Bump github.com/anchore/syft from 0.60.3 to 0.62.1 #427

dependabot · 2022-11-22T05:04:04Z

Bumps github.com/anchore/syft from 0.60.3 to 0.62.1.

Release notes

Sourced from github.com/anchore/syft's releases.

v0.62.1

Changelog

v0.62.1 (2022-11-21)

Full Changelog

Bug Fixes

fix(npm): handle aliases in package-lock.json [[Issue #1314](https://github-redirect.dependabot.com/syft fails to resolve npm package aliases anchore/syft#1314)] [Mikcl]

chore: add debug logging for decode errors [[PR #1352](https://github-redirect.dependabot.com/chore: add debug logging for decode errors anchore/syft#1352)] [kzantow]

fix: sort relationships in SPDX output [[Issue #1213](https://github-redirect.dependabot.com/SPDX-json output differs between cli and golang implementation anchore/syft#1213)] [kzantow]

v0.62.0

Changelog

v0.62.0 (2022-11-18)

Full Changelog

Added Features

NPM package-lock.json version 3 [[Issue #1203](https://github-redirect.dependabot.com/NPM package-lock.json version 3 anchore/syft#1203)]

Bug Fixes

Don't replace : with - in docker SPDX namespaces [[Issue #1111](https://github-redirect.dependabot.com/Don't replace : with - in docker SPDX namespaces anchore/syft#1111)]

v0.61.0

Changelog

v0.61.0 (2022-11-18)

Full Changelog

Added Features

Add support for map fields in CycloneDX (XML and JSON) [[Issue #1032](https://github-redirect.dependabot.com/Add support for map fields in CycloneDX (XML and JSON) anchore/syft#1032)]

Dependency's MIT license not picked up when scanning package-lock.json [[Issue #1113](https://github-redirect.dependabot.com/Dependency's MIT license not picked up when scanning package-lock.json anchore/syft#1113)]

Support SPDX 2.3 [[Issue #1292](https://github-redirect.dependabot.com/Support SPDX 2.3 anchore/syft#1292)]

Bug Fixes

Normalize alpm md5 refs [[PR #1333](https://github-redirect.dependabot.com/Normalize alpm md5 refs anchore/syft#1333)] [wagoodman]

APK Metadata decoding should be backwards compatible [[PR #1341](https://github-redirect.dependabot.com/APK Metadata decoding should be backwards compatible anchore/syft#1341)] [wagoodman]

Add spdx relationship encoding for dependencies [[PR #1342](https://github-redirect.dependabot.com/Add spdx relationship encoding for dependencies anchore/syft#1342)] [wagoodman]

v0.3.0 SPDX SBOM Does Not Have Unique SPDXID Package IDs [[Issue #923](https://github-redirect.dependabot.com/v0.3.0 SPDX SBOM Does Not Have Unique SPDXID Package IDs anchore/syft#923)]

Missing licenses and "skipping encoding of unsupported property: syft:metadata:goBuildSetting" [[Issue #1007](https://github-redirect.dependabot.com/Missing licenses and "skipping encoding of unsupported property: syft:metadata:goBuildSetting" anchore/syft#1007)]

System independent build not possible [[Issue #1084](https://github-redirect.dependabot.com/System independent build not possible anchore/syft#1084)]

Dependency's MIT license not picked up when scanning package-lock.json [[Issue #1113](https://github-redirect.dependabot.com/Dependency's MIT license not picked up when scanning package-lock.json anchore/syft#1113)]

... (truncated)

Commits

098e61d fix: sort relationships in SPDX output (#1350)
0dddf51 chore: add debug logging for decode errors (#1352)
04880c0 feat(npm): handle aliases in package-lock.json (#1349)
da4b2df fix: spdx java checksum correctness (#1348)
9d8244b feat: Add support for npm lockfile version 3 (#1206)
67888ee 1111 clean name bug (#1347)
9afc923 Add spdx relationship encoding for dependencies (#1342)
42cb0a4 feat: SPDX 2.3 support (#1311)
0c4b99c SBOM cataloger (#1029)
0774ad1 chore: clean up linting configuration (#1343)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 0.60.3 to 0.62.1. - [Release notes](https://github.com/anchore/syft/releases) - [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml) - [Commits](anchore/syft@v0.60.3...v0.62.1) --- updated-dependencies: - dependency-name: github.com/anchore/syft dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

sophiewigmore · 2022-11-22T20:37:51Z

It seems like as of Syft v0.61.0, something has changed with the Syft tool formats such that the default Syft JSON schema version shipped by Syft is now getting used when a user tries to use the latest Syft version, rather than getting shoehorned into using 3.0.1 like before.

Specifically, this test fails:

packit/sbom/formatted_reader_test.go

Lines 275 to 300 in 1820200

    
           it("writes the SBOM in the latest Syft format (3.*)", func() { 
        
           	buffer := bytes.NewBuffer(nil) 
        
           	_, err := io.Copy(buffer, sbom.NewFormattedReader(bom, sbom.Format(syft.JSONFormatID))) 
        
           	Expect(err).NotTo(HaveOccurred()) 
        
           	var syftOutput syftOutput 
        
           	err = json.Unmarshal(buffer.Bytes(), &syftOutput) 
        
           	Expect(err).NotTo(HaveOccurred(), buffer.String()) 
        
           	Expect(syftOutput.Schema.Version).To(MatchRegexp(`3\.\d+\.\d+`), buffer.String()) 
        
           	Expect(syftOutput.Source.Type).To(Equal("directory"), buffer.String()) 
        
           	Expect(syftOutput.Source.Target).To(Equal("testdata/"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[0].Name).To(Equal("collapse-white-space"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[1].Name).To(Equal("end-of-stream"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[2].Name).To(Equal("insert-css"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[3].Name).To(Equal("once"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[4].Name).To(Equal("pump"), buffer.String()) 
        
           	Expect(syftOutput.Artifacts[5].Name).To(Equal("wrappy"), buffer.String()) 
        
           	rerunBuffer := bytes.NewBuffer(nil) 
        
           	_, err = io.Copy(rerunBuffer, sbom.NewFormattedReader(bom, sbom.Format(syft.JSONFormatID))) 
        
           	Expect(err).NotTo(HaveOccurred()) 
        
           	Expect(rerunBuffer.String()).To(Equal(buffer.String())) 
        
           })

because the schema version used is actually 6.0.0.

I think we need to invest some time into getting the new Syft versions working in packit. This also relates to this thread about Packit user ability to get latest schema versions: https://paketobuildpacks.slack.com/archives/C011S6EL49L/p1664913833543899

dependabot · 2022-11-29T05:01:37Z

Superseded by #429.

dependabot bot requested a review from a team as a code owner November 22, 2022 05:04

dependabot bot requested review from ForestEckhardt and paketo-bot-reviewer November 22, 2022 05:04

dependabot bot added the dependencies label Nov 22, 2022

dependabot bot mentioned this pull request Nov 22, 2022

Bump github.com/anchore/syft from 0.60.3 to 0.62.0 #426

Closed

dependabot bot requested review from robdimsdale and ryanmoran November 22, 2022 05:04

paketo-bot added the semver:patch A change requiring a patch version bump label Nov 22, 2022

dependabot bot closed this Nov 29, 2022

dependabot bot deleted the dependabot/go_modules/github.com/anchore/syft-0.62.1 branch November 29, 2022 05:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump github.com/anchore/syft from 0.60.3 to 0.62.1 #427

Bump github.com/anchore/syft from 0.60.3 to 0.62.1 #427

dependabot bot commented on behalf of github Nov 22, 2022

sophiewigmore commented Nov 22, 2022

dependabot bot commented on behalf of github Nov 29, 2022

Bump github.com/anchore/syft from 0.60.3 to 0.62.1 #427

Bump github.com/anchore/syft from 0.60.3 to 0.62.1 #427

Conversation

dependabot bot commented on behalf of github Nov 22, 2022

v0.62.1

Changelog

v0.62.1 (2022-11-21)

Bug Fixes

v0.62.0

Changelog

v0.62.0 (2022-11-18)

Added Features

Bug Fixes

v0.61.0

Changelog

v0.61.0 (2022-11-18)

Added Features

Bug Fixes

sophiewigmore commented Nov 22, 2022

dependabot bot commented on behalf of github Nov 29, 2022