Commit
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [DelineaXPM/dsv-cli](https://togithub.com/DelineaXPM/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` |
| [anchore/grype](https://togithub.com/anchore/grype) | minor | `v0.57.1` -> `v0.65.1` |
| [anchore/quill](https://togithub.com/anchore/quill) | minor | `v0.2.0` -> `v0.4.0` |
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.87.0` |
| [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.138.0` -> `v3.162.0` |
| [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` |
| [charmbracelet/gum](https://togithub.com/charmbracelet/gum) | minor | `v0.9.0` -> `v0.11.0` |
| [charmbracelet/vhs](https://togithub.com/charmbracelet/vhs) | minor | `v0.3.0` -> `v0.6.0` |
| [direnv/direnv](https://togithub.com/direnv/direnv) | patch | `v2.32.2` -> `v2.32.3` |
| [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.20.0` |
| [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.9.0` -> `v1.10.1` |
| [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` |
| [mikefarah/yq](https://togithub.com/mikefarah/yq) | minor | `v4.31.1` -> `v4.35.1` |
| [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.11.1` -> `v1.12.0` |
| [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` |
| [sharkdp/hyperfine](https://togithub.com/sharkdp/hyperfine) | minor | `v1.15.0` -> `v1.17.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
---

### Release Notes

<details>
<summary>DelineaXPM/dsv-cli</summary>

### [`v1.40.5`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1405---2023-05-12)

[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.4...v1.40.5)

##### 🐛 Bug Fix

- Windows cli version update check was looking for a binary with `windows` in the name, while the actual artifact is `win`.

### [`v1.40.4`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1404---2023-04-25)

[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.3...v1.40.4)

##### 🎉 Feature

- `dsv pool list`: new `--limit`, `-l`, `--cursor` flags. See `dsv pool list --help` for more details.

##### Related

- fixes [AB#​495586](https://togithub.com/AB/dsv-cli/issues/495586)
- related [AB#​495586](https://togithub.com/AB/dsv-cli/issues/495586)
- <https://github.com/andrii-zakurenyi>

##### Contributors

- [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi)

### [`v1.40.3`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1403---2023-04-04)

[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.2...v1.40.3)

##### 🐛 Bug Fix

- Fix the format of links to pre-built binaries.

##### Contributors

- [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi)

### [`v1.40.2`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1402---2023-03-03)

[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.1...v1.40.2)

##### 🔨 Refactor

- Allow defining command handlers which could return an error instead of exit code.
- Move store package to internal/store. Do not use custom ApiError in the store package.
- Reduce number of API calls in E2E tests by using CLI configuration profile instead of requesting a new token on each CLI run.

##### 🐛 Bug Fix

- Remove "v" prefix from https://dsv.secretsvaultcloud.com/cli-version.json which causes error messages in log.

##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) - [mariiatuzovska](https://togithub.com/mariiatuzovska) </details> <details> <summary>anchore/grype</summary> ### [`v0.65.1`](https://togithub.com/anchore/grype/releases/tag/v0.65.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.65.0...v0.65.1) ### #### [v0.65.1](https://togithub.com/anchore/grype/tree/v0.65.1) (2023-08-04) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.65.0...v0.65.1) ##### Bug Fixes - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[Issue #​1306](https://togithub.com/anchore/grype/issues/1306)] ### [`v0.65.0`](https://togithub.com/anchore/grype/releases/tag/v0.65.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.2...v0.65.0) ### Changelog #### [v0.65.0](https://togithub.com/anchore/grype/tree/v0.65.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.2...v0.65.0) ##### Added Features - feat: implement secondary sorting for default json output \[[PR #​1403](https://togithub.com/anchore/grype/pull/1403)] \[[spiffcs](https://togithub.com/spiffcs)] - Consistent sort order for grype output \[[Issue #​709](https://togithub.com/anchore/grype/issues/709)] \[[PR #​1400](https://togithub.com/anchore/grype/pull/1400)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Grype reading SPDX file with json output gets UnknownScheme error \[[Issue #​948](https://togithub.com/anchore/grype/issues/948)] - grype 0.64.0 doesn't list vulnerabilties if `--fail-on` fails \[[Issue #​1392](https://togithub.com/anchore/grype/issues/1392)] \[[PR #​1395](https://togithub.com/anchore/grype/pull/1395)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: bump quality gate label dataset \[[PR #​1404](https://togithub.com/anchore/grype/pull/1404)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### 
[`v0.64.2`](https://togithub.com/anchore/grype/releases/tag/v0.64.2) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.1...v0.64.2) ### Changelog #### [v0.64.2](https://togithub.com/anchore/grype/tree/v0.64.2) (2023-07-20) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.1...v0.64.2) ##### Bug Fixes - grype 0.64.0 doesn't list vulnerabilties if `--fail-on` fails \[[Issue #​1392](https://togithub.com/anchore/grype/issues/1392)] \[[PR #​1395](https://togithub.com/anchore/grype/pull/1395)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.64.1`](https://togithub.com/anchore/grype/releases/tag/v0.64.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.0...v0.64.1) ### Changelog #### [v0.64.1](https://togithub.com/anchore/grype/tree/v0.64.1) (2023-07-17) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.0...v0.64.1) ##### Bug Fixes - stop truncating template files [Issue #​1388](https://togithub.com/anchore/grype/issues/1388) [PR #​1391](https://togithub.com/anchore/grype/pull/1391) [willmurphyscode](https://togithub.com/willmurphyscode) ##### Additional Changes - Port UI to bubbletea \[[PR #​1385](https://togithub.com/anchore/grype/pull/1385)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.64.0`](https://togithub.com/anchore/grype/releases/tag/v0.64.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.63.1...v0.64.0) ### Changelog #### [v0.64.0](https://togithub.com/anchore/grype/tree/v0.64.0) (2023-07-13) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.63.1...v0.64.0) ##### Added Features - You can now list multiple output formats and files to write to disk with one command, like Syft: "-o format1=file1 -o format1=file2" \[[Issue #​648](https://togithub.com/anchore/grype/issues/648)] \[[PR #​1346](https://togithub.com/anchore/grype/pull/1346)] \[[olivierboudet](https://togithub.com/olivierboudet)] ##### Bug Fixes - Correctly detect format of 
CycloneDX XML SBOM with no components \[[Issue #​1005](https://togithub.com/anchore/grype/issues/1005)] - Fix vulnerability summary counts to be less confusing. \[[Issue #​1360](https://togithub.com/anchore/grype/issues/1360)] ##### Additional Changes - Port to new Syft source API \[[PR #​1376](https://togithub.com/anchore/grype/pull/1376)] \[[wagoodman](https://togithub.com/wagoodman)] - Include Syft 0.85.0 ### [`v0.63.1`](https://togithub.com/anchore/grype/releases/tag/v0.63.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.63.0...v0.63.1) ### Changelog #### [v0.63.1](https://togithub.com/anchore/grype/tree/v0.63.1) (2023-06-30) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.63.0...v0.63.1) ##### Bug Fixes - Add more log4j-adjacent package ignore rules \[[PR #​1358](https://togithub.com/anchore/grype/pull/1358)] \[[luhring](https://togithub.com/luhring)] - The summary by severity is confusing \[[Issue #​1312](https://togithub.com/anchore/grype/issues/1312)] \[[PR #​1359](https://togithub.com/anchore/grype/pull/1359)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.63.0`](https://togithub.com/anchore/grype/releases/tag/v0.63.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.3...v0.63.0) ### Changelog #### [v0.63.0](https://togithub.com/anchore/grype/tree/v0.63.0) (2023-06-21) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.3...v0.63.0) ##### Added Features - Always include the specific package name and version used in the vulnerability search in the matchDetails section of the output \[[PR #​1339](https://togithub.com/anchore/grype/pull/1339)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Expose Go template file that produces the table report \[[Issue #​629](https://togithub.com/anchore/grype/issues/629)] \[[PR #​1343](https://togithub.com/anchore/grype/pull/1343)] \[[jneate](https://togithub.com/jneate)] - Add a folder for community Go templates (see templates/README.md for more 
details) \[[Issue #​1316](https://togithub.com/anchore/grype/issues/1316)] ##### Breaking Changes - update Syft to v0.84.0: stereoscope platform fix and artifact ID padding \[[PR #​1354](https://togithub.com/anchore/grype/pull/1354)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ### [`v0.62.3`](https://togithub.com/anchore/grype/releases/tag/v0.62.3) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.2...v0.62.3) ### Changelog #### [v0.62.3](https://togithub.com/anchore/grype/tree/v0.62.3) (2023-06-05) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.2...v0.62.3) ##### Bug Fixes - Suppressed vulnerabilties are now correctly hidden, unless the --show-suppressed option is provided. \[[Issue #​1053](https://togithub.com/anchore/grype/issues/1053)] \[[Issue #​1278](https://togithub.com/anchore/grype/issues/1278)] \[[PR #​1322](https://togithub.com/anchore/grype/pull/1322)] \[[jamestran201](https://togithub.com/jamestran201)] ### [`v0.62.2`](https://togithub.com/anchore/grype/releases/tag/v0.62.2) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.1...v0.62.2) ### Changelog #### [v0.62.2](https://togithub.com/anchore/grype/tree/v0.62.2) (2023-05-26) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.1...v0.62.2) ### [`v0.62.1`](https://togithub.com/anchore/grype/releases/tag/v0.62.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.0...v0.62.1) ### Changelog #### [v0.62.1](https://togithub.com/anchore/grype/tree/v0.62.1) (2023-05-24) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.0...v0.62.1) #### Bug Fixes - Updated syft to v0.82.0 to address license parsing logic that may result in a panic \[[PR #​1313](https://togithub.com/anchore/grype/pull/1313)] ### [`v0.62.0`](https://togithub.com/anchore/grype/releases/tag/v0.62.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.61.1...v0.62.0) ### Changelog #### 
[v0.62.0](https://togithub.com/anchore/grype/tree/v0.62.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.61.1...v0.62.0) ##### Added Features - Add package qualifier for platform CPE \[[PR #​1291](https://togithub.com/anchore/grype/pull/1291)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Include timestamp and image name in reports \[[Issue #​1170](https://togithub.com/anchore/grype/issues/1170)] \[[PR #​1249](https://togithub.com/anchore/grype/pull/1249)] \[[jneate](https://togithub.com/jneate)] - Document command line flag for config file location \[[Issue #​1271](https://togithub.com/anchore/grype/issues/1271)] \[[PR #​1274](https://togithub.com/anchore/grype/pull/1274)] \[[jneate](https://togithub.com/jneate)] - Add support for Mariner distribution \[[Issue #​1220](https://togithub.com/anchore/grype/issues/1220)] - Add support for Syft IDs in JSON output \[[PR #​1266](https://togithub.com/anchore/grype/pull/1266)] \[[luhring](https://togithub.com/luhring)] ##### Bug Fixes - False positive with pkg:rpm PURLs \[[Issue #​1031](https://togithub.com/anchore/grype/issues/1031)] \[[PR #​1237](https://togithub.com/anchore/grype/pull/1237)] \[[Shanedell](https://togithub.com/Shanedell)] - Specifying "extras" in pip / requirements.txt results in false negative \[[Issue #​1246](https://togithub.com/anchore/grype/issues/1246)] - CycloneDX dependencies relationships inverted \[[Issue #​1294](https://togithub.com/anchore/grype/issues/1294)] ##### Additional Changes - docs: add "cyclonedx-json" to output formats \[[PR #​1252](https://togithub.com/anchore/grype/pull/1252)] \[[HNKNTA](https://togithub.com/HNKNTA)] - chore: update quality gate labels and add keycloak \[[PR #​1255](https://togithub.com/anchore/grype/pull/1255)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Install skopeo during bootstrap \[[PR #​1260](https://togithub.com/anchore/grype/pull/1260)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - 
Replace deprecated io/ioutil calls \[[PR #​1296](https://togithub.com/anchore/grype/pull/1296)] \[[testwill](https://togithub.com/testwill)] - Fix reading syft json from stdin by redirect \[[PR #​1299](https://togithub.com/anchore/grype/pull/1299)] \[[devfbe](https://togithub.com/devfbe)] - Add gitignore for default build target \[[PR #​1305](https://togithub.com/anchore/grype/pull/1305)] \[[testwill](https://togithub.com/testwill)] ### [`v0.61.1`](https://togithub.com/anchore/grype/releases/tag/v0.61.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.61.0...v0.61.1) ### Changelog #### [v0.61.1](https://togithub.com/anchore/grype/tree/v0.61.1) (2023-04-21) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.61.0...v0.61.1) ##### Bug Fixes - :grey_question: Parsing dpkg status: extracting key-value from line: usr/lib/os-release err: cannot parse field \[[Issue #​1195](https://togithub.com/anchore/grype/issues/1195)] - Grype suggesting to upgrade to a version already used. 
\[[Issue #​1209](https://togithub.com/anchore/grype/issues/1209)] ##### Additional Changes - feat: add timestamp to json output ([#​1170](https://togithub.com/anchore/grype/issues/1170)) \[[PR #​1249](https://togithub.com/anchore/grype/pull/1249)] \[[jneate](https://togithub.com/jneate)] ### [`v0.61.0`](https://togithub.com/anchore/grype/releases/tag/v0.61.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.60.0...v0.61.0) ### Changelog #### [v0.61.0](https://togithub.com/anchore/grype/tree/v0.61.0) (2023-04-04) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.60.0...v0.61.0) ##### Added Features - feat: Add config option to prefer registry over local Docker when scanning an image \[[Issue #​1204](https://togithub.com/anchore/grype/issues/1204)] \[[PR #​1215](https://togithub.com/anchore/grype/pull/1215)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - chore: update quality gate dataset \[[PR #​1206](https://togithub.com/anchore/grype/pull/1206)] \[[westonsteimel](https://togithub.com/westonsteimel)] - chore: update deprecated set-output calls \[[PR #​1210](https://togithub.com/anchore/grype/pull/1210)] \[[kzantow](https://togithub.com/kzantow)] - chore: update syft \[[PR #​1211](https://togithub.com/anchore/grype/pull/1211)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.60.0`](https://togithub.com/anchore/grype/releases/tag/v0.60.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.59.1...v0.60.0) ### Changelog #### [v0.60.0](https://togithub.com/anchore/grype/tree/v0.60.0) (2023-03-28) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.59.1...v0.60.0) ##### Added Features - feat: disable CPE-based matching by default for javascript \[[PR #​1180](https://togithub.com/anchore/grype/pull/1180)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Improve --by-cve report performance \[[Issue #​1185](https://togithub.com/anchore/grype/issues/1185)] \[[PR 
#​1188](https://togithub.com/anchore/grype/pull/1188)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.59.1`](https://togithub.com/anchore/grype/releases/tag/v0.59.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.59.0...v0.59.1) ### Changelog #### [v0.59.1](https://togithub.com/anchore/grype/tree/v0.59.1) (2023-03-09) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.59.0...v0.59.1) ##### Bug Fixes - fix: correct APK CPE version comparison logic \[[PR #​1165](https://togithub.com/anchore/grype/pull/1165)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.59.0`](https://togithub.com/anchore/grype/releases/tag/v0.59.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.58.0...v0.59.0) ### Changelog #### [v0.59.0](https://togithub.com/anchore/grype/tree/v0.59.0) (2023-03-03) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.58.0...v0.59.0) ##### Added Features - Add the total types of vulnerabilities in Grype output \[[Issue #​877](https://togithub.com/anchore/grype/issues/877)] \[[PR #​946](https://togithub.com/anchore/grype/pull/946)] \[[zhiburt](https://togithub.com/zhiburt)] ##### Additional Changes - chore: bump quality gate labels and syft version \[[PR #​1156](https://togithub.com/anchore/grype/pull/1156)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.58.0`](https://togithub.com/anchore/grype/releases/tag/v0.58.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.57.1...v0.58.0) ### Changelog #### [v0.58.0](https://togithub.com/anchore/grype/tree/v0.58.0) (2023-03-02) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.57.1...v0.58.0) ##### Security Fixes - chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 \[[PR #​1134](https://togithub.com/anchore/grype/pull/1134)] \[[dependabot](https://togithub.com/dependabot)] ##### Added Features - add grype image to ArtifactHub \[[Issue 
#​613](https://togithub.com/anchore/grype/issues/613)] \[[PR #​639](https://togithub.com/anchore/grype/pull/639)] \[[developer-guy](https://togithub.com/developer-guy)] ##### Bug Fixes - Grype with version v.0.55 take 3 hour to scan the image \[[Issue #​1063](https://togithub.com/anchore/grype/issues/1063)] - Unable to install Grype \[[Issue #​1102](https://togithub.com/anchore/grype/issues/1102)] ##### Additional Changes - chore: update progress monitor handling \[[PR #​1149](https://togithub.com/anchore/grype/pull/1149)] \[[kzantow](https://togithub.com/kzantow)] - distro: Disable support for Arch Linux \[[PR #​1152](https://togithub.com/anchore/grype/pull/1152)] \[[Foxboron](https://togithub.com/Foxboron)] </details> <details> <summary>anchore/quill</summary> ### [`v0.4.0`](https://togithub.com/anchore/quill/releases/tag/v0.4.0) [Compare Source](https://togithub.com/anchore/quill/compare/v0.2.0...v0.4.0) ### Changelog #### [v0.4.0](https://togithub.com/anchore/quill/tree/v0.4.0) (2023-04-12) [Full Changelog](https://togithub.com/anchore/quill/compare/v0.2.0...v0.4.0) ##### Added Features - Embed the Apple root and intermediate certificates directly into quill \[[Issue #​8](https://togithub.com/anchore/quill/issues/8)] \[[PR #​34](https://togithub.com/anchore/quill/pull/34)] \[[wagoodman](https://togithub.com/wagoodman)] - Add netbsd/amd64 release binaries \[[Issue #​17](https://togithub.com/anchore/quill/issues/17)] \[[PR #​39](https://togithub.com/anchore/quill/pull/39)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Don't attempt to notarize unsigned binaries \[[Issue #​14](https://togithub.com/anchore/quill/issues/14)] \[[PR #​41](https://togithub.com/anchore/quill/pull/41)] \[[wagoodman](https://togithub.com/wagoodman)] - Signing Is Failing for P12 With Chain File \[[Issue #​16](https://togithub.com/anchore/quill/issues/16)] \[[PR #​34](https://togithub.com/anchore/quill/pull/34)] \[[wagoodman](https://togithub.com/wagoodman)] ##### 
Additional Changes - fix: bump golang.org/x/net to v0.4.0 \[[PR #​19](https://togithub.com/anchore/quill/pull/19)] \[[westonsteimel](https://togithub.com/westonsteimel)] </details> <details> <summary>anchore/syft</summary> ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #​1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #​1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #​931](https://togithub.com/anchore/syft/issues/931)] \[[PR #​1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #​1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #​1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #​1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #​1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #​2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #​1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #​1995](https://togithub.com/anchore/syft/pull/1995)] 
\[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #​1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #​1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. 
\[[PR #​1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #​1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #​1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #​1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #​1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #​1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #​1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #​1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #​1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #​1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #​1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #​1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for 
scans (this option was previously exposed via API only) \[[PR #​1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #​1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #​1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #​1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #​1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #​1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #​1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #​1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #​1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #​1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #​1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #​1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #​1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #​1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #​1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR 
#​1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #​1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #​1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #​1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #​1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #​1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #​1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #​1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #​1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #​1882](https://togithub.com/anchore/syft/pull/1882)] 
\[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #​1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #​1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #​1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #​1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #​1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). 
\[[Issue #​1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #​1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #​1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #​1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #​1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #​1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #​1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #​1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #​1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #​1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #​1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #​1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #​1832](https://togithub.com/anchore/syft/pull/1832)] 
\[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #​1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #​1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #​1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #​1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #​730](https://togithub.com/anchore/syft/issues/730)] \[[PR #​1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #​1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #​1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #​1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #​1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #​1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by 
form-lib=syft \[[Issue #​1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #​1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #​1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #​1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #​1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #​1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #​1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #​1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #​1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #​1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #​1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #​1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #​1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR 
#​1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #​1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #​1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #​1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #​1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #​1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #​1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #​1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #​1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #​1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #​1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #​1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### 
[v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #​1694](https://togithub.com/anchore/syft/pull/1694)] \[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #​1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #​1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #​1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #​1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #​1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #​1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #​1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #​1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #​1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare 
Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem \[[PR #​1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub.com/wagoodman)] - Add Nix Cataloger \[[Issue #​462](https://togithub.com/anchore/syft/issues/462)] \[[PR #​1107](https://togithub.com/anchore/syft/pull/1107)] \[[juliosueiras](https://togithub.com/juliosueiras)] \[[PR #​1696](https://togithub.com/anchore/syft/pull/1696)] \[[wagoodman](https://togithub.com/wagoodman)] \[[flokli](https://togithub.com/flokli)] ### [`v0.76.0`](https://togithub.com/anchore/syft/releases/tag/v0.76.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ### Changelog #### [v0.76.0](https://togithub.com/anchore/syft/tree/v0.76.0) (2023-03-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ##### Added Features - Scan local go mod licenses for golang packages \[[PR #​1645](https://togithub.com/anchore/syft/pull/1645)] \[[deitch](https://togithub.com/deitch)] - update and clean license list generation to return more SPDXID for more inputs \[[PR #​1691](https://togithub.com/anchore/syft/pull/1691)] \[[spiffcs](https://togithub.com/spiffcs)] - argocd binary classifier \[[Issue #​1606](https://togithub.com/anchore/syft/issues/1606)] \[[PR #​1663](https://togithub.com/anchore/syft/pull/1663)] \[[y12studio](https://togithub.com/y12studio)] - Add config option to allow user to select the default image source location \[[Issue #​1703](https://togithub.com/anchore/syft/pull/1703)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Defer closing the opened file when using FileScheme \[[PR #​1668](https://togithub.com/anchore/syft/pull/1668)] \[[Noxsios](https://togithub.com/Noxsios)] 
- fix: remove author contributing to javascript CPEs \[[PR #​1669](https://togithub.com/anchore/syft/pull/1669)] \[[kzantow](https://togithub.com/kzantow)] - fix: reduce logging for bad dpkg lines \[[PR #​1675](https://togithub.com/anchore/syft/pull/1675)] \[[kzantow](https://togithub.com/kzantow)] - Broken shell completion - Bash \[[Issue #​962](https://togithub.com/anchore/syft/issues/962)] \[[PR #​1688](https://togithub.com/anchore/syft/pull/1688)] \[[DanHam](https://togithub.com/DanHam)] - syft produces different output when run with sudo \[[Issue #​1391](https://togithub.com/anchore/syft/issues/1391)] \[[PR #​1693](https://togithub.com/anchore/syft/pull/1693)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - some binary ruby are not detected \[[Issue #​1677](https://togithub.com/anchore/syft/issues/1677)] \[[PR #​1678](https://togithub.com/anchore/syft/pull/1678)] \[[witchcraze](https://togithub.com/witchcraze)] - Documentation says that output is SPDX 2.2 \[[Issue #​1679](https://togithub.com/anchore/syft/issues/1679)] \[[PR #​1680](https://togithub.com/anchore/syft/pull/1680)] \[[vargenau](https://togithub.com/vargenau)] - fix: move defer after error to protect panic case \[[PR #​1670](https://togithub.com/anchore/syft/pull/1670)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Deprecate config.yaml as valid config source; Add unit regression for correct config paths \[[PR #​1640](https://togithub.com/anchore/syft/pull/1640)] \[[AidanDelaney](https://togithub.com/AidanDelaney)] - Remove more side effects from application config testing \[[PR #​1684](https://togithub.com/anchore/syft/pull/1684)] \[[wagoodman](https://togithub.com/wagoodman)] - chore: tweak some workflow text \[[PR #​1685](https://togithub.com/anchore/syft/pull/1685)] \[[kzantow](https://togithub.com/kzantow)] - chore: fix flaky license sorting \[[PR #​1690](https://togithub.com/anchore/syft/pull/1690)] 
\[[kzantow](https://togithub.com/kzantow)] ### [`v0.75.0`](https://togithub.com/anchore/syft/releases/tag/v0.75.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.74.1...v0.75.0) ### Changelog #### [v0.75.0](https://togithub.com/anchore/syft/tree/v0.75.0) (2023-03-13) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.74.1...v0.75.0) ##### Added Features - Catalog ruby binary \[[Issue #​1650](https://togithub.com/anchore/syft/issues/1650)] \[[PR #​1665](https://togithub.com/anchore/syft/pull/1665)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - more python matching support \[[PR #​1667](https://togithub.com/anchore/syft/pull/1667)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.74.1`](https://togithub.com/anchore/syft/releases/tag/v0.74.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.74.0...v0.74.1) ### Changelog #### [v0.74.1](https://togithub.com/anchore/syft/tree/v0.74.1) (2023-03-09) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.74.0...v0.74.1) ##### Bug Fixes - purl for apk packages missing when installed db file is not in root \[[Issue #​1572](https://togithub.com/anchore/syft/issues/1572)] \[[PR #​1615](https://togithub.com/anchore/syft/pull/1615)] \[[deitch](https://togithub.com/deitch)] - invalid package url type: dotnet \[[Issue #​1622](https://togithub.com/anchore/syft/issues/1622)] \[[PR #​1649](https://togithub.com/anchore/syft/pull/1649)] \[[kzantow](https://togithub.com/kzantow)] - Go tests detecting race cataloging packages \[[Issue #​1633](https://togithub.com/anchore/syft/issues/1633)] \[[PR #​1639](https://togithub.com/anchore/syft/pull/1639)] \[[kzantow](https://togithub.com/kzantow)] - Improve Python binary scanning \[[Issue #​1643](https://togithub.com/anchore/syft/issues/1643)] \[[PR #​1648](https://togithub.com/anchore/syft/pull/1648)] \[[kzantow](https://togithub.com/kzantow)] - Update haproxy binary matcher \[[Issue 
#​1646](https://togithub.com/anchore/syft/issues/1646)] \[[PR #​1648](https://togithub.com/anchore/syft/pull/1648)] \[[kzantow](https://togithub.com/kzantow)] - SPDX tag-value SBOM value format is incorrect for LicenseID \[[Issue #​1651](https://togithub.com/anchore/syft/issues/1651)] \[[PR #​1657](https://togithub.com/anchore/syft/pull/1657)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.74.0`](https://togithub.com/anchore/syft/releases/tag/v0.74.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.73.0...v0.74.0) ### Changelog #### [(v0.74.0)](https://togithub.com/anchore/syft/tree/v0.74.0) (2023-03-02) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.73.0...v0.74.0) ##### Added Features - rust toolchain binary cataloger \[[PR #​1601](https://togithub.com/anchore/syft/pull/1601)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Add support for SUPPORT_END in distro \[[PR #​1612](https://togithub.com/anchore/syft/pull/1612)] \[[noqcks](https://togithub.com/noqcks)] - Catalog haproxy binary \[[Issue #​1512](https://togithub.com/anchore/syft/issues/1512)] \[[PR #​1591](https://togithub.com/anchore/syft/pull/1591)] \[[noqcks](https://togithub.com/noqcks)] - Handle cataloger panics \[[Issue #​1624](https://togithub.com/anchore/syft/issues/1624)] \[[PR #​1636](https://togithub.com/anchore/syft/pull/1636)] \[[kzantow](https://togithub.com/kzantow)] - set cosign attest predicate type based on Syft output type \[[PR #​1598](https://togithub.com/anchore/syft/pull/1598)] \[[Nirusu](https://togithub.com/Nirusu)] - retain go package info when no module declared \[[PR #​1632](https://togithub.com/anchore/syft/pull/1632)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Bug Fixes - improve CPE generation for curl APK \[[PR #​1608](https://togithub.com/anchore/syft/pull/1608)] \[[westonsteimel](https://togithub.com/westonsteimel)] - determine upstream for apk version streams \[[PR 
#​1610](https://togithub.com/anchore/syft/pull/1610)] \[[westonsteimel](https://togithub.com/westonsteimel)] - decoding null apk metadata pullDependencies \[[PR #​1614](https://togithub.com/anchore/syft/pull/1614)] \[[kzantow](https://togithub.com/kzantow)] - correct apk purls for other distros \[[PR #​1620](https://togithub.com/anchore/syft/pull/1620)] \[[westonsteimel](https://togithub.com/westonsteimel)] - further improvements to CPE generation for apk packages \[[PR #​1623](https://togithub.com/anchore/syft/pull/1623)] \[[westonsteimel](https://togithub.com/westonsteimel)] - improved CPE-generation for several more APK packages \[[PR #​1631](https://togithub.com/anchore/syft/pull/1631)] \[[westonsteimel](https://togithub.com/westonsteimel)] - apk product/vendor generation for old metadata \[[PR #​1635](https://togithub.com/anchore/syft/pull/1635)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Encountering "cycle during symlink resolution" with syft version 0.71.0 onwards \[[Issue #​1586](https://togithub.com/anchore/syft/issues/1586)] \[[PR #​1604](https://togithub.com/anchore/syft/pull/1604)] \[[wagoodman](https://togithub.com/wagoodman)] - syft erlang cataloger can segfault when analyzing an erlang project containing rebar.lock with nested deps \[[Issue #​1621](https://togithub.com/anchore/syft/issues/1621)] \[[PR #​1628](https://togithub.com/anchore/syft/pull/1628)] \[[kzantow](https://togithub.com/kzantow)] - Go tests detecting race cataloging packages \[[Issue #​1633](https://togithub.com/anchore/syft/issues/1633)] \[[PR #​1639](https://togithub.com/anchore/syft/pull/1639)] \[[kzantow](https://togithub.com/kzantow)] </details> <details> <summary>aquaproj/aqua-registry</summary> ### [`v3.162.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.162.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.161.0...v3.162.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.162.0) | 
[Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.162.0) | https://github.com/aquaproj/aqua-registry/compare/v3.161.0...v3.162.0 #### 🎉 New Packages [#​11839](https://togithub.com/aquaproj/aqua-registry/issues/11839) [Madh93/tpm](https://togithub.com/Madh93/tpm): A package manager for Terraform providers [@​ponkio-o](https://togithub.com/ponkio-o) ### [`v3.161.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.161.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.160.0...v3.161.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.161.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.161.0) | https://github.com/aquaproj/aqua-registry/compare/v3.160.0...v3.161.0 #### 🎉 New Packages [#​11838](https://togithub.com/aquaproj/aqua-registry/issues/11838) [gopinath-langote/1build](https://togithub.com/gopinath-langote/1build): Frictionless way of managing project-specific commands ### [`v3.160.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.160.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.159.0...v3.160.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.160.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.160.0) | https://github.com/aquaproj/aqua-registry/compare/v3.159.0...v3.160.0 #### 🎉 New Packages [#​11817](https://togithub.com/aquaproj/aqua-registry/issues/11817) [abice/go-enum](https://togithub.com/abice/go-enum): An enum generator for go #### Fixes [#​11837](https://togithub.com/aquaproj/aqua-registry/issues/11837) ysugimoto/falco: Use tar.gz from falco v0.20.2 [@​ponkio-o](https://togithub.com/ponkio-o) ### [`v3.159.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.159.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.158.1...v3.159.0) 
[Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.159.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.159.0) | https://github.com/aquaproj/aqua-registry/compare/v3.158.0...v3.159.0 #### 🎉 New Packages [#​11807](https://togithub.com/aquaproj/aqua-registry/issues/11807) [kubecfg/kubecfg](https://togithub.com/kubecfg/kubecfg): A tool for managing complex enterprise Kubernetes environments as code [#​11808](https://togithub.com/aquaproj/aqua-registry/issues/11808) [loov/goda](https://togithub.com/loov/goda): Go Dependency Analysis toolkit #### Fixes [#​11806](https://togithub.com/aquaproj/aqua-registry/issues/11806) solidiquis/erdtree: Follow up changes of erdtree v2.0.0 https://github.com/solidiquis/erdtree/releases/tag/v2.0.0 > Perhaps the most important change to note is that the compiled binary has been renamed from et to erd in order to address the following issue > regarding name collisions with other programs > > - [https://github.com/solidiquis/erdtree/issues/23](https://togithub.com/solidiquis/erdtree/issues/23) ### [`v3.158.1`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.158.1) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.158.0...v3.158.1) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.158.1) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.158.1) | https://github.com/aquaproj/aqua-registry/compare/v3.158.0...v3.158.1 #### Fixes [#​11790](https://togithub.com/aquaproj/aqua-registry/issues/11790) Follow up changes of cli/cli v2.28.0 [@​kyontan](https://togithub.com/kyontan) GitHub's CLI (cli/cli) changed format for macOS to zip (from tar.gz) since v2.28.0 See https://github.com/cli/cli/releases/tag/v2.28.0 for details. 
### [`v3.158.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.158.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.157.0...v3.158.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.158.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.158.0) | https://github.com/aquaproj/aqua-registry/compare/v3.157.0...v3.158.0 #### 🎉 New Packages [#​11692](https://togithub.com/aquaproj/aqua-registry/issues/11692) [hexdigest/gowrap](https://togithub.com/hexdigest/gowrap): GoWrap is a command line tool for generating decorators for Go interfaces [#​11691](https://togithub.com/aquaproj/aqua-registry/issues/11691) [knqyf263/go-plugin](https://togithub.com/knqyf263/go-plugin): Go Plugin System over WebAssembly [#​11667](https://togithub.com/aquaproj/aqua-registry/issues/11667) [wasmerio/wasmer](https://togithub.com/wasmerio/wasmer): The leading WebAssembly Runtime supporting WASI and Emscripten ### [`v3.157.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.157.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.156.0...v3.157.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.157.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.157.0) | https://github.com/aquaproj/aqua-registry/compare/v3.156.0...v3.157.0 #### 🎉 New Packages [#​11604](https://togithub.com/aquaproj/aqua-registry/issues/11604) [WebAssembly/binaryen](https://togithub.com/WebAssembly/binaryen): Optimizer and compiler/toolchain library for WebAssembly [@​knqyf263](https://togithub.com/knqyf263) :tada: New Contributor # </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 
👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>