3424 Commits

Author SHA1 Message Date
Christopher Phillips
cf0c2c2dd6
fix: name safetensors models even when the run has a partial parse error
safeTensorsMergeProcessor used to early-return whenever it was handed a
non-nil error. Returning early left them nameless, and
missing-name compliance then silently dropped them, so a single unparseable
file could erase every otherwise-valid model from the SBOM. The processor
now always names/drops and propagates the error instead.

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-30 15:37:20 -04:00
Christopher Phillips
7e482a26c6
fix: hash logical content and count safetensors parameters as an integer
- metadataHash now covers logical tensor content (name + dtype + shape) plus
  __metadata__, and excludes DataOffsets.

- Parameters becomes a measured uint64 count (matching GGUFFileHeader) instead
  of a formatted/upstream string.

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-30 15:37:20 -04:00
Christopher Phillips
88ef52f617
chore: document one model per directory grouping
groupByParentDir treats every .safetensors file in a directory as a shard of
one model. Spell out that assumption and its trade-off.

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-30 15:03:06 -04:00
Christopher Phillips
4d59bdbb7f
fix: bound safetensors header read to content size
readSafeTensorsHeader pre-allocated the declared header length, which is
read straight from the file and bounded only by the 100MB ceiling. A
short file declaring a huge header could force a large allocation it never
fills. Read incrementally via io.ReadAll(io.LimitReader(...)) and verify the
full header was actually present.

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-30 14:57:06 -04:00
Christopher Phillips
b5fc7c46f1
Merge remote-tracking branch 'origin/main' into safe-tensors
* origin/main: (21 commits)
  added macOS .app cataloger (#4490)
  fix: composite action version parsing (#4616)
  fixed dotnet cataloger can't find packages from deps.json in linux el… (#4517)
  fix(template): expose sprig date/time functions in Go templates (#4644)
  Add support for MIT and Heimdal Kerberos 5 library detection (#4781)
  fix: correct typos and update examples README (#4703)
  ruby/gemspec: resolve simple #{s.name}/#{s.version} interpolation (#4782)
  feat(elixir): emit dependency relationships from mix.lock (#4985)
  fix: add .bpl file extension support to PE/DLL cataloger (closes #4664) (#4688)
  chore(deps): update anchore dependencies (#4960)
  Update go-make to v0.8.0 (#5010)
  fixes the wrapped taskfile-tasks (#5013)
  fix(purl-backfill): respect arch qualifier (#4987)
  feat: deno cataloger #4417 (#4523)
  chore(deps): bump golang.org/x/tools from 0.45.0 to 0.46.0 (#5008)
  chore(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 (#5004)
  chore(deps): bump golang.org/x/mod from 0.36.0 to 0.37.0 (#5007)
  chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.10 to 6.8.1 (#5006)
  refactor release pipeline: TAG_TOKEN, skip-checks gate, dependabot/zizmor cleanup (#5003)
  feat: support envoy bin classifier
  ...

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-30 13:15:39 -04:00
Rez Moss
148fe572bc
added macOS .app cataloger (#4490)
* added macOS .app cataloger, fixed #4010

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* added macOS .app cataloger, fixed #4010

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* added macOS .app cataloger, fixed #4010

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address review comments

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump schema to 16.1.7

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address static analysis failures

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate to testdata

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* expand fields and improve test coverage

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-30 10:32:57 -04:00
Keith Zantow
deee79411a
fix: composite action version parsing (#4616)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-06-29 15:23:47 -04:00
Rez Moss
e7f1a803e7
fixed dotnet cataloger can't find packages from deps.json in linux el… (#4517)
* fixed dotnet cataloger can't find packages from deps.json in linux elf, fixed #4514

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* split bundle and PE concerns

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* limit resource usage of readall call

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* removed duplicate

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* make sure the first 4 bytes in elf aren't lost

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* revert readelfbundle func, check size of readdeps json

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* revert readelfbundle func, check size of readdeps json, fixed #4514

Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* move dotnet net8 linux fixture to testdata convention

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address malformed elf size claims + add tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* don't key off of cataloger name in testing

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-29 13:52:55 -04:00
sputnik-mac
a34f86fba1
fix(template): expose sprig date/time functions in Go templates (#4644)
* fix(template): expose sprig date functions in Go templates

Replace HermeticTxtFuncMap with TxtFuncMap to expose date/time
functions (now, date, dateInZone, etc.) while still excluding
security-sensitive env/expandenv functions.

Users can now use date functions in templates, e.g.:
  {{ now | unixEpoch }}
  {{ now | date "2006-01-02" }}

Fixes #2372

Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* invert to add functions to the hermetic set, not the other way around

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-29 11:55:51 -04:00
nadimz
e388b5249d
Add support for MIT and Heimdal Kerberos 5 library detection (#4781)
* Add support for MIT and Heimdal Kerberos 5 library detection

Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>

* support 2-component case

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Nadim Zubidat <nadimz@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-29 11:54:44 -04:00
Archy
1746e96ad3
fix: correct typos and update examples README (#4703)
Signed-off-by: Artem Muterko <artem@sopho.tech>
2026-06-29 11:16:50 -04:00
Sai Asish Y
956858fc11
ruby/gemspec: resolve simple #{s.name}/#{s.version} interpolation (#4782)
* ruby/gemspec: resolve simple #{s.name}/#{s.version} interpolation

Reported in anchore/syft#4720: scanning projects that depend on gems
like formatador leaks literal Ruby interpolation into the emitted
SBOM, e.g.

    "externalReferences": [
      { "url": "https://github.com/geemus/#{s.name}", "type": "website" }
    ]

because formatador.gemspec uses

    s.homepage = "https://github.com/geemus/#{s.name}"

and parseGemSpecEntries reads the file as plain text instead of
evaluating it. The interpolation leaks through the captured homepage
field and on into any externalReferences entry the cataloger produces.
Dependency Track then rejects the whole BOM because '{' and '}' are
not valid IRI-reference characters (RFC 3987).

Add a post-parse pass that substitutes the common interpolation forms
(#{s.name}, #{gem.name}, #{name}, and the matching #{*.version}
variants) in captured string fields using values already parsed from
the same gemspec. Anything still containing '#{' after best-effort
substitution is an unresolvable Ruby expression, and for URL-like
fields (currently just homepage) we drop the field entirely so the
SBOM is always schema-valid; callers would rather miss a homepage URL
than emit one that breaks downstream tools.

Adds testdata/formatador.gemspec, a minimal real-world gemspec using
the #{s.name} pattern, plus a new parser test asserting that the
homepage field comes out fully resolved.

Fixes #4720

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* improve test cases

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-29 11:00:48 -04:00
Chris Greeno
37fee88b5c
feat(elixir): emit dependency relationships from mix.lock (#4985)
adds dependency-of relationships between elixir locked packages, matching how other
ecosystem catalogers (alpine, arch, debian, redhat, python) express the
dependency graph via the shared dependency.Processor/Specifier mechanism.

Signed-off-by: Chris Greeno <cgreeno@gmail.com>
2026-06-29 10:22:38 -04:00
sputnik-mac
1143c12a97
fix: add .bpl file extension support to PE/DLL cataloger (closes #4664) (#4688)
Borland Package Library (.bpl) files are standard Windows PE/DLL files
used in Delphi and C++Builder ecosystems. This adds the .bpl glob
pattern to the PE file discovery so these files are cataloged alongside
.dll and .exe files.
2026-06-29 10:17:52 -04:00
anchore-oss-update-bot
b15c5dbfe2
chore(deps): update anchore dependencies (#4960)
* chore(deps): update anchore dependencies

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>

* update snapshots

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
v1.46.0
2026-06-25 15:26:14 -04:00
Alex Goodman
35d56bfb99
Update go-make to v0.8.0 (#5010)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-25 15:01:40 -04:00
Alex Goodman
abf6d78dfc
fixes the wrapped taskfile-tasks (#5013)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-24 11:22:16 -04:00
Will Murphy
fe42bcec38
fix(purl-backfill): respect arch qualifier (#4987)
* fix(purl-backfill): respect arch qualifier

Previously, when constructing rpm, alpm, and apk metadata structs from a
PURL, Syft would ignore the arch qualifier. Start respecting that
qualifier.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: fix static analysis

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* Clean up control flow in PURL backfill code

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-06-23 15:23:46 -04:00
Rez Moss
fea4a50124
feat: deno cataloger #4417 (#4523)
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-23 10:58:22 -04:00
dependabot[bot]
5eefd73ac7
chore(deps): bump golang.org/x/tools from 0.45.0 to 0.46.0 (#5008)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.45.0 to 0.46.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.45.0...v0.46.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 18:50:24 +00:00
dependabot[bot]
684c7018be
chore(deps): bump golang.org/x/net from 0.55.0 to 0.56.0 (#5004)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.55.0 to 0.56.0.
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 18:34:47 +00:00
dependabot[bot]
f827f91ec1
chore(deps): bump golang.org/x/mod from 0.36.0 to 0.37.0 (#5007)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.36.0 to 0.37.0.
- [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 18:19:47 +00:00
dependabot[bot]
e9af7d218c
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.10 to 6.8.1 (#5006)
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.7.10 to 6.8.1.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.10...v6.8.1)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.8.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 18:18:54 +00:00
Alex Goodman
506ad5d6a7
refactor release pipeline: TAG_TOKEN, skip-checks gate, dependabot/zizmor cleanup (#5003)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-22 14:04:48 -04:00
Rez Moss
1f4f9332c5
feat: support envoy bin classifier
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-06-22 13:16:33 -04:00
Rez Moss
52a4c3b594
feat: elastic beats bin classifier (#4969)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-06-22 11:49:44 -04:00
Christopher Phillips
a88406f375
schema: bump to 16.1.5
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:47:54 -04:00
Christopher Phillips
f9674c5f7d
schema: drift
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:47:24 -04:00
Christopher Phillips
16d0449cc8
pr: review
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:47:11 -04:00
Christopher Phillips
b216dad4a7
fix: schema drift
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:47:09 -04:00
Christopher Phillips
4e79519d33
lint: fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:57 -04:00
Christopher Phillips
0dc4abc0e1
pr: refactor
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:57 -04:00
Christopher Phillips
fe392a490b
pr: first pass refactor
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:57 -04:00
Christopher Phillips
dd179eb8a7
tests: clean up and add complete dir tests
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:57 -04:00
Alex Goodman
b85b50001d
remove oci artifact interface
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-22 11:46:57 -04:00
Christopher Phillips
dbf6dd2eb3
fix: trim fields to only be ones from safetensor header
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:55 -04:00
Christopher Phillips
549f526de0
fix: remove old generated capabilities
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:37 -04:00
Christopher Phillips
4eaf583526
review: remove and refactor implementation for easier review
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:37 -04:00
Christopher Phillips
4352ac4691
test: test cleanup
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:37 -04:00
Christopher Phillips
e88d6d019e
chore: refactor interface with new naming
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:37 -04:00
Christopher Phillips
b234d3eb2f
chore: comments
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:37 -04:00
Christopher Phillips
5d80168a5d
test: update originator supplier
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:36 -04:00
Christopher Phillips
b731aa4f33
lint: lintfix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:23 -04:00
Christopher Phillips
9644340981
fix: license frontmatter
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:23 -04:00
Christopher Phillips
15bd509e15
fix: remove index parsing
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:23 -04:00
Christopher Phillips
19ea799cd2
test: tensor package naming precedence test
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:22 -04:00
Christopher Phillips
a75c3086f6
fix: move non safetensor layer fetch to post
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:22 -04:00
Christopher Phillips
69b7c5e3d0
fix: make MetadataHash consistent across oci/dir source
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:22 -04:00
Christopher Phillips
d12cf9a3e2
fix: update userMetadata to use KeyValue
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:46:21 -04:00
Christopher Phillips
1a1f2af92b
test: fixture test with real safetensor data
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-22 11:45:53 -04:00