chore(deps): update ⬆️ aqua-packages (#37)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.99.0` |
| [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.138.0` -> `v3.162.0` |
| [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` |
| [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` |
| golang.org/x/tools/gopls | minor | `v0.11.0` -> `v0.14.2` |
| [golang/go](https://togithub.com/golang/go) | minor | `1.20.1` -> `1.21.5` |
| [golang/tools](https://togithub.com/golang/tools) | minor | `v0.6.0` -> `v0.16.1` |
| [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.22.1` |
| [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` |
| [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.11.1` -> `v1.17.0` |
| [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` |
| [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` |

---

### Release Notes

<details>
<summary>anchore/syft (anchore/syft)</summary>

### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)

##### Added Features

- Look for a maven version in a pom from a parent dependency management…
\[[#&#8203;2423](https://togithub.com/anchore/syft/pull/2423)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Adding the ability to retrieve remote licenses for yarn.lock
\[[#&#8203;2338](https://togithub.com/anchore/syft/pull/2338)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Retrieve remote licenses using pom.properties when there is no pom.xml
\[[#&#8203;2315](https://togithub.com/anchore/syft/pull/2315)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add the option to retrieve remote licenses for projects defined in a …
\[[#&#8203;2409](https://togithub.com/anchore/syft/pull/2409)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Parse Python licenses from LicenseFile entry in the Wheel Metadata
\[[#&#8203;2331](https://togithub.com/anchore/syft/pull/2331)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add binary classifier for the ERLang interpreter
\[[#&#8203;2417](https://togithub.com/anchore/syft/pull/2417)
[@&#8203;LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Parse Python licenses from LicenseExpression entry in the Wheel
Metadata \[[#&#8203;2431](https://togithub.com/anchore/syft/pull/2431)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add binary classifier for Julia lang
\[[#&#8203;2427](https://togithub.com/anchore/syft/pull/2427)
[@&#8203;LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary detection for PHP composer
\[[#&#8203;2432](https://togithub.com/anchore/syft/pull/2432)
[@&#8203;LaurentGoderre](https://togithub.com/LaurentGoderre)]

##### Bug Fixes

- bump fangs for ptr summarize fix
\[[#&#8203;2387](https://togithub.com/anchore/syft/pull/2387)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- improve identification for org.codehaus.groovy artifacts
\[[#&#8203;2404](https://togithub.com/anchore/syft/pull/2404)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for commons-jelly artifacts
\[[#&#8203;2399](https://togithub.com/anchore/syft/pull/2399)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.minio artifacts
\[[#&#8203;2398](https://togithub.com/anchore/syft/pull/2398)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for com.graphql-java artifacts
\[[#&#8203;2397](https://togithub.com/anchore/syft/pull/2397)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tapestry artifacts
\[[#&#8203;2384](https://togithub.com/anchore/syft/pull/2384)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.ratpack artifacts
\[[#&#8203;2379](https://togithub.com/anchore/syft/pull/2379)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.cassandra artifacts
\[[#&#8203;2386](https://togithub.com/anchore/syft/pull/2386)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.neo4j.procedure artifacts
\[[#&#8203;2388](https://togithub.com/anchore/syft/pull/2388)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.elasticsearch artifacts
\[[#&#8203;2383](https://togithub.com/anchore/syft/pull/2383)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.geode artifacts
\[[#&#8203;2382](https://togithub.com/anchore/syft/pull/2382)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tomcat artifacts
\[[#&#8203;2381](https://togithub.com/anchore/syft/pull/2381)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.projectreactor.netty artifacts
\[[#&#8203;2378](https://togithub.com/anchore/syft/pull/2378)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- stop panic when parsing Haskell stack.yaml.lock with missing `hackage`
field \[[#&#8203;2421](https://togithub.com/anchore/syft/issues/2421)
[#&#8203;2419](https://togithub.com/anchore/syft/pull/2419)
[@&#8203;houdini91](https://togithub.com/houdini91)]
- fix detecting the name of the eclipse OSGi artifact
\[[#&#8203;2314](https://togithub.com/anchore/syft/issues/2314)
[#&#8203;2349](https://togithub.com/anchore/syft/pull/2349)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- File Sources incorrectly exclude files on Windows
\[[#&#8203;2410](https://togithub.com/anchore/syft/issues/2410)
[#&#8203;2411](https://togithub.com/anchore/syft/pull/2411)
[@&#8203;Racer159](https://togithub.com/Racer159)]
- Parser for dotnet_portable_executable using wrong attribute name
\[[#&#8203;2029](https://togithub.com/anchore/syft/issues/2029)
[#&#8203;2133](https://togithub.com/anchore/syft/pull/2133)
[@&#8203;kzantow](https://togithub.com/kzantow)]

##### Breaking Changes

- Generalize UI events for cataloging tasks
\[[#&#8203;2369](https://togithub.com/anchore/syft/pull/2369)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- refactor pkg.Collection to remove "catalog" references
\[[#&#8203;2439](https://togithub.com/anchore/syft/pull/2439)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Expose javascript fields in cataloger configuration
\[[#&#8203;2438](https://togithub.com/anchore/syft/pull/2438)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Use common archive catalog configuration
\[[#&#8203;2437](https://togithub.com/anchore/syft/pull/2437)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Fix file digest cataloger when passed explicit coordinates
\[[#&#8203;2436](https://togithub.com/anchore/syft/pull/2436)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)**

### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)

##### Added Features

- Add binary classifiers for MySQL and MariaDB
\[[#&#8203;2316](https://togithub.com/anchore/syft/pull/2316)
[@&#8203;duanemay](https://togithub.com/duanemay)]
- Enhance redis binary classifier to support additional versions
\[[#&#8203;2329](https://togithub.com/anchore/syft/pull/2329)
[@&#8203;whalelines](https://togithub.com/whalelines)]
- Expose compact JSON and XML format configuration
\[[#&#8203;561](https://togithub.com/anchore/syft/issues/561)
[#&#8203;2275](https://togithub.com/anchore/syft/pull/2275)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Fix file metadata cataloger when passed explicit coordinates
\[[#&#8203;2370](https://togithub.com/anchore/syft/pull/2370)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- hardcode xalan group ID
\[[#&#8203;2368](https://togithub.com/anchore/syft/pull/2368)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- logging level for parsing potential PE files
\[[#&#8203;2367](https://togithub.com/anchore/syft/pull/2367)
[@&#8203;kzantow](https://togithub.com/kzantow)]
- Use read lock in `pkg.Collection`
\[[#&#8203;2341](https://togithub.com/anchore/syft/pull/2341)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- add manual namespace mapping for org.springframework jars
\[[#&#8203;2345](https://togithub.com/anchore/syft/pull/2345)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- add manual namespace mapping for org.springframework.security jars
\[[#&#8203;2343](https://togithub.com/anchore/syft/pull/2343)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- errors are printed into the stdout in syft 0.97.1
\[[#&#8203;2356](https://togithub.com/anchore/syft/issues/2356)
[#&#8203;2364](https://togithub.com/anchore/syft/pull/2364)
[@&#8203;kzantow](https://togithub.com/kzantow)]
- `syft some-jar.jar` fails to find packages if PWD is a symlink
\[[#&#8203;2355](https://togithub.com/anchore/syft/issues/2355)
[#&#8203;2359](https://togithub.com/anchore/syft/pull/2359)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- Default for recently added base path, `""`, disables detection of
symlinked `*.jar` files
\[[#&#8203;1962](https://togithub.com/anchore/syft/issues/1962)
[#&#8203;2359](https://togithub.com/anchore/syft/pull/2359)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- `syft attest` broken since 0.85.0
\[[#&#8203;2333](https://togithub.com/anchore/syft/issues/2333)
[#&#8203;2337](https://togithub.com/anchore/syft/pull/2337)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Incorrect Java PURL for org.bouncycastle jars
\[[#&#8203;2339](https://togithub.com/anchore/syft/issues/2339)
[#&#8203;2342](https://togithub.com/anchore/syft/pull/2342)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]

##### Breaking Changes

- Remove power-user command and related catalogers
\[[#&#8203;1419](https://togithub.com/anchore/syft/issues/1419)
[#&#8203;2306](https://togithub.com/anchore/syft/pull/2306)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Normalize cataloger configuration patterns
\[[#&#8203;2365](https://togithub.com/anchore/syft/pull/2365)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Normalize enums to lowercase with hyphens
\[[#&#8203;2363](https://togithub.com/anchore/syft/pull/2363)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)**

##### Special Thanks

Thanks [@&#8203;duanemay](https://togithub.com/duanemay) and
[@&#8203;whalelines](https://togithub.com/whalelines) for the enhanced
binary classifier support 👍

### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)

##### Bug Fixes

- Syft does not use HTTP proxy when downloading the Docker image itself
\[[#&#8203;2203](https://togithub.com/anchore/syft/issues/2203)
[#&#8203;2336](https://togithub.com/anchore/syft/pull/2336)
[@&#8203;anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]

##### Additional Changes

- `syft version` report is broken with 0.97.0 release
\[[#&#8203;2334](https://togithub.com/anchore/syft/issues/2334)
[#&#8203;2335](https://togithub.com/anchore/syft/pull/2335)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)**

### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)

##### Added Features

- Add license for golang stdlib package
\[[#&#8203;2317](https://togithub.com/anchore/syft/pull/2317)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Fall back to searching maven central using groupIDFromJavaMetadata
\[[#&#8203;2295](https://togithub.com/anchore/syft/pull/2295)
[@&#8203;coheigea](https://togithub.com/coheigea)]

##### Bug Fixes

- Refine license search from groupIDFromJavaMetadata to account for
artfactId in the groupId
\[[#&#8203;2313](https://togithub.com/anchore/syft/pull/2313)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- capture content written to stdout outside of report
\[[#&#8203;2324](https://togithub.com/anchore/syft/pull/2324)
[@&#8203;kzantow](https://togithub.com/kzantow)]
- add manual groupid mappings for org.apache.velocity jars
\[[#&#8203;2327](https://togithub.com/anchore/syft/pull/2327)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- skip maven bundle plugin logic if vendor id and symbolic name match
\[[#&#8203;2326](https://togithub.com/anchore/syft/pull/2326)
[@&#8203;westonsteimel](https://togithub.com/westonsteimel)]
- cataloger `dpkg-db-cataloger` not working
\[[#&#8203;2323](https://togithub.com/anchore/syft/issues/2323)]

##### Breaking Changes

- Rename Location virtualPath to accessPath
\[[#&#8203;1835](https://togithub.com/anchore/syft/issues/1835)
[#&#8203;2288](https://togithub.com/anchore/syft/pull/2288)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Export syft-json format package metadata type helper
\[[#&#8203;2328](https://togithub.com/anchore/syft/pull/2328)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Add dotnet-portable-executable-cataloger to README
\[[#&#8203;2322](https://togithub.com/anchore/syft/pull/2322)
[@&#8203;noqcks](https://togithub.com/noqcks)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)**

### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)

##### Added Features

- Check maven central as well for licenses in parents poms for nested
jars \[[#&#8203;2302](https://togithub.com/anchore/syft/pull/2302)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- store image annotations inside the SBOM
\[[#&#8203;2267](https://togithub.com/anchore/syft/issues/2267)
[#&#8203;2294](https://togithub.com/anchore/syft/pull/2294)
[@&#8203;noqcks](https://togithub.com/noqcks)]
- Support parsing license information in Maven projects via parent poms
\[[#&#8203;2103](https://togithub.com/anchore/syft/issues/2103)]

##### Bug Fixes

- SPDX file has duplicate sha256 tag in versionInfo
\[[#&#8203;2300](https://togithub.com/anchore/syft/pull/2300)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Report virtual path consistently between file.Resolvers
\[[#&#8203;1836](https://togithub.com/anchore/syft/issues/1836)
[#&#8203;2287](https://togithub.com/anchore/syft/pull/2287)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Unable to identify CycloneDX JSON documents without $schema property
\[[#&#8203;2299](https://togithub.com/anchore/syft/issues/2299)
[#&#8203;2303](https://togithub.com/anchore/syft/pull/2303)
[@&#8203;kzantow](https://togithub.com/kzantow)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)**

### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)

##### Added Features

- Use case-insensitive matching for Go license files
\[[#&#8203;2286](https://togithub.com/anchore/syft/pull/2286)
[@&#8203;miquella](https://togithub.com/miquella)]
- Add conaninfo.txt parser to detect conan packages in docker images
\[[#&#8203;2234](https://togithub.com/anchore/syft/pull/2234)
[@&#8203;Pro](https://togithub.com/Pro)]
- Perform case insensitive matching on Java License files
\[[#&#8203;2235](https://togithub.com/anchore/syft/pull/2235)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Read a license from a parent pom stored in Maven Central
\[[#&#8203;2228](https://togithub.com/anchore/syft/pull/2228)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add PURLs when scanning Gradle lock files
\[[#&#8203;2278](https://togithub.com/anchore/syft/pull/2278)
[@&#8203;robbiev](https://togithub.com/robbiev)]

##### Bug Fixes

- Fix CPE index workflow
\[[#&#8203;2252](https://togithub.com/anchore/syft/pull/2252)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Fix cpe generation task
\[[#&#8203;2270](https://togithub.com/anchore/syft/pull/2270)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- Introduce cataloger naming conventions
\[[#&#8203;1578](https://togithub.com/anchore/syft/issues/1578)
[#&#8203;2277](https://togithub.com/anchore/syft/pull/2277)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- .NET / nuget - invalid SBOM generated after parsing
\[[#&#8203;2255](https://togithub.com/anchore/syft/issues/2255)
[#&#8203;2273](https://togithub.com/anchore/syft/pull/2273)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Wrong parsing after v0.85.0 syft for some components
\[[#&#8203;2241](https://togithub.com/anchore/syft/issues/2241)
[#&#8203;2273](https://togithub.com/anchore/syft/pull/2273)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- SPDX-2.3 is misidentified as SPDX-2.2
\[[#&#8203;2112](https://togithub.com/anchore/syft/issues/2112)
[#&#8203;2186](https://togithub.com/anchore/syft/pull/2186)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Jar parser chokes on empty lines
\[[#&#8203;2179](https://togithub.com/anchore/syft/issues/2179)
[#&#8203;2254](https://togithub.com/anchore/syft/pull/2254)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Add a new Java configuration option to recursively search parent poms…
\[[#&#8203;2274](https://togithub.com/anchore/syft/pull/2274)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Fix directory resolver to always return virtual path
\[[#&#8203;2259](https://togithub.com/anchore/syft/pull/2259)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Syft can now handle the case of parsing a jar with multiple poms
\[[#&#8203;2231](https://togithub.com/anchore/syft/pull/2231)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers
\[[#&#8203;1971](https://togithub.com/anchore/syft/pull/1971)
[@&#8203;evanchaoli](https://togithub.com/evanchaoli)]

##### Breaking Changes

- Introduce cataloger naming conventions
\[[#&#8203;1578](https://togithub.com/anchore/syft/issues/1578)
[#&#8203;2277](https://togithub.com/anchore/syft/pull/2277)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Remove MetadataType from the core package struct
\[[#&#8203;1735](https://togithub.com/anchore/syft/issues/1735)
[#&#8203;1983](https://togithub.com/anchore/syft/pull/1983)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Add convention for JSON metadata type names and port existing values
to the new convention
\[[#&#8203;1844](https://togithub.com/anchore/syft/issues/1844)
[#&#8203;1983](https://togithub.com/anchore/syft/pull/1983)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated syft.Format functions
\[[#&#8203;1344](https://togithub.com/anchore/syft/issues/1344)
[#&#8203;2186](https://togithub.com/anchore/syft/pull/2186)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Upgrade tool management
\[[#&#8203;2188](https://togithub.com/anchore/syft/pull/2188)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Fix homebrew post-release workflow
\[[#&#8203;2242](https://togithub.com/anchore/syft/pull/2242)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)**

### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)

##### Added Features

- Add additional license filenames
\[[#&#8203;2227](https://togithub.com/anchore/syft/pull/2227)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Parse donet dependency trees
\[[#&#8203;2143](https://togithub.com/anchore/syft/pull/2143)
[@&#8203;noqcks](https://togithub.com/noqcks)]
- Find license by embedded license text
\[[#&#8203;2147](https://togithub.com/anchore/syft/issues/2147)
[#&#8203;2213](https://togithub.com/anchore/syft/pull/2213)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add support for dpkg dependency relationships
\[[#&#8203;2040](https://togithub.com/anchore/syft/issues/2040)
[#&#8203;2212](https://togithub.com/anchore/syft/pull/2212)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Report errors to stderr not stdout
\[[#&#8203;2232](https://togithub.com/anchore/syft/pull/2232)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Python egg packages are not parsed for SBOM
\[[#&#8203;1761](https://togithub.com/anchore/syft/issues/1761)
[#&#8203;2239](https://togithub.com/anchore/syft/pull/2239)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Java archive is listed twice
\[[#&#8203;2130](https://togithub.com/anchore/syft/issues/2130)
[#&#8203;2220](https://togithub.com/anchore/syft/pull/2220)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Java archives not from Maven
\[[#&#8203;2217](https://togithub.com/anchore/syft/issues/2217)
[#&#8203;2220](https://togithub.com/anchore/syft/pull/2220)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Remove internal.StringSet
\[[#&#8203;2209](https://togithub.com/anchore/syft/issues/2209)
[#&#8203;2219](https://togithub.com/anchore/syft/pull/2219)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Invalid interface conversion in Swift cataloger
\[[#&#8203;2225](https://togithub.com/anchore/syft/issues/2225)
[#&#8203;2226](https://togithub.com/anchore/syft/pull/2226)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)**

### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)

##### Added Features

- Parse license from the pom.xml if not contained in the manifest
\[[#&#8203;2115](https://togithub.com/anchore/syft/pull/2115)
[@&#8203;coheigea](https://togithub.com/coheigea)]
- Add Golang STD library package given a Golang binary has been
discovered compiled with that go binary
\[[#&#8203;1853](https://togithub.com/anchore/syft/issues/1853)
[#&#8203;2195](https://togithub.com/anchore/syft/pull/2195)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Improve --output CLI help and deprecate --file
\[[#&#8203;2165](https://togithub.com/anchore/syft/issues/2165)
[#&#8203;2187](https://togithub.com/anchore/syft/pull/2187)
[@&#8203;sharief007](https://togithub.com/sharief007)]

##### Bug Fixes

- Converting a SBOM looses the algorithm type for added checksums
\[[#&#8203;2183](https://togithub.com/anchore/syft/issues/2183)
[#&#8203;2207](https://togithub.com/anchore/syft/pull/2207)
[@&#8203;sharief007](https://togithub.com/sharief007)]

##### Additional Changes

- Refine the docs for building a cataloger
\[[#&#8203;2175](https://togithub.com/anchore/syft/pull/2175)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- update license list to 3.22
\[[#&#8203;2201](https://togithub.com/anchore/syft/pull/2201)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Add exact syntax of the conversion formats
\[[#&#8203;2196](https://togithub.com/anchore/syft/pull/2196)
[@&#8203;vargenau](https://togithub.com/vargenau)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)**

### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)

##### Added Features

- Support for multiple image refs of same sha in OCI layout
\[[#&#8203;1544](https://togithub.com/anchore/syft/issues/1544)]

##### Bug Fixes

- Generated purls are different between runs of syft against the same
image and artifact
\[[#&#8203;2169](https://togithub.com/anchore/syft/issues/2169)
[#&#8203;2170](https://togithub.com/anchore/syft/pull/2170)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]

##### Additional Changes

- bump stereoscope to fix data race in UI code
\[[#&#8203;2173](https://togithub.com/anchore/syft/pull/2173)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)**

### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)

##### Added Features

- Add support for CycloneDX 1.5
\[[#&#8203;2120](https://togithub.com/anchore/syft/issues/2120)
[#&#8203;2123](https://togithub.com/anchore/syft/pull/2123)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Add support for containerd as an image source
\[[#&#8203;201](https://togithub.com/anchore/syft/issues/201)
[#&#8203;1793](https://togithub.com/anchore/syft/pull/1793)
[@&#8203;shanedell](https://togithub.com/shanedell)]
- Support cataloging github workflow & github action usages
\[[#&#8203;1896](https://togithub.com/anchore/syft/issues/1896)
[#&#8203;2140](https://togithub.com/anchore/syft/pull/2140)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Allow CycloneDX json input with no components
\[[#&#8203;2127](https://togithub.com/anchore/syft/pull/2127)
[@&#8203;ahoz](https://togithub.com/ahoz)]
- Prevent errors from clobbering terminal
\[[#&#8203;2161](https://togithub.com/anchore/syft/pull/2161)
[@&#8203;kzantow](https://togithub.com/kzantow)]
- Using syft as a go library to decode a syft json has incomplete data
\[[#&#8203;2069](https://togithub.com/anchore/syft/issues/2069)
[#&#8203;2083](https://togithub.com/anchore/syft/pull/2083)
[@&#8203;kzantow](https://togithub.com/kzantow)]
- SBOMs are not the same on multiple runs of syft
\[[#&#8203;1944](https://togithub.com/anchore/syft/issues/1944)]

##### Additional Changes

- Switch to stdlib's slices pkg
\[[#&#8203;2148](https://togithub.com/anchore/syft/pull/2148)
[@&#8203;hainenber](https://togithub.com/hainenber)]
- Remove unneeded arch switch in unit test
\[[#&#8203;2156](https://togithub.com/anchore/syft/pull/2156)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]
- Update chronicle to v0.8.0
\[[#&#8203;2154](https://togithub.com/anchore/syft/pull/2154)
[@&#8203;wagoodman](https://togithub.com/wagoodman)]
- Update to latest stereoscope
\[[#&#8203;2151](https://togithub.com/anchore/syft/pull/2151)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Pin workflow checkout for cpe update-cpe-dictionary-index
\[[#&#8203;2141](https://togithub.com/anchore/syft/pull/2141)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Add dependency information to conan lockfile parser
\[[#&#8203;2131](https://togithub.com/anchore/syft/pull/2131)
[@&#8203;Pro](https://togithub.com/Pro)]
- Pin and update all workflow dependencies; add permission scopes
\[[#&#8203;2138](https://togithub.com/anchore/syft/pull/2138)
[@&#8203;spiffcs](https://togithub.com/spiffcs)]
- Enforce race detector
\[[#&#8203;2122](https://togithub.com/anchore/syft/pull/2122)
[@&#8203;willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)**

### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)

#### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0)
(2023-09-11)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)

##### Added Features

- Expose cobra command in cli package \[[PR
#&#8203;2097](https://togithub.com/anchore/syft/pull/2097)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Explicitly test PURL generation against key packages \[[Issue
#&#8203;2071](https://togithub.com/anchore/syft/issues/2071)]
- Add User-Agent with Syft version during update check \[[Issue
#&#8203;2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR
#&#8203;2100](https://togithub.com/anchore/syft/pull/2100)]
\[[hainenber](https://togithub.com/hainenber)]

##### Bug Fixes

- fix: correct group IDs for commons-codec, okhttp, okio, and add
integration tests for Java PURL generation \[[PR
#&#8203;2075](https://togithub.com/anchore/syft/pull/2075)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Cyclonedx external reference URLs are not validated when encoding
\[[Issue #&#8203;2079](https://togithub.com/anchore/syft/issues/2079)]
\[[PR #&#8203;2091](https://togithub.com/anchore/syft/pull/2091)]
\[[hainenber](https://togithub.com/hainenber)]

##### Additional Changes

- Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR
#&#8203;2088](https://togithub.com/anchore/syft/pull/2088)]
\[[dlorenc](https://togithub.com/dlorenc)]
- fix: update codeql-analysis for go 1.21 \[[PR
#&#8203;2108](https://togithub.com/anchore/syft/pull/2108)]
\[[spiffcs](https://togithub.com/spiffcs)]

### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)

#### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0)
(2023-08-31)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)

##### Added Features

- Add registry certificate verification support \[[PR
#&#8203;1734](https://togithub.com/anchore/syft/pull/1734)]
\[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)]
- Add SYFT_CONFIG environment variable for configuration file path
\[[Issue #&#8203;1986](https://togithub.com/anchore/syft/issues/1986)]
\[[PR #&#8203;2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]

##### Bug Fixes

- Fix quiet flag \[[PR
#&#8203;2081](https://togithub.com/anchore/syft/pull/2081)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Command line flags not overriding configuration file values \[[Issue
#&#8203;1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR
#&#8203;2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Django package CPE is not correct \[[Issue
#&#8203;1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR
#&#8203;2068](https://togithub.com/anchore/syft/pull/2068)]
\[[witchcraze](https://togithub.com/witchcraze)]
- Config parsing includes `config.yaml` in working dir \[[Issue
#&#8203;1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR
#&#8203;2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Fix a possible panic on universal go binaries \[[Issue
#&#8203;2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR
#&#8203;2078](https://togithub.com/anchore/syft/pull/2078)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Disabling catalogers is not working in power user command \[[Issue
#&#8203;2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR
#&#8203;2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Virtual path changes to java cataloger causing creation of extra
incorrect packages when jars are renamed \[[Issue
#&#8203;2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR
#&#8203;2080](https://togithub.com/anchore/syft/pull/2080)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]

### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)

#### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0)
(2023-08-25)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)

##### Added Features

- Detect golang boring crypto and fipsonly modules \[[PR
#&#8203;2021](https://togithub.com/anchore/syft/pull/2021)]
\[[bathina2](https://togithub.com/bathina2)]
- feat: 1944 - update purl generation to use a consistent groupID \[[PR
#&#8203;2033](https://togithub.com/anchore/syft/pull/2033)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Add support to detect bash binaries \[[Issue
#&#8203;1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR
#&#8203;2055](https://togithub.com/anchore/syft/pull/2055)]
\[[witchcraze](https://togithub.com/witchcraze)]

##### Bug Fixes

- fix: properly parse conan ref and include user and channel \[[PR
#&#8203;2034](https://togithub.com/anchore/syft/pull/2034)]
\[[Pro](https://togithub.com/Pro)]
- New version notice only showing the version and no text \[[PR
#&#8203;2042](https://togithub.com/anchore/syft/pull/2042)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Fix: don't validate pom declared group \[[PR
#&#8203;2054](https://togithub.com/anchore/syft/pull/2054)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue
#&#8203;1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR
#&#8203;2051](https://togithub.com/anchore/syft/pull/2051)]
\[[selzoc](https://togithub.com/selzoc)]
- Syft seems unable to parse non UTF-8 pom.xml files \[[Issue
#&#8203;2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR
#&#8203;2047](https://togithub.com/anchore/syft/pull/2047)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Error parsing pom.xml with v0.87.1 \[[Issue
#&#8203;2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR
#&#8203;2064](https://togithub.com/anchore/syft/pull/2064)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Invalid CycloneDX: duplicates in relationships section \[[Issue
#&#8203;2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR
#&#8203;2063](https://togithub.com/anchore/syft/pull/2063)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)

#### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1)
(2023-08-17)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)

##### Bug Fixes

- Use Java package names to determine known groupIDs \[[PR
#&#8203;2032](https://togithub.com/anchore/syft/pull/2032)]
\[[kzantow](https://togithub.com/kzantow)]
- Relationships section of CycloneDX is not outputting even when the
data is present \[[Issue
#&#8203;1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR
#&#8203;1974](https://togithub.com/anchore/syft/pull/1974)]
\[[markgalpin](https://togithub.com/markgalpin)]
\[[kzantow](https://togithub.com/kzantow)]
- SPDX Tag-Value conversion not handling files directly set on packages
\[[Issue #&#8203;2013](https://togithub.com/anchore/syft/issues/2013)]
\[[PR #&#8203;2014](https://togithub.com/anchore/syft/pull/2014)]
\[[kzantow](https://togithub.com/kzantow)]
- Intermittent binary listings, different results every time \[[Issue
#&#8203;2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR
#&#8203;2036](https://togithub.com/anchore/syft/pull/2036)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)

#### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0)
(2023-08-14)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)

##### Added Features

- feat: use originator logic to fill supplier \[[PR
#&#8203;1980](https://togithub.com/anchore/syft/pull/1980)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Expand deb cataloger to include opkg \[[PR
#&#8203;1985](https://togithub.com/anchore/syft/pull/1985)]
\[[johnDeSilencio](https://togithub.com/johnDeSilencio)]
- Package duplicated by different cataloger \[[Issue
#&#8203;931](https://togithub.com/anchore/syft/issues/931)] \[[PR
#&#8203;1948](https://togithub.com/anchore/syft/pull/1948)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Add binary cataloger for Nginx built from source \[[Issue
#&#8203;1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR
#&#8203;1988](https://togithub.com/anchore/syft/pull/1988)]
\[[SemProvoost](https://togithub.com/SemProvoost)]

##### Bug Fixes

- chore: update bubbly to fix hanging \[[PR
#&#8203;1990](https://togithub.com/anchore/syft/pull/1990)]
\[[kzantow](https://togithub.com/kzantow)]
- fix: update glob to use newer usr/lib/sysimage path \[[PR
#&#8203;1997](https://togithub.com/anchore/syft/pull/1997)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: SPDX license values and download location \[[PR
#&#8203;2007](https://togithub.com/anchore/syft/pull/2007)]
\[[kzantow](https://togithub.com/kzantow)]
- Different CPEs between java-cataloger and
java-gradle-lockfile-cataloger \[[Issue
#&#8203;1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR
#&#8203;1995](https://togithub.com/anchore/syft/pull/1995)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)

### Changelog

#### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1)
(2023-07-31)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)

##### Bug Fixes

- Source requires default image name as user input for unparsable
reference \[[PR
#&#8203;1979](https://togithub.com/anchore/syft/pull/1979)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)

### Changelog

#### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0)
(2023-07-31)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)

##### Added Features

- Introduce indexed embedded CPE dictionary \[[PR
#&#8203;1897](https://togithub.com/anchore/syft/pull/1897)]
\[[luhring](https://togithub.com/luhring)]
- Add cataloger for Swift Package Manager. \[[PR
#&#8203;1919](https://togithub.com/anchore/syft/pull/1919)]
\[[trilleplay](https://togithub.com/trilleplay)]
- Guess unpinned versions in python requirements.txt \[[PR
#&#8203;1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR
#&#8203;1966](https://togithub.com/anchore/syft/pull/1966)]
\[[manifestori](https://togithub.com/manifestori)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Create a package record for the artifact an SBOM described when
creating a SPDX SBOM \[[Issue
#&#8203;1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue
#&#8203;1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR
#&#8203;1934](https://togithub.com/anchore/syft/pull/1934)]
\[[kzantow](https://togithub.com/kzantow)]

##### Bug Fixes

- Fix panic condition on docker pull failure \[[PR
#&#8203;1968](https://togithub.com/anchore/syft/pull/1968)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Syft reports the "minimum required version" of .NET assemblies rather
than the "assembly version" \[[Issue
#&#8203;1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR
#&#8203;1943](https://togithub.com/anchore/syft/pull/1943)]
\[[luhring](https://togithub.com/luhring)]
- Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR
#&#8203;1969](https://togithub.com/anchore/syft/pull/1969)]
\[[spiffcs](https://togithub.com/spiffcs)]

##### Breaking Changes

- Remove jotframe UI \[[PR
#&#8203;1932](https://togithub.com/anchore/syft/pull/1932)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Simplify python env markers \[[PR
#&#8203;1967](https://togithub.com/anchore/syft/pull/1967)]
\[[wagoodman](https://togithub.com/wagoodman)]

### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0)

### Changelog

#### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0)
(2023-07-12)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0)

##### Added Features

- Add a --base-path command line flag to set the directory base for
scans (this option was previously exposed via API only) \[[PR
#&#8203;1867](https://togithub.com/anchore/syft/pull/1867)]
\[[deitch](https://togithub.com/deitch)]
- Add file source digest support \[[PR
#&#8203;1914](https://togithub.com/anchore/syft/pull/1914)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Remove erroneous Java CPEs from generation \[[PR
#&#8203;1918](https://togithub.com/anchore/syft/pull/1918)]
\[[luhring](https://togithub.com/luhring)]
- Fix CPE generation for k8s python client \[[PR
#&#8203;1921](https://togithub.com/anchore/syft/pull/1921)]
\[[luhring](https://togithub.com/luhring)]
- Don't use the actual redis or grpc CPEs for gems \[[PR
#&#8203;1926](https://togithub.com/anchore/syft/pull/1926)]
\[[luhring](https://togithub.com/luhring)]
- The text user interface is now provided by the bubbletea library
\[[Issue #&#8203;1441](https://togithub.com/anchore/syft/issues/1441)]
\[[PR #&#8203;1888](https://togithub.com/anchore/syft/pull/1888)]
\[[wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Install script returns exit code 0 even if install fails \[[Issue
#&#8203;1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR
#&#8203;1915](https://togithub.com/anchore/syft/pull/1915)]
\[[lorsatti](https://togithub.com/lorsatti)]
- \[Windows] Not able to scan volume mounted to folder \[[Issue
#&#8203;1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR
#&#8203;1884](https://togithub.com/anchore/syft/pull/1884)]
\[[dd-cws](https://togithub.com/dd-cws)]
- Deprecated license: GFDL-1.2+ \[[Issue
#&#8203;1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR
#&#8203;1907](https://togithub.com/anchore/syft/pull/1907)]
\[[spiffcs](https://togithub.com/spiffcs)]

##### Breaking Changes

- Refactor the `source` API and syft-json `source` block data shape
\[[Issue #&#8203;1866](https://togithub.com/anchore/syft/issues/1866)]
\[[PR #&#8203;1846](https://togithub.com/anchore/syft/pull/1846)]
\[[wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- chore: update iterations to protect against race \[[PR
#&#8203;1927](https://togithub.com/anchore/syft/pull/1927)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: background reader apart from global handler for testing \[[PR
#&#8203;1929](https://togithub.com/anchore/syft/pull/1929)]
\[[spiffcs](https://togithub.com/spiffcs)]

### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1)

### Changelog

#### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1)
(2023-06-29)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1)

##### Bug Fixes

- Fix version detection in Java archive name parsing \[[PR
#&#8203;1889](https://togithub.com/anchore/syft/pull/1889)]
\[[luhring](https://togithub.com/luhring)]
- Improve support for Dart SDK package dependency lockfiles \[[PR
#&#8203;1891](https://togithub.com/anchore/syft/pull/1891)]
\[[rufman](https://togithub.com/rufman)]
- Fix license output for some CycloneDX JSON SBOMs \[[Issue
#&#8203;1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR
#&#8203;1879](https://togithub.com/anchore/syft/pull/1879)]
\[[kzantow](https://togithub.com/kzantow)]
- Correctly discover Debian file relationships in distroless images
\[[Issue #&#8203;1900](https://togithub.com/anchore/syft/issues/1900)]
\[[PR #&#8203;1901](https://togithub.com/anchore/syft/pull/1901)]
\[[westonsteimel](https://togithub.com/westonsteimel)]

##### Additional Changes

- Simplify the SBOM writer interface \[[PR
#&#8203;1892](https://togithub.com/anchore/syft/pull/1892)]
\[[wagoodman](https://togithub.com/wagoodman)]

### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0)

### Changelog

#### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0)
(2023-06-20)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0)

##### Breaking Changes

- Pad artifact IDs \[[PR
#&#8203;1882](https://togithub.com/anchore/syft/pull/1882)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]

##### Additional Changes

- chore: update SPDX license list to 3.21 \[[PR
#&#8203;1885](https://togithub.com/anchore/syft/pull/1885)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1)

### Changelog

#### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1)
(2023-06-14)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1)

##### Bug Fixes

- fix: pom properties not setting artifact id \[[PR
#&#8203;1870](https://togithub.com/anchore/syft/pull/1870)]
\[[jneate](https://togithub.com/jneate)]
- fix(deps): pull in platform selection fix from stereoscope \[[PR
#&#8203;1871](https://togithub.com/anchore/syft/pull/1871)]
\[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
- pulling in an image with a digest that does not match the platform and
architecture of the host no longer fails with an error, see
[https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188)
- symlinks within a scanned directory tree are parsed outside the tree,
failing if target does not exist \[[Issue
#&#8203;1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR
#&#8203;1861](https://togithub.com/anchore/syft/pull/1861)]
\[[deitch](https://togithub.com/deitch)]

### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0)

### Changelog

#### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0)
(2023-06-05)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0)

##### Added Features

- Add new '--source-version' and '--source-name' options to set the name
and version of the target being analyzed for reference in resulting
syft-json format SBOMs (more formats will support these flags soon).
\[[Issue #&#8203;1399](https://togithub.com/anchore/syft/issues/1399)]
\[[PR #&#8203;1859](https://togithub.com/anchore/syft/pull/1859)]
\[[kzantow](https://togithub.com/kzantow)]
- Add scope to POM properties \[[PR
#&#8203;1779](https://togithub.com/anchore/syft/pull/1779)]
\[[jneate](https://togithub.com/jneate)]
- Accept main.version ldflags even without vcs \[[PR
#&#8203;1855](https://togithub.com/anchore/syft/pull/1855)]
\[[deitch](https://togithub.com/deitch)]

##### Bug Fixes

- Fix directory resolver to consider CWD and root path input correctly
\[[PR #&#8203;1840](https://togithub.com/anchore/syft/pull/1840)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Show all error messages if there is a failure retrieving an image with
a specified scheme \[[Issue
#&#8203;1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR
#&#8203;1801](https://togithub.com/anchore/syft/pull/1801)]
\[[FrimIdan](https://togithub.com/FrimIdan)]
- v0.81.0 crashing parsing some images \[[Issue
#&#8203;1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR
#&#8203;1839](https://togithub.com/anchore/syft/pull/1839)]
\[[spiffcs](https://togithub.com/spiffcs)]

##### Deprecated Features

- Migrate location-related structs to the file package \[[PR
#&#8203;1751](https://togithub.com/anchore/syft/pull/1751)]
\[[wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- chore: code cleanup \[[PR
#&#8203;1865](https://togithub.com/anchore/syft/pull/1865)]
\[[spiffcs](https://togithub.com/spiffcs)]

### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0)

### Changelog

#### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0)
(2023-05-23)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0)

##### Added Features

- Improve Go main module version detection by attempting to parse
available ldflags \[[Issue
#&#8203;1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR
#&#8203;1832](https://togithub.com/anchore/syft/pull/1832)]
\[[wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Fix a problem in the license parsing logic that may result in a panic
\[[PR #&#8203;1839](https://togithub.com/anchore/syft/pull/1839)]
- Return all relevant error messages if an image retrieval fails when a
scheme is specified \[[PR
#&#8203;1801](https://togithub.com/anchore/syft/pull/1801)]
\[[FrimIdan](https://togithub.com/FrimIdan)]
- Fix a problem with PNPM scanning where v6 lockfiles might result in
duplicated packages \[[Issue
#&#8203;1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR
#&#8203;1778](https://togithub.com/anchore/syft/pull/1778)]
\[[kzantow](https://togithub.com/kzantow)]

### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0)

### Changelog

#### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0)
(2023-05-22)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0)

##### Added Features

- Support cataloging R packages \[[Issue
#&#8203;730](https://togithub.com/anchore/syft/issues/730)] \[[PR
#&#8203;1790](https://togithub.com/anchore/syft/pull/1790)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Support describing license properties and SPDX expression assertions
\[[Issue #&#8203;1577](https://togithub.com/anchore/syft/issues/1577)]
\[[PR #&#8203;1743](https://togithub.com/anchore/syft/pull/1743)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Warn if parsing a newer SBOM \[[PR
#&#8203;1810](https://togithub.com/anchore/syft/pull/1810)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]

##### Bug Fixes

- Retain cataloged SBOM relationships \[[PR
#&#8203;1509](https://togithub.com/anchore/syft/pull/1509)]
\[[houdini91](https://togithub.com/houdini91)]
- fix: update field plurality of 8.0.0 schema before release \[[PR
#&#8203;1820](https://togithub.com/anchore/syft/pull/1820)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: remove spurious warnings - unknown relationship type: evident-by
form-lib=syft \[[Issue
#&#8203;1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR
#&#8203;1797](https://togithub.com/anchore/syft/pull/1797)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- CycloneDX Dependencies Relationships Inverted \[[Issue
#&#8203;1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR
#&#8203;1816](https://togithub.com/anchore/syft/pull/1816)]
\[[shanealv](https://togithub.com/shanealv)]
- Alpine: license expression should be complete and not parsed out
\[[Issue #&#8203;1817](https://togithub.com/anchore/syft/issues/1817)]
\[[PR #&#8203;1819](https://togithub.com/anchore/syft/pull/1819)]
\[[spiffcs](https://togithub.com/spiffcs)]

##### Additional Changes

- Print package list when extra packages found \[[PR
#&#8203;1791](https://togithub.com/anchore/syft/pull/1791)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- update cosign to v2 release (different go module) \[[PR
#&#8203;1805](https://togithub.com/anchore/syft/pull/1805)]
\[[bobcallaway](https://togithub.com/bobcallaway)]

### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0)

### Changelog

#### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0)
(2023-05-05)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0)

##### Added Features

- Improve pnpm support \[[Issue
#&#8203;1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR
#&#8203;1752](https://togithub.com/anchore/syft/pull/1752)]
\[[Shanedell](https://togithub.com/Shanedell)]

##### Bug Fixes

- chore: add more detail on SPDX file IDs \[[PR
#&#8203;1769](https://togithub.com/anchore/syft/pull/1769)]
\[[kzantow](https://togithub.com/kzantow)]
- chore: do not HTML escape PackageURLs \[[PR
#&#8203;1782](https://togithub.com/anchore/syft/pull/1782)]
\[[kzantow](https://togithub.com/kzantow)]
- RPM database not found on ostree-managed systems \[[Issue
#&#8203;1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR
#&#8203;1756](https://togithub.com/anchore/syft/pull/1756)]
\[[fpytloun](https://togithub.com/fpytloun)]
- Unable to use syft for private azure container registry \[[Issue
#&#8203;1777](https://togithub.com/anchore/syft/issues/1777)]
- linux-kernel-cataloger produces thousands of version-less components.
\[[Issue #&#8203;1781](https://togithub.com/anchore/syft/issues/1781)]
\[[PR #&#8203;1784](https://togithub.com/anchore/syft/pull/1784)]
\[[kzantow](https://togithub.com/kzantow)]

##### Deprecated Features

- Rename pkg.Catalog to pkg.Collection \[[PR
#&#8203;1764](https://togithub.com/anchore/syft/pull/1764)]
\[[wagoodman](https://togithub.com/wagoodman)]

### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0)

### Changelog

#### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0)
(2023-04-21)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0)

##### Added Features

- Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue
#&#8203;1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR
#&#8203;1747](https://togithub.com/anchore/syft/pull/1747)]
\[[Shanedell](https://togithub.com/Shanedell)]
- consul binary classifier \[[Issue
#&#8203;1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR
#&#8203;1738](https://togithub.com/anchore/syft/pull/1738)]
\[[Shanedell](https://togithub.com/Shanedell)]

##### Bug Fixes

- Syft missing direct dependencies from the gemfile.lock \[[Issue
#&#8203;1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR
#&#8203;1749](https://togithub.com/anchore/syft/pull/1749)]
\[[Shanedell](https://togithub.com/Shanedell)]

##### Additional Changes

- chore: bump stereoscope to latest version \[[PR
#&#8203;1741](https://togithub.com/anchore/syft/pull/1741)]
\[[westonsteimel](https://togithub.com/westonsteimel)]

### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0)

### Changelog

#### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0)
(2023-04-17)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0)

##### Added Features

- Add Linux Kernel cataloger \[[PR
#&#8203;1694](https://togithub.com/anchore/syft/pull/1694)]
\[[deitch](https://togithub.com/deitch) &
[wagoodman](https://togithub.com/wagoodman)]
- Support scanning license files in golang packages over the network
\[[Issue #&#8203;1056](https://togithub.com/anchore/syft/issues/1056)]
\[[PR #&#8203;1630](https://togithub.com/anchore/syft/pull/1630)]
\[[deitch](https://togithub.com/deitch) &
[kzantow](https://togithub.com/kzantow)]
- Add consul binary classifier \[[Issue
#&#8203;1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR
#&#8203;1738](https://togithub.com/anchore/syft/pull/1738)]
\[[Shanedell](https://togithub.com/Shanedell)]
- Add annotations for evidence on package locations \[[PR
#&#8203;1723](https://togithub.com/anchore/syft/pull/1723)]
\[[wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Decoding of the syft-json format does not handle files \[[Issue
#&#8203;1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR
#&#8203;1698](https://togithub.com/anchore/syft/pull/1698)]
\[[wagoodman](https://togithub.com/wagoodman)]

### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0)

### Changelog

#### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0)
(2023-04-11)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0)

##### Added Features

- feat: gradle lockfile support \[[PR
#&#8203;1719](https://togithub.com/anchore/syft/pull/1719)]
\[[henrysachs](https://togithub.com/henrysachs)]
- feat: support for java "nar" files \[[PR
#&#8203;1727](https://togithub.com/anchore/syft/pull/1727)]
\[[Shanedell](https://togithub.com/Shanedell)]

### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1)

### Changelog

#### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1)
(2023-04-05)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1)

##### Added Features

- Capture file ownership relationships from portage ecosystem \[[PR
#&#8203;1702](https://togithub.com/anchore/syft/pull/1702)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Add Nix Cataloger \[[Issue
#&#8203;462](https://togithub.com/anchore/syft/issues/462)] \[[PR
#&#8203;1107](https://togithub.com/anchore/syft/pull/1107)]
\[[juliosueiras](https://togithub.com/juliosueiras)] \[[PR
#&#8203;1696](https://togithub.com/anchore/syft/pull/1696)]
\[[wagoodman](https://togithub.com/wagoodman)]
\[[flokli](https://togithub.com/flokli)]

### [`v0.76.0`](https://togithub.com/anchore/syft/releases/tag/v0.76.0)

[Compare
Source](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0)

### Changelog

#### [v0.76.0](https://togithub.com/anchore/syft/tree/v0.76.0)
(2023-03-31)

[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0)

##### Added Features

- Scan local go mod licenses for golang packages \[[PR
#&#8203;1645](https://togithub.com/anchore/syft/pull/1645)]
\[[deitch](https://togithub.com/deitch)]
- update and clean license list generation to return more SPDXID for
more inputs \[[PR
#&#8203;1691](https://togithub.com/anchore/syft/pull/1691)]
\[[spiffcs](https://togithub.com/spiffcs)]
- argocd binary classifier \[[Issue
#&#8203;1606](https://togithub.com/anchore/syft/issues/1606)] \[[PR
#&#8203;1663](https://togithub.com/anchore/syft/pull/1663)]
\[[y12studio](https://togithub.com/y12studio)]
- Add config option to allow user to select the default image source
location \[[Issue
#&#8203;1703](https://togithub.com/anchore/syft/pull/1703)]
\[[spiffcs](https://togithub.com/spiffcs)]

##### Bug Fixes

- Defer closing the opened file when using FileScheme \[[PR
#&#8203;1668](https://to

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>
mend-for-github-com[bot] authored Dec 22, 2023
1 parent 3c5b37c commit 4ec15a4
Showing 1 changed file with 17 additions and 17 deletions.
34 changes: 17 additions & 17 deletions aqua.yaml
Expand Up @@ -3,21 +3,21 @@
# https://aquaproj.github.io/
registries:
- type: standard
ref: v3.138.0 # renovate: depName=aquaproj/aqua-registry
ref: v3.162.0 # renovate: depName=aquaproj/aqua-registry
packages:
- name: miniscruff/changie@v1.11.1
- name: golang/go@go1.20.1
- name: direnv/direnv@v2.32.2
- name: magefile/mage@v1.14.0
- name: charmbracelet/glow@v1.5.0
- name: goreleaser/goreleaser@v1.15.2
- name: mvdan/gofumpt@v0.4.0
- name: golang.org/x/tools/gopls@v0.11.0
- name: golang/tools/gorename@v0.6.0
- name: golang/tools/stringer@v0.6.0
- name: golang/tools/gomvpkg@v0.6.0
- name: golang/tools/godoc@v0.6.0
- name: golang/tools/guru@v0.6.0
- name: anchore/syft@v0.73.0
- name: direnv/direnv@v2.32.2
- name: thycotic/dsv-cli@v1.40.1
- name: miniscruff/changie@v1.17.0
- name: golang/go@go1.21.5
- name: direnv/direnv@v2.33.0
- name: magefile/mage@v1.15.0
- name: charmbracelet/glow@v1.5.1
- name: goreleaser/goreleaser@v1.22.1
- name: mvdan/gofumpt@v0.5.0
- name: golang.org/x/tools/gopls@v0.14.2
- name: golang/tools/gorename@v0.16.1
- name: golang/tools/stringer@v0.16.1
- name: golang/tools/gomvpkg@v0.16.1
- name: golang/tools/godoc@v0.16.1
- name: golang/tools/guru@v0.16.1
- name: anchore/syft@v0.99.0
- name: direnv/direnv@v2.33.0
- name: thycotic/dsv-cli@v1.40.5
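
Review bot: `direnv/direnv` is listed twice under `packages:` (once after `golang/go` and again after `anchore/syft`), and this update carries the duplicate forward at v2.33.0; drop the second entry so the tool is pinned in one place and a later bump cannot leave the two entries out of step. Separately, `anchore/syft` moves from v0.73.0 to v0.99.0 in a single step with Automerge enabled, and the release notes quoted in the commit message list breaking changes inside that range (padded artifact IDs in v0.84.0, the syft-json `source` block data shape in v0.85.0, simplified python env markers in v0.86.0), so any job that parses syft-json output or compares SBOMs across runs should be checked against v0.99.0 before this lands unattended.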
