Platform selection in docker client has unnecessary error #188

willmurphyscode · 2023-06-01T17:59:02Z

What happened:

❯ go run examples/basic.go docker:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387
[0000] DEBUG image: source=DockerDaemon location=busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387
[0000] DEBUG pulling docker image="busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387"
[0000] DEBUG using docker config="/Users/willmurphy/.docker/config.json"
[0000] DEBUG using docker credentials for "index.docker.io/v1/"
panic: unable to use DockerDaemon source: image has unexpected architecture "s390x", which differs from the user specified architecture "arm64"

goroutine 1 [running]:
main.main()
        /Users/willmurphy/work/stereoscope/examples/basic.go:38 +0x60c
exit status 2

This error affects syft:

❯ syft packages docker:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387           
 ⠹ Pulling image           

2023/06/01 13:52:00 error during command execution: 1 error occurred:
        * failed to construct source from user input "docker:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387": could not fetch image "busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387": scheme "docker" specified; image retrieval using scheme parsing (busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387) was unsuccessful: unable to use DockerDaemon source: image has unexpected architecture "s390x", which differs from the user specified architecture "arm64"; image retrieval without scheme parsing (docker:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387) was unsuccessful: unable to determine image source to select platform

What you expected to happen:

Since I specified an exact digest, and didn't pass --platform, I didn't expect a validation error about the user requested platform.

How to reproduce it (as minimally and precisely as possible):

go run examples/basic.go docker:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387

Anything else we need to know?:

I chose the digest based on running docker manifest inspect busybox:1.31 and choosing the digest of a platform that doesn't match my platform.

The registry provider doesn't have this error: go run examples/basic.go registry:busybox:1.31@sha256:91c15b1ba6f408a648be60f8c047ef79058f26fa640025f374281f31c8704387 works normally.

Environment:

OS (e.g: cat /etc/os-release or similar):
M1 macbook pro, Darwin Kernel Version 22.4.0 arm64.

❯ docker version
Client:
 Cloud integration: v1.0.31
 Version:           23.0.5
 API version:       1.42
 Go version:        go1.19.8
 Git commit:        bc4487a
 Built:             Wed Apr 26 16:12:52 2023
 OS/Arch:           darwin/arm64
 Context:           default

Server: Docker Desktop 4.19.0 (106363)
 Engine:
  Version:          23.0.5
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.8
  Git commit:       94d3ad6
  Built:            Wed Apr 26 16:17:14 2023
  OS/Arch:          linux/arm64
  Experimental:     true
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

The text was updated successfully, but these errors were encountered:

willmurphyscode · 2023-06-02T21:05:16Z

Trying to run this down, there's some learnings to capture here:

Running something like docker pull myimage:mytage@sha256:somebytes can mean two completely different things: The digest sha256:somebytes can be the digest of a multi-architecture index, in which case the request to docker is to find that version of that multi-architecture index, and choose a platform out of id, and then download those bytes. Or sha256:somebytes can be the digest of a particular built image (a specific manifest), in which case that image is requested. In other words, the digest might uniquely identify a multi-architecture index, or it might uniquely identify an image (by manifest), and you can't tell which by inspecting the string. A digest does not necessarily reference exactly one image.
Specifically, you can't tell which without making a network call to the registry to download any multi-arch index the digest may refer to (e.g. by running docker manifest inspect ...)
Syft, and therefore stereoscope, should work in situations where they can talk to a docker socket but not make their own network calls, so we can't download the registry to check whether the digest from point 1 pins an index or a particular image manfiest.
The docker API, when pulling an image, doesn't let you pull an image and then receive an unambiguous identifier to what was pulled. Hence this code, which pulls an image, and then reuses the image name from the user (e.g. alpine:latest or whatever) to inspect the image. It is difficult to guarantee that these two calls will point to the same image. There is a digest returned in the JSON during pull, but it can just point to the multi-arch index, not a specific image's manifest. Also, if users have enabled "use containerd for pulling and store images" in docker settings, the events that come back from the API call are slightly different, so relying on them is brittle.

That said, I think we can and should revert the platform default selection from #152, and add some additional test cases to guard against regression here.

willmurphyscode · 2023-06-08T21:22:32Z

An example of this issue affecting users is anchore/sbom-action#419.

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@floating-ui/dom](https://floating-ui.com) ([source](https://togithub.com/floating-ui/floating-ui)) | [`1.3.0` -> `1.4.2`](https://renovatebot.com/diffs/npm/@floating-ui%2fdom/1.3.0/1.4.2) | [![age](https://badges.renovateapi.com/packages/npm/@floating-ui%2fdom/1.4.2/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@floating-ui%2fdom/1.4.2/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@floating-ui%2fdom/1.4.2/compatibility-slim/1.3.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@floating-ui%2fdom/1.4.2/confidence-slim/1.3.0)](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | [@playwright/test](https://playwright.dev) ([source](https://togithub.com/Microsoft/playwright)) | [`1.35.0` -> `1.35.1`](https://renovatebot.com/diffs/npm/@playwright%2ftest/1.35.0/1.35.1) | [![age](https://badges.renovateapi.com/packages/npm/@playwright%2ftest/1.35.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@playwright%2ftest/1.35.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@playwright%2ftest/1.35.1/compatibility-slim/1.35.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@playwright%2ftest/1.35.1/confidence-slim/1.35.0)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/typescript-eslint) | [`5.59.11` -> `5.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2feslint-plugin/5.59.11/5.60.1) | [![age](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2feslint-plugin/5.60.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2feslint-plugin/5.60.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2feslint-plugin/5.60.1/compatibility-slim/5.59.11)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2feslint-plugin/5.60.1/confidence-slim/5.59.11)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [@typescript-eslint/parser](https://togithub.com/typescript-eslint/typescript-eslint) | [`5.59.11` -> `5.60.1`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/5.59.11/5.60.1) | [![age](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2fparser/5.60.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2fparser/5.60.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2fparser/5.60.1/compatibility-slim/5.59.11)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/@typescript-eslint%2fparser/5.60.1/confidence-slim/5.59.11)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [actions/checkout](https://togithub.com/actions/checkout) | `v3.5.2` -> `v3.5.3` | [![age](https://badges.renovateapi.com/packages/github-tags/actions%2fcheckout/v3.5.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/actions%2fcheckout/v3.5.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/actions%2fcheckout/v3.5.3/compatibility-slim/v3.5.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/actions%2fcheckout/v3.5.3/confidence-slim/v3.5.2)](https://docs.renovatebot.com/merge-confidence/) | action | patch | | [anchore/sbom-action](https://togithub.com/anchore/sbom-action) | `v0.14.2` -> `v0.14.3` | [![age](https://badges.renovateapi.com/packages/github-tags/anchore%2fsbom-action/v0.14.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/anchore%2fsbom-action/v0.14.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/anchore%2fsbom-action/v0.14.3/compatibility-slim/v0.14.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/anchore%2fsbom-action/v0.14.3/confidence-slim/v0.14.2)](https://docs.renovatebot.com/merge-confidence/) | action | patch | | [aws-actions/configure-aws-credentials](https://togithub.com/aws-actions/configure-aws-credentials) | `v2.1.0` -> `v2.2.0` | [![age](https://badges.renovateapi.com/packages/github-tags/aws-actions%2fconfigure-aws-credentials/v2.2.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/aws-actions%2fconfigure-aws-credentials/v2.2.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/aws-actions%2fconfigure-aws-credentials/v2.2.0/compatibility-slim/v2.1.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/aws-actions%2fconfigure-aws-credentials/v2.2.0/confidence-slim/v2.1.0)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [big-bang/bigbang](https://repo1.dso.mil/big-bang/bigbang) | `2.0.0` -> `2.4.1` | [![age](https://badges.renovateapi.com/packages/gitlab-releases/big-bang%2fbigbang/2.4.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/gitlab-releases/big-bang%2fbigbang/2.4.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/gitlab-releases/big-bang%2fbigbang/2.4.1/compatibility-slim/2.0.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/gitlab-releases/big-bang%2fbigbang/2.4.1/confidence-slim/2.0.0)](https://docs.renovatebot.com/merge-confidence/) | | minor | | [docker/login-action](https://togithub.com/docker/login-action) | `v2.1.0` -> `v2.2.0` | [![age](https://badges.renovateapi.com/packages/github-tags/docker%2flogin-action/v2.2.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/docker%2flogin-action/v2.2.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/docker%2flogin-action/v2.2.0/compatibility-slim/v2.1.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/docker%2flogin-action/v2.2.0/confidence-slim/v2.1.0)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [docker/setup-buildx-action](https://togithub.com/docker/setup-buildx-action) | `v2.5.0` -> `v2.8.0` | [![age](https://badges.renovateapi.com/packages/github-tags/docker%2fsetup-buildx-action/v2.8.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/docker%2fsetup-buildx-action/v2.8.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/docker%2fsetup-buildx-action/v2.8.0/compatibility-slim/v2.5.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/docker%2fsetup-buildx-action/v2.8.0/confidence-slim/v2.5.0)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [eslint](https://eslint.org) ([source](https://togithub.com/eslint/eslint)) | [`8.42.0` -> `8.43.0`](https://renovatebot.com/diffs/npm/eslint/8.42.0/8.43.0) | [![age](https://badges.renovateapi.com/packages/npm/eslint/8.43.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/eslint/8.43.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/eslint/8.43.0/compatibility-slim/8.42.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/eslint/8.43.0/confidence-slim/8.42.0)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [ghcr.io/stefanprodan/podinfo](https://togithub.com/stefanprodan/podinfo) | `6.3.5` -> `6.4.0` | [![age](https://badges.renovateapi.com/packages/docker/ghcr.io%2fstefanprodan%2fpodinfo/6.4.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/docker/ghcr.io%2fstefanprodan%2fpodinfo/6.4.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/docker/ghcr.io%2fstefanprodan%2fpodinfo/6.4.0/compatibility-slim/6.3.5)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/docker/ghcr.io%2fstefanprodan%2fpodinfo/6.4.0/confidence-slim/6.3.5)](https://docs.renovatebot.com/merge-confidence/) | | minor | | [github.com/AlecAivazis/survey/v2](https://togithub.com/AlecAivazis/survey) | `v2.3.6` -> `v2.3.7` | [![age](https://badges.renovateapi.com/packages/go/github.com%2fAlecAivazis%2fsurvey%2fv2/v2.3.7/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/github.com%2fAlecAivazis%2fsurvey%2fv2/v2.3.7/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/github.com%2fAlecAivazis%2fsurvey%2fv2/v2.3.7/compatibility-slim/v2.3.6)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/github.com%2fAlecAivazis%2fsurvey%2fv2/v2.3.7/confidence-slim/v2.3.6)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [github.com/anchore/syft](https://togithub.com/anchore/syft) | `v0.82.0` -> `v0.84.0` | [![age](https://badges.renovateapi.com/packages/go/github.com%2fanchore%2fsyft/v0.84.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/github.com%2fanchore%2fsyft/v0.84.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/github.com%2fanchore%2fsyft/v0.84.0/compatibility-slim/v0.82.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/github.com%2fanchore%2fsyft/v0.84.0/confidence-slim/v0.82.0)](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [github.com/fluxcd/helm-controller/api](https://togithub.com/fluxcd/helm-controller) | `v0.34.1` -> `v0.34.2` | [![age](https://badges.renovateapi.com/packages/go/github.com%2ffluxcd%2fhelm-controller%2fapi/v0.34.2/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/github.com%2ffluxcd%2fhelm-controller%2fapi/v0.34.2/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/github.com%2ffluxcd%2fhelm-controller%2fapi/v0.34.2/compatibility-slim/v0.34.1)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/github.com%2ffluxcd%2fhelm-controller%2fapi/v0.34.2/confidence-slim/v0.34.1)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [github.com/otiai10/copy](https://togithub.com/otiai10/copy) | `v1.11.0` -> `v1.12.0` | [![age](https://badges.renovateapi.com/packages/go/github.com%2fotiai10%2fcopy/v1.12.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/github.com%2fotiai10%2fcopy/v1.12.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/github.com%2fotiai10%2fcopy/v1.12.0/compatibility-slim/v1.11.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/github.com%2fotiai10%2fcopy/v1.12.0/confidence-slim/v1.11.0)](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [github/codeql-action](https://togithub.com/github/codeql-action) | `v2.3.6` -> `v2.20.1` | [![age](https://badges.renovateapi.com/packages/github-tags/github%2fcodeql-action/v2.20.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/github%2fcodeql-action/v2.20.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/github%2fcodeql-action/v2.20.1/compatibility-slim/v2.3.6)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/github%2fcodeql-action/v2.20.1/confidence-slim/v2.3.6)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | golang.org/x/crypto | `v0.9.0` -> `v0.10.0` | [![age](https://badges.renovateapi.com/packages/go/golang.org%2fx%2fcrypto/v0.10.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/golang.org%2fx%2fcrypto/v0.10.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/golang.org%2fx%2fcrypto/v0.10.0/compatibility-slim/v0.9.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/golang.org%2fx%2fcrypto/v0.10.0/confidence-slim/v0.9.0)](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [goreleaser/goreleaser-action](https://togithub.com/goreleaser/goreleaser-action) | `v4.2.0` -> `v4.3.0` | [![age](https://badges.renovateapi.com/packages/github-tags/goreleaser%2fgoreleaser-action/v4.3.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/goreleaser%2fgoreleaser-action/v4.3.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/goreleaser%2fgoreleaser-action/v4.3.0/compatibility-slim/v4.2.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/goreleaser%2fgoreleaser-action/v4.3.0/confidence-slim/v4.2.0)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [helm.sh/helm/v3](https://togithub.com/helm/helm) | `v3.12.0` -> `v3.12.1` | [![age](https://badges.renovateapi.com/packages/go/helm.sh%2fhelm%2fv3/v3.12.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/helm.sh%2fhelm%2fv3/v3.12.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/helm.sh%2fhelm%2fv3/v3.12.1/compatibility-slim/v3.12.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/helm.sh%2fhelm%2fv3/v3.12.1/confidence-slim/v3.12.0)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [k3s-io/k3s](https://togithub.com/k3s-io/k3s) | `v1.27.2+k3s1` -> `v1.27.3+k3s1` | [![age](https://badges.renovateapi.com/packages/github-releases/k3s-io%2fk3s/v1.27.3+k3s1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-releases/k3s-io%2fk3s/v1.27.3+k3s1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-releases/k3s-io%2fk3s/v1.27.3+k3s1/compatibility-slim/v1.27.2+k3s1)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-releases/k3s-io%2fk3s/v1.27.3+k3s1/confidence-slim/v1.27.2+k3s1)](https://docs.renovatebot.com/merge-confidence/) | | patch | | [k8s.io/api](https://togithub.com/kubernetes/api) | `v0.27.2` -> `v0.27.3` | [![age](https://badges.renovateapi.com/packages/go/k8s.io%2fapi/v0.27.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/k8s.io%2fapi/v0.27.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/k8s.io%2fapi/v0.27.3/compatibility-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/k8s.io%2fapi/v0.27.3/confidence-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [k8s.io/apimachinery](https://togithub.com/kubernetes/apimachinery) | `v0.27.2` -> `v0.27.3` | [![age](https://badges.renovateapi.com/packages/go/k8s.io%2fapimachinery/v0.27.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/k8s.io%2fapimachinery/v0.27.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/k8s.io%2fapimachinery/v0.27.3/compatibility-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/k8s.io%2fapimachinery/v0.27.3/confidence-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [k8s.io/client-go](https://togithub.com/kubernetes/client-go) | `v0.27.2` -> `v0.27.3` | [![age](https://badges.renovateapi.com/packages/go/k8s.io%2fclient-go/v0.27.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/k8s.io%2fclient-go/v0.27.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/k8s.io%2fclient-go/v0.27.3/compatibility-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/k8s.io%2fclient-go/v0.27.3/confidence-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [k8s.io/component-base](https://togithub.com/kubernetes/component-base) | `v0.27.2` -> `v0.27.3` | [![age](https://badges.renovateapi.com/packages/go/k8s.io%2fcomponent-base/v0.27.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/k8s.io%2fcomponent-base/v0.27.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/k8s.io%2fcomponent-base/v0.27.3/compatibility-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/k8s.io%2fcomponent-base/v0.27.3/confidence-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [k8s.io/kubectl](https://togithub.com/kubernetes/kubectl) | `v0.27.2` -> `v0.27.3` | [![age](https://badges.renovateapi.com/packages/go/k8s.io%2fkubectl/v0.27.3/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/k8s.io%2fkubectl/v0.27.3/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/k8s.io%2fkubectl/v0.27.3/compatibility-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/k8s.io%2fkubectl/v0.27.3/confidence-slim/v0.27.2)](https://docs.renovatebot.com/merge-confidence/) | require | patch | | [longhorn](https://togithub.com/longhorn/longhorn) ([source](https://togithub.com/longhorn/charts)) | `1.4.0` -> `1.4.2` | [![age](https://badges.renovateapi.com/packages/helm/longhorn/1.4.2/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/helm/longhorn/1.4.2/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/helm/longhorn/1.4.2/compatibility-slim/1.4.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/helm/longhorn/1.4.2/confidence-slim/1.4.0)](https://docs.renovatebot.com/merge-confidence/) | | patch | | [material-symbols](https://marella.github.io/material-symbols/demo/) ([source](https://togithub.com/marella/material-symbols)) | [`0.7.0` -> `0.8.1`](https://renovatebot.com/diffs/npm/material-symbols/0.7.0/0.8.1) | [![age](https://badges.renovateapi.com/packages/npm/material-symbols/0.8.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/material-symbols/0.8.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/material-symbols/0.8.1/compatibility-slim/0.7.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/material-symbols/0.8.1/confidence-slim/0.7.0)](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | `v2.1.3` -> `v2.2.0` | [![age](https://badges.renovateapi.com/packages/github-tags/ossf%2fscorecard-action/v2.2.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-tags/ossf%2fscorecard-action/v2.2.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-tags/ossf%2fscorecard-action/v2.2.0/compatibility-slim/v2.1.3)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-tags/ossf%2fscorecard-action/v2.2.0/confidence-slim/v2.1.3)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [playwright](https://playwright.dev) ([source](https://togithub.com/Microsoft/playwright)) | [`1.35.0` -> `1.35.1`](https://renovatebot.com/diffs/npm/playwright/1.35.0/1.35.1) | [![age](https://badges.renovateapi.com/packages/npm/playwright/1.35.1/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/playwright/1.35.1/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/playwright/1.35.1/compatibility-slim/1.35.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/playwright/1.35.1/confidence-slim/1.35.0)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [prism-react-renderer](https://togithub.com/FormidableLabs/prism-react-renderer) | [`2.0.4` -> `2.0.6`](https://renovatebot.com/diffs/npm/prism-react-renderer/2.0.4/2.0.6) | [![age](https://badges.renovateapi.com/packages/npm/prism-react-renderer/2.0.6/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/prism-react-renderer/2.0.6/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/prism-react-renderer/2.0.6/compatibility-slim/2.0.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/prism-react-renderer/2.0.6/confidence-slim/2.0.4)](https://docs.renovatebot.com/merge-confidence/) | dependencies | patch | | [quicktype](https://togithub.com/quicktype/quicktype) | [`23.0.47` -> `23.0.48`](https://renovatebot.com/diffs/npm/quicktype/23.0.47/23.0.48) | [![age](https://badges.renovateapi.com/packages/npm/quicktype/23.0.48/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/quicktype/23.0.48/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/quicktype/23.0.48/compatibility-slim/23.0.47)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/quicktype/23.0.48/confidence-slim/23.0.47)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [sass](https://togithub.com/sass/dart-sass) | [`1.63.4` -> `1.63.6`](https://renovatebot.com/diffs/npm/sass/1.63.4/1.63.6) | [![age](https://badges.renovateapi.com/packages/npm/sass/1.63.6/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/sass/1.63.6/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/sass/1.63.6/compatibility-slim/1.63.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/sass/1.63.6/confidence-slim/1.63.4)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [serde_json](https://togithub.com/serde-rs/json) | `1.0.96` -> `1.0.99` | [![age](https://badges.renovateapi.com/packages/crate/serde_json/1.0.99/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/crate/serde_json/1.0.99/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/crate/serde_json/1.0.99/compatibility-slim/1.0.96)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/crate/serde_json/1.0.99/confidence-slim/1.0.96)](https://docs.renovatebot.com/merge-confidence/) | dependencies | patch | | [sha2](https://togithub.com/RustCrypto/hashes) | `0.10.6` -> `0.10.7` | [![age](https://badges.renovateapi.com/packages/crate/sha2/0.10.7/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/crate/sha2/0.10.7/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/crate/sha2/0.10.7/compatibility-slim/0.10.6)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/crate/sha2/0.10.7/confidence-slim/0.10.6)](https://docs.renovatebot.com/merge-confidence/) | dependencies | patch | | [sigs.k8s.io/kustomize/api](https://togithub.com/kubernetes-sigs/kustomize) | `v0.13.4` -> `v0.14.0` | [![age](https://badges.renovateapi.com/packages/go/sigs.k8s.io%2fkustomize%2fapi/v0.14.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/go/sigs.k8s.io%2fkustomize%2fapi/v0.14.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/go/sigs.k8s.io%2fkustomize%2fapi/v0.14.0/compatibility-slim/v0.13.4)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/go/sigs.k8s.io%2fkustomize%2fapi/v0.14.0/confidence-slim/v0.13.4)](https://docs.renovatebot.com/merge-confidence/) | require | minor | | [svelte-check](https://togithub.com/sveltejs/language-tools) | [`3.4.3` -> `3.4.4`](https://renovatebot.com/diffs/npm/svelte-check/3.4.3/3.4.4) | [![age](https://badges.renovateapi.com/packages/npm/svelte-check/3.4.4/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/svelte-check/3.4.4/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/svelte-check/3.4.4/compatibility-slim/3.4.3)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/svelte-check/3.4.4/confidence-slim/3.4.3)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [tslib](https://www.typescriptlang.org/) ([source](https://togithub.com/Microsoft/tslib)) | [`2.5.3` -> `2.6.0`](https://renovatebot.com/diffs/npm/tslib/2.5.3/2.6.0) | [![age](https://badges.renovateapi.com/packages/npm/tslib/2.6.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/tslib/2.6.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/tslib/2.6.0/compatibility-slim/2.5.3)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/tslib/2.6.0/confidence-slim/2.5.3)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [typescript](https://www.typescriptlang.org/) ([source](https://togithub.com/Microsoft/TypeScript)) | [`5.1.3` -> `5.1.5`](https://renovatebot.com/diffs/npm/typescript/5.1.3/5.1.5) | [![age](https://badges.renovateapi.com/packages/npm/typescript/5.1.5/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/typescript/5.1.5/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/typescript/5.1.5/compatibility-slim/5.1.3)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/typescript/5.1.5/confidence-slim/5.1.3)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [weaveworks/eksctl](https://togithub.com/weaveworks/eksctl) | `v0.143.0` -> `v0.146.0` | [![age](https://badges.renovateapi.com/packages/github-releases/weaveworks%2feksctl/v0.146.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/github-releases/weaveworks%2feksctl/v0.146.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/github-releases/weaveworks%2feksctl/v0.146.0/compatibility-slim/v0.143.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/github-releases/weaveworks%2feksctl/v0.146.0/confidence-slim/v0.143.0)](https://docs.renovatebot.com/merge-confidence/) | | minor | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>floating-ui/floating-ui (@floating-ui/dom)</summary> ### [`v1.4.2`](https://togithub.com/floating-ui/floating-ui/releases/tag/%40floating-ui/dom%401.4.2) [Compare Source](https://togithub.com/floating-ui/floating-ui/compare/@floating-ui/dom@1.4.1...@floating-ui/dom@1.4.2) ##### Bug Fixes - fix(autoUpdate): prevent potential crash with `IntersectionObserver` threshold ([#2390](https://togithub.com/floating-ui/floating-ui/issues/2390)) ### [`v1.4.1`](https://togithub.com/floating-ui/floating-ui/releases/tag/%40floating-ui/dom%401.4.1) [Compare Source](https://togithub.com/floating-ui/floating-ui/compare/@floating-ui/dom@1.4.0...@floating-ui/dom@1.4.1) #### Bug Fixes - fix(autoUpdate): `layoutShift` checks ([#2384](https://togithub.com/floating-ui/floating-ui/issues/2384)) ### [`v1.4.0`](https://togithub.com/floating-ui/floating-ui/releases/tag/%40floating-ui/dom%401.4.0) [Compare Source](https://togithub.com/floating-ui/floating-ui/compare/@floating-ui/dom@1.3.0...@floating-ui/dom@1.4.0) #### New Features - feat(autoUpdate): add `layoutShift` option (`true` by default) to detect when the reference element moves on the screen. Thank you to [@samthor](https://togithub.com/samthor) for the technique using `IntersectionObserver`. ([#2373](https://togithub.com/floating-ui/floating-ui/issues/2373)) If you were using `animationFrame: true` for this purpose, you can now disable the option and use the defaults for layout shift checks. That option should now only be used if you need the floating element to stay anchored either during an animation using `transform` of the reference element, or for nested portaled floating elements (if necessary). #### Bug Fixes - fix: loop in tests with mocked `Node` ([#2383](https://togithub.com/floating-ui/floating-ui/issues/2383)) - fix(autoUpdate): `animationFrame: true` preventing updates if reference element is fixed ([#2373](https://togithub.com/floating-ui/floating-ui/issues/2373)) </details> <details> <summary>Microsoft/playwright (@playwright/test)</summary> ### [`v1.35.1`](https://togithub.com/microsoft/playwright/releases/tag/v1.35.1) [Compare Source](https://togithub.com/Microsoft/playwright/compare/v1.35.0...v1.35.1) ##### Highlights [https://github.com/microsoft/playwright/issues/23622](https://togithub.com/microsoft/playwright/issues/23622) - \[Docs] Provide a description how to correctly use expect.configure with poll parameter[https://github.com/microsoft/playwright/issues/23666](https://togithub.com/microsoft/playwright/issues/23666)6 - \[BUG] Live Trace does not work with Codespace[https://github.com/microsoft/playwright/issues/23693](https://togithub.com/microsoft/playwright/issues/23693)93 - \[BUG] attachment steps are not hidden inside expect.toHaveScreenshot() ##### Browser Versions - Chromium 115.0.5790.13 - Mozilla Firefox 113.0 - WebKit 16.4 This version was also tested against the following stable channels: - Google Chrome 114 - Microsoft Edge 114 </details> <details> <summary>typescript-eslint/typescript-eslint (@typescript-eslint/eslint-plugin)</summary> ### [`v5.60.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#5601-httpsgithubcomtypescript-eslinttypescript-eslintcomparev5600v5601-2023-06-26) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.60.0...v5.60.1) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. ### [`v5.60.0`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/eslint-plugin/CHANGELOG.md#5600-httpsgithubcomtypescript-eslinttypescript-eslintcomparev55911v5600-2023-06-19) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.11...v5.60.0) ##### Features - **eslint-plugin:** \[restrict-plus-operands] add allow\* options ([#6161](https://togithub.com/typescript-eslint/typescript-eslint/issues/6161)) ([def09f8](https://togithub.com/typescript-eslint/typescript-eslint/commit/def09f88cdb4a85cebb8619b45931f7e2c88dfc0)) #### [5.59.11](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.10...v5.59.11) (2023-06-12) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.10](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.9...v5.59.10) (2023-06-12) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.9](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.8...v5.59.9) (2023-06-05) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.8](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.7...v5.59.8) (2023-05-29) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.7](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.6...v5.59.7) (2023-05-22) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.6](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.5...v5.59.6) (2023-05-15) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.5](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.4...v5.59.5) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.4](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.3...v5.59.4) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.3](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.2...v5.59.3) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.2](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.1...v5.59.2) (2023-05-01) **Note:** Version bump only for package [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) #### [5.59.1](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.0...v5.59.1) (2023-04-24) ##### Bug Fixes - **eslint-plugin:** \[prefer-regexp-exec] skip malformed regexes ([#6935](https://togithub.com/typescript-eslint/typescript-eslint/issues/6935)) ([05ed60e](https://togithub.com/typescript-eslint/typescript-eslint/commit/05ed60e25f1de9d1bb83d56c81a349130960bec8)) - **eslint-plugin:** \[unified-signatures] no parameters function ([#6940](https://togithub.com/typescript-eslint/typescript-eslint/issues/6940)) ([2970861](https://togithub.com/typescript-eslint/typescript-eslint/commit/297086154acc568a0ae8eb41c8977b7a7ba4e0ed)) </details> <details> <summary>typescript-eslint/typescript-eslint (@typescript-eslint/parser)</summary> ### [`v5.60.1`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#5601-httpsgithubcomtypescript-eslinttypescript-eslintcomparev5600v5601-2023-06-26) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.60.0...v5.60.1) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) You can read about our [versioning strategy](https://main--typescript-eslint.netlify.app/users/versioning) and [releases](https://main--typescript-eslint.netlify.app/users/releases) on our website. ### [`v5.60.0`](https://togithub.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#5600-httpsgithubcomtypescript-eslinttypescript-eslintcomparev55911v5600-2023-06-19) [Compare Source](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.11...v5.60.0) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.11](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.10...v5.59.11) (2023-06-12) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.10](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.9...v5.59.10) (2023-06-12) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.9](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.8...v5.59.9) (2023-06-05) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.8](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.7...v5.59.8) (2023-05-29) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.7](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.6...v5.59.7) (2023-05-22) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.6](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.5...v5.59.6) (2023-05-15) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.5](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.4...v5.59.5) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.4](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.3...v5.59.4) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.3](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.2...v5.59.3) (2023-05-08) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.2](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.1...v5.59.2) (2023-05-01) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) #### [5.59.1](https://togithub.com/typescript-eslint/typescript-eslint/compare/v5.59.0...v5.59.1) (2023-04-24) **Note:** Version bump only for package [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) </details> <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.5.3`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.2...v3.5.3) - [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://togithub.com/actions/checkout/pull/1196) - [Fix typos found by codespell](https://togithub.com/actions/checkout/pull/1287) - [Add support for sparse checkouts](https://togithub.com/actions/checkout/pull/1369) </details> <details> <summary>anchore/sbom-action (anchore/sbom-action)</summary> ### [`v0.14.3`](https://togithub.com/anchore/sbom-action/releases/tag/v0.14.3) [Compare Source](https://togithub.com/anchore/sbom-action/compare/v0.14.2...v0.14.3) #### Changes in v0.14.3 - update Syft to v0.84.0 ([#418](https://togithub.com/anchore/sbom-action/issues/418)) \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] </details> <details> <summary>aws-actions/configure-aws-credentials (aws-actions/configure-aws-credentials)</summary> ### [`v2.2.0`](https://togithub.com/aws-actions/configure-aws-credentials/releases/tag/v2.2.0) [Compare Source](https://togithub.com/aws-actions/configure-aws-credentials/compare/v2.1.0...v2.2.0) See the [changelog](https://togithub.com/aws-actions/configure-aws-credentials/blob/v2.2.0/CHANGELOG.md) for details about the changes included in this release. </details> <details> <summary>docker/login-action (docker/login-action)</summary> ### [`v2.2.0`](https://togithub.com/docker/login-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/docker/login-action/compare/v2.1.0...v2.2.0) - Switch to actions-toolkit implementation by [@crazy-max](https://togithub.com/crazy-max) in [https://github.com/docker/login-action/pull/409](https://togithub.com/docker/login-action/pull/409) [https://github.com/docker/login-action/pull/470](https://togithub.com/docker/login-action/pull/470) [https://github.com/docker/login-action/pull/476](https://togithub.com/docker/login-action/pull/476) - Bump [@aws-sdk/client-ecr](https://togithub.com/aws-sdk/client-ecr) and [@aws-sdk/client-ecr-public](https://togithub.com/aws-sdk/client-ecr-public) to 3.347.1 in [https://github.com/docker/login-action/pull/524](https://togithub.com/docker/login-action/pull/524) [https://github.com/docker/login-action/pull/364](https://togithub.com/docker/login-action/pull/364) [https://github.com/docker/login-action/pull/363](https://togithub.com/docker/login-action/pull/363) - Bump minimatch from 3.0.4 to 3.1.2 in [https://github.com/docker/login-action/pull/354](https://togithub.com/docker/login-action/pull/354) - Bump json5 from 2.2.0 to 2.2.3 in [https://github.com/docker/login-action/pull/378](https://togithub.com/docker/login-action/pull/378) - Bump http-proxy-agent from 5.0.0 to 7.0.0 in [https://github.com/docker/login-action/pull/509](https://togithub.com/docker/login-action/pull/509) - Bump https-proxy-agent from 5.0.1 to 7.0.0 in [https://github.com/docker/login-action/pull/508](https://togithub.com/docker/login-action/pull/508) **Full Changelog**: https://github.com/docker/login-action/compare/v2.1.0...v2.2.0 </details> <details> <summary>docker/setup-buildx-action (docker/setup-buildx-action)</summary> ### [`v2.8.0`](https://togithub.com/docker/setup-buildx-action/releases/tag/v2.8.0) [Compare Source](https://togithub.com/docker/setup-buildx-action/compare/v2.7.0...v2.8.0) - Only set specific flags for drivers supporting them by [@nicks](https://togithub.com/nicks) in [https://github.com/docker/setup-buildx-action/pull/241](https://togithub.com/docker/setup-buildx-action/pull/241) - Bump [@docker/actions-toolkit](https://togithub.com/docker/actions-toolkit) from 0.5.0 to 0.6.0 in [https://github.com/docker/setup-buildx-action/pull/242](https://togithub.com/docker/setup-buildx-action/pull/242) **Full Changelog**: https://github.com/docker/setup-buildx-action/compare/v2.7.0...v2.8.0 ### [`v2.7.0`](https://togithub.com/docker/setup-buildx-action/releases/tag/v2.7.0) [Compare Source](https://togithub.com/docker/setup-buildx-action/compare/v2.6.0...v2.7.0) - Bump [@docker/actions-toolkit](https://togithub.com/docker/actions-toolkit) from 0.3.0 to 0.5.0 in [https://github.com/docker/setup-buildx-action/pull/237](https://togithub.com/docker/setup-buildx-action/pull/237) [https://github.com/docker/setup-buildx-action/pull/238](https://togithub.com/docker/setup-buildx-action/pull/238) **Full Changelog**: https://github.com/docker/setup-buildx-action/compare/v2.6.0...v2.7.0 ### [`v2.6.0`](https://togithub.com/docker/setup-buildx-action/releases/tag/v2.6.0) [Compare Source](https://togithub.com/docker/setup-buildx-action/compare/v2.5.0...v2.6.0) - Set node name for k8s driver when appending nodes by [@crazy-max](https://togithub.com/crazy-max) in [https://github.com/docker/setup-buildx-action/pull/219](https://togithub.com/docker/setup-buildx-action/pull/219) - Bump [@docker/actions-toolkit](https://togithub.com/docker/actions-toolkit) from 0.1.0-beta.18 to 0.3.0 in [https://github.com/docker/setup-buildx-action/pull/220](https://togithub.com/docker/setup-buildx-action/pull/220) [https://github.com/docker/setup-buildx-action/pull/229](https://togithub.com/docker/setup-buildx-action/pull/229) [https://github.com/docker/setup-buildx-action/pull/231](https://togithub.com/docker/setup-buildx-action/pull/231) [https://github.com/docker/setup-buildx-action/pull/236](https://togithub.com/docker/setup-buildx-action/pull/236) **Full Changelog**: https://github.com/docker/setup-buildx-action/compare/v2.5.0...v2.6.0 </details> <details> <summary>eslint/eslint (eslint)</summary> ### [`v8.43.0`](https://togithub.com/eslint/eslint/releases/tag/v8.43.0) [Compare Source](https://togithub.com/eslint/eslint/compare/v8.42.0...v8.43.0) #### Features - [`14581ff`](https://togithub.com/eslint/eslint/commit/14581ff15aaee5a55c46bbf4983818ddc8dd7cb1) feat: directive prologue detection and autofix condition in `quotes` ([#17284](https://togithub.com/eslint/eslint/issues/17284)) (Francesco Trotta) - [`e50fac3`](https://togithub.com/eslint/eslint/commit/e50fac3f8f998f729e3080e256066db3a7827c67) feat: add declaration loc to message in block-scoped-var ([#17252](https://togithub.com/eslint/eslint/issues/17252)) (Milos Djermanovic) - [`1b7faf0`](https://togithub.com/eslint/eslint/commit/1b7faf0702b1af86b6a0ddafc37cf45d60f5d4d8) feat: add `skipJSXText` option to `no-irregular-whitespace` rule ([#17182](https://togithub.com/eslint/eslint/issues/17182)) (Azat S) #### Bug Fixes - [`5338b56`](https://togithub.com/eslint/eslint/commit/5338b56fda7f47d16bdb23514f1e95b24de7b92f) fix: normalize `cwd` passed to `ESLint`/`FlatESLint` constructor ([#17277](https://togithub.com/eslint/eslint/issues/17277)) (Milos Djermanovic) - [`54383e6`](https://togithub.com/eslint/eslint/commit/54383e69b092ef537d59a1f7799a85b1412f4e59) fix: Remove `no-extra-parens` autofix for potential directives ([#17022](https://togithub.com/eslint/eslint/issues/17022)) (Francesco Trotta) #### Documentation - [`8b855ea`](https://togithub.com/eslint/eslint/commit/8b855ea058992d5446d1d6dc6394ee683c3200a0) docs: resubmit pr17061 doc changes ([#17292](https://togithub.com/eslint/eslint/issues/17292)) (唯然) - [`372722e`](https://togithub.com/eslint/eslint/commit/372722eac32ca9e3f31cf0d0bc10317c6f153369) docs: resubmit pr17012 doc changes ([#17293](https://togithub.com/eslint/eslint/issues/17293)) (唯然) - [`67e7af3`](https://togithub.com/eslint/eslint/commit/67e7af3fdbdb4648b747dfd669be4decfe24086a) docs: resubmit custom-rules doc changes ([#17294](https://togithub.com/eslint/eslint/issues/17294)) (唯然) - [`9e3d77c`](https://togithub.com/eslint/eslint/commit/9e3d77cba65d0e38e07996e57961fb04f30d9303) docs: Resubmit Fix formatting in Custom Rules docs ([#17281](https://togithub.com/eslint/eslint/issues/17281)) (Milos Djermanovic) - [`503647a`](https://togithub.com/eslint/eslint/commit/503647a0b94ca8c776d7e7e8c54c8b1d32904467) docs: Resubmit markVariableAsUsed docs ([#17280](https://togithub.com/eslint/eslint/issues/17280)) (Nicholas C. Zakas) - [`e0cf0d8`](https://togithub.com/eslint/eslint/commit/e0cf0d86d985ed2b2f901dd9aab5ccd2fff062ad) docs: Custom rule & plugin tutorial ([#17024](https://togithub.com/eslint/eslint/issues/17024)) (Ben Perlmutter) - [`8e51ea9`](https://togithub.com/eslint/eslint/commit/8e51ea943c2fcd05bd8917cfa89e36b91209c7cd) docs: resubmit `no-new` rule documentation ([#17264](https://togithub.com/eslint/eslint/issues/17264)) (Nitin Kumar) - [`1b217f8`](https://togithub.com/eslint/eslint/commit/1b217f8de15961fd3c80389621080132f517a0fb) docs: resubmit `Custom Processors` documentation ([#17265](https://togithub.com/eslint/eslint/issues/17265)) (Nitin Kumar) - [`428fc76`](https://togithub.com/eslint/eslint/commit/428fc76806dea1ac82484d628261a5385f928e6a) docs: resubmit `Create Plugins` documentation ([#17268](https://togithub.com/eslint/eslint/issues/17268)) (Nitin Kumar) - [`bdca88c`](https://togithub.com/eslint/eslint/commit/bdca88cf4f8b7888cb72197bfe9c1d90b490a0dd) docs: resubmit `Configuration Files` documentation ([#17267](https://togithub.com/eslint/eslint/issues/17267)) (Nitin Kumar) - [`f5c01f2`](https://togithub.com/eslint/eslint/commit/f5c01f281ad288b1a0ebddbf579230ae11587c6c) docs: resubmit `Manage Issues` documentation ([#17266](https://togithub.com/eslint/eslint/issues/17266)) (Nitin Kumar) - [`b199295`](https://togithub.com/eslint/eslint/commit/b1992954591a3f4d8417013f52739b5fef4e0cd7) docs: Resubmit custom rules update docs ([#17273](https://togithub.com/eslint/eslint/issues/17273)) (Ben Perlmutter) - [`0e9980c`](https://togithub.com/eslint/eslint/commit/0e9980c3a8a1e554fdb377305c0ebe9e94a354c9) docs: add new `omitLastInOneLineClassBody` option to the `semi` rule ([#17263](https://togithub.com/eslint/eslint/issues/17263)) (Nitin Kumar) - [`cb2560f`](https://togithub.com/eslint/eslint/commit/cb2560f7a393e74b761faa9adad938fb1deb947d) docs: Resubmit getScope/getDeclaredVariables docs ([#17262](https://togithub.com/eslint/eslint/issues/17262)) (Nicholas C. Zakas) - [`85d2b30`](https://togithub.com/eslint/eslint/commit/85d2b30bc318c1355e52ebb21c56cca32f0ab198) docs: explain how to include predefined globals ([#17261](https://togithub.com/eslint/eslint/issues/17261)) (Marcus Wyatt) - [`de4d3c1`](https://togithub.com/eslint/eslint/commit/de4d3c14c30a88795b9075d59827d3fe63a42c5e) docs: update flat config default ignore patterns ([#17258](https://togithub.com/eslint/eslint/issues/17258)) (Milos Djermanovic) - [`3912f3a`](https://togithub.com/eslint/eslint/commit/3912f3a225c12bfb5ce9b7ba26c2b5301e6275bd) docs: Improve `ignores` documentation ([#17239](https://togithub.com/eslint/eslint/issues/17239)) (Francesco Trotta) - [`35e11d3`](https://togithub.com/eslint/eslint/commit/35e11d3248e00b711fd652836edc900f22af0ebd) docs: fix typos and missing info ([#17257](https://togithub.com/eslint/eslint/issues/17257)) (Ed Lucas) - [`0bc257c`](https://togithub.com/eslint/eslint/commit/0bc257c290b12fcda85cb61b40d55fc2be0f938c) docs: Clarify `no-div-regex` rule docs ([#17051](https://togithub.com/eslint/eslint/issues/17051)) ([#17255](https://togithub.com/eslint/eslint/issues/17255)) (Francesco Trotta) - [`788d836`](https://togithub.com/eslint/eslint/commit/788d83629a3790a7db6f52dcf0b4bddf51c6d063) docs: add references to MIT License ([#17248](https://togithub.com/eslint/eslint/issues/17248)) (Milos Djermanovic) - [`58aab6b`](https://togithub.com/eslint/eslint/commit/58aab6b6c09996875418aefeeb0fd76c50caef7a) docs: Update README (GitHub Actions Bot) - [`3ef5814`](https://togithub.com/eslint/eslint/commit/3ef58140550cf8ff34af35fc4d9a1f9a124fe0e6) docs: Revert all changes after the license change ([#17227](https://togithub.com/eslint/eslint/issues/17227)) (Milos Djermanovic) - [`03fc4aa`](https://togithub.com/eslint/eslint/commit/03fc4aa847bd0445e7b3ea81bcc9523b1847facc) docs: Update README (GitHub Actions Bot) #### Chores - [`78350f6`](https://togithub.com/eslint/eslint/commit/78350f63045c82b7990bb7bfe5080c5ad5e1c3f5) chore: upgrade [@eslint/js](https://togithub.com/eslint/js)[@8](https://togithub.com/8).43.0 ([#17295](https://togithub.com/eslint/eslint/issues/17295)) (Milos Djermanovic) - [`62bf759`](https://togithub.com/eslint/eslint/commit/62bf759124811b013ad7906c2536deb8b39c31a8) chore: package.json update for [@eslint/js](https://togithub.com/eslint/js) release (ESLint Jenkins) - [`e0a2448`](https://togithub.com/eslint/eslint/commit/e0a2448e0c0ef354e69998858846630a3fce8ebe) chore: docs package.license ISC => MIT ([#17254](https://togithub.com/eslint/eslint/issues/17254)) (唯然) - [`6a0196c`](https://togithub.com/eslint/eslint/commit/6a0196c51310630a0ff96a1e8d7f257c2c7adda9) chore: use eslint-plugin-eslint-plugin flat configs ([#17204](https://togithub.com/eslint/eslint/issues/17204)) (Milos Djermanovic) </details> <details> <summary>stefanprodan/podinfo (ghcr.io/stefanprodan/podinfo)</summary> ### [`v6.4.0`](https://togithub.com/stefanprodan/podinfo/releases/tag/6.4.0) [Compare Source](https://togithub.com/stefanprodan/podinfo/compare/6.3.6...6.4.0) CHANGELOG - PR [#273](https://togithub.com/stefanprodan/podinfo/issues/273) Release 6.4.0 - PR [#272](https://togithub.com/stefanprodan/podinfo/issues/272) Update dependencies - PR [#271](https://togithub.com/stefanprodan/podinfo/issues/271) feat(echo): add dynamic path support for echo endpoint ### [`v6.3.6`](https://togithub.com/stefanprodan/podinfo/releases/tag/6.3.6) [Compare Source](https://togithub.com/stefanprodan/podinfo/compare/6.3.5...6.3.6) CHANGELOG - PR [#265](https://togithub.com/stefanprodan/podinfo/issues/265) Release 6.3.6 - PR [#264](https://togithub.com/stefanprodan/podinfo/issues/264) Update dependencies - PR [#263](https://togithub.com/stefanprodan/podinfo/issues/263) chart: Add optional startupProbe values - PR [#262](https://togithub.com/stefanprodan/podinfo/issues/262) Update dependencies </details> <details> <summary>AlecAivazis/survey (github.com/AlecAivazis/survey/v2)</summary> ### [`v2.3.7`](https://togithub.com/AlecAivazis/survey/compare/v2.3.6...v2.3.7) [Compare Source](https://togithub.com/AlecAivazis/survey/compare/v2.3.6...v2.3.7) </details> <details> <summary>anchore/syft (github.com/anchore/syft)</summary> ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/iss </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/defenseunicorns/zarf).  --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Wayne Starr <me@racer159.com> Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [DelineaXPM/dsv-cli](https://togithub.com/DelineaXPM/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` | | [anchore/grype](https://togithub.com/anchore/grype) | minor | `v0.57.1` -> `v0.65.1` | | [anchore/quill](https://togithub.com/anchore/quill) | minor | `v0.2.0` -> `v0.4.0` | | [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.87.0` | | [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.138.0` -> `v3.162.0` | | [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` | | [charmbracelet/gum](https://togithub.com/charmbracelet/gum) | minor | `v0.9.0` -> `v0.11.0` | | [charmbracelet/vhs](https://togithub.com/charmbracelet/vhs) | minor | `v0.3.0` -> `v0.6.0` | | [direnv/direnv](https://togithub.com/direnv/direnv) | patch | `v2.32.2` -> `v2.32.3` | | [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.20.0` | | [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.9.0` -> `v1.10.1` | | [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` | | [mikefarah/yq](https://togithub.com/mikefarah/yq) | minor | `v4.31.1` -> `v4.35.1` | | [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.11.1` -> `v1.12.0` | | [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` | | [sharkdp/hyperfine](https://togithub.com/sharkdp/hyperfine) | minor | `v1.15.0` -> `v1.17.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>DelineaXPM/dsv-cli</summary> ### [`v1.40.5`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1405---2023-05-12) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.4...v1.40.5) ##### 🐛 Bug Fix - Windows cli version update check was looking for a binary with `windows` in the name, while the actual artifact is `win`. ### [`v1.40.4`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1404---2023-04-25) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.3...v1.40.4) ##### 🎉 Feature - `dsv pool list`: new `--limit`, `-l`, `--cursor` flags. See `dsv pool list --help` for more details. ##### Related - fixes [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586) - related [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586) - <https://github.com/andrii-zakurenyi> ##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) ### [`v1.40.3`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1403---2023-04-04) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.2...v1.40.3) ##### 🐛 Bug Fix - Fix the format of links to pre-built binaries. ##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) ### [`v1.40.2`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1402---2023-03-03) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.1...v1.40.2) ##### 🔨 Refactor - Allow defining command handlers which could return an error instead of exit code. - Move store package to internal/store. Do not use custom ApiError in the store package. - Reduce number of API calls in E2E tests by using CLI configuration profile instead of requesting a new token on each CLI run. ##### 🐛 Bug Fix - Remove "v" prefix from https://dsv.secretsvaultcloud.com/cli-version.json which causes error messages in log. ##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) - [mariiatuzovska](https://togithub.com/mariiatuzovska) </details> <details> <summary>anchore/grype</summary> ### [`v0.65.1`](https://togithub.com/anchore/grype/releases/tag/v0.65.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.65.0...v0.65.1) ### #### [v0.65.1](https://togithub.com/anchore/grype/tree/v0.65.1) (2023-08-04) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.65.0...v0.65.1) ##### Bug Fixes - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[Issue #1306](https://togithub.com/anchore/grype/issues/1306)] ### [`v0.65.0`](https://togithub.com/anchore/grype/releases/tag/v0.65.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.2...v0.65.0) ### Changelog #### [v0.65.0](https://togithub.com/anchore/grype/tree/v0.65.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.2...v0.65.0) ##### Added Features - feat: implement secondary sorting for default json output \[[PR #1403](https://togithub.com/anchore/grype/pull/1403)] \[[spiffcs](https://togithub.com/spiffcs)] - Consistent sort order for grype output \[[Issue #709](https://togithub.com/anchore/grype/issues/709)] \[[PR #1400](https://togithub.com/anchore/grype/pull/1400)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Grype reading SPDX file with json output gets UnknownScheme error \[[Issue #948](https://togithub.com/anchore/grype/issues/948)] - grype 0.64.0 doesn't list vulnerabilties if `--fail-on` fails \[[Issue #1392](https://togithub.com/anchore/grype/issues/1392)] \[[PR #1395](https://togithub.com/anchore/grype/pull/1395)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: bump quality gate label dataset \[[PR #1404](https://togithub.com/anchore/grype/pull/1404)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.64.2`](https://togithub.com/anchore/grype/releases/tag/v0.64.2) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.1...v0.64.2) ### Changelog #### [v0.64.2](https://togithub.com/anchore/grype/tree/v0.64.2) (2023-07-20) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.1...v0.64.2) ##### Bug Fixes - grype 0.64.0 doesn't list vulnerabilties if `--fail-on` fails \[[Issue #1392](https://togithub.com/anchore/grype/issues/1392)] \[[PR #1395](https://togithub.com/anchore/grype/pull/1395)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.64.1`](https://togithub.com/anchore/grype/releases/tag/v0.64.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.64.0...v0.64.1) ### Changelog #### [v0.64.1](https://togithub.com/anchore/grype/tree/v0.64.1) (2023-07-17) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.64.0...v0.64.1) ##### Bug Fixes - stop truncating template files [Issue #1388](https://togithub.com/anchore/grype/issues/1388) [PR #1391](https://togithub.com/anchore/grype/pull/1391) [willmurphyscode](https://togithub.com/willmurphyscode) ##### Additional Changes - Port UI to bubbletea \[[PR #1385](https://togithub.com/anchore/grype/pull/1385)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.64.0`](https://togithub.com/anchore/grype/releases/tag/v0.64.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.63.1...v0.64.0) ### Changelog #### [v0.64.0](https://togithub.com/anchore/grype/tree/v0.64.0) (2023-07-13) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.63.1...v0.64.0) ##### Added Features - You can now list multiple output formats and files to write to disk with one command, like Syft: "-o format1=file1 -o format1=file2" \[[Issue #648](https://togithub.com/anchore/grype/issues/648)] \[[PR #1346](https://togithub.com/anchore/grype/pull/1346)] \[[olivierboudet](https://togithub.com/olivierboudet)] ##### Bug Fixes - Correctly detect format of CycloneDX XML SBOM with no components \[[Issue #1005](https://togithub.com/anchore/grype/issues/1005)] - Fix vulnerability summary counts to be less confusing. \[[Issue #1360](https://togithub.com/anchore/grype/issues/1360)] ##### Additional Changes - Port to new Syft source API \[[PR #1376](https://togithub.com/anchore/grype/pull/1376)] \[[wagoodman](https://togithub.com/wagoodman)] - Include Syft 0.85.0 ### [`v0.63.1`](https://togithub.com/anchore/grype/releases/tag/v0.63.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.63.0...v0.63.1) ### Changelog #### [v0.63.1](https://togithub.com/anchore/grype/tree/v0.63.1) (2023-06-30) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.63.0...v0.63.1) ##### Bug Fixes - Add more log4j-adjacent package ignore rules \[[PR #1358](https://togithub.com/anchore/grype/pull/1358)] \[[luhring](https://togithub.com/luhring)] - The summary by severity is confusing \[[Issue #1312](https://togithub.com/anchore/grype/issues/1312)] \[[PR #1359](https://togithub.com/anchore/grype/pull/1359)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.63.0`](https://togithub.com/anchore/grype/releases/tag/v0.63.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.3...v0.63.0) ### Changelog #### [v0.63.0](https://togithub.com/anchore/grype/tree/v0.63.0) (2023-06-21) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.3...v0.63.0) ##### Added Features - Always include the specific package name and version used in the vulnerability search in the matchDetails section of the output \[[PR #1339](https://togithub.com/anchore/grype/pull/1339)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Expose Go template file that produces the table report \[[Issue #629](https://togithub.com/anchore/grype/issues/629)] \[[PR #1343](https://togithub.com/anchore/grype/pull/1343)] \[[jneate](https://togithub.com/jneate)] - Add a folder for community Go templates (see templates/README.md for more details) \[[Issue #1316](https://togithub.com/anchore/grype/issues/1316)] ##### Breaking Changes - update Syft to v0.84.0: stereoscope platform fix and artifact ID padding \[[PR #1354](https://togithub.com/anchore/grype/pull/1354)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ### [`v0.62.3`](https://togithub.com/anchore/grype/releases/tag/v0.62.3) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.2...v0.62.3) ### Changelog #### [v0.62.3](https://togithub.com/anchore/grype/tree/v0.62.3) (2023-06-05) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.2...v0.62.3) ##### Bug Fixes - Suppressed vulnerabilties are now correctly hidden, unless the --show-suppressed option is provided. \[[Issue #1053](https://togithub.com/anchore/grype/issues/1053)] \[[Issue #1278](https://togithub.com/anchore/grype/issues/1278)] \[[PR #1322](https://togithub.com/anchore/grype/pull/1322)] \[[jamestran201](https://togithub.com/jamestran201)] ### [`v0.62.2`](https://togithub.com/anchore/grype/releases/tag/v0.62.2) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.1...v0.62.2) ### Changelog #### [v0.62.2](https://togithub.com/anchore/grype/tree/v0.62.2) (2023-05-26) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.1...v0.62.2) ### [`v0.62.1`](https://togithub.com/anchore/grype/releases/tag/v0.62.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.62.0...v0.62.1) ### Changelog #### [v0.62.1](https://togithub.com/anchore/grype/tree/v0.62.1) (2023-05-24) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.62.0...v0.62.1) #### Bug Fixes - Updated syft to v0.82.0 to address license parsing logic that may result in a panic \[[PR #1313](https://togithub.com/anchore/grype/pull/1313)] ### [`v0.62.0`](https://togithub.com/anchore/grype/releases/tag/v0.62.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.61.1...v0.62.0) ### Changelog #### [v0.62.0](https://togithub.com/anchore/grype/tree/v0.62.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.61.1...v0.62.0) ##### Added Features - Add package qualifier for platform CPE \[[PR #1291](https://togithub.com/anchore/grype/pull/1291)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Include timestamp and image name in reports \[[Issue #1170](https://togithub.com/anchore/grype/issues/1170)] \[[PR #1249](https://togithub.com/anchore/grype/pull/1249)] \[[jneate](https://togithub.com/jneate)] - Document command line flag for config file location \[[Issue #1271](https://togithub.com/anchore/grype/issues/1271)] \[[PR #1274](https://togithub.com/anchore/grype/pull/1274)] \[[jneate](https://togithub.com/jneate)] - Add support for Mariner distribution \[[Issue #1220](https://togithub.com/anchore/grype/issues/1220)] - Add support for Syft IDs in JSON output \[[PR #1266](https://togithub.com/anchore/grype/pull/1266)] \[[luhring](https://togithub.com/luhring)] ##### Bug Fixes - False positive with pkg:rpm PURLs \[[Issue #1031](https://togithub.com/anchore/grype/issues/1031)] \[[PR #1237](https://togithub.com/anchore/grype/pull/1237)] \[[Shanedell](https://togithub.com/Shanedell)] - Specifying "extras" in pip / requirements.txt results in false negative \[[Issue #1246](https://togithub.com/anchore/grype/issues/1246)] - CycloneDX dependencies relationships inverted \[[Issue #1294](https://togithub.com/anchore/grype/issues/1294)] ##### Additional Changes - docs: add "cyclonedx-json" to output formats \[[PR #1252](https://togithub.com/anchore/grype/pull/1252)] \[[HNKNTA](https://togithub.com/HNKNTA)] - chore: update quality gate labels and add keycloak \[[PR #1255](https://togithub.com/anchore/grype/pull/1255)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Install skopeo during bootstrap \[[PR #1260](https://togithub.com/anchore/grype/pull/1260)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Replace deprecated io/ioutil calls \[[PR #1296](https://togithub.com/anchore/grype/pull/1296)] \[[testwill](https://togithub.com/testwill)] - Fix reading syft json from stdin by redirect \[[PR #1299](https://togithub.com/anchore/grype/pull/1299)] \[[devfbe](https://togithub.com/devfbe)] - Add gitignore for default build target \[[PR #1305](https://togithub.com/anchore/grype/pull/1305)] \[[testwill](https://togithub.com/testwill)] ### [`v0.61.1`](https://togithub.com/anchore/grype/releases/tag/v0.61.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.61.0...v0.61.1) ### Changelog #### [v0.61.1](https://togithub.com/anchore/grype/tree/v0.61.1) (2023-04-21) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.61.0...v0.61.1) ##### Bug Fixes - :grey_question: Parsing dpkg status: extracting key-value from line: usr/lib/os-release err: cannot parse field \[[Issue #1195](https://togithub.com/anchore/grype/issues/1195)] - Grype suggesting to upgrade to a version already used. \[[Issue #1209](https://togithub.com/anchore/grype/issues/1209)] ##### Additional Changes - feat: add timestamp to json output ([#1170](https://togithub.com/anchore/grype/issues/1170)) \[[PR #1249](https://togithub.com/anchore/grype/pull/1249)] \[[jneate](https://togithub.com/jneate)] ### [`v0.61.0`](https://togithub.com/anchore/grype/releases/tag/v0.61.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.60.0...v0.61.0) ### Changelog #### [v0.61.0](https://togithub.com/anchore/grype/tree/v0.61.0) (2023-04-04) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.60.0...v0.61.0) ##### Added Features - feat: Add config option to prefer registry over local Docker when scanning an image \[[Issue #1204](https://togithub.com/anchore/grype/issues/1204)] \[[PR #1215](https://togithub.com/anchore/grype/pull/1215)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - chore: update quality gate dataset \[[PR #1206](https://togithub.com/anchore/grype/pull/1206)] \[[westonsteimel](https://togithub.com/westonsteimel)] - chore: update deprecated set-output calls \[[PR #1210](https://togithub.com/anchore/grype/pull/1210)] \[[kzantow](https://togithub.com/kzantow)] - chore: update syft \[[PR #1211](https://togithub.com/anchore/grype/pull/1211)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.60.0`](https://togithub.com/anchore/grype/releases/tag/v0.60.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.59.1...v0.60.0) ### Changelog #### [v0.60.0](https://togithub.com/anchore/grype/tree/v0.60.0) (2023-03-28) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.59.1...v0.60.0) ##### Added Features - feat: disable CPE-based matching by default for javascript \[[PR #1180](https://togithub.com/anchore/grype/pull/1180)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Improve --by-cve report performance \[[Issue #1185](https://togithub.com/anchore/grype/issues/1185)] \[[PR #1188](https://togithub.com/anchore/grype/pull/1188)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.59.1`](https://togithub.com/anchore/grype/releases/tag/v0.59.1) [Compare Source](https://togithub.com/anchore/grype/compare/v0.59.0...v0.59.1) ### Changelog #### [v0.59.1](https://togithub.com/anchore/grype/tree/v0.59.1) (2023-03-09) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.59.0...v0.59.1) ##### Bug Fixes - fix: correct APK CPE version comparison logic \[[PR #1165](https://togithub.com/anchore/grype/pull/1165)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.59.0`](https://togithub.com/anchore/grype/releases/tag/v0.59.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.58.0...v0.59.0) ### Changelog #### [v0.59.0](https://togithub.com/anchore/grype/tree/v0.59.0) (2023-03-03) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.58.0...v0.59.0) ##### Added Features - Add the total types of vulnerabilities in Grype output \[[Issue #877](https://togithub.com/anchore/grype/issues/877)] \[[PR #946](https://togithub.com/anchore/grype/pull/946)] \[[zhiburt](https://togithub.com/zhiburt)] ##### Additional Changes - chore: bump quality gate labels and syft version \[[PR #1156](https://togithub.com/anchore/grype/pull/1156)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.58.0`](https://togithub.com/anchore/grype/releases/tag/v0.58.0) [Compare Source](https://togithub.com/anchore/grype/compare/v0.57.1...v0.58.0) ### Changelog #### [v0.58.0](https://togithub.com/anchore/grype/tree/v0.58.0) (2023-03-02) [Full Changelog](https://togithub.com/anchore/grype/compare/v0.57.1...v0.58.0) ##### Security Fixes - chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 \[[PR #1134](https://togithub.com/anchore/grype/pull/1134)] \[[dependabot](https://togithub.com/dependabot)] ##### Added Features - add grype image to ArtifactHub \[[Issue #613](https://togithub.com/anchore/grype/issues/613)] \[[PR #639](https://togithub.com/anchore/grype/pull/639)] \[[developer-guy](https://togithub.com/developer-guy)] ##### Bug Fixes - Grype with version v.0.55 take 3 hour to scan the image \[[Issue #1063](https://togithub.com/anchore/grype/issues/1063)] - Unable to install Grype \[[Issue #1102](https://togithub.com/anchore/grype/issues/1102)] ##### Additional Changes - chore: update progress monitor handling \[[PR #1149](https://togithub.com/anchore/grype/pull/1149)] \[[kzantow](https://togithub.com/kzantow)] - distro: Disable support for Arch Linux \[[PR #1152](https://togithub.com/anchore/grype/pull/1152)] \[[Foxboron](https://togithub.com/Foxboron)] </details> <details> <summary>anchore/quill</summary> ### [`v0.4.0`](https://togithub.com/anchore/quill/releases/tag/v0.4.0) [Compare Source](https://togithub.com/anchore/quill/compare/v0.2.0...v0.4.0) ### Changelog #### [v0.4.0](https://togithub.com/anchore/quill/tree/v0.4.0) (2023-04-12) [Full Changelog](https://togithub.com/anchore/quill/compare/v0.2.0...v0.4.0) ##### Added Features - Embed the Apple root and intermediate certificates directly into quill \[[Issue #8](https://togithub.com/anchore/quill/issues/8)] \[[PR #34](https://togithub.com/anchore/quill/pull/34)] \[[wagoodman](https://togithub.com/wagoodman)] - Add netbsd/amd64 release binaries \[[Issue #17](https://togithub.com/anchore/quill/issues/17)] \[[PR #39](https://togithub.com/anchore/quill/pull/39)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Don't attempt to notarize unsigned binaries \[[Issue #14](https://togithub.com/anchore/quill/issues/14)] \[[PR #41](https://togithub.com/anchore/quill/pull/41)] \[[wagoodman](https://togithub.com/wagoodman)] - Signing Is Failing for P12 With Chain File \[[Issue #16](https://togithub.com/anchore/quill/issues/16)] \[[PR #34](https://togithub.com/anchore/quill/pull/34)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - fix: bump golang.org/x/net to v0.4.0 \[[PR #19](https://togithub.com/anchore/quill/pull/19)] \[[westonsteimel](https://togithub.com/westonsteimel)] </details> <details> <summary>anchore/syft</summary> ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #730](https://togithub.com/anchore/syft/issues/730)] \[[PR #1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #1694](https://togithub.com/anchore/syft/pull/1694)] \[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem \[[PR #1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub.com/wagoodman)] - Add Nix Cataloger \[[Issue #462](https://togithub.com/anchore/syft/issues/462)] \[[PR #1107](https://togithub.com/anchore/syft/pull/1107)] \[[juliosueiras](https://togithub.com/juliosueiras)] \[[PR #1696](https://togithub.com/anchore/syft/pull/1696)] \[[wagoodman](https://togithub.com/wagoodman)] \[[flokli](https://togithub.com/flokli)] ### [`v0.76.0`](https://togithub.com/anchore/syft/releases/tag/v0.76.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ### Changelog #### [v0.76.0](https://togithub.com/anchore/syft/tree/v0.76.0) (2023-03-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ##### Added Features - Scan local go mod licenses for golang packages \[[PR #1645](https://togithub.com/anchore/syft/pull/1645)] \[[deitch](https://togithub.com/deitch)] - update and clean license list generation to return more SPDXID for more inputs \[[PR #1691](https://togithub.com/anchore/syft/pull/1691)] \[[spiffcs](https://togithub.com/spiffcs)] - argocd binary classifier \[[Issue #1606](https://togithub.com/anchore/syft/issues/1606)] \[[PR #1663](https://togithub.com/anchore/syft/pull/1663)] \[[y12studio](https://togithub.com/y12studio)] - Add config option to allow user to select the default image source location \[[Issue #1703](https://togithub.com/anchore/syft/pull/1703)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Defer closing the opened file when using FileScheme \[[PR #1668](https://togithub.com/anchore/syft/pull/1668)] \[[Noxsios](https://togithub.com/Noxsios)] - fix: remove author contributing to javascript CPEs \[[PR #1669](https://togithub.com/anchore/syft/pull/1669)] \[[kzantow](https://togithub.com/kzantow)] - fix: reduce logging for bad dpkg lines \[[PR #1675](https://togithub.com/anchore/syft/pull/1675)] \[[kzantow](https://togithub.com/kzantow)] - Broken shell completion - Bash \[[Issue #962](https://togithub.com/anchore/syft/issues/962)] \[[PR #1688](https://togithub.com/anchore/syft/pull/1688)] \[[DanHam](https://togithub.com/DanHam)] - syft produces different output when run with sudo \[[Issue #1391](https://togithub.com/anchore/syft/issues/1391)] \[[PR #1693](https://togithub.com/anchore/syft/pull/1693)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - some binary ruby are not detected \[[Issue #1677](https://togithub.com/anchore/syft/issues/1677)] \[[PR #1678](https://togithub.com/anchore/syft/pull/1678)] \[[witchcraze](https://togithub.com/witchcraze)] - Documentation says that output is SPDX 2.2 \[[Issue #1679](https://togithub.com/anchore/syft/issues/1679)] \[[PR #1680](https://togithub.com/anchore/syft/pull/1680)] \[[vargenau](https://togithub.com/vargenau)] - fix: move defer after error to protect panic case \[[PR #1670](https://togithub.com/anchore/syft/pull/1670)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Deprecate config.yaml as valid config source; Add unit regression for correct config paths \[[PR #1640](https://togithub.com/anchore/syft/pull/1640)] \[[AidanDelaney](https://togithub.com/AidanDelaney)] - Remove more side effects from application config testing \[[PR #1684](https://togithub.com/anchore/syft/pull/1684)] \[[wagoodman](https://togithub.com/wagoodman)] - chore: tweak some workflow text \[[PR #1685](https://togithub.com/anchore/syft/pull/1685)] \[[kzantow](https://togithub.com/kzantow)] - chore: fix flaky license sorting \[[PR #1690](https://togithub.com/anchore/syft/pull/1690)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.75.0`](https://togithub.com/anchore/syft/releases/tag/v0.75.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.74.1...v0.75.0) ### Changelog #### [v0.75.0](https://togithub.com/anchore/syft/tree/v0.75.0) (2023-03-13) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.74.1...v0.75.0) ##### Added Features - Catalog ruby binary \[[Issue #1650](https://togithub.com/anchore/syft/issues/1650)] \[[PR #1665](https://togithub.com/anchore/syft/pull/1665)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - more python matching support \[[PR #1667](https://togithub.com/anchore/syft/pull/1667)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.74.1`](https://togithub.com/anchore/syft/releases/tag/v0.74.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.74.0...v0.74.1) ### Changelog #### [v0.74.1](https://togithub.com/anchore/syft/tree/v0.74.1) (2023-03-09) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.74.0...v0.74.1) ##### Bug Fixes - purl for apk packages missing when installed db file is not in root \[[Issue #1572](https://togithub.com/anchore/syft/issues/1572)] \[[PR #1615](https://togithub.com/anchore/syft/pull/1615)] \[[deitch](https://togithub.com/deitch)] - invalid package url type: dotnet \[[Issue #1622](https://togithub.com/anchore/syft/issues/1622)] \[[PR #1649](https://togithub.com/anchore/syft/pull/1649)] \[[kzantow](https://togithub.com/kzantow)] - Go tests detecting race cataloging packages \[[Issue #1633](https://togithub.com/anchore/syft/issues/1633)] \[[PR #1639](https://togithub.com/anchore/syft/pull/1639)] \[[kzantow](https://togithub.com/kzantow)] - Improve Python binary scanning \[[Issue #1643](https://togithub.com/anchore/syft/issues/1643)] \[[PR #1648](https://togithub.com/anchore/syft/pull/1648)] \[[kzantow](https://togithub.com/kzantow)] - Update haproxy binary matcher \[[Issue #1646](https://togithub.com/anchore/syft/issues/1646)] \[[PR #1648](https://togithub.com/anchore/syft/pull/1648)] \[[kzantow](https://togithub.com/kzantow)] - SPDX tag-value SBOM value format is incorrect for LicenseID \[[Issue #1651](https://togithub.com/anchore/syft/issues/1651)] \[[PR #1657](https://togithub.com/anchore/syft/pull/1657)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.74.0`](https://togithub.com/anchore/syft/releases/tag/v0.74.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.73.0...v0.74.0) ### Changelog #### [(v0.74.0)](https://togithub.com/anchore/syft/tree/v0.74.0) (2023-03-02) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.73.0...v0.74.0) ##### Added Features - rust toolchain binary cataloger \[[PR #1601](https://togithub.com/anchore/syft/pull/1601)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Add support for SUPPORT_END in distro \[[PR #1612](https://togithub.com/anchore/syft/pull/1612)] \[[noqcks](https://togithub.com/noqcks)] - Catalog haproxy binary \[[Issue #1512](https://togithub.com/anchore/syft/issues/1512)] \[[PR #1591](https://togithub.com/anchore/syft/pull/1591)] \[[noqcks](https://togithub.com/noqcks)] - Handle cataloger panics \[[Issue #1624](https://togithub.com/anchore/syft/issues/1624)] \[[PR #1636](https://togithub.com/anchore/syft/pull/1636)] \[[kzantow](https://togithub.com/kzantow)] - set cosign attest predicate type based on Syft output type \[[PR #1598](https://togithub.com/anchore/syft/pull/1598)] \[[Nirusu](https://togithub.com/Nirusu)] - retain go package info when no module declared \[[PR #1632](https://togithub.com/anchore/syft/pull/1632)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Bug Fixes - improve CPE generation for curl APK \[[PR #1608](https://togithub.com/anchore/syft/pull/1608)] \[[westonsteimel](https://togithub.com/westonsteimel)] - determine upstream for apk version streams \[[PR #1610](https://togithub.com/anchore/syft/pull/1610)] \[[westonsteimel](https://togithub.com/westonsteimel)] - decoding null apk metadata pullDependencies \[[PR #1614](https://togithub.com/anchore/syft/pull/1614)] \[[kzantow](https://togithub.com/kzantow)] - correct apk purls for other distros \[[PR #1620](https://togithub.com/anchore/syft/pull/1620)] \[[westonsteimel](https://togithub.com/westonsteimel)] - further improvements to CPE generation for apk packages \[[PR #1623](https://togithub.com/anchore/syft/pull/1623)] \[[westonsteimel](https://togithub.com/westonsteimel)] - improved CPE-generation for several more APK packages \[[PR #1631](https://togithub.com/anchore/syft/pull/1631)] \[[westonsteimel](https://togithub.com/westonsteimel)] - apk product/vendor generation for old metadata \[[PR #1635](https://togithub.com/anchore/syft/pull/1635)] \[[westonsteimel](https://togithub.com/westonsteimel)] - Encountering "cycle during symlink resolution" with syft version 0.71.0 onwards \[[Issue #1586](https://togithub.com/anchore/syft/issues/1586)] \[[PR #1604](https://togithub.com/anchore/syft/pull/1604)] \[[wagoodman](https://togithub.com/wagoodman)] - syft erlang cataloger can segfault when analyzing an erlang project containing rebar.lock with nested deps \[[Issue #1621](https://togithub.com/anchore/syft/issues/1621)] \[[PR #1628](https://togithub.com/anchore/syft/pull/1628)] \[[kzantow](https://togithub.com/kzantow)] - Go tests detecting race cataloging packages \[[Issue #1633](https://togithub.com/anchore/syft/issues/1633)] \[[PR #1639](https://togithub.com/anchore/syft/pull/1639)] \[[kzantow](https://togithub.com/kzantow)] </details> <details> <summary>aquaproj/aqua-registry</summary> ### [`v3.162.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.162.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.161.0...v3.162.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.162.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.162.0) | https://github.com/aquaproj/aqua-registry/compare/v3.161.0...v3.162.0 #### 🎉 New Packages [#11839](https://togithub.com/aquaproj/aqua-registry/issues/11839) [Madh93/tpm](https://togithub.com/Madh93/tpm): A package manager for Terraform providers [@ponkio-o](https://togithub.com/ponkio-o) ### [`v3.161.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.161.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.160.0...v3.161.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.161.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.161.0) | https://github.com/aquaproj/aqua-registry/compare/v3.160.0...v3.161.0 #### 🎉 New Packages [#11838](https://togithub.com/aquaproj/aqua-registry/issues/11838) [gopinath-langote/1build](https://togithub.com/gopinath-langote/1build): Frictionless way of managing project-specific commands ### [`v3.160.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.160.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.159.0...v3.160.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.160.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.160.0) | https://github.com/aquaproj/aqua-registry/compare/v3.159.0...v3.160.0 #### 🎉 New Packages [#11817](https://togithub.com/aquaproj/aqua-registry/issues/11817) [abice/go-enum](https://togithub.com/abice/go-enum): An enum generator for go #### Fixes [#11837](https://togithub.com/aquaproj/aqua-registry/issues/11837) ysugimoto/falco: Use tar.gz from falco v0.20.2 [@ponkio-o](https://togithub.com/ponkio-o) ### [`v3.159.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.159.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.158.1...v3.159.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.159.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.159.0) | https://github.com/aquaproj/aqua-registry/compare/v3.158.0...v3.159.0 #### 🎉 New Packages [#11807](https://togithub.com/aquaproj/aqua-registry/issues/11807) [kubecfg/kubecfg](https://togithub.com/kubecfg/kubecfg): A tool for managing complex enterprise Kubernetes environments as code [#11808](https://togithub.com/aquaproj/aqua-registry/issues/11808) [loov/goda](https://togithub.com/loov/goda): Go Dependency Analysis toolkit #### Fixes [#11806](https://togithub.com/aquaproj/aqua-registry/issues/11806) solidiquis/erdtree: Follow up changes of erdtree v2.0.0 https://github.com/solidiquis/erdtree/releases/tag/v2.0.0 > Perhaps the most important change to note is that the compiled binary has been renamed from et to erd in order to address the following issue > regarding name collisions with other programs > > - [https://github.com/solidiquis/erdtree/issues/23](https://togithub.com/solidiquis/erdtree/issues/23) ### [`v3.158.1`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.158.1) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.158.0...v3.158.1) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.158.1) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.158.1) | https://github.com/aquaproj/aqua-registry/compare/v3.158.0...v3.158.1 #### Fixes [#11790](https://togithub.com/aquaproj/aqua-registry/issues/11790) Follow up changes of cli/cli v2.28.0 [@kyontan](https://togithub.com/kyontan) GitHub's CLI (cli/cli) changed format for macOS to zip (from tar.gz) since v2.28.0 See https://github.com/cli/cli/releases/tag/v2.28.0 for details. ### [`v3.158.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.158.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.157.0...v3.158.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.158.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.158.0) | https://github.com/aquaproj/aqua-registry/compare/v3.157.0...v3.158.0 #### 🎉 New Packages [#11692](https://togithub.com/aquaproj/aqua-registry/issues/11692) [hexdigest/gowrap](https://togithub.com/hexdigest/gowrap): GoWrap is a command line tool for generating decorators for Go interfaces [#11691](https://togithub.com/aquaproj/aqua-registry/issues/11691) [knqyf263/go-plugin](https://togithub.com/knqyf263/go-plugin): Go Plugin System over WebAssembly [#11667](https://togithub.com/aquaproj/aqua-registry/issues/11667) [wasmerio/wasmer](https://togithub.com/wasmerio/wasmer): The leading WebAssembly Runtime supporting WASI and Emscripten ### [`v3.157.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v3.157.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v3.156.0...v3.157.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av3.157.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av3.157.0) | https://github.com/aquaproj/aqua-registry/compare/v3.156.0...v3.157.0 #### 🎉 New Packages [#11604](https://togithub.com/aquaproj/aqua-registry/issues/11604) [WebAssembly/binaryen](https://togithub.com/WebAssembly/binaryen): Optimizer and compiler/toolchain library for WebAssembly [@knqyf263](https://togithub.com/knqyf263) :tada: New Contributor # </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box  Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.78.0` -> `v0.99.0` | | [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v4.21.1` -> `v4.109.0` | | [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` | | [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` | | [golang/go](https://togithub.com/golang/go) | minor | `1.20.3` -> `1.21.5` | | [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.17.2` -> `v1.22.1` | | [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.10.0` -> `v1.11.0` | | [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` | | [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.12.0` -> `v1.17.0` | | [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.3` -> `v1.40.5` | --- ### Release Notes <details> <summary>anchore/syft (anchore/syft)</summary> ### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0) ##### Added Features - Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)] - Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)] - Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)] - Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)] - Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] ##### Bug Fixes - bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)] - improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)] - stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)] - fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)] - File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)] - Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)] ##### Breaking Changes - Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)] - Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)] - Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)] - Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)** ### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0) ##### Added Features - Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)] - Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)] - Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)] - hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)] - logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)] - Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)] - add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)] - add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)] - errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)] - `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)] - Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)] ##### Breaking Changes - Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)] - Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)** ##### Special Thanks Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍 ### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1) ##### Bug Fixes - Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ##### Additional Changes - `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)** ### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0) ##### Added Features - Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)] - Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)] ##### Bug Fixes - Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)] - capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)] - add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)] - skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)] - cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)] ##### Breaking Changes - Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)] - Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)** ### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0) ##### Added Features - Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)] - store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)] - Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)] ##### Bug Fixes - SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)] - Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)] - Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)** ### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0) ##### Added Features - Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)] - Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)] - Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)] - Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)] - Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)] ##### Bug Fixes - Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)] - Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] - Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)] - Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)] - Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)] - Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)] - Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)] ##### Breaking Changes - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)] - Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)** ### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0) ##### Added Features - Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)] - Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)] - Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)] - Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)] - Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)] - Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)] - Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)** ### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0) ##### Added Features - Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)] - Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)] - Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)] ##### Bug Fixes - Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)] ##### Additional Changes - Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)] - update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)] - Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)** ### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0) ##### Added Features - Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)] ##### Bug Fixes - Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)** ### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0) ##### Added Features - Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)] - Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793) [@shanedell](https://togithub.com/shanedell)] - Support cataloging github workflow & github action usages \[[#1896](https://togithub.com/anchore/syft/issues/1896) [#2140](https://togithub.com/anchore/syft/pull/2140) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Allow CycloneDX json input with no components \[[#2127](https://togithub.com/anchore/syft/pull/2127) [@ahoz](https://togithub.com/ahoz)] - Prevent errors from clobbering terminal \[[#2161](https://togithub.com/anchore/syft/pull/2161) [@kzantow](https://togithub.com/kzantow)] - Using syft as a go library to decode a syft json has incomplete data \[[#2069](https://togithub.com/anchore/syft/issues/2069) [#2083](https://togithub.com/anchore/syft/pull/2083) [@kzantow](https://togithub.com/kzantow)] - SBOMs are not the same on multiple runs of syft \[[#1944](https://togithub.com/anchore/syft/issues/1944)] ##### Additional Changes - Switch to stdlib's slices pkg \[[#2148](https://togithub.com/anchore/syft/pull/2148) [@hainenber](https://togithub.com/hainenber)] - Remove unneeded arch switch in unit test \[[#2156](https://togithub.com/anchore/syft/pull/2156) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Update chronicle to v0.8.0 \[[#2154](https://togithub.com/anchore/syft/pull/2154) [@wagoodman](https://togithub.com/wagoodman)] - Update to latest stereoscope \[[#2151](https://togithub.com/anchore/syft/pull/2151) [@spiffcs](https://togithub.com/spiffcs)] - Pin workflow checkout for cpe update-cpe-dictionary-index \[[#2141](https://togithub.com/anchore/syft/pull/2141) [@spiffcs](https://togithub.com/spiffcs)] - Add dependency information to conan lockfile parser \[[#2131](https://togithub.com/anchore/syft/pull/2131) [@Pro](https://togithub.com/Pro)] - Pin and update all workflow dependencies; add permission scopes \[[#2138](https://togithub.com/anchore/syft/pull/2138) [@spiffcs](https://togithub.com/spiffcs)] - Enforce race detector \[[#2122](https://togithub.com/anchore/syft/pull/2122) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)** ### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ### #### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ##### Added Features - Expose cobra command in cli package \[[PR #2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)] - Explicitly test PURL generation against key packages \[[Issue #2071](https://togithub.com/anchore/syft/issues/2071)] - Add User-Agent with Syft version during update check \[[Issue #2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)] ##### Bug Fixes - fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Cyclonedx external reference URLs are not validated when encoding \[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)] ##### Additional Changes - Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR #2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)] - fix: update codeql-analysis for go 1.21 \[[PR #2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ### #### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ##### Added Features - Add registry certificate verification support \[[PR #1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)] - Add SYFT_CONFIG environment variable for configuration file path \[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix quiet flag \[[PR #2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)] - Command line flags not overriding configuration file values \[[Issue #1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Django package CPE is not correct \[[Issue #1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)] - Config parsing includes `config.yaml` in working dir \[[Issue #1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Fix a possible panic on universal go binaries \[[Issue #2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #2078](https://togithub.com/anchore/syft/pull/2078)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Disabling catalogers is not working in power user command \[[Issue #2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ### #### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ##### Added Features - Detect golang boring crypto and fipsonly modules \[[PR #2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)] - feat: 1944 - update purl generation to use a consistent groupID \[[PR #2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)] - Add support to detect bash binaries \[[Issue #1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - fix: properly parse conan ref and include user and channel \[[PR #2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)] - New version notice only showing the version and no text \[[PR #2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)] - Fix: don't validate pom declared group \[[PR #2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue #1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)] - Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)] - Error parsing pom.xml with v0.87.1 \[[Issue #2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Invalid CycloneDX: duplicates in relationships section \[[Issue #2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ### #### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ##### Bug Fixes - Use Java package names to determine known groupIDs \[[PR #2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)] - Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)] - SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)] - Intermittent binary listings, different results every time \[[Issue #2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR #2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #730](https://togithub.com/anchore/syft/issues/730)] \[[PR #1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] </details> <details> <summary>aquaproj/aqua-registry (aquaproj/aqua-registry)</summary> ### [`v4.109.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.109.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.108.0...v4.109.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.109.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.109.0) | https://github.com/aquaproj/aqua-registry/compare/v4.108.0...v4.109.0 ##### 🎉 New Packages [#18407](https://togithub.com/aquaproj/aqua-registry/issues/18407) [rajatjindal/kubectl-whoami](https://togithub.com/rajatjindal/kubectl-whoami): This plugin gets the subject name using the effective kubeconfig [@ponkio-o](https://togithub.com/ponkio-o) [#18451](https://togithub.com/aquaproj/aqua-registry/issues/18451) [takaishi/awscost](https://togithub.com/takaishi/awscost): Print AWS costs to text or graph image ### [`v4.108.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.108.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.107.0...v4.108.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.108.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.108.0) | https://github.com/aquaproj/aqua-registry/compare/v4.107.0...v4.108.0 #### 🎉 New Packages [#18349](https://togithub.com/aquaproj/aqua-registry/issues/18349) [afnanenayet/diffsitter](https://togithub.com/afnanenayet/diffsitter): A tree-sitter based AST difftool to get meaningful semantic diffs [@CrystalMethod](https://togithub.com/CrystalMethod) [#18379](https://togithub.com/aquaproj/aqua-registry/issues/18379) [#18405](https://togithub.com/aquaproj/aqua-registry/issues/18405) [aws-cloudformation/rain](https://togithub.com/aws-cloudformation/rain): A development workflow tool for working with AWS CloudFormation #### Fixes [#18402](https://togithub.com/aquaproj/aqua-registry/issues/18402) derailed/popeye: Follow up changes of popeye v0.11.2 ### [`v4.107.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.107.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.106.0...v4.107.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.107.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.107.0) | https://github.com/aquaproj/aqua-registry/compare/v4.106.0...v4.107.0 #### 🎉 New Packages [#18326](https://togithub.com/aquaproj/aqua-registry/issues/18326) [kubevirt/kubevirt/virtctl](https://togithub.com/kubevirt/kubevirt): Kubernetes Virtualization API and runtime in order to define and manage virtual machines [@honahuku](https://togithub.com/honahuku) ### [`v4.106.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.106.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.105.0...v4.106.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.106.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.106.0) | https://github.com/aquaproj/aqua-registry/compare/v4.105.0...v4.106.0 #### 🎉 New Packages [#18287](https://togithub.com/aquaproj/aqua-registry/issues/18287) [oxc-project/oxc/oxlint](https://togithub.com/oxc-project/oxc): The linter for oxc [@CrystalMethod](https://togithub.com/CrystalMethod) [#18297](https://togithub.com/aquaproj/aqua-registry/issues/18297) [pluveto/upgit](https://togithub.com/pluveto/upgit): Another upload hub that supports clipboard. It works well with Typora, Snipaste, VSCode [@sheldonhull](https://togithub.com/sheldonhull) ### [`v4.105.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.105.0) [Compare Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.104.0...v4.105.0) [Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.105.0) | [Pull Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.105.0) | https://github.com/aquaproj/aqua-registry/compare/v4.104.0...v4.105.0 #### 🎉 New Package </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box  Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.99.0` | | [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.138.0` -> `v3.162.0` | | [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` | | [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` | | golang.org/x/tools/gopls | minor | `v0.11.0` -> `v0.14.2` | | [golang/go](https://togithub.com/golang/go) | minor | `1.20.1` -> `1.21.5` | | [golang/tools](https://togithub.com/golang/tools) | minor | `v0.6.0` -> `v0.16.1` | | [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.22.1` | | [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` | | [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.11.1` -> `v1.17.0` | | [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` | | [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` | --- ### Release Notes <details> <summary>anchore/syft (anchore/syft)</summary> ### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0) ##### Added Features - Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)] - Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)] - Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)] - Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)] - Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] ##### Bug Fixes - bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)] - improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)] - stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)] - fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)] - File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)] - Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)] ##### Breaking Changes - Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)] - Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)] - Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)] - Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)** ### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0) ##### Added Features - Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)] - Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)] - Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)] - hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)] - logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)] - Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)] - add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)] - add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)] - errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)] - `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)] - Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)] ##### Breaking Changes - Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)] - Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)** ##### Special Thanks Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍 ### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1) ##### Bug Fixes - Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ##### Additional Changes - `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)** ### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0) ##### Added Features - Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)] - Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)] ##### Bug Fixes - Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)] - capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)] - add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)] - skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)] - cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)] ##### Breaking Changes - Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)] - Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)** ### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0) ##### Added Features - Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)] - store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)] - Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)] ##### Bug Fixes - SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)] - Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)] - Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)** ### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0) ##### Added Features - Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)] - Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)] - Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)] - Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)] - Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)] ##### Bug Fixes - Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)] - Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] - Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)] - Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)] - Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)] - Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)] - Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)] ##### Breaking Changes - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)] - Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)** ### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0) ##### Added Features - Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)] - Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)] - Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)] - Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)] - Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)] - Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)] - Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)** ### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0) ##### Added Features - Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)] - Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)] - Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)] ##### Bug Fixes - Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)] ##### Additional Changes - Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)] - update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)] - Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)** ### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0) ##### Added Features - Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)] ##### Bug Fixes - Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)** ### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0) ##### Added Features - Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)] - Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793) [@shanedell](https://togithub.com/shanedell)] - Support cataloging github workflow & github action usages \[[#1896](https://togithub.com/anchore/syft/issues/1896) [#2140](https://togithub.com/anchore/syft/pull/2140) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Allow CycloneDX json input with no components \[[#2127](https://togithub.com/anchore/syft/pull/2127) [@ahoz](https://togithub.com/ahoz)] - Prevent errors from clobbering terminal \[[#2161](https://togithub.com/anchore/syft/pull/2161) [@kzantow](https://togithub.com/kzantow)] - Using syft as a go library to decode a syft json has incomplete data \[[#2069](https://togithub.com/anchore/syft/issues/2069) [#2083](https://togithub.com/anchore/syft/pull/2083) [@kzantow](https://togithub.com/kzantow)] - SBOMs are not the same on multiple runs of syft \[[#1944](https://togithub.com/anchore/syft/issues/1944)] ##### Additional Changes - Switch to stdlib's slices pkg \[[#2148](https://togithub.com/anchore/syft/pull/2148) [@hainenber](https://togithub.com/hainenber)] - Remove unneeded arch switch in unit test \[[#2156](https://togithub.com/anchore/syft/pull/2156) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Update chronicle to v0.8.0 \[[#2154](https://togithub.com/anchore/syft/pull/2154) [@wagoodman](https://togithub.com/wagoodman)] - Update to latest stereoscope \[[#2151](https://togithub.com/anchore/syft/pull/2151) [@spiffcs](https://togithub.com/spiffcs)] - Pin workflow checkout for cpe update-cpe-dictionary-index \[[#2141](https://togithub.com/anchore/syft/pull/2141) [@spiffcs](https://togithub.com/spiffcs)] - Add dependency information to conan lockfile parser \[[#2131](https://togithub.com/anchore/syft/pull/2131) [@Pro](https://togithub.com/Pro)] - Pin and update all workflow dependencies; add permission scopes \[[#2138](https://togithub.com/anchore/syft/pull/2138) [@spiffcs](https://togithub.com/spiffcs)] - Enforce race detector \[[#2122](https://togithub.com/anchore/syft/pull/2122) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)** ### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ### #### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ##### Added Features - Expose cobra command in cli package \[[PR #2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)] - Explicitly test PURL generation against key packages \[[Issue #2071](https://togithub.com/anchore/syft/issues/2071)] - Add User-Agent with Syft version during update check \[[Issue #2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)] ##### Bug Fixes - fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Cyclonedx external reference URLs are not validated when encoding \[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)] ##### Additional Changes - Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR #2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)] - fix: update codeql-analysis for go 1.21 \[[PR #2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ### #### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ##### Added Features - Add registry certificate verification support \[[PR #1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)] - Add SYFT_CONFIG environment variable for configuration file path \[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix quiet flag \[[PR #2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)] - Command line flags not overriding configuration file values \[[Issue #1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Django package CPE is not correct \[[Issue #1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)] - Config parsing includes `config.yaml` in working dir \[[Issue #1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Fix a possible panic on universal go binaries \[[Issue #2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #2078](https://togithub.com/anchore/syft/pull/2078)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Disabling catalogers is not working in power user command \[[Issue #2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ### #### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ##### Added Features - Detect golang boring crypto and fipsonly modules \[[PR #2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)] - feat: 1944 - update purl generation to use a consistent groupID \[[PR #2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)] - Add support to detect bash binaries \[[Issue #1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - fix: properly parse conan ref and include user and channel \[[PR #2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)] - New version notice only showing the version and no text \[[PR #2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)] - Fix: don't validate pom declared group \[[PR #2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue #1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)] - Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)] - Error parsing pom.xml with v0.87.1 \[[Issue #2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Invalid CycloneDX: duplicates in relationships section \[[Issue #2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ### #### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ##### Bug Fixes - Use Java package names to determine known groupIDs \[[PR #2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)] - Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)] - SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)] - Intermittent binary listings, different results every time \[[Issue #2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR #2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #730](https://togithub.com/anchore/syft/issues/730)] \[[PR #1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #1694](https://togithub.com/anchore/syft/pull/1694)] \[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem \[[PR #1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub.com/wagoodman)] - Add Nix Cataloger \[[Issue #462](https://togithub.com/anchore/syft/issues/462)] \[[PR #1107](https://togithub.com/anchore/syft/pull/1107)] \[[juliosueiras](https://togithub.com/juliosueiras)] \[[PR #1696](https://togithub.com/anchore/syft/pull/1696)] \[[wagoodman](https://togithub.com/wagoodman)] \[[flokli](https://togithub.com/flokli)] ### [`v0.76.0`](https://togithub.com/anchore/syft/releases/tag/v0.76.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ### Changelog #### [v0.76.0](https://togithub.com/anchore/syft/tree/v0.76.0) (2023-03-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.75.0...v0.76.0) ##### Added Features - Scan local go mod licenses for golang packages \[[PR #1645](https://togithub.com/anchore/syft/pull/1645)] \[[deitch](https://togithub.com/deitch)] - update and clean license list generation to return more SPDXID for more inputs \[[PR #1691](https://togithub.com/anchore/syft/pull/1691)] \[[spiffcs](https://togithub.com/spiffcs)] - argocd binary classifier \[[Issue #1606](https://togithub.com/anchore/syft/issues/1606)] \[[PR #1663](https://togithub.com/anchore/syft/pull/1663)] \[[y12studio](https://togithub.com/y12studio)] - Add config option to allow user to select the default image source location \[[Issue #1703](https://togithub.com/anchore/syft/pull/1703)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Bug Fixes - Defer closing the opened file when using FileScheme \[[PR #1668](https://to </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box  Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [DelineaXPM/dsv-cli](https://togithub.com/DelineaXPM/dsv-cli) | patch | `v1.40.2` -> `v1.40.5` | | [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.99.0` | | [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.149.0` -> `v3.162.0` | | [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` | | [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` | | [golang/go](https://togithub.com/golang/go) | minor | `1.20.1` -> `1.21.5` | | [golang/tools](https://togithub.com/golang/tools) | minor | `v0.6.0` -> `v0.16.1` | | [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.22.1` | | [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.9.0` -> `v1.11.0` | | [hashicorp/terraform](https://togithub.com/hashicorp/terraform) | minor | `v1.4.2` -> `v1.6.6` | | [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` | | [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.12.0` -> `v1.17.0` | | [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` | | [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` | --- ### Release Notes <details> <summary>DelineaXPM/dsv-cli (DelineaXPM/dsv-cli)</summary> ### [`v1.40.5`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1405---2023-05-12) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.4...v1.40.5) ##### 🐛 Bug Fix - Windows cli version update check was looking for a binary with `windows` in the name, while the actual artifact is `win`. ### [`v1.40.4`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1404---2023-04-25) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.3...v1.40.4) ##### 🎉 Feature - `dsv pool list`: new `--limit`, `-l`, `--cursor` flags. See `dsv pool list --help` for more details. ##### Related - fixes [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586) - related [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586) - <https://github.com/andrii-zakurenyi> ##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) ### [`v1.40.3`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1403---2023-04-04) [Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.2...v1.40.3) ##### 🐛 Bug Fix - Fix the format of links to pre-built binaries. ##### Contributors - [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi) </details> <details> <summary>anchore/syft (anchore/syft)</summary> ### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0) ##### Added Features - Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)] - Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)] - Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)] - Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)] - Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] ##### Bug Fixes - bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)] - improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)] - stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)] - fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)] - File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)] - Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)] ##### Breaking Changes - Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)] - Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)] - Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)] - Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)** ### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0) ##### Added Features - Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)] - Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)] - Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)] - hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)] - logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)] - Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)] - add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)] - add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)] - errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)] - `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)] - Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)] ##### Breaking Changes - Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)] - Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)** ##### Special Thanks Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍 ### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1) ##### Bug Fixes - Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ##### Additional Changes - `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)** ### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0) ##### Added Features - Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)] - Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)] ##### Bug Fixes - Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)] - capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)] - add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)] - skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)] - cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)] ##### Breaking Changes - Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)] - Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)** ### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0) ##### Added Features - Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)] - store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)] - Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)] ##### Bug Fixes - SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)] - Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)] - Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)** ### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0) ##### Added Features - Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)] - Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)] - Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)] - Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)] - Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)] ##### Bug Fixes - Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)] - Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] - Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)] - Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)] - Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)] - Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)] - Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)] ##### Breaking Changes - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)] - Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)** ### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0) ##### Added Features - Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)] - Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)] - Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)] - Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)] - Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)] - Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)] - Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)** ### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0) ##### Added Features - Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)] - Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)] - Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)] ##### Bug Fixes - Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)] ##### Additional Changes - Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)] - update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)] - Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)** ### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0) ##### Added Features - Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)] ##### Bug Fixes - Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)** ### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0) ##### Added Features - Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)] - Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793) [@shanedell](https://togithub.com/shanedell)] - Support cataloging github workflow & github action usages \[[#1896](https://togithub.com/anchore/syft/issues/1896) [#2140](https://togithub.com/anchore/syft/pull/2140) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Allow CycloneDX json input with no components \[[#2127](https://togithub.com/anchore/syft/pull/2127) [@ahoz](https://togithub.com/ahoz)] - Prevent errors from clobbering terminal \[[#2161](https://togithub.com/anchore/syft/pull/2161) [@kzantow](https://togithub.com/kzantow)] - Using syft as a go library to decode a syft json has incomplete data \[[#2069](https://togithub.com/anchore/syft/issues/2069) [#2083](https://togithub.com/anchore/syft/pull/2083) [@kzantow](https://togithub.com/kzantow)] - SBOMs are not the same on multiple runs of syft \[[#1944](https://togithub.com/anchore/syft/issues/1944)] ##### Additional Changes - Switch to stdlib's slices pkg \[[#2148](https://togithub.com/anchore/syft/pull/2148) [@hainenber](https://togithub.com/hainenber)] - Remove unneeded arch switch in unit test \[[#2156](https://togithub.com/anchore/syft/pull/2156) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Update chronicle to v0.8.0 \[[#2154](https://togithub.com/anchore/syft/pull/2154) [@wagoodman](https://togithub.com/wagoodman)] - Update to latest stereoscope \[[#2151](https://togithub.com/anchore/syft/pull/2151) [@spiffcs](https://togithub.com/spiffcs)] - Pin workflow checkout for cpe update-cpe-dictionary-index \[[#2141](https://togithub.com/anchore/syft/pull/2141) [@spiffcs](https://togithub.com/spiffcs)] - Add dependency information to conan lockfile parser \[[#2131](https://togithub.com/anchore/syft/pull/2131) [@Pro](https://togithub.com/Pro)] - Pin and update all workflow dependencies; add permission scopes \[[#2138](https://togithub.com/anchore/syft/pull/2138) [@spiffcs](https://togithub.com/spiffcs)] - Enforce race detector \[[#2122](https://togithub.com/anchore/syft/pull/2122) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)** ### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ### #### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ##### Added Features - Expose cobra command in cli package \[[PR #2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)] - Explicitly test PURL generation against key packages \[[Issue #2071](https://togithub.com/anchore/syft/issues/2071)] - Add User-Agent with Syft version during update check \[[Issue #2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)] ##### Bug Fixes - fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Cyclonedx external reference URLs are not validated when encoding \[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)] ##### Additional Changes - Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR #2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)] - fix: update codeql-analysis for go 1.21 \[[PR #2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ### #### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ##### Added Features - Add registry certificate verification support \[[PR #1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)] - Add SYFT_CONFIG environment variable for configuration file path \[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix quiet flag \[[PR #2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)] - Command line flags not overriding configuration file values \[[Issue #1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Django package CPE is not correct \[[Issue #1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)] - Config parsing includes `config.yaml` in working dir \[[Issue #1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Fix a possible panic on universal go binaries \[[Issue #2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #2078](https://togithub.com/anchore/syft/pull/2078)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Disabling catalogers is not working in power user command \[[Issue #2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ### #### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ##### Added Features - Detect golang boring crypto and fipsonly modules \[[PR #2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)] - feat: 1944 - update purl generation to use a consistent groupID \[[PR #2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)] - Add support to detect bash binaries \[[Issue #1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - fix: properly parse conan ref and include user and channel \[[PR #2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)] - New version notice only showing the version and no text \[[PR #2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)] - Fix: don't validate pom declared group \[[PR #2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue #1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)] - Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)] - Error parsing pom.xml with v0.87.1 \[[Issue #2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Invalid CycloneDX: duplicates in relationships section \[[Issue #2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ### #### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ##### Bug Fixes - Use Java package names to determine known groupIDs \[[PR #2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)] - Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)] - SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)] - Intermittent binary listings, different results every time \[[Issue #2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR #2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #730](https://togithub.com/anchore/syft/issues/730)] \[[PR #1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #1694](https://togithub.com/anchore/syft/pull/1694)] \[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem \[[PR #1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box  Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.100.0` | | [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v4.44.1` -> `v4.115.0` | | [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` | | [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` | | [gitleaks/gitleaks](https://togithub.com/gitleaks/gitleaks) | patch | `v8.18.0` -> `v8.18.1` | | [golang/go](https://togithub.com/golang/go) | patch | `1.21.0` -> `1.21.6` | | [golangci/golangci-lint](https://togithub.com/golangci/golangci-lint) | minor | `v1.52.2` -> `v1.55.2` | | [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.20.0` -> `v1.23.0` | | [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.9.0` -> `v1.11.0` | | [helm/helm](https://togithub.com/helm/helm) | minor | `v3.11.1` -> `v3.13.3` | | [kubernetes-sigs/kind](https://togithub.com/kubernetes-sigs/kind) | minor | `v0.17.0` -> `v0.20.0` | | [kubernetes/minikube](https://togithub.com/kubernetes/minikube) | minor | `v1.31.2` -> `v1.32.0` | | [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` | | [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.12.0` -> `v1.17.0` | | [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` | | [norwoodj/helm-docs](https://togithub.com/norwoodj/helm-docs) | minor | `v1.11.0` -> `v1.12.0` | | [stern/stern](https://togithub.com/stern/stern) | minor | `v1.23.0` -> `v1.28.0` | | [tilt-dev/tilt](https://togithub.com/tilt-dev/tilt) | minor | `v0.32.0` -> `v0.33.10` | --- ### Release Notes <details> <summary>anchore/syft (anchore/syft)</summary> ### [`v0.100.0`](https://togithub.com/anchore/syft/releases/tag/v0.100.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.99.0...v0.100.0) ##### Added Features - Add more functionality to the ErLang parser \[[#2390](https://togithub.com/anchore/syft/pull/2390) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Added OpenSSL binary matcher \[[#2416](https://togithub.com/anchore/syft/pull/2416) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Add ability to extend the binaries cataloguers \[[#2469](https://togithub.com/anchore/syft/pull/2469) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] ##### Bug Fixes - Added missing Purl for busybox \[[#2457](https://togithub.com/anchore/syft/pull/2457) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Fix diff error obfuscating binary test failures message \[[#2468](https://togithub.com/anchore/syft/pull/2468) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - v0.99.0: CycloneDX json output breaks osv-scanner \[[#2467](https://togithub.com/anchore/syft/issues/2467)] ##### Additional Changes - update openssl binary to -x \[[#2456](https://togithub.com/anchore/syft/pull/2456) [@spiffcs](https://togithub.com/spiffcs)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.99.0...v0.100.0)** ### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0) ##### Added Features - Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)] - Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)] - Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)] - Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)] - Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)] - Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] - Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)] ##### Bug Fixes - bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)] - improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)] - improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)] - stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)] - fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)] - File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)] - Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)] ##### Breaking Changes - Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)] - Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)] - Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)] - Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)** ### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0) ##### Added Features - Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)] - Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)] - Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)] - hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)] - logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)] - Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)] - add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)] - add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)] - errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)] - `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)] - `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)] - Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)] ##### Breaking Changes - Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)] - Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)** ##### Special Thanks Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍 ### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1) ##### Bug Fixes - Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] ##### Additional Changes - `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)** ### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0) ##### Added Features - Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)] - Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)] ##### Bug Fixes - Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)] - capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)] - add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)] - skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)] - cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)] ##### Breaking Changes - Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)] - Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)** ### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0) ##### Added Features - Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)] - store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)] - Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)] ##### Bug Fixes - SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)] - Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)] - Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)** ### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0) ##### Added Features - Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)] - Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)] - Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)] - Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)] - Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)] ##### Bug Fixes - Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)] - Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)] - SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] - Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)] - Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)] - Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)] - Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)] - Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)] ##### Breaking Changes - Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)] - Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)] - Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)] - Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)** ### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0) ##### Added Features - Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)] - Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)] - Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)] - Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)] - Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)] - Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)] - Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)] - Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)** ### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0) ##### Added Features - Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)] - Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)] - Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)] ##### Bug Fixes - Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)] ##### Additional Changes - Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)] - update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)] - Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)** ### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0) ##### Added Features - Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)] ##### Bug Fixes - Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)** ### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0) ##### Added Features - Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)] - Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793) [@shanedell](https://togithub.com/shanedell)] - Support cataloging github workflow & github action usages \[[#1896](https://togithub.com/anchore/syft/issues/1896) [#2140](https://togithub.com/anchore/syft/pull/2140) [@wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Allow CycloneDX json input with no components \[[#2127](https://togithub.com/anchore/syft/pull/2127) [@ahoz](https://togithub.com/ahoz)] - Prevent errors from clobbering terminal \[[#2161](https://togithub.com/anchore/syft/pull/2161) [@kzantow](https://togithub.com/kzantow)] - Using syft as a go library to decode a syft json has incomplete data \[[#2069](https://togithub.com/anchore/syft/issues/2069) [#2083](https://togithub.com/anchore/syft/pull/2083) [@kzantow](https://togithub.com/kzantow)] - SBOMs are not the same on multiple runs of syft \[[#1944](https://togithub.com/anchore/syft/issues/1944)] ##### Additional Changes - Switch to stdlib's slices pkg \[[#2148](https://togithub.com/anchore/syft/pull/2148) [@hainenber](https://togithub.com/hainenber)] - Remove unneeded arch switch in unit test \[[#2156](https://togithub.com/anchore/syft/pull/2156) [@willmurphyscode](https://togithub.com/willmurphyscode)] - Update chronicle to v0.8.0 \[[#2154](https://togithub.com/anchore/syft/pull/2154) [@wagoodman](https://togithub.com/wagoodman)] - Update to latest stereoscope \[[#2151](https://togithub.com/anchore/syft/pull/2151) [@spiffcs](https://togithub.com/spiffcs)] - Pin workflow checkout for cpe update-cpe-dictionary-index \[[#2141](https://togithub.com/anchore/syft/pull/2141) [@spiffcs](https://togithub.com/spiffcs)] - Add dependency information to conan lockfile parser \[[#2131](https://togithub.com/anchore/syft/pull/2131) [@Pro](https://togithub.com/Pro)] - Pin and update all workflow dependencies; add permission scopes \[[#2138](https://togithub.com/anchore/syft/pull/2138) [@spiffcs](https://togithub.com/spiffcs)] - Enforce race detector \[[#2122](https://togithub.com/anchore/syft/pull/2122) [@willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)** ### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ### #### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ##### Added Features - Expose cobra command in cli package \[[PR #2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)] - Explicitly test PURL generation against key packages \[[Issue #2071](https://togithub.com/anchore/syft/issues/2071)] - Add User-Agent with Syft version during update check \[[Issue #2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)] ##### Bug Fixes - fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Cyclonedx external reference URLs are not validated when encoding \[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)] ##### Additional Changes - Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR #2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)] - fix: update codeql-analysis for go 1.21 \[[PR #2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ### #### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ##### Added Features - Add registry certificate verification support \[[PR #1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)] - Add SYFT_CONFIG environment variable for configuration file path \[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix quiet flag \[[PR #2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)] - Command line flags not overriding configuration file values \[[Issue #1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Django package CPE is not correct \[[Issue #1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)] - Config parsing includes `config.yaml` in working dir \[[Issue #1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Fix a possible panic on universal go binaries \[[Issue #2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #2078](https://togithub.com/anchore/syft/pull/2078)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Disabling catalogers is not working in power user command \[[Issue #2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ### #### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ##### Added Features - Detect golang boring crypto and fipsonly modules \[[PR #2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)] - feat: 1944 - update purl generation to use a consistent groupID \[[PR #2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)] - Add support to detect bash binaries \[[Issue #1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - fix: properly parse conan ref and include user and channel \[[PR #2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)] - New version notice only showing the version and no text \[[PR #2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)] - Fix: don't validate pom declared group \[[PR #2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue #1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)] - Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)] - Error parsing pom.xml with v0.87.1 \[[Issue #2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Invalid CycloneDX: duplicates in relationships section \[[Issue #2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ### #### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ##### Bug Fixes - Use Java package names to determine known groupIDs \[[PR #2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)] - Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)] - SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)] - Intermittent binary listings, different results every time \[[Issue #2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR #2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ### #### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #931](https://togithub.com/anchore/syft/issues/931)] \[[PR #1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR #1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 even if install fails \[[Issue #1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR #1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] - Correctly discover Debian file relationships in distroless images \[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)] \[[PR #1901](https://togithub.com/anchore/syft/pull/1901)] \[[westonsteimel](https://togithub.com/westonsteimel)] ##### Additional Changes - Simplify the SBOM writer interface \[[PR #1892](https://togithub.com/anchore/syft/pull/1892)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ### Changelog #### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0) (2023-06-20) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0) ##### Breaking Changes - Pad artifact IDs \[[PR #1882](https://togithub.com/anchore/syft/pull/1882)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Additional Changes - chore: update SPDX license list to 3.21 \[[PR #1885](https://togithub.com/anchore/syft/pull/1885)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ### Changelog #### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1) (2023-06-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1) ##### Bug Fixes - fix: pom properties not setting artifact id \[[PR #1870](https://togithub.com/anchore/syft/pull/1870)] \[[jneate](https://togithub.com/jneate)] - fix(deps): pull in platform selection fix from stereoscope \[[PR #1871](https://togithub.com/anchore/syft/pull/1871)] \[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see [https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188) - symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist \[[Issue #1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR #1861](https://togithub.com/anchore/syft/pull/1861)] \[[deitch](https://togithub.com/deitch)] ### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ### Changelog #### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0) (2023-06-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0) ##### Added Features - Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). \[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)] \[[PR #1859](https://togithub.com/anchore/syft/pull/1859)] \[[kzantow](https://togithub.com/kzantow)] - Add scope to POM properties \[[PR #1779](https://togithub.com/anchore/syft/pull/1779)] \[[jneate](https://togithub.com/jneate)] - Accept main.version ldflags even without vcs \[[PR #1855](https://togithub.com/anchore/syft/pull/1855)] \[[deitch](https://togithub.com/deitch)] ##### Bug Fixes - Fix directory resolver to consider CWD and root path input correctly \[[PR #1840](https://togithub.com/anchore/syft/pull/1840)] \[[wagoodman](https://togithub.com/wagoodman)] - Show all error messages if there is a failure retrieving an image with a specified scheme \[[Issue #1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - v0.81.0 crashing parsing some images \[[Issue #1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Deprecated Features - Migrate location-related structs to the file package \[[PR #1751](https://togithub.com/anchore/syft/pull/1751)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: code cleanup \[[PR #1865](https://togithub.com/anchore/syft/pull/1865)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ### Changelog #### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0) (2023-05-23) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0) ##### Added Features - Improve Go main module version detection by attempting to parse available ldflags \[[Issue #1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR #1832](https://togithub.com/anchore/syft/pull/1832)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Fix a problem in the license parsing logic that may result in a panic \[[PR #1839](https://togithub.com/anchore/syft/pull/1839)] - Return all relevant error messages if an image retrieval fails when a scheme is specified \[[PR #1801](https://togithub.com/anchore/syft/pull/1801)] \[[FrimIdan](https://togithub.com/FrimIdan)] - Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages \[[Issue #1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR #1778](https://togithub.com/anchore/syft/pull/1778)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ### Changelog #### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0) (2023-05-22) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0) ##### Added Features - Support cataloging R packages \[[Issue #730](https://togithub.com/anchore/syft/issues/730)] \[[PR #1790](https://togithub.com/anchore/syft/pull/1790)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Support describing license properties and SPDX expression assertions \[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)] \[[PR #1743](https://togithub.com/anchore/syft/pull/1743)] \[[spiffcs](https://togithub.com/spiffcs)] - Warn if parsing a newer SBOM \[[PR #1810](https://togithub.com/anchore/syft/pull/1810)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ##### Bug Fixes - Retain cataloged SBOM relationships \[[PR #1509](https://togithub.com/anchore/syft/pull/1509)] \[[houdini91](https://togithub.com/houdini91)] - fix: update field plurality of 8.0.0 schema before release \[[PR #1820](https://togithub.com/anchore/syft/pull/1820)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft \[[Issue #1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR #1797](https://togithub.com/anchore/syft/pull/1797)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - CycloneDX Dependencies Relationships Inverted \[[Issue #1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR #1816](https://togithub.com/anchore/syft/pull/1816)] \[[shanealv](https://togithub.com/shanealv)] - Alpine: license expression should be complete and not parsed out \[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)] \[[PR #1819](https://togithub.com/anchore/syft/pull/1819)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Additional Changes - Print package list when extra packages found \[[PR #1791](https://togithub.com/anchore/syft/pull/1791)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - update cosign to v2 release (different go module) \[[PR #1805](https://togithub.com/anchore/syft/pull/1805)] \[[bobcallaway](https://togithub.com/bobcallaway)] ### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ### Changelog #### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0) (2023-05-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0) ##### Added Features - Improve pnpm support \[[Issue #1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR #1752](https://togithub.com/anchore/syft/pull/1752)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - chore: add more detail on SPDX file IDs \[[PR #1769](https://togithub.com/anchore/syft/pull/1769)] \[[kzantow](https://togithub.com/kzantow)] - chore: do not HTML escape PackageURLs \[[PR #1782](https://togithub.com/anchore/syft/pull/1782)] \[[kzantow](https://togithub.com/kzantow)] - RPM database not found on ostree-managed systems \[[Issue #1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR #1756](https://togithub.com/anchore/syft/pull/1756)] \[[fpytloun](https://togithub.com/fpytloun)] - Unable to use syft for private azure container registry \[[Issue #1777](https://togithub.com/anchore/syft/issues/1777)] - linux-kernel-cataloger produces thousands of version-less components. \[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)] \[[PR #1784](https://togithub.com/anchore/syft/pull/1784)] \[[kzantow](https://togithub.com/kzantow)] ##### Deprecated Features - Rename pkg.Catalog to pkg.Collection \[[PR #1764](https://togithub.com/anchore/syft/pull/1764)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ### Changelog #### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0) (2023-04-21) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0) ##### Added Features - Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue #1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR #1747](https://togithub.com/anchore/syft/pull/1747)] \[[Shanedell](https://togithub.com/Shanedell)] - consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Bug Fixes - Syft missing direct dependencies from the gemfile.lock \[[Issue #1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR #1749](https://togithub.com/anchore/syft/pull/1749)] \[[Shanedell](https://togithub.com/Shanedell)] ##### Additional Changes - chore: bump stereoscope to latest version \[[PR #1741](https://togithub.com/anchore/syft/pull/1741)] \[[westonsteimel](https://togithub.com/westonsteimel)] ### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ### Changelog #### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0) (2023-04-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0) ##### Added Features - Add Linux Kernel cataloger \[[PR #1694](https://togithub.com/anchore/syft/pull/1694)] \[[deitch](https://togithub.com/deitch) & [wagoodman](https://togithub.com/wagoodman)] - Support scanning license files in golang packages over the network \[[Issue #1056](https://togithub.com/anchore/syft/issues/1056)] \[[PR #1630](https://togithub.com/anchore/syft/pull/1630)] \[[deitch](https://togithub.com/deitch) & [kzantow](https://togithub.com/kzantow)] - Add consul binary classifier \[[Issue #1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR #1738](https://togithub.com/anchore/syft/pull/1738)] \[[Shanedell](https://togithub.com/Shanedell)] - Add annotations for evidence on package locations \[[PR #1723](https://togithub.com/anchore/syft/pull/1723)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Decoding of the syft-json format does not handle files \[[Issue #1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR #1698](https://togithub.com/anchore/syft/pull/1698)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ### Changelog #### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0) (2023-04-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0) ##### Added Features - feat: gradle lockfile support \[[PR #1719](https://togithub.com/anchore/syft/pull/1719)] \[[henrysachs](https://togithub.com/henrysachs)] - feat: support for java "nar" files \[[PR #1727](https://togithub.com/anchore/syft/pull/1727)] \[[Shanedell](https://togithub.com/Shanedell)] ### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ### Changelog #### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1) (2023-04-05) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1) ##### Added Features - Capture file ownership relationships from portage ecosystem \[[PR #1702](https://togithub.com/anchore/syft/pull/1702)] \[[wagoodman](https://togithub.com/wagoodman)] - Add Nix Cataloger \[[Issue #462](https://togithub.com/anchore/syft/issues/462)] \[[PR #1107](https://togithub.com/anchore/sy Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>

willmurphyscode added the bug Something isn't working label Jun 1, 2023

willmurphyscode self-assigned this Jun 1, 2023

willmurphyscode mentioned this issue Jun 9, 2023

Change platform selection logic #189

Merged

willmurphyscode closed this as completed in #189 Jun 9, 2023

This was referenced Jun 9, 2023

Enhance specifying the mandatory "platform" arg for multi arch images anchore/sbom-action#419

Closed

fix(deps): pull in platform selection fix from stereoscope anchore/syft#1871

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Platform selection in docker client has unnecessary error #188

Platform selection in docker client has unnecessary error #188

willmurphyscode commented Jun 1, 2023

willmurphyscode commented Jun 2, 2023 •

edited

Loading

willmurphyscode commented Jun 8, 2023

Platform selection in docker client has unnecessary error #188

Platform selection in docker client has unnecessary error #188

Comments

willmurphyscode commented Jun 1, 2023

willmurphyscode commented Jun 2, 2023 • edited Loading

willmurphyscode commented Jun 8, 2023

willmurphyscode commented Jun 2, 2023 •

edited

Loading