dependabot[bot]
8a870995a1
chore(deps): bump the go-minor-patch group across 2 directories with 11 updates
Bumps the go-minor-patch group with 11 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.4.0` | `3.5.0` |
| [github.com/diskfs/go-diskfs](https://github.com/diskfs/go-diskfs) | `1.7.0` | `1.9.2` |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) | `2.4.0` | `2.6.0` |
| [github.com/gookit/color](https://github.com/gookit/color) | `1.6.0` | `1.6.1` |
| [github.com/invopop/jsonschema](https://github.com/invopop/jsonschema) | `0.13.0` | `0.14.0` |
| [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) | `6.7.8` | `6.7.10` |
| [github.com/klauspost/compress](https://github.com/klauspost/compress) | `1.18.5` | `1.18.6` |
| [golang.org/x/mod](https://github.com/golang/mod) | `0.35.0` | `0.36.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.53.0` | `0.54.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.44.0` | `0.45.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.46.2` | `1.50.1` |
Bumps the go-minor-patch group with 1 update in the /.make directory: [golang.org/x/mod](https://github.com/golang/mod).
Updates `github.com/Masterminds/semver/v3` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/Masterminds/semver/releases)
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Masterminds/semver/compare/v3.4.0...v3.5.0)
Updates `github.com/diskfs/go-diskfs` from 1.7.0 to 1.9.2
- [Commits](https://github.com/diskfs/go-diskfs/compare/v1.7.0...v1.9.2)
Updates `github.com/github/go-spdx/v2` from 2.4.0 to 2.6.0
- [Release notes](https://github.com/github/go-spdx/releases)
- [Commits](https://github.com/github/go-spdx/compare/v2.4.0...v2.6.0)
Updates `github.com/gookit/color` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.6.0...v1.6.1)
Updates `github.com/invopop/jsonschema` from 0.13.0 to 0.14.0
- [Release notes](https://github.com/invopop/jsonschema/releases)
- [Commits](https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0)
Updates `github.com/jedib0t/go-pretty/v6` from 6.7.8 to 6.7.10
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.8...v6.7.10)
Updates `github.com/klauspost/compress` from 1.18.5 to 1.18.6
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](https://github.com/klauspost/compress/compare/v1.18.5...v1.18.6)
Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](https://github.com/golang/mod/compare/v0.35.0...v0.36.0)
Updates `golang.org/x/net` from 0.53.0 to 0.54.0
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.54.0)
Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.44.0...v0.45.0)
Updates `modernc.org/sqlite` from 1.46.2 to 1.50.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.46.2...v1.50.1)
Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](https://github.com/golang/mod/compare/v0.35.0...v0.36.0)
---
updated-dependencies:
- dependency-name: github.com/Masterminds/semver/v3
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/diskfs/go-diskfs
  dependency-version: 1.9.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/github/go-spdx/v2
  dependency-version: 2.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/gookit/color
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/invopop/jsonschema
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.7.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.18.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/mod
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
  dependency-version: 0.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.50.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/mod
  dependency-version: 0.36.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
2026-05-19 16:15:14 +00:00
dependabot[bot]
b1287d45d8
chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#4930)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 16:11:18 +00:00
Alex Goodman
d97216ff70
Remediate audit (#4929)
* remove slack notification on release
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restrict cache usage
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 15:01:37 -04:00
dependabot[bot]
c09a009bda
chore(deps): bump the actions-minor-patch group across 1 directory with 4 updates (#4927)
Bumps the actions-minor-patch group with 4 updates in the / directory: [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) and [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows).
Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.5.0 to 0.6.0
- [Commits](e8cee3a591...15122524ce)
Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)
Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)
Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)
---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 16:13:54 +00:00
Alex Goodman
d61af0abab
Port to go-make (#4923)
* port to go-make
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refresh fixtures on running unit tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address refresh cache issues with old now-gitignored files
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 11:59:55 -04:00
anchore-oss-update-bot
89cda82263
chore(deps): update CPE dictionary index (#4925)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-18 10:21:30 -04:00
dependabot[bot]
ee6ace36d1
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4920)
Bumps the actions-minor-patch group with 2 updates in the / directory: [runs-on/action](https://github.com/runs-on/action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).
Updates `runs-on/action` from 2.1.0 to 2.1.2
- [Release notes](https://github.com/runs-on/action/releases)
- [Commits](742bf56072...d141ef83eb)
Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](cad07c2e89...6f9f177880)
---
updated-dependencies:
- dependency-name: runs-on/action
  dependency-version: 2.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 13:34:58 +00:00
witchcraze
e2e5e223ab
feat: mysqld, ndbd, ndbmtd and ndb_mgmd classifier (#4907)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-14 11:29:42 -04:00
William Bates
4579d11abc
fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst) (#4740)
* fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst)
The linux-kernel-cataloger only matched plain *.ko files, missing
compressed modules produced when CONFIG_MODULE_COMPRESS is enabled
(common on Debian 13 / Ubuntu 24.04+). This resulted in near-zero
module packages being reported for such filesystems.
Changes:
- Add *.ko.gz, *.ko.xz, *.ko.zst glob patterns to both the cataloger
and capabilities.yaml so the file resolver picks up compressed modules
- Add decompressedModuleReader() which detects the extension and
transparently decompresses via compress/gzip, ulikunitz/xz, or
klauspost/compress/zstd before handing the ELF bytes to the existing
parseLinuxKernelModuleMetadata parser
- Promote github.com/klauspost/compress from indirect to direct dependency
- Add unit tests covering all three compression formats plus the
uncompressed baseline, using a programmatically generated minimal ELF
Fixes #4721
Signed-off-by: Will Bates <william.bates11@outlook.com>
* address reading archives into memory
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Bates <william.bates11@outlook.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Bates <william.bates11@outlook.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-13 13:44:18 -04:00
anchore-oss-update-bot
07ae2ca08d
chore(deps): update CPE dictionary index (#4909)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-13 10:03:11 -04:00
Calum Leslie
36969bdeff
fix: Allow duplicates in Yarn "Berry" files (#4691) (#4838)
* fix: Allow duplicates in Yarn "Berry" files (#4691)
Yarn lockfiles can have multiple versions resolved for the same package
name. We correctly allow this in Yarn v1 lockfiles but the "Berry"
YAML-format lockfiles were doing deduplication by package name. This
change removes that deduplication.
Signed-off-by: Calum Leslie <cleslie@atlassian.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Calum Leslie <cleslie@atlassian.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Calum Leslie <cleslie@atlassian.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 21:10:17 +00:00
Alex Goodman
dfb6011083
pin and update fixture versions (#4913)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:30:35 -04:00
Alex Goodman
997a486e22
use released shared workflow (#4914)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:21:41 -04:00
dependabot[bot]
4f64fbc004
chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#4911)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.18.0 to 5.19.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.0
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 16:25:44 +00:00
Alex Goodman
87d6a288d7
Tighten workflow permissions and update release shape (#4899)
* Rework release workflow to canonical shape
Replace the custom quality-gate job with the reusable check-version-available
and check-gate workflows from anchore/workflows. Remove the phase
workflow_dispatch input; the install-script-only path is now a standalone
workflow (release-install-script.yaml) that can be triggered independently.
- add version-available and check-gate jobs using pinned anchore/workflows SHA
- remove phase input and quality-gate job
- release job now needs [check-gate, version-available]
- release-install-script job no longer conditionally skips based on phase
- add release-install-script.yaml for standalone install script runs
- set permissions: {} at workflow level (contents pushed to release job)
- add concurrency: group: release
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Tighten workflow-level permissions to {}
Change top-level permissions from contents: read to {} in validations.yaml
and validate-github-actions.yaml, pushing the needed contents: read down
to each job that performs a checkout.
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep install script phase, remove workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove schema detection workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-08 17:16:31 -04:00
dependabot[bot]
20987d30d0
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4897)
Bumps the actions-minor-patch group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action).
Updates `github/codeql-action` from 4.35.2 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](95e58e9a2c...e46ed2cbd0)
Updates `slackapi/slack-github-action` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](03ea5433c1...45a88b9581)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-08 13:38:31 +00:00
witchcraze
e2007d9bf2
feat: add aws-lc classifier (#4882)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-06 16:43:34 -04:00
ChrisJr404
4f0e32ab51
binary classifier: detect elixir release-candidate versions (#4851)
The elixir-binary and elixir-library classifiers' regexes only matched
the bare semver triplet (and a single sub-segment for the library), so
release-candidate elixir images were either missed entirely or had
their version truncated:
$ syft -q elixir:1.12.0-rc | grep elixir # nothing
$ syft -q elixir:1.13.0-rc.0 | grep elixir
elixir 1.13.0 binary # truncated, "-rc.0" lost
Extend the version capture group to optionally include
"-<a-z0-9>+(\\.<digits>)?" so "1.12.0-rc.1", "1.13.0-rc.0", etc. match
exactly as the elixir.app and the binary's ELIXIR_VERSION line have
them.
Add a logical fixture under testdata/classifiers/snippets/elixir/
1.12.0-rc.1/linux-amd64 (cloned from the existing 1.19.1 fixture with
just the version strings changed) and register it in
Test_Cataloger_PositiveCases.
Closes #4819
Signed-off-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
Co-authored-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
2026-05-06 15:14:09 +00:00
witchcraze
605391114c
add ingress-nginx classifier (#4857)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-06 14:54:20 +00:00
ChrisJr404
1caf243d29
fix(source): treat exclude paths with trailing slash as directories (#4892)
A trailing slash on --exclude (e.g. './lib/') is dropped during pattern
normalization but doublestar.Match still requires an exact string match,
so the resulting pattern silently matches nothing and the directory is
not excluded. Strip a trailing slash so './lib/' and './lib' behave the
same.
Fixes #4839
Signed-off-by: ChrisJr404 <chris@hacknow.com>
2026-05-06 14:51:41 +00:00
PGray
48e91312e8
fix(dotnet): align runtime CPEs with NVD (#4743)
Signed-off-by: PGray <PGrayCS@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: PGray <PGrayCS@users.noreply.github.com>
2026-05-06 13:07:49 +00:00
bahtyar
d81df67493
fix(debian): only parse machine-readable copyright files with Format header (#4754)
* fix(debian): only parse machine-readable copyright files with Format header
Only parse debian/copyright files as machine-readable DEP-5 format when
they contain the mandatory Format header field pointing to the copyright
specification URI. Files without this header are free-form text and
should not have License: regex patterns applied to them, which previously
produced nonsensical results like "#", "Permission", "This", "see" for
non-machine-readable files.
The fallback license classifier in the debian cataloger will handle
non-machine-readable files by doing full-text license identification.
Closes #4708
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* decompose parseLicensesFromCopyright to address linting issues
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Bahtya <bahtayr@gmail.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-06 13:02:27 +00:00
dependabot[bot]
47cda2b5ef
chore(deps): bump the actions-minor-patch group across 2 directories with 5 updates (#4846)
Bumps the actions-minor-patch group with 4 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action), [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment), [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache).
Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...95e58e9a2c)
Updates `marocchino/sticky-pull-request-comment` from 3.0.3 to 3.0.4
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](d4d6b09364...0ea0beb66e)
Updates `slackapi/slack-github-action` from 3.0.1 to 3.0.2
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](af78098f53...03ea5433c1)
Updates `zizmorcore/zizmor-action` from 0.5.2 to 0.5.3
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](71321a20a9...b1d7e1fb5d)
Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 3.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-05 11:42:04 -04:00
Rayan Salhab
ae711963d1
fix: parse arbitrary equality python requirements (#4835)
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-05-05 13:49:03 +00:00
Alex Goodman
f878197150
chore: remove common workflows (#4881)
Removes deprecated common workflows now centralized elsewhere.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-04 14:31:07 -04:00
witchcraze
514efb03e0
fix: prevent redis classifier from detecting valkey (#4619)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-04 14:07:29 -04:00
anchore-oss-update-bot
1e4f424f09
chore(deps): update CPE dictionary index (#4831)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-04 10:14:08 -04:00
ChrisJr404
b5f0877967
fix: map "nuget" purl type to DotnetPkg in TypeByName (#4848)
Signed-off-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
2026-05-04 08:51:19 -04:00
Rayan Salhab
8cb78ce40c
fix: resolve yarn lock aliases to source package (#4836)
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
v1.44.0
2026-04-29 09:50:09 -04:00
witchcraze
3b046b3787
chore: move snippet files from test-fixtures to testdata (#4830)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-27 11:09:21 -04:00
Ludovic Henry
05cc8ee5f4
Add support for linux-riscv64 (#4757)
2026-04-27 10:21:41 +00:00
Akihiko Komada
3562dab445
fix(lua-rockspec): handle empty and whitespace-only rockspec files gracefully (#4827)
Empty or whitespace-only .rockspec files cause parseRockspecBlock to
panic with "index out of range" because the existing end-of-data guard
requires len(out) > 0 before returning the "unexpected end of block"
error, letting the bare data[*i] access on the next line crash.
Split the guard so that:
- partial content at end of data still returns the existing error
- empty data (or whitespace-only) returns an empty block cleanly
Closes #4824.
Signed-off-by: Akihiko Komada <aki1770@gmail.com>
2026-04-24 12:44:25 -04:00
Sebastiaan van Stijn
014a4c9c59
chore: tidy go.mod (#4823)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-23 18:07:11 -04:00
Rez Moss
3cb838eacf
fixed pe dotnet wrong ver, fixed #4813 (#4814)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-22 20:55:56 -04:00
Sai Asish Y
758324b3e8
fix: propagate non-EOF errors out of safeCopy (#4807)
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
2026-04-22 12:06:03 -04:00
anchore-oss-update-bot
390cf6cce0
chore(deps): update anchore dependencies (#4797)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
v1.43.0
2026-04-22 15:09:10 +00:00
Will Murphy
4393654d03
Chore fix sync bump (#4809)
* chore(deps): update anchore dependencies
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore: update test to account for sync wrapping panic
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 08:48:30 -04:00
Weston Steimel
d179724f42
fix: improve redhat-release parsing fallback for RHEL clones (#4808)
Ensures the correct distro id for AlmaLinux and Rocky Linux when falling
back to parsing distro information from the redhat-release file. Also
sets the idlike to `rhel` for these instances as that is necessary to
ensure correct vulnerability data matching.
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
2026-04-22 08:48:08 -04:00
Alex Goodman
2ddaaac706
restore go minimum version to 1.25.8 (#4805)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 15:20:14 -04:00
Alex Goodman
073b4c5d55
chore(deps): restore Go version to 1.25.8 (#4804)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 19:02:26 +00:00
witchcraze
ff6c34de7e
fix: improve haskell classifiers (#4793)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-20 12:23:35 -04:00
dependabot[bot]
66ba575ae2
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4790)
Bumps the actions-minor-patch group with 2 updates in the / directory: [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) and [actions/upload-artifact](https://github.com/actions/upload-artifact).
Updates `marocchino/sticky-pull-request-comment` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](70d2764d1a...d4d6b09364)
Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)
---
updated-dependencies:
- dependency-name: marocchino/sticky-pull-request-comment
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 10:13:26 -04:00
dependabot[bot]
ed306c2a6d
chore(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.18.0 (#4792)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.17.0...v5.18.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.18.0
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 10:09:31 -04:00
anchore-oss-update-bot
33bc4b8397
chore(deps): update Go version (#4798)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-20 10:03:15 -04:00
Alex Goodman
89e4e609d5
fix: update jruby download URLs from S3 to GitHub Releases (#4799)
The JRuby project migrated their downloads from S3 to GitHub Releases,
causing the old S3 URLs to return HTTP 403 Forbidden and breaking test
fixture image builds.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-20 13:12:09 +00:00
David Dashti
076fb211cc
fix(cyclonedx): conditionally exclude group from package name (#4791)
Signed-off-by: David Dashti <david.dashti@hermesmedical.com>
2026-04-17 20:21:21 -04:00
witchcraze
26175d74f8
fix: consul classifier (#4741)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-17 10:38:24 -04:00
anchore-actions-token-generator[bot]
9b58efed0c
chore(deps): update tools to latest versions (#4701)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-04-16 15:39:39 -04:00
Yoav Alon
30fe53e629
fix(javascript): accept scalar people fields in package.json (#4779)
Signed-off-by: Yoav Alon <yoav@orca.security>
2026-04-15 14:21:49 -04:00
witchcraze
952469f0f0
update vault classifier (#4742)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-15 14:41:37 +00:00