dependabot[bot]
d71b747cd1
chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 ( #4684 )
...
Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action ) from 2.1.1 to 3.0.1.
- [Release notes](https://github.com/slackapi/slack-github-action/releases )
- [Commits](91efab103c...af78098f53
2026-03-26 11:12:33 -04:00
dependabot[bot]
58a8a95e26
chore(deps): bump marocchino/sticky-pull-request-comment ( #4685 )
...
Bumps [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment ) from 2.9.4 to 3.0.2.
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases )
- [Commits](773744901b...70d2764d1a
2026-03-25 19:27:59 -04:00
dependabot[bot]
78a21b9c88
chore(deps): bump the go-minor-patch group with 2 updates ( #4697 )
...
Bumps the go-minor-patch group with 2 updates: [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ).
Updates `github.com/gkampitakis/go-snaps` from 0.5.20 to 0.5.21
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.20...v0.5.21 )
Updates `modernc.org/sqlite` from 1.46.1 to 1.46.2
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.46.1...v1.46.2 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-version: 0.5.21
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.46.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-25 19:27:50 -04:00
dependabot[bot]
7d3882a425
chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 ( #4699 )
...
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token ) from 2.2.1 to 3.0.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases )
- [Commits](29824e69f5...f8d387b68d
2026-03-25 19:27:31 -04:00
anchore-actions-token-generator[bot]
673c85754c
chore(deps): update CPE dictionary index ( #4689 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-25 08:38:49 -04:00
Will Murphy
c5114fd745
chore(deps): ignore some dependabot deps ( #4696 )
...
Prevent some packages from being updated.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-24 08:12:50 -04:00
Weston Steimel
f68a7cc899
ci: further pr target code checkout assurances ( #4695 )
...
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
2026-03-24 07:16:16 -04:00
witchcraze
7800b16529
fix: update arangodb classifier and capture-snippet.sh ( #4662 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-03-23 16:29:39 -04:00
Keith Zantow
834ddcb1c0
fix: golang version file regex ( #4694 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-03-23 15:56:29 -04:00
Weston Steimel
f5d318d934
ci: add explicit ref to main and warning for pull_request_target workflow ( #4693 )
...
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
2026-03-23 16:45:18 +00:00
anchore-actions-token-generator[bot]
8531e1917b
chore(deps): update tools to latest versions ( #4690 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-03-23 12:01:27 -04:00
anchore-actions-token-generator[bot]
860126c650
chore(deps): update anchore dependencies ( #4681 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-03-19 16:44:55 +00:00
Will Murphy
36639f136b
chore(deps): bump github.com/buger/jsonsparser to v1.1.2 ( #4680 )
...
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-19 15:08:18 +00:00
dependabot[bot]
f32238c268
chore(deps): bump the go-minor-patch group with 2 updates ( #4678 )
...
Bumps the go-minor-patch group with 2 updates: [golang.org/x/net](https://github.com/golang/net ) and [golang.org/x/tools](https://github.com/golang/tools ).
Updates `golang.org/x/net` from 0.51.0 to 0.52.0
- [Commits](https://github.com/golang/net/compare/v0.51.0...v0.52.0 )
Updates `golang.org/x/tools` from 0.42.0 to 0.43.0
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.42.0...v0.43.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-version: 0.52.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
dependency-version: 0.43.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-19 10:25:19 -04:00
dependabot[bot]
0c8eef65f0
chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 ( #4675 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.78.0 to 1.79.3.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.78.0...v1.79.3 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-version: 1.79.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-18 16:55:30 -04:00
dependabot[bot]
4d42f8af32
chore(deps): bump the go-minor-patch group with 2 updates ( #4674 )
...
Bumps the go-minor-patch group with 2 updates: [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter ) and [golang.org/x/mod](https://github.com/golang/mod ).
Updates `github.com/hashicorp/go-getter` from 1.8.4 to 1.8.5
- [Release notes](https://github.com/hashicorp/go-getter/releases )
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.4...v1.8.5 )
Updates `golang.org/x/mod` from 0.33.0 to 0.34.0
- [Commits](https://github.com/golang/mod/compare/v0.33.0...v0.34.0 )
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-version: 1.8.5
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: golang.org/x/mod
dependency-version: 0.34.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-18 16:13:35 -04:00
Will Murphy
e38851143e
chore: centralize temp files and prefer streaming IO ( #4668 )
...
* chore: centralize temp files and prefer streaming IO
Catalogers that create temp files ad-hoc can easily forget cleanup,
leaking files on disk. Similarly, io.ReadAll is convenient but risks
OOM on large or malicious inputs.
Introduce internal/tmpdir to manage all cataloger temp storage under
a single root directory with automatic cleanup. Prefer streaming
parsers (bufio.Scanner, json/yaml.NewDecoder, io.LimitReader) over
buffering entire inputs into memory. Add ruleguard rules to enforce
both practices going forward.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: go back to old release parsing
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* simplify to limit reader in version check
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: regex change postponed
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* simplify supplement release to limitreader
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-18 10:53:51 -04:00
anchore-actions-token-generator[bot]
a3dacf5ecd
chore(deps): update tools to latest versions ( #4663 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-03-16 11:26:06 -04:00
dependabot[bot]
cccc9bf7f9
chore(deps): bump the go-minor-patch group with 3 updates ( #4669 )
...
Bumps the go-minor-patch group with 3 updates: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ), [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter ) and [golang.org/x/time](https://github.com/golang/time ).
Updates `github.com/google/go-containerregistry` from 0.21.1 to 0.21.2
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.21.1...v0.21.2 )
Updates `github.com/olekukonko/tablewriter` from 1.1.3 to 1.1.4
- [Release notes](https://github.com/olekukonko/tablewriter/releases )
- [Commits](https://github.com/olekukonko/tablewriter/compare/v1.1.3...v1.1.4 )
Updates `golang.org/x/time` from 0.14.0 to 0.15.0
- [Commits](https://github.com/golang/time/compare/v0.14.0...v0.15.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-version: 0.21.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: github.com/olekukonko/tablewriter
dependency-version: 1.1.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: golang.org/x/time
dependency-version: 0.15.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 11:25:41 -04:00
dependabot[bot]
59f7725d0d
chore(deps): bump github/codeql-action ( #4670 )
...
Bumps the actions-minor-patch group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.32.3 to 4.32.6
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](9e907b5e64...0d579ffd05
2026-03-16 11:25:27 -04:00
dependabot[bot]
7a6b1575ae
chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 ( #4671 )
...
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](c94ce9fb46...b45d80f862
2026-03-16 11:25:16 -04:00
anchore-actions-token-generator[bot]
92a6b36e89
chore(deps): update CPE dictionary index ( #4673 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-16 11:25:05 -04:00
Will Murphy
7158535fe6
chore(tests): fix test fixture build on modern ARM Mac ( #4666 )
...
BUILDPLATFORM is automatically set to the host's platform in new Docker,
so having it defined as an arg results in it being overridden by this
automatic value. Since it was always assigned to a literal string in the
test files, just use that string.
Additionally, image platform is better pulled from the manifest, not the
image config, in containerd store, so try that first.
Additionally, python3 is on PATH on new macs by default, but not python.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-11 09:37:40 -04:00
anchore-actions-token-generator[bot]
75455f050a
chore(deps): update anchore dependencies ( #4631 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-03-09 18:10:53 +00:00
anchore-actions-token-generator[bot]
22e78c7be1
chore(deps): update tools to latest versions ( #4630 )
...
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore(lint): fix errors in new golangci-lint
Two fixes:
First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...)
Second, suppress errors where we read from the local file system at a
user provided path. This is a CLI tool, and reads from user provided
paths on the local file system by design.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-09 12:17:09 -04:00
anchore-actions-token-generator[bot]
d2461a9e0a
chore(deps): update SPDX license list ( #4637 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-09 11:02:47 -04:00
dependabot[bot]
01f0e332c2
chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 ( #4658 )
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](37930b1c2a...70fc10c6e5
2026-03-09 10:37:33 -04:00
dependabot[bot]
c88051d74e
chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 ( #4638 )
...
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl ) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/cloudflare/circl/releases )
- [Commits](https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.3 )
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-version: 1.6.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:34:11 -04:00
dependabot[bot]
7d3d1c6237
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates ( #4657 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [actions/setup-go](https://github.com/actions/setup-go ) and [anchore/sbom-action](https://github.com/anchore/sbom-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go ).
Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](7a3fe6cf4c...4b73464bb3https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](28d71544de...17ae174017https://github.com/actions/setup-go/releases )
- [Commits](7a3fe6cf4c...4b73464bb3
2026-03-09 10:33:14 -04:00
dependabot[bot]
dcba765d86
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 ( #4659 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](b7c566a772...bbbca2ddaa
2026-03-09 10:32:22 -04:00
dependabot[bot]
2c201469c3
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 ( #4646 )
...
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go ) from 1.39.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0 )
---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.40.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:29:46 -04:00
anchore-actions-token-generator[bot]
c583da1c15
chore(deps): update CPE dictionary index ( #4647 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-09 10:26:42 -04:00
dependabot[bot]
22014b6022
chore(deps): bump the go-minor-patch group across 1 directory with 5 updates ( #4661 )
...
Bumps the go-minor-patch group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx ) | `2.3.6` | `2.4.0` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy ) | `5.7.0` | `5.8.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) | `5.16.5` | `5.17.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.50.0` | `0.51.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) | `1.45.0` | `1.46.1` |
Updates `github.com/github/go-spdx/v2` from 2.3.6 to 2.4.0
- [Release notes](https://github.com/github/go-spdx/releases )
- [Commits](https://github.com/github/go-spdx/compare/v2.3.6...v2.4.0 )
Updates `github.com/go-git/go-billy/v5` from 5.7.0 to 5.8.0
- [Release notes](https://github.com/go-git/go-billy/releases )
- [Commits](https://github.com/go-git/go-billy/compare/v5.7.0...v5.8.0 )
Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.0
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.16.5...v5.17.0 )
Updates `golang.org/x/net` from 0.50.0 to 0.51.0
- [Commits](https://github.com/golang/net/compare/v0.50.0...v0.51.0 )
Updates `modernc.org/sqlite` from 1.45.0 to 1.46.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.45.0...v1.46.1 )
---
updated-dependencies:
- dependency-name: github.com/github/go-spdx/v2
dependency-version: 2.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-billy/v5
dependency-version: 5.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.46.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:20:06 -04:00
Alex Goodman
b5e85c3ea5
chore: migrate fixtures to testdata ( #4651 )
...
* migrate fixtures to testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: correct broken symlinks after testdata migration
The migration from test-fixtures to testdata broke several symlinks:
- elf-test-fixtures symlinks pointed to old test-fixtures paths
- elf-test-fixtures needed to be renamed to elf-testdata
- image-pkg-coverage symlink pointed to test-fixtures instead of testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: handle missing classifiers/bin directory in Makefile
The clean-fingerprint target was failing when classifiers/bin doesn't
exist (e.g., on fresh clone without downloaded binaries).
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negation for jar/zip fixtures in test/cli
The jar and zip files in test/cli/testdata/image-unknowns were being
gitignored by the root .gitignore patterns. This caused them to be
untracked and not included when building docker images in CI, resulting
in Test_Unknowns failures since the test expects errors from corrupt
archive files that weren't present.
Add a .gitignore in test/cli/testdata to negate the exclusions for
these specific test fixture files.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* switch fixture cache to v2
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update expected versions for rebuilt fixtures
Update test expectations for packages that have been updated in
upstream repositories when docker images are rebuilt:
- glibc: 2.42-r4 → 2.43-r1 (wolfi)
- php: 8.2.29 → 8.2.30 (ubuntu/apache)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add go-shlex dependency for testdata manager tool
The manager tool in syft/pkg/cataloger/binary/testdata/ imports
go-shlex, but since it's in a testdata directory, Go doesn't track
its dependencies. This caused CI failures when go.mod didn't
explicitly list the dependency.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor: move binary classifier manager to internal/
Move the manager tool from testdata/manager to internal/manager so
that Go properly tracks its dependencies. Code in testdata directories
is ignored by Go for dependency tracking, which caused CI failures
when go.mod didn't explicitly list transitive dependencies.
This is a cleaner solution than manually adding dependencies to go.mod
for code that happens to live in testdata.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negations for test fixtures blocked by root patterns
Multiple test fixtures were being blocked by root-level gitignore patterns
like bin/, *.jar, *.tar, and *.exe. This adds targeted .gitignore files with
negation patterns to allow these specific test fixtures to be tracked:
- syft/linux/testdata/os/busybox/bin/busybox (blocked by bin/)
- syft/pkg/cataloger/java/testdata/corrupt/example.{jar,tar} (blocked by *.jar, *.tar)
- syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/**/bin/go (blocked by bin/)
- syft/pkg/cataloger/bitnami/testdata/no-rel/.../bin/redis-server (blocked by bin/)
Also updates the bitnami test expectation to include the newly required
.gitignore files in the test fixture.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update glibc version expectation (2.43-r1 -> 2.43-r2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add capability drift check as unit step
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dont clear test observations before drift detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump stereoscope commit to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-03-06 19:42:04 +00:00
Dimitri John Ledkov
35278f3d3d
fix(java): improve lz4 detection ( #4642 )
...
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2026-02-27 14:38:05 -05:00
Paweł Pałucha
db76d85d51
fix: use correct hashes for empty files ( #4620 )
...
Signed-off-by: Paweł Pałucha <pawel.palucha@chainguard.dev>
2026-02-24 09:52:29 -05:00
witchcraze
e9e7e20cc8
fix: grafana classifier ( #4635 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-02-23 09:38:02 -05:00
anchore-actions-token-generator[bot]
eb072deb9c
chore(deps): update CPE dictionary index ( #4636 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-02-23 08:19:30 -05:00
dependabot[bot]
f4fc2d669a
chore(deps): bump github/codeql-action ( #4634 )
...
Bumps the actions-minor-patch group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.31.10 to 4.32.3
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cdefb33c0f...9e907b5e64
2026-02-20 08:41:46 -05:00
dependabot[bot]
f5110f109a
chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1 to 1.0.0 ( #4633 )
...
Bumps [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles ) from 0.21.1 to 1.0.0.
- [Release notes](https://github.com/charmbracelet/bubbles/releases )
- [Commits](https://github.com/charmbracelet/bubbles/compare/v0.21.1...v1.0.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbles
dependency-version: 1.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-20 08:41:21 -05:00
dependabot[bot]
612eadb22e
chore(deps): bump the go-minor-patch group with 5 updates ( #4632 )
...
Bumps the go-minor-patch group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [golang.org/x/mod](https://github.com/golang/mod ) | `0.32.0` | `0.33.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.49.0` | `0.50.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) | `1.44.3` | `1.45.0` |
| [golang.org/x/tools](https://github.com/golang/tools ) | `0.41.0` | `0.42.0` |
| [github.com/gpustack/gguf-parser-go](https://github.com/gpustack/gguf-parser-go ) | `0.23.1` | `0.24.0` |
Updates `golang.org/x/mod` from 0.32.0 to 0.33.0
- [Commits](https://github.com/golang/mod/compare/v0.32.0...v0.33.0 )
Updates `golang.org/x/net` from 0.49.0 to 0.50.0
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.50.0 )
Updates `modernc.org/sqlite` from 1.44.3 to 1.45.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0 )
Updates `golang.org/x/tools` from 0.41.0 to 0.42.0
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.41.0...v0.42.0 )
Updates `github.com/gpustack/gguf-parser-go` from 0.23.1 to 0.24.0
- [Release notes](https://github.com/gpustack/gguf-parser-go/releases )
- [Commits](https://github.com/gpustack/gguf-parser-go/compare/v0.23.1...v0.24.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-version: 0.33.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
dependency-version: 0.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.45.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
dependency-version: 0.42.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/gpustack/gguf-parser-go
dependency-version: 0.24.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-20 08:40:09 -05:00
Will Murphy
0a3f7bb06e
chore: call cleanup on tmpfile and replace some io.ReadAlls with streams ( #4629 )
...
* fix(deb and snaps): prevent excess reads
Previously, Syft could allocate excess memory or tempfile space if there
were highly compressed objects in deb archives, or at paths where the
kernel changelog was expected by the snap cataloger. Use io.LimitReaders
for extracting parts of deb archives, and refactor the snap cataloger's
reading of the kernel changelog to use a streaming parsing, eliminating
the possibility of excess allocation.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix: always cleanup temp file from file source
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* use streaming strategy for deb archives
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-02-17 17:32:35 -05:00
Christopher Angelo Phillips
2fe5f9c7b8
fix: bumps go mod version to 1.25; ci takes latest patch ( #4628 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-02-17 12:04:51 -05:00
anchore-actions-token-generator[bot]
f70631a719
chore(deps): update tools to latest versions ( #4614 )
...
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: ci rules revive
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-02-17 11:19:37 -05:00
dependabot[bot]
0bb3741c87
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4622 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [anchore/sbom-action](https://github.com/anchore/sbom-action ) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Updates `anchore/sbom-action` from 0.21.1 to 0.22.2
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](0b82b0b1a2...28d71544dehttps://github.com/zizmorcore/zizmor-action/releases )
- [Commits](135698455d...0dce2577a4
2026-02-17 11:16:26 -05:00
dependabot[bot]
458ebbbff8
chore(deps): bump the go-minor-patch group with 2 updates ( #4621 )
...
Bumps the go-minor-patch group with 2 updates: [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go ) and [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles ).
Updates `github.com/CycloneDX/cyclonedx-go` from 0.9.3 to 0.10.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases )
- [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.9.3...v0.10.0 )
Updates `github.com/charmbracelet/bubbles` from 0.21.0 to 0.21.1
- [Release notes](https://github.com/charmbracelet/bubbles/releases )
- [Commits](https://github.com/charmbracelet/bubbles/compare/v0.21.0...v0.21.1 )
---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
dependency-version: 0.10.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/charmbracelet/bubbles
dependency-version: 0.21.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-17 10:14:13 -05:00
anchore-actions-token-generator[bot]
fb3f560e43
chore(deps): update CPE dictionary index ( #4623 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-02-17 09:50:12 -05:00
Scott Hebert
89b901b20b
Use redhat as namespace for hummingbird rpms ( #4615 )
...
The namespace value of `redhat` signifies this as an RPM package
produced and distributed by Red Hat.
Signed-off-by: Scott Hebert <scoheb@gmail.com>
2026-02-11 14:19:20 -05:00
anchore-actions-token-generator[bot]
9872ff36ba
chore(deps): update anchore dependencies ( #4613 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-02-10 17:19:56 +00:00
dependabot[bot]
31c503124f
chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 ( #4612 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.16.4 to 5.16.5.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.16.5
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-10 08:25:31 -05:00
