Commit
chore(deps): update ⬆️ aqua-packages (#37)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.99.0` |
| [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.138.0` -> `v3.162.0` |
| [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` |
| [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` |
| golang.org/x/tools/gopls | minor | `v0.11.0` -> `v0.14.2` |
| [golang/go](https://togithub.com/golang/go) | minor | `1.20.1` -> `1.21.5` |
| [golang/tools](https://togithub.com/golang/tools) | minor | `v0.6.0` -> `v0.16.1` |
| [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.22.1` |
| [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` |
| [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.11.1` -> `v1.17.0` |
| [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` |
| [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` |

---

### Release Notes

<details>
<summary>anchore/syft (anchore/syft)</summary>

### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)

##### Added Features

- Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)]
- Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)]
- Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)]
- Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)]
- Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]

##### Bug Fixes

- bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)]
- stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)]
- fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)]
- File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)]
- Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)]

##### Breaking Changes

- Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)]
- Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)]
- Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)]
- Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)**

### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)

##### Added Features

- Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)]
- Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)]
- Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)]
- hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)]
- Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)]
- add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)]
- add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)]
- errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)]
- `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)]
- Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)]

##### Breaking Changes

- Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)]
- Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)**

##### Special Thanks

Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍

### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)

##### Bug Fixes

- Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]

##### Additional Changes

- `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)**

### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)

##### Added Features

- Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)]
- Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)]

##### Bug Fixes

- Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)]
- capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)]
- add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)]
- skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)]
- cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)]

##### Breaking Changes

- Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)]
- Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)**

### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)

##### Added Features

- Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)]
- store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)]
- Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)]

##### Bug Fixes

- SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)]
- Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)]
- Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)**

### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)

##### Added Features

- Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)]
- Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)]
- Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)]
- Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)]
- Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)]

##### Bug Fixes

- Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)]
- Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)]
- .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)]
- Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)]
- SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)]
- Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)]
- Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)]
- Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)]
- Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)]

##### Breaking Changes

- Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)]
- Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)]
- Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)]
- Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)**

### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)

##### Added Features

- Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)]
- Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)]
- Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)]
- Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)]
- Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)]
- Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)]
- Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)]
- Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)]
- Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)**

### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)

##### Added Features

- Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)]
- Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)]
- Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)]

##### Bug Fixes

- Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)]

##### Additional Changes

- Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)]
- update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)]
- Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)**

### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)

##### Added Features

- Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)]

##### Bug Fixes

- Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)]

##### Additional Changes

- bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)**

### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)

##### Added Features

- Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)]
- Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793) [@shanedell](https://togithub.com/shanedell)]
- Support cataloging github workflow & github action usages \[[#1896](https://togithub.com/anchore/syft/issues/1896) [#2140](https://togithub.com/anchore/syft/pull/2140) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Allow CycloneDX json input with no components \[[#2127](https://togithub.com/anchore/syft/pull/2127) [@ahoz](https://togithub.com/ahoz)]
- Prevent errors from clobbering terminal \[[#2161](https://togithub.com/anchore/syft/pull/2161) [@kzantow](https://togithub.com/kzantow)]
- Using syft as a go library to decode a syft json has incomplete data \[[#2069](https://togithub.com/anchore/syft/issues/2069) [#2083](https://togithub.com/anchore/syft/pull/2083) [@kzantow](https://togithub.com/kzantow)]
- SBOMs are not the same on multiple runs of syft \[[#1944](https://togithub.com/anchore/syft/issues/1944)]

##### Additional Changes

- Switch to stdlib's slices pkg \[[#2148](https://togithub.com/anchore/syft/pull/2148) [@hainenber](https://togithub.com/hainenber)]
- Remove unneeded arch switch in unit test \[[#2156](https://togithub.com/anchore/syft/pull/2156) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Update chronicle to v0.8.0 \[[#2154](https://togithub.com/anchore/syft/pull/2154) [@wagoodman](https://togithub.com/wagoodman)]
- Update to latest stereoscope \[[#2151](https://togithub.com/anchore/syft/pull/2151) [@spiffcs](https://togithub.com/spiffcs)]
- Pin workflow checkout for cpe update-cpe-dictionary-index \[[#2141](https://togithub.com/anchore/syft/pull/2141) [@spiffcs](https://togithub.com/spiffcs)]
- Add dependency information to conan lockfile parser \[[#2131](https://togithub.com/anchore/syft/pull/2131) [@Pro](https://togithub.com/Pro)]
- Pin and update all workflow dependencies; add permission scopes \[[#2138](https://togithub.com/anchore/syft/pull/2138) [@spiffcs](https://togithub.com/spiffcs)]
- Enforce race detector \[[#2122](https://togithub.com/anchore/syft/pull/2122) [@willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)**

### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)

#### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)

##### Added Features

- Expose cobra command in cli package \[[PR #2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)]
- Explicitly test PURL generation against key packages \[[Issue #2071](https://togithub.com/anchore/syft/issues/2071)]
- Add User-Agent with Syft version during update check \[[Issue #2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)]

##### Bug Fixes

- fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Cyclonedx external reference URLs are not validated when encoding \[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)]

##### Additional Changes

- Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR #2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)]
- fix: update codeql-analysis for go 1.21 \[[PR #2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)]

### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)

#### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)

##### Added Features

- Add registry certificate verification support \[[PR #1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)]
- Add SYFT_CONFIG environment variable for configuration file path \[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)]

##### Bug Fixes

- Fix quiet flag \[[PR #2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)]
- Command line flags not overriding configuration file values \[[Issue #1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)]
- Django package CPE is not correct \[[Issue #1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)]
- Config parsing includes `config.yaml` in working dir \[[Issue #1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)]
- Fix a possible panic on universal go binaries \[[Issue #2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #2078](https://togithub.com/anchore/syft/pull/2078)] \[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Disabling catalogers is not working in power user command \[[Issue #2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)]
- Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)]

### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)

#### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)

##### Added Features

- Detect golang boring crypto and fipsonly modules \[[PR #2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)]
- feat: 1944 - update purl generation to use a consistent groupID \[[PR #2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)]
- Add support to detect bash binaries \[[Issue #1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)]

##### Bug Fixes

- fix: properly parse conan ref and include user and channel \[[PR #2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)]
- New version notice only showing the version and no text \[[PR #2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)]
- Fix: don't validate pom declared group \[[PR #2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue #1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)]
- Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)]
- Error parsing pom.xml with v0.87.1 \[[Issue #2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Invalid CycloneDX: duplicates in relationships section \[[Issue #2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)]

### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)

#### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)

##### Bug Fixes

- Use Java package names to determine known groupIDs \[[PR #2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)]
- Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)]
- SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)]
- Intermittent binary listings, different results every time \[[Issue #2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR #2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)]

### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)

#### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)

##### Added Features

- feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)]
- Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)]
- Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)]
- Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)]

##### Bug Fixes

- chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)]
- fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)]
- fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)]
- Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)]

### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)

### Changelog

#### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)

##### Bug Fixes

- Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)]

### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)

### Changelog

#### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31)

[Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)

##### Added Features

- Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)]
- Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)]
- Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)]
- Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)]

##### Bug Fixes

- Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)]
- Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR
#​1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #​1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #​1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #​1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #​1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #​1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #​1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #​1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #​1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #​1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #​1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 
even if install fails \[[Issue #​1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #​1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #​1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #​1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #​1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #​1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #​1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #​1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #​1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #​1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #​1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #​1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #​1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR 
#​1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #​1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #​1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #​1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #​1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #​1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #​1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #​1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see 
[https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #​1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #​1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #​1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #​1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #​1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #​1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #​1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #​1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #​1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #​1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #​1839](https://togithub.com/anchore/syft/pull/1839)] 
\[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #​1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #​1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #​1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #​1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #​1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #​1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #​1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #​1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue 
#​730](https://togithub.com/anchore/syft/issues/730)] \[[PR #​1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #​1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #​1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #​1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #​1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #​1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #​1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #​1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #​1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #​1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #​1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #​1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #​1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #​1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### 
[`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #​1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #​1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #​1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #​1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #​1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #​1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #​1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. 
\[[Issue #​1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #​1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #​1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #​1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #​1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #​1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #​1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #​1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #​1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #​1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #​1694](https://togithub.com/anchore/syft/pull/1694)] 
\[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #​1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #​1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #​1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #​1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #​1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #​1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #​1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #​1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #​1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem 
\[[PR #​1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub.com/wagoodman)] - Add Nix Cataloger \[[Issue #​462](https://togithub.com/anchore/syft/issues/462)] \[[PR #​1107](https://togithub.com/anchore/syft/pull/1107)] \[[juliosueiras](https://togithub.com/juliosueiras)] \[[PR #​1696](https://togithub.com/anchore/syft/pull/1696)] \[[wagoodman](https://togithub.com/wagoodman)] \[[flokli](https://togithub.com/flokli)] ### [`v0.76.0`](https://togithub.com/anchore/syft/releases/tag/v0.76.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ### Changelog #### [v0.76.0](https://togithub.com/anchore/syft/tree/v0.76.0) (2023-03-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ##### Added Features - Scan local go mod licenses for golang packages \[[PR #​1645](https://togithub.com/anchore/syft/pull/1645)] \[[deitch](https://togithub.com/deitch)] - update and clean license list generation to return more SPDXID for more inputs \[[PR #​1691](https://togithub.com/anchore/syft/pull/1691)] \[[spiffcs](https://togithub.com/spiffcs)] - argocd binary classifier \[[Issue #​1606](https://togithub.com/anchore/syft/issues/1606)] \[[PR #​1663](https://togithub.com/anchore/syft/pull/1663)] \[[y12studio](https://togithub.com/y12studio)] - Add config option to allow user to select the default image source location \[[Issue #​1703](https://togithub.com/anchore/syft/pull/1703)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Defer closing the opened file when using FileScheme \[[PR #​1668](https://to </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. 
Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>