: output attestation to file (#1087)
  * Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089)
  * Add portage support for Gentoo Linux (#1076)
  * Add PR action back to workflow with new token (#1086)

-------------------------------------------------------------------
Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de

- Update to version 0.50.0:
  * feat: add new login cmd (#1068)
  * update AltRpmDbGlob with comment and context (#1085)
  * feat: add support for conan packages (C/C++) (#1083)
  * add golang main module and pseudo-version (#916)
  * fix: add glob to filter list to ensure rpm metadata files are matched… (#1079)
  * remove pr automation until service account creation (#1080)
  * fix: purl generation for pom.xml (#1078)
  * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072)
  * fix: add new languages found in cpes (#1069)
  * fix: add php catalogers to all catalogers (#1065)
  * feat: add use-all-catalogers flag (#1050)

-------------------------------------------------------------------
Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de

- Update to version 0.49.0:
  * Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926)
  * remove OSS Meetup message (#1057)
  * add pom.xml cataloger (#1055)
  * Add support for CBL-Mariner distroless images (#1045)
  * Add catalogers configuration (#1038)
  * add template output (#1051)

-------------------------------------------------------------------
Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de

- Update to version 0.48.1:
  * update stereoscope to latest version (#1052)

-------------------------------------------------------------------
Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de

- Update to version 0.48.0:
  * update zip_read_closer to incorporate zip64 support (#1041)
  * Add pacman (alpm) parser support (#943)

-------------------------------------------------------------------
Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de

- Update to version 0.47.0:
  * Update of README.md (#1027)
  * bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025)
  * add workflows to test new project automation (#1023)
  * improve LanguageByName and add unit tests (#1034)
  * Read Description from dpkg status files (#996)
  * Add announcement for Anchore OSS Virtual Meetup (#1033)
  * add main module field to go bin metadata (#1026)
  * Add filters to package cataloger (#1021)
  * change draft to false for release process (#1016)
  * Support RPM distros with newer RPM db formats (#1018)
  * fix: add component list to prevent cyclone-dx panic (#1015)

-------------------------------------------------------------------
Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl

- first version of package syft at version 0.46.3