syft/syft.changes

-------------------------------------------------------------------
Tue Dec 10 08:48:44 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.18.0:
* chore(deps): update anchore dependencies (#3510)
* fix: convert file paths for spdx formats from absolute to
relative (#3509)
* chore(deps): update CPE dictionary index (#3507)
* chore(deps): update tools to latest versions (#3506)
* chore(deps): bump github.com/magiconair/properties from 1.8.7
to 1.8.9 (#3508)
* chore(deps): bump actions/cache from 4.1.2 to 4.2.0 (#3503)
* Add relationships for rust audit binary packages (#3500)
* fix order of rust dependencies and support git sources in
Cargo.lock dependencies (#3502)
* chore(deps): update tools to latest versions (#3501)
* chore(deps): bump golang.org/x/net from 0.31.0 to 0.32.0
(#3499)
* chore: add and document target for updating unit snapshots
(#3498)
* fix: emit NOASSERTION for copyright text to fix SPDX 2.2
validation failure (#3495)
* chore(deps): update tools to latest versions (#3496)
* chore(deps): update tools to latest versions (#3487)
* chore(deps): bump github/codeql-action from 3.27.5 to 3.27.6
(#3494)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.2 to
6.6.3 (#3489)
* feat: set max layer size (#3464)
* chore(deps): update CPE dictionary index (#3491)
* chore(deps): bump modernc.org/sqlite from 1.34.1 to 1.34.2
(#3492)
* chore(deps): bump github.com/saferwall/pe from 1.5.5 to 1.5.6
(#3493)
* chore(deps): update tools to latest versions (#3478)
* chore(deps): update CPE dictionary index (#3479)
* chore(deps): bump github.com/stretchr/testify from 1.9.0 to
1.10.0 (#3480)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.3
to 1.2.4 (#3482)
* chore(deps): update stereoscope to
be5deed44b7c03fcbfa6f1f42fb67202d31636a9 (#3483)
* fix: dart classifier for 2.x and ARM (#3475)
* Use file indexer directly when scanning with file source
(#3333)
* chore(deps): bump anchore/sbom-action from 0.17.7 to 0.17.8
(#3476)
* chore(deps): bump github/codeql-action from 3.27.4 to 3.27.5
(#3473)
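Two of the 1.18.0 entries above (#3509, relative SPDX file paths, and #3495, NOASSERTION copyright text for SPDX 2.2 validation) describe defects that SBOMs produced by earlier releases may still carry. The following check is an added example, not code from syft or from this package: it lints an SPDX 2.2 JSON document for absolute fileName values (SPDX expects paths relative to the scanned root, in the "./"-prefixed form) and for packages or files with no copyrightText field (mandatory in SPDX 2.2, where NOASSERTION is the correct value when unknown), and repairs both. The SPDX document embedded below is constructed for the example; a real caller would load the .spdx.json file instead.

```python
"""Lint an SPDX 2.2 JSON document for two defects older SBOM generators may
emit: absolute file names (SPDX wants paths relative to the scanned root,
conventionally prefixed with "./") and packages or files with no copyright
text (mandatory in SPDX 2.2; NOASSERTION is the correct value when it is
unknown).  The document below is constructed for this example."""
import json

# Constructed SPDX 2.2 fragment carrying only the fields the checks need.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-liba", "name": "liba", "versionInfo": "1.0",
         "copyrightText": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-libb", "name": "libb", "versionInfo": "2.0"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./usr/lib/liba.so",
         "copyrightText": "NOASSERTION"},
        {"SPDXID": "SPDXRef-File-2", "fileName": "/usr/lib/libb.so"},
    ],
})


def load_spdx(text: str) -> dict:
    """Parse SPDX JSON text; a real caller would read the .spdx.json file."""
    return json.loads(text)


def relativize(path: str) -> str:
    """Rewrite an absolute SPDX fileName into the './'-prefixed relative form."""
    if path.startswith("./"):
        return path
    return "./" + path.lstrip("/")


def lint_spdx(doc: dict) -> list:
    """Return one finding string per defect; an empty list means clean."""
    findings = []
    for f in doc.get("files", []):
        name = f.get("fileName", "")
        if name.startswith("/"):
            findings.append(f"{f['SPDXID']}: absolute fileName {name!r}, "
                            f"expected {relativize(name)!r}")
        if "copyrightText" not in f:
            findings.append(f"{f['SPDXID']}: missing copyrightText (use NOASSERTION)")
    for p in doc.get("packages", []):
        if "copyrightText" not in p:
            findings.append(f"{p['SPDXID']}: missing copyrightText (use NOASSERTION)")
    return findings


def fix_spdx(doc: dict) -> dict:
    """Return a deep copy with both defects repaired so the SBOM validates."""
    fixed = json.loads(json.dumps(doc))
    for f in fixed.get("files", []):
        f["fileName"] = relativize(f.get("fileName", ""))
        f.setdefault("copyrightText", "NOASSERTION")
    for p in fixed.get("packages", []):
        p.setdefault("copyrightText", "NOASSERTION")
    return fixed


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX)
    for finding in lint_spdx(doc):
        print(finding)
    print("after fix:", lint_spdx(fix_spdx(doc)))
```

Run it against an SBOM before feeding it to a validator or a vulnerability scanner; the relative-path rewrite only touches the fileName field, so file checksums and relationships stay intact.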
-------------------------------------------------------------------
Thu Nov 21 14:50:55 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.17.0:
* chore(deps): update stereoscope to
aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3472)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.2
to 1.2.3 (#3467)
* fix: bump clio to pull in logging fix (#3466)
* 3122 valid license url characters (#3449)
* 3030 license declared spdx correction (#3461)
* chore(deps): update tools to latest versions (#3463)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.1 to
6.6.2 (#3465)
* chore(deps): bump modernc.org/sqlite from 1.33.1 to 1.34.1
(#3460)
* chore(deps): update CPE dictionary index (#3453)
* chore(deps): update tools to latest versions (#3454)
* chore(deps): update tools to latest versions (#3448)
* chore(deps): update tools to latest versions (#3444)
* chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4
(#3446)
* feat: emit dependency relationships found in Cargo.lock (#3443)
* chore(deps): update stereoscope to
aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3442)
* chore(deps): bump github/codeql-action from 3.27.2 to 3.27.3
(#3438)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.1
to 1.2.2 (#3439)
* chore(deps): bump github.com/saferwall/pe from 1.5.4 to 1.5.5
(#3440)
* chore(deps): update tools to latest versions (#3413)
* chore(deps): bump github/codeql-action from 3.27.1 to 3.27.2
(#3436)
* chore(deps): bump golang.org/x/mod from 0.21.0 to 0.22.0
(#3426)
* update node classifier (#3419)
* chore(deps): update stereoscope to
120d9ea511e2f7a9887b443c52e66cd19bb80b43 (#3424)
* chore(deps): update CPE dictionary index (#3429)
* chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1
(#3431)
* chore(deps): bump golang.org/x/net from 0.30.0 to 0.31.0
(#3432)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.2
to 1.2.1 (#3433)
* restore log on ui teardown (#3427)
* doc: Add official Syft logo license information (#3421)
* chore(deps): bump anchore/sbom-action from 0.17.6 to 0.17.7
(#3418)
* chore: build release sbom from go.mod (#3417)
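The 1.17.0 entry "emit dependency relationships found in Cargo.lock" (#3443) and the 1.18.0 entry "fix order of rust dependencies and support git sources in Cargo.lock dependencies" (#3502) both concern the same structure: a Cargo.lock lists every crate once, and each crate's dependencies array names other entries either by bare name, by "name version" when several versions are present, or by "name version (source)" when the same version comes from different sources. The parser and resolver below are an added example written for this page, not syft's implementation; the lockfile text is constructed, and recording the pinned git URL and revision in the purl's standard vcs_url qualifier is a convention chosen for the example.

```python
"""Parse a Cargo.lock (lockfile version 3) into crates and resolved
dependency edges, handling crates fetched from git as well as from
crates.io.  The lockfile text is constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote

SAMPLE_LOCK = '''\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "libc",
 "serde 1.0.200",
 "utils",
]

[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "serde"
version = "0.9.15"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "utils"
version = "0.3.0"
source = "git+https://github.com/example/utils?branch=main#0123456789abcdef0123456789abcdef01234567"
dependencies = [
 "serde 0.9.15",
]
'''

# "name", "name version" or "name version (source)"
DEP_RE = re.compile(r"^(?P<name>\S+)(?: (?P<version>\S+))?(?: \((?P<source>[^)]+)\))?$")


@dataclass
class Crate:
    name: str
    version: str
    source: Optional[str] = None              # None for path/workspace crates
    deps: list = field(default_factory=list)  # raw dependency specs

    @property
    def purl(self) -> str:
        base = f"pkg:cargo/{self.name}@{self.version}"
        if self.source and self.source.startswith("git+"):
            # Assumption made for this example: keep the pinned git URL and
            # revision in the purl's standard vcs_url qualifier.
            url, _, rev = self.source.partition("#")
            vcs = quote(url + "@" + rev, safe="")
            return f"{base}?vcs_url={vcs}"
        return base


def parse_cargo_lock(text: str) -> list:
    """Minimal reader for the TOML subset Cargo writes into Cargo.lock."""
    crates, cur, in_deps = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            cur = Crate(name="", version="")
            crates.append(cur)
            in_deps = False
            continue
        if cur is None:
            continue  # top-level keys such as `version = 3`
        if in_deps:
            if line == "]":
                in_deps = False
            else:
                cur.deps.append(line.rstrip(",").strip('"'))
            continue
        key, _, value = line.partition(" = ")
        if key == "dependencies":
            if value == "[":
                in_deps = True
            else:
                cur.deps = re.findall(r'"([^"]*)"', value)  # single-line array
        elif key in ("name", "version", "source"):
            setattr(cur, key, value.strip('"'))
    return crates


def resolve(spec: str, crates: list) -> Crate:
    """Map one dependency spec to exactly one crate, or fail loudly."""
    m = DEP_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable dependency spec: {spec!r}")
    cands = [c for c in crates
             if c.name == m["name"]
             and (m["version"] is None or c.version == m["version"])
             and (m["source"] is None or c.source == m["source"])]
    if len(cands) != 1:
        raise ValueError(f"{spec!r} matches {len(cands)} crates; lockfile is ambiguous or incomplete")
    return cands[0]


def dependency_edges(crates: list) -> list:
    """Sorted (dependant purl, dependency purl) pairs for a deterministic SBOM."""
    edges = [(c.purl, resolve(spec, crates).purl) for c in crates for spec in c.deps]
    return sorted(edges)


if __name__ == "__main__":
    for src, dst in dependency_edges(parse_cargo_lock(SAMPLE_LOCK)):
        print(f"{src} -> {dst}")
```

The resolver refuses a bare name that matches two versions instead of picking one, which is the failure mode to watch for when a lockfile has been hand-edited or merged badly; sorting the edges before emitting them keeps repeated SBOM generations diffable.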
-------------------------------------------------------------------
Tue Nov 05 09:43:28 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.16.0:
* chore: prevent file resolver from bubbling errors in binary
cataloger (#3410)
* chore(deps): update stereoscope to
cbd43fb4e5d348fe680066ee6329385fd6a4f827 (#3411)
* chore(deps): update CPE dictionary index (#3414)
* chore(deps): bump github.com/adrg/xdg from 0.5.2 to 0.5.3
(#3408)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.13.1
to 1.0.0 (#3409)
* chore(deps): update stereoscope to
2ce1e520983b1c21d5150d7fae2b39e8e5ab9063 (#3405)
* Issue #3143 fixed format conversion docs link (#3407)
* feat: support dependencies and purl for Native Image SBOMs
(#3399)
* chore(deps): update stereoscope to
9c92fe30492ffeba14ed2e23ad1fd923341dda4f (#3398)
* feat: exclude devDependencies from package-lock.json parsing
(#3371)
* chore(deps): bump github.com/adrg/xdg from 0.5.1 to 0.5.2
(#3394)
* chore(deps): bump anchore/sbom-action from 0.17.5 to 0.17.6
(#3393)
* fix: stack overflow in spyingIoReadCloser (#3392)
* fix: bad pom files may cause infinite loop (#3391)
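The 1.16.0 entry "exclude devDependencies from package-lock.json parsing" (#3371) turns on a distinction the lockfile already records: in lockfileVersion 2 and 3 the "packages" map holds one entry per installed path, and an entry that exists only to satisfy devDependencies carries "dev": true. An SBOM for a shipped image should not list those. The reader below is an added example, not syft's cataloger; the lockfile is constructed, including a nested duplicate, a dev-only scoped package, an optional package and a workspace symlink, so each skip rule is exercised.

```python
"""List the packages a production `npm install --omit=dev` would leave in
node_modules, reading an npm package-lock.json (lockfileVersion 2 or 3) and
dropping entries that exist only to satisfy devDependencies.  The lockfile
below is constructed for this example."""
import json

SAMPLE_LOCK = json.dumps({
    "name": "webapp",
    "version": "1.0.0",
    "lockfileVersion": 3,
    "packages": {
        # "" is the root project itself, not an installed package.
        "": {"name": "webapp", "version": "1.0.0",
             "dependencies": {"express": "^4.19.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/express": {"version": "4.19.2"},
        # nested copy installed under express because of a version conflict
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/@types/node": {"version": "20.11.0", "dev": True},
        "node_modules/fsevents": {"version": "2.3.3", "optional": True},
        # workspace symlink: no version of its own
        "node_modules/shared": {"resolved": "packages/shared", "link": True},
    },
})


def load_lock(text: str) -> dict:
    """Parse lockfile text; v1 lockfiles have no 'packages' map and are rejected."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("only lockfileVersion 2 and 3 carry the 'packages' map")
    return lock


def package_name(path: str) -> str:
    """'node_modules/express/node_modules/@scope/pkg' -> '@scope/pkg'."""
    return path.split("node_modules/")[-1]


def npm_purl(name: str, version: str) -> str:
    """Package URL for an npm package; the scope's '@' is percent-encoded."""
    if name.startswith("@"):
        scope, _, pkg = name.partition("/")
        return f"pkg:npm/%40{scope[1:]}/{pkg}@{version}"
    return f"pkg:npm/{name}@{version}"


def production_packages(lock: dict, include_optional: bool = True) -> list:
    """Sorted (name, version) pairs a production install contains."""
    found = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link"):
            continue  # root project / workspace symlink
        if entry.get("dev"):
            continue  # present only because of devDependencies
        if entry.get("optional") and not include_optional:
            continue
        found.append((package_name(path), entry["version"]))
    return sorted(found)


def production_purls(lock: dict) -> list:
    return [npm_purl(n, v) for n, v in production_packages(lock)]


if __name__ == "__main__":
    for purl in production_purls(load_lock(SAMPLE_LOCK)):
        print(purl)
```

Nested duplicates are reported under their own name and version, so a vulnerable old copy hidden under another package's node_modules still shows up; whether optional packages belong in the inventory depends on the install flags used for the image, hence the switch.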
-------------------------------------------------------------------
Tue Oct 29 14:02:45 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.15.0:
* chore(deps): update stereoscope to
bcc40c6817524718277256d6b774ce643f98640a (#3388)
* chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#3384)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.1
to 1.1.2 (#3385)
* chore(deps): update tools to latest versions (#3383)
* chore(deps): update CPE dictionary index (#3387)
* chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#3380)
* feat: multi-level configuration and profiles (#3337)
* feat: Java dependency graph information (#3363)
* Expanded dpkg cataloger globs (#3373)
* Enable cargo-auditable-binary-cataloger for files/directories
(#3376)
* chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0
(#3374)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3375)
* chore(deps): update stereoscope to
6db3c175f1f836e552b01ee70e5d5528cc04bce4 (#3362)
* chore(deps): bump actions/cache from 4.1.1 to 4.1.2 (#3364)
* chore(deps): bump anchore/sbom-action from 0.17.4 to 0.17.5
(#3365)
* chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to
5.6.0 (#3367)
-------------------------------------------------------------------
Tue Oct 22 07:09:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.2:
* Create single license scanner for all catalogers (#3348)
* chore(deps): update stereoscope to
a38c93517fc7d67ca1af826ac529a06c05b571d2 (#3357)
* chore(deps): update CPE dictionary index (#3358)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.0 to
6.6.1 (#3361)
* update to latest packageurl-go (#3347)
* chore(deps): update tools to latest versions (#3342)
* chore(deps): update stereoscope to
9e57bce5efeb0ffe27770dd0b8eb2eef8b38512f (#3338)
* chore(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.1
(#3344)
* fix: use official CPE for linux kernel (#3343)
* chore(deps): bump anchore/sbom-action from 0.17.3 to 0.17.4
(#3340)
* fix: improve mariadb binary classifier to detect older versions
(#3339)
-------------------------------------------------------------------
Tue Oct 15 15:36:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.1:
* fix: stop some log.Warn spam due to parsing an empty string as a
CPE (#3330)
* chore(deps): update stereoscope to
1cc8a41d447d0d092699be2b700b8ba62e870434 (#3334)
* chore(deps): update stereoscope to
1cc8a41d447d0d092699be2b700b8ba62e870434 (#3332)
* chore(deps): update stereoscope to
93f8a11331e3d50f751e4d0ec5b63f3df309e9e5 (#3331)
* chore(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3
(#3326)
* chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13
(#3327)
* chore(deps): update CPE dictionary index (#3323)
* fix: improve go binary semver extraction for traefik (#3325)
* chore(deps): update stereoscope to
92e97a1cf36d162bad51ccc6aba0cce7a4dcfbf4 (#3322)
* chore(deps): update stereoscope to
c04af061af62ab3ba6ab6760613526eaa7fcb163 (#3319)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.1
to 4.7.0 (#3321)
* chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.3
(#3314)
* shorten release docs (#3318)
* docs: clearer deprecation message for --file (#3310)
* [docs] Add mastodon link to README.md (#3306)
* chore(deps): update stereoscope to
5bc91bf166769e43d8d0f86c02e877c55eb04aed (#3313)
* chore(deps): bump actions/cache from 4.1.0 to 4.1.1 (#3312)
* chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12
(#3307)
* chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#3308)
* chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1
(#3309)
-------------------------------------------------------------------
Wed Oct 09 04:42:52 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.14.0:
* feat: report unknowns in sbom (#2998)
* chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0
(#3299)
* chore(deps): update stereoscope to
efa76446cc1c7e6c4117350943a2754b2453aec4 (#3301)
* chore(deps): bump golang.org/x/net from 0.29.0 to 0.30.0
(#3304)
* chore(deps): bump actions/cache from 4.0.2 to 4.1.0 (#3305)
* chore(deps): update CPE dictionary index (#3302)
* Fix: Parse package.json with non-standard fields in 'author'
section (#3300)
* chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11
(#3298)
* chore: add pull request template (#3294)
* chore(deps): update tools to latest versions (#3296)
* Track supporting DPKG evidence (#3228)
* Fix: make failed CPE validation correctly return error (#2762)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.9 to
6.6.0 (#3293)
* feat: update haproxy classifier (#3277)
* chore(deps): update tools to latest versions (#3291)
* fix: don't use builtin scanner in licensecheck (#3290)
* chore(deps): update CPE dictionary index (#3288)
* chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10
(#3289)
* update redis classifier (#3281)
* fix: improve node classifier version matching (#3284)
* fix: update ruby classifier for -rc, -dev, etc. versions
(#3285)
* chore(deps): update CPE dictionary index (#3262)
* chore(deps): bump github.com/docker/docker (#3264)
* chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9
(#3275)
* chore(deps): update stereoscope to
dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
* chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
* add awaiting response management (#3272)
* fix: correct excluded mount point comparison to file paths
(#3269)
-------------------------------------------------------------------
Tue Sep 24 17:39:53 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.13.0:
* Add JVM cataloger (#3217)
* feat: classifier for Dart lang binaries (#3265)
* Add compliance policy for empty name and version (#3257)
* chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to
2.3.2 (#3254)
* chore(deps): bump peter-evans/create-pull-request from 7.0.3 to
7.0.5 (#3255)
* chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8
(#3256)
* chore(deps): update tools to latest versions (#3259)
* chore(deps): bump github.com/docker/docker (#3260)
* feat: add binary classifiers for lighttp, proftpd, zstd, xz,
gzip, jq, and sqlcipher (#3252)
* fix: capture-snippet.sh can handle leading whitespaces now
(#3249) (#3250)
* chore(deps): update tools to latest versions (#3251)
* chore(deps): update tools to latest versions (#3247)
* chore(deps): update tools to latest versions (#3243)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0
to 0.9.1 (#3242)
* chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7
(#3241)
* chore(deps): bump peter-evans/create-pull-request from 7.0.2 to
7.0.3 (#3240)
* chore(deps): update tools to latest versions (#3231)
* chore(deps): update CPE dictionary index (#3232)
* chore(deps): update tools to latest versions (#3205)
* chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.0
to 1.1.1 (#3225)
* chore(deps): bump peter-evans/create-pull-request from 7.0.1 to
7.0.2 (#3226)
* chore(deps): bump modernc.org/sqlite from 1.33.0 to 1.33.1
(#3229)
* feat: --enrich flag for data enrichment feature enablement
(#3182)
-------------------------------------------------------------------
Thu Sep 12 04:56:01 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.12.2 (no releases between 1.11.1 and this
one):
* chore: make ci-check.sh an executable file (#3220)
* chore(deps): bump github.com/opencontainers/runc from 1.1.12 to
1.1.14 (#3219)
* chore: restore ci-check.sh script (#3218)
* Add haskell binaries cataloger (#3078)
* chore(deps): update CPE dictionary index (#3206)
* chore(deps): bump golang.org/x/net from 0.28.0 to 0.29.0
(#3203)
* Add the Ocaml ecosystem (#3112)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.19.0
to 0.20.0 (#3209)
* chore(deps): bump modernc.org/sqlite from 1.32.0 to 1.33.0
(#3210)
* chore(deps): bump github.com/docker/docker (#3211)
* chore(deps): bump github.com/dave/jennifer from 1.7.0 to 1.7.1
(#3212)
* don't clean up cache in forks (#3214)
* less verbose java logging when non-fatal issues arise (#3208)
* Slim down docker cache size (#3190)
* chore(deps): bump peter-evans/create-pull-request from 7.0.0 to
7.0.1 (#3196)
* chore(deps): bump golang.org/x/mod from 0.20.0 to 0.21.0
(#3197)
* fix: haproxy classifier for versions with -dev suffix (#3180)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to
3.3.0 (#3177)
* chore(deps): update CPE dictionary index (#3183)
* chore(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0
(#3184)
* chore(deps): bump peter-evans/create-pull-request from 6.1.0 to
7.0.0 (#3187)
* fix: properly decode SPDX license expressions in CycloneDX
format (#3175)
* chore(deps): bump github.com/docker/docker (#3168)
* chore(deps): bump github.com/charmbracelet/bubbletea (#3171)
* chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6
(#3173)
* fix: cycles resolving relative path parent poms with
parent-defined variables (#3170)
* fix: improve generated cpes for binaries with existing
classifiers (#3169)
* fix: add log time of task (#3105)
* fix: improve known CPEs and set NVD as source for all current
binary classifiers (#3167)
* respond to authoritative CPEs from catalogers (#3166)
* set cataloger names within package cataloger task (#3165)
* fix: use official CPE for curl binary cataloger (#3164)
* chore(deps): update tools to latest versions (#3160)
* chore(deps): update CPE dictionary index (#3161)
* chore(deps): bump github/codeql-action from 3.26.4 to 3.26.5
(#3162)
* fix ELF package correlations (#3151)
* chore(deps): update tools to latest versions (#3144)
* feat: detect curl binaries (#3146)
* chore(deps): bump anchore/sbom-action from 0.17.1 to 0.17.2
(#3155)
* chore(deps): bump github/codeql-action from 3.26.3 to 3.26.4
(#3154)
* chore(deps): update stereoscope to
e6d086e8bef5fab4fcfbd60c9a759c4cb229decf (#3152)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.18.0
to 0.19.0 (#3148)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3147)
* chore(deps): bump github.com/anchore/stereoscope (#3153)
* fix: mysql 8.0.3x binary detection (#3142)
* chore(deps): bump github/codeql-action from 3.26.2 to 3.26.3
(#3139)
-------------------------------------------------------------------
Tue Aug 20 16:41:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.11.1:
* fix: logging for remote network calls (#3140)
* chore(deps): update CPE dictionary index (#3135)
* chore(deps): bump github.com/charmbracelet/bubbletea (#3137)
* chore(deps): update tools to latest versions (#3121)
* chore(deps): bump github.com/docker/docker (#3123)
* chore(deps): bump anchore/sbom-action from 0.17.0 to 0.17.1
(#3124)
* chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2
(#3129)
* fix: add nil check to CycloneDX toBomProperties (#3119)
* fix: read CycloneDX BOM components from metadata (#3092)
* fix: improve groupid extraction for Jenkins plugins (#2815)
* chore(deps): update CPE dictionary index (#3116)
* support .kar files (#3113)
* chore: fix some comments (#3114)
* chore: fix failing python relationship test (#3117)
* update-slack-to-discourse (#3111)
-------------------------------------------------------------------
Fri Aug 09 18:12:40 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.11.0:
* test: increase java purl generation test coverage (#3110)
* chore(deps): bump modernc.org/sqlite from 1.31.1 to 1.32.0
(#3106)
* chore(deps): bump sigstore/cosign-installer from 3.5.0 to 3.6.0
(#3107)
* chore(deps): update tools to latest versions (#3099)
* chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0
(#3101)
* chore(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6
(#3102)
* chore(deps): bump github.com/google/go-containerregistry
(#3103)
* chore(deps): bump golang.org/x/net from 0.27.0 to 0.28.0
(#3104)
* chore(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5
(#3095)
* chore(deps): update CPE dictionary index (#3094)
* chore(deps): bump golang.org/x/mod from 0.19.0 to 0.20.0
(#3096)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.6 to
0.5.7 (#3097)
* feat: improved java maven property resolution (#2769)
* fix: use organization for package supplier when reading Java
vendor fields (#3093)
* chore(deps): update tools to latest versions (#3091)
* fix: update 'guessMainPackageNameAndVersionFromPomInfo' and
'artifactIDMatchesFilename' (#3054)
* fix: update mainModuleVersion function to always prefix `v` to
findings (#3087)
* chore: update release script to use gh from binny (#3084)
* Added the SWI Prolog (swipl) ecosystem (#3076)
-------------------------------------------------------------------
Thu Aug 01 07:20:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.10.0:
* fix: improve determinism in java archive identification (#3085)
* chore(deps): update stereoscope to
50ce3be7aa1fb8829234ae648215e7907196bfa5 (#3075)
* chore(deps): update CPE dictionary index (#3079)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.5 to
0.5.6 (#3082)
* chore(deps): bump github/codeql-action from 3.25.14 to 3.25.15
(#3083)
* fix: traefik classifier (#3077)
* python-cataloger: fix normalization test (#3073)
* Only match ldflag version if it matches the main module or
targets main.version (#3062)
* python cataloger: allow dots in python package names (#3070)
* python-cataloger: normalize package names (#3069)
* chore(deps): bump github.com/docker/docker (#3066)
* chore(deps): bump github/codeql-action from 3.25.13 to 3.25.14
(#3072)
* fix: SPDX output performance with many relationships (#3053)
* better go mod detection from partial package builds (#3060)
* chore(deps): update tools to latest versions (#3061)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1
to 0.12.1 (#3040)
* chore: add debug logging for errors reading RPM files (#3051)
* chore(deps): update CPE dictionary index (#3035)
* chore(deps): bump github.com/docker/docker (#3055)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.4 to
0.5.5 (#3056)
* chore(deps): bump modernc.org/sqlite from 1.30.2 to 1.31.1
(#3057)
* chore(deps): bump docker/login-action from 3.2.0 to 3.3.0
(#3058)
* chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13
(#3059)
* chore(deps): update stereoscope to
487b11e5ba2622d976acda10c605da63b4fbbb0a (#3032)
* chore(deps): update tools to latest versions (#3050)
* docs: CODE_OF_CONDUCT.md (#3046)
* fix: include CPEs with Maven groupId as vendor (#3045)
* chore(deps): bump github.com/google/go-containerregistry
(#3047)
* chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to
0.7.2 (#3048)
* chore(deps): bump modernc.org/sqlite from 1.30.1 to 1.30.2
(#3039)
* docs: link to contrib/dev docs in readme (#3029)
* chore: Fix apache shield in readme (#3021)
* chore(deps): update tools to latest versions (#3031)
* chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12
(#3034)
* chore(deps): bump anchore/sbom-action from 0.16.1 to 0.17.0
(#3044)
* fix: stop panicking on "devel" version go stdlib (#3043)
* chore: pin fedora image for elf binary test (#3041)
* chore(deps): bump anchore/sbom-action from 0.16.0 to 0.16.1
(#3023)
* chore(deps): update stereoscope to
27b66b76fc6686fcf6bde656aa09e1f0e047fec1 (#3026)
-------------------------------------------------------------------
Thu Jul 11 18:41:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.9.0:
* chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (#3027)
* chore(deps): bump github.com/charmbracelet/lipgloss (#3028)
* fix: stabilize cpe sorting during collection sort (#3009)
* Map the downloadLocation field for PHP Composer packages
(#3011)
* chore(deps): update stereoscope to
e46739e217969fa67cbe8834b64bb165a10a1548 (#3013)
* chore(deps): bump golang.org/x/net from 0.26.0 to 0.27.0
(#3015)
* chore(deps): bump golang.org/x/mod from 0.18.0 to 0.19.0
(#3014)
* chore(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4
(#3017)
* chore(deps): bump github.com/google/go-containerregistry
(#3019)
* chore(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0
(#3020)
* chore(deps): update CPE dictionary index (#3016)
* Infer the package type from ELF package notes (#3008)
* chore(deps): update tools to latest versions (#3003)
* chore(deps): update CPE dictionary index (#3002)
* chore(deps): bump github.com/docker/docker (#3006)
* chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11
(#3004)
* chore(deps): bump github.com/saferwall/pe from 1.5.3 to 1.5.4
(#3005)
* feat: version 3 support for swift package manager of the
resolved files (#3001)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.4 to
0.5.5 (#2999)
* chore(deps): bump github.com/docker/docker (#2994)
* Add detection of Erlang in Alpine linux (#2996)
* chore(deps): update tools to latest versions (#2991)
* chore(deps): update stereoscope to
753b5576fe42bc007b22108ad7911d1729957a46 (#2992)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2995)
-------------------------------------------------------------------
Tue Jun 25 04:58:18 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.8.0:
* chore(deps): update CPE dictionary index (#2986)
* chore(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1
(#2988)
* fix: handle errors reading go licenses (#2985)
* docs: update cyclone-dx documentation (#2983)
* feat: update syft to generate cyclone-dx 1.6 by default (#2978)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2982)
* chore(deps): bump peter-evans/create-pull-request from 6.0.5 to
6.1.0 (#2975)
* fix: detection of arangodb 3.12 (#2979)
* chore: enable dependabot to keep bootstrap action updated
(#2976)
* chore(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to
2.3.1 (#2973)
* chore(deps): bump github.com/google/go-containerregistry
(#2971)
* chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1
(#2972)
-------------------------------------------------------------------
Sat Jun 15 16:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.7.0:
* Added Features
- index known CPEs for wordpress plugins and themes [#2963
@westonsteimel]
- Consider Author field for wordpress plugins when generating
CPEs [#2946 @wagoodman]
* Bug Fixes
- improve version extraction from ldflags for pingcap TiDB
[#2962 @westonsteimel]
- Trim whitespace from wordpress values [#2945 @wagoodman]
- Issue scanning Poetry Project with Syft 1.6 and
cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
- Poetry's multiple constraints seems to break the parser
[#2947 #2965 @spiffcs]
- Golang: Search remote licenses not working in a CI pipeline
when scanning Docker image [#2798 #2852 @kzantow]
-------------------------------------------------------------------
Mon Jun 10 19:52:37 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.6.0:
* Added Features
- Add relationships for go binary packages [#2912 @wagoodman]
- Add classifier for util-linux [#2933 @LaurentGoderre]
- Lua: Add support for more advanced syntax [#2908
@LaurentGoderre]
- add license field to ELF binary package metadata [#2890
@brian-ebarb]
- install.sh: check checksums file's signature [#2884 #2941
@wagoodman]
- Detect ELF package notes from fedora binaries [#2713 #2939
@wagoodman]
* Bug Fixes
- Use redhat as namespace for redhat rpms [#2914 @ralphbean]
- Close sqlite driver after testing sqlite availability [#2922
@ttc0419]
- syft does not find anything in archives if /tmp is a tmpfs
[#2894 #2918 @willmurphyscode]
- Scanning a git repository folder present in /tmp produce an
empty sbom [#2847 #2918 @willmurphyscode]
* Additional Changes
- update unit tests to use pinned patch version [#2932
@spiffcs]
- fix comments and spelling [#2920 @dufucun]
-------------------------------------------------------------------
Fri May 31 14:28:58 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.5.0:
* feat: detect fluent-bit binaries (#2905)
* bump dependencies
* Add python wheel egg relationships (#2903)
* feat: Add Lua cataloger (#2613)
* feat: add config command (#2892)
* feat: Added functionality to convert major, minor, patch to version for binary classifier (#2864)
* Go Mod Cataloger: Remove Replaced Packages (#2891)
* chore: Reduce length of readme, moving lengthy content to the wiki (#2882)
* fix: DecoderCollection discarding input from non-seekable Readers (#2878)
* Fix outdated spdx links (#2865)
* Use values in relationship To/From fields (#2871)
* add support for RPM DB package relationships (#2872)
* fix: capture dependencies when parsing SPDX SBOMs (#2869)
* Add abstraction for adding relationships from package cataloger results (#2853)
* chore: fix small tooling error for go.mod (#2868)
-------------------------------------------------------------------
Sun May 12 07:42:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- add completion subpackages
- fix version output
-------------------------------------------------------------------
Fri May 10 04:54:24 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.1:
* fix pruning binary packages when considering ELF packages
(#2862)
-------------------------------------------------------------------
Thu May 09 18:59:36 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.4.0:
* feat: add relationships to ELF package discovery (#2715)
* README.md: link to official wiki (#2858)
* fix Windows file paths in local go mod cache (#2654)
* chore(deps): bump github.com/docker/docker (#2859)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2860)
* chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4
(#2855)
* chore(deps): bump github.com/sassoftware/go-rpmutils from 0.3.0
to 0.4.0 (#2856)
* Add relationships for ALPM packages (arch linux) (#2851)
* Add binary classifier for ArangoDB (#2830)
* chore(deps): bump golang.org/x/net from 0.24.0 to 0.25.0
(#2849)
* chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#2850)
* chore: use ruleguard to test for missing defer statements
(#2837)
* remove homebrew update workflow (#2846)
* Restore version file update on release (#2844)
* fix: Add missing CPE for traefik, memcached, and postgres
binaries (#2845)
* Add detection for newer version of Erlang/OTP (#2829)
* fix ui race for package count (#2839)
* chore(deps): update CPE dictionary index (#2841)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to
6.5.9 (#2842)
* chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9
(#2843)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2838)
* add security policy (#2835)
* chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#2834)
* chore(deps): update stereoscope to
2e9894674185d121917b283f773c2b5830f8b360 (#2831)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2833)
* chore: fix function name in comment (#2771)
* chore: enable go-critic deferInLoop lint (#2825)
* fix: better clean up of file handles (#2823)
* chore(deps): bump github.com/docker/docker (#2827)
* fix(spdx): include required fields (#2168)
* fix: add correct vendor for dnsmasq CPE (#2659)
* fix: close temp rpmdb file (#2792)
* chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3
(#2817)
* Fill in SPDX originator for all supported package types (#2822)
* chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11
(#2821)
-------------------------------------------------------------------
Fri Apr 26 16:46:01 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.3.0:
* update spdx license list to 3.23 (#2818)
* fix: re-use embedded union reader if possible (#2814)
* feat: index known CPEs for go modules (#2816)
* chore(deps): bump peter-evans/create-pull-request from 6.0.4 to
6.0.5 (#2812)
* feat: support multiple known CPEs in index (#2813)
* chore(deps): update stereoscope to
8b297badafd5d81fa1187b26ae34dd2a7ce7e425 (#2807)
* chore(deps): bump actions/checkout from 4.1.3 to 4.1.4 (#2809)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.3 to
0.5.4 (#2810)
* Fix removing labels in 'Detect schema changes' job (#2772)
* chore(deps): bump github.com/docker/docker (#2805)
* Display which provider caused which error in output (#2757)
* fix: prefer non-deprecated CPEs and include jenkins plugins
from plugins.jenkins.io (#2806)
* feat: index known CPEs for PHP Composer packagist.org packages
(#2804)
* chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2
(#2802)
* chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3
(#2803)
* fix: improvements to known CPE index construction (#2801)
* fix: exclude known instrumentation jars from being erroneously
identified (#2796)
* feat: index known cpes for PHP extensions (#2777)
* chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 (#2799)
* fix: return empty string if dereferencing pom var fails (#2797)
* chore(deps): bump github.com/docker/docker (#2793)
* chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8
(#2794)
* chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2
(#2795)
* chore: cleanup redundant code (#2791)
* chore(deps): update tools to latest versions (#2789)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to
0.5.4 (#2790)
* chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1
(#2786)
* chore(deps): bump peter-evans/create-pull-request from 6.0.3 to
6.0.4 (#2787)
* Fix: repeatedly dereference pom variables (#2781)
* chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7
(#2783)
* chore(deps): update CPE dictionary index (#2780)
* chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0
(#2779)
* chore: fix broken cpe index generation task (#2778)
* chore(deps): bump github.com/docker/docker (#2773)
* chore(deps): bump peter-evans/create-pull-request from 6.0.2 to
6.0.3 (#2774)
-------------------------------------------------------------------
Sat Apr 13 09:32:58 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.2.0:
* fix: more robust go main version extraction (#2767)
* chore(deps): update tools to latest versions (#2768)
* fix: binary character in java version (#2766)
* chore(deps): update tools to latest versions (#2760)
* chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6
(#2761)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to
6.5.8 (#2754)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to
0.5.3 (#2755)
* chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10
(#2756)
* chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0
(#2751)
* Differentiate between JRE and JDK (#2748)
* chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0
(#2752)
-------------------------------------------------------------------
Thu Apr 04 16:55:06 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.1:
* chore(deps): update tools to latest versions (#2744)
* chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0
(#2747)
* chore: update anchore/packageurl-go to use latest commits
(#2746)
* feat: cataloger for PHP Pecl and PEAR packages (#2604)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to
5.12.0 (#2743)
* chore(deps): update tools to latest versions (#2741)
* fix: conan poco project cpe (#2740)
* chore(deps): bump github.com/distribution/reference from 0.5.0
to 0.6.0 (#2738)
* chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10
(#2737)
* fix: panic scanning binaries without symtab (#2739)
* chore: remove useless code (#2716)
* chore(deps): bump google.golang.org/protobuf from 1.31.0 to
1.33.0 (#2731)
* chore(deps): bump github/codeql-action from 3.24.8 to 3.24.9
(#2732)
* chore(deps): update tools to latest versions (#2733)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.5 to
6.5.6 (#2734)
* update release token from readonly to write token (#2735)
-------------------------------------------------------------------
Tue Mar 26 07:19:30 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.1.0:
* Adding the ability to retrieve remote licenses from
package.lock (#2708)
* don't include labels for dependabot ecosystems (#2720)
* chore(deps): bump fountainhead/action-wait-for-check from 1.1.0
to 1.2.0 (#2717)
* chore(deps): update tools to latest versions (#2726)
* chore(deps): bump github/codeql-action from 3.24.7 to 3.24.8
(#2725)
* chore(deps): bump actions/cache from 4.0.1 to 4.0.2 (#2728)
* chore(deps): bump github.com/docker/docker (#2730)
* updating credentials to scoped permissions (#2722)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.4 to
6.5.5 (#2718)
* chore(deps): bump github.com/google/go-containerregistry
(#2719)
* Add detection for Oracle GraalVM (#2705)
* chore(deps): bump docker/login-action from 3.0.0 to 3.1.0
(#2714)
* Add ELF binary package cataloger (#2396)
* chore(deps): bump modernc.org/sqlite from 1.29.3 to 1.29.5
(#2710)
* chore(deps): bump github/codeql-action from 3.24.6 to 3.24.7
(#2711)
* chore(deps): bump peter-evans/create-pull-request from 6.0.1 to
6.0.2 (#2712)
* Show binary exports, entrypoint, and imports (#2626)
* chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#2703)
* chore(deps): bump github.com/knqyf263/go-rpmdb (#2701)
* chore: reduce duplicate case SwiftPkg (#2696)
* chore: remove deprecated os.SEEK_SET os.SEEK_CUR (#2693)
* chore(deps): bump github.com/docker/docker (#2698)
* chore(deps): bump modernc.org/sqlite from 1.29.2 to 1.29.3
(#2699)
-------------------------------------------------------------------
Sat Mar 09 08:54:20 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.0.1:
* bump dependencies
* docs: add simplest example from registry (#2691)
* fix: Unable to scan OCI images with syft v0.105.1 [#2678 #2683
@spiffcs]
-------------------------------------------------------------------
Fri Mar 01 13:59:28 UTC 2024 - andrea.manzini@suse.com
- Update to version 1.0.0:
* fix: match OpenSSL letter releases (#2682)
* Mark duplicated rows in table output (#2679)
* fix: trim path from deps.json in portable way (#2674)
* chore(deps): update tools to latest versions (#2680)
* enforce breaking change bump major version (#2635)
* docs: fix incorrect flag name in readme (#2677)
* Consider filesystem types for mount points when ignoring system
paths (#2675)
* fix: stop emitting bus events on go mod events (#2673)
* chore(deps): bump peter-evans/create-pull-request from 6.0.0 to
6.0.1 (#2676)
* feat: add `--from` flag, refactor source providers (#2610)
-------------------------------------------------------------------
Tue Feb 27 12:40:20 UTC 2024 - andrea.manzini@suse.com
- Update to version 0.105.1:
* bump deps and build tools
* fix: SPDX tag value version selector (#2665)
* fix(install): return appropriate error codes (#2664)
* chore: update busybox image for acceptance tests (#2663)
* rename binary classifier cataloger name (#2643)
* add cataloger selection example (#2646)
* add syft version used to SBOM tool info by default (#2647)
-------------------------------------------------------------------
Thu Feb 15 06:10:35 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.105.0:
* Survive indexing dead symlinks (#2645)
* fix considering base path when ignoring known bad unix paths
(#2644)
* test for field conventions in json schema (#2642)
* feat: Add Wordpress cataloger (#2218)
* rename binary cataloger to be more unique (#2633)
* fix: update runner size to use larger HD for codeql (#2641)
* chore(deps): update tools to latest versions (#2616)
* chore(deps): bump github/codeql-action from 3.24.0 to 3.24.1
(#2638)
* chore(deps): bump dawidd6/action-homebrew-bump-formula (#2639)
* chore(deps): bump modernc.org/sqlite from 1.29.0 to 1.29.1
(#2640)
* fix: add BOMRef to CycloneDX OS Component (#2634)
* chore(deps): bump github.com/saferwall/pe from 1.5.0 to 1.5.2
(#2629)
* chore(deps): bump modernc.org/sqlite from 1.28.0 to 1.29.0
(#2630)
* fix getting union reader for sif images (#2631)
* chore(deps): bump golang.org/x/net from 0.20.0 to 0.21.0
(#2607)
* chore(deps): bump github.com/saferwall/pe from 1.4.8 to 1.5.0
(#2625)
* fix: ensure version output to stdout (#2621)
* Guess go main module version based on binary contents (#2608)
* chore(deps): update stereoscope to
681f6715b0e35686d6e6f40bce109176de1ee274 (#2617)
* fix readme around templating options (#2612)
* suppress executable parsing issues (#2614)
* chore: update license list, cpe dictionary (#2620)
* chore(deps): update tools to latest versions (#2606)
-------------------------------------------------------------------
Thu Feb 08 06:37:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.104.0:
* fix: incorrect conversion between integer types (#2605)
* chore(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0
(#2602)
* chore(deps): bump github.com/docker/docker (#2601)
* Fix: unmarshal key values in Java, Go, and Conan metadata
(#2603)
* fix(dotnet): prefer portable executable product version when
semantically greater than file version (#2600)
* Finalize Conan v2 support (#2587)
* chore(deps): update tools to latest versions (#2595)
* chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1
(#2597)
* chore(deps): update stereoscope to
bfa15e446f061bda7f68305d2d6240b053f17e0c (#2589)
* chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#2592)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.0 to
0.5.2 (#2591)
* chore(deps): bump github/codeql-action from 3.23.2 to 3.24.0
(#2593)
* labeler should ignore latest version (#2588)
* chore: copy latest schema to stable path for easier diff
(#2586)
* Adding metadata fields when parsing yarn.lock and poetry.lock
(#2350)
* Add Erlang OTP Application cataloger (#2403)
* Detect ELF security features (#2443)
* Add API examples (#2517)
* feat: Record where CPEs come from (#2552)
* chore(deps): update stereoscope to
37291e81936d2b43b3cef56667a741ef715fbfe4 (#2583)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.17.1
to 0.18.0 (#2584)
* swap format readseekers for readers (#2581)
* translate maps to sequences in pkg metadata (#2553)
* chore(deps): update tools to latest versions (#2576)
* chore(deps): bump anchore/sbom-action from 0.15.7 to 0.15.8
(#2578)
* chore(deps): bump marocchino/sticky-pull-request-comment
(#2579)
* chore(deps): bump github.com/docker/docker (#2580)
* chore(deps): update stereoscope to
db7a4bedaba6ad93becf22ce794f306dfb07fcb9 (#2577)
* Fix attest with --key (#2551)
* fix(java): improve identification for org.apache.kafka
artifacts (#2573)
* chore: pluralize the flag (#2564)
* chore(deps): update tools to latest versions (#2566)
* chore(deps): bump peter-evans/create-pull-request from 5.0.2 to
6.0.0 (#2567)
* chore(deps): bump anchore/sbom-action from 0.15.6 to 0.15.7
(#2568)
* re-add cosign signing checksums file (#2572)
-------------------------------------------------------------------
Wed Jan 31 17:29:57 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.103.1:
* revert cosign signing of release checksums file (#2571)
-------------------------------------------------------------------
Wed Jan 31 17:26:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.103.0:
* bump archiver and stereoscope (#2570)
* fix: Better test for group ID in filename (#2565)
* Sign checksums file and add SBOMs on release (#2548)
* chore(deps): bump anchore/sbom-action from 0.15.5 to 0.15.6
(#2560)
* chore(deps): bump github.com/google/go-containerregistry
(#2561)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to
6.5.4 (#2562)
* chore(deps): update tools to latest versions (#2554)
* chore(deps): bump github.com/sassoftware/go-rpmutils from 0.2.0
to 0.3.0 (#2556)
* chore(deps): bump 8398a7/action-slack from 3.15.1 to 3.16.2
(#2557)
* chore(deps): bump github/codeql-action from 3.23.1 to 3.23.2
(#2558)
* internalize format helpers (#2543)
* Internalize CPE generation logic (#2541)
* chore(deps): update tools to latest versions (#2550)
-------------------------------------------------------------------
Fri Jan 26 19:26:34 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.102.0:
* Implement golang Purl subpath (#2547)
* fix migration of integration test (#2546)
* Use the json schema as input for templating (#2542)
* Unexport types and functions cataloger packages (#2530)
* Internalize majority of cmd package (#2533)
* allow for RPM modularity to be optional (#2540)
* chore(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0
(#2536)
* chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0
(#2538)
* chore(deps): bump github.com/docker/docker (#2537)
* chore: stop re-exporting wfn.Attributes (#2534)
* swap format readseekers for readers (#2515)
* chore(deps): bump anchore/sbom-action from 0.15.4 to 0.15.5
(#2531)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.12
to 0.5.0 (#2532)
* plumb context through catalogers (#2528)
* Remove CLI and API deprecations (#2508)
* Turn off the SBOM cataloger by default (#2527)
* Re-introduce linux kernel cataloger (#2526)
* make AllLocations accept a context (#2518)
* chore(deps): update CPE dictionary index (#2523)
* fix: minor cataloger and docs nits (#2519)
-------------------------------------------------------------------
Sat Jan 20 17:00:30 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.101.1:
* Deduplicate digests from user configuration (#2522)
* update readme and help output to be accurate to syft api
(#2520)
* fix: remove second call to finalize as the task handles it
(#2516)
* chore(deps): update stereoscope to
eb656fc717935ad5abeb8e1379a5c4e11c957120 (#2510)
* chore(deps): bump github.com/docker/docker (#2512)
* chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0
(#2513)
* chore(deps): bump anchore/sbom-action from 0.15.3 to 0.15.4
(#2514)
* chore(deps): bump github/codeql-action from 3.23.0 to 3.23.1
(#2506)
* chore(deps): bump github.com/google/go-containerregistry
(#2507)
* chore: enable automatic approval of dependabot PRs (#2505)
-------------------------------------------------------------------
Thu Jan 18 08:10:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 0.101.0:
* include binary cataloger configuration defaults (#2504)
* feat: classifier for wordpress cli binary (#2473)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to
6.5.3 (#2502)
* chore(deps): bump actions/cache from 3.3.3 to 4.0.0 (#2503)
* chore(deps): update tools to latest versions (#2500)
* chore(deps): bump github.com/cloudflare/circl from 1.3.3 to
1.3.7 (#2501)
* Add cataloger list command (#2366)
* condense binary cataloger config in JSON output (#2499)
* chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0
(#2495)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to
6.5.3 (#2494)
* chore(deps): update CPE dictionary index (#2491)
* Replace core SBOM-creation API with builder pattern (#1383)
* chore(deps): update tools to latest versions (#2488)
* chore(deps): bump actions/cache from 3.3.2 to 3.3.3 (#2489)
* chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3
(#2481)
* chore(deps): bump github.com/charmbracelet/bubbles from 0.16.1
to 0.17.1 (#2475)
* feat: binary classifiers for Percona Software For MySQL (#2478)
* feat: binary classifier for pypy (#2474)
* chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to
6.5.2 (#2476)
* fix: support traefik binary from the official Docker image
(#2484)
* feat: binary classifier for GCC (#2479)
* chore(deps): update tools to latest versions (#2480)
* chore(deps): bump golang.org/x/net from 0.19.0 to 0.20.0
(#2482)
* chore(deps): bump github/codeql-action from 3.22.12 to 3.23.0
(#2477)
* Upgrade binary test fixtures management (#2444)
-------------------------------------------------------------------
Sat Jan 06 15:26:12 UTC 2024 - andrea.manzini@suse.com
- Update to version 0.100.0:
* Add ability to extend the binaries cataloguers (#2469)
* chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2
(#2464)
* fix: add missing purl for busybox (#2457)
* Fix diff error obfuscating binary test failures message (#2468)
* Replace `packages` command with `scan` (#2446)
* fix: PURLs with "nuget" type are dotnet packages (#2466)
* chore(deps): update tools to latest versions (#2459)
* chore(deps): update CPE dictionary index (#2458)
* chore: update binary to -x (#2456)
* Add more functionality to the Erlang parser (#2390)
* Added OpenSSL binary matcher (#2416)
* chore(deps): update stereoscope to
590920dabc5479216e755983d41367b6be3544f3 (#2452)
* chore(deps): update tools to latest versions (#2451)
* chore(deps): bump github/codeql-action from 3.22.11 to 3.22.12
(#2455)
-------------------------------------------------------------------
Thu Dec 21 16:26:53 UTC 2023 - opensuse_buildservice@ojkastl.de
- Update to version 0.99.0:
* chore: remove execute from test fixtures (#2450)
* chore(deps): update tools to latest versions (#2447)
* fix: don't panic when hackage missing in haskell stack yaml
lock (#2448)
* Add binary classifier for the Erlang interpreter (#2417)
* Add binary classifier for Julia lang (#2427)
* Add binary detection for PHP composer (#2432)
* chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0
(#2433)
* chore(deps): update CPE dictionary index (#2442)
* chore(deps): update stereoscope to
4b999b76ca8901d15bb97aef445dc94c38d11d5c (#2440)
* fix syft-json test to use pretty json for snapshot testing
(#2441)
* refactor pkg.Collection (#2439)
* refactor javascript cataloger to use configuration options when
creating packages (#2438)
* use single source of truth for archive options (#2437)
* fix file digest cataloger when passed coordinates (#2436)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2
to 0.8.0 (#2413)
* Look for a maven version in a pom from a parent dependency
management section (#2423)
* Parse Python licenses from LicenseExpression entry in the Wheel
Metadata (#2431)
* chore(deps): bump github/codeql-action from 2.22.10 to 3.22.11
(#2430)
* chore(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0
(#2429)
* chore(deps): update tools to latest versions (#2428)
* Parse Python licenses from LicenseFile entry in the Wheel
Metadata (#2331)
* fix: use filepath instead of path for file source exclusions
(#2411)
* chore(deps): bump github.com/charmbracelet/bubbletea (#2424)
* chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0
(#2425)
* chore(deps): bump github/codeql-action from 2.22.9 to 2.22.10
(#2426)
* chore(deps): bump dawidd6/action-homebrew-bump-formula (#2420)
* feat: add the option to retrieve remote licenses for projects
defined in a maven pom (#2409)
* chore(deps): bump github/codeql-action from 2.22.8 to 2.22.9
(#2400)
* chore(deps): bump github.com/saferwall/pe from 1.4.7 to 1.4.8
(#2415)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to
5.11.0 (#2414)
* chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#2401)
* chore(deps): update tools to latest versions (#2408)
* chore(deps): update CPE dictionary index (#2412)
* fix(java): improve identification for org.codehaus.groovy
artifacts (#2404)
* fix(java): improve identification for commons-jelly artifacts
(#2399)
* fix(java): improve identification for io.minio artifacts
(#2398)
* fix(java): improve identification for com.graphql-java
artifacts (#2397)
* chore(deps): update tools to latest versions (#2395)
* chore: enhance java purl generation integration test (#2393)
* feat: add ability to retrieve remote licenses for yarn.lock
(#2338)
* chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1
(#2392)
* Retrieve remote licenses using pom.properties when there is no
pom.xml (#2315)
* fix(java): improve identification for org.apache.tapestry
artifacts (#2384)
* fix(java): improve identification for io.ratpack artifacts
(#2379)
* fix(java): improve identification for org.apache.cassandra
artifacts (#2386)
* fix(java): improve identification for org.neo4j.procedure
artifacts (#2388)
* fix: bump fangs for ptr summarize fix (#2387)
* fix(java): improve identification for org.elasticsearch
artifacts (#2383)
* fix(java): improve identification for org.apache.geode
artifacts (#2382)
* fix(java): improve identification for org.apache.tomcat.embed
artifacts (#2381)
* fix(java): improve identification for io.projectreactor.netty
artifacts (#2378)
* fix(java): improve identification for org.eclipse.platform
artifacts (#2349)
* Generalize UI events for cataloging tasks (#2369)
* chore(deps): update tools to latest versions (#2376)
* chore(deps): bump github.com/google/go-containerregistry
(#2377)
* chore: fix tests failing due to Mac Rosetta cache (#2374)
* fix: improve dotnet portable executable identification (#2133)
-------------------------------------------------------------------
Thu Nov 30 08:14:13 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.98.0:
* fix file metadata cataloger to use resolved locations (#2370)
* fix: logging level for parsing potential PE files (#2367)
* only remove breaking-change label when there are schema changes (#2371)
* fix: capture root command stdout (#2364)
* fix: hardcode xalan group ID (#2368)
* Normalize cataloger configuration patterns (#2365)
* normalize enums to lowercase with hyphens (#2363)
* bump deps version
* fix: index file itself when file scan path has symlink (#2359)
* use read lock in pkg collection (#2341)
* Fix the `attest` command (#2337)
* fix: add manual namespace mapping for org.springframework jars (#2345)
* Add binary classifiers for MySQL and MariaDB (#2316)
* Enhance redis binary classifier (#2329)
* fix: add manual namespace mapping for org.springframework.security jars (#2343)
* fix: add manual namespace mapping for org.bouncycastle jars (#2342)
* Update developer docs to represent the current package layout (#2340)
* Remove the power-user command and related catalogers (#2306)
* Add "pretty" json configuration and change default behavior to be space-efficient (#2275)
-------------------------------------------------------------------
Sat Nov 18 08:51:36 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.1:
* chore(deps): update stereoscope to
3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336)
* feat: allow for stdout to be buffered on each command (#2335)
-------------------------------------------------------------------
Fri Nov 17 05:46:54 UTC 2023 - kastl@b1-systems.de
- Update to version 0.97.0:
* fix: prevent writing non-report output to stdout (#2324)
* chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7
(#2332)
* export metadata type helper (#2328)
* fix(java): add manual groupid mappings for org.apache.velocity
jars (#2327)
* fix(java): skip maven bundle plugin logic if vendor id and
symbolic name match (#2326)
* Refine license searching from groupIDFromJavaMetadata to allow
for having the artifactId in the groupId (#2313)
* chore(deps): update tools to latest versions (#2325)
* chore(deps): update tools to latest versions (#2318)
* Add license for golang stdlib (#2317)
* chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6
(#2321)
* docs: Update README.md for dotnet-portable-executable (#2322)
* Fall back to searching maven central using
groupIDFromJavaMetadata (#2295)
* rename file.Location.VirtualPath to AccessPath (#2288)
* chore(deps): update tools to latest versions (#2308)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11
to 0.4.12 (#2310)
* chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0
(#2311)
-------------------------------------------------------------------
Thu Nov 09 14:48:04 UTC 2023 - kastl@b1-systems.de
- Update to version 0.96.0:
* include image labels in cycloneDX SBOM (#2294)
* Add accessPath on Location objects to syft-json output (#2287)
* SPDX file has duplicate sha256 tag in versionInfo (#2300)
* Check maven central as well for licenses in parents poms for
nested jars (#2302)
* chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0
(#2293)
* chore(deps): update tools to latest versions (#2301)
* fix: identify cyclone-json without $schema (#2303)
-------------------------------------------------------------------
Tue Nov 07 20:40:41 UTC 2023 - kastl@b1-systems.de
- Update to version 0.95.0:
* chore: setup release task before calling go releaser (#2297)
* chore(deps): update tools to latest versions (#2296)
* chore(deps): update tools to latest versions (#2289)
* chore(deps): update CPE dictionary index (#2290)
* chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0
(#2292)
* Wire though maven-url to java config (#2291)
* Use case-insensitive matching for Go license files (#2286)
* Add a new Java configuration option to recursively search
parent poms… (#2274)
* chore(deps): update tools to latest versions (#2280)
* Follow convention for naming catalogers (#2277)
* change dir resolver to include virtual path (#2259)
* fix: syft does not handle the case of parsing a jar with
multiple poms (#2231)
* add PURLs when scanning Gradle lock files (#2278)
* chore(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0
(#2279)
* test: remove dll files and updates tests to use
versionResources (#2276)
* fix: update dot net binary parsing logic to remove empty space
(#2273)
* Read a license from a parent pom stored in Maven Central
(#2228)
* Update README.md to use canonical output format names (fixes
#2269) (#2272)
* Remove MetadataType from core package object and normalize JSON
metadataType values (#1983)
* chore(deps): bump github.com/docker/docker (#2263)
* chore(deps): update stereoscope to
5909e353ee88d7809f0e646c79f110a0e6b1d80d (#2265)
* chore(deps): update CPE dictionary index (#2271)
* chore: fix cpe generation task (#2270)
* chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0
(#2262)
* chore(deps): bump github/codeql-action from 2.22.4 to 2.22.5
(#2261)
* chore(deps): update tools to latest versions (#2258)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to
5.10.0 (#2256)
* feat: Perform case insensitive matching on Java license files
(#2235)
* Split the sbom.Format interface by encode and decode use cases
(#2186)
* Upgrade tool management (#2188)
* fix: 2179 jar chokes empty lines (#2254)
* chore(deps): update CPE dictionary index (#2253)
* fix CPE workflow (#2252)
* feat: add conaninfo.txt parser to detect conan packages in
docker images (#2234)
* chore(deps): update bootstrap tools to latest versions (#2245)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.0
to 4.6.1 (#2248)
* chore(deps): bump github/codeql-action from 2.22.3 to 2.22.4
(#2249)
* fill version info from release and git directly (#2244)
* Add ruby.NewGemSpecCataloger to DirectoryCatalogers. (#1971)
* change homebrew release trigger (#2242)
-------------------------------------------------------------------
Fri Nov 3 09:12:53 UTC 2023 - Johannes Kastl <kastl@b1-systems.de>
- BuildRequire go1.21
-------------------------------------------------------------------
Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de
- Update to version 0.94.0:
* Label PRs when the json schema changes (#2240)
* Add download location when cataloging directory npm package
lock (#2238)
* fix: allow packages to be captured from DIST/EGG case (#2239)
* Account for maven bundle plugin and fix filename matching
(#2220)
* chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236)
* Remove internal string set (#2219)
* bump clio to get stderr reporting fix (#2232)
* Fix panic for empty input to Swift cataloger (#2226)
* Add additional license filenames (#2227)
* chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3
(#2229)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0
to 0.9.1 (#2222)
* chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2
(#2224)
* Detect a license file in the root directory or META-INF of a
jar (#2213)
* Parse dotnet dependency trees (#2143)
* chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0
(#2214)
* chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0
(#2215)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0
to 0.9.0 (#2216)
* chore: add automated homebrew action (#2164)
* Add relationships for dpkg packages (#2212)
-------------------------------------------------------------------
Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de
- Update to version 0.93.0:
* Parse the Maven license from the pom.xml if not contained in
the mani… (#2115)
* Refine the docs for building a cataloger (#2175)
* Fix algo lookup by converting key to lower case (#2207)
* chore(deps): bump github/codeql-action from 2.22.0 to 2.22.1
(#2208)
* feat: add package for go compiler given binary detection
(#2195)
* chore(deps): bump github.com/docker/distribution from
2.8.2+incompatible to 2.8.3+incompatible (#2193)
* chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0
(#2202)
* chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0
(#2204)
* chore: update license list to 3.22 (#2201)
* Add exact syntax of the conversion formats (#2196)
* chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7
(#2198)
* chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0
(#2199)
* chore: removes unnecessary conditional (#2194)
* chore: improve --output help text and deprecate --file (#2187)
* chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0
(#2189)
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10
to 0.4.11 (#2191)
* chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9
(#2182)
* chore(deps): update bootstrap tools to latest versions (#2178)
* chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6
(#2180)
-------------------------------------------------------------------
Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com
- Update to version 0.92.0:
* bump deps to latest version
* fix: deterministic java purls (#2170)
- Update to version 0.91.0:
* fix: prevent errors from clobbering terminal (#2161)
* Require ordering of relationships when comparing parser output (#2160)
* Add containerd support (#1793)
* feat: add dependency information to conan lockfile parser (#2131)
* fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083)
* feat: add cyclonedx schema version selection (#2123)
* fix: allow cyclonedx json input with no components (#2127)
* fix source-version typo in flag description (#2126)
- Update to version 0.90.0:
* fix(help): power-user help text to indicate it supports file-system (#2113)
* fix: update codeql-analysis for go 1.21 (#2108)
* feat(cmd/update): add UA header with current ver when check for update (#2100)
* fix(cdx): validate external refs before encoding (#2091)
* fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075)
-------------------------------------------------------------------
Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.89.0:
* tidy gomod and gitignore (#2082)
* fix quiet flag (#2081)
* fix: in some cases, try to use pom info to guess name and
version to top level jar (#2080)
* fix: don't panic on universal go binaries (#2078)
* chore: update CLI to CLIO (#2001)
* Add registry certificate verification support (#1734)
* fix: CPE generation for django (#2068)
-------------------------------------------------------------------
Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de
- Update to version 0.88.0:
* chore: update quill to the latest version (#2065)
* fix: duplicate entries in cyclonedx dependency list (#2063)
* Fix panic in pom parsing (#2064)
* Fix: don't validate pom declared group (#2054)
* chore: trace log pom property reflect usage (#2059)
* fix: do not double-prefix symlink paths that already contain
volume names (#2051)
* feat: add bash classifier (#2055)
* Detect golang boring crypto and fipsonly modules (#2021)
* fix: properly parse conan ref and include user and channel
(#2034)
* chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1
to 0.8.0 (#2053)
* Enable reading non-utf-8 encodings for java pom.xml files
(#2047)
* feat: 1944 - update purl generation to use a consistent groupID
(#2033)
* chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1
(#2049)
* chore(deps): update bootstrap tools to latest versions (#2048)
* chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0
(#2045)
* chore(deps): update CPE dictionary index (#2043)
* fill out new version notice (#2042)
-------------------------------------------------------------------
Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.1:
* feat: use java package names to determine known groupids
(#2032)
* fix: inconsistent removal of binaries by overlap (#2036)
* fix: CycloneDX relationships not output or decoded properly
(#1974)
* chore: restore cataloger.DefaultConfig (#2028)
-------------------------------------------------------------------
Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.87.0:
* fix: read direct package files when decoding SPDX tag-value
(#2014)
* chore(deps): update bootstrap tools to latest versions (#2022)
* chore(deps): update CPE dictionary index (#2025)
* chore(deps): update bootstrap tools to latest versions (#2012)
* chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
(#2008)
* 1948-filter-pkg-by-type (#2011)
* chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0
(#2009)
* fix: SPDX license values and download location (#2007)
* 931: binary cataloger exclusion defaults for ownership by
overlap (#1948)
* chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0
(#2004)
* chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0
(#1998)
* test: add coverage for new rpmdb paths (#1999)
* chore: improve spdx purl decoding (#1996)
* fix: gradle lockfile parser groupId handling (#1995)
* fix: update glob to use newer usr/lib/sysimage path (#1997)
* fix: opkg search glob (#1994)
* feat: nginx binary classifier (#1988)
* Expand deb cataloger to include opkg (#1985)
* chore(deps): update bootstrap tools to latest versions (#1991)
* chore(deps): bump github.com/google/go-containerregistry
(#1993)
* chore: update bubbly to fix hanging (#1990)
* chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0
(#1989)
* feat: use originator logic to fill supplier (#1980)
* add metadata types to all cpe test fixtures (#1982)
-------------------------------------------------------------------
Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.1:
* fix: default image source name to user input (#1979)
-------------------------------------------------------------------
Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de
- Update to version 0.86.0:
* chore(deps): update stereoscope to
d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975)
* chore: update to latest commit in tools-golang (#1969)
* Guess unpinned versions in python requirements.txt (#1966)
* chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2
(#1965)
* Fix panic condition on docker pull failure (#1968)
* bump JSON schema to account for simplified python env markers
(#1967)
* feat: support top-level SPDX package and graph (#1934)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to
5.8.1 (#1959)
* Add cataloger for Swift Package Manager. (#1919)
* chore(deps): update stereoscope to
d515761c6ca2743a67d7d08053db69235ae76d1d (#1953)
* chore(deps): bump github.com/docker/docker (#1955)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to
5.8.0 (#1951)
* Introduce indexed embedded CPE dictionary (#1897)
* chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4
(#1949)
* Add support for parsing .NET assemblies (#1943)
* docs: capture artifactory dev settings from 1895 (#1947)
* remove build binary and add explicit git ignore
* docs: update docs with new docker specific instructions (#1941)
* remove jotframe UI (#1932)
* fix: remove indirect dependency of circl v1.1.0 (#1940)
* chore: move wait before iteration to guarantee read before tea
(#1931)
-------------------------------------------------------------------
Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de
- Update to version 0.85.0:
* implement ui handle waiter (#1930)
* fix: background reader apart from global handler for testing
(#1929)
* chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0
(#1928)
* fix: allow valid cyclonedx input with no components (#1873)
* fix: "or-later" suffix updated to consider deprecated "+"
operator (#1907)
* feat: CLI flag for directory base (#1867)
* Fix CPE gen for k8s python client (#1921)
* chore: update iterations to protect against race (#1927)
* chore(deps): update bootstrap tools to latest versions (#1922)
* fix: Don't use the actual redis or grpc CPEs for gems (#1926)
* fix(install): return with right error code (#1915)
* Remove erroneous Java CPEs from generation (#1918)
* chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0
(#1916)
* Switch UI to bubbletea (#1888)
* fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate
the link (#1884)
* add file source digest support (#1914)
* chore(deps): update bootstrap tools to latest versions (#1908)
* chore(deps): bump golang.org/x/mod from 0.11.0 to 0.12.0
(#1912)
* chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0
(#1913)
* doc(readme): add installation section with scoop (#1909)
* Refactor source API (#1846)
* chore(deps): update bootstrap tools to latest versions (#1905)
-------------------------------------------------------------------
Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.1:
* chore(deps): update stereoscope to
cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903)
* chore(deps): update bootstrap tools to latest versions (#1902)
* fix: discover deb file relationships in distroless images
(#1901)
* add oss community board auto-add workflow (#1898)
* chore(deps): update stereoscope to
8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890)
* chore(deps): update bootstrap tools to latest versions (#1894)
* fix: add support for Dart SDK package dependencies (#1891)
* Simplify the SBOM writer interface (#1892)
* fix: improve version detection in Java archive name parsing
(#1889)
* fix: only output valid cyclonedx license choices (#1879)
* docs: clarify reasoning of default catalogers for images or
directories (#1887)
-------------------------------------------------------------------
Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de
- Update to version 0.84.0:
* Configure chronicle to pre-1.0 mode (#1886)
* chore: update SPDX license list to 3.21 (#1885)
* chore(deps): update bootstrap tools to latest versions (#1880)
* Pad artifact IDs (#1882)
* chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0
(#1878)
-------------------------------------------------------------------
Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.1:
* chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1
(#1874)
* chore(deps): update stereoscope to
5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
* chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0
(#1876)
* fix: pom properties not setting artifact id (#1870)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to
0.5.2 (#1868)
-------------------------------------------------------------------
Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.83.0:
* fix: handle invalid symlinks (#1861)
* chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to
0.5.1 (#1850)
* chore(deps): update bootstrap tools to latest versions (#1857)
* Pr 1825 (#1865)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to
1.9.3 (#1862)
* chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0
(#1863)
* feat: source-version flag (#1859)
* chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0
(#1851)
* accept main.version ldflags even without vcs (#1855)
* feat: add scope to pom properties (#1779)
* chore(deps): bump github.com/stretchr/testify from 1.8.3 to
1.8.4 (#1852)
* chore(deps): bump github.com/docker/docker (#1849)
* Add test to ensure package metadata is represented in the JSON
schema (#1841)
* Fix directory resolver to consider CWD and root path input
correctly (#1840)
* Migrate location-related structs to the file package (#1751)
* chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to
5.7.0 (#1843)
-------------------------------------------------------------------
Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.82.0:
* fix: add panic recovery for license parse (#1839)
* chore: return both failures when failed to retrieve an image
with a scheme (#1801)
* Extract go module versions from ldflags for binaries built by
go (#1832)
* fix: duplicate packages, support pnpm lockfile v6 (#1778)
* chore(deps): update stereoscope to
e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
* chore(deps): bump github.com/stretchr/testify from 1.8.2 to
1.8.3 (#1829)
* chore(deps): bump github.com/docker/docker (#1833)
-------------------------------------------------------------------
Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.81.0:
* Keep original FileInfo persisted on file.Metadata structs
(#1794)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to
1.9.2 (#1827)
* chore(deps): bump github.com/google/go-containerregistry
(#1823)
* chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to
1.9.1 (#1822)
* chore(deps): bump github.com/docker/docker (#1824)
* fix: update field plurality of 8.0.0 schema before release
(#1820)
* fix: update cataloger to check for expressions before split
(#1819)
* feat: update syft license concept to complex struct (#1743)
* fix: cyclonedx depends-on relationship inverted (#1816)
* fix: retain sbom cataloger relationships (#1509)
* feat: warn if parsing newer SBOM (#1810)
* feat: Add R cataloger (#1790)
* update cosign to v2 release (different go module) (#1805)
* fix: Reduce log spam on unknown relationship type (#1797)
* chore(deps): update bootstrap tools to latest versions (#1807)
* chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
* chore(deps): bump github.com/docker/docker (#1795)
* chore(deps): bump github.com/google/go-containerregistry
(#1796)
* chore(deps): update bootstrap tools to latest versions (#1792)
* Print package list when extra packages found (#1791)
* chore(deps): update bootstrap tools to latest versions (#1786)
* chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)
-------------------------------------------------------------------
Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de
- Update to version 0.80.0:
* Update the CPE generation for spring-security-core (#1789)
* chore: do not HTML escape PackageURLs (#1782)
* chore: do not include kernel module cataloger by default
(#1784)
* chore(docs): Update lists of catalogers (#1780)
* chore: add more detail on SPDX file IDs (#1769)
* Search /usr/share for rpmdb to fix scan on ostree-managed
images (#1756)
* chore(deps): bump github.com/docker/docker (#1767)
* rename sbom.PackageCatalog to sbom.Packages (#1773)
* chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1
(#1768)
* Create python requirements metadata (#1759)
* chore: update test redactor ordering (#1765)
* rename pkg.Catalog to pkg.Collection (#1764)
* chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0
(#1758)
* chore: go-rpmdb update (#1757)
* chore(deps): bump github.com/CycloneDX/cyclonedx-go from
0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
* fix: Improve pnpm support (#1752)
-------------------------------------------------------------------
Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.79.0:
* feat: Add template func `hasField` (#1754)
* fix: only cache java packages and not source content (#1750)
* Add sections of interest for Gemfile.lock cataloger (#1749)
* fix: update cache.fingerprint file to java-builds dir (#1748)
* Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
* chore: bump stereoscope to latest version (#1741)
* chore(deps): update bootstrap tools to latest versions (#1744)
* chore(deps): bump github.com/docker/docker (#1746)
-------------------------------------------------------------------
Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de
- Update to version 0.78.0:
* Create consul binary classifier (#1738)
* chore(deps): update bootstrap tools to latest versions (#1740)
* Fix kernel cataloger test fixtures (#1742)
* feat: Support scanning license files in golang packages over
the network (#1630)
* Add package-to-file location evidence relationships (#1698)
* Add Linux Kernel cataloger (#1694)
* Add annotations for evidence on package locations (#1723)
* add format make target (#1733)
* Update tests to not fail on Mac M1's. (#1730)
-------------------------------------------------------------------
Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.77.0:
* chore(deps): update bootstrap tools to latest versions (#1728)
* Add support for nar files. (#1727)
* add highlevel details about catalogers (#1726)
* chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
* chore(deps): update stereoscope to
e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
* feat: gradle lockfile support (#1719)
* chore(deps): bump github.com/docker/docker (#1715)
* chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
* chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
* chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0
(#1716)
* chore(deps): bump peter-evans/create-pull-request from 4 to 5
(#1712)
-------------------------------------------------------------------
Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.1:
* chore: update tools-golang to v0.5.0 (#1717)
* Add Nix cataloger (#1696)
* refactor spdx tooling test to reduce intermittent failures
(#1707)
* Capture file ownership relationships from portage ecosystem
(#1702)
* chore: update deprecated set-output calls (#1705)
-------------------------------------------------------------------
Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de
- Update to version 0.76.0:
* feat: Add config option to allow user to select the default
image source location
* chore(deps): bump github.com/docker/docker (#1699)
* chore(deps): update bootstrap tools to latest versions (#1697)
* chore(deps): update stereoscope to
d7551b7f46f53179922d6229709d3d1602881080 (#1693)
* 1577 spdxlicense generate (#1691)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to
0.5.3 (#1692)
* feat: scan local go mod cache for licenses of golang packages
(#1645)
* chore: fix flaky license sorting (#1690)
* chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3
(#1689)
* fix: shell completion by adding missing usage message required
by spf13/cobra (#1688)
* chore(deps): update bootstrap tools to latest versions (#1686)
* chore: tweak some workflow text (#1685)
* Remove more side effects from application config testing
(#1684)
* Deprecate config.yaml as valid config source; Add unit
regression for correct config paths (#1640)
* chore: Update syft bootstrap tools to latest versions. (#1682)
* Update documentation: (#1680)
* chore: Update Stereoscope to
7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
* fix: reduce logging for bad dpkg lines (#1675)
* fix ruby classifier (#1678)
* feat: add shared dir for easier cleanup (#1676)
* chore(deps): bump github.com/google/go-containerregistry
(#1672)
* chore(deps): bump actions/setup-go from 3 to 4 (#1671)
* fix: move defer after error to protect panic case (#1670)
* feat: add argocd, helm, kustomize and kubectl binary
classifiers (#1663)
* defer closing file (#1668)
* fix: remove author contributing to javascript CPEs (#1669)
-------------------------------------------------------------------
Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de
- Update to version 0.75.0:
* fix: more python matching support (#1667)
* Update syft bootstrap tools to latest versions. (#1666)
* feat: add ruby classifier (#1665)
-------------------------------------------------------------------
Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.1:
* Update syft bootstrap tools to latest versions. (#1658)
* fix: improved Python binary detection (#1648)
* fix: suppress some known incorrect vendor candidates for npm
CPEs (#1659)
* fix: sanitize SPDX LicenseRefs (#1657)
* chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
* chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
* chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5
(#1654)
* chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
* fix: dotnet PURL types are invalid (#1649)
* feat: disable cpe vendor wildcards to reduce false positives
(#1647)
* read relative etc/apk/repositories for alpine version when no
OS provided (#1615)
-------------------------------------------------------------------
Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de
- Update to version 0.74.0:
* fix: possible race condition (#1639)
* fix: remove APK OriginPackage cpe candidates (#1637)
* fix: rebar lock file decoding panic (#1628)
* fix: handle individual cataloger panics (#1636)
* fix: apk product/vendor generation for old metadata (#1635)
* feat: rust toolchain binary cataloger (#1601)
* feat: retain go package info when no module declared (#1632)
* fix: improved CPE-generation for several more APK packages
(#1631)
* chore: update deprecated release flag (#1629)
* chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
* feat: add support for SUPPORT_END in /etc/os-release (#1612)
* fix: further improvements to CPE generation for apk packages
(#1623)
* chore(deps): bump github.com/stretchr/testify from 1.8.1 to
1.8.2 (#1625)
* chore(deps): bump actions/checkout from 2 to 3 (#1626)
* feat: set cosign attest predicate type based on Syft output
type (#1598)
* chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4
(#1609)
* fix: correct apk purls for other distros (#1620)
* refactor: move apk upstream logic to apk metadata (#1619)
* fix: decoding null apk metadata pullDependencies (#1614)
* feat: haproxy binary matcher (#1591)
* fix: determine upstream for apk version streams (#1610)
* fix: improve CPE generation for curl APK (#1608)
* Revert "add workaround for macos github actions cache issue
(#1584)" (#1605)
-------------------------------------------------------------------
Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.73.0:
* Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
* chore: fix cataloger_test (#1603)
* fix: merging of binary packages (#1583)
* fix: issue when matching format versions (#1585)
* chore: update syft bootstrap tools to latest versions. (#1593)
* feat: add perl binary classifier (#1592)
* Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
* Update SPDX license list to 3.20 (#1600)
* chore: update SPDX license list (#1599)
* fix cataloger selection to be more specific (#1582)
* add workaround for macos github actions cache issue (#1584)
-------------------------------------------------------------------
Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de
- Update to version 0.72.0:
* Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
* chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
* chore: update bug issue template (#1571)
* allow convert to take stdin (#1570)
* fix: improve CPE and upstream generation logic for Alpine packages (#1567)
* fix: missing APK node vulnerabilities (#1565)
* fix: python CPE generation for alpine (#1564)
* chore(deps): bump github.com/docker/docker (#1563)
-------------------------------------------------------------------
Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.71.0:
* switch from trigger-release target to release target (#1560)
* Speed up cataloging by replacing globs searching with index lookups (#1510)
* Update syft bootstrap tools to latest versions. (#1549)
* Fix installed versions (#1556)
* chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
* feat: add postgresql classifier (#1536)
* Add release trigger (#1501)
* chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
* chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
* fix: add support for licenses not found on list (#1540)
* Update syft bootstrap tools to latest versions. (#1541)
* feat: Allow specific versions of formats to be specified (#1543)
* Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
* source: when base is set, responsePath should be absolute (#1542)
-------------------------------------------------------------------
Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de
- Update to version 0.70.0:
* fix: update config struct to not decode password/key (#1538)
* Update syft bootstrap tools to latest versions. (#1537)
* feat: add traefik classifier (#1504)
* fix: don't hardcode Cosign attest type (#1533)
* chore(deps): bump github.com/docker/docker (#1531)
* Update syft bootstrap tools to latest versions. (#1530)
-------------------------------------------------------------------
Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.1:
* chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
* feat: update golang to 1.19 (#1526)
* Update syft bootstrap tools to latest versions. (#1525)
-------------------------------------------------------------------
Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de
- Update to version 0.69.0:
* Allow scanning unpacked container filesystems (#1485)
* fix: allow template for syft convert (#1521)
* 1465 attestation with private key (#1502)
-------------------------------------------------------------------
Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.1:
* fix: add relevant CPEs to python and busybox classifiers (#1517)
* Update syft bootstrap tools to latest versions. (#1515)
* chore: correct bootstrap tool script (#1514)
* chore(deps): bump github.com/google/go-containerregistry (#1513)
* Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
* chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
* chore(deps): bump github.com/docker/docker (#1506)
* chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
* chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
* Bump github.com/spdx/tools-golang to v0.4.0 (#1450)
-------------------------------------------------------------------
Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de
- Update to version 0.68.0:
* Fix panic in apkdb parsing on empty "provides" values (#1494)
* push detailed log statements to trace-level (#1500)
* npm: package-lock license decoding to accept string or array (#1482)
* always set the package ID for java packages (#1493)
* fix: skip filling in empty fields in APK metadata (#1484)
* chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
* chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
* chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
* chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
* chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
* Relax error conditions for catalogers (#1492)
* feat: add memcached classifier (#1486)
* chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
* chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
* chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
* chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
* chore(deps): bump github.com/google/go-containerregistry (#1487)
* chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
* chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
* chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
* chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
* chore(deps): bump github/codeql-action from 1 to 2 (#1473)
* chore(deps): bump actions/setup-go from 2 to 3 (#1472)
* Add dependabot (#1451)
- skip non-existent release 0.67.x
-------------------------------------------------------------------
Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.2:
* chore: use checkout v3 with new depth (#1471)
* chore: use checkout v2 for tag depth (#1470)
* fix: nil panic in graalvm cataloger (#1468)
* add linter for type assertion checks (#1469)
* fix: bump golang.org/x/net to v0.4.0 (#1467)
* fix: bump golang.org/x/text to v0.3.8 (#1466)
* bootstrap within composite action (#1461)
* chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
* README: update Nix installation instructions (#1455)
-------------------------------------------------------------------
Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.1:
* fix: update graalvm cataloger to fix panic (#1454)
* chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)
-------------------------------------------------------------------
Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de
- Update to version 0.66.0:
* feat: Add the origin field to the output format of syftjson (#1327)
* chore: update schema (#1449)
* feat: prefer known CPE vendors over other candidates (#1294)
* fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
* feat: add BeamVM Hex support (#1073)
* feat: add apache httpd binary classifier (#1448)
* chore: claim artifacthub package ownership from developer-guy (#881)
* Parallel package catalog processing (#1355)
* feat: Add php binary catalogers (#1444)
* Update syft bootstrap tools to latest versions. (#1443)
* fix: duplicate file in tar archive causes read to fail (#1445)
* Add support for GraalVM Native Image executables. (#1276)
* Add redis binary classifier (#1438)
* docs: add cataloger construction summary (#1434)
* chore: update bootstrap tools to latest versions. (#1428)
* Add alpine type to purl (#1431)
-------------------------------------------------------------------
Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de
- Update to version 0.65.0:
* adding purl types for binary classifiers (#1435)
* chore: refactor basic CPE functionality to its own package (#1436)
* fix: typo in os.Getwd error message (#1433)
* fix: additional excessive go binary warnings (#1432)
* docs: migrate to homebrew-core (#1427)
-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de
- Update to version 0.64.0:
* fix: unicode output in cyclonedx-json format (#1420)
* fix: excessive go binary warnings (#1424)
* feat: update spdx format model to produce valid spdx json documents (#1418)
* clean package names in python parsers (#1417)
* docs: update schema name to 2.3 (#1416)
* feat: add h1digest when scanning go.mod (#1405)
* feat: Add license parsing for java (#1385)
* fix: cyclonedx component type for binaries (#1406)
* fix: openjdk detection pattern (#1415)
* bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
* Add NetBSD support. (#1412)
-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.63.0:
* feat: add catalog delete (#1377)
* docs: remove file classifier (#1397)
* chore: update latest cyclonedx library (#1390)
* feat: Add Java binary catalogers (#1392)
* chore: Update SPDX license list to 3.19 (#1389)
* fix: add manual vendor/product removal to fix false flags (#1070)
* Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
* chore: fix test busybox image sha (#1393)
* fix: go version not properly identified in binary (#1384)
-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.3:
* Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
* fix: Update node binary package name (#1375)
* feat: Generic Binary Cataloger (#1336)
* recover from bad parsing of golang binary (#1371)
* Fix parsing of apk databases with large entries (#1365)
* Update syft bootstrap tools to latest versions. (#1369)
-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.2:
* fix: guard for locations < 1 in alpmdb parse (#1366)
* fix: remove cabal.project.freeze panic on last pkg (#1363)
* fix: requirements.txt - return unicode only letter/num for version (#1361)
* Update syft bootstrap tools to latest versions. (#1356)
-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.1:
* fix: sort relationships in SPDX output (#1350)
* chore: add debug logging for decode errors (#1352)
* feat(npm): handle aliases in package-lock.json (#1349)
-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de
- Update to version 0.62.0:
* fix: spdx java checksum correctness (#1348)
* feat: Add support for npm lockfile version 3 (#1206)
-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.61.0:
* 1111 clean name bug (#1347)
* Add spdx relationship encoding for dependencies (#1342)
* feat: SPDX 2.3 support (#1311)
* SBOM cataloger (#1029)
* chore: clean up linting configuration (#1343)
* fix: Unmarshal Syft JSON with missing metadata (#1338)
* fix apk decode for older data shapes (#1341)
* chore: add unit test for wolfi os release identification (#1340)
* fix: Output only valid CPEs for CycloneDX OS components (#1339)
* feat: Add `--name` option to override name in output (#1269)
* Add support for dependency relationships for alpine (apk) (#1063)
* normalize alpm md5 refs (#1333)
* Update java generic cataloger (#1329)
* Support encoding map types to CycloneDX properties (#1332)
* Update swift cataloger to generic cataloger (#1324)
* port rust cataloger to new generic cataloger pattern (#1323)
* port ruby cataloger to new generic cataloger pattern (#1322)
* port rpm cataloger to new generic cataloger pattern (#1321)
* port python cataloger to new generic cataloger pattern (#1319)
* Update portage cataloger to new generic cataloger (#1316)
* port php cataloger to new generic cataloger pattern (#1315)
-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.3:
* javascript cataloger: node binary: nil pointer dereference (#1313)
* Fix: Include version information in binary cataloger CPEs (#1310)
* fix: only generate PURL on empty string (#1312)
* add s3 credentials to release (#1309)
* port javascript cataloger to new generic cataloger pattern (#1308)
-------------------------------------------------------------------
Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.2:
* chore: update goreleaser brew token (#1306)
* fix: Decode binary and unknown metadata (#1307)
-------------------------------------------------------------------
Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.1:
* chore: update github token permissions for goreleaser (#1305)
-------------------------------------------------------------------
Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.60.0:
* fix: update ci secret to use new password (#1304)
* fix: update secret value to use new cert chain (#1303)
* fix: verbose quill release failures (#1302)
* fix: unterminated quoted string (#1300)
* fix: update Makefile to remove old signing arch (#1299)
* feat: add nodejs-binary package classifier (#1296)
* update go-rpmdb to improve parsing of installed files (#1297)
* docs: update attestation directions with new cosign changes
* fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
* Fix #1245 Update SPDX license list to 3.18 (#1259)
* fix: Resolve Maven POM expressions (#1251) (#1278)
* port haskell cataloger to new generic cataloger pattern (#1290)
* port golang cataloger to new generic cataloger pattern (#1289)
* port deb/dpkg cataloger to new generic cataloger pattern (#1288)
* update cataloger tests to use pkgtest utils (#1287)
* port dotnet cataloger to new generic cataloger pattern (#1286)
* port dart cataloger to new generic cataloger pattern (#1285)
* port conan cataloger to new generic cataloger pattern (#1284)
* port apk cataloger to new generic cataloger pattern (#1283)
* replace signing tooling with quill (#1280)
* Upgrade generic cataloger (#1281)
* Update syft bootstrap tools to latest versions. (#1282)
* replace logger interface with anchore/go-logger (#1279)
* Update syft bootstrap tools to latest versions. (#1267)
* Add go binary h1 digest to SPDX (#1265)
* fix: move reproduction to top of issue (#1264)
* fix: update syftjson ID to match major schema version (#1274)
* Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
* chore: handle deprecated SPDX license: StandardML-NJ (#1266)
-------------------------------------------------------------------
Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de
- Update to version 0.59.0:
* Fixes #1179 Deprecated SPDX license (#1263)
* feat: add RelationshipsBySourceOwnership to syft json output (#1248)
* fix: reset merged package into map; (#1258)
* refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
* Update syft bootstrap tools to latest versions. (#1254)
* Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
* Update syft bootstrap tools to latest versions. (#1244)
* fix apkdb checksum representation (#1247)
* feat: add identifiable field to source object (#1243)
* feat: attest support for Singularity images (#1201)
* Update syft bootstrap tools to latest versions. (#1239)
* Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
* fix: Follow symlinks when searching for globs in all-layers scope (#1221)
* update requires to use list; remove field (#1234)
-------------------------------------------------------------------
Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de
- Update to version 0.58.0:
* Add Conan (C/C++) conan.lock file support (#1230)
* add sequence diagrams and flesh out TODO notes (#1233)
* Do not fail if unable to parse `.rpm` file (#1232)
* fix: support exclude patterns on Windows (#1228)
* Update syft bootstrap tools to latest versions. (#1225)
* Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
* Update syft bootstrap tools to latest versions. (#1223)
* Update syft bootstrap tools to latest versions. (#1220)
-------------------------------------------------------------------
Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de
- Update to version 0.57.0:
* feat: catalog python files for installed-files.txt file metadata (#1217)
* Stabilize SPDX JSON output sorting (#1216)
* bug: remove chance for panic; provide default attestation path (#1214)
* refactor: update Makefile organization; update DEVELOPING.md instructions (#1212)
* refactor: replace ioutil=>io; update linter (#1211)
* Update bootstrap tools to latest versions. (#1204)
* Add gosimports (#1205)
* refactor: move formats from internal into syft module (#1172)
-------------------------------------------------------------------
Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de
- Update to version 0.56.0:
* warn on errors from RPM DB parsing (#1200)
* docs: improve Singularity image source docs (#1190)
* Add RPM file scanning support (#1188)
* Normalize syft-json output (#1194)
* Revert "External sources configuration (#1158)" (#1191)
* Update syft bootstrap tools to latest versions. (#1186)
* Fix RPM DB license handling (#1184)
* Update syft bootstrap tools to latest versions. (#1182)
-------------------------------------------------------------------
Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de
- Update to version 0.55.0:
* update stereoscope to latest (#1181)
* Update syft bootstrap tools to latest versions. (#1180)
* Bug fix for 1095 - syft conversion option error (#1177)
* Update syft bootstrap tools to latest versions. (#1176)
* enhance development support on macOS ARM (#1163)
* Capture if a node module is private (#1161)
* Find version numbers from jars with different naming conventions (#1174)
* Update syft bootstrap tools to latest versions. (#1171)
* Fix update-bootstrap-tools workflow (#1170)
* workflow to create automated PRs to update bootstrap tools (#1167)
* feat: add support for licenses in package-lock json v2 (#1164)
* External sources configuration (#1158)
* feat: add support for pnpm (#1166)
* Prevent symlinks causing duplicate package-file relationships (#1168)
-------------------------------------------------------------------
Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de
- Update to version 0.54.0:
* Associate node package licenses from node_modules (#1152)
* Give the contributing guide a substantial rework (#1155)
* fix: extract file ids correctly for spdx-json (#1156)
* metadata decoding should be optional (#1154)
* Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151)
* Add modularitylabel metadata to RPM type records generated by syft (#1148)
* Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149)
* retraction for mispublished versions (#1147)
* cataloger configuration is respected regardless of source (#1142)
* Update README.md (#1146)
* bump cosign to v1.10.1 (#1144)
-------------------------------------------------------------------
Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.4:
* Update stereoscope to get rid of the replace directive (#1140)
-------------------------------------------------------------------
Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.3:
* Correct squashfs import and fix incorrect bouncer configuration (#1138)
-------------------------------------------------------------------
Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.2:
* Overwrite deprecated SPDX licenses automatically (#1009)
* disable release for docker assets (#1137)
-------------------------------------------------------------------
Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.1:
* improve docker release bootstrap (#1136)
* Singularity Image Support (#974)
-------------------------------------------------------------------
Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de
- Update to version 0.53.0:
* remove docker login from keychain (#1135)
* remove ENV checks from signing script (#1134)
* remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133)
* remove prefixed v from tag to match release (#1131)
* rollback actions-setup-docker to earlier version (#1130)
* Bump go-rustaudit to support rustaudit 0.2.0 (#1127)
* bump bouncer to v0.4.0 (#1125)
* Added ppc64le support to the syft:debug image (#1124)
* add a cataloger for binaries built with rust-audit (#1116)
* bump goreleaser to v1.10.3 (#1123)
* bump golangci-lint to v1.47.2 (#1122)
* bump cosign in bootstrap-tools to v1.10.0 (#1121)
* Added s390x support (#1117)
* Delete pr_action.yaml (#1120)
* fix: use generic instead of not generating purl (#1119)
* bump cosign to v1.10.0 (#1114)
-------------------------------------------------------------------
Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de
- Update to version 0.52.0:
* Update sigstore/rekor dependency (#1112)
* Added ppc64le support (#1099)
* patch-distroless-ghcr (#1110)
* add distroless debug image to published release (#1106)
* update help formatting (#1105)
* feat: implement haskell support (#1096)
* Add the -r argument for gnu xargs (#1103)
* fix: -o output option to include formats (#1102)
* moves go-rpmdb to latest; libc => v1.16.7 (#1098)
-------------------------------------------------------------------
Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de
- Update to version 0.51.0:
* feat: add support for cocoapods (Swift/Objective-C) (#1081)
* Fix package url for Go modules with no / (#1092)
* Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090)
* feat: output attestation to file (#1087)
* Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089)
* Add portage support for Gentoo Linux (#1076)
* Add PR action back to workflow with new token (#1086)
-------------------------------------------------------------------
Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de
- Update to version 0.50.0:
* feat: add new login cmd (#1068)
* update AltRpmDbGlob with comment and context (#1085)
* feat: add support for conan packages (C/C++) (#1083)
* add golang main module and pseudo-version (#916)
* fix: add glob to filter list to ensure rpm metadata files are matched… (#1079)
* remove pr automation until service account creation (#1080)
* fix: purl generation for pom.xml (#1078)
* Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072)
* fix: add new languages found in cpes (#1069)
* fix: add php catalogers to all catalogers (#1065)
* feat: add use-all-catalogers flag (#1050)
-------------------------------------------------------------------
Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de
- Update to version 0.49.0:
* Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926)
* remove OSS Meetup message (#1057)
* add pom.xml cataloger (#1055)
* Add support for CBL-Mariner distroless images (#1045)
* Add catalogers configuration (#1038)
* add template output (#1051)
-------------------------------------------------------------------
Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.1:
* update stereoscope to latest version (#1052)
-------------------------------------------------------------------
Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de
- Update to version 0.48.0:
* update zip_read_closer to incorporate zip64 support (#1041)
* Add pacman (alpm) parser support (#943)
-------------------------------------------------------------------
Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de
- Update to version 0.47.0:
* Update of README.md (#1027)
* bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025)
* add workflows to test new project automation (#1023)
* improve LanguageByName and add unit tests (#1034)
* Read Description from dpkg status files (#996)
* Add announcement for Anchore OSS Virtual Meetup (#1033)
* add main module field to go bin metadata (#1026)
* Add filters to package cataloger (#1021)
* change draft to false for release process (#1016)
* Support RPM distros with newer RPM db formats (#1018)
* fix: add component list to prevent cyclone-dx panic (#1015)
-------------------------------------------------------------------
Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl <kastl@b1-systems.de>
- first version of package syft at version 0.46.3