File syft.changes of Package syft
-------------------------------------------------------------------
Thu Nov 21 14:50:55 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.17.0:
  * chore(deps): update stereoscope to aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3472)
  * chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.2 to 1.2.3 (#3467)
  * fix: bump clio to pull in logging fix (#3466)
  * 3122 valid license url characters (#3449)
  * 3030 license declared spdx correction (#3461)
  * chore(deps): update tools to latest versions (#3463)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.1 to 6.6.2 (#3465)
  * chore(deps): bump modernc.org/sqlite from 1.33.1 to 1.34.1 (#3460)
  * chore(deps): update CPE dictionary index (#3453)
  * chore(deps): update tools to latest versions (#3454)
  * chore(deps): update tools to latest versions (#3448)
  * chore(deps): update tools to latest versions (#3444)
  * chore(deps): bump github/codeql-action from 3.27.3 to 3.27.4 (#3446)
  * feat: emit dependency relationships found in Cargo.lock (#3443)
  * chore(deps): update stereoscope to aa3a3ef4efe8d8759c9aa87261b405cc003bfc9a (#3442)
  * chore(deps): bump github/codeql-action from 3.27.2 to 3.27.3 (#3438)
  * chore(deps): bump github.com/charmbracelet/bubbletea from 1.2.1 to 1.2.2 (#3439)
  * chore(deps): bump github.com/saferwall/pe from 1.5.4 to 1.5.5 (#3440)
  * chore(deps): update tools to latest versions (#3413)
  * chore(deps): bump github/codeql-action from 3.27.1 to 3.27.2 (#3436)
  * chore(deps): bump golang.org/x/mod from 0.21.0 to 0.22.0 (#3426)
  * update node classifier (#3419)
  * chore(deps): update stereoscope to 120d9ea511e2f7a9887b443c52e66cd19bb80b43 (#3424)
  * chore(deps): update CPE dictionary index (#3429)
  * chore(deps): bump github/codeql-action from 3.27.0 to 3.27.1 (#3431)
  * chore(deps): bump golang.org/x/net from 0.30.0 to 0.31.0 (#3432)
  * chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.2 to 1.2.1 (#3433)
  * restore log on ui teardown (#3427)
  * doc: Add official Syft logo license information (#3421)
  * chore(deps): bump anchore/sbom-action from 0.17.6 to 0.17.7 (#3418)
  * chore: build release sbom from go.mod (#3417)

-------------------------------------------------------------------
Tue Nov 05 09:43:28 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.16.0:
  * chore: prevent file resolver from bubbling errors in binary cataloger (#3410)
  * chore(deps): update stereoscope to cbd43fb4e5d348fe680066ee6329385fd6a4f827 (#3411)
  * chore(deps): update CPE dictionary index (#3414)
  * chore(deps): bump github.com/adrg/xdg from 0.5.2 to 0.5.3 (#3408)
  * chore(deps): bump github.com/charmbracelet/lipgloss from 0.13.1 to 1.0.0 (#3409)
  * chore(deps): update stereoscope to 2ce1e520983b1c21d5150d7fae2b39e8e5ab9063 (#3405)
  * Issue #3143 – fixed format conversion docs link (#3407)
  * feat: support dependencies and purl for Native Image SBOMs (#3399)
  * chore(deps): update stereoscope to 9c92fe30492ffeba14ed2e23ad1fd923341dda4f (#3398)
  * feat: exclude devDependencies from package-lock.json parsing (#3371)
  * chore(deps): bump github.com/adrg/xdg from 0.5.1 to 0.5.2 (#3394)
  * chore(deps): bump anchore/sbom-action from 0.17.5 to 0.17.6 (#3393)
  * fix: stack overflow in spyingIoReadCloser (#3392)
  * fix: bad pom files may cause infinite loop (#3391)

-------------------------------------------------------------------
Tue Oct 29 14:02:45 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.15.0:
  * chore(deps): update stereoscope to bcc40c6817524718277256d6b774ce643f98640a (#3388)
  * chore(deps): bump actions/setup-go from 5.0.2 to 5.1.0 (#3384)
  * chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.1 to 1.1.2 (#3385)
  * chore(deps): update tools to latest versions (#3383)
  * chore(deps): update CPE dictionary index (#3387)
  * chore(deps): bump actions/checkout from 4.2.1 to 4.2.2 (#3380)
  * feat: multi-level configuration and profiles (#3337)
  * feat: Java dependency graph information (#3363)
  * Expanded dpkg cataloger globs (#3373)
  * Enable cargo-auditable-binary-cataloger for files/directories (#3376)
  * chore(deps): bump github/codeql-action from 3.26.13 to 3.27.0 (#3374)
  * chore(deps): bump github.com/charmbracelet/lipgloss (#3375)
  * chore(deps): update stereoscope to 6db3c175f1f836e552b01ee70e5d5528cc04bce4 (#3362)
  * chore(deps): bump actions/cache from 4.1.1 to 4.1.2 (#3364)
  * chore(deps): bump anchore/sbom-action from 0.17.4 to 0.17.5 (#3365)
  * chore(deps): bump github.com/go-git/go-billy/v5 from 5.5.0 to 5.6.0 (#3367)

-------------------------------------------------------------------
Tue Oct 22 07:09:11 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.14.2:
  * Create single license scanner for all catalogers (#3348)
  * chore(deps): update stereoscope to a38c93517fc7d67ca1af826ac529a06c05b571d2 (#3357)
  * chore(deps): update CPE dictionary index (#3358)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.0 to 6.6.1 (#3361)
  * update to latest packageurl-go (#3347)
  * chore(deps): update tools to latest versions (#3342)
  * chore(deps): update stereoscope to 9e57bce5efeb0ffe27770dd0b8eb2eef8b38512f (#3338)
  * chore(deps): bump github.com/adrg/xdg from 0.5.0 to 0.5.1 (#3344)
  * fix: use official CPE for linux kernel (#3343)
  * chore(deps): bump anchore/sbom-action from 0.17.3 to 0.17.4 (#3340)
  * fix: improve mariadb binary classifier to detect older versions (#3339)

-------------------------------------------------------------------
Tue Oct 15 15:36:18 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.14.1:
  * fix: stop some log.Warn spam due parsing an empty string as a CPE (#3330)
  * chore(deps): update stereoscope to 1cc8a41d447d0d092699be2b700b8ba62e870434 (#3334)
  * chore(deps): update stereoscope to 1cc8a41d447d0d092699be2b700b8ba62e870434 (#3332)
  * chore(deps): update stereoscope to 93f8a11331e3d50f751e4d0ec5b63f3df309e9e5 (#3331)
  * chore(deps): bump anchore/sbom-action from 0.17.2 to 0.17.3 (#3326)
  * chore(deps): bump github/codeql-action from 3.26.12 to 3.26.13 (#3327)
  * chore(deps): update CPE dictionary index (#3323)
  * fix: improve go binary semver extraction for traefik (#3325)
  * chore(deps): update stereoscope to 92e97a1cf36d162bad51ccc6aba0cce7a4dcfbf4 (#3322)
  * chore(deps): update stereoscope to c04af061af62ab3ba6ab6760613526eaa7fcb163 (#3319)
  * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.1 to 4.7.0 (#3321)
  * chore(deps): bump actions/upload-artifact from 4.4.1 to 4.4.3 (#3314)
  * shorten release docs (#3318)
  * docs: clearer deprecation message for --file (#3310)
  * [docs] Add mastodon link to README.md (#3306)
  * chore(deps): update stereoscope to 5bc91bf166769e43d8d0f86c02e877c55eb04aed (#3313)
  * chore(deps): bump actions/cache from 4.1.0 to 4.1.1 (#3312)
  * chore(deps): bump github/codeql-action from 3.26.11 to 3.26.12 (#3307)
  * chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#3308)
  * chore(deps): bump actions/upload-artifact from 4.4.0 to 4.4.1 (#3309)

-------------------------------------------------------------------
Wed Oct 09 04:42:52 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.14.0:
  * feat: report unknowns in sbom (#2998)
  * chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 (#3299)
  * chore(deps): update stereoscope to efa76446cc1c7e6c4117350943a2754b2453aec4 (#3301)
  * chore(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 (#3304)
  * chore(deps): bump actions/cache from 4.0.2 to 4.1.0 (#3305)
  * chore(deps): update CPE dictionary index (#3302)
  * Fix: Parse package.json with non-standard fields in 'author' section (#3300)
  * chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11 (#3298)
  * chore: add pull request template (#3294)
  * chore(deps): update tools to latest versions (#3296)
  * Track supporting DPKG evidence (#3228)
  * Fix: make failed CPE validation correctly return error (#2762)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.9 to 6.6.0 (#3293)
  * feat: update haproxy classifier (#3277)
  * chore(deps): update tools to latest versions (#3291)
  * fix: don't use builtin scanner in licensecheck (#3290)
  * chore(deps): update CPE dictionary index (#3288)
  * chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 (#3289)
  * update redis classifier (#3281)
  * fix: improve node classifier version matching (#3284)
  * fix: update ruby classifier for -rc, -dev, etc. versions (#3285)
  * chore(deps): update CPE dictionary index (#3262)
  * chore(deps): bump github.com/docker/docker (#3264)
  * chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 (#3275)
  * chore(deps): update stereoscope to dc10ea61fd18efa45b516eda4de8bc19d8322429 (#3280)
  * chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 (#3283)
  * add awaiting response management (#3272)
  * fix: correct excluded mount point comparison to file paths (#3269)

-------------------------------------------------------------------
Tue Sep 24 17:39:53 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.13.0:
  * Add JVM cataloger (#3217)
  * feat: classifier for Dart lang binaries (#3265)
  * Add compliance policy for empty name and version (#3257)
  * chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to 2.3.2 (#3254)
  * chore(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 (#3255)
  * chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8 (#3256)
  * chore(deps): update tools to latest versions (#3259)
  * chore(deps): bump github.com/docker/docker (#3260)
  * feat: add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher (#3252)
  * fix: capture-snippet.sh can handle leading whitespaces now (#3249) (#3250)
  * chore(deps): update tools to latest versions (#3251)
  * chore(deps): update tools to latest versions (#3247)
  * chore(deps): update tools to latest versions (#3243)
  * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.1 (#3242)
  * chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7 (#3241)
  * chore(deps): bump peter-evans/create-pull-request from 7.0.2 to 7.0.3 (#3240)
  * chore(deps): update tools to latest versions (#3231)
  * chore(deps): update CPE dictionary index (#3232)
  * chore(deps): update tools to latest versions (#3205)
  * chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.0 to 1.1.1 (#3225)
  * chore(deps): bump peter-evans/create-pull-request from 7.0.1 to 7.0.2 (#3226)
  * chore(deps): bump modernc.org/sqlite from 1.33.0 to 1.33.1 (#3229)
  * feat: --enrich flag for data enrichment feature enablement (#3182)

-------------------------------------------------------------------
Thu Sep 12 04:56:01 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.12.2 (no releases between 1.11.1 and this one):
  * chore: make ci-check.sh an executable file (#3220)
  * chore(deps): bump github.com/opencontainers/runc from 1.1.12 to 1.1.14 (#3219)
  * chore: restore ci-check.sh script (#3218)
  * Add haskell binaries cataloger (#3078)
  * chore(deps): update CPE dictionary index (#3206)
  * chore(deps): bump golang.org/x/net from 0.28.0 to 0.29.0 (#3203)
  * Add the Ocaml ecosystem (#3112)
  * chore(deps): bump github.com/charmbracelet/bubbles from 0.19.0 to 0.20.0 (#3209)
  * chore(deps): bump modernc.org/sqlite from 1.32.0 to 1.33.0 (#3210)
  * chore(deps): bump github.com/docker/docker (#3211)
  * chore(deps): bump github.com/dave/jennifer from 1.7.0 to 1.7.1 (#3212)
  * dont cleanup cache in forks (#3214)
  * less verbose java logging when non-fatal issues arise (#3208)
  * Slim down docker cache size (#3190)
  * chore(deps): bump peter-evans/create-pull-request from 7.0.0 to 7.0.1 (#3196)
  * chore(deps): bump golang.org/x/mod from 0.20.0 to 0.21.0 (#3197)
  * fix: haproxy classifier for versions with -dev suffix (#3180)
  * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.3 to 3.3.0 (#3177)
  * chore(deps): update CPE dictionary index (#3183)
  * chore(deps): bump actions/upload-artifact from 4.3.6 to 4.4.0 (#3184)
  * chore(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.0 (#3187)
  * fix: properly decode SPDX license expressions in CycloneDX format (#3175)
  * chore(deps): bump github.com/docker/docker (#3168)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#3171)
  * chore(deps): bump github/codeql-action from 3.26.5 to 3.26.6 (#3173)
  * fix: cycles resolving relative path parent poms with parent-defined variables (#3170)
  * fix: improve generated cpes for binaries with existing classifiers (#3169)
  * fix: add log time of task (#3105)
  * fix: improve known CPEs and set NVD as source for all current binary classifiers (#3167)
  * respond to authoritative CPEs from catalogers (#3166)
  * set cataloger names within package cataloger task (#3165)
  * fix: use official CPE for curl binary cataloger (#3164)
  * chore(deps): update tools to latest versions (#3160)
  * chore(deps): update CPE dictionary index (#3161)
  * chore(deps): bump github/codeql-action from 3.26.4 to 3.26.5 (#3162)
  * fix ELF package correlations (#3151)
  * chore(deps): update tools to latest versions (#3144)
  * feat: detect curl binaries (#3146)
  * chore(deps): bump anchore/sbom-action from 0.17.1 to 0.17.2 (#3155)
  * chore(deps): bump github/codeql-action from 3.26.3 to 3.26.4 (#3154)
  * chore(deps): update stereoscope to e6d086e8bef5fab4fcfbd60c9a759c4cb229decf (#3152)
  * chore(deps): bump github.com/charmbracelet/bubbles from 0.18.0 to 0.19.0 (#3148)
  * chore(deps): bump github.com/charmbracelet/lipgloss (#3147)
  * chore(deps): bump github.com/anchore/stereoscope (#3153)
  * fix: mysql 8.0.3x binary detection (#3142)
  * chore(deps): bump github/codeql-action from 3.26.2 to 3.26.3 (#3139)

-------------------------------------------------------------------
Tue Aug 20 16:41:18 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.11.1:
  * fix: logging for remote network calls (#3140)
  * chore(deps): update CPE dictionary index (#3135)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#3137)
  * chore(deps): update tools to latest versions (#3121)
  * chore(deps): bump github.com/docker/docker (#3123)
  * chore(deps): bump anchore/sbom-action from 0.17.0 to 0.17.1 (#3124)
  * chore(deps): bump github/codeql-action from 3.26.0 to 3.26.2 (#3129)
  * fix: add nil check to CycloneDX toBomProperties (#3119)
  * fix: read CycloneDX BOM components from metadata (#3092)
  * fix: improve groupid extraction for Jenkins plugins (#2815)
  * chore(deps): update CPE dictionary index (#3116)
  * support .kar files (#3113)
  * chore: fix some comments (#3114)
  * chore: fix failing python relationship test (#3117)
  * update-slack-to-discourse (#3111)

-------------------------------------------------------------------
Fri Aug 09 18:12:40 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.11.0:
  * test: increase java purl generation test coverage (#3110)
  * chore(deps): bump modernc.org/sqlite from 1.31.1 to 1.32.0 (#3106)
  * chore(deps): bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#3107)
  * chore(deps): update tools to latest versions (#3099)
  * chore(deps): bump github/codeql-action from 3.25.15 to 3.26.0 (#3101)
  * chore(deps): bump actions/upload-artifact from 4.3.5 to 4.3.6 (#3102)
  * chore(deps): bump github.com/google/go-containerregistry (#3103)
  * chore(deps): bump golang.org/x/net from 0.27.0 to 0.28.0 (#3104)
  * chore(deps): bump actions/upload-artifact from 4.3.4 to 4.3.5 (#3095)
  * chore(deps): update CPE dictionary index (#3094)
  * chore(deps): bump golang.org/x/mod from 0.19.0 to 0.20.0 (#3096)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.6 to 0.5.7 (#3097)
  * feat: improved java maven property resolution (#2769)
  * fix: use organization for package supplier when reading Java vendor fields (#3093)
  * chore(deps): update tools to latest versions (#3091)
  * fix: update 'guessMainPackageNameAndVersionFromPomInfo' and 'artifactIDMatchesFilename' (#3054)
  * fix: update mainModuleVersion function to always prefix `v` to findings (#3087)
  * chore: update release script to use gh from binny (#3084)
  * Added the SWI Prolog (swipl) ecosystem (#3076)

-------------------------------------------------------------------
Thu Aug 01 07:20:34 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.10.0:
  * fix: improve determinism in java archive identification (#3085)
  * chore(deps): update stereoscope to 50ce3be7aa1fb8829234ae648215e7907196bfa5 (#3075)
  * chore(deps): update CPE dictionary index (#3079)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.5 to 0.5.6 (#3082)
  * chore(deps): bump github/codeql-action from 3.25.14 to 3.25.15 (#3083)
  * fix: traefik classifier (#3077)
  * python-cataloger: fix normalization test (#3073)
  * Only match ldflag version if it matches the main module or targets main.version (#3062)
  * python cataloger: allow dots in python package names (#3070)
  * python-cataloger: normalize package names (#3069)
  * chore(deps): bump github.com/docker/docker (#3066)
  * chore(deps): bump github/codeql-action from 3.25.13 to 3.25.14 (#3072)
  * fix: SPDX output performance with many relationships (#3053)
  * better go mod detection from partial package builds (#3060)
  * chore(deps): update tools to latest versions (#3061)
  * chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1 to 0.12.1 (#3040)
  * chore: add debug logging for errors reading RPM files (#3051)
  * chore(deps): update CPE dictionary index (#3035)
  * chore(deps): bump github.com/docker/docker (#3055)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.4 to 0.5.5 (#3056)
  * chore(deps): bump modernc.org/sqlite from 1.30.2 to 1.31.1 (#3057)
  * chore(deps): bump docker/login-action from 3.2.0 to 3.3.0 (#3058)
  * chore(deps): bump github/codeql-action from 3.25.12 to 3.25.13 (#3059)
  * chore(deps): update stereoscope to 487b11e5ba2622d976acda10c605da63b4fbbb0a (#3032)
  * chore(deps): update tools to latest versions (#3050)
  * docs: CODE_OF_CONDUCT.md (#3046)
  * fix: include CPEs with Maven groupId as vendor (#3045)
  * chore(deps): bump github.com/google/go-containerregistry (#3047)
  * chore(deps): bump github.com/moby/sys/mountinfo from 0.7.1 to 0.7.2 (#3048)
  * chore(deps): bump modernc.org/sqlite from 1.30.1 to 1.30.2 (#3039)
  * docs: link to contrib/dev docs in readme (#3029)
  * chore: Fix apache shield in readme (#3021)
  * chore(deps): update tools to latest versions (#3031)
  * chore(deps): bump github/codeql-action from 3.25.11 to 3.25.12 (#3034)
  * chore(deps): bump anchore/sbom-action from 0.16.1 to 0.17.0 (#3044)
  * fix: stop panicking on "devel" version go stdlib (#3043)
  * chore: pin fedora image for elf binary test (#3041)
  * chore(deps): bump anchore/sbom-action from 0.16.0 to 0.16.1 (#3023)
  * chore(deps): update stereoscope to 27b66b76fc6686fcf6bde656aa09e1f0e047fec1 (#3026)

-------------------------------------------------------------------
Thu Jul 11 18:41:11 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.9.0:
  * chore(deps): bump actions/setup-go from 5.0.1 to 5.0.2 (#3027)
  * chore(deps): bump github.com/charmbracelet/lipgloss (#3028)
  * fix: stabilize cpe sorting during collection sort (#3009)
  * Map the downloadLocation field for PHP Composer packages (#3011)
  * chore(deps): update stereoscope to e46739e217969fa67cbe8834b64bb165a10a1548 (#3013)
  * chore(deps): bump golang.org/x/net from 0.26.0 to 0.27.0 (#3015)
  * chore(deps): bump golang.org/x/mod from 0.18.0 to 0.19.0 (#3014)
  * chore(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 (#3017)
  * chore(deps): bump github.com/google/go-containerregistry (#3019)
  * chore(deps): bump github.com/adrg/xdg from 0.4.0 to 0.5.0 (#3020)
  * chore(deps): update CPE dictionary index (#3016)
  * Infer the package type from ELF package notes (#3008)
  * chore(deps): update tools to latest versions (#3003)
  * chore(deps): update CPE dictionary index (#3002)
  * chore(deps): bump github.com/docker/docker (#3006)
  * chore(deps): bump github/codeql-action from 3.25.10 to 3.25.11 (#3004)
  * chore(deps): bump github.com/saferwall/pe from 1.5.3 to 1.5.4 (#3005)
  * feat: version 3 support for swift package manager of the resolved files (#3001)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.4 to 0.5.5 (#2999)
  * chore(deps): bump github.com/docker/docker (#2994)
  * Add detection of Erlang in Alpine linux (#2996)
  * chore(deps): update tools to latest versions (#2991)
  * chore(deps): update stereoscope to 753b5576fe42bc007b22108ad7911d1729957a46 (#2992)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#2995)

-------------------------------------------------------------------
Tue Jun 25 04:58:18 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.8.0:
  * chore(deps): update CPE dictionary index (#2986)
  * chore(deps): bump github.com/go-test/deep from 1.1.0 to 1.1.1 (#2988)
  * fix: handle errors reading go licenses (#2985)
  * docs: update cyclone-dx documentation (#2983)
  * feat: update syft to generate cyclone-dx 1.6 by default (#2978)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#2982)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.5 to 6.1.0 (#2975)
  * fix: detection of arangodb 3.12 (#2979)
  * chore: enable dependabot to keep bootstrap action updated (#2976)
  * chore(deps): bump github.com/github/go-spdx/v2 from 2.2.0 to 2.3.1 (#2973)
  * chore(deps): bump github.com/google/go-containerregistry (#2971)
  * chore(deps): bump github.com/spf13/cobra from 1.8.0 to 1.8.1 (#2972)

-------------------------------------------------------------------
Sat Jun 15 16:14:00 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.7.0:
  * Added Features
    - index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]
    - Consider Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]
  * Bug Fixes
    - improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]
    - Trim whitespace from wordpress values [#2945 @wagoodman]
    - Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
    - Poetry's multiple constraints seems to break the parser [#2947 #2965 @spiffcs]
    - Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]

-------------------------------------------------------------------
Mon Jun 10 19:52:37 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.6.0:
  * Added Features
    - Add relationships for go binary packages [#2912 @wagoodman]
    - Add classifier for util-linux [#2933 @LaurentGoderre]
    - Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]
    - add license field to ELF binary package metadata [#2890 @brian-ebarb]
    - install.sh: check checksums file's signature [#2884 #2941 @wagoodman]
    - Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]
  * Bug Fixes
    - Use redhat as namespace for redhat rpms [#2914 @ralphbean]
    - Close sqlite driver after testing sqlite availability [#2922 @ttc0419]
    - syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]
    - Scanning a git repository folder present in /tmp produce an empty sbom [#2847 #2918 @willmurphyscode]
  * Additional Changes
    - update unit tests to use pinned patch version [#2932 @spiffcs]
    - fix comments and spelling [#2920 @dufucun]

-------------------------------------------------------------------
Fri May 31 14:28:58 UTC 2024 - andrea.manzini@suse.com

- Update to version 1.5.0:
  * feat: detect fluent-bit binaries (#2905)
  * bump dependencies
  * Add python wheel egg relationships (#2903)
  * feat: Add Lua cataloger (#2613)
  * feat: add config command (#2892)
  * feat: Added functionality to convert major, minor, patch to version for binary classifier (#2864)
  * Go Mod Cataloger: Remove Replaced Packages (#2891)
  * chore: Reduce length of readme, moving lengthy content to the wiki (#2882)
  * fix: DecoderCollection discarding input from non-seekable Readers (#2878)
  * Fix outdated spdx links (#2865)
  * Use values in relationship To/From fields (#2871)
  * add support for RPM DB package relationships (#2872)
  * fix: capture dependencies when parsing SPDX SBOMs (#2869)
  * Add abstraction for adding relationships from package cataloger results (#2853)
  * chore: fix small tooling error for go.mod (#2868)

-------------------------------------------------------------------
Sun May 12 07:42:00 UTC 2024 - opensuse_buildservice@ojkastl.de

- add completion subpackages
- fix version output

-------------------------------------------------------------------
Fri May 10 04:54:24 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.4.1:
  * fix pruning binary packages when considering ELF packages (#2862)

-------------------------------------------------------------------
Thu May 09 18:59:36 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.4.0:
  * feat: add relationships to ELF package discovery (#2715)
  * README.md: link to official wiki (#2858)
  * fix Windows file paths in local go mod cache (#2654)
  * chore(deps): bump github.com/docker/docker (#2859)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#2860)
  * chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4 (#2855)
  * chore(deps): bump github.com/sassoftware/go-rpmutils from 0.3.0 to 0.4.0 (#2856)
  * Add relationships for ALPM packages (arch linux) (#2851)
  * Add binary classifier for ArangoDB (#2830)
  * chore(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 (#2849)
  * chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#2850)
  * chore: use ruleguard to test for missing defer statements (#2837)
  * remove homebrew update workflow (#2846)
  * Restore version file update on release (#2844)
  * fix: Add missing CPE for traefik, memcached, and postgres binaries (#2845)
  * Add detection for newer version of ErLang/OTP (#2829)
  * fix ui race for package count (#2839)
  * chore(deps): update CPE dictionary index (#2841)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to 6.5.9 (#2842)
  * chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9 (#2843)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#2838)
  * add security policy (#2835)
  * chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#2834)
  * chore(deps): update stereoscope to 2e9894674185d121917b283f773c2b5830f8b360 (#2831)
  * chore(deps): bump github.com/charmbracelet/bubbletea (#2833)
  * chore: fix function name in comment (#2771)
  * chore: enable go-critic deferInLoop lint (#2825)
  * fix: better clean up of file handles (#2823)
  * chore(deps): bump github.com/docker/docker (#2827)
  * fix(spdx): include required fields (#2168)
  * fix: add correct vendor for dnsmasq CPE (#2659)
  * fix: close temp rpmdb file (#2792)
  * chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 (#2817)
  * Fill in SPDX originator for all supported package types (#2822)
  * chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 (#2821)

-------------------------------------------------------------------
Fri Apr 26 16:46:01 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.3.0:
  * update spdx license list to 3.23 (#2818)
  * fix: re-use embedded union reader if possible (#2814)
  * feat: index known CPEs for go modules (#2816)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 (#2812)
  * feat: support multiple known CPEs in index (#2813)
  * chore(deps): update stereoscope to 8b297badafd5d81fa1187b26ae34dd2a7ce7e425 (#2807)
  * chore(deps): bump actions/checkout from 4.1.3 to 4.1.4 (#2809)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.3 to 0.5.4 (#2810)
  * Fix removing labels in 'Detect schema changes' job (#2772)
  * chore(deps): bump github.com/docker/docker (#2805)
  * Display which provider caused which error in output (#2757)
  * fix: prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io (#2806)
  * feat: index known CPEs for PHP Composer packagist.org packages (#2804)
  * chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 (#2802)
  * chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 (#2803)
  * fix: improvements to known CPE index construction (#2801)
  * fix: exclude known instrumentation jars from being erroneously identified (#2796)
  * feat: index known cpes for PHP extensions (#2777)
  * chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 (#2799)
  * fix: return empty string if dereferencing pom var fails (#2797)
  * chore(deps): bump github.com/docker/docker (#2793)
  * chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8 (#2794)
  * chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 (#2795)
  * chore: cleanup redundant code (#2791)
  * chore(deps): update tools to latest versions (#2789)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 (#2790)
  * chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 (#2786)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 (#2787)
  * Fix: repeatedly dereference pom variables (#2781)
  * chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7 (#2783)
  * chore(deps): update CPE dictionary index (#2780)
  * chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 (#2779)
  * chore: fix broken cpe index generation task (#2778)
  * chore(deps): bump github.com/docker/docker (#2773)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 (#2774)

-------------------------------------------------------------------
Sat Apr 13 09:32:58 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.2.0:
  * fix: more robust go main version extraction (#2767)
  * chore(deps): update tools to latest versions (#2768)
  * fix: binary character in java version (#2766)
  * chore(deps): update tools to latest versions (#2760)
  * chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6 (#2761)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to 6.5.8 (#2754)
  * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to 0.5.3 (#2755)
  * chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 (#2756)
  * chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 (#2751)
  * Differentiate between JRE and JDK (#2748)
  * chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0 (#2752)

-------------------------------------------------------------------
Thu Apr 04 16:55:06 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.1.1:
  * chore(deps): update tools to latest versions (#2744)
  * chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 (#2747)
  * chore: update anchore/packageurl-go to use latest commits (#2746)
  * feat: cataloger for PHP Pecl and PEAR packages (#2604)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 (#2743)
  * chore(deps): update tools to latest versions (#2741)
  * fix: conan poco project cpe (#2740)
  * chore(deps): bump github.com/distribution/reference from 0.5.0 to 0.6.0 (#2738)
  * chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10 (#2737)
  * fix: panic scanning binaries without symtab (#2739)
  * chore: remove useless code (#2716)
  * chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 (#2731)
  * chore(deps): bump github/codeql-action from 3.24.8 to 3.24.9 (#2732)
  * chore(deps): update tools to latest versions (#2733)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.5 to 6.5.6 (#2734)
  * update release token from readonly to write token (#2735)

-------------------------------------------------------------------
Tue Mar 26 07:19:30 UTC 2024 - opensuse_buildservice@ojkastl.de

- Update to version 1.1.0:
  * Adding the ability to retrieve remote licenses from package.lock (#2708)
  * dont include labels for dependabot ecosystems (#2720)
  * chore(deps): bump fountainhead/action-wait-for-check from 1.1.0 to 1.2.0 (#2717)
  * chore(deps): update tools to latest versions (#2726)
  * chore(deps): bump github/codeql-action from 3.24.7 to 3.24.8 (#2725)
  * chore(deps): bump actions/cache from 4.0.1 to 4.0.2 (#2728)
  * chore(deps): bump github.com/docker/docker (#2730)
  * updating credentials to scoped permissions (#2722)
  * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.4 to 6.5.5 (#2718)
  * chore(deps): bump github.com/google/go-containerregistry (#2719)
  * Add detection for Oracle GraalVM (#2705)
  * chore(deps): bump docker/login-action from 3.0.0 to 3.1.0 (#2714)
  * Add ELF binary package cataloger (#2396)
  * chore(deps): bump modernc.org/sqlite from 1.29.3 to 1.29.5 (#2710)
  * chore(deps): bump github/codeql-action from 3.24.6 to 3.24.7 (#2711)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.1 to 6.0.2 (#2712)
  * Show binary exports, entrypoint, and imports (#2626)
  * chore(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#2703)
  * chore(deps): bump github.com/knqyf263/go-rpmdb (#2701)
  * chore: reduce duplicate case SwiftPkg (#2696)
  * chore: remove deprecated os.SEEK_SET os.SEEK_CUR (#2693)
  * chore(deps): bump github.com/docker/docker (#2698)
  * chore(deps): bump modernc.org/sqlite from 1.29.2 to 1.29.3 (#2699)

-------------------------------------------------------------------
Sat Mar 09 08:54:20 UTC 2024 - andrea.manzini@suse.com

- Update to version 1.0.1:
  * bump dependencies
  * docs: add simplest example from registry (#2691)
  * fix: Unable to scan OCI images with syft v0.105.1 [#2678 #2683 @spiffcs]

-------------------------------------------------------------------
Fri Mar 01 13:59:28 UTC 2024 - andrea.manzini@suse.com

- Update to version 1.0.0:
  * fix: match OpenSSL letter releases (#2682)
  * Mark duplicated rows in table output (#2679)
  * fix: trim path from deps.json in portable way (#2674)
  * chore(deps): update tools to latest versions (#2680)
  * enforce breaking change bump major version (#2635)
  * docs: fix incorrect flag name in readme (#2677)
  * Consider filesystem types for mount points when ignoring system paths (#2675)
  * fix: stop emitting bus events on go mod events (#2673)
  * chore(deps): bump peter-evans/create-pull-request from 6.0.0 to 6.0.1 (#2676)
  * feat: add `--from` flag, refactor source providers (#2610)

-------------------------------------------------------------------
Tue Feb 27 12:40:20 UTC 2024 - andrea.manzini@suse.com

- Update to version
0.105.1: * bump deps and build tools * fix: SPDX tag value version selector (#2665) * fix(install): return appropriate error codes (#2664) * chore: update busybox image for acceptance tests (#2663) * rename binary classifier cataloger name (#2643) * add cataloger selection example (#2646) * add syft version used to SBOM tool info by default (#2647) ------------------------------------------------------------------- Thu Feb 15 06:10:35 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.105.0: * Survive indexing dead symlinks (#2645) * fix considering base path when ignoring known bad unix paths (#2644) * test for field conventions in json schema (#2642) * feat: Add Wordpress cataloger (#2218) * rename binary cataloger to be more unique (#2633) * fix: update runner size to use larger HD for codeql (#2641) * chore(deps): update tools to latest versions (#2616) * chore(deps): bump github/codeql-action from 3.24.0 to 3.24.1 (#2638) * chore(deps): bump dawidd6/action-homebrew-bump-formula (#2639) * chore(deps): bump modernc.org/sqlite from 1.29.0 to 1.29.1 (#2640) * fix: add BOMRef to CycloneDX OS Component (#2634) * chore(deps): bump github.com/saferwall/pe from 1.5.0 to 1.5.2 (#2629) * chore(deps): bump modernc.org/sqlite from 1.28.0 to 1.29.0 (#2630) * fix getting union reader for sif images (#2631) * chore(deps): bump golang.org/x/net from 0.20.0 to 0.21.0 (#2607) * chore(deps): bump github.com/saferwall/pe from 1.4.8 to 1.5.0 (#2625) * fix: ensure version output to stdout (#2621) * Guess go main module version based on binary contents (#2608) * chore(deps): update stereoscope to 681f6715b0e35686d6e6f40bce109176de1ee274 (#2617) * fix readme around templating options (#2612) * suppress executable parsing issues (#2614) * chore: update license list, cpe dictionary (#2620) * chore(deps): update tools to latest versions (#2606) ------------------------------------------------------------------- Thu Feb 08 06:37:11 UTC 2024 - 
opensuse_buildservice@ojkastl.de - Update to version 0.104.0: * fix: incorrect conversion between integer types (#2605) * chore(deps): bump golang.org/x/mod from 0.14.0 to 0.15.0 (#2602) * chore(deps): bump github.com/docker/docker (#2601) * Fix: unmarshal key values in Java, Go, and Conan metadata (#2603) * fix(dotnet): prefer portable executable product version when semantically greater than file version (#2600) * Finalize Conan v2 support (#2587) * chore(deps): update tools to latest versions (#2595) * chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 (#2597) * chore(deps): update stereoscope to bfa15e446f061bda7f68305d2d6240b053f17e0c (#2589) * chore(deps): bump actions/cache from 3.3.2 to 4.0.0 (#2592) * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.0 to 0.5.2 (#2591) * chore(deps): bump github/codeql-action from 3.23.2 to 3.24.0 (#2593) * labeler should ignore latest version (#2588) * chore: copy latest schema to stable path for easier diff (#2586) * Adding metadata fields when parsing yarn.lock and poetry.lock (#2350) * Add Erlang OTP Application cataloger (#2403) * Detect ELF security features (#2443) * Add API examples (#2517) * feat: Record where CPEs come from (#2552) * chore(deps): update stereoscope to 37291e81936d2b43b3cef56667a741ef715fbfe4 (#2583) * chore(deps): bump github.com/charmbracelet/bubbles from 0.17.1 to 0.18.0 (#2584) * swap format readseekers for readers (#2581) * translate maps to sequences in pkg metadata (#2553) * chore(deps): update tools to latest versions (#2576) * chore(deps): bump anchore/sbom-action from 0.15.7 to 0.15.8 (#2578) * chore(deps): bump marocchino/sticky-pull-request-comment (#2579) * chore(deps): bump github.com/docker/docker (#2580) * chore(deps): update stereoscope to db7a4bedaba6ad93becf22ce794f306dfb07fcb9 (#2577) * Fix attest with --key (#2551) * fix(java): improve identification for org.apache.kafka artifacts (#2573) * chore: pluralize the flag (#2564) * chore(deps): update tools to 
latest versions (#2566) * chore(deps): bump peter-evans/create-pull-request from 5.0.2 to 6.0.0 (#2567) * chore(deps): bump anchore/sbom-action from 0.15.6 to 0.15.7 (#2568) * re-add cosign signing checksums file (#2572) ------------------------------------------------------------------- Wed Jan 31 17:29:57 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.103.1: * revert cosign signing of release checksums file (#2571) ------------------------------------------------------------------- Wed Jan 31 17:26:17 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.103.0: * bump archiver and stereoscope (#2570) * fix: Better test for group ID in filename (#2565) * Sign checksums file and add SBOMs on release (#2548) * chore(deps): bump anchore/sbom-action from 0.15.5 to 0.15.6 (#2560) * chore(deps): bump github.com/google/go-containerregistry (#2561) * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.3 to 6.5.4 (#2562) * chore(deps): update tools to latest versions (#2554) * chore(deps): bump github.com/sassoftware/go-rpmutils from 0.2.0 to 0.3.0 (#2556) * chore(deps): bump 8398a7/action-slack from 3.15.1 to 3.16.2 (#2557) * chore(deps): bump github/codeql-action from 3.23.1 to 3.23.2 (#2558) * internalize format helpers (#2543) * Internalize CPE generation logic (#2541) * chore(deps): update tools to latest versions (#2550) ------------------------------------------------------------------- Fri Jan 26 19:26:34 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.102.0: * Implement golang Purl subpath (#2547) * fix migration of integration test (#2546) * Use the json schema as input for templating (#2542) * Unexport types and functions cataloger packages (#2530) * Internalize majority of cmd package (#2533) * allow for RPM modularity to be optional (#2540) * chore(deps): bump actions/upload-artifact from 4.2.0 to 4.3.0 (#2536) * chore(deps): bump github.com/google/uuid from 1.5.0 to 1.6.0 (#2538) * chore(deps): bump 
github.com/docker/docker (#2537) * chore: stop re-exporting wfn.Attributes (#2534) * swap format readseekers for readers (#2515) * chore(deps): bump anchore/sbom-action from 0.15.4 to 0.15.5 (#2531) * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.12 to 0.5.0 (#2532) * plumb context through catalogers (#2528) * Remove CLI and API deprecations (#2508) * Turn off the SBOM cataloger by default (#2527) * Re-introduce linux kernel cataloger (#2526) * make AllLocations accept a context (#2518) * chore(deps): update CPE dictionary index (#2523) * fix: minor cataloger and docs nits (#2519) ------------------------------------------------------------------- Sat Jan 20 17:00:30 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.101.1: * Deduplicate digests from user configuration (#2522) * update readme and help output to be accurate to syft api (#2520) * fix: remove second call to finalize as the task handles it (#2516) * chore(deps): update stereoscope to eb656fc717935ad5abeb8e1379a5c4e11c957120 (#2510) * chore(deps): bump github.com/docker/docker (#2512) * chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 (#2513) * chore(deps): bump anchore/sbom-action from 0.15.3 to 0.15.4 (#2514) * chore(deps): bump github/codeql-action from 3.23.0 to 3.23.1 (#2506) * chore(deps): bump github.com/google/go-containerregistry (#2507) * chore: enable automatic approval of dependabot PRs (#2505) ------------------------------------------------------------------- Thu Jan 18 08:10:11 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 0.101.0: * include binary cataloger configuration defaults (#2504) * feat: classifier for wordpress cli binary (#2473) * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to 6.5.3 (#2502) * chore(deps): bump actions/cache from 3.3.3 to 4.0.0 (#2503) * chore(deps): update tools to latest versions (#2500) * chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 (#2501) * Add cataloger list 
command (#2366) * condense binary cataloger config in JSON output (#2499) * chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 (#2495) * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.2 to 6.5.3 (#2494) * chore(deps): update CPE dictionary index (#2491) * Replace core SBOM-creation API with builder pattern (#1383) * chore(deps): update tools to latest versions (#2488) * chore(deps): bump actions/cache from 3.3.2 to 3.3.3 (#2489) * chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3 (#2481) * chore(deps): bump github.com/charmbracelet/bubbles from 0.16.1 to 0.17.1 (#2475) * feat: binary classifiers for Percona Software For MySQL (#2478) * feat: binary classifier for pypy (#2474) * chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.4.9 to 6.5.2 (#2476) * fix: support traefik binary from the official Docker image (#2484) * feat: binary classifier for GCC (#2479) * chore(deps): update tools to latest versions (#2480) * chore(deps): bump golang.org/x/net from 0.19.0 to 0.20.0 (#2482) * chore(deps): bump github/codeql-action from 3.22.12 to 3.23.0 (#2477) * Upgrade binary test fixtures management (#2444) ------------------------------------------------------------------- Sat Jan 06 15:26:12 UTC 2024 - andrea.manzini@suse.com - Update to version 0.100.0: * Add ability to extend the binaries cataloguers (#2469) * chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2 (#2464) * fix: add missing purl for busybox (#2457) * Fix diff error obfuscating binary test failures message (#2468) * Replace `packages` command with `scan` (#2446) * fix: PURLs with "nuget" type are dotnet packages (#2466) * chore(deps): update tools to latest versions (#2459) * chore(deps): update CPE dictionary index (#2458) * chore: update binary to -x (#2456) * Add more functionality to the ErLang parser (#2390) * Added OpenSSL binary matcher (#2416) * chore(deps): update stereoscope to 590920dabc5479216e755983d41367b6be3544f3 (#2452) * chore(deps): update tools 
to latest versions (#2451) * chore(deps): bump github/codeql-action from 3.22.11 to 3.22.12 (#2455) ------------------------------------------------------------------- Thu Dec 21 16:26:53 UTC 2023 - opensuse_buildservice@ojkastl.de - Update to version 0.99.0: * chore: remove execute from test fixtures (#2450) * chore(deps): update tools to latest versions (#2447) * fix: don't panic when hackage missing in haskell stack yaml lock (#2448) * Add binary classifier for the ERLang interpretter (#2417) * Add binary classifier for Julia lang (#2427) * Add binary detection for PHP composer (#2432) * chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 (#2433) * chore(deps): update CPE dictionary index (#2442) * chore(deps): update stereoscope to 4b999b76ca8901d15bb97aef445dc94c38d11d5c (#2440) * fix syft-json test to use pretty json for snapshot testing (#2441) * refactor pkg.Collection (#2439) * refactor javascript cataloger to use configuration options when creating packages (#2438) * use single source of truth for archive options (#2437) * fix file digest cataloger when passed coordinates (#2436) * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#2413) * Look for a maven version in a pom from a parent dependency management section (#2423) * Parse Python licenses from LicenseExpression entry in the Wheel Metadata (#2431) * chore(deps): bump github/codeql-action from 2.22.10 to 3.22.11 (#2430) * chore(deps): bump modernc.org/sqlite from 1.27.0 to 1.28.0 (#2429) * chore(deps): update tools to latest versions (#2428) * Parse Python licenses from LicenseFile entry in the Wheel Metadata (#2331) * fix: use filepath instead of path for file source exclusions (#2411) * chore(deps): bump github.com/charmbracelet/bubbletea (#2424) * chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2425) * chore(deps): bump github/codeql-action from 2.22.9 to 2.22.10 (#2426) * chore(deps): bump dawidd6/action-homebrew-bump-formula (#2420) * feat: add 
the option to retrieve remote licenses for projects defined in a maven pom (#2409) * chore(deps): bump github/codeql-action from 2.22.8 to 2.22.9 (#2400) * chore(deps): bump github.com/saferwall/pe from 1.4.7 to 1.4.8 (#2415) * chore(deps): bump github.com/go-git/go-git/v5 from 5.10.1 to 5.11.0 (#2414) * chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#2401) * chore(deps): update tools to latest versions (#2408) * chore(deps): update CPE dictionary index (#2412) * fix(java): improve identification for org.codehaus.groovy artifacts (#2404) * fix(java): improve identification for commons-jelly artifacts (#2399) * fix(java): improve identification for io.minio artifacts (#2398) * fix(java): improve identification for com.graphql-java artifacts (#2397) * chore(deps): update tools to latest versions (#2395) * chore: enhance java purl generation integration test (#2393) * feat: add ability to retrieve remote licenses for yarn.lock (#2338) * chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 (#2392) * Retrieve remote licenses using pom.properties when there is no pom.xml (#2315) * fix(java): improve identification for org.apache.tapestry artifacts (#2384) * fix(java): improve identification for io.ratpack artifacts (#2379) * fix(java): improve identification for org.apache.cassandra artifacts (#2386) * fix(java): improve identification for org.neo4j.procedure artifacts (#2388) * fix: bump fangs for ptr summarize fix (#2387) * fix(java): improve identification for org.elasticsearch artifacts (#2383) * fix(java): improve identification for org.apache.geode artifacts (#2382) * fix(java): improve identification for org.apache.tomcat.embed artifacts (#2381) * fix(java): improve identification for io.projectreactor.netty artifacts (#2378) * fix(java): improve identification for org.eclipse.platform artifacts (#2349) * Generalize UI events for cataloging tasks (#2369) * chore(deps): update tools to latest versions (#2376) * chore(deps): bump 
github.com/google/go-containerregistry (#2377) * chore: fix tests failing due to Mac Rosetta cache (#2374) * fix: improve dotnet portable executable identification (#2133) ------------------------------------------------------------------- Thu Nov 30 08:14:13 UTC 2023 - andrea.manzini@suse.com - Update to version 0.98.0: * fix file metadata cataloger to use resolved locations (#2370) * fix: logging level for parsing potential PE files (#2367) * only remove breaking-change label when there are schema changes (#2371) * fix: capture root command stdout (#2364) * fix: hardcode xalan group ID (#2368) * Normalize cataloger configuration patterns (#2365) * normalize enums to lowercase with hyphens (#2363) * bump deps version * fix: index file itself when file scan path has symlink (#2359) * use read lock in pkg collection (#2341) * Fix the `attest` command (#2337) * fix: add manual namespace mapping for org.springframework jars (#2345) * Add binary classifiers for MySQL and MariaDB (#2316) * Enhance redis binary classifier (#2329) * fix: add manual namespace mapping for org.springframework.security jars (#2343) * fix: add manual namespace mapping for org.bouncycastle jars (#2342) * Update developer docs to represent the current package layout (#2340) * Remove the power-user command and related catalogers (#2306) * Add "pretty" json configuration and change default behavior to be space-efficient (#2275) ------------------------------------------------------------------- Sat Nov 18 08:51:36 UTC 2023 - kastl@b1-systems.de - Update to version 0.97.1: * chore(deps): update stereoscope to 3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336) * feat: allow for stdout to be buffered on each command (#2335) ------------------------------------------------------------------- Fri Nov 17 05:46:54 UTC 2023 - kastl@b1-systems.de - Update to version 0.97.0: * fix: prevent writing non-report output to stdout (#2324) * chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7 (#2332) * 
export metadata type helper (#2328) * fix(java): add manual groupid mappings for org.apache.velocity jars (#2327) * fix(java): skip maven bundle plugin logic if vendor id and symbolic name match (#2326) * Refine license searching from groupIDFromJavaMetadata to allow for having the artfactId in the groupId (#2313) * chore(deps): update tools to latest versions (#2325) * chore(deps): update tools to latest versions (#2318) * Add license for golang stdlib (#2317) * chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6 (#2321) * docs: Update README.md for dotnet-portable-executable (#2322) * Fall back to searching maven central using groupIDFromJavaMetadata (#2295) * rename file.Location.VirtualPath to AccessPath (#2288) * chore(deps): update tools to latest versions (#2308) * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 (#2310) * chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0 (#2311) ------------------------------------------------------------------- Thu Nov 09 14:48:04 UTC 2023 - kastl@b1-systems.de - Update to version 0.96.0: * include image labels in cycloneDX SBOM (#2294) * Add accessPath on Location objects to syft-json output (#2287) * SPDX file has duplicate sha256 tag in versionInfo (#2300) * Check maven central as well for licenses in parents poms for nested jars (#2302) * chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#2293) * chore(deps): update tools to latest versions (#2301) * fix: identify cyclone-json without $schema (#2303) ------------------------------------------------------------------- Tue Nov 07 20:40:41 UTC 2023 - kastl@b1-systems.de - Update to version 0.95.0: * chore: setup release task before calling go releaser (#2297) * chore(deps): update tools to latest versions (#2296) * chore(deps): update tools to latest versions (#2289) * chore(deps): update CPE dictionary index (#2290) * chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0 (#2292) * Wire though maven-url to java config 
(#2291) * Use case-insensitive matching for Go license files (#2286) * Add a new Java configuration option to recursively search parent poms… (#2274) * chore(deps): update tools to latest versions (#2280) * Follow convention for naming catalogers (#2277) * change dir resolver to include virtual path (#2259) * fix: syft does not handle the case of parsing a jar with multiple poms (#2231) * add PURLs when scanning Gradle lock files (#2278) * chore(deps): bump modernc.org/sqlite from 1.26.0 to 1.27.0 (#2279) * test: remove dll files and updates tests to use versionResources (#2276) * fix: update dot net binary parsing logic to remove empty space (#2273) * Read a license from a parent pom stored in Maven Central (#2228) * Update README.md to use canonical output format names (fixes #2269) (#2272) * Remove MetadataType from core package object and normalize JSON metadataType values (#1983) * chore(deps): bump github.com/docker/docker (#2263) * chore(deps): update stereoscope to 5909e353ee88d7809f0e646c79f110a0e6b1d80d (#2265) * chore(deps): update CPE dictionary index (#2271) * chore: fix cpe generation task (#2270) * chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 (#2262) * chore(deps): bump github/codeql-action from 2.22.4 to 2.22.5 (#2261) * chore(deps): update tools to latest versions (#2258) * chore(deps): bump github.com/go-git/go-git/v5 from 5.9.0 to 5.10.0 (#2256) * feat: Perform case insensitive matching on Java license files (#2235) * Split the sbom.Format interface by encode and decode use cases (#2186) * Upgrade tool management (#2188) * fix: 2179 jar chokes empty lines (#2254) * chore(deps): update CPE dictionary index (#2253) * fix CPE workflow (#2252) * feat: add conaninfo.txt parser to detect conan packages in docker images (#2234) * chore(deps): update bootstrap tools to latest versions (#2245) * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.6.0 to 4.6.1 (#2248) * chore(deps): bump github/codeql-action from 2.22.3 to 2.22.4 
(#2249) * fill version info from release and git directly (#2244) * Add ruby.NewGemSpecCataloger to DirectoryCatalogers. (#1971) * change homebrew release trigger (#2242) ------------------------------------------------------------------- Fri Nov 3 09:12:53 UTC 2023 - Johannes Kastl <kastl@b1-systems.de> - BuildRequire go1.21 ------------------------------------------------------------------- Sat Oct 21 18:16:53 UTC 2023 - kastl@b1-systems.de - Update to version 0.94.0: * Label PRs when the json schema changes (#2240) * Add download location when cataloging directory npm package lock (#2238) * fix: allow packages to be captured from DIST/EGG case (#2239) * Account for maven bundle plugin and fix filename matching (#2220) * chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 (#2236) * Remove internal string set (#2219) * bump clio to get stderr reporting fix (#2232) * Fix panic for empty input to Swift cataloger (#2226) * Add additional license filenames (#2227) * chore(deps): bump github/codeql-action from 2.22.2 to 2.22.3 (#2229) * chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#2222) * chore(deps): bump github/codeql-action from 2.22.1 to 2.22.2 (#2224) * Detect a license file in the root directory or META-INF of a jar (#2213) * Parse donet dependency trees (#2143) * chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#2214) * chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#2215) * chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#2216) * chore: add automated homebrew action (#2164) * Add relationships for dpkg packages (#2212) ------------------------------------------------------------------- Wed Oct 11 04:22:21 UTC 2023 - kastl@b1-systems.de - Update to version 0.93.0: * Parse the Maven license from the pom.xml if not contained in the mani… (#2115) * Refine the docs for building a cataloger (#2175) * Fix algo lookup by converting key to lower case (#2207) * chore(deps): bump 
github/codeql-action from 2.22.0 to 2.22.1 (#2208) * feat: add package for go compiler given binary detection (#2195) * chore(deps): bump github.com/docker/distribution from 2.8.2+incompatible to 2.8.3+incompatible (#2193) * chore(deps): bump github/codeql-action from 2.21.9 to 2.22.0 (#2202) * chore(deps): bump golang.org/x/net from 0.15.0 to 0.16.0 (#2204) * chore: update license list to 3.22 (#2201) * Add exact syntax of the conversion formats (#2196) * chore(deps): bump github.com/saferwall/pe from 1.4.6 to 1.4.7 (#2198) * chore(deps): bump golang.org/x/mod from 0.12.0 to 0.13.0 (#2199) * chore: removes unnecessary conditional (#2194) * chore: improve --output help text and deprecate --file (#2187) * chore(deps): bump modernc.org/sqlite from 1.25.0 to 1.26.0 (#2189) * chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#2191) * chore(deps): bump github/codeql-action from 2.21.8 to 2.21.9 (#2182) * chore(deps): update bootstrap tools to latest versions (#2178) * chore(deps): bump github.com/saferwall/pe from 1.4.5 to 1.4.6 (#2180) ------------------------------------------------------------------- Thu Oct 05 06:32:34 UTC 2023 - andrea.manzini@suse.com - Update to version 0.92.0: * bump deps to latest version * fix: deterministic java purls (#2170) - Update to version 0.91.0: * fix: prevent errors from clobbering terminal (#2161) * Require ordering of relationships when comparing parser output (#2160) * Add containerd support (#1793) * feat: add dependency information to conan lockfile parser (#2131) * fix: encode and decode FileLicenses and FileContents in Syft JSON (#2083) * feat: add cyclonedx schema version selection (#2123) * fix: allow cyclonedx json input with no components (#2127) * fix source-version typo in flag description (#2126) - Update to version 0.90.0: * fix(help): power-user help text to indicate it supports file-system (#2113) * fix: update codeql-analysis for go 1.21 (#2108) * feat(cmd/update): add UA header with current 
ver when check for update (#2100) * fix(cdx): validate external refs before encoding (#2091) * fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation (#2075) ------------------------------------------------------------------- Tue Sep 05 14:57:48 UTC 2023 - kastl@b1-systems.de - Update to version 0.89.0: * tidy gomod and gitignore (#2082) * fix quiet flag (#2081) * fix: in some cases, try to use pom info to guess name and version to top level jar (#2080) * fix: don't panic on universal go binaries (#2078) * chore: update CLI to CLIO (#2001) * Add registry certificate verification support (#1734) * fix: CPE generation for django (#2068) ------------------------------------------------------------------- Tue Sep 05 14:54:29 UTC 2023 - kastl@b1-systems.de - Update to version 0.88.0: * chore: update quill to the latest version (#2065) * fix: duplicate entries in cyclonedx dependency list (#2063) * Fix panic in pom parsing (#2064) * Fix: don't validate pom declared group (#2054) * chore: trace log pom property reflect usage (#2059) * fix: do not double-prefix symlink paths that already contain volume names (#2051) * feat: add bash classifier (#2055) * Detect golang boring crypto and fipsonly modules (#2021) * fix: properly parse conan ref and include user and channel (#2034) * chore(deps): bump github.com/charmbracelet/lipgloss from 0.7.1 to 0.8.0 (#2053) * Enable reading non-utf-8 encodings for java pom.xml files (#2047) * feat: 1944 - update purl generation to use a consistent groupID (#2033) * chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#2049) * chore(deps): update bootstrap tools to latest versions (#2048) * chore(deps): bump github.com/jinzhu/copier from 0.3.5 to 0.4.0 (#2045) * chore(deps): update CPE dictionary index (#2043) * fill out new version notice (#2042) ------------------------------------------------------------------- Tue Sep 05 14:49:59 UTC 2023 - kastl@b1-systems.de - Update to 
version 0.87.1: * feat: use java package names to determine known groupids (#2032) * fix: inconsistent removal of binaries by overlap (#2036) * fix: CycloneDX relationships not output or decoded properly (#1974) * chore: restore cataloger.DefaultConfig (#2028) ------------------------------------------------------------------- Tue Sep 05 14:31:00 UTC 2023 - kastl@b1-systems.de - Update to version 0.87.0: * fix: read direct package files when decoding SPDX tag-value (#2014) * chore(deps): update bootstrap tools to latest versions (#2022) * chore(deps): update CPE dictionary index (#2025) * chore(deps): update bootstrap tools to latest versions (#2012) * chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0 (#2008) * 1948-filter-pkg-by-type (#2011) * chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0 (#2009) * fix: SPDX license values and download location (#2007) * 931: binary cataloger exclusion defaults for ownership by overlap (#1948) * chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0 (#2004) * chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0 (#1998) * test: add coverage for new rpmdb paths (#1999) * chore: improve spdx purl decoding (#1996) * fix: gradle lockfile parser groupId handling (#1995) * fix: update glob to use newer usr/lib/sysimage path (#1997) * fix: opkg search glob (#1994) * feat: nginx binary classifier (#1988) * Expand deb cataloger to include opkg (#1985) * chore(deps): update bootstrap tools to latest versions (#1991) * chore(deps): bump github.com/google/go-containerregistry (#1993) * chore: update bubbly to fix hanging (#1990) * chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0 (#1989) * feat: use originator logic to fill supplier (#1980) * add metadata types to all cpe test fixtures (#1982) ------------------------------------------------------------------- Tue Aug 01 10:30:23 UTC 2023 - kastl@b1-systems.de - Update to version 0.86.1: * fix: default image source name to user input (#1979) 
------------------------------------------------------------------- Tue Aug 01 10:17:13 UTC 2023 - kastl@b1-systems.de - Update to version 0.86.0: * chore(deps): update stereoscope to d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975) * chore: update to latest commit in tools-golang (#1969) * Guess unpinned versions in python requirements.txt (#1966) * chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2 (#1965) * Fix panic condition on docker pull failure (#1968) * bump JSON schema to account for simplified python env markers (#1967) * feat: support top-level SPDX package and graph (#1934) * chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#1959) * Add cataloger for Swift Package Manager. (#1919) * chore(deps): update stereoscope to d515761c6ca2743a67d7d08053db69235ae76d1d (#1953) * chore(deps): bump github.com/docker/docker (#1955) * chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#1951) * Introduce indexed embedded CPE dictionary (#1897) * chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 (#1949) * Add support for parsing .NET assemblies (#1943) * docs: capture artifactory dev settings from 1895 (#1947) * remove build binary and add explicit git ignore * docs: update docs with new docker specific instructions (#1941) * remove jotframe UI (#1932) * fix: remove indirect dependency of circl v1.1.0 (#1940) * chore: move wait before iteration to guarantee read before tea (#1931) ------------------------------------------------------------------- Thu Jul 13 04:49:43 UTC 2023 - kastl@b1-systems.de - Update to version 0.85.0: * implement ui handle waiter (#1930) * fix: background reader apart from global handler for testing (#1929) * chore(deps): bump modernc.org/sqlite from 1.23.1 to 1.24.0 (#1928) * fix: allow valid cyclonedx input with no components (#1873) * fix: "or-later" suffix updated to consider deprecated "+" operator (#1907) * feat: CLI flag for directory base (#1867) * Fix CPE gen for k8s python client 
(#1921) * chore: update iterations to protect against race (#1927) * chore(deps): update bootstrap tools to latest versions (#1922) * fix: Don't use the actual redis or grpc CPEs for gems (#1926) * fix(install): return with right error code (#1915) * Remove erroneous Java CPEs from generation (#1918) * chore(deps): bump golang.org/x/net from 0.11.0 to 0.12.0 (#1916) * Switch UI to bubbletea (#1888) * fix: use filepath.EvalSymlinks if os.Readlink fails to evaluate the link (#1884) * add file source digest support (#1914) * chore(deps): update bootstrap tools to latest versions (#1908) * chore(deps): bump golang.org/x/mod from 0.11.0 to 0.12.0 (#1912) * chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (#1913) * doc(readme): add installation section with scoop (#1909) * Refactor source API (#1846) * chore(deps): update bootstrap tools to latest versions (#1905) ------------------------------------------------------------------- Fri Jun 30 04:42:50 UTC 2023 - kastl@b1-systems.de - Update to version 0.84.1: * chore(deps): update stereoscope to cd49355d934e9e09339e0b690398afe7bd9f63f1 (#1903) * chore(deps): update bootstrap tools to latest versions (#1902) * fix: discover deb file relationships in distroless images (#1901) * add oss community board auto-add workflow (#1898) * chore(deps): update stereoscope to 8c7173ebcf69187d480d4d8b0c6cafaa7aef7024 (#1890) * chore(deps): update bootstrap tools to latest versions (#1894) * fix: add support for Dart SDK package dependencies (#1891) * Simplify the SBOM writer interface (#1892) * fix: improve version detection in Java archive name parsing (#1889) * fix: only output valid cyclonedx license choices (#1879) * docs: clarify reasoning of default catalogers for images or directories (#1887) ------------------------------------------------------------------- Wed Jun 21 04:48:16 UTC 2023 - kastl@b1-systems.de - Update to version 0.84.0: * Configure chronicle to pre-1.0 mode (#1886) * chore: update SPDX license list to 3.21 
    (#1885)
  * chore(deps): update bootstrap tools to latest versions (#1880)
  * Pad artifact IDs (#1882)
  * chore(deps): bump golang.org/x/mod from 0.10.0 to 0.11.0 (#1878)

-------------------------------------------------------------------
Wed Jun 14 18:11:48 UTC 2023 - kastl@b1-systems.de

- Update to version 0.83.1:
  * chore(deps): bump modernc.org/sqlite from 1.23.0 to 1.23.1 (#1874)
  * chore(deps): update stereoscope to 5b5049bf4d3a99df9a2b1c31d5d52ddff7b5cec2 (#1871)
  * chore(deps): bump golang.org/x/net from 0.10.0 to 0.11.0 (#1876)
  * fix: pom properties not setting artifact id (#1870)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.1 to 0.5.2 (#1868)

-------------------------------------------------------------------
Mon Jun 12 19:35:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.83.0:
  * fix: handle invalid symlinks (#1861)
  * chore(deps): bump github.com/spdx/tools-golang from 0.5.0 to 0.5.1 (#1850)
  * chore(deps): update bootstrap tools to latest versions (#1857)
  * Pr 1825 (#1865)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#1862)
  * chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0 (#1863)
  * feat: source-version flag (#1859)
  * chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#1851)
  * accept main.version ldflags even without vcs (#1855)
  * feat: add scope to pom properties (#1779)
  * chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#1852)
  * chore(deps): bump github.com/docker/docker (#1849)
  * Add test to ensure package metadata is represented in the JSON schema (#1841)
  * Fix directory resolver to consider CWD and root path input correctly (#1840)
  * Migrate location-related structs to the file package (#1751)
  * chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#1843)

-------------------------------------------------------------------
Tue May 23 17:54:05 UTC 2023 - kastl@b1-systems.de

- Update to version 0.82.0:
  * fix: add panic recovery for license parse (#1839)
  * chore: return both failures when failed to retrieve an image with a scheme (#1801)
  * Extract go module versions from ldflags for binaries built by go (#1832)
  * fix: duplicate packages, support pnpm lockfile v6 (#1778)
  * chore(deps): update stereoscope to e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834)
  * chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#1829)
  * chore(deps): bump github.com/docker/docker (#1833)

-------------------------------------------------------------------
Tue May 23 07:31:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.81.0:
  * Keep original FileInfo persisted on file.Metadata structs (#1794)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#1827)
  * chore(deps): bump github.com/google/go-containerregistry (#1823)
  * chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822)
  * chore(deps): bump github.com/docker/docker (#1824)
  * fix: update field plurality of 8.0.0 schema before release (#1820)
  * fix: update cataloger to check for expressions before split (#1819)
  * feat: update syft license concept to complex struct (#1743)
  * fix: cyclonedx depends-on relationship inverted (#1816)
  * fix: retain sbom cataloger relationships (#1509)
  * feat: warn if parsing newer SBOM (#1810)
  * feat: Add R cataloger (#1790)
  * update cosign to v2 release (different go module) (#1805)
  * fix: Reduce log spam on unknown relationship type (#1797)
  * chore(deps): update bootstrap tools to latest versions (#1807)
  * chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
  * chore(deps): bump github.com/docker/docker (#1795)
  * chore(deps): bump github.com/google/go-containerregistry (#1796)
  * chore(deps): update bootstrap tools to latest versions (#1792)
  * Print package list when extra packages found (#1791)
  * chore(deps): update bootstrap tools to latest versions (#1786)
  * chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787)

-------------------------------------------------------------------
Fri May 05 19:51:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.80.0:
  * Update the CPE generation for spring-security-core (#1789)
  * chore: do not HTML escape PackageURLs (#1782)
  * chore: do not include kernel module cataloger by default (#1784)
  * chore(docs): Update lists of catalogers (#1780)
  * chore: add more detail on SPDX file IDs (#1769)
  * Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756)
  * chore(deps): bump github.com/docker/docker (#1767)
  * rename sbom.PackageCatalog to sbom.Packages (#1773)
  * chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)
  * Create python requirements metadata (#1759)
  * chore: update test redactor ordering (#1765)
  * rename pkg.Catalog to pkg.Collection (#1764)
  * chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0 (#1758)
  * chore: go-rpmdb update (#1757)
  * chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)
  * fix: Improve pnpm support (#1752)

-------------------------------------------------------------------
Sat Apr 22 14:33:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.79.0:
  * feat: Add template func `hasField` (#1754)
  * fix: only cache java packages and not source content (#1750)
  * Add sections of interest for Gemfile.lock cataloger (#1749)
  * fix: update cache.fingerprint file to java-builds dir (#1748)
  * Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
  * chore: bump stereoscope to latest version (#1741)
  * chore(deps): update bootstrap tools to latest versions (#1744)
  * chore(deps): bump github.com/docker/docker (#1746)

-------------------------------------------------------------------
Tue Apr 18 04:55:15 UTC 2023 - kastl@b1-systems.de

- Update to version 0.78.0:
  * Create consul binary classifier (#1738)
  * chore(deps): update bootstrap tools to latest versions (#1740)
  * Fix kernel cataloger test fixtures (#1742)
  * feat: Support scanning license files in golang packages over the network (#1630)
  * Add package-to-file location evidence relationships (#1698)
  * Add Linux Kernel cataloger (#1694)
  * Add annotations for evidence on package locations (#1723)
  * add format make target (#1733)
  * Update tests to not fail on Mac M1's. (#1730)

-------------------------------------------------------------------
Thu Apr 13 07:22:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.77.0:
  * chore(deps): update bootstrap tools to latest versions (#1728)
  * Add support for nar files. (#1727)
  * add highlevel details about catalogers (#1726)
  * chore(deps): bump golang.org/x/net from 0.8.0 to 0.9.0 (#1722)
  * chore(deps): update stereoscope to e95d60a265e384df29b7a139f5c5402d6ad72e06 (#1721)
  * feat: gradle lockfile support (#1719)
  * chore(deps): bump github.com/docker/docker (#1715)
  * chore(deps): bump golang.org/x/mod from 0.9.0 to 0.10.0 (#1713)
  * chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 (#1714)
  * chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 (#1716)
  * chore(deps): bump peter-evans/create-pull-request from 4 to 5 (#1712)

-------------------------------------------------------------------
Thu Apr 06 03:25:22 UTC 2023 - kastl@b1-systems.de

- Update to version 0.76.1:
  * chore: update tools-golang to v0.5.0 (#1717)
  * Add Nix cataloger (#1696)
  * refactor spdx tooling test to reduce intermittent failures (#1707)
  * Capture file ownership relationships from portage ecosystem (#1702)
  * chore: update deprecated set-output calls (#1705)

-------------------------------------------------------------------
Mon Apr 03 12:04:58 UTC 2023 - kastl@b1-systems.de

- Update to version 0.76.0:
  * feat: Add config option to allow user to select the default image source location
  * chore(deps): bump github.com/docker/docker (#1699)
  * chore(deps): update bootstrap tools to latest versions (#1697)
  * chore(deps): update stereoscope to d7551b7f46f53179922d6229709d3d1602881080 (#1693)
  * 1577 spdxlicense generate (#1691)
  * chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to 0.5.3 (#1692)
  * feat: scan local go mod cache for licenses of golang packages (#1645)
  * chore: fix flaky license sorting (#1690)
  * chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3 (#1689)
  * fix: shell completion by adding missing usage message required by spf13/cobra (#1688)
  * chore(deps): update bootstrap tools to latest versions (#1686)
  * chore: tweak some workflow text (#1685)
  * Remove more side effects from application config testing (#1684)
  * Deprecate config.yaml as valid config source; Add unit regression for correct config paths (#1640)
  * chore: Update syft bootstrap tools to latest versions. (#1682)
  * Update documentation: (#1680)
  * chore: Update Stereoscope to 7928713c391e20abaede6a029f4ce37b628a4c8b (#1681)
  * fix: reduce logging for bad dpkg lines (#1675)
  * fix ruby classifier (#1678)
  * feat: add shared dir for easier cleanup (#1676)
  * chore(deps): bump github.com/google/go-containerregistry (#1672)
  * chore(deps): bump actions/setup-go from 3 to 4 (#1671)
  * fix: move defer after error to protect panic case (#1670)
  * feat: add argocd, helm, kustomize and kubectl binary classifiers (#1663)
  * defer closing file (#1668)
  * fix: remove author contributing to javascript CPEs (#1669)

-------------------------------------------------------------------
Mon Mar 13 19:15:25 UTC 2023 - kastl@b1-systems.de

- Update to version 0.75.0:
  * fix: more python matching support (#1667)
  * Update syft bootstrap tools to latest versions. (#1666)
  * feat: add ruby classifier (#1665)

-------------------------------------------------------------------
Thu Mar 09 15:31:12 UTC 2023 - kastl@b1-systems.de

- Update to version 0.74.1:
  * Update syft bootstrap tools to latest versions.
    (#1658)
  * fix: improved Python binary detection (#1648)
  * fix: suppress some known incorrect vendor candidates for npm CPEs (#1659)
  * fix: sanitize SPDX LicenseRefs (#1657)
  * chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655)
  * chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653)
  * chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5 (#1654)
  * chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656)
  * fix: dotnet PURL types are invalid (#1649)
  * feat: disable cpe vendor wildcards to reduce false positives (#1647)
  * read relative etc/apk/repositories for alpine version when no OS provided (#1615)

-------------------------------------------------------------------
Fri Mar 03 05:40:08 UTC 2023 - kastl@b1-systems.de

- Update to version 0.74.0:
  * fix: possible race condition (#1639)
  * fix: remove APK OriginPackage cpe candidates (#1637)
  * fix: rebar lock file decoding panic (#1628)
  * fix: handle individual cataloger panics (#1636)
  * fix: apk product/vendor generation for old metadata (#1635)
  * feat: rust toolchain binary cataloger (#1601)
  * feat: retain go package info when no module declared (#1632)
  * fix: improved CPE-generation for several more APK packages (#1631)
  * chore: update deprecated release flag (#1629)
  * chore(deps): bump actions/upload-artifact from 2 to 3 (#1627)
  * feat: add support for SUPPORT_END in /etc/os-release (#1612)
  * fix: further improvements to CPE generation for apk packages (#1623)
  * chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (#1625)
  * chore(deps): bump actions/checkout from 2 to 3 (#1626)
  * feat: set cosign attest predicate type based on Syft output type (#1598)
  * chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4 (#1609)
  * fix: correct apk purls for other distros (#1620)
  * refactor: move apk upstream logic to apk metadata (#1619)
  * fix: decoding null apk metadata pullDependencies (#1614)
  * feat: haproxy binary matcher (#1591)
  * fix: determine upstream for apk version streams (#1610)
  * fix: improve CPE generation for curl APK (#1608)
  * Revert "add workaround for macos github actions cache issue (#1584)" (#1605)

-------------------------------------------------------------------
Thu Feb 23 10:37:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.73.0:
  * Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604)
  * chore: fix cataloger_test (#1603)
  * fix: merging of binary packages (#1583)
  * fix: issue when matching format versions (#1585)
  * chore: update syft bootstrap tools to latest versions. (#1593)
  * feat: add perl binary classifier (#1592)
  * Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602)
  * Update SPDX license list to 3.20 (#1600)
  * chore: update SPDX license list (#1599)
  * fix cataloger selection to be more specific (#1582)
  * add workaround for macos github actions cache issue (#1584)

-------------------------------------------------------------------
Thu Feb 16 17:31:12 UTC 2023 - kastl@b1-systems.de

- Update to version 0.72.0:
  * Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576)
  * chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574)
  * chore: update bug issue template (#1571)
  * allow convert to take stdin (#1570)
  * fix: improve CPE and upstream generation logic for Alpine packages (#1567)
  * fix: missing APK node vulnerabilities (#1565)
  * fix: python CPE generation for alpine (#1564)
  * chore(deps): bump github.com/docker/docker (#1563)

-------------------------------------------------------------------
Fri Feb 10 06:19:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.71.0:
  * switch from trigger-release target to release target (#1560)
  * Speed up cataloging by replacing globs searching with index lookups (#1510)
  * Update syft bootstrap tools to latest versions.
    (#1549)
  * Fix installed versions (#1556)
  * chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558)
  * feat: add postgresql classifier (#1536)
  * Add release trigger (#1501)
  * chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552)
  * chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551)
  * fix: add support for licenses not found on list (#1540)
  * Update syft bootstrap tools to latest versions. (#1541)
  * feat: Allow specific versions of formats to be specified (#1543)
  * Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539)
  * source: when base is set, responsePath should be absolute (#1542)

-------------------------------------------------------------------
Sat Feb 04 07:45:37 UTC 2023 - kastl@b1-systems.de

- Update to version 0.70.0:
  * fix: update config struct to not decode password/key (#1538)
  * Update syft bootstrap tools to latest versions. (#1537)
  * feat: add traefik classifier (#1504)
  * fix: don't hardcode Cosign attest type (#1533)
  * chore(deps): bump github.com/docker/docker (#1531)
  * Update syft bootstrap tools to latest versions. (#1530)

-------------------------------------------------------------------
Thu Feb 02 06:48:23 UTC 2023 - kastl@b1-systems.de

- Update to version 0.69.1:
  * chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
  * feat: update golang to 1.19 (#1526)
  * Update syft bootstrap tools to latest versions. (#1525)

-------------------------------------------------------------------
Tue Jan 31 15:04:23 UTC 2023 - kastl@b1-systems.de

- Update to version 0.69.0:
  * Allow scanning unpacked container filesystems (#1485)
  * fix: allow template for syft convert (#1521)
  * 1465 attestation with private key (#1502)

-------------------------------------------------------------------
Thu Jan 26 06:37:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.68.1:
  * fix: add relevant CPEs to python and busybox classifiers (#1517)
  * Update syft bootstrap tools to latest versions.
    (#1515)
  * chore: correct bootstrap tool script (#1514)
  * chore(deps): bump github.com/google/go-containerregistry (#1513)
  * Fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update (#1511)
  * chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505)
  * chore(deps): bump github.com/docker/docker (#1506)
  * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507)
  * chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508)
  * Bump github.com/spdx/tools-golang to v0.4.0 (#1450)

-------------------------------------------------------------------
Sat Jan 21 07:53:06 UTC 2023 - kastl@b1-systems.de

- Update to version 0.68.0:
  * Fix panic in apkdb parsing on empty "provides" values (#1494)
  * push detailed log statements to trace-level (#1500)
  * npm: package-lock license decoding to accept string or array (#1482)
  * always set the package ID for java packages (#1493)
  * fix: skip filling in empty fields in APK metadata (#1484)
  * chore(deps): bump github.com/facebookincubator/nvdtools (#1499)
  * chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498)
  * chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497)
  * chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496)
  * chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495)
  * Relax error conditions for catalogers (#1492)
  * feat: add memcached classifier (#1486)
  * chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488)
  * chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489)
  * chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490)
  * chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491)
  * chore(deps): bump github.com/google/go-containerregistry (#1487)
  * chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475)
  * chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477)
  * chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476)
  * chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474)
  * chore(deps): bump github/codeql-action from 1 to 2 (#1473)
  * chore(deps): bump actions/setup-go from 2 to 3 (#1472)
  * Add dependabot (#1451)
- skip non-existent release 0.67.x

-------------------------------------------------------------------
Fri Jan 20 09:56:19 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.2:
  * chore: use checkout v3 with new depth (#1471)
  * chore: use checkout v2 for tag depth (#1470)
  * fix: nil panic in graalvm cataloger (#1468)
  * add linter for type assertion checks (#1469)
  * fix: bump golang.org/x/net to v0.4.0 (#1467)
  * fix: bump golang.org/x/text to v0.3.8 (#1466)
  * bootstrap within composite action (#1461)
  * chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
  * README: update Nix installation instructions (#1455)

-------------------------------------------------------------------
Fri Jan 13 06:11:18 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.1:
  * fix: update graalvm cataloger to fix panic (#1454)
  * chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)

-------------------------------------------------------------------
Fri Jan 13 06:09:05 UTC 2023 - kastl@b1-systems.de

- Update to version 0.66.0:
  * feat: Add the origin field to the output format of syftjson (#1327)
  * chore: update schema (#1449)
  * feat: prefer known CPE vendors over other candidates (#1294)
  * fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
  * feat: add BeamVM Hex support (#1073)
  * feat: add apache httpd binary classifier (#1448)
  * chore: claim artifacthub package ownership from developer-guy (#881)
  * Parallel package catalog processing (#1355)
  * feat: Add php binary catalogers (#1444)
  * Update syft bootstrap tools to latest versions. (#1443)
  * fix: duplicate file in tar archive causes read to fail (#1445)
  * Add support for GraalVM Native Image executables.
    (#1276)
  * Add redis binary classifier (#1438)
  * docs: add cataloger construction summary (#1434)
  * chore: update bootstrap tools to latest versions. (#1428)
  * Add alpine type to purl (#1431)

-------------------------------------------------------------------
Thu Jan 05 14:00:02 UTC 2023 - kastl@b1-systems.de

- Update to version 0.65.0:
  * adding purl types for binary classifiers (#1435)
  * chore: refactor basic CPE functionality to its own package (#1436)
  * fix: typo in os.Getwd error message (#1433)
  * fix: additional excessive go binary warnings (#1432)
  * docs: migrate to homebrew-core (#1427)

-------------------------------------------------------------------
Wed Jan 04 15:47:49 UTC 2023 - kastl@b1-systems.de

- Update to version 0.64.0:
  * fix: unicode output in cyclonedx-json format (#1420)
  * fix: excessive go binary warnings (#1424)
  * feat: update spdx format model to produce valid spdx json documents (#1418)
  * clean package names in python parsers (#1417)
  * docs: update schema name to 2.3 (#1416)
  * feat: add h1digest when scanning go.mod (#1405)
  * feat: Add license parsing for java (#1385)
  * fix: cyclonedx component type for binaries (#1406)
  * fix: openjdk detection pattern (#1415)
  * bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
  * Add NetBSD support.
    (#1412)

-------------------------------------------------------------------
Fri Dec 16 12:37:58 UTC 2022 - kastl@b1-systems.de

- Update to version 0.63.0:
  * feat: add catalog delete (#1377)
  * docs: remove file classifier (#1397)
  * chore: update latest cyclonedx library (#1390)
  * feat: Add Java binary catalogers (#1392)
  * chore: Update SPDX license list to 3.19 (#1389)
  * fix: add manual vendor/product removal to fix false flags (#1070)
  * Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
  * chore: fix test busybox image sha (#1393)
  * fix: go version not properly identified in binary (#1384)

-------------------------------------------------------------------
Thu Dec 01 05:41:03 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.3:
  * Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
  * fix: Update node binary package name (#1375)
  * feat: Generic Binary Cataloger (#1336)
  * recover from bad parsing of golang binary (#1371)
  * Fix parsing of apk databases with large entries (#1365)
  * Update syft bootstrap tools to latest versions. (#1369)

-------------------------------------------------------------------
Mon Nov 28 18:06:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.2:
  * fix: guard for locations < 1 in alpmdb parse (#1366)
  * fix: remove cabal.project.freeze panic on last pkg (#1363)
  * fix: requirements.txt - return unicode only letter/num for version (#1361)
  * Update syft bootstrap tools to latest versions.
    (#1356)

-------------------------------------------------------------------
Mon Nov 21 15:12:29 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.1:
  * fix: sort relationships in SPDX output (#1350)
  * chore: add debug logging for decode errors (#1352)
  * feat(npm): handle aliases in package-lock.json (#1349)

-------------------------------------------------------------------
Sat Nov 19 12:04:28 UTC 2022 - kastl@b1-systems.de

- Update to version 0.62.0:
  * fix: spdx java checksum correctness (#1348)
  * feat: Add support for npm lockfile version 3 (#1206)

-------------------------------------------------------------------
Fri Nov 18 15:38:51 UTC 2022 - kastl@b1-systems.de

- Update to version 0.61.0:
  * 1111 clean name bug (#1347)
  * Add spdx relationship encoding for dependencies (#1342)
  * feat: SPDX 2.3 support (#1311)
  * SBOM cataloger (#1029)
  * chore: clean up linting configuration (#1343)
  * fix: Unmarshal Syft JSON with missing metadata (#1338)
  * fix apk decode for older data shapes (#1341)
  * chore: add unit test for wolfi os release identification (#1340)
  * fix: Output only valid CPEs for CycloneDX OS components (#1339)
  * feat: Add `--name` option to override name in output (#1269)
  * Add support for dependency relationships for alpine (apk) (#1063)
  * normalize alpm md5 refs (#1333)
  * Update java generic cataloger (#1329)
  * Support encoding map types to CycloneDX properties (#1332)
  * Update swift cataloger to generic cataloger (#1324)
  * port rust cataloger to new generic cataloger pattern (#1323)
  * port ruby cataloger to new generic cataloger pattern (#1322)
  * port rpm cataloger to new generic cataloger pattern (#1321)
  * port python cataloger to new generic cataloger pattern (#1319)
  * Update portage cataloger to new generic cataloger (#1316)
  * port php cataloger to new generic cataloger pattern (#1315)

-------------------------------------------------------------------
Tue Nov 15 09:52:45 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.3:
  * javascript cataloger: node binary: nil pointer dereference (#1313)
  * Fix: Include version information in binary cataloger CPEs (#1310)
  * fix: only generate PURL on empty string (#1312)
  * add s3 credentials to release (#1309)
  * port javascript cataloger to new generic cataloger pattern (#1308)

-------------------------------------------------------------------
Tue Nov 15 09:44:11 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.2:
  * chore: update goreleaser brew token (#1306)
  * fix: Decode binary and unknown metadata (#1307)

-------------------------------------------------------------------
Tue Nov 15 09:39:47 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.1:
  * chore: update github token permissions for goreleaser (#1305)

-------------------------------------------------------------------
Tue Nov 15 09:29:12 UTC 2022 - kastl@b1-systems.de

- Update to version 0.60.0:
  * fix: update ci secret to use new password (#1304)
  * fix: update secret value to use new cert chain (#1303)
  * fix: verbose quill release failures (#1302)
  * fix: unterminated quoted string (#1300)
  * fix: update Makefile to remove old signing arch (#1299)
  * feat: add nodejs-binary package classifier (#1296)
  * update go-rpmdb to improve parsing of installed files (#1297)
  * docs: update attestation directions with new cosign changes
  * fix: Continue parsing Python RECORD files when bad lines encountered (#1295)
  * Fix #1245 Update SPDX license list to 3.18 (#1259)
  * fix: Resolve Maven POM expressions (#1251) (#1278)
  * port haskell cataloger to new generic cataloger pattern (#1290)
  * port golang cataloger to new generic cataloger pattern (#1289)
  * port deb/dpkg cataloger to new generic cataloger pattern (#1288)
  * update cataloger tests to use pkgtest utils (#1287)
  * port dotnet cataloger to new generic cataloger pattern (#1286)
  * port dart cataloger to new generic cataloger pattern (#1285)
  * port conan cataloger to new generic cataloger pattern (#1284)
  * port apk cataloger to new generic cataloger pattern (#1283)
  * replace signing tooling with quill (#1280)
  * Upgrade generic cataloger (#1281)
  * Update syft bootstrap tools to latest versions. (#1282)
  * replace logger interface with anchore/go-logger (#1279)
  * Update syft bootstrap tools to latest versions. (#1267)
  * Add go binary h1 digest to SPDX (#1265)
  * fix: move reproduction to top of issue (#1264)
  * fix: update syftjson ID to match major schema version (#1274)
  * Use in-toto CycloneDX predicate to be compatible with cosign (#1270)
  * chore: handle deprecated SPDX license: StandardML-NJ (#1266)

-------------------------------------------------------------------
Tue Oct 18 05:11:08 UTC 2022 - kastl@b1-systems.de

- Update to version 0.59.0:
  * Fixes #1179 Deprecated SPDX license (#1263)
  * feat: add RelationshipsBySourceOwnership to syft json output (#1248)
  * fix: reset merged package into map; (#1258)
  * refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  * Update syft bootstrap tools to latest versions. (#1254)
  * Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  * Update syft bootstrap tools to latest versions. (#1244)
  * fix apkdb checksum representation (#1247)
  * feat: add identifiable field to source object (#1243)
  * feat: attest support for Singularity images (#1201)
  * Update syft bootstrap tools to latest versions. (#1239)
  * Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240)
  * fix: Follow symlinks when searching for globs in all-layers scope (#1221)
  * update requires to use list; remove field (#1234)

-------------------------------------------------------------------
Fri Sep 30 05:10:45 UTC 2022 - kastl@b1-systems.de

- Update to version 0.58.0:
  * Add Conan (C/C++) conan.lock file support (#1230)
  * add sequence diagrams and flesh out TODO notes (#1233)
  * Do not fail if unable to parse `.rpm` file (#1232)
  * fix: support exclude patterns on Windows (#1228)
  * Update syft bootstrap tools to latest versions.
    (#1225)
  * Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224)
  * Update syft bootstrap tools to latest versions. (#1223)
  * Update syft bootstrap tools to latest versions. (#1220)

-------------------------------------------------------------------
Wed Sep 21 08:27:42 UTC 2022 - kastl@b1-systems.de

- Update to version 0.57.0:
  * feat: catalog python files for installed-files.txt file metadata (#1217)
  * Stabilize SPDX JSON output sorting (#1216)
  * bug: remove chance for panic; provide default attestation path (#1214)
  * refactor: update Makefile organization; update DEVELOPING.md instructions (#1212)
  * refactor: replace ioutil=>io; update linter (#1211)
  * Update bootstrap tools to latest versions. (#1204)
  * Add gosimports (#1205)
  * refactor: move formats from internal into syft module (#1172)

-------------------------------------------------------------------
Tue Sep 13 12:42:32 UTC 2022 - kastl@b1-systems.de

- Update to version 0.56.0:
  * warn on errors from RPM DB parsing (#1200)
  * docs: improve Singularity image source docs (#1190)
  * Add RPM file scanning support (#1188)
  * Normalize syft-json output (#1194)
  * Revert "External sources configuration (#1158)" (#1191)
  * Update syft bootstrap tools to latest versions. (#1186)
  * Fix RPM DB license handling (#1184)
  * Update syft bootstrap tools to latest versions. (#1182)

-------------------------------------------------------------------
Wed Sep 07 05:42:57 UTC 2022 - kastl@b1-systems.de

- Update to version 0.55.0:
  * update stereoscope to latest (#1181)
  * Update syft bootstrap tools to latest versions. (#1180)
  * Bug fix for 1095 - syft conversion option error (#1177)
  * Update syft bootstrap tools to latest versions. (#1176)
  * enhance development support on macOS ARM (#1163)
  * Capture if a node module is private (#1161)
  * Find version numbers from jars with different naming conventions (#1174)
  * Update syft bootstrap tools to latest versions.
    (#1171)
  * Fix update-bootstrap-tools workflow (#1170)
  * workflow to create automated PRs to update bootstrap tools (#1167)
  * feat: add support for licenses in package-lock json v2 (#1164)
  * External sources configuration (#1158)
  * feat: add support for pnpm (#1166)
  * Prevent symlinks causing duplicate package-file relationships (#1168)

-------------------------------------------------------------------
Wed Sep 07 05:38:56 UTC 2022 - kastl@b1-systems.de

- Update to version 0.54.0:
  * Associate node package licenses from node_modules (#1152)
  * Give the contributing guide a substantial rework (#1155)
  * fix: extract file ids correctly for spdx-json (#1156)
  * metadata decoding should be optional (#1154)
  * Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151)
  * Add modularitylabel metadata to RPM type records generated by syft (#1148)
  * Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149)
  * retraction for mispublished versions (#1147)
  * cataloger configuration is respected regardless of source (#1142)
  * Update README.md (#1146)
  * bump cosign to v1.10.1 (#1144)

-------------------------------------------------------------------
Wed Sep 07 05:35:58 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.4:
  * Update stereoscope to get rid of the replace directive (#1140)

-------------------------------------------------------------------
Wed Sep 07 05:33:24 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.3:
  * Correct squashfs import and fix incorrect bouncer configuration (#1138)

-------------------------------------------------------------------
Wed Sep 07 05:31:12 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.2:
  * Overwrite deprecated SPDX licenses automatically (#1009)
  * disable release for docker assets (#1137)

-------------------------------------------------------------------
Wed Sep 07 05:29:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.1:
  * improve docker release bootstrap (#1136)
  * Singularity Image Support (#974)

-------------------------------------------------------------------
Wed Sep 07 05:25:20 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.0:
  * remove docker login from keychain (#1135)
  * remove ENV checks from signing script (#1134)
  * remove docker assets from main goreleaser configuration to reduce mac-os runner friction (#1133)
  * remove prefixed v from tag to match release (#1131)
  * rollback actions-setup-docker to earlier version (#1130)
  * Bump go-rustaudit to support rustaudit 0.2.0 (#1127)
  * bump bouncer to v0.4.0 (#1125)
  * Added ppc64le support to the syft:debug image (#1124)
  * add a cataloger for binaries built with rust-audit (#1116)
  * bump goreleaser to v1.10.3 (#1123)
  * bump golangci-lint to v1.47.2 (#1122)
  * bump cosign in bootstrap-tools to v1.10.0 (#1121)
  * Added s390x support (#1117)
  * Delete pr_action.yaml (#1120)
  * fix: use generic instead of not generating purl (#1119)
  * bump cosign to v1.10.0 (#1114)

-------------------------------------------------------------------
Thu Jul 21 15:12:29 UTC 2022 - kastl@b1-systems.de

- Update to version 0.52.0:
  * Update sigstore/rekor dependency (#1112)
  * Added ppc64le support (#1099)
  * patch-distroless-ghcr (#1110)
  * add distroless debug image to published release (#1106)
  * update help formatting (#1105)
  * feat: implement haskell support (#1096)
  * Add the -r argument for gnu xargs (#1103)
  * fix: -o output option to include formats (#1102)
  * moves go-rpmdb to latest; libc => v1.16.7 (#1098)

-------------------------------------------------------------------
Sat Jul 16 19:00:04 UTC 2022 - kastl@b1-systems.de

- Update to version 0.51.0:
  * feat: add support for cocoapods (Swift/Objective-C) (#1081)
  * Fix package url for Go modules with no / (#1092)
  * Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090)
  * feat: output attestation to file (#1087)
  * Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089)
  * Add portage support for Gentoo Linux (#1076)
  * Add PR action
back to workflow with new token (#1086) ------------------------------------------------------------------- Wed Jul 06 18:12:23 UTC 2022 - kastl@b1-systems.de - Update to version 0.50.0: * feat: add new login cmd (#1068) * update AltRpmDbGlob with comment and context (#1085) * feat: add support for conan packages (C/C++) (#1083) * add golang main module and pseudo-version (#916) * fix: add glob to filter list to ensure rpm metadata files are matched… (#1079) * remove pr automation until service account creation (#1080) * fix: purl generation for pom.xml (#1078) * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072) * fix: add new languages found in cpes (#1069) * fix: add php catalogers to all catalogers (#1065) * feat: add use-all-catalogers flag (#1050) ------------------------------------------------------------------- Mon Jun 27 13:20:51 UTC 2022 - kastl@b1-systems.de - Update to version 0.49.0: * Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926) * remove OSS Meetup message (#1057) * add pom.xml cataloger (#1055) * Add support for CBL-Mariner distroless images (#1045) * Add catalogers configuration (#1038) * add template output (#1051) ------------------------------------------------------------------- Wed Jun 22 08:47:26 UTC 2022 - kastl@b1-systems.de - Update to version 0.48.1: * update stereoscope to latest version (#1052) ------------------------------------------------------------------- Wed Jun 22 08:34:13 UTC 2022 - kastl@b1-systems.de - Update to version 0.48.0: * update zip_read_closer to incorporate zip64 support (#1041) * Add pacman (alpm) parser support (#943) ------------------------------------------------------------------- Wed Jun 22 08:23:30 UTC 2022 - kastl@b1-systems.de - Update to version 0.47.0: * Update of README.md (#1027) * bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025) * add workflows to test new project automation (#1023) * improve 
LanguageByName and add unit tests (#1034) * Read Description from dpkg status files (#996) * Add announcement for Anchore OSS Virtual Meetup (#1033) * add main module field to go bin metadata (#1026) * Add filters to package cataloger (#1021) * change draft to false for release process (#1016) * Support RPM distros with newer RPM db formats (#1018) * fix: add component list to prevent cyclone-dx panic (#1015) ------------------------------------------------------------------- Mon Jun 6 19:43:54 UTC 2022 - Johannes Kastl <kastl@b1-systems.de> - first version of package syft at version 0.46.3