From 87cd6c8c48239a20c413f6461e90000ff30ee601 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Fri, 26 Apr 2024 10:50:55 -0400
Subject: [PATCH 1/8] update spdx license list to 3.23 (#2818)
Signed-off-by: Alex Goodman
---
schema/cyclonedx/spdx.xsd | 2975 ++++++++++++++++++++++++-------------
1 file changed, 1935 insertions(+), 1040 deletions(-)
diff --git a/schema/cyclonedx/spdx.xsd b/schema/cyclonedx/spdx.xsd
index 66ba6f199e7..1365ed71fdb 100644
--- a/schema/cyclonedx/spdx.xsd
+++ b/schema/cyclonedx/spdx.xsd
@@ -2,664 +2,669 @@ + version="1.0-3.23"> - + - Interbase Public License v1.0 + BSD Zero Clause License - + - Mup License + Attribution Assurance License - + - GNU General Public License v2.0 w/Autoconf exception + Abstyles License - + - Open LDAP Public License v2.1 + AdaCore Doc License - + - Creative Commons Attribution Non Commercial Share Alike 3.0 IGO + Adobe Systems Incorporated Source Code License Agreement - + - GNU Library General Public License v2 or later + Adobe Display PostScript License - + - XPP License + Adobe Glyph List License - + - SIL Open Font License 1.1 + Adobe Utopia Font License - + - CNRI Python License + Amazon Digital Services License - + - Linux man-pages Copyleft + Academic Free License v1.1 - + - Open LDAP Public License v2.2 + Academic Free License v1.2 - + - Open Software License 1.1 + Academic Free License v2.0 - + - Eclipse Public License 2.0 + Academic Free License v2.1 - + - Academic Free License v1.1 + Academic Free License v3.0 - + - Affero General Public License v1.0 or later + Afmparse License - + - Good Luck With That Public License + Affero General Public License v1.0 - + - MIT License Modern Variant + Affero General Public License v1.0 only - + - BSD 1-Clause License + Affero General Public License v1.0 or later - + - SGI Free Software License B v1.0 + GNU Affero General Public License v3.0 - + - Open Market License + GNU Affero General Public License v3.0 only - + - psfrag License + GNU Affero General Public License v3.0 or later - + - Artistic License 1.0 + Aladdin Free Public License - + - Creative Commons Public Domain Dedication and Certification + AMD's plpa_map.c License - + - eGenix.com Public License 1.1.0 + Apple MIT License - + - European Union Public License 1.1 + AML glslang variant License - + - Sendmail License + Academy of Motion Picture Arts and Sciences BSD - + - Python Software Foundation License 2.0 + ANTLR Software Rights Notice - + - Open Government Licence v1.0 + ANTLR Software Rights Notice with 
license fallback - + - Matrix Template Library License + Apache License 1.0 - + - Nara Institute of Science and Technology License (2003) + Apache License 1.1 - + - ANTLR Software Rights Notice with license fallback + Apache License 2.0 - + - PostgreSQL License + Adobe Postscript AFM License - + - Open Software License 1.0 + Adaptive Public License 1.0 - + - Nethack General Public License + App::s2p License - + - Creative Commons Attribution Non Commercial No Derivatives 4.0 International + Apple Public Source License 1.0 - + - Code Project Open License 1.02 + Apple Public Source License 1.1 - + - FSF Unlimited License (with License Retention) + Apple Public Source License 1.2 - + - GNU Free Documentation License v1.2 only - no invariants + Apple Public Source License 2.0 - + - Net-SNMP License + Arphic Public License - + - Amazon Digital Services License + Artistic License 1.0 - + - Sendmail License 8.23 + Artistic License 1.0 w/clause 8 - + - CNRI Jython License + Artistic License 1.0 (Perl) - + - Reciprocal Public License 1.5 + Artistic License 2.0 - + - BSD-2-Clause Plus Patent License + ASWF Digital Assets License version 1.0 - + - SIL Open Font License 1.1 with no Reserved Font Name + ASWF Digital Assets License 1.1 - + - Apple Public Source License 1.2 + Baekmuk License - + - Open LDAP Public License v2.4 + Bahyph License - + - Mozilla Public License 2.0 (no copyleft exception) + Barr License - + - ISC License + bcrypt Solar Designer License - + - Creative Commons Attribution Share Alike 2.5 Generic + Beerware License - + - Sleepycat License + Bitstream Charter Font License - + - CUA Office Public License v1.0 + Bitstream Vera Font License - + - Frameworx Open License 1.0 + BitTorrent Open Source License v1.0 - + - Common Public Attribution License 1.0 + BitTorrent Open Source License v1.1 - + - Norwegian Licence for Open Government Data (NLOD) 2.0 + SQLite Blessing - + - Creative Commons Attribution Non Commercial 2.0 Generic + Blue Oak Model License 1.0.0 
- + - GNU Free Documentation License v1.1 or later - no invariants + Boehm-Demers-Weiser GC License - + - Creative Commons Attribution 2.5 Generic + Borceux license - + - Newsletr License + Brian Gladman 2-Clause License - + - The Parity Public License 7.0.0 + Brian Gladman 3-Clause License - + - Leptonica License + BSD 1-Clause License - + - CMU License + BSD 2-Clause "Simplified" License - + - Adobe Postscript AFM License + BSD 2-Clause - Ian Darwin variant - + - Creative Commons Attribution Non Commercial 2.5 Generic + BSD 2-Clause FreeBSD License - + - Cryptographic Autonomy License 1.0 (Combined Work Exception) + BSD 2-Clause NetBSD License - + - BSD 4 Clause Shortened + BSD-2-Clause Plus Patent License - + - Netscape Public License v1.1 + BSD 2-Clause with views sentence - + - Qhull License + BSD 3-Clause "New" or "Revised" License - + - CeCILL-C Free Software License Agreement + BSD 3-Clause acpica variant - + - GNU General Public License v1.0 only + BSD with attribution - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 Germany + BSD 3-Clause Clear License - + - Creative Commons Attribution Non Commercial Share Alike 3.0 Unported + BSD 3-Clause Flex variant - + - Creative Commons Attribution Non Commercial Share Alike 1.0 Generic + Hewlett-Packard BSD variant license - + - MIT Open Group variant + Lawrence Berkeley National Labs BSD variant license - + - Multics License + BSD 3-Clause Modification - + - Scheme Widget Library (SWL) Software License Agreement + BSD 3-Clause No Military License - + - GNU General Public License v1.0 or later + BSD 3-Clause No Nuclear License - + - GNU General Public License v3.0 or later + BSD 3-Clause No Nuclear License 2014 - + - DOC License + BSD 3-Clause No Nuclear Warranty - + - PHP License v3.0 + BSD 3-Clause Open MPI variant - + - Sun Industry Standards Source License v1.2 + BSD 3-Clause Sun Microsystems - + - Common Documentation License 1.0 + BSD 4-Clause "Original" or "Old" License - + - Lucent 
Public License Version 1.0 + BSD 4 Clause Shortened - + - Red Hat eCos Public License v1.1 + BSD-4-Clause (University of California-Specific) - + - Licence Art Libre 1.3 + BSD 4.3 RENO License - + - Creative Commons Attribution Share Alike 3.0 Germany + BSD 4.3 TAHOE License - + - Community Data License Agreement Permissive 1.0 + BSD Advertising Acknowledgement License - + - gnuplot License + BSD with Attribution and HPND disclaimer - + - App::s2p License + BSD-Inferno-Nettverk - + - iMatix Standard Function Library Agreement + BSD Protection License - + - Microsoft Public License + BSD Source Code Attribution - beginning of file variant - + - eCos license version 2.0 + BSD Source Code Attribution - + - BSD 3-Clause "New" or "Revised" License + Systemics BSD variant license - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO + Systemics W3Works BSD variant license - + - ICU License + Boost Software License 1.0 - + - GNU Affero General Public License v3.0 or later + Business Source License 1.1 - + - Creative Commons Attribution Share Alike 2.1 Japan + bzip2 and libbzip2 License v1.0.5 - + - Creative Commons Attribution Non Commercial Share Alike 4.0 International + bzip2 and libbzip2 License v1.0.6 - + - The Unlicense + Computational Use of Data Agreement v1.0 - + - Creative Commons Attribution Non Commercial 3.0 Germany + Cryptographic Autonomy License 1.0 - + - Open LDAP Public License v1.4 + Cryptographic Autonomy License 1.0 (Combined Work Exception) - + - CERN Open Hardware Licence Version 2 - Weakly Reciprocal + Caldera License - + - SugarCRM Public License v1.1.3 + Caldera License (without preamble) - + - IPA Font License + Computer Associates Trusted Open Source License 1.1 - + - Academic Free License v2.0 + Creative Commons Attribution 1.0 Generic - + - Unicode License Agreement - Data Files and Software (2016) + Creative Commons Attribution 2.0 Generic - + - Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported + 
Creative Commons Attribution 2.5 Generic - + - CERN Open Hardware Licence Version 2 - Permissive + Creative Commons Attribution 2.5 Australia - + - Creative Commons Attribution Non Commercial 3.0 Unported + Creative Commons Attribution 3.0 Unported - + - Copyfree Open Innovation License + Creative Commons Attribution 3.0 Austria - + - Cryptographic Autonomy License 1.0 + Creative Commons Attribution 3.0 Australia - + - Licence Libre du Québec – Permissive version 1.1 + Creative Commons Attribution 3.0 Germany - + - SIL Open Font License 1.1 with Reserved Font Name + Creative Commons Attribution 3.0 IGO - + - Lucent Public License v1.02 + Creative Commons Attribution 3.0 Netherlands - + - Open LDAP Public License v1.3 + Creative Commons Attribution 3.0 United States - + - Taiwan Open Government Data License, version 1.0 + Creative Commons Attribution 4.0 International - + - Creative Commons Attribution Non Commercial Share Alike 2.0 Generic + Creative Commons Attribution Non Commercial 1.0 Generic - + - Python License 2.0 + Creative Commons Attribution Non Commercial 2.0 Generic - + - NTP No Attribution + Creative Commons Attribution Non Commercial 2.5 Generic - + - FSF All Permissive License + Creative Commons Attribution Non Commercial 3.0 Unported - + - Erlang Public License v1.1 + Creative Commons Attribution Non Commercial 3.0 Germany - + - Barr License + Creative Commons Attribution Non Commercial 4.0 International - + - Creative Commons Attribution 3.0 United States + Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic - + - BSD 3-Clause No Nuclear License 2014 + Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic - + - No Limit Public License + Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic - + - BSD 3-Clause Clear License + Creative Commons Attribution Non Commercial No Derivatives 3.0 Unported - + - SGI Free Software License B v1.1 + Creative Commons Attribution Non Commercial No Derivatives 3.0 
Germany - + - Open Data Commons Public Domain Dedication & License 1.0 + Creative Commons Attribution Non Commercial No Derivatives 3.0 IGO - + - Common Development and Distribution License 1.0 + Creative Commons Attribution Non Commercial No Derivatives 4.0 International - + - GNU Lesser General Public License v2.1 or later + Creative Commons Attribution Non Commercial Share Alike 1.0 Generic - + - Blue Oak Model License 1.0.0 + Creative Commons Attribution Non Commercial Share Alike 2.0 Generic + + + + + Creative Commons Attribution Non Commercial Share Alike 2.0 Germany 
@@ -667,574 +672,1444 @@ Creative Commons Attribution-NonCommercial-ShareAlike 2.0 France - + - Fraunhofer FDK AAC Codec Library + Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales - + - Standard ML of New Jersey License + Creative Commons Attribution Non Commercial Share Alike 2.5 Generic - + - Affero General Public License v1.0 only + Creative Commons Attribution Non Commercial Share Alike 3.0 Unported - + - CeCILL Free Software License Agreement v1.0 + Creative Commons Attribution Non Commercial Share Alike 3.0 Germany - + - Attribution Assurance License + Creative Commons Attribution Non Commercial Share Alike 3.0 IGO - + - GNU General Public License v2.0 w/Font exception + Creative Commons Attribution Non Commercial Share Alike 4.0 International - + - Info-ZIP License + Creative Commons Attribution No Derivatives 1.0 Generic - + - SSH OpenSSH license + Creative Commons Attribution No Derivatives 2.0 Generic - + - SSH short notice + Creative Commons Attribution No Derivatives 2.5 Generic - + - GNU General Public License v2.0 or later + Creative Commons Attribution No Derivatives 3.0 Unported - + - Clarified Artistic License + Creative Commons Attribution No Derivatives 3.0 Germany - + + + Creative Commons Attribution No Derivatives 4.0 International + + + + + Creative Commons Attribution Share Alike 1.0 Generic + + + + + Creative Commons Attribution Share Alike 2.0 Generic + + + + + Creative Commons Attribution Share Alike 2.0 England and Wales + + + + + Creative Commons Attribution Share Alike 2.1 Japan + + + + + Creative Commons Attribution Share Alike 2.5 Generic + + + + + Creative Commons Attribution Share Alike 3.0 Unported + + + + + Creative Commons Attribution Share Alike 3.0 Austria + + + + + Creative Commons Attribution Share Alike 3.0 Germany + + + + + Creative Commons Attribution-ShareAlike 3.0 IGO + + + + + Creative Commons Attribution Share Alike 4.0 International + + + + + Creative Commons Public Domain Dedication and 
Certification + + + + + Creative Commons Zero v1.0 Universal + + + + + Common Development and Distribution License 1.0 + + + + + Common Development and Distribution License 1.1 + + + + + Common Documentation License 1.0 + + + + + Community Data License Agreement Permissive 1.0 + + + + + Community Data License Agreement Permissive 2.0 + + + + + Community Data License Agreement Sharing 1.0 + + + + + CeCILL Free Software License Agreement v1.0 + + + + + CeCILL Free Software License Agreement v1.1 + + + + + CeCILL Free Software License Agreement v2.0 + + + + + CeCILL Free Software License Agreement v2.1 + + + + + CeCILL-B Free Software License Agreement + + + + + CeCILL-C Free Software License Agreement + + + + + CERN Open Hardware Licence v1.1 + + + + + CERN Open Hardware Licence v1.2 + + + + + CERN Open Hardware Licence Version 2 - Permissive + + + + + CERN Open Hardware Licence Version 2 - Strongly Reciprocal + + + + + CERN Open Hardware Licence Version 2 - Weakly Reciprocal + + + + + CFITSIO License + + + + + check-cvs License + + + + + Checkmk License + + + + + Clarified Artistic License + + + + + Clips License + + + + + CMU Mach License + + + + + CMU Mach - no notices-in-documentation variant + + + + + CNRI Jython License + + + + + CNRI Python License + + + + + CNRI Python Open Source GPL Compatible License Agreement + + + + + Copyfree Open Innovation License + + + + + Community Specification License 1.0 + + + + + Condor Public License v1.1 + + + + + copyleft-next 0.3.0 + + + + + copyleft-next 0.3.1 + + + + + Cornell Lossless JPEG License + + + + + Common Public Attribution License 1.0 + + + + + Common Public License 1.0 + + + + + Code Project Open License 1.02 + + + + + Cronyx License + + + + + Crossword License + + + + + CrystalStacker License + + + + + CUA Office Public License v1.0 + + + + + Cube License + + + + + curl License + + + + + Deutsche Freie Software Lizenz + + + + + DEC 3-Clause License + + + + + diffmark license + + + + + Data licence Germany – 
attribution – version 2.0 + + + + + Data licence Germany – zero – version 2.0 + + + + + DOC License + + + + + Dotseqn License + + + + + Detection Rule License 1.0 + + + + + Detection Rule License 1.1 + + + + + DSDP License + + + + + David M. Gay dtoa License + + + + + dvipdfm License + + + + + Educational Community License v1.0 + + + + + Educational Community License v2.0 + + + + + eCos license version 2.0 + + + + + Eiffel Forum License v1.0 + + + + + Eiffel Forum License v2.0 + + + + + eGenix.com Public License 1.1.0 + + + + + Elastic License 2.0 + + + + + Entessa Public License v1.0 + + + + + EPICS Open License + + + + + Eclipse Public License 1.0 + + + + + Eclipse Public License 2.0 + + + + + Erlang Public License v1.1 + + + + + Etalab Open License 2.0 + + + + + EU DataGrid Software License + + + + + European Union Public License 1.0 + + + + + European Union Public License 1.1 + + + + + European Union Public License 1.2 + + + + + Eurosym License + + + + + Fair License + + + + + Fuzzy Bitmap License + + + + + Fraunhofer FDK AAC Codec Library + + + + + Ferguson Twofish License + + + + + Frameworx Open License 1.0 + + + + + FreeBSD Documentation License + + + + + FreeImage Public License v1.0 + + + + + FSF All Permissive License + + + + + FSF All Permissive License (without Warranty) + + + + + FSF Unlimited License + + + + + FSF Unlimited License (with License Retention) + + + + + FSF Unlimited License (With License Retention and Warranty Disclaimer) + + + + + Freetype Project License + + + + + Furuseth License + + + + + fwlw License + + + + + Gnome GCR Documentation License + + + + + GD License + + + + + GNU Free Documentation License v1.1 + + + + + GNU Free Documentation License v1.1 only - invariants + + + + + GNU Free Documentation License v1.1 or later - invariants + + + + + GNU Free Documentation License v1.1 only - no invariants + + + + + GNU Free Documentation License v1.1 or later - no invariants + + + + + GNU Free Documentation License v1.1 only + + + + + 
GNU Free Documentation License v1.1 or later + + + + + GNU Free Documentation License v1.2 + + + + + GNU Free Documentation License v1.2 only - invariants + + + + + GNU Free Documentation License v1.2 or later - invariants + + + + + GNU Free Documentation License v1.2 only - no invariants + + + + + GNU Free Documentation License v1.2 or later - no invariants + + + + + GNU Free Documentation License v1.2 only + + + + + GNU Free Documentation License v1.2 or later + + + + + GNU Free Documentation License v1.3 + + + + + GNU Free Documentation License v1.3 only - invariants + + + + + GNU Free Documentation License v1.3 or later - invariants + + + + + GNU Free Documentation License v1.3 only - no invariants + + + + + GNU Free Documentation License v1.3 or later - no invariants + + + - SNIA Public License 1.1 + GNU Free Documentation License v1.3 only - + - GNU Free Documentation License v1.1 only - invariants + GNU Free Documentation License v1.3 or later - + - BSD 3-Clause No Military License + Giftware License - + - GNU Free Documentation License v1.1 + GL2PS License - + - Mozilla Public License 1.1 + 3dfx Glide License - + - Open LDAP Public License v1.1 + Glulxe License - + - JSON License + Good Luck With That Public License - + - GNU Free Documentation License v1.3 only - no invariants + gnuplot License - + - OCLC Research Public License 2.0 + GNU General Public License v1.0 only + + + + + GNU General Public License v1.0 or later + + + + + GNU General Public License v1.0 only + + + + + GNU General Public License v1.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 only + + + + + GNU General Public License v2.0 or later + + + + + GNU General Public License v2.0 w/Autoconf exception + + + + + GNU General Public License v2.0 w/Bison exception + + + + + GNU General Public License v2.0 w/Classpath exception + + + + + GNU General Public License v2.0 w/Font exception + + + 
+ + GNU General Public License v2.0 w/GCC Runtime Library exception + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 only + + + + + GNU General Public License v3.0 or later + + + + + GNU General Public License v3.0 w/Autoconf exception + + + + + GNU General Public License v3.0 w/GCC Runtime Library exception + + + + + Graphics Gems License + + + + + gSOAP Public License v1.3b + + + + + gtkbook License + + + + + Haskell Language Report License + + + + + hdparm License + + + + + Hippocratic License 2.1 + + + + + Hewlett-Packard 1986 License + + + + + Hewlett-Packard 1989 License + + + + + Historical Permission Notice and Disclaimer + + + + + Historical Permission Notice and Disclaimer - DEC variant + + + + + Historical Permission Notice and Disclaimer - documentation variant + + + + + Historical Permission Notice and Disclaimer - documentation sell variant + + + + + HPND with US Government export control warning + + + + + HPND with US Government export control warning and modification rqmt + + + + + Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant + + + + + Historical Permission Notice and Disclaimer - INRIA-IMAG variant + + + + + Historical Permission Notice and Disclaimer - Kevlin Henney variant + + + + + Historical Permission Notice and Disclaimer - Markus Kuhn variant + + + + + Historical Permission Notice and Disclaimer with MIT disclaimer + + + + + Historical Permission Notice and Disclaimer - Pbmplus variant + + + + + Historical Permission Notice and Disclaimer - sell xserver variant with MIT disclaimer + + + + + Historical Permission Notice and Disclaimer - sell regexpr variant + + + + + Historical Permission Notice and Disclaimer - sell variant + + + + + HPND sell variant with MIT disclaimer + + + + + Historical Permission Notice and Disclaimer - University of California variant + + + + + HTML Tidy License + + + + + IBM PowerPC Initialization 
and Boot Software + + + + + ICU License + + + + + IEC Code Components End-user licence agreement + + + + + Independent JPEG Group License + + + + + Independent JPEG Group License - short + + + + + ImageMagick License + + + + + iMatix Standard Function Library Agreement + + + + + Imlib2 License + + + + + Info-ZIP License - + - Open LDAP Public License v2.0.1 + Inner Net License v2.0 - + - FreeBSD Documentation License + Intel Open Source License - + - GNU General Public License v1.0 or later + Intel ACPI Software License Agreement - + - Yahoo! Public License v1.1 + Interbase Public License v1.0 - + - Common Public License 1.0 + IPA Font License - + - Apache License 1.0 + IBM Public License v1.0 - + - SIL Open Font License 1.0 + ISC License - + - Creative Commons Attribution 4.0 International + ISC Veillard variant - + - DSDP License + Jam License - + - IBM PowerPC Initialization and Boot Software + JasPer License - + - MIT No Attribution + JPL Image Use Policy - + - Detection Rule License 1.0 + Japan Network Information Center License - + - zlib License + JSON License - + - Adaptive Public License 1.0 + Kastrup License - + - Sybase Open Watcom Public License 1.0 + Kazlib License - + - GNU General Public License v2.0 w/GCC Runtime Library exception + Knuth CTAN License - + - European Union Public License 1.2 + Licence Art Libre 1.2 - + - FSF Unlimited License + Licence Art Libre 1.3 - + - NASA Open Source Agreement 1.3 + Latex2e License - + - BSD 2-Clause "Simplified" License + Latex2e with translated notice permission - + - XFree86 License 1.1 + Leptonica License - + - Eurosym License + GNU Library General Public License v2 only - + - Open LDAP Public License v2.8 + GNU Library General Public License v2 or later - + - dvipdfm License + GNU Library General Public License v2 only - + - NIST Public Domain Notice + GNU Library General Public License v2 or later - + - Apache License 1.1 + GNU Lesser General Public License v2.1 only - + - The Parity Public License 6.0.0 + 
GNU Lesser General Public License v2.1 or later - + - Creative Commons Attribution 2.0 Generic + GNU Lesser General Public License v2.1 only - + - GNU Lesser General Public License v3.0 or later + GNU Lesser General Public License v2.1 or later - + - BSD 2-Clause with views sentence + GNU Lesser General Public License v3.0 only - + - GNU General Public License v2.0 w/Classpath exception + GNU Lesser General Public License v3.0 or later - + - BSD 3-Clause No Nuclear Warranty + GNU Lesser General Public License v3.0 only - + - X11 License + GNU Lesser General Public License v3.0 or later - + - Community Data License Agreement Permissive 2.0 + Lesser General Public License For Linguistic Resources - + - Haskell Language Report License + libpng License - + - Artistic License 1.0 w/clause 8 + PNG Reference Library version 2 - + - Apple Public Source License 2.0 + libselinux public domain notice - + - GNU General Public License v3.0 or later + libtiff License - + - Solderpad Hardware License v0.5 + libutil David Nugent License - + - CNRI Python Open Source GPL Compatible License Agreement + Licence Libre du Québec – Permissive version 1.1 - + - Condor Public License v1.1 + Licence Libre du Québec – Réciprocité version 1.1 - + - Open LDAP Public License v2.3 + Licence Libre du Québec – Réciprocité forte version 1.1 - + - GNU General Public License v2.0 only + Linux man-pages - 1 paragraph - + - Business Source License 1.1 + Linux man-pages Copyleft - + - Licence Libre du Québec – Réciprocité version 1.1 + Linux man-pages Copyleft - 2 paragraphs - + - Academy of Motion Picture Arts and Sciences BSD + Linux man-pages Copyleft Variant - + - copyleft-next 0.3.1 + Linux Kernel Variant of OpenIB.org license - + - GNU Free Documentation License v1.3 or later - invariants + Common Lisp LOOP License - + - Open LDAP Public License v2.7 + LPD Documentation License - + - Open Software License 2.0 + Lucent Public License Version 1.0 - + - Unicode License Agreement - Data Files and 
Software (2015) + Lucent Public License v1.02 - + - Computer Associates Trusted Open Source License 1.1 + LaTeX Project Public License v1.0 - + - Ricoh Source Code Public License + LaTeX Project Public License v1.1 - + - PNG Reference Library version 2 + LaTeX Project Public License v1.2 - + - LaTeX Project Public License v1.1 + LaTeX Project Public License v1.3a - + - Community Data License Agreement Sharing 1.0 + LaTeX Project Public License v1.3c - + - Glulxe License + lsof License - + - GNU Free Documentation License v1.3 or later - no invariants + Lucida Bitmap Fonts License - + - Open LDAP Public License v1.2 + LZMA SDK License (versions 9.11 to 9.20) - + - Common Development and Distribution License 1.1 + LZMA SDK License (versions 9.22 and beyond) - + - CERN Open Hardware Licence v1.1 + Mackerras 3-Clause License - + - BSD Source Code Attribution + Mackerras 3-Clause - acknowledgment variant - + - Independent JPEG Group License + magaz License - + - Zimbra Public License v1.4 + mailprio License - + - BSD Zero Clause License + MakeIndex License - + - Creative Commons Attribution 1.0 Generic + Martin Birgmeier License - + - wxWindows Library License + McPhee Slideshow License - + - Zope Public License 2.1 + metamail License - + - NTP License + Minpack License - + - Artistic License 1.0 (Perl) + The MirOS Licence - + - Creative Commons Attribution No Derivatives 2.0 Generic + MIT License - + - Creative Commons Attribution No Derivatives 4.0 International + MIT No Attribution - + - Adobe Systems Incorporated Source Code License Agreement + Enlightenment License (e16) - + - Eclipse Public License 1.0 + CMU License - + - diffmark license + enna License - + - xinetd License + feh License - + - Plexus Classworlds License + MIT Festival Variant - + - Japan Network Information Center License + MIT License Modern Variant - + - Adobe Glyph List License + MIT Open Group variant - + - Cube License + MIT testregex Variant - + - TCP Wrappers License + MIT Tom Wu Variant - 
+ - Creative Commons Attribution Share Alike 1.0 Generic + MIT +no-false-attribs license - + - BSD 2-Clause FreeBSD License + MMIXware License - + - Open Government Licence - Canada + Motosoto License - + - ANTLR Software Rights Notice + MPEG Software Simulation - + - GNU Library General Public License v2.1 or later + mpi Permissive License - + - Open Software License 2.1 + mpich2 License - + - psutils License + Mozilla Public License 1.0 - + - SCEA Shared Source License + Mozilla Public License 1.1 - + - The MirOS Licence + Mozilla Public License 2.0 - + - Hippocratic License 2.1 + Mozilla Public License 2.0 (no copyleft exception) - + - GNU Free Documentation License v1.2 only - invariants + mplus Font License - + - GNU Lesser General Public License v2.1 only + Microsoft Limited Public License - + - Entessa Public License v1.0 + Microsoft Public License 
@@ -1242,164 +2117,164 @@ Microsoft Reciprocal License - + - libselinux public domain notice + Matrix Template Library License - + - GNU Library General Public License v2 only + Mulan Permissive Software License, Version 1 - + - Open LDAP Public License v2.5 + Mulan Permissive Software License, Version 2 - + - Imlib2 License + Multics License - + - libpng License + Mup License - + - Scheme Language Report License + Nara Institute of Science and Technology License (2003) - + - Mozilla Public License 1.0 + NASA Open Source Agreement 1.3 - + - Sax Public Domain Notice + Naumen Public License - + - Norwegian Licence for Open Government Data (NLOD) 1.0 + Net Boolean Public License v1 - + - Simple Public License 2.0 + Non-Commercial Government Licence - + - Technische Universitaet Berlin License 1.0 + University of Illinois/NCSA Open Source License - + - GNU Free Documentation License v1.1 only - no invariants + Net-SNMP License - + - Creative Commons Attribution No Derivatives 3.0 Germany + NetCDF license - + - MakeIndex License + Newsletr License - + - EPICS Open License + Nethack General Public License - + - GNU Free Documentation License v1.3 only - invariants + NICTA Public Software License, Version 1.0 - + - XSkat License + NIST Public Domain Notice - + - bzip2 and libbzip2 License v1.0.5 + NIST Public Domain Notice with license fallback - + - Community Specification License 1.0 + NIST Software License - + - GL2PS License + Norwegian Licence for Open Government Data (NLOD) 1.0 - + - Historical Permission Notice and Disclaimer + Norwegian Licence for Open Government Data (NLOD) 2.0 - + - bzip2 and libbzip2 License v1.0.6 + No Limit Public License - + - Creative Commons Attribution Non Commercial 1.0 Generic + Nokia Open Source License - + - Fair License + Netizen Open Source License - + - CeCILL-B Free Software License Agreement + Noweb License - + - 3dfx Glide License + Netscape Public License v1.0 - + - Creative Commons Attribution Share Alike 4.0 International + 
Netscape Public License v1.1 - + - Creative Commons Zero v1.0 Universal + Non-Profit Open Software License 3.0 - + - enna License + NRL License - + - Wsuipa License + NTP License - + - RSA Message-Digest License + NTP No Attribution - + - VOSTROM Public License for Open Source + Nunit License 
@@ -1407,1040 +2282,1050 @@ Open Use of Data Agreement v1.0 - + - CERN Open Hardware Licence Version 2 - Strongly Reciprocal + Open CASCADE Technology Public License - + - X11 License Distribution Modification Variant + OCLC Research Public License 2.0 - + - copyleft-next 0.3.0 + Open Data Commons Open Database License v1.0 - + - Zimbra Public License v1.3 + Open Data Commons Attribution License v1.0 - + - NIST Public Domain Notice with license fallback + OFFIS License - + - Nokia Open Source License + SIL Open Font License 1.0 - + - Academic Free License v2.1 + SIL Open Font License 1.0 with no Reserved Font Name - + - Zope Public License 2.0 + SIL Open Font License 1.0 with Reserved Font Name - + - Open Data Commons Open Database License v1.0 + SIL Open Font License 1.1 - + - zlib/libpng License with Acknowledgement + SIL Open Font License 1.1 with no Reserved Font Name - + - PHP License v3.01 + SIL Open Font License 1.1 with Reserved Font Name - + - Afmparse License + OGC Software License, Version 1.0 - + - Historical Permission Notice and Disclaimer - sell variant + Taiwan Open Government Data License, version 1.0 - + - PolyForm Small Business License 1.0.0 + Open Government Licence - Canada - + - IBM Public License v1.0 + Open Government Licence v1.0 - + - CeCILL Free Software License Agreement v1.1 + Open Government Licence v2.0 - + - feh License + Open Government Licence v3.0 - + + + Open Group Test Suite License + + + + + Open LDAP Public License v1.1 + + + - SIL Open Font License 1.0 with Reserved Font Name + Open LDAP Public License v1.2 - + - TMate Open Source License + Open LDAP Public License v1.3 - + - BSD 3-Clause No Nuclear License + Open LDAP Public License v1.4 - + - W3C Software Notice and License (1998-07-20) + Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) - + - Sun Public License v1.0 + Open LDAP Public License v2.0.1 - + - NetCDF license + Open LDAP Public License v2.1 - + - Aladdin Free Public License + Open LDAP Public License 
v2.2 - + - AMD's plpa_map.c License + Open LDAP Public License v2.2.1 - + - CrystalStacker License + Open LDAP Public License 2.2.2 - + - Intel ACPI Software License Agreement + Open LDAP Public License v2.3 - + - CERN Open Hardware Licence v1.2 + Open LDAP Public License v2.4 - + - Creative Commons Attribution Non Commercial Share Alike 3.0 Germany + Open LDAP Public License v2.5 - + - MIT License + Open LDAP Public License v2.6 - + - Zed License + Open LDAP Public License v2.7 - + - Open LDAP Public License v2.0 (or possibly 2.0A and 2.0B) + Open LDAP Public License v2.8 - + - Mulan Permissive Software License, Version 1 + Open Logistics Foundation License Version 1.3 - + - Eiffel Forum License v2.0 + Open Market License - + - Latex2e License + OpenPBS v2.3 Software License - + - Spencer License 94 + OpenSSL License - + - Open Public License v1.0 + OpenSSL License - standalone - + - Creative Commons Attribution Non Commercial 4.0 International + OpenVision License - + - GNU Lesser General Public License v3.0 or later + Open Public License v1.0 - + - Universal Permissive License v1.0 + United Kingdom Open Parliament Licence v3.0 - + - University of Illinois/NCSA Open Source License + Open Publication License v1.0 - + - SGI Free Software License B v2.0 + OSET Public License version 2.1 - + - GNU General Public License v3.0 w/GCC Runtime Library exception + Open Software License 1.0 - + - Zend License v2.0 + Open Software License 1.1 - + - ImageMagick License + Open Software License 2.0 - + - Open LDAP Public License v2.6 + Open Software License 2.1 - + - Unicode Terms of Use + Open Software License 3.0 - + - GNU General Public License v3.0 only + PADL License - + - Artistic License 2.0 + The Parity Public License 6.0.0 - + - SQLite Blessing + The Parity Public License 7.0.0 - + - Etalab Open License 2.0 + Open Data Commons Public Domain Dedication & License 1.0 - + - GNU Free Documentation License v1.2 only + PHP License v3.0 - + - LaTeX Project Public License v1.0 
+ PHP License v3.01 - + - Rdisc License + Pixar License - + - BSD 3-Clause Modification + Plexus Classworlds License - + - Xerox License + pnmstitch License - + - Mozilla Public License 2.0 + PolyForm Noncommercial License 1.0.0 - + - BitTorrent Open Source License v1.1 + PolyForm Small Business License 1.0.0 - + - Creative Commons Attribution Non Commercial No Derivatives 2.0 Generic + PostgreSQL License - + - Sun Industry Standards Source License v1.1 + Python Software Foundation License 2.0 - + - libtiff License + psfrag License - + - Creative Commons Attribution Non Commercial Share Alike 2.0 England and Wales + psutils License - + - Deutsche Freie Software Lizenz + Python License 2.0 - + - LaTeX Project Public License v1.2 + Python License 2.0.1 - + - TAPR Open Hardware License v1.0 + Python ldap License - + - European Union Public License 1.0 + Qhull License - + - Solderpad Hardware License, Version 0.51 + Q Public License 1.0 - + - Freetype Project License + Q Public License 1.0 - INRIA 2004 variant - + - W3C Software Notice and Document License (2015-05-13) + radvd License - + - OSET Public License version 2.1 + Rdisc License - + - EU DataGrid Software License + Red Hat eCos Public License v1.1 - + - Upstream Compatibility License v1.0 + Reciprocal Public License 1.1 - + - Borceux license + Reciprocal Public License 1.5 - + - Elastic License 2.0 + RealNetworks Public Source License v1.0 - + - BSD 2-Clause NetBSD License + RSA Message-Digest License - + - BSD 3-Clause Open MPI variant + Ricoh Source Code Public License - + - Open Software License 3.0 + Ruby License - + - curl License + Sax Public Domain Notice - + - Spencer License 86 + Sax Public Domain Notice 2.0 - + - Boost Software License 1.0 + Saxpath License - + - Standard ML of New Jersey License + SCEA Shared Source License - + - Trusster Open Source License + Scheme Language Report License - + - Netizen Open Source License + Sendmail License - + - Academic Free License v1.2 + Sendmail License 8.23 
- + - Mulan Permissive Software License, Version 2 + SGI Free Software License B v1.0 - + - Motosoto License + SGI Free Software License B v1.1 - + - Creative Commons Attribution Non Commercial Share Alike 2.5 Generic + SGI Free Software License B v2.0 - + - JasPer License + SGI OpenGL License - + - BSD-4-Clause (University of California-Specific) + SGP4 Permission Notice - + - Bahyph License + Solderpad Hardware License v0.5 - + - Vovida Software License v1.0 + Solderpad Hardware License, Version 0.51 - + - W3C Software Notice and License (2002-12-31) + Simple Public License 2.0 - + - Open Data Commons Attribution License v1.0 + Sun Industry Standards Source License v1.1 - + - BitTorrent Open Source License v1.0 + Sun Industry Standards Source License v1.2 - + - Open Government Licence v2.0 + SL License - + - GNU Lesser General Public License v3.0 only + Sleepycat License - + - X.Net License + Standard ML of New Jersey License - + - Ruby License + Secure Messaging Protocol Public License - + - GNU Free Documentation License v1.3 + SNIA Public License 1.1 - + - Zope Public License 1.1 + snprintf License - + - Open CASCADE Technology Public License + softSurfer License - + - LaTeX Project Public License v1.3c + Soundex License - + - Apache License 2.0 + Spencer License 86 - + - GD License + Spencer License 94 - + - Creative Commons Attribution 3.0 Netherlands + Spencer License 99 - + - LaTeX Project Public License v1.3a + Sun Public License v1.0 - + - Creative Commons Attribution 2.5 Australia + ssh-keyscan License - + - GNU Free Documentation License v1.1 only + SSH OpenSSH license - + - GNU Free Documentation License v1.1 or later + SSH short notice - + - Open Government Licence v3.0 + SSLeay License - standalone - + - Yahoo! 
Public License v1.0 + Server Side Public License, v 1 - + - Reciprocal Public License 1.1 + Standard ML of New Jersey License - + - GNU Library General Public License v2 or later + SugarCRM Public License v1.1.3 - + - Open Publication License v1.0 + Sun PPP License - + - Noweb License + SunPro License - + - Academic Free License v3.0 + Scheme Widget Library (SWL) Software License Agreement - + - Nunit License + swrule License - + - Creative Commons Attribution 3.0 Unported + Symlinks License - + - Beerware License + TAPR Open Hardware License v1.0 - + - Caldera License + TCL/TK License - + - GNU General Public License v1.0 only + TCP Wrappers License - + - GNU General Public License v2.0 or later + TermReadKey License - + - Non-Commercial Government Licence + Transitive Grace Period Public Licence 1.0 - + - Creative Commons Attribution No Derivatives 2.5 Generic + TMate Open Source License - + - GNU General Public License v2.0 only + TORQUE v2.5+ Software License v1.1 - + - Intel Open Source License + Trusster Open Source License - + - Vim License + Time::ParseDate License - + - Creative Commons Attribution Share Alike 2.0 Generic + THOR Public License 1.0 - + - MIT +no-false-attribs license + Text-Tabs+Wrap License - + - Apple Public Source License 1.1 + TTYP0 License - + - GNU Free Documentation License v1.2 or later + Technische Universitaet Berlin License 1.0 - + - BSD with attribution + Technische Universitaet Berlin License 2.0 - + - SIL Open Font License 1.0 with no Reserved Font Name + UCAR License - + - Naumen Public License + Upstream Compatibility License v1.0 - + - Creative Commons Attribution Non Commercial No Derivatives 2.5 Generic + ulem License - + - Computational Use of Data Agreement v1.0 + Michigan/Merit Networks License - + - Lesser General Public License For Linguistic Resources + Unicode License v3 - + - mpich2 License + Unicode License Agreement - Data Files and Software (2015) - + - Apple Public Source License 1.0 + Unicode License 
Agreement - Data Files and Software (2016) - + - Linux Kernel Variant of OpenIB.org license + Unicode Terms of Use - + - Enlightenment License (e16) + UnixCrypt License - + - GNU Free Documentation License v1.2 + The Unlicense - + - Open Group Test Suite License + Universal Permissive License v1.0 - + - Dotseqn License + Utah Raster Toolkit Run Length Encoded License - + - Data licence Germany – attribution – version 2.0 + Vim License - + - Saxpath License + VOSTROM Public License for Open Source - + - GNU Affero General Public License v3.0 + Vovida Software License v1.0 - + - Abstyles License + W3C Software Notice and License (2002-12-31) - + - Creative Commons Attribution Share Alike 3.0 Unported + W3C Software Notice and License (1998-07-20) - + - Giftware License + W3C Software Notice and Document License (2015-05-13) - + - FreeImage Public License v1.0 + w3m License - + - CeCILL Free Software License Agreement v2.1 + Sybase Open Watcom Public License 1.0 - + - RealNetworks Public Source License v1.0 + Widget Workshop License - + - GNU Free Documentation License v1.3 or later + Wsuipa License - + - GNU Free Documentation License v1.1 or later - invariants + Do What The F*ck You Want To Public License - + - Educational Community License v2.0 + wxWindows Library License - + - Licence Libre du Québec – Réciprocité forte version 1.1 + X11 License - + - GNU General Public License v3.0 w/Autoconf exception + X11 License Distribution Modification Variant - + - Jam License + Xdebug License v 1.03 - + - GNU Free Documentation License v1.2 or later - no invariants + Xerox License - + - CeCILL Free Software License Agreement v2.0 + Xfig License - + - PolyForm Noncommercial License 1.0.0 + XFree86 License 1.1 - + - OGC Software License, Version 1.0 + xinetd License - + - Creative Commons Attribution No Derivatives 3.0 Unported + xkeyboard-config Zinoviev License - + - Q Public License 1.0 + xlock License - + - Licence Art Libre 1.2 + X.Net License - + - Creative Commons 
Attribution 3.0 Germany + XPP License - + - OpenSSL License + XSkat License - + - Spencer License 99 + Yahoo! Public License v1.0 - + - Creative Commons Attribution Share Alike 3.0 Austria + Yahoo! Public License v1.1 - + - BSD Protection License + Zed License - + - Open LDAP Public License 2.2.2 + Zeeff License - + - NRL License + Zend License v2.0 - + - TORQUE v2.5+ Software License v1.1 + Zimbra Public License v1.3 - + - HTML Tidy License + Zimbra Public License v1.4 - + - Server Side Public License, v 1 + zlib License - + - Netscape Public License v1.0 + zlib/libpng License with Acknowledgement - + - GNU Library General Public License v2 only + Zope Public License 1.1 - + - GNU Affero General Public License v3.0 only + Zope Public License 2.0 - + - GNU Free Documentation License v1.2 or later - invariants + Zope Public License 2.1 - + + - GNU General Public License v2.0 w/Bison exception + 389 Directory Server Exception - + - Creative Commons Attribution Non Commercial No Derivatives 1.0 Generic + Asterisk exception - + - Educational Community License v1.0 + Autoconf exception 2.0 - + - Do What The F*ck You Want To Public License + Autoconf exception 3.0 - + - Creative Commons Attribution Share Alike 2.0 England and Wales + Autoconf generic exception - + - GNU General Public License v3.0 only + Autoconf generic exception for GPL-3.0 - + - Open LDAP Public License v2.2.1 + Autoconf macro exception - + - Secure Messaging Protocol Public License + Bison exception 1.24 - + - Creative Commons Attribution 3.0 Austria + Bison exception 2.2 - + - Eiffel Forum License v1.0 + Bootloader Distribution Exception - + - Net Boolean Public License v1 + Classpath exception 2.0 - + - Lawrence Berkeley National Labs BSD variant license + CLISP exception 2.0 - + - Affero General Public License v1.0 + cryptsetup OpenSSL exception - + - Crossword License + DigiRule FOSS License Exception - + - TCL/TK License + eCos exception 2.0 - + - Creative Commons Attribution No Derivatives 1.0 
Generic + Fawkes Runtime Exception - + - Apple MIT License + FLTK exception - + - Technische Universitaet Berlin License 2.0 + fmt exception - + - GNU Free Documentation License v1.3 only + Font exception 2.0 - + - Non-Profit Open Software License 3.0 + FreeRTOS Exception 2.0 - + - BSD 4-Clause "Original" or "Old" License + GCC Runtime Library exception 2.0 - + - gSOAP Public License v1.3b + GCC Runtime Library exception 2.0 - note variant - + - GNU Lesser General Public License v2.1 only + GCC Runtime Library exception 3.1 - + - GNU Lesser General Public License v3.0 only + Gmsh exception> - - + - FreeRTOS Exception 2.0 + GNAT exception - + - Swift Exception + GNOME examples exception - + - Qt LGPL exception 1.1 + GNU Compiler Exception @@ -2448,14 +3333,19 @@ GNU JavaMail exception - + - CLISP exception 2.0 + GPL-3.0 Interface Exception - + - eCos exception 2.0 + GPL-3.0 Linking Exception + + + + + GPL-3.0 Linking Exception (with Corresponding Source) @@ -2463,29 +3353,39 @@ GPL Cooperation Commitment 1.0 - + - DigiRule FOSS License Exception + GStreamer Exception (2005) - + - Font exception 2.0 + GStreamer Exception (2008) - + - Qt GPL exception 1.0 + i2p GPL+Java Exception - + - PS/PDF font exception (2017-08-17) + KiCad Libraries Exception - + - GPL-3.0 Linking Exception (with Corresponding Source) + LGPL-3.0 Linking Exception + + + + + libpri OpenH323 exception + + + + + Libtool Exception @@ -2493,29 +3393,29 @@ Linux Syscall Note - + - GCC Runtime Library exception 2.0 + LLGPL Preamble - + - LZMA exception + LLVM Exception - + - Autoconf exception 3.0 + LZMA exception - + - U-Boot exception 2.0 + Macros and Inline Functions Exception - + - LLVM Exception + Nokia Qt LGPL exception 1.1 @@ -2523,19 +3423,14 @@ OCaml LGPL Linking Exception - - - Autoconf exception 2.0 - - - + - Bootloader Distribution Exception + Open CASCADE Exception 1.0 - + - LGPL-3.0 Linking Exception + OpenJDK Assembly exception 1.0 
@@ -2543,97 +3438,97 @@ OpenVPN OpenSSL Exception - + - FLTK exception + PS/PDF font exception (2017-08-17) - + - Bison exception 2.2 + INRIA QPL 1.0 2004 variant exception - + - Open CASCADE Exception 1.0 + Qt GPL exception 1.0 - + - GCC Runtime Library exception 3.1 + Qt LGPL exception 1.1 - + - OpenJDK Assembly exception 1.0 + Qwt exception 1.0 - + - WxWindows Library Exception 3.1 + SANE Exception - + - Fawkes Runtime Exception + Solderpad Hardware License v2.0 - + - Nokia Qt LGPL exception 1.1 + Solderpad Hardware License v2.1 - + - Qwt exception 1.0 + stunnel Exception - + - Universal FOSS Exception, Version 1.0 + SWI exception - + - Classpath exception 2.0 + Swift Exception - + - Solderpad Hardware License v2.0 + Texinfo exception - + - GPL-3.0 Linking Exception + U-Boot exception 2.0 - + - Solderpad Hardware License v2.1 + Unmodified Binary Distribution exception - + - Libtool Exception + Universal FOSS Exception, Version 1.0 - + - Macros and Inline Functions Exception + vsftpd OpenSSL exception - + - 389 Directory Server Exception + WxWindows Library Exception 3.1 - + - i2p GPL+Java Exception + x11vnc OpenSSL Exception - + \ No newline at end of file From 9901ea8fe969522457b0d615032f0a997be824f1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 12:40:43 -0400 Subject: [PATCH 2/8] chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 (#2821) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.10 to 0.15.11. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c...7ccf588e3cf3cc2611714c2eeae48550fbc17552) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1d3f34fdb9d..f85bf1b8c4e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -143,7 +143,7 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} - - uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c #v0.15.10 + - uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 #v0.15.11 continue-on-error: true with: artifact-name: sbom.spdx.json From 5b037883009148fc169f33094bf91f5421144112 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Mon, 29 Apr 2024 16:33:00 -0400 Subject: [PATCH 3/8] Fill in SPDX originator for all supported package types (#2822) * add failing test + beef up doc comments Signed-off-by: Alex Goodman * cover more metadata types in spdx originator processing Signed-off-by: Alex Goodman --------- Signed-off-by: Alex Goodman --- .../common/spdxhelpers/to_format_model.go | 4 +- .../spdxutil/helpers/originator_supplier.go | 210 ++++++++ .../helpers/originator_supplier_test.go | 482 ++++++++++++++++++ .../spdxutil/helpers/originator_test.go | 119 ----- .../internal/spdxutil/helpers/origintor.go | 44 -- syft/pkg/r.go | 8 +- 6 files changed, 698 insertions(+), 169 deletions(-) create mode 100644 syft/format/internal/spdxutil/helpers/originator_supplier.go create mode 100644 syft/format/internal/spdxutil/helpers/originator_supplier_test.go delete mode 100644 syft/format/internal/spdxutil/helpers/originator_test.go delete mode 100644 syft/format/internal/spdxutil/helpers/origintor.go diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go index 3a2061b658c..56b71322c61 100644 
--- a/syft/format/common/spdxhelpers/to_format_model.go +++ b/syft/format/common/spdxhelpers/to_format_model.go @@ -517,9 +517,7 @@ func toPackageOriginator(p pkg.Package) *spdx.Originator { } func toPackageSupplier(p pkg.Package) *spdx.Supplier { - // this uses the Originator function for now until - // a better distinction can be made for supplier - kind, supplier := helpers.Originator(p) + kind, supplier := helpers.Supplier(p) if kind == "" || supplier == "" { return &spdx.Supplier{ Supplier: helpers.NOASSERTION, diff --git a/syft/format/internal/spdxutil/helpers/originator_supplier.go b/syft/format/internal/spdxutil/helpers/originator_supplier.go new file mode 100644 index 00000000000..5840b6bae5d --- /dev/null +++ b/syft/format/internal/spdxutil/helpers/originator_supplier.go 
@@ -0,0 +1,210 @@ +package helpers + +import ( + "fmt" + "regexp" + "strings" + + "github.com/anchore/syft/internal" + "github.com/anchore/syft/syft/pkg" +) + +const ( + orgType = "Organization" + personType = "Person" +) + +// Originator needs to conform to the SPDX spec here: +// https://spdx.github.io/spdx-spec/v2.2.2/package-information/#76-package-originator-field +// +// Definition: +// +// If the package identified in the SPDX document originated from a different person or +// organization than identified as Package Supplier (see 7.5 above), this field identifies from +// where or whom the package originally came. In some cases, a package may be created and +// originally distributed by a different third party than the Package Supplier of the package. +// For example, the SPDX document identifies the package as glibc and the Package Supplier as +// Red Hat, but the Free Software Foundation is the Package Originator. +// +// Use NOASSERTION if: +// +// - the SPDX document creator has attempted to but cannot reach a reasonable objective determination; +// - the SPDX document creator has made no attempt to determine this field; or +// - the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so). 
+// +// Available options are: , NOASSERTION, Person: , Organization: +// return values are: , +func Originator(p pkg.Package) (typ string, author string) { // nolint: funlen + if !hasMetadata(p) { + return typ, author + } + + switch metadata := p.Metadata.(type) { + case pkg.ApkDBEntry: + author = metadata.Maintainer + + case pkg.DotnetPortableExecutableEntry: + typ = orgType + author = metadata.CompanyName + + case pkg.DpkgDBEntry: + author = metadata.Maintainer + + case pkg.JavaArchive: + if metadata.Manifest != nil { + author = metadata.Manifest.Main.MustGet("Specification-Vendor") + if author == "" { + author = metadata.Manifest.Main.MustGet("Implementation-Vendor") + } + } + + case pkg.LinuxKernelModule: + author = metadata.Author + + case pkg.PhpComposerLockEntry: + if len(metadata.Authors) > 0 { + entry := metadata.Authors[0] + author = formatPersonOrOrg(entry.Name, entry.Email) + } + + case pkg.PhpComposerInstalledEntry: + if len(metadata.Authors) > 0 { + entry := metadata.Authors[0] + author = formatPersonOrOrg(entry.Name, entry.Email) + } + + case pkg.RDescription: + // this is most likely to have a name and email + author = metadata.Maintainer + + if author == "" { + author = metadata.Author + } + + case pkg.NpmPackage: + author = metadata.Author + + case pkg.PythonPackage: + author = formatPersonOrOrg(metadata.Author, metadata.AuthorEmail) + + case pkg.RubyGemspec: + if len(metadata.Authors) > 0 { + author = metadata.Authors[0] + } + case pkg.RpmDBEntry: + typ = orgType + author = metadata.Vendor + + case pkg.RpmArchive: + typ = orgType + author = metadata.Vendor + + case pkg.WordpressPluginEntry: + // it seems that the vast majority of the time the author is an org, not a person + typ = orgType + author = metadata.Author + } + + if typ == "" && author != "" { + typ = personType + } + + return typ, parseAndFormatPersonOrOrg(author) +} + +// Supplier needs to conform to the SPDX spec here: +// 
https://spdx.github.io/spdx-spec/v2.2.2/package-information/#75-package-supplier-field +// +// Definition: +// +// Identify the actual distribution source for the package/directory identified in the SPDX document. This might +// or might not be different from the originating distribution source for the package. The name of the Package Supplier +// shall be an organization or recognized author and not a web site. For example, SourceForge is a host website, not a +// supplier, the supplier for https://sourceforge.net/projects/bridge/ is “The Linux Foundation.” +// +// Use NOASSERTION if: +// +// - the SPDX document creator has attempted to but cannot reach a reasonable objective determination; +// - the SPDX document creator has made no attempt to determine this field; or +// - the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so). +// +// Available options are: , NOASSERTION, Person: , Organization: +// return values are: , +func Supplier(p pkg.Package) (typ string, author string) { + if !hasMetadata(p) { + return + } + + if metadata, ok := p.Metadata.(pkg.AlpmDBEntry); ok { + // most indications here are that this is the person that is simply packaging the upstream software. Most + // of the time this is not the original author of the upstream software (which would be the originator). + // Though it is possible for users to be both the packager and the author, this code cannot distinct this + // case and sticks to the semantically correct interpretation of the "packager" (which says nothing about the + // authorship of the upstream software). 
+ author = metadata.Packager + } + + if author == "" { + // TODO: this uses the Originator function for now until a better distinction can be made for supplier + return Originator(p) + } + + if typ == "" && author != "" { + typ = personType + } + + return typ, parseAndFormatPersonOrOrg(author) +} + +var nameEmailURLPattern = regexp.MustCompile(`^(?P[^<>()]*)( <(?P[^@]+@\w+\.\w+)>)?( \((?P.*)\))?$`) + +func parseAndFormatPersonOrOrg(s string) string { + name, email, _ := parseNameEmailURL(s) + return formatPersonOrOrg(name, email) +} + +func parseNameEmailURL(s string) (name, email, url string) { + fields := internal.MatchNamedCaptureGroups(nameEmailURLPattern, s) + name = strings.TrimSpace(fields["name"]) + email = strings.TrimSpace(fields["email"]) + url = strings.TrimSpace(fields["url"]) + + if email == "" { + if approximatesAsEmail(url) { + email = url + url = "" + } else if approximatesAsEmail(name) { + email = name + name = "" + } + } + return name, email, url +} + +func approximatesAsEmail(s string) bool { + atIndex := strings.Index(s, "@") + if atIndex == -1 { + return false + } + dotIndex := strings.Index(s[atIndex:], ".") + return dotIndex != -1 +} + +func formatPersonOrOrg(name, email string) string { + name = strings.TrimSpace(name) + email = strings.TrimSpace(email) + + blankName := name == "" + blankEmail := email == "" + + if !blankEmail && !blankName { + return fmt.Sprintf("%s (%s)", name, email) + } + if !blankName && blankEmail { + return name + } + if blankName && !blankEmail { + return email + } + return "" +} diff --git a/syft/format/internal/spdxutil/helpers/originator_supplier_test.go b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go new file mode 100644 index 00000000000..5becc4bf0e8 --- /dev/null +++ b/syft/format/internal/spdxutil/helpers/originator_supplier_test.go 
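Review bot: The email sub-pattern in `nameEmailURLPattern` (`[^@]+@\w+\.\w+`) only admits a two-label domain made of word characters, so common maintainer strings such as `Jane Doe <jane@mail.example.com>` or `Bob <bob@my-domain.org>` fail the `<...>` group, and because the name group `[^<>()]*` cannot consume the `<`, the whole regexp fails to match; if `internal.MatchNamedCaptureGroups` returns no fields on a non-match, `parseNameEmailURL` yields a blank name and email and the originator/supplier is silently dropped even though `approximatesAsEmail` would have accepted the address. A looser group that stops at the closing bracket avoids this, e.g. `var nameEmailURLPattern = regexp.MustCompile(`^(?P<name>[^<>()]*)( <(?P<email>[^<>\s]+@[^<>\s]+)>)?( \((?P<url>.*)\))?$`)` (the capture-group names appear stripped in this rendering of the hunk, so check them against the file). Worth adding a test case with a multi-label or hyphenated domain alongside the new `Test_OriginatorSupplier` cases. A short comment on the pattern stating what each group captures and that the input is free-form, untrusted metadata copied verbatim into the SPDX document would also help the next maintainer.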
@@ -0,0 +1,482 @@ +package helpers + +import ( + "testing" + + "github.com/stretchr/testify/assert" + + "github.com/anchore/syft/syft/internal/packagemetadata" + "github.com/anchore/syft/syft/pkg" +) + +func Test_OriginatorSupplier(t *testing.T) { + completionTester := packagemetadata.NewCompletionTester(t, + pkg.BinarySignature{}, + pkg.CocoaPodfileLockEntry{}, + pkg.ConanV1LockEntry{}, + pkg.ConanV2LockEntry{}, // the field Username might be the username of either the package originator or the supplier (unclear currently) + pkg.ConanfileEntry{}, + pkg.ConaninfoEntry{}, + pkg.DartPubspecLockEntry{}, + pkg.DotnetDepsEntry{}, + pkg.ELFBinaryPackageNoteJSONPayload{}, + pkg.ElixirMixLockEntry{}, + pkg.ErlangRebarLockEntry{}, + pkg.GolangBinaryBuildinfoEntry{}, + pkg.GolangModuleEntry{}, + pkg.HackageStackYamlLockEntry{}, + pkg.HackageStackYamlEntry{}, + pkg.LinuxKernel{}, + pkg.MicrosoftKbPatch{}, + pkg.NixStoreEntry{}, + pkg.NpmPackageLockEntry{}, + pkg.PhpComposerInstalledEntry{}, + pkg.PhpPeclEntry{}, + pkg.PortageEntry{}, + pkg.PythonPipfileLockEntry{}, + pkg.PythonRequirementsEntry{}, + pkg.PythonPoetryLockEntry{}, + pkg.RustBinaryAuditEntry{}, + pkg.RustCargoLockEntry{}, + pkg.SwiftPackageManagerResolvedEntry{}, + pkg.YarnLockEntry{}, + ) + tests := []struct { + name string + input pkg.Package + originator string + supplier string + }{ + { + // note: since this is an optional field, no value is preferred over NONE or NOASSERTION + name: "no metadata", + input: pkg.Package{}, + originator: "", + supplier: "", + }, + { + // note: since this is an optional field, no value is preferred over NONE or NOASSERTION + name: "empty author on existing metadata", + input: pkg.Package{ + Metadata: pkg.NpmPackage{ + Author: "", + }, + }, + originator: "", + supplier: "", + }, + { + name: "from apk", + input: pkg.Package{ + Metadata: pkg.ApkDBEntry{ + Maintainer: "auth", + }, + }, + originator: "Person: auth", + supplier: "Person: auth", + }, + { + name: "from alpm", + input: 
pkg.Package{ + Metadata: pkg.AlpmDBEntry{ + Packager: "someone", + }, + }, + originator: "", + supplier: "Person: someone", + }, + { + name: "from dotnet -- PE binary", + input: pkg.Package{ + Metadata: pkg.DotnetPortableExecutableEntry{ + CompanyName: "Microsoft Corporation", + }, + }, + originator: "Organization: Microsoft Corporation", + supplier: "Organization: Microsoft Corporation", + }, + { + name: "from dpkg", + input: pkg.Package{ + Metadata: pkg.DpkgDBEntry{ + Maintainer: "auth", + }, + }, + originator: "Person: auth", + supplier: "Person: auth", + }, + { + name: "from gem", + input: pkg.Package{ + Metadata: pkg.RubyGemspec{ + Authors: []string{ + "auth1", + "auth2", + }, + }, + }, + originator: "Person: auth1", + supplier: "Person: auth1", + }, + { + name: "from java -- spec > impl cendor in main manifest section", + input: pkg.Package{ + Metadata: pkg.JavaArchive{ + Manifest: &pkg.JavaManifest{ + Main: pkg.KeyValues{ + { + Key: "Implementation-Vendor", + Value: "auth-impl", + }, + { + Key: "Specification-Vendor", + Value: "auth-spec", + }, + }, + }, + }, + }, + originator: "Person: auth-spec", + supplier: "Person: auth-spec", + }, + { + name: "from java -- fallback to impl vendor in main manifest section", + input: pkg.Package{ + Metadata: pkg.JavaArchive{ + Manifest: &pkg.JavaManifest{ + Main: pkg.KeyValues{ + { + Key: "Implementation-Vendor", + Value: "auth-impl", + }, + }, + }, + }, + }, + originator: "Person: auth-impl", + supplier: "Person: auth-impl", + }, + { + name: "from java -- non-main manifest sections ignored", + input: pkg.Package{ + Metadata: pkg.JavaArchive{ + Manifest: &pkg.JavaManifest{ + Sections: []pkg.KeyValues{ + { + { + Key: "Implementation-Vendor", + Value: "auth-impl", + }, + }, + }, + Main: pkg.KeyValues{}, + }, + }, + }, + // note: empty! 
+ }, + { + name: "from linux kernel module", + input: pkg.Package{ + Metadata: pkg.LinuxKernelModule{ + Author: "auth", + }, + }, + originator: "Person: auth", + supplier: "Person: auth", + }, + { + name: "from npm", + input: pkg.Package{ + Metadata: pkg.NpmPackage{ + Author: "auth", + }, + }, + originator: "Person: auth", + supplier: "Person: auth", + }, + { + name: "from npm -- name, email, and url", + input: pkg.Package{ + Metadata: pkg.NpmPackage{ + Author: "Isaac Z. Schlueter (http://blog.izs.me)", + }, + }, + originator: "Person: Isaac Z. Schlueter (i@izs.me)", + supplier: "Person: Isaac Z. Schlueter (i@izs.me)", + }, + { + name: "from npm -- name, email", + input: pkg.Package{ + Metadata: pkg.NpmPackage{ + Author: "Isaac Z. Schlueter ", + }, + }, + originator: "Person: Isaac Z. Schlueter (i@izs.me)", + supplier: "Person: Isaac Z. Schlueter (i@izs.me)", + }, + { + name: "from php composer installed file", + input: pkg.Package{ + Metadata: pkg.PhpComposerInstalledEntry{ + Authors: []pkg.PhpComposerAuthors{ + { + Name: "auth", + Email: "me@auth.com", + }, + }, + }, + }, + originator: "Person: auth (me@auth.com)", + supplier: "Person: auth (me@auth.com)", + }, + { + name: "from php composer installed file", + input: pkg.Package{ + Metadata: pkg.PhpComposerLockEntry{ + Authors: []pkg.PhpComposerAuthors{ + { + Name: "auth", + Email: "me@auth.com", + }, + }, + }, + }, + originator: "Person: auth (me@auth.com)", + supplier: "Person: auth (me@auth.com)", + }, + { + name: "from python - just name", + input: pkg.Package{ + Metadata: pkg.PythonPackage{ + Author: "auth", + }, + }, + originator: "Person: auth", + supplier: "Person: auth", + }, + { + name: "from python - just email", + input: pkg.Package{ + Metadata: pkg.PythonPackage{ + AuthorEmail: "auth@auth.gov", + }, + }, + originator: "Person: auth@auth.gov", + supplier: "Person: auth@auth.gov", + }, + { + name: "from python - both name and email", + input: pkg.Package{ + Metadata: pkg.PythonPackage{ + Author: 
"auth", + AuthorEmail: "auth@auth.gov", + }, + }, + originator: "Person: auth (auth@auth.gov)", + supplier: "Person: auth (auth@auth.gov)", + }, + { + name: "from r -- maintainer > author", + input: pkg.Package{ + Metadata: pkg.RDescription{ + Author: "author", + Maintainer: "maintainer", + }, + }, + originator: "Person: maintainer", + supplier: "Person: maintainer", + }, + { + name: "from r -- fallback to author", + input: pkg.Package{ + Metadata: pkg.RDescription{ + Author: "author", + }, + }, + originator: "Person: author", + supplier: "Person: author", + }, + { + name: "from rpm archive", + input: pkg.Package{ + Metadata: pkg.RpmArchive{ + Vendor: "auth", + }, + }, + originator: "Organization: auth", + supplier: "Organization: auth", + }, + { + name: "from rpm DB", + input: pkg.Package{ + Metadata: pkg.RpmDBEntry{ + Vendor: "auth", + }, + }, + originator: "Organization: auth", + supplier: "Organization: auth", + }, + { + name: "from wordpress plugin", + input: pkg.Package{ + Metadata: pkg.WordpressPluginEntry{ + Author: "auth", + }, + }, + originator: "Organization: auth", + supplier: "Organization: auth", + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + completionTester.Tested(t, test.input.Metadata) + + typ, value := Originator(test.input) + if typ != "" { + value = typ + ": " + value + } + assert.Equal(t, test.originator, value) + + typ, value = Supplier(test.input) + if typ != "" { + value = typ + ": " + value + } + assert.Equal(t, test.supplier, value) + }) + } +} + +func Test_parseNameEmailUrl(t *testing.T) { + tests := []struct { + name string + input string + wantName string + wantEmail string + wantUrl string + }{ + { + name: "empty", + input: "", + }, + { + name: "npm-like: name only", + input: "Isaac Z. Schlueter", + wantName: "Isaac Z. 
Schlueter", + }, + { + name: "npm-like: name and email", + input: "Ray Nos ", + wantName: "Ray Nos", + wantEmail: "bogus2@gmail.com", + }, + { + name: "npm-like: name and url", + input: "Ray Nos (http://example.com)", + wantName: "Ray Nos", + wantUrl: "http://example.com", + }, + { + name: "npm-like: name, email, and url", + input: "Isaac Z. Schlueter (http://blog.izs.me)", + wantName: "Isaac Z. Schlueter", + wantEmail: "i@izs.me", + wantUrl: "http://blog.izs.me", + }, + { + name: "mixed input: email only", + input: "i@izs.me", + wantEmail: "i@izs.me", + }, + { + name: "mixed input: email in url", + input: "my name (i@izs.me)", + wantName: "my name", + wantEmail: "i@izs.me", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + gotName, gotEmail, gotUrl := parseNameEmailURL(tt.input) + assert.Equal(t, tt.wantName, gotName) + assert.Equal(t, tt.wantEmail, gotEmail) + assert.Equal(t, tt.wantUrl, gotUrl) + }) + } +} + +func Test_formatPersonOrOrg(t *testing.T) { + + tests := []struct { + name string + input string + email string + want string + }{ + { + name: "empty", + want: "", + }, + { + name: "name only", + input: "Isaac Z. Schlueter", + want: "Isaac Z. Schlueter", + }, + { + name: "email only", + email: "i@something.com", + want: "i@something.com", + }, + { + name: "name and email", + input: "Isaac Z. Schlueter", + email: "i@something.com", + want: "Isaac Z. 
Schlueter (i@something.com)", + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.want, formatPersonOrOrg(tt.input, tt.email)) + }) + } +} + +func Test_approximatesAsEmail(t *testing.T) { + + tests := []struct { + name string + input string + want bool + }{ + { + name: "empty", + input: "", + want: false, + }, + { + name: "no at", + input: "something.com", + want: false, + }, + { + name: "no dot", + input: "something@com", + want: false, + }, + { + name: "dot before at", + input: "something.com@nothing", + want: false, + }, + { + name: "valid", + input: "something@nothing.com", + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + assert.Equal(t, tt.want, approximatesAsEmail(tt.input)) + }) + } +} diff --git a/syft/format/internal/spdxutil/helpers/originator_test.go b/syft/format/internal/spdxutil/helpers/originator_test.go deleted file mode 100644 index 50ea8296f6d..00000000000 --- a/syft/format/internal/spdxutil/helpers/originator_test.go +++ /dev/null 
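Review bot: Two cases in Test_OriginatorSupplier share the subtest name `"from php composer installed file"`, although the second one builds a `pkg.PhpComposerLockEntry`; go test disambiguates the duplicate as `#01`, which hides which fixture failed, so rename the second to `"from php composer lock file"`. The name `"from java -- spec > impl cendor in main manifest section"` has a typo (`vendor`). In Test_parseNameEmailUrl the `wantUrl` field and the test name spell the initialism `Url` while the function under test and the rest of the file use `URL`; `wantURL` and `Test_parseNameEmailURL` would keep the naming consistent.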
@@ -1,119 +0,0 @@ -package helpers - -import ( - "testing" - - "github.com/stretchr/testify/assert" - - "github.com/anchore/syft/syft/pkg" -) - -func Test_Originator(t *testing.T) { - tests := []struct { - name string - input pkg.Package - expected string - }{ - { - // note: since this is an optional field, no value is preferred over NONE or NOASSERTION - name: "no metadata", - input: pkg.Package{}, - expected: "", - }, - { - name: "from gem", - input: pkg.Package{ - Metadata: pkg.RubyGemspec{ - Authors: []string{ - "auth1", - "auth2", - }, - }, - }, - expected: "Person: auth1", - }, - { - name: "from npm", - input: pkg.Package{ - Metadata: pkg.NpmPackage{ - Author: "auth", - }, - }, - expected: "Person: auth", - }, - { - name: "from apk", - input: pkg.Package{ - Metadata: pkg.ApkDBEntry{ - Maintainer: "auth", - }, - }, - expected: "Person: auth", - }, - { - name: "from python - just name", - input: pkg.Package{ - Metadata: pkg.PythonPackage{ - Author: "auth", - }, - }, - expected: "Person: auth", - }, - { - name: "from python - just email", - input: pkg.Package{ - Metadata: pkg.PythonPackage{ - AuthorEmail: "auth@auth.gov", - }, - }, - expected: "Person: auth@auth.gov", - }, - { - name: "from python - both name and email", - input: pkg.Package{ - Metadata: pkg.PythonPackage{ - Author: "auth", - AuthorEmail: "auth@auth.gov", - }, - }, - expected: "Person: auth (auth@auth.gov)", - }, - { - name: "from rpm", - input: pkg.Package{ - Metadata: pkg.RpmDBEntry{ - Vendor: "auth", - }, - }, - expected: "Organization: auth", - }, - { - name: "from dpkg", - input: pkg.Package{ - Metadata: pkg.DpkgDBEntry{ - Maintainer: "auth", - }, - }, - expected: "Person: auth", - }, - { - // note: since this is an optional field, no value is preferred over NONE or NOASSERTION - name: "empty", - input: pkg.Package{ - Metadata: pkg.NpmPackage{ - Author: "", - }, - }, - expected: "", - }, - } - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - typ, value := 
Originator(test.input) - if typ != "" { - value = typ + ": " + value - } - assert.Equal(t, test.expected, value) - }) - } -} diff --git a/syft/format/internal/spdxutil/helpers/origintor.go b/syft/format/internal/spdxutil/helpers/origintor.go deleted file mode 100644 index e1ac4c6a941..00000000000 --- a/syft/format/internal/spdxutil/helpers/origintor.go +++ /dev/null @@ -1,44 +0,0 @@ -package helpers - -import ( - "fmt" - - "github.com/anchore/syft/syft/pkg" -) - -// Originator needs to conform to the SPDX spec here: -// https://spdx.github.io/spdx-spec/package-information/#76-package-originator-field -// Available options are: , NOASSERTION, Person: , Organization: -// return values are: , -func Originator(p pkg.Package) (string, string) { - typ := "" - author := "" - if hasMetadata(p) { - switch metadata := p.Metadata.(type) { - case pkg.ApkDBEntry: - author = metadata.Maintainer - case pkg.NpmPackage: - author = metadata.Author - case pkg.PythonPackage: - author = metadata.Author - if author == "" { - author = metadata.AuthorEmail - } else if metadata.AuthorEmail != "" { - author = fmt.Sprintf("%s (%s)", author, metadata.AuthorEmail) - } - case pkg.RubyGemspec: - if len(metadata.Authors) > 0 { - author = metadata.Authors[0] - } - case pkg.RpmDBEntry: - typ = "Organization" - author = metadata.Vendor - case pkg.DpkgDBEntry: - author = metadata.Maintainer - } - if typ == "" && author != "" { - typ = "Person" - } - } - return typ, author -} diff --git a/syft/pkg/r.go b/syft/pkg/r.go index e9c65c1f2b8..c10c11d0e16 100644 --- a/syft/pkg/r.go +++ b/syft/pkg/r.go 
@@ -3,9 +3,11 @@ package pkg type RDescription struct { /* Fields chosen by: - docker run --rm -it rocker/r-ver bash - $ install2.r ggplot2 # has a lot of dependencies - $ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr + docker run --rm -it rocker/r-ver bash + $ install2.r ggplot2 # has a lot of dependencies + $ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr + + For more information on the DESCRIPTION file see https://r-pkgs.org/description.html */ Title string `json:"title,omitempty"` Description string `json:"description,omitempty"` From 02dc2dfa9bc651c06bb3933b83a9b57eb88edc7f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Apr 2024 16:27:14 +0000 Subject: [PATCH 4/8] chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 (#2817) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.2 to 3.25.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8f596b4ae3cb3c588a5c46780b86dd53fef16c52...d39d31e687223d841ef683f52467bd88e9b21c14) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Christopher Phillips --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 02a85c0e4b3..5bc21a566f4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -45,7 +45,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2 + uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2 + uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -70,4 +70,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2 + uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3 From 25b55e1704c9afaf0969c1a2d4bbe74251b979d1 Mon Sep 17 00:00:00 2001 From: guangwu Date: Wed, 1 May 2024 00:47:17 +0800 Subject: [PATCH 5/8] fix: close temp rpmdb file (#2792) * fix: close temp rpmdb file and db Signed-off-by: guoguangwu * chore: fix linter Signed-off-by: Christopher Phillips --------- Signed-off-by: guoguangwu Signed-off-by: Christopher Phillips Co-authored-by: Christopher Phillips --- syft/pkg/cataloger/redhat/parse_rpm_db.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/syft/pkg/cataloger/redhat/parse_rpm_db.go b/syft/pkg/cataloger/redhat/parse_rpm_db.go index f4634726bb6..cf9742a8144 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_db.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_db.go 
@@ -17,6 +17,7 @@ import (
 )
 // parseRpmDb parses an "Packages" RPM DB and returns the Packages listed within it.
+// nolint:funlen
 func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
 f, err := os.CreateTemp("", "rpmdb")
 if err != nil {
@@ -24,6 +25,10 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm
 }
 defer func() {
+ err = f.Close()
+ if err != nil {
+ log.Errorf("failed to close temp rpmdb file: %+v", err)
+ }
 err = os.Remove(f.Name())
 if err != nil {
 log.Errorf("failed to remove temp rpmdb file: %+v", err)
@@ -39,6 +44,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm
 if err != nil {
 return nil, nil, err
 }
+ defer db.Close()
 pkgList, err := db.ListPackages()
 if err != nil {
From 047e31a969913b81b4fea6c6421c6473277b31d0 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 30 Apr 2024 13:24:01 -0400 Subject: [PATCH 6/8] fix: add correct vendor for dnsmasq CPE (#2659) Signed-off-by: Keith Zantow --- .../internal/cpegenerate/candidate_by_package_type.go | 11 +++++++++++ 1 file changed, 11 insertions(+)
diff --git a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
index c7cb26b191b..5fca14c5199 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/candidate_by_package_type.go
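Review bot: `defer db.Close()` in the third hunk discards the close error, while the deferred block added in the second hunk logs the equivalent failure for the temp file; for consistent handling use `defer func() { if cerr := db.Close(); cerr != nil { log.Errorf("failed to close rpmdb: %+v", cerr) } }()`. In that second hunk `err = f.Close()` assigns into the function's outer `err` from inside the deferred closure; the results are unnamed so nothing is returned incorrectly, but a closure-local `if cerr := f.Close(); cerr != nil {` avoids clobbering a variable that a later refactor to named results would silently repurpose. The `// nolint:funlen` directive in the first hunk has a space after `//`; golangci-lint's machine-readable form is `//nolint:funlen`, and the spaced form may be treated as an ordinary comment (and flagged by nolintlint). parseRpmDB's body continues outside these hunks.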
@@ -344,6 +344,17 @@ var defaultCandidateAdditions = buildCandidateLookup(
 candidateKey{PkgName: "wpa_supplicant"},
 candidateAddition{AdditionalVendors: []string{"w1.fi"}},
 },
+ {
+ pkg.ApkPkg,
+ candidateKey{PkgName: "dnsmasq", Vendor: "dnsmasq"},
+ candidateAddition{AdditionalVendors: []string{"thekelleys"}},
+ },
+ // Debian packages
+ {
+ pkg.DebPkg,
+ candidateKey{PkgName: "dnsmasq", Vendor: "dnsmasq"},
+ candidateAddition{AdditionalVendors: []string{"thekelleys"}},
+ },
 //
 // Binary packages
 {
From b0c88ddea930deac990efeca6e0c7bbaa63908ea Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 30 Apr 2024 13:28:42 -0400 Subject: [PATCH 7/8] fix(spdx): include required fields (#2168) * fix(spdx): include required fields Signed-off-by: Keith Zantow * chore: missed update due to refactoring Signed-off-by: Keith Zantow * chore: update tools-golang Signed-off-by: Keith Zantow * chore: add test with packageVerificationCode included and excluded Signed-off-by: Keith Zantow --------- Signed-off-by: Keith Zantow --- .../common/spdxhelpers/to_format_model.go | 5 + syft/format/spdxjson/encoder_test.go | 70 ++++++++++++ .../TestSPDX22JSONRequredProperties.golden | 100 ++++++++++++++++++ .../TestSPDXJSONDirectoryEncoder.golden | 2 + .../snapshot/TestSPDXJSONImageEncoder.golden | 2 + .../snapshot/TestSPDXRelationshipOrder.golden | 20 ++++ .../snapshot/TestSPDXJSONSPDXIDs.golden | 2 + .../snapshot/TestSPDXRelationshipOrder.golden | 8 ++ .../TestSPDXTagValueDirectoryEncoder.golden | 2 + .../TestSPDXTagValueImageEncoder.golden | 2 + 10 files changed, 213 insertions(+) create mode 100644 syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
index 56b71322c61..5edc8e12f37 100644
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
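Review bot: The new dnsmasq entries cover only `pkg.ApkPkg` and `pkg.DebPkg`; dnsmasq is also packaged for RPM-based distributions, so unless the rpm cataloger already derives a different vendor, CPE candidates there would still lack the `thekelleys` vendor and a parallel `pkg.RpmPkg` entry with the same candidateKey seems warranted — confirm against the rpm additions earlier in this table. The diffstat shows a single file changed, so no test pins the new vendor; a dnsmasq case in the candidate-lookup tests would catch a regression in either the key or the added vendor. The `// Debian packages` heading is introduced for the Deb entry only; either give the Apk entry a matching heading or place one `// dnsmasq` comment above both so the grouping reads evenly. defaultCandidateAdditions is a table literal that starts before and ends after this hunk.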
@@ -245,6 +245,8 @@ func toRootPackage(s source.Description) *spdx.Package {
 Supplier: helpers.NOASSERTION,
 },
 PackageDownloadLocation: helpers.NOASSERTION,
+ PackageLicenseConcluded: helpers.NOASSERTION,
+ PackageLicenseDeclared: helpers.NOASSERTION,
 }
 if purl != nil {
@@ -622,6 +624,9 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 Checksums: toFileChecksums(digests),
 FileName: coordinates.RealPath,
 FileTypes: toFileTypes(metadata),
+ LicenseInfoInFiles: []string{ // required in SPDX 2.2
+ helpers.NOASSERTION,
+ },
 })
 }
diff --git a/syft/format/spdxjson/encoder_test.go b/syft/format/spdxjson/encoder_test.go
index 8fdee1b8ceb..83999b53f85 100644
--- a/syft/format/spdxjson/encoder_test.go
+++ b/syft/format/spdxjson/encoder_test.go
@@ -3,6 +3,8 @@ package spdxjson
 import (
 "bytes"
 "flag"
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/file"
 "strings"
 "testing"
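Review bot: toRootPackage now defaults PackageLicenseConcluded and PackageLicenseDeclared to NOASSERTION, but the root package's copyright text is still left unset — the TestSPDX22JSONRequredProperties golden added later in this series shows `"copyrightText": ""` for `SPDXRef-DocumentRoot-Unknown-` while the regular packages carry `"NOASSERTION"`. If I read the SPDX 2.2 package section correctly, PackageCopyrightText is mandatory there just like the two license fields, so a consumer validating against 2.2 would still reject the root package; adding `PackageCopyrightText: helpers.NOASSERTION,` next to the two new lines closes that gap unless the empty string is intentional. toRootPackage's body continues outside the hunk.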
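Review bot: In the encoder_test.go hunk the two new imports are inserted into the standard-library group between `"flag"` and `"strings"`; goimports grouping places `github.com/anchore/syft/syft/artifact` and `github.com/anchore/syft/syft/file` in the separate non-stdlib group, where the file's other `github.com/anchore/...` imports presumably already sit (the rest of the import block is outside the hunk). Moving them keeps the file `goimports`-clean and avoids a formatting lint failure on this commit.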
@@ -113,6 +115,74 @@ func TestSPDXJSONImageEncoder(t *testing.T) {
 )
 }
+func TestSPDX22JSONRequredProperties(t *testing.T) {
+ cfg := DefaultEncoderConfig()
+ cfg.Pretty = true
+ cfg.Version = "2.2"
+
+ enc, err := NewFormatEncoderWithConfig(cfg)
+ require.NoError(t, err)
+
+ coords := file.Coordinates{
+ RealPath: "/some/file",
+ FileSystemID: "ac897d978b6c38749a1",
+ }
+
+ p1 := pkg.Package{
+ Name: "files-analyzed-true",
+ Version: "v1",
+ Locations: file.NewLocationSet(file.NewLocation(coords.RealPath)),
+ Licenses: pkg.LicenseSet{},
+ Language: pkg.Java,
+ Metadata: pkg.JavaArchive{
+ ArchiveDigests: []file.Digest{
+ {
+ Algorithm: "sha256",
+ Value: "a9b87321a9879c79d87987987a97c97b9789ce978dffea987",
+ },
+ },
+ Parent: nil,
+ },
+ }
+ p1.SetID()
+
+ p2 := pkg.Package{
+ Name: "files-analyzed-false",
+ Version: "v2",
+ }
+ p2.SetID()
+
+ testutil.AssertEncoderAgainstGoldenSnapshot(t,
+ testutil.EncoderSnapshotTestConfig{
+ Subject: sbom.SBOM{
+ Artifacts: sbom.Artifacts{
+ Packages: pkg.NewCollection(p1, p2),
+ FileDigests: map[file.Coordinates][]file.Digest{
+ coords: {
+ {
+ Algorithm: "sha1",
+ Value: "3b4ab96c371d913e2a88c269844b6c5fb5cbe761",
+ },
+ },
+ },
+ },
+ Relationships: []artifact.Relationship{
+ {
+ From: p1,
+ To: coords,
+ Type: artifact.ContainsRelationship,
+ },
+ },
+ },
+ Format: enc,
+ UpdateSnapshot: *updateSnapshot,
+ PersistRedactionsInSnapshot: true,
+ IsJSON: true,
+ Redactor: redactor(),
+ },
+ )
+}
+
 func TestSPDXRelationshipOrder(t *testing.T) {
 testImage := "image-simple"
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden
new file mode 100644
index 00000000000..118247b1dc0
--- /dev/null
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden
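Review bot: The test name TestSPDX22JSONRequredProperties misspells "Required"; the snapshot fixture added by this commit carries the same spelling (TestSPDX22JSONRequredProperties.golden), and since the golden name appears to follow the test name, fixing the typo means renaming the fixture or regenerating it with the update flag. The constructed sha256 value `a9b87321a9879c79d87987987a97c97b9789ce978dffea987` is 49 hex characters rather than 64, so the emitted document would fail any consumer that validates checksum length against the declared algorithm; a full-length constructed digest keeps the fixture representative of real output. The function is complete within the hunk.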
@@ -0,0 +1,100 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "unknown", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: -" + ], + "created":"redacted" + }, + "packages": [ + { + "SPDXID": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "files-analyzed-false", + "sourceInfo": "acquired package info from the following paths: ", + "supplier": "NOASSERTION", + "versionInfo": "v2" + }, + { + "name": "files-analyzed-true", + "SPDXID": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "versionInfo": "v1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": true, + "packageVerificationCode": { + "packageVerificationCodeValue": "6fe0c471faaaa544e33cae0918eabcdc1c798d18" + }, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "a9b87321a9879c79d87987987a97c97b9789ce978dffea987" + } + ], + "sourceInfo": "acquired package info from the following paths: /some/file", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION" + }, + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "copyrightText": "", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "", + "supplier": "NOASSERTION" + } + ], + "files": [ + { + "fileName": "/some/file", + "SPDXID": "SPDXRef-File-some-file-2c5bc344430decac", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3b4ab96c371d913e2a88c269844b6c5fb5cbe761" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "", + "comment": "layerID: 
ac897d978b6c38749a1" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "relatedSpdxElement": "SPDXRef-File-some-file-2c5bc344430decac", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index a1efd833a16..dad2c03d5d5 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -67,6 +67,8 @@ "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE" } ], diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 687265f611b..f305951e8e3 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -74,6 +74,8 @@ "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" } ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", 
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 906cd78f004..129804196b4 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -74,6 +74,8 @@ "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" } ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -98,6 +100,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, { @@ -113,6 +118,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, { @@ -128,6 +136,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, { @@ -143,6 +154,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, { @@ -158,6 +172,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, { @@ -173,6 +190,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" } ], diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index d33939beeac..dd946aa235b 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden 
@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION PackageDownloadLocation: NOASSERTION PrimaryPackagePurpose: FILE FilesAnalyzed: false +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION ##### Package: @at-sign diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index af5f725b4de..dcd45e96a90 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -15,36 +15,42 @@ SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /d1/f3 SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /d2/f4 SPDXID: SPDXRef-File-d2-f4-c641caa71518099f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /f1 SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /f2 SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /z1/f5 SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION ##### Package: user-image-input 
@@ -56,6 +62,8 @@ PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=
 ##### Package: package-2
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
index f422d3952e9..727f222917c 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 ##### Package: package-2
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
index 642bb365853..edaac4c9abf 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -18,6 +18,8 @@ PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=
 ##### Package: package-2
From 93a99e36c2644b0b064bbf9e761fdba5e71c49ee Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 1 May 2024 11:03:31 -0400
Subject: [PATCH 8/8] chore(deps): bump github.com/docker/docker (#2827)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.0+incompatible to 26.1.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v26.1.0...v26.1.1)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 6775fa10d87..606ca115ca5 100644
--- a/go.mod
+++ b/go.mod
@@ -29,7 +29,7 @@ require (
 github.com/dave/jennifer v1.7.0
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
 github.com/distribution/reference v0.6.0
- github.com/docker/docker v26.1.0+incompatible
+ github.com/docker/docker v26.1.1+incompatible
 github.com/dustin/go-humanize v1.0.1
 github.com/elliotchance/phpserialize v1.4.0
 github.com/facebookincubator/nvdtools v0.1.5
diff --git a/go.sum b/go.sum
index 426b458be4f..ca4ce00ecab 100644
--- a/go.sum
+++ b/go.sum
@@ -223,8 +223,8 @@ github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qe
 github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.0+incompatible h1:W1G9MPNbskA6VZWL7b3ZljTh0pXI68FpINx0GKaOdaM=
-github.com/docker/docker v26.1.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.1+incompatible h1:oI+4kkAgIwwb54b9OC7Xc3hSgu1RlJA/Lln/DF72djQ=
+github.com/docker/docker v26.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=