-------------------------------------------------------------------
Sat Jan 06 15:26:12 UTC 2024 - andrea.manzini@suse.com
- Update to version 0.100.0:
* Add ability to extend the binaries cataloguers (#2469)
* chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2
(#2464)
* fix: add missing purl for busybox (#2457)
* Fix diff error obfuscating binary test failures message (#2468)
* Replace `packages` command with `scan` (#2446)
* fix: PURLs with "nuget" type are dotnet packages (#2466)
* chore(deps): update tools to latest versions (#2459)
* chore(deps): update CPE dictionary index (#2458)
* chore: update binary to -x (#2456)
* Add more functionality to the ErLang parser (#2390)
* Added OpenSSL binary matcher (#2416)
* chore(deps): update stereoscope to
590920dabc5479216e755983d41367b6be3544f3 (#2452)
* chore(deps): update tools to latest versions (#2451)
* chore(deps): bump github/codeql-action from 3.22.11 to 3.22.12
(#2455)
-------------------------------------------------------------------
Thu Dec 21 16:26:53 UTC 2023 - opensuse_buildservice@ojkastl.de
- Update to version 0.99.0:
* chore: remove execute from test fixtures (#2450)
* chore(deps): update tools to latest versions (#2447)
* fix: don't panic when hackage missing in haskell stack yaml
lock (#2448)
* Add binary classifier for the ERLang interpretter (#2417)
* Add binary classifier for Julia lang (#2427)
* Add binary detection for PHP composer (#2432)
* chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0
(#2433)
* chore(deps): update CPE dictionary index (#2442)
* chore(deps): update stereoscope to
4b999b76ca8901d15bb97aef445dc94c38d11d5c (#2440)
* fix syft-json test to use pretty json for snapshot testing
(#2441)
* refactor pkg.Collection (#2439)
* refactor javascript cataloger to use configuration options when
creating packages (#2438)
* use single source of truth for archive options (#2437)
* fix file digest cataloger when passed coordinates (#2436)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2
to 0.8.0 (#2413)
* Look for a maven version in a pom from a parent dependency
management section (#2423)
* Parse Python licenses from LicenseExpression entry in the Wheel
Metadata (#2431)
* chore(deps): bump github/codeql-action from 2.22.10 to 3.22.11
(#2430)
* chore(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0
(#2429)
* chore(deps): update tools to latest versions (#2428)
* Parse Python licenses from LicenseFile entry in the Wheel
Metadata (#2331)
* fix: use filepath instead of path for file source exclusions
(#2411)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2424)
* chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0
(#2425)
* chore(deps): bump github/codeql-action from 2.22.9 to 2.22.10
(#2426)
* chore(deps): bump dawidd6/action-homebrew-bump-formula (#2420)
* feat: add the option to retrieve remote licenses for projects
defined in a maven pom (#2409)
* chore(deps): bump github/codeql-action from 2.22.8 to 2.22.9
(#2400)
* chore(deps): bump github.com/saferwall/pe from 1.4.7 to 1.4.8
(#2415)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to
5.11.0 (#2414)
* chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#2401)
* chore(deps): update tools to latest versions (#2408)
* chore(deps): update CPE dictionary index (#2412)
* fix(java): improve identification for org.codehaus.groovy
artifacts (#2404)
* fix(java): improve identification for commons-jelly artifacts
(#2399)
* fix(java): improve identification for io.minio artifacts
(#2398)
* fix(java): improve identification for com.graphql-java
artifacts (#2397)
* chore(deps): update tools to latest versions (#2395)
* chore: enhance java purl generation integration test (#2393)
* feat: add ability to retrieve remote licenses for yarn.lock
(#2338)
* chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1
(#2392)
* Retrieve remote licenses using pom.properties when there is no
pom.xml (#2315)
* fix(java): improve identification for org.apache.tapestry
artifacts (#2384)
* fix(java): improve identification for io.ratpack artifacts
(#2379)
* fix(java): improve identification for org.apache.cassandra
artifacts (#2386)
* fix(java): improve identification for org.neo4j.procedure
artifacts (#2388)
* fix: bump fangs for ptr summarize fix (#2387)
* fix(java): improve identification for org.elasticsearch
artifacts (#2383)
* fix(java): improve identification for org.apache.geode
artifacts (#2382)
* fix(java): improve identification for org.apache.tomcat.embed
artifacts (#2381)
* fix(java): improve identification for io.projectreactor.netty
artifacts (#2378)
* fix(java): improve identification for org.eclipse.platform
artifacts (#2349)
* Generalize UI events for cataloging tasks (#2369)
* chore(deps): update tools to latest versions (#2376)
* chore(deps): bump github.com/google/go-containerregistry
(#2377)
* chore: fix tests failing due to Mac Rosetta cache (#2374)
* fix: improve dotnet portable executable identification (#2133)
-------------------------------------------------------------------
Thu Nov 30 08:14:13 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.98.0:
* fix file metadata cataloger to use resolved locations (#2370)
* fix: logging level for parsing potential PE files (#2367)
* only remove breaking-change label when there are schema changes (#2371)
* fix: capture root command stdout (#2364)
* fix: hardcode xalan group ID (#2368)
* Normalize cataloger configuration patterns (#2365)
* normalize enums to lowercase with hyphens (#2363)
* bump deps version
* fix: index file itself when file scan path has symlink (#2359)
* use read lock in pkg collection (#2341)
* Fix the `attest` command (#2337)
* fix: add manual namespace mapping for org.springframework jars (#2345)
* Add binary classifiers for MySQL and MariaDB (#2316)
* Enhance redis binary classifier (#2329)
* fix: add manual namespace mapping for org.springframework.security jars (#2343)
* fix: add manual namespace mapping for org.bouncycastle jars (#2342)
* Update developer docs to represent the current package layout (#2340)
* Remove the power-user command and related catalogers (#2306)
* Add "pretty" json configuration and change default behavior to be space-efficient (#2275)
-------------------------------------------------------------------
Sat Nov 18 08:51:36 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.1:
* chore(deps): update stereoscope to
3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336)
* feat: allow for stdout to be buffered on each command (#2335)
-------------------------------------------------------------------
Fri Nov 17 05:46:54 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.0:
* fix: prevent writing non-report output to stdout (#2324)
* chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7
(#2332)
* export metadata type helper (#2328)
* fix(java): add manual groupid mappings for org.apache.velocity
jars (#2327)
* fix(java): skip maven bundle plugin logic if vendor id and
symbolic name match (#2326)
* Refine license searching from groupIDFromJavaMetadata to allow
for having the artfactId in the groupId (#2313)
* chore(deps): update tools to latest versions (#2325)
* chore(deps): update tools to latest versions (#2318)
* Add license for golang stdlib (#2317)
* chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6
(#2321)
* docs: Update README.md for dotnet-portable-executable (#2322)
* Fall back to searching maven central using
groupIDFromJavaMetadata (#2295)
* rename file.Location.VirtualPath to AccessPath (#2288)
* chore(deps): update tools to latest versions (#2308)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11
to 0.4.12 (#2310)
* chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0
(#2311)
-------------------------------------------------------------------
Thu Nov 09 14:48:04 UTC 2023 - kastl@b1-systems.de
- Update to version 0.96.0:
* include image labels in cycloneDX SBOM (#2294)
* Add accessPath on Location objects to syft-json output (#2287)
* SPDX file has duplicate sha256 tag in versionInfo (#2300)
* Check maven central as well for licenses in parents poms for
nested jars (#2302)
* chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0
(#2293)
* chore(deps): update tools to latest versions (#2301)
* fix: identify cyclone-json without $schema (#2303)
-------------------------------------------------------------------
Tue Nov 07 20:40:41 UTC 2023 - kastl@b1-systems.de
- Update to version 0.95.0:
* chore: setup release task before calling go releaser (#2297)
* chore(deps): update tools to latest versions (#2296)
* chore(deps): update tools to latest versions (#2289)
* chore(deps): update CPE dictionary index (#2290)
* chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0
(#2292)
* Wire though maven-url to java config (#2291)
* Use case-insensitive matching for Go license files (#2286)
* Add a new Java configuration option to recursively search
parent poms… (#2274)
* chore(deps): update tools to latest versions (#2280)
* Follow convention for naming catalogers (#2277)
* change dir resolver to include virtual path (#2259)
* fix: syft does not handle the case of parsing a jar with
multiple poms (#2231)
* add PURLs when scanning Gradle lock files (#2278)
* chore(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0
(#2279)
* test: remove dll files and updates tests to use
versionResources (#2276)
* fix: update dot net binary parsing logic to remove empty space
(#2273)
* Read a license from a parent pom stored in Maven Central
(#2228)
* Update README.md to use canonical output format names (fixes
#2269) (#2272)
* Remove MetadataType from core package object and normalize JSON
metadataType values (#1983)
* chore(deps): bump github.com/docker/docker (#2263)
* chore(deps): update stereoscope to
5909e353ee88d7809f0e646c79f110a0e6b1d80d (#2265)
* chore(deps): update CPE dictionary index (#2271)
* chore: fix cpe generation task (#2270)
* chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0
(#2262)
* chore(deps): bump github/codeql-action from 2.22.4 to 2.22.5
(#2261)
* chore(deps): update tools to latest versions (#2258)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to
5.10.0 (#2256)
* feat: Perform case insensitive matching on Java license files
(#2235)
* Split the sbom.Format interface by encode and decode use cases
(#2186)
* Upgrade tool management (#2188)
* fix: 2179 jar chokes empty lines (#2254)
* chore(deps): update CPE dictionary index (#2253)
* fix CPE workflow (#2252)
* feat: add conaninfo.txt parser to detect conan packages in
docker images (#2234)
* chore(deps): update bootstrap tools to latest versions (#2245)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.0
to 4.6.1 (#2248)
* chore(deps): bump github/codeql-action from 2.22.3 to 2.22.4
(#2249)
* fill version info from release and git directly (#2244)
* Add ruby.NewGemSpecCataloger to DirectoryCatalogers. (#1971)
* change homebrew release trigger (#2242)
-------------------------------------------------------------------
Fri Nov 3 09:12:53 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.21
-------------------------------------------------------------------
Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de
- Update to version 0.94.0:
* Label PRs when the json schema changes (#2240)
* Add download location when cataloging directory npm package
lock (#2238)
* fix: allow packages to be captured from DIST/EGG case (#2239)
* Account for maven bundle plugin and fix filename matching
(#2220)
* chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236)
* Remove internal string set (#2219)
* bump clio to get stderr reporting fix (#2232)
* Fix panic for empty input to Swift cataloger (#2226)
* Add additional license filenames (#2227)
* chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3
(#2229)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0
to 0.9.1 (#2222)
* chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2
(#2224)
* Detect a license file in the root directory or META-INF of a
jar (#2213)
* Parse donet dependency trees (#2143)
* chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0
(#2214)
* chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
(#2215)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0
to 0.9.0 (#2216)
* chore: add automated homebrew action (#2164)
* Add relationships for dpkg packages (#2212)
-------------------------------------------------------------------
Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de
- Update to version 0.93.0:
* Parse the Maven license from the pom.xml if not contained in
the mani… (#2115)
* Refine the docs for building a cataloger (#2175)
* Fix algo lookup by converting key to lower case (#2207)
* chore(deps): bump github/codeql-action from 2.22.0 to 2.22.1
(#2208)
* feat: add package for go compiler given binary detection
(#2195)
* chore(deps): bump github.com/docker/distribution from
2.8.2+incompatible to 2.8.3+incompatible (#2193)
* chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0
(#2202)
* chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
(#2204)
* chore: update license list to 3.22 (#2201)
* Add exact syntax of the conversion formats (#2196)
* chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7
(#2198)
* chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0
(#2199)
* chore: removes unnecessary conditional (#2194)
* chore: improve --output help text and deprecate --file (#2187)
* chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0
(#2189)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10
to 0.4.11 (#2191)
* chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9
(#2182)
* chore(deps): update bootstrap tools to latest versions (#2178)
* chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6
(#2180)
-------------------------------------------------------------------
Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.92.0:
* bump deps to latest version
* fix: deterministic java purls (#2170)
- Update to version 0.91.0:
* fix: prevent errors from clobbering terminal (#2161)
* Require ordering of relationships when comparing parser output (#2160)
* Add containerd support (#1793)
* feat: add dependency information to conan lockfile parser (#2131)
* fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083)
* feat: add cyclonedx schema version selection (#2123)
* fix: allow cyclonedx json input with no components (#2127)
* fix source-version typo in flag description (#2126)
- Update to version 0.90.0:
* fix(help): power-user help text to indicate it supports file-system (#2113)
* fix: update codeql-analysis for go 1.21 (#2108)
* feat(cmd/update): add UA header with current ver when check for update (#2100)
* fix(cdx): validate external refs before encoding (#2091)
* fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075)
-------------------------------------------------------------------
Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.89.0:
* tidy gomod and gitignore (#2082)
* fix quiet flag (#2081)
* fix: in some cases, try to use pom info to guess name and
version to top level jar (#2080)
* fix: don't panic on universal go binaries (#2078)
* chore: update CLI to CLIO (#2001)
* Add registry certificate verification support (#1734)
* fix: CPE generation for django (#2068)
-------------------------------------------------------------------
Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de
- Update to version 0.88.0:
* chore: update quill to the latest version (#2065)
* fix: duplicate entries in cyclonedx dependency list (#2063)
* Fix panic in pom parsing (#2064)
* Fix: don't validate pom declared group (#2054)
* chore: trace log pom property reflect usage (#2059)
* fix: do not double-prefix symlink paths that already contain
volume names (#2051)
* feat: add bash classifier (#2055)
* Detect golang boring crypto and fipsonly modules (#2021)
* fix: properly parse conan ref and include user and channel
(#2034)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1
to 0.8.0 (#2053)
* Enable reading non-utf-8 encodings for java pom.xml files
(#2047)
* feat: 1944 - update purl generation to use a consistent groupID
(#2033)
* chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1
(#2049)
* chore(deps): update bootstrap tools to latest versions (#2048)
* chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0
(#2045)
* chore(deps): update CPE dictionary index (#2043)
* fill out new version notice (#2042)
-------------------------------------------------------------------
Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.1:
* feat: use java package names to determine known groupids
(#2032)
* fix: inconsistent removal of binaries by overlap (#2036)
* fix: CycloneDX relationships not output or decoded properly
(#1974)
* chore: restore cataloger.DefaultConfig (#2028)
-------------------------------------------------------------------
Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.0:
* fix: read direct package files when decoding SPDX tag-value
(#2014)
* chore(deps): update bootstrap tools to latest versions (#2022)
* chore(deps): update CPE dictionary index (#2025)
* chore(deps): update bootstrap tools to latest versions (#2012)
* chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
(#2008)
* 1948-filter-pkg-by-type (#2011)
* chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0
(#2009)
* fix: SPDX license values and download location (#2007)
* 931: binary cataloger exclusion defaults for ownership by
overlap (#1948)
* chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
(#2004)
* chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0
(#1998)
* test: add coverage for new rpmdb paths (#1999)
* chore: improve spdx purl decoding (#1996)
* fix: gradle lockfile parser groupId handling (#1995)
* fix: update glob to use newer usr/lib/sysimage path (#1997)
* fix: opkg search glob (#1994)
* feat: nginx binary classifier (#1988)
* Expand deb cataloger to include opkg (#1985)
* chore(deps): update bootstrap tools to latest versions (#1991)
* chore(deps): bump github.com/google/go-containerregistry
(#1993)
* chore: update bubbly to fix hanging (#1990)
* chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
(#1989)
* feat: use originator logic to fill supplier (#1980)
* add metadata types to all cpe test fixtures (#1982)
-------------------------------------------------------------------
Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.1:
* fix: default image source name to user input (#1979)
-------------------------------------------------------------------
Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.0:
* chore(deps): update stereoscope to
d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975)
* chore: update to latest commit in tools-golang (#1969)
* Guess unpinned versions in python requirements.txt (#1966)
* chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2
(#1965)
* Fix panic condition on docker pull failure (#1968)
* bump JSON schema to account for simplified python env markers
(#1967)
* feat: support top-level SPDX package and graph (#1934)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to
5.8.1 (#1959)
* Add cataloger for Swift Package Manager. (#1919)
* chore(deps): update stereoscope to
d515761c6ca2743a67d7d08053db69235ae76d1d (#1953)
* chore(deps): bump github.com/docker/docker (#1955)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.0 (#1951)
* Introduce indexed embedded CPE dictionary (#1897)
* chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4
(#1949)
* Add support for parsing .NET assemblies (#1943)
* docs: capture artifactory dev settings from 1895 (#1947)
* remove build binary and add explicit git ignore
* docs: update docs with new docker specific instructions (#1941)
* remove jotframe UI (#1932)
* fix: remove indirect dependency of circl v1.1.0 (#1940)
* chore: move wait before iteration to guarantee read before tea
(#1931)
-------------------------------------------------------------------
Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de
- Update to version 0.85.0:
* implement ui handle waiter (#1930)
* fix: background reader apart from global handler for testing
(#1929)
* chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0
(#1928)
* fix: allow valid cyclonedx input with no components (#1873)
* fix: "or-later" suffix updated to consider deprecated "+"
operator (#1907)
* feat: CLI flag for directory base (#1867)
* Fix CPE gen for k8s python client (#1921)
* chore: update iterations to protect against race (#1927)
* chore(deps): update bootstrap tools to latest versions (#1922)
* fix: Don't use the actual redis or grpc CPEs for gems (#1926)
* fix(install): return with right error code (#1915)
* Remove erroneous Java CPEs from generation (#1918)
* chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
(#1916)
* Switch UI to bubbletea (#1888)
* fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate
the link (#1884)
* add file source digest support (#1914)
* chore(deps): update bootstrap tools to latest versions (#1908)
* chore(deps): bump golang.org/x/mod from 0.11.0 to 0.12.0
(#1912)
* chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0
(#1913)
* doc(readme): add installation section with scoop (#1909)
* Refactor source API (#1846)
* chore(deps): update bootstrap tools to latest versions (#1905)
-------------------------------------------------------------------
Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.1:
* chore(deps): update stereoscope to
cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903)
* chore(deps): update bootstrap tools to latest versions (#1902)
* fix: discover deb file relationships in distroless images
(#1901)
* add oss community board auto-add workflow (#1898)
* chore(deps): update stereoscope to
8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890)
* chore(deps): update bootstrap tools to latest versions (#1894)
* fix: add support for Dart SDK package dependencies (#1891)
* Simplify the SBOM writer interface (#1892)
* fix: improve version detection in Java archive name parsing
(#1889)
* fix: only output valid cyclonedx license choices (#1879)
* docs: clarify reasoning of default catalogers for images or
directories (#1887)
-------------------------------------------------------------------
Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.0:
* Configure chronicle to pre-1.0 mode (#1886)
* chore: update SPDX license list to 3.21 (#1885)
* chore(deps): update bootstrap tools to latest versions (#1880)
* Pad artifact IDs (#1882)
* chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0
(#1878)
-------------------------------------------------------------------
Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.1:
* chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1
(#1874)
* chore(deps): update stereoscope to
5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
* chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
(#1876)
* fix: pom properties not setting artifact id (#1870)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to
0.5.2 (#1868)
-------------------------------------------------------------------
Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.0:
* fix: handle invalid symlinks (#1861)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to
0.5.1 (#1850)
* chore(deps): update bootstrap tools to latest versions (#1857)
* Pr 1825 (#1865)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to
1.9.3 (#1862)
* chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0
(#1863)
* feat: source-version flag (#1859)
* chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0
(#1851)
* accept main.version ldflags even without vcs (#1855)
* feat: add scope to pom properties (#1779)
* chore(deps): bump github.com/stretchr/testify from 1.8.3 to
1.8.4 (#1852)
* chore(deps): bump github.com/docker/docker (#1849)
* Add test to ensure package metadata is represented in the JSON
schema (#1841)
* Fix directory resolver to consider CWD and root path input
correctly (#1840)
* Migrate location-related structs to the file package (#1751)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to
5.7.0 (#1843)
-------------------------------------------------------------------
Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.82.0:
* fix: add panic recovery for license parse (#1839)
* chore: return both failures when failed to retrieve an image
with a scheme (#1801)
* Extract go module versions from ldflags for binaries built by
go (#1832)
* fix: duplicate packages, support pnpm lockfile v6 (#1778)
* chore(deps): update stereoscope to
e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
* chore(deps): bump github.com/stretchr/testify from 1.8.2 to
1.8.3 (#1829)
* chore(deps): bump github.com/docker/docker (#1833)
-------------------------------------------------------------------
Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.81.0:
* Keep original FileInfo persisted on file.Metadata structs
(#1794)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to
1.9.2 (#1827)
* chore(deps): bump github.com/google/go-containerregistry
(#1823)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to
1.9.1 (#1822)
* chore(deps): bump github.com/docker/docker (#1824)
* fix: update field plurality of 8.0.0 schema before release
(#1820)
* fix: update cataloger to check for expressions before split
(#1819)
* feat: update syft license concept to complex struct (#1743)
* fix: cyclonedx depends-on relationship inverted (#1816)
* fix: retain sbom cataloger relationships (#1509)
* feat: warn if parsing newer SBOM (#1810)
* feat: Add R cataloger (#1790)
* update cosign to v2 release (different go module) (#1805)
* fix: Reduce log spam on unknown relationship type (#1797)
* chore(deps): update bootstrap tools to latest versions (#1807)
* chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
* chore(deps): bump github.com/docker/docker (#1795)
* chore(deps): bump github.com/google/go-containerregistry
(#1796)
* chore(deps): update bootstrap tools to latest versions (#1792)
* Print package list when extra packages found (#1791)
* chore(deps): update bootstrap tools to latest versions (#1786)
* chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)
-------------------------------------------------------------------
Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.80.0:
* Update the CPE generation for spring-security-core (#1789)
* chore: do not HTML escape PackageURLs (#1782)
* chore: do not include kernel module cataloger by default
(#1784)
* chore(docs): Update lists of catalogers (#1780)
* chore: add more detail on SPDX file IDs (#1769)
* Search /usr/share for rpmdb to fix scan on ostree-managed
images (#1756)
* chore(deps): bump github.com/docker/docker (#1767)
* rename sbom.PackageCatalog to sbom.Packages (#1773)
* chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1
(#1768)
* Create python requirements metadata (#1759)
* chore: update test redactor ordering (#1765)
* rename pkg.Catalog to pkg.Collection (#1764)
* chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0
(#1758)
* chore: go-rpmdb update (#1757)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from
0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
* fix: Improve pnpm support (#1752)
-------------------------------------------------------------------
Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.79.0:
* feat: Add template func `hasField` (#1754)
* fix: only cache java packages and not source content (#1750)
* Add sections of interest for Gemfile.lock cataloger (#1749)
* fix: update cache.fingerprint file to java-builds dir (#1748)
* Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
* chore: bump stereoscope to latest version (#1741)
* chore(deps): update bootstrap tools to latest versions (#1744)
* chore(deps): bump github.com/docker/docker (#1746)
-------------------------------------------------------------------
Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de
- Update to version 0.78.0:
* Create consul binary classifier (#1738)
* chore(deps): update bootstrap tools to latest versions (#1740)
* Fix kernel cataloger test fixtures (#1742)
* feat: Support scanning license files in golang packages over
the network (#1630)
* Add package-to-file location evidence relationships (#1698)
* Add Linux Kernel cataloger (#1694)
* Add annotations for evidence on package locations (#1723)
* add format make target (#1733)
* Update tests to not fail on Mac M1's. (#1730)
-------------------------------------------------------------------
Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.77.0:
* chore(deps): update bootstrap tools to latest versions (#1728)
* Add support for nar files. (#1727)
* add highlevel details about catalogers (#1726)
* chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
* chore(deps): update stereoscope to
e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
* feat: gradle lockfile support (#1719)
* chore(deps): bump github.com/docker/docker (#1715)
* chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
* chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
* chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0
(#1716)
* chore(deps): bump peter-evans/create-pull-request from 4 to 5
(#1712)
-------------------------------------------------------------------
Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.1:
* chore: update tools-golang to v0.5.0 (#1717)
* Add Nix cataloger (#1696)
* refactor spdx tooling test to reduce intermittent failures
(#1707)
* Capture file ownership relationships from portage ecosystem
(#1702)
* chore: update deprecated set-output calls (#1705)
-------------------------------------------------------------------
Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.0:
* feat: Add config option to allow user to select the default
image source location
* chore(deps): bump github.com/docker/docker (#1699)
* chore(deps): update bootstrap tools to latest versions (#1697)
* chore(deps): update stereoscope to
d7551b7f46f53179922d6229709d3d1602881080 (#1693)
* 1577 spdxlicense generate (#1691)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to
0.5.3 (#1692)
* feat: scan local go mod cache for licenses of golang packages
(#1645)
* chore: fix flaky license sorting (#1690)
* chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3
(#1689)
* fix: shell completion by adding missing usage message required
by spf13/cobra (#1688)
* chore(deps): update bootstrap tools to latest versions (#1686)
* chore: tweak some workflow text (#1685)
* Remove more side effects from application config testing
(#1684)
* Deprecate config.yaml as valid config source; Add unit
regression for correct config paths (#1640)
* chore: Update syft bootstrap tools to latest versions. (#1682)
* Update documentation: (#1680)
* chore: Update Stereoscope to
7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
* fix: reduce logging for bad dpkg lines (#1675)
* fix ruby classifier (#1678)
* feat: add shared dir for easier cleanup (#1676)
* chore(deps): bump github.com/google/go-containerregistry
(#1672)
* chore(deps): bump actions/setup-go from 3 to 4 (#1671)
* fix: move defer after error to protect panic case (#1670)
* feat: add argocd, helm, kustomize and kubectl binary
classifiers (#1663)
* defer closing file (#1668)
* fix: remove author contributing to javascript CPEs (#1669)
-------------------------------------------------------------------
Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de
- Update to version 0.75.0:
* fix: more python matching support (#1667)
* Update syft bootstrap tools to latest versions. (#1666)
* feat: add ruby classifier (#1665)
-------------------------------------------------------------------
Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.1:
* Update syft bootstrap tools to latest versions. (#1658)
* fix: improved Python binary detection (#1648)
* fix: suppress some known incorrect vendor candidates for npm
CPEs (#1659)
* fix: sanitize SPDX LicenseRefs (#1657)
* chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
* chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
* chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5
(#1654)
* chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
* fix: dotnet PURL types are invalid (#1649)
* feat: disable cpe vendor wildcards to reduce false positives
(#1647)
* read relative etc/apk/repositories for alpine version when no
OS provided (#1615)
-------------------------------------------------------------------
Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.0:
* fix: possible race condition (#1639)
* fix: remove APK OriginPackage cpe candidates (#1637)
* fix: rebar lock file decoding panic (#1628)
* fix: handle individual cataloger panics (#1636)
* fix: apk product/vendor generation for old metadata (#1635)
* feat: rust toolchain binary cataloger (#1601)
* feat: retain go package info when no module declared (#1632)
* fix: improved CPE-generation for several more APK packages
(#1631)
* chore: update deprecated release flag (#1629)
* chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
* feat: add support for SUPPORT_END in /etc/os-release (#1612)
* fix: further improvements to CPE generation for apk packages
(#1623)
* chore(deps): bump github.com/stretchr/testify from 1.8.1 to
1.8.2 (#1625)
* chore(deps): bump actions/checkout from 2 to 3 (#1626)
* feat: set cosign attest predicate type based on Syft output
type (#1598)
* chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4
(#1609)
* fix: correct apk purls for other distros (#1620)
* refactor: move apk upstream logic to apk metadata (#1619)
* fix: decoding null apk metadata pullDependencies (#1614)
* feat: haproxy binary matcher (#1591)
* fix: determine upstream for apk version streams (#1610)
* fix: improve CPE generation for curl APK (#1608)
* Revert "add workaround for macos github actions cache issue
(#1584)" (#1605)
-------------------------------------------------------------------
Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.73.0:
* Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
* chore: fix cataloger_test (#1603)
* fix: merging of binary packages (#1583)
* fix: issue when matching format versions (#1585)
* chore: update syft bootstrap tools to latest versions. (#1593)
* feat: add perl binary classifier (#1592)
* Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
* Update SPDX license list to 3.20 (#1600)
* chore: update SPDX license list (#1599)
* fix cataloger selection to be more specific (#1582)
* add workaround for macos github actions cache issue (#1584)
-------------------------------------------------------------------
Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.72.0:
* Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
* chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
* chore: update bug issue template (#1571)
* allow convert to take stdin (#1570)
* fix: improve CPE and upstream generation logic for Alpine packages (#1567)
* fix: missing APK node vulnerabilities (#1565)
* fix: python CPE generation for alpine (#1564)
* chore(deps): bump github.com/docker/docker (#1563)
-------------------------------------------------------------------
Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.71.0:
* switch from trigger-release target to release target (#1560)
* Speed up cataloging by replacing globs searching with index lookups (#1510)
* Update syft bootstrap tools to latest versions. (#1549)
* Fix installed versions (#1556)
* chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
* feat: add postgresql classifier (#1536)
* Add release trigger (#1501)
* chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
* chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
* fix: add support for licenses not found on list (#1540)
* Update syft bootstrap tools to latest versions. (#1541)
* feat: Allow specific versions of formats to be specified (#1543)
* Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
* source: when base is set, responsePath should be absolute (#1542)
-------------------------------------------------------------------
Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.70.0:
* fix: update config struct to not decode password/key (#1538)
* Update syft bootstrap tools to latest versions. (#1537)
* feat: add traefik classifier (#1504)
* fix: don't hardcode Cosign attest type (#1533)
* chore(deps): bump github.com/docker/docker (#1531)
* Update syft bootstrap tools to latest versions. (#1530)
-------------------------------------------------------------------
Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.1:
* chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
* feat: update golang to 1.19 (#1526)
* Update syft bootstrap tools to latest versions. (#1525)
-------------------------------------------------------------------
Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.0:
* Allow scanning unpacked container filesystems (#1485)
* fix: allow template for syft convert (#1521)
* 1465 attestation with private key (#1502)
-------------------------------------------------------------------
Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.1:
* fix: add relevant CPEs to python and busybox classifiers (#1517)
* Update syft bootstrap tools to latest versions. (#1515)
* chore: correct bootstrap tool script (#1514)
* chore(deps): bump github.com/google/go-containerregistry (#1513)
* Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
* chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
* chore(deps): bump github.com/docker/docker (#1506)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
* chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
* Bump github.com/spdx/tools-golang to v0.4.0 (#1450)
-------------------------------------------------------------------
Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.0:
* Fix panic in apkdb parsing on empty "provides" values (#1494)
* push detailed log statements to trace-level (#1500)
* npm: package-lock license decoding to accept string or array (#1482)
* always set the package ID for java packages (#1493)
* fix: skip filling in empty fields in APK metadata (#1484)
* chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
* chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
* chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
* Relax error conditions for catalogers (#1492)
* feat: add memcached classifier (#1486)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
* chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
* chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
* chore(deps): bump github.com/google/go-containerregistry (#1487)
* chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
* chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
* chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
* chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
* chore(deps): bump github/codeql-action from 1 to 2 (#1473)
* chore(deps): bump actions/setup-go from 2 to 3 (#1472)
* Add dependabot (#1451)
- skip non-existent release 0.67.x
-------------------------------------------------------------------
Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.2:
* chore: use checkout v3 with new depth (#1471)
* chore: use checkout v2 for tag depth (#1470)
* fix: nil panic in graalvm cataloger (#1468)
* add linter for type assertion checks (#1469)
* fix: bump golang.org/x/net to v0.4.0 (#1467)
* fix: bump golang.org/x/text to v0.3.8 (#1466)
* bootstrap within composite action (#1461)
* chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
* README: update Nix installation instructions (#1455)
-------------------------------------------------------------------
Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.1:
* fix: update graalvm cataloger to fix panic (#1454)
* chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)
-------------------------------------------------------------------
Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.0:
* feat: Add the origin field to the output format of syftjson (#1327)
* chore: update schema (#1449)
* feat: prefer known CPE vendors over other candidates (#1294)
* fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
* feat: add BeamVM Hex support (#1073)
* feat: add apache httpd binary classifier (#1448)
* chore: claim artifacthub package ownership from developer-guy (#881)
* Parallel package catalog processing (#1355)
* feat: Add php binary catalogers (#1444)
* Update syft bootstrap tools to latest versions. (#1443)
* fix: duplicate file in tar archive causes read to fail (#1445)
* Add support for GraalVM Native Image executables. (#1276)
* Add redis binary classifier (#1438)
* docs: add cataloger construction summary (#1434)
* chore: update bootstrap tools to latest versions. (#1428)
* Add alpine type to purl (#1431)
-------------------------------------------------------------------
Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de
- Update to version 0.65.0:
* adding purl types for binary classifiers (#1435)
* chore: refactor basic CPE functionality to its own package (#1436)
* fix: typo in os.Getwd error message (#1433)
* fix: additional excessive go binary warnings (#1432)
* docs: migrate to homebrew-core (#1427)
-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.64.0:
* fix: unicode output in cyclonedx-json format (#1420)
* fix: excessive go binary warnings (#1424)
* feat: update spdx format model to produce valid spdx json documents (#1418)
* clean package names in python parsers (#1417)
* docs: update schema name to 2.3 (#1416)
* feat: add h1digest when scanning go.mod (#1405)
* feat: Add license parsing for java (#1385)
* fix: cyclonedx component type for binaries (#1406)
* fix: openjdk detection pattern (#1415)
* bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
* Add NetBSD support. (#1412)
-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.63.0:
* feat: add catalog delete (#1377)
* docs: remove file classifier (#1397)
* chore: update latest cyclonedx library (#1390)
* feat: Add Java binary catalogers (#1392)
* chore: Update SPDX license list to 3.19 (#1389)
* fix: add manual vendor/product removal to fix false flags (#1070)
* Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
* chore: fix test busybox image sha (#1393)
* fix: go version not properly identified in binary (#1384)
-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.3:
* Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
* fix: Update node binary package name (#1375)
* feat: Generic Binary Cataloger (#1336)
* recover from bad parsing of golang binary (#1371)
* Fix parsing of apk databases with large entries (#1365)
* Update syft bootstrap tools to latest versions. (#1369)
-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.2:
* fix: guard for locations < 1 in alpmdb parse (#1366)
* fix: remove cabal.project.freeze panic on last pkg (#1363)
* fix: requirements.txt - return unicode only letter/num for version (#1361)
* Update syft bootstrap tools to latest versions. (#1356)
-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.1:
* fix: sort relationships in SPDX output (#1350)
* chore: add debug logging for decode errors (#1352)
* feat(npm): handle aliases in package-lock.json (#1349)
-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.0:
* fix: spdx java checksum correctness (#1348)
* feat: Add support for npm lockfile version 3 (#1206)
-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.61.0:
* 1111 clean name bug (#1347)
* Add spdx relationship encoding for dependencies (#1342)
* feat: SPDX 2.3 support (#1311)
* SBOM cataloger (#1029)
* chore: clean up linting configuration (#1343)
* fix: Unmarshal Syft JSON with missing metadata (#1338)
* fix apk decode for older data shapes (#1341)
* chore: add unit test for wolfi os release identification (#1340)
* fix: Output only valid CPEs for CycloneDX OS components (#1339)
* feat: Add `--name` option to override name in output (#1269)
* Add support for dependency relationships for alpine (apk) (#1063)
* normalize alpm md5 refs (#1333)
* Update java generic cataloger (#1329)
* Support encoding map types to CycloneDX properties (#1332)
* Update swift cataloger to generic cataloger (#1324)
* port rust cataloger to new generic cataloger pattern (#1323)
* port ruby cataloger to new generic cataloger pattern (#1322)
* port rpm cataloger to new generic cataloger pattern (#1321)
* port python cataloger to new generic cataloger pattern (#1319)
* Update portage cataloger to new generic cataloger (#1316)
* port php cataloger to new generic cataloger pattern (#1315)
-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.3:
* javascript cataloger: node binary: nil pointer dereference (#1313)
* Fix: Include version information in binary cataloger CPEs (#1310)
* fix: only generate PURL on empty string (#1312)
* add s3 credentials to release (#1309)
* port javascript cataloger to new generic cataloger pattern (#1308)
-------------------------------------------------------------------
Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.2:
* chore: update goreleaser brew token (#1306)
* fix: Decode binary and unknown metadata (#1307)
-------------------------------------------------------------------
Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.1:
* chore: update github token permissions for goreleaser (#1305)
-------------------------------------------------------------------
Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.0:
* fix: update ci secret to use new password (#1304)
* fix: update secret value to use new cert cahin (#1303)
* fix: verbose quill release failures (#1302)
* fix: unterminated quoted string (#1300)
* fix: update Makefile to remove old signing arch (#1299)
* feat: add nodejs-binary package classifier (#1296)
* update go-rpmdb to improve parsing of installed files (#1297)
* docs: update attestation directions with new cosign changes
* fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
* Fix #1245 Update SPDX license list to 3.18 (#1259)
* fix: Resolve Maven POM expressions (#1251) (#1278)
* port haskell cataloger to new generic cataloger pattern (#1290)
* port golang cataloger to new generic cataloger pattern (#1289)
* port deb/dpkg cataloger to new generic cataloger pattern (#1288)
* update cataloger tests to use pkgtest utils (#1287)
* port dotnet cataloger to new generic cataloger pattern (#1286)
* port dart cataloger to new generic cataloger pattern (#1285)
* port conan cataloger to new generic cataloger pattern (#1284)
* port apk cataloger to new generic cataloger pattern (#1283)
* replace signing tooling with quill (#1280)
* Upgrade generic cataloger (#1281)
* Update syft bootstrap tools to latest versions. (#1282)
* replace logger interface with anchore/go-logger (#1279)
* Update syft bootstrap tools to latest versions. (#1267)
* Add go binary h1 digest to SPDX (#1265)
* fix: move reproduction to top of issue (#1264)
* fix: update syftjson ID to match major schema version (#1274)
* Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
* chore: handle deprecated SPDX license: StandardML-NJ (#1266)
-------------------------------------------------------------------
Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de
- Update to version 0.59.0:
* Fixes #1179 Deprecated SPDX license (#1263)
* feat: add RelationshipsBySourceOwnership to syft json output (#1248)
* fix: reset merged package into map; (#1258)
* refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
* Update syft bootstrap tools to latest versions. (#1254)
* Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
* Update syft bootstrap tools to latest versions. (#1244)
* fix apkdb checksum representation (#1247)
* feat: add identifiable field to source object (#1243)
* feat: attest support for Singularity images (#1201)
* Update syft bootstrap tools to latest versions. (#1239)
* Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
* fix: Follow symlinks when searching for globs in all-layers scope (#1221)
* update requires to use list; remove field (#1234)
-------------------------------------------------------------------
Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.58.0:
* Add Conan (C/C++) conan.lock file support (#1230)
* add sequence diagrams and flesh out TODO notes (#1233)
* Do not fail if unable to parse `.rpm` file (#1232)
* fix: support exclude patterns on Windows (#1228)
* Update syft bootstrap tools to latest versions. (#1225)
* Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
* Update syft bootstrap tools to latest versions. (#1223)
* Update syft bootstrap tools to latest versions. (#1220)
-------------------------------------------------------------------
Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de
- Update to version 0.57.0:
* feat: catalog python files for installed-files.txt file metadata (#1217)
* Stabilize SPDX JSON output sorting (#1216)
* bug: remove chance for panic; provide default attestation path (#1214)
* refactor: update Makefile organization; update DEVELOPING.md instructions (#1212)
* refactor: replace ioutil=>io; update linter (#1211)
* Update bootstrap tools to latest versions. (#1204)
* Add gosimports (#1205)
* refactor: move formats from internal into syft module (#1172)
-------------------------------------------------------------------
Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de
- Update to version 0.56.0:
* warn on errors from RPM DB parsing (#1200)
* docs: improve Singularity image source docs (#1190)
* Add RPM file scanning support (#1188)
* Normalize syft-json output (#1194)
* Revert "External sources configuration (#1158)" (#1191)
* Update syft bootstrap tools to latest versions. (#1186)
* Fix RPM DB license handling (#1184)
* Update syft bootstrap tools to latest versions. (#1182)
-------------------------------------------------------------------
Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de
- Update to version 0.55.0:
* update stereoscope to latest (#1181)
* Update syft bootstrap tools to latest versions. (#1180)
* Bug fix for 1095 - syft conversion option error (#1177)
* Update syft bootstrap tools to latest versions. (#1176)
* enhance development support on macOS ARM (#1163)
* Capture if a node module is private (#1161)
* Find version numbers from jars with different naming conventions (#1174)
* Update syft bootstrap tools to latest versions. (#1171)
* Fix update-bootstrap-tools workflow (#1170)
* workflow to create automated PRs to update bootstrap tools (#1167)
* feat: add support for licenses in package-lock json v2 (#1164)
* External sources configuration (#1158)
* feat: add support for pnpm (#1166)
* Prevent symlinks causing duplicate package-file relationships (#1168)
-------------------------------------------------------------------
Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de
- Update to version 0.54.0:
* Associate node package licenses from node_modules (#1152)
* Give the contributing guide a substantial rework (#1155)
* fix: extract file ids correctly for spdx-json (#1156)
* metadata decoding should be optional (#1154)
* Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151)
* Add modularitylabel metadata to RPM type records generated by syft (#1148)
* Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149)
* retraction for mispublished versions (#1147)
* cataloger configuration is respected regardless of source (#1142)
* Update README.md (#1146)
* bump cosign to v1.10.1 (#1144)
-------------------------------------------------------------------
Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.4:
* Update stereoscope to get rid of the replace directive (#1140)
-------------------------------------------------------------------
Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.3:
* Correct squashfs import and fix incorrect bouncer configuration (#1138)
-------------------------------------------------------------------
Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.2:
* Overwrite deprecated SPDX licenses automatically (#1009)
* disable release for docker assets (#1137)
-------------------------------------------------------------------
Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.1:
* improve docker release bootstrap (#1136)
* Singularity Image Support (#974)
-------------------------------------------------------------------
Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.0:
* remove docker login from keychain (#1135)
* remove ENV checks from siging script (#1134)
* remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133)
* remove prefixed v from tag to match release (#1131)
* rollback actions-setup-docker to earlier version (#1130)
* Bump go-rustaudit to support rustaudit 0.2.0 (#1127)
* bump bouncer to v0.4.0 (#1125)
* Added ppc64le supported to the syft:debug image (#1124)
* add a cataloger for binaries built with rust-audit (#1116)
* bump goreleaser to v1.10.3 (#1123)
* bump golangci-lint to v1.47.2 (#1122)
* bump cosign in bootstrap-tools to v1.10.0 (#1121)
* Added s390x support (#1117)
* Delete pr_action.yaml (#1120)
* fix: use generic instead of not generating purl (#1119)
* bump cosign to v1.10.0 (#1114)
-------------------------------------------------------------------
Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.52.0:
* Update sigstore/rekor dependency (#1112)
* Added ppc64le support (#1099)
* patch-distroless-ghcr (#1110)
* add distroless debug image to published release (#1106)
* update help formatting (#1105)
* feat: implement haskell support (#1096)
* Add the -r argument for gnu xargs (#1103)
* fix: -o output option to include formats (#1102)
* moves go-rpmdb to latest; libc => v1.16.7 (#1098)
-------------------------------------------------------------------
Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.51.0:
* feat: add support for cocoapods (Swift/Objective-C) (#1081)
* Fix package url for Go modules with no / (#1092)
* Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090)
* feat: output attestation to file (#1087)
* Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089)
* Add portage support for Gentoo Linux (#1076)
* Add PR action back to workflow with new token (#1086)
-------------------------------------------------------------------
Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de
- Update to version 0.50.0:
* feat: add new login cmd (#1068)
* update AltRpmDbGlob with comment and context (#1085)
* feat: add support for conan packages (C/C++) (#1083)
* add golang main module and pseudo-version (#916)
* fix: add glob to filter list to ensure rpm metadata files are matched… (#1079)
* remove pr automation until service account creation (#1080)
* fix: purl generation for pom.xml (#1078)
* Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072)
* fix: add new languages found in cpes (#1069)
* fix: add php catalogers to all catalogers (#1065)
* feat: add use-all-catalogers flag (#1050)
-------------------------------------------------------------------
Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.49.0:
* Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926)
* remove OSS Meetup message (#1057)
* add pom.xml cataloger (#1055)
* Add support for CBL-Mariner distroless images (#1045)
* Add catalogers configuration (#1038)
* add template output (#1051)
-------------------------------------------------------------------
Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.1:
* update stereoscope to latest version (#1052)
-------------------------------------------------------------------
Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.0:
* update zip_read_closer to incorporate zip64 support (#1041)
* Add pacman (alpm) parser support (#943)
-------------------------------------------------------------------
Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de
- Update to version 0.47.0:
* Update of README.md (#1027)
* bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025)
* add workflows to test new project automation (#1023)
* improve LanguageByName and add unit tests (#1034)
* Read Description from dpkg status files (#996)
* Add announcement for Anchore OSS Virtual Meetup (#1033)
* add main module field to go bin metadata (#1026)
* Add filters to package cataloger (#1021)
* change draft to false for release process (#1016)
* Support RPM distros with newer RPM db formats (#1018)
* fix: add component list to prevent cyclone-dx panic (#1015)
-------------------------------------------------------------------
Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- first version of package syft at version 0.46.3