-------------------------------------------------------------------
Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de

- Update to version 0.94.0:
  * Label PRs when the json schema changes (#2240)
  * Add download location when cataloging directory npm package lock (#2238)
  * fix: allow packages to be captured from DIST/EGG case (#2239)
  * Account for maven bundle plugin and fix filename matching (#2220)
  * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236)
  * Remove internal string set (#2219)
  * bump clio to get stderr reporting fix (#2232)
  * Fix panic for empty input to Swift cataloger (#2226)
  * Add additional license filenames (#2227)
  * chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3 (#2229)
  * chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#2222)
  * chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2 (#2224)
  * Detect a license file in the root directory or META-INF of a jar (#2213)
  * Parse dotnet dependency trees (#2143)
  * chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#2214)
  * chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#2215)
  * chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#2216)
  * chore: add automated homebrew action (#2164)
  * Add relationships for dpkg packages (#2212)

-------------------------------------------------------------------
Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de

- Update to version 0.93.0:
  * Parse the Maven license from the pom.xml if not contained in the mani… (#2115)
  * Refine the docs for building a cataloger (#2175)
  * Fix algo lookup by converting key to lower case (#2207)
  * chore(deps): bump github/codeql-action from 2.22.0 to 2.22.1 (#2208)
  * feat: add package for go compiler given binary detection (#2195)
  * chore(deps): bump github.com/docker/distribution from 2.8.2+incompatible to 2.8.3+incompatible (#2193)
  * chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0 (#2202)
  * chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0 (#2204)
  * chore: update license list to 3.22 (#2201)
  * Add exact syntax of the conversion formats (#2196)
  * chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7 (#2198)
  * chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0 (#2199)
  * chore: removes unnecessary conditional (#2194)
  * chore: improve --output help text and deprecate --file (#2187)
  * chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0 (#2189)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#2191)
  * chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9 (#2182)
  * chore(deps): update bootstrap tools to latest versions (#2178)
  * chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6 (#2180)

-------------------------------------------------------------------
Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com

- Update to version 0.92.0:
  * bump deps to latest version
  * fix: deterministic java purls (#2170)
- Update to version 0.91.0:
  * fix: prevent errors from clobbering terminal (#2161)
  * Require ordering of relationships when comparing parser output (#2160)
  * Add containerd support (#1793)
  * feat: add dependency information to conan lockfile parser (#2131)
  * fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083)
  * feat: add cyclonedx schema version selection (#2123)
  * fix: allow cyclonedx json input with no components (#2127)
  * fix source-version typo in flag description (#2126)
- Update to version 0.90.0:
  * fix(help): power-user help text to indicate it supports file-system (#2113)
  * fix: update codeql-analysis for go 1.21 (#2108)
  * feat(cmd/update): add UA header with current ver when check for update (#2100)
  * fix(cdx): validate external refs before encoding (#2091)
  * fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075)

-------------------------------------------------------------------
Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de

- Update to version 0.89.0:
  * tidy gomod and gitignore (#2082)
  * fix quiet flag (#2081)
  * fix: in some cases, try to use pom info to guess name and version to top level jar (#2080)
  * fix: don't panic on universal go binaries (#2078)
  * chore: update CLI to CLIO (#2001)
  * Add registry certificate verification support (#1734)
  * fix: CPE generation for django (#2068)

-------------------------------------------------------------------
Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de

- Update to version 0.88.0:
  * chore: update quill to the latest version (#2065)
  * fix: duplicate entries in cyclonedx dependency list (#2063)
  * Fix panic in pom parsing (#2064)
  * Fix: don't validate pom declared group (#2054)
  * chore: trace log pom property reflect usage (#2059)
  * fix: do not double-prefix symlink paths that already contain volume names (#2051)
  * feat: add bash classifier (#2055)
  * Detect golang boring crypto and fipsonly modules (#2021)
  * fix: properly parse conan ref and include user and channel (#2034)
  * chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1 to 0.8.0 (#2053)
  * Enable reading non-utf-8 encodings for java pom.xml files (#2047)
  * feat: 1944 - update purl generation to use a consistent groupID (#2033)
  * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#2049)
  * chore(deps): update bootstrap tools to latest versions (#2048)
  * chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0 (#2045)
  * chore(deps): update CPE dictionary index (#2043)
  * fill out new version notice (#2042)

-------------------------------------------------------------------
Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de

- Update to version 0.87.1:
  * feat: use java package names to determine known groupids (#2032)
  * fix: inconsistent removal of binaries by overlap (#2036)
  * fix: CycloneDX relationships not output or decoded properly (#1974)
  * chore: restore cataloger.DefaultConfig (#2028)

-------------------------------------------------------------------
Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.87.0:
  * fix: read direct package files when decoding SPDX tag-value (#2014)
  * chore(deps): update bootstrap tools to latest versions (#2022)
  * chore(deps): update CPE dictionary index (#2025)
  * chore(deps): update bootstrap tools to latest versions (#2012)
  * chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0 (#2008)
  * 1948-filter-pkg-by-type (#2011)
  * chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0 (#2009)
  * fix: SPDX license values and download location (#2007)
  * 931: binary cataloger exclusion defaults for ownership by overlap (#1948)
  * chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0 (#2004)
  * chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0 (#1998)
  * test: add coverage for new rpmdb paths (#1999)
  * chore: improve spdx purl decoding (#1996)
  * fix: gradle lockfile parser groupId handling (#1995)
  * fix: update glob to use newer usr/lib/sysimage path (#1997)
  * fix: opkg search glob (#1994)
  * feat: nginx binary classifier (#1988)
  * Expand deb cataloger to include opkg (#1985)
  * chore(deps): update bootstrap tools to latest versions (#1991)
  * chore(deps): bump github.com/google/go-containerregistry (#1993)
  * chore: update bubbly to fix hanging (#1990)
  * chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0 (#1989)
  * feat: use originator logic to fill supplier (#1980)
  * add metadata types to all cpe test fixtures (#1982)

-------------------------------------------------------------------
Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de

- Update to version 0.86.1:
  * fix: default image source name to user input (#1979)

-------------------------------------------------------------------
Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de

- Update to version 0.86.0:
  * chore(deps): update stereoscope to d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975)
  * chore: update to latest commit in tools-golang (#1969)
  * Guess unpinned versions in python requirements.txt (#1966)
  * chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2 (#1965)
  * Fix panic condition on docker pull failure (#1968)
  * bump JSON schema to account for simplified python env markers (#1967)
  * feat: support top-level SPDX package and graph (#1934)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#1959)
  * Add cataloger for Swift Package Manager. (#1919)
  * chore(deps): update stereoscope to d515761c6ca2743a67d7d08053db69235ae76d1d (#1953)
  * chore(deps): bump github.com/docker/docker (#1955)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#1951)
  * Introduce indexed embedded CPE dictionary (#1897)
  * chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 (#1949)
  * Add support for parsing .NET assemblies (#1943)
  * docs: capture artifactory dev settings from 1895 (#1947)
  * remove build binary and add explicit git ignore
  * docs: update docs with new docker specific instructions (#1941)
  * remove jotframe UI (#1932)
  * fix: remove indirect dependency of circl v1.1.0 (#1940)
  * chore: move wait before iteration to guarantee read before tea (#1931)

-------------------------------------------------------------------
Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de

- Update to version 0.85.0:
  * implement ui handle waiter (#1930)
  * fix: background reader apart from global handler for testing (#1929)
  * chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0 (#1928)
  * fix: allow valid cyclonedx input with no components (#1873)
  * fix: "or-later" suffix updated to consider deprecated "+" operator (#1907)
  * feat: CLI flag for directory base (#1867)
  * Fix CPE gen for k8s python client (#1921)
  * chore: update iterations to protect against race (#1927)
  * chore(deps): update bootstrap tools to latest versions (#1922)
  * fix: Don't use the actual redis or grpc CPEs for gems (#1926)
  * fix(install): return with right error code (#1915)
  * Remove erroneous Java CPEs from generation (#1918)
  * chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0 (#1916)
  * Switch UI to bubbletea (#1888)
  * fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate the link (#1884)
  * add file source digest support (#1914)
  * chore(deps): update bootstrap tools to latest versions (#1908)
  * chore(deps): bump golang.org/x/mod from 0.11.0 to 0.12.0 (#1912)
  * chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (#1913)
  * doc(readme): add installation section with scoop (#1909)
  * Refactor source API (#1846)
  * chore(deps): update bootstrap tools to latest versions (#1905)

-------------------------------------------------------------------
Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de

- Update to version 0.84.1:
  * chore(deps): update stereoscope to cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903)
  * chore(deps): update bootstrap tools to latest versions (#1902)
  * fix: discover deb file relationships in distroless images (#1901)
  * add oss community board auto-add workflow (#1898)
  * chore(deps): update stereoscope to 8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890)
  * chore(deps): update bootstrap tools to latest versions (#1894)
  * fix: add support for Dart SDK package dependencies (#1891)
  * Simplify the SBOM writer interface (#1892)
  * fix: improve version detection in Java archive name parsing (#1889)
  * fix: only output valid cyclonedx license choices (#1879)
  * docs: clarify reasoning of default catalogers for images or directories (#1887)

-------------------------------------------------------------------
Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de

- Update to version 0.84.0:
  * Configure chronicle to pre-1.0 mode (#1886)
  * chore: update SPDX license list to 3.21 (#1885)
  * chore(deps): update bootstrap tools to latest versions (#1880)
  * Pad artifact IDs (#1882)
  * chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0 (#1878)

-------------------------------------------------------------------
Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de

- Update to version 0.83.1:
  * chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1 (#1874)
  * chore(deps): update stereoscope to 5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
  * chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0 (#1876)
  * fix: pom properties not setting artifact id (#1870)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to 0.5.2 (#1868)

-------------------------------------------------------------------
Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.83.0:
  * fix: handle invalid symlinks (#1861)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to 0.5.1 (#1850)
  * chore(deps): update bootstrap tools to latest versions (#1857)
  * Pr 1825 (#1865)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#1862)
  * chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0 (#1863)
  * feat: source-version flag (#1859)
  * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#1851)
  * accept main.version ldflags even without vcs (#1855)
  * feat: add scope to pom properties (#1779)
  * chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#1852)
  * chore(deps): bump github.com/docker/docker (#1849)
  * Add test to ensure package metadata is represented in the JSON schema (#1841)
  * Fix directory resolver to consider CWD and root path input correctly (#1840)
  * Migrate location-related structs to the file package (#1751)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#1843)

-------------------------------------------------------------------
Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de

- Update to version 0.82.0:
  * fix: add panic recovery for license parse (#1839)
  * chore: return both failures when failed to retrieve an image with a scheme (#1801)
  * Extract go module versions from ldflags for binaries built by go (#1832)
  * fix: duplicate packages, support pnpm lockfile v6 (#1778)
  * chore(deps): update stereoscope to e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
  * chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#1829)
  * chore(deps): bump github.com/docker/docker (#1833)

-------------------------------------------------------------------
Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.81.0:
  * Keep original FileInfo persisted on file.Metadata structs (#1794)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#1827)
  * chore(deps): bump github.com/google/go-containerregistry (#1823)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822)
  * chore(deps): bump github.com/docker/docker (#1824)
  * fix: update field plurality of 8.0.0 schema before release (#1820)
  * fix: update cataloger to check for expressions before split (#1819)
  * feat: update syft license concept to complex struct (#1743)
  * fix: cyclonedx depends-on relationship inverted (#1816)
  * fix: retain sbom cataloger relationships (#1509)
  * feat: warn if parsing newer SBOM (#1810)
  * feat: Add R cataloger (#1790)
  * update cosign to v2 release (different go module) (#1805)
  * fix: Reduce log spam on unknown relationship type (#1797)
  * chore(deps): update bootstrap tools to latest versions (#1807)
  * chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
  * chore(deps): bump github.com/docker/docker (#1795)
  * chore(deps): bump github.com/google/go-containerregistry (#1796)
  * chore(deps): update bootstrap tools to latest versions (#1792)
  * Print package list when extra packages found (#1791)
  * chore(deps): update bootstrap tools to latest versions (#1786)
  * chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)

-------------------------------------------------------------------
Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.80.0:
  * Update the CPE generation for spring-security-core (#1789)
  * chore: do not HTML escape PackageURLs (#1782)
  * chore: do not include kernel module cataloger by default (#1784)
  * chore(docs): Update lists of catalogers (#1780)
  * chore: add more detail on SPDX file IDs (#1769)
  * Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756)
  * chore(deps): bump github.com/docker/docker (#1767)
  * rename sbom.PackageCatalog to sbom.Packages (#1773)
  * chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)
  * Create python requirements metadata (#1759)
  * chore: update test redactor ordering (#1765)
  * rename pkg.Catalog to pkg.Collection (#1764)
  * chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0 (#1758)
  * chore: go-rpmdb update (#1757)
  * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
  * fix: Improve pnpm support (#1752)

-------------------------------------------------------------------
Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.79.0:
  * feat: Add template func `hasField` (#1754)
  * fix: only cache java packages and not source content (#1750)
  * Add sections of interest for Gemfile.lock cataloger (#1749)
  * fix: update cache.fingerprint file to java-builds dir (#1748)
  * Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
  * chore: bump stereoscope to latest version (#1741)
  * chore(deps): update bootstrap tools to latest versions (#1744)
  * chore(deps): bump github.com/docker/docker (#1746)

-------------------------------------------------------------------
Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de

- Update to version 0.78.0:
  * Create consul binary classifier (#1738)
  * chore(deps): update bootstrap tools to latest versions (#1740)
  * Fix kernel cataloger test fixtures (#1742)
  * feat: Support scanning license files in golang packages over the network (#1630)
  * Add package-to-file location evidence relationships (#1698)
  * Add Linux Kernel cataloger (#1694)
  * Add annotations for evidence on package locations (#1723)
  * add format make target (#1733)
  * Update tests to not fail on Mac M1's. (#1730)

-------------------------------------------------------------------
Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.77.0:
  * chore(deps): update bootstrap tools to latest versions (#1728)
  * Add support for nar files. (#1727)
  * add highlevel details about catalogers (#1726)
  * chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
  * chore(deps): update stereoscope to e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
  * feat: gradle lockfile support (#1719)
  * chore(deps): bump github.com/docker/docker (#1715)
  * chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
  * chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
  * chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#1716)
  * chore(deps): bump peter-evans/create-pull-request from 4 to 5 (#1712)

-------------------------------------------------------------------
Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de

- Update to version 0.76.1:
  * chore: update tools-golang to v0.5.0 (#1717)
  * Add Nix cataloger (#1696)
  * refactor spdx tooling test to reduce intermittent failures (#1707)
  * Capture file ownership relationships from portage ecosystem (#1702)
  * chore: update deprecated set-output calls (#1705)

-------------------------------------------------------------------
Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de

- Update to version 0.76.0:
  * feat: Add config option to allow user to select the default image source location
  * chore(deps): bump github.com/docker/docker (#1699)
  * chore(deps): update bootstrap tools to latest versions (#1697)
  * chore(deps): update stereoscope to d7551b7f46f53179922d6229709d3d1602881080 (#1693)
  * 1577 spdxlicense generate (#1691)
  * chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to 0.5.3 (#1692)
  * feat: scan local go mod cache for licenses of golang packages (#1645)
  * chore: fix flaky license sorting (#1690)
  * chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3 (#1689)
  * fix: shell completion by adding missing usage message required by spf13/cobra (#1688)
  * chore(deps): update bootstrap tools to latest versions (#1686)
  * chore: tweak some workflow text (#1685)
  * Remove more side effects from application config testing (#1684)
  * Deprecate config.yaml as valid config source; Add unit regression for correct config paths (#1640)
  * chore: Update syft bootstrap tools to latest versions. (#1682)
  * Update documentation: (#1680)
  * chore: Update Stereoscope to 7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
  * fix: reduce logging for bad dpkg lines (#1675)
  * fix ruby classifier (#1678)
  * feat: add shared dir for easier cleanup (#1676)
  * chore(deps): bump github.com/google/go-containerregistry (#1672)
  * chore(deps): bump actions/setup-go from 3 to 4 (#1671)
  * fix: move defer after error to protect panic case (#1670)
  * feat: add argocd, helm, kustomize and kubectl binary classifiers (#1663)
  * defer closing file (#1668)
  * fix: remove author contributing to javascript CPEs (#1669)

-------------------------------------------------------------------
Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de

- Update to version 0.75.0:
  * fix: more python matching support (#1667)
  * Update syft bootstrap tools to latest versions. (#1666)
  * feat: add ruby classifier (#1665)

-------------------------------------------------------------------
Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de

- Update to version 0.74.1:
  * Update syft bootstrap tools to latest versions. (#1658)
  * fix: improved Python binary detection (#1648)
  * fix: suppress some known incorrect vendor candidates for npm CPEs (#1659)
  * fix: sanitize SPDX LicenseRefs (#1657)
  * chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
  * chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
  * chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5 (#1654)
  * chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
  * fix: dotnet PURL types are invalid (#1649)
  * feat: disable cpe vendor wildcards to reduce false positives (#1647)
  * read relative etc/apk/repositories for alpine version when no OS provided (#1615)

-------------------------------------------------------------------
Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de

- Update to version 0.74.0:
  * fix: possible race condition (#1639)
  * fix: remove APK OriginPackage cpe candidates (#1637)
  * fix: rebar lock file decoding panic (#1628)
  * fix: handle individual cataloger panics (#1636)
  * fix: apk product/vendor generation for old metadata (#1635)
  * feat: rust toolchain binary cataloger (#1601)
  * feat: retain go package info when no module declared (#1632)
  * fix: improved CPE-generation for several more APK packages (#1631)
  * chore: update deprecated release flag (#1629)
  * chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
  * feat: add support for SUPPORT_END in /etc/os-release (#1612)
  * fix: further improvements to CPE generation for apk packages (#1623)
  * chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#1625)
  * chore(deps): bump actions/checkout from 2 to 3 (#1626)
  * feat: set cosign attest predicate type based on Syft output type (#1598)
  * chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4 (#1609)
  * fix: correct apk purls for other distros (#1620)
  * refactor: move apk upstream logic to apk metadata (#1619)
  * fix: decoding null apk metadata pullDependencies (#1614)
  * feat: haproxy binary matcher (#1591)
  * fix: determine upstream for apk version streams (#1610)
  * fix: improve CPE generation for curl APK (#1608)
  * Revert "add workaround for macos github actions cache issue (#1584)" (#1605)

-------------------------------------------------------------------
Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.73.0:
  * Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
  * chore: fix cataloger_test (#1603)
  * fix: merging of binary packages (#1583)
  * fix: issue when matching format versions (#1585)
  * chore: update syft bootstrap tools to latest versions. (#1593)
  * feat: add perl binary classifier (#1592)
  * Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
  * Update SPDX license list to 3.20 (#1600)
  * chore: update SPDX license list (#1599)
  * fix cataloger selection to be more specific (#1582)
  * add workaround for macos github actions cache issue (#1584)

-------------------------------------------------------------------
Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de

- Update to version 0.72.0:
  * Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
  * chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
  * chore: update bug issue template (#1571)
  * allow convert to take stdin (#1570)
  * fix: improve CPE and upstream generation logic for Alpine packages (#1567)
  * fix: missing APK node vulnerabilities (#1565)
  * fix: python CPE generation for alpine (#1564)
  * chore(deps): bump github.com/docker/docker (#1563)

-------------------------------------------------------------------
Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.71.0:
  * switch from trigger-release target to release target (#1560)
  * Speed up cataloging by replacing globs searching with index lookups (#1510)
  * Update syft bootstrap tools to latest versions. (#1549)
  * Fix installed versions (#1556)
  * chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
  * feat: add postgresql classifier (#1536)
  * Add release trigger (#1501)
  * chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
  * chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
  * fix: add support for licenses not found on list (#1540)
  * Update syft bootstrap tools to latest versions. (#1541)
  * feat: Allow specific versions of formats to be specified (#1543)
  * Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
  * source: when base is set, responsePath should be absolute (#1542)

-------------------------------------------------------------------
Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.70.0:
  * fix: update config struct to not decode password/key (#1538)
  * Update syft bootstrap tools to latest versions. (#1537)
  * feat: add traefik classifier (#1504)
  * fix: don't hardcode Cosign attest type (#1533)
  * chore(deps): bump github.com/docker/docker (#1531)
  * Update syft bootstrap tools to latest versions. (#1530)

-------------------------------------------------------------------
Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de

- Update to version 0.69.1:
  * chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
  * feat: update golang to 1.19 (#1526)
  * Update syft bootstrap tools to latest versions. (#1525)

-------------------------------------------------------------------
Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de

- Update to version 0.69.0:
  * Allow scanning unpacked container filesystems (#1485)
  * fix: allow template for syft convert (#1521)
  * 1465 attestation with private key (#1502)

-------------------------------------------------------------------
Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.68.1:
  * fix: add relevant CPEs to python and busybox classifiers (#1517)
  * Update syft bootstrap tools to latest versions. (#1515)
  * chore: correct bootstrap tool script (#1514)
  * chore(deps): bump github.com/google/go-containerregistry (#1513)
  * Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
  * chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
  * chore(deps): bump github.com/docker/docker (#1506)
  * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
  * chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
  * Bump github.com/spdx/tools-golang to v0.4.0 (#1450)

-------------------------------------------------------------------
Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de

- Update to version 0.68.0:
  * Fix panic in apkdb parsing on empty "provides" values (#1494)
  * push detailed log statements to trace-level (#1500)
  * npm: package-lock license decoding to accept string or array (#1482)
  * always set the package ID for java packages (#1493)
  * fix: skip filling in empty fields in APK metadata (#1484)
  * chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
  * chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
  * chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
  * chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
  * chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
  * Relax error conditions for catalogers (#1492)
  * feat: add memcached classifier (#1486)
  * chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
  * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
  * chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
  * chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
  * chore(deps): bump github.com/google/go-containerregistry (#1487)
  * chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
  * chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
  * chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
  * chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
  * chore(deps): bump github/codeql-action from 1 to 2 (#1473)
  * chore(deps): bump actions/setup-go from 2 to 3 (#1472)
  * Add dependabot (#1451)
- skip non-existent release 0.67.x

-------------------------------------------------------------------
Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.2:
  * chore: use checkout v3 with new depth (#1471)
  * chore: use checkout v2 for tag depth (#1470)
  * fix: nil panic in graalvm cataloger (#1468)
  * add linter for type assertion checks (#1469)
  * fix: bump golang.org/x/net to v0.4.0 (#1467)
  * fix: bump golang.org/x/text to v0.3.8 (#1466)
  * bootstrap within composite action (#1461)
  * chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
  * README: update Nix installation instructions (#1455)

-------------------------------------------------------------------
Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.1:
  * fix: update graalvm cataloger to fix panic (#1454)
  * chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)

-------------------------------------------------------------------
Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.0:
  * feat: Add the origin field to the output format of syftjson (#1327)
  * chore: update schema (#1449)
  * feat: prefer known CPE vendors over other candidates (#1294)
  * fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
  * feat: add BeamVM Hex support (#1073)
  * feat: add apache httpd binary classifier (#1448)
  * chore: claim artifacthub package ownership from developer-guy (#881)
  * Parallel package catalog processing (#1355)
  * feat: Add php binary catalogers (#1444)
  * Update syft bootstrap tools to latest versions. (#1443)
  * fix: duplicate file in tar archive causes read to fail (#1445)
  * Add support for GraalVM Native Image executables. (#1276)
  * Add redis binary classifier (#1438)
  * docs: add cataloger construction summary (#1434)
  * chore: update bootstrap tools to latest versions. (#1428)
  * Add alpine type to purl (#1431)

-------------------------------------------------------------------
Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de

- Update to version 0.65.0:
  * adding purl types for binary classifiers (#1435)
  * chore: refactor basic CPE functionality to its own package (#1436)
  * fix: typo in os.Getwd error message (#1433)
  * fix: additional excessive go binary warnings (#1432)
  * docs: migrate to homebrew-core (#1427)

-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.64.0:
  * fix: unicode output in cyclonedx-json format (#1420)
  * fix: excessive go binary warnings (#1424)
  * feat: update spdx format model to produce valid spdx json documents (#1418)
  * clean package names in python parsers (#1417)
  * docs: update schema name to 2.3 (#1416)
  * feat: add h1digest when scanning go.mod (#1405)
  * feat: Add license parsing for java (#1385)
  * fix: cyclonedx component type for binaries (#1406)
  * fix: openjdk detection pattern (#1415)
  * bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
  * Add NetBSD support. (#1412)

-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de

- Update to version 0.63.0:
  * feat: add catalog delete (#1377)
  * docs: remove file classifier (#1397)
  * chore: update latest cyclonedx library (#1390)
  * feat: Add Java binary catalogers (#1392)
  * chore: Update SPDX license list to 3.19 (#1389)
  * fix: add manual vendor/product removal to fix false flags (#1070)
  * Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
  * chore: fix test busybox image sha (#1393)
  * fix: go version not properly identified in binary (#1384)

-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.3:
  * Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
  * fix: Update node binary package name (#1375)
  * feat: Generic Binary Cataloger (#1336)
  * recover from bad parsing of golang binary (#1371)
  * Fix parsing of apk databases with large entries (#1365)
  * Update syft bootstrap tools to latest versions. (#1369)

-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.2:
  * fix: guard for locations < 1 in alpmdb parse (#1366)
  * fix: remove cabal.project.freeze panic on last pkg (#1363)
  * fix: requirements.txt - return unicode only letter/num for version (#1361)
  * Update syft bootstrap tools to latest versions. (#1356)

-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.1:
  * fix: sort relationships in SPDX output (#1350)
  * chore: add debug logging for decode errors (#1352)
  * feat(npm): handle aliases in package-lock.json (#1349)

-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.0:
  * fix: spdx java checksum correctness (#1348)
  * feat: Add support for npm lockfile version 3 (#1206)

-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de

- Update to version 0.61.0:
  * 1111 clean name bug (#1347)
  * Add spdx relationship encoding for dependencies (#1342)
  * feat: SPDX 2.3 support (#1311)
  * SBOM cataloger (#1029)
  * chore: clean up linting configuration (#1343)
  * fix: Unmarshal Syft JSON with missing metadata (#1338)
  * fix apk decode for older data shapes (#1341)
  * chore: add unit test for wolfi os release identification (#1340)
  * fix: Output only valid CPEs for CycloneDX OS components (#1339)
  * feat: Add `--name` option to override name in output (#1269)
  * Add support for dependency relationships for alpine (apk) (#1063)
  * normalize alpm md5 refs (#1333)
  * Update java generic cataloger (#1329)
  * Support encoding map types to CycloneDX properties (#1332)
  * Update swift cataloger to generic cataloger (#1324)
  * port rust cataloger to new generic cataloger pattern (#1323)
  * port ruby cataloger to new generic cataloger pattern (#1322)
  * port rpm cataloger to new generic cataloger pattern (#1321)
  * port python cataloger to new generic cataloger pattern (#1319)
  * Update portage cataloger to new generic cataloger (#1316)
  * port php cataloger to new generic cataloger pattern (#1315)

-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.3:
  * javascript
cataloger: node binary: nil pointer dereference (#1313) * Fix: Include version information in binary cataloger CPEs (#1310) * fix: only generate PURL on empty string (#1312) * add s3 credentials to release (#1309) * port javascript cataloger to new generic cataloger pattern (#1308) ------------------------------------------------------------------- Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de - Update to version 0.60.2: * chore: update goreleaser brew token (#1306) * fix: Decode binary and unknown metadata (#1307) ------------------------------------------------------------------- Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de - Update to version 0.60.1: * chore: update github token permissions for goreleaser (#1305) ------------------------------------------------------------------- Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de - Update to version 0.60.0: * fix: update ci secret to use new password (#1304) * fix: update secret value to use new cert cahin (#1303) * fix: verbose quill release failures (#1302) * fix: unterminated quoted string (#1300) * fix: update Makefile to remove old signing arch (#1299) * feat: add nodejs-binary package classifier (#1296) * update go-rpmdb to improve parsing of installed files (#1297) * docs: update attestation directions with new cosign changes * fix: Continue parsing Python RECORD files when bad lines encountered (#1295) * Fix #1245 Update SPDX license list to 3.18 (#1259) * fix: Resolve Maven POM expressions (#1251) (#1278) * port haskell cataloger to new generic cataloger pattern (#1290) * port golang cataloger to new generic cataloger pattern (#1289) * port deb/dpkg cataloger to new generic cataloger pattern (#1288) * update cataloger tests to use pkgtest utils (#1287) * port dotnet cataloger to new generic cataloger pattern (#1286) * port dart cataloger to new generic cataloger pattern (#1285) * port conan cataloger to new generic cataloger pattern (#1284) * port apk cataloger to new generic cataloger 
pattern (#1283) * replace signing tooling with quill (#1280) * Upgrade generic cataloger (#1281) * Update syft bootstrap tools to latest versions. (#1282) * replace logger interface with anchore/go-logger (#1279) * Update syft bootstrap tools to latest versions. (#1267) * Add go binary h1 digest to SPDX (#1265) * fix: move reproduction to top of issue (#1264) * fix: update syftjson ID to match major schema version (#1274) * Use in-toto CycloneDX predicate to be compatible with cosign (#1270) * chore: handle deprecated SPDX license: StandardML-NJ (#1266) ------------------------------------------------------------------- Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de - Update to version 0.59.0: * Fixes #1179 Deprecated SPDX license (#1263) * feat: add RelationshipsBySourceOwnership to syft json output (#1248) * fix: reset merged package into map; (#1258) * refactor: Remove experimental Anchore Enterprise upload functionality (#1257) * Update syft bootstrap tools to latest versions. (#1254) * Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253) * Update syft bootstrap tools to latest versions. (#1244) * fix apkdb checksum representation (#1247) * feat: add identifiable field to source object (#1243) * feat: attest support for Singularity images (#1201) * Update syft bootstrap tools to latest versions. (#1239) * Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240) * fix: Follow symlinks when searching for globs in all-layers scope (#1221) * update requires to use list; remove field (#1234) ------------------------------------------------------------------- Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de - Update to version 0.58.0: * Add Conan (C/C++) conan.lock file support (#1230) * add sequence diagrams and flesh out TODO notes (#1233) * Do not fail if unable to parse `.rpm` file (#1232) * fix: support exclude patterns on Windows (#1228) * Update syft bootstrap tools to latest versions. 
(#1225) * Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224) * Update syft bootstrap tools to latest versions. (#1223) * Update syft bootstrap tools to latest versions. (#1220) ------------------------------------------------------------------- Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de - Update to version 0.57.0: * feat: catalog python files for installed-files.txt file metadata (#1217) * Stabilize SPDX JSON output sorting (#1216) * bug: remove chance for panic; provide default attestation path (#1214) * refactor: update Makefile organization; update DEVELOPING.md instructions (#1212) * refactor: replace ioutil=>io; update linter (#1211) * Update bootstrap tools to latest versions. (#1204) * Add gosimports (#1205) * refactor: move formats from internal into syft module (#1172) ------------------------------------------------------------------- Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de - Update to version 0.56.0: * warn on errors from RPM DB parsing (#1200) * docs: improve Singularity image source docs (#1190) * Add RPM file scanning support (#1188) * Normalize syft-json output (#1194) * Revert "External sources configuration (#1158)" (#1191) * Update syft bootstrap tools to latest versions. (#1186) * Fix RPM DB license handling (#1184) * Update syft bootstrap tools to latest versions. (#1182) ------------------------------------------------------------------- Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de - Update to version 0.55.0: * update stereoscope to latest (#1181) * Update syft bootstrap tools to latest versions. (#1180) * Bug fix for 1095 - syft conversion option error (#1177) * Update syft bootstrap tools to latest versions. (#1176) * enhance development support on macOS ARM (#1163) * Capture if a node module is private (#1161) * Find version numbers from jars with different naming conventions (#1174) * Update syft bootstrap tools to latest versions. 
(#1171) * Fix update-bootstrap-tools workflow (#1170) * workflow to create automated PRs to update bootstrap tools (#1167) * feat: add support for licenses in package-lock json v2 (#1164) * External sources configuration (#1158) * feat: add support for pnpm (#1166) * Prevent symlinks causing duplicate package-file relationships (#1168) ------------------------------------------------------------------- Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de - Update to version 0.54.0: * Associate node package licenses from node_modules (#1152) * Give the contributing guide a substantial rework (#1155) * fix: extract file ids correctly for spdx-json (#1156) * metadata decoding should be optional (#1154) * Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151) * Add modularitylabel metadata to RPM type records generated by syft (#1148) * Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149) * retraction for mispublished versions (#1147) * cataloger configuration is respected regardless of source (#1142) * Update README.md (#1146) * bump cosign to v1.10.1 (#1144) ------------------------------------------------------------------- Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de - Update to version 0.53.4: * Update stereoscope to get rid of the replace directive (#1140) ------------------------------------------------------------------- Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de - Update to version 0.53.3: * Correct squashfs import and fix incorrect bouncer configuration (#1138) ------------------------------------------------------------------- Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de - Update to version 0.53.2: * Overwrite deprecated SPDX licenses automatically (#1009) * disable release for docker assets (#1137) ------------------------------------------------------------------- Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de - Update to version 0.53.1: * improve docker release bootstrap (#1136) * Singularity Image 
Support (#974) ------------------------------------------------------------------- Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de - Update to version 0.53.0: * remove docker login from keychain (#1135) * remove ENV checks from siging script (#1134) * remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133) * remove prefixed v from tag to match release (#1131) * rollback actions-setup-docker to earlier version (#1130) * Bump go-rustaudit to support rustaudit 0.2.0 (#1127) * bump bouncer to v0.4.0 (#1125) * Added ppc64le supported to the syft:debug image (#1124) * add a cataloger for binaries built with rust-audit (#1116) * bump goreleaser to v1.10.3 (#1123) * bump golangci-lint to v1.47.2 (#1122) * bump cosign in bootstrap-tools to v1.10.0 (#1121) * Added s390x support (#1117) * Delete pr_action.yaml (#1120) * fix: use generic instead of not generating purl (#1119) * bump cosign to v1.10.0 (#1114) ------------------------------------------------------------------- Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de - Update to version 0.52.0: * Update sigstore/rekor dependency (#1112) * Added ppc64le support (#1099) * patch-distroless-ghcr (#1110) * add distroless debug image to published release (#1106) * update help formatting (#1105) * feat: implement haskell support (#1096) * Add the -r argument for gnu xargs (#1103) * fix: -o output option to include formats (#1102) * moves go-rpmdb to latest; libc => v1.16.7 (#1098) ------------------------------------------------------------------- Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de - Update to version 0.51.0: * feat: add support for cocoapods (Swift/Objective-C) (#1081) * Fix package url for Go modules with no / (#1092) * Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090) * feat: output attestation to file (#1087) * Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089) * Add portage support for Gentoo Linux (#1076) * Add PR action 
back to workflow with new token (#1086) ------------------------------------------------------------------- Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de - Update to version 0.50.0: * feat: add new login cmd (#1068) * update AltRpmDbGlob with comment and context (#1085) * feat: add support for conan packages (C/C++) (#1083) * add golang main module and pseudo-version (#916) * fix: add glob to filter list to ensure rpm metadata files are matched… (#1079) * remove pr automation until service account creation (#1080) * fix: purl generation for pom.xml (#1078) * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072) * fix: add new languages found in cpes (#1069) * fix: add php catalogers to all catalogers (#1065) * feat: add use-all-catalogers flag (#1050) ------------------------------------------------------------------- Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de - Update to version 0.49.0: * Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926) * remove OSS Meetup message (#1057) * add pom.xml cataloger (#1055) * Add support for CBL-Mariner distroless images (#1045) * Add catalogers configuration (#1038) * add template output (#1051) ------------------------------------------------------------------- Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de - Update to version 0.48.1: * update stereoscope to latest version (#1052) ------------------------------------------------------------------- Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de - Update to version 0.48.0: * update zip_read_closer to incorporate zip64 support (#1041) * Add pacman (alpm) parser support (#943) ------------------------------------------------------------------- Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de - Update to version 0.47.0: * Update of README.md (#1027) * bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025) * add workflows to test new project automation (#1023) * improve 
LanguageByName and add unit tests (#1034) * Read Description from dpkg status files (#996) * Add announcement for Anchore OSS Virtual Meetup (#1033) * add main module field to go bin metadata (#1026) * Add filters to package cataloger (#1021) * change draft to false for release process (#1016) * Support RPM distros with newer RPM db formats (#1018) * fix: add component list to prevent cyclone-dx panic (#1015) ------------------------------------------------------------------- Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl - first version of package syft at version 0.46.3