anchore-oss-update-bot
00d0bb59cc
chore(deps): update tool versions ( #4724 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-06-05 11:22:28 +00:00
dependabot[bot]
f474308783
chore(deps): bump the go-minor-patch group across 2 directories with 14 updates ( #4947 )
...
* chore(deps): bump the go-minor-patch group across 2 directories with 14 updates
Bumps the go-minor-patch group with 9 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go ) | `0.10.0` | `0.11.0` |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver ) | `3.4.0` | `3.5.0` |
| [github.com/diskfs/go-diskfs](https://github.com/diskfs/go-diskfs ) | `1.7.0` | `1.9.3` |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx ) | `2.4.0` | `2.7.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) | `0.21.5` | `0.21.6` |
| [github.com/gookit/color](https://github.com/gookit/color ) | `1.6.0` | `1.6.1` |
| [github.com/invopop/jsonschema](https://github.com/invopop/jsonschema ) | `0.13.0` | `0.14.0` |
| [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) | `6.7.8` | `6.7.10` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) | `1.46.2` | `1.50.1` |
Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make ).
Updates `github.com/CycloneDX/cyclonedx-go` from 0.10.0 to 0.11.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases )
- [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.10.0...v0.11.0 )
Updates `github.com/Masterminds/semver/v3` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/Masterminds/semver/releases )
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md )
- [Commits](https://github.com/Masterminds/semver/compare/v3.4.0...v3.5.0 )
Updates `github.com/diskfs/go-diskfs` from 1.7.0 to 1.9.3
- [Commits](https://github.com/diskfs/go-diskfs/compare/v1.7.0...v1.9.3 )
Updates `github.com/github/go-spdx/v2` from 2.4.0 to 2.7.0
- [Release notes](https://github.com/github/go-spdx/releases )
- [Commits](https://github.com/github/go-spdx/compare/v2.4.0...v2.7.0 )
Updates `github.com/google/go-containerregistry` from 0.21.5 to 0.21.6
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.21.5...v0.21.6 )
Updates `github.com/gookit/color` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/gookit/color/releases )
- [Commits](https://github.com/gookit/color/compare/v1.6.0...v1.6.1 )
Updates `github.com/invopop/jsonschema` from 0.13.0 to 0.14.0
- [Release notes](https://github.com/invopop/jsonschema/releases )
- [Commits](https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0 )
Updates `github.com/jedib0t/go-pretty/v6` from 6.7.8 to 6.7.10
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.8...v6.7.10 )
Updates `github.com/klauspost/compress` from 1.18.5 to 1.18.6
- [Release notes](https://github.com/klauspost/compress/releases )
- [Commits](https://github.com/klauspost/compress/compare/v1.18.5...v1.18.6 )
Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](https://github.com/golang/mod/compare/v0.35.0...v0.36.0 )
Updates `golang.org/x/net` from 0.53.0 to 0.54.0
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.54.0 )
Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.44.0...v0.45.0 )
Updates `modernc.org/sqlite` from 1.46.2 to 1.50.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.46.2...v1.50.1 )
Updates `github.com/anchore/go-make` from 0.4.0 to 0.5.0
- [Release notes](https://github.com/anchore/go-make/releases )
- [Commits](https://github.com/anchore/go-make/compare/v0.4.0...v0.5.0 )
---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
dependency-version: 0.11.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/Masterminds/semver/v3
dependency-version: 3.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/diskfs/go-diskfs
dependency-version: 1.9.3
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/github/go-spdx/v2
dependency-version: 2.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/google/go-containerregistry
dependency-version: 0.21.6
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: github.com/gookit/color
dependency-version: 1.6.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: github.com/invopop/jsonschema
dependency-version: 0.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.7.10
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: github.com/klauspost/compress
dependency-version: 1.18.6
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: golang.org/x/mod
dependency-version: 0.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
dependency-version: 0.54.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
dependency-version: 0.45.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.50.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/anchore/go-make
dependency-version: 0.5.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* fix: update signatures to return fs.FileInfo after breaking changes
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* fix: lint-fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-04 17:06:25 -04:00
Will Murphy
bf67072246
chore: bump golang.org/x/crypto ( #4955 )
...
* chore: bump golang.org/x/crypto
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* also bump golang.org/x/net
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-06-04 16:06:08 -04:00
Will Murphy
9673f867e5
Pass contents: read to check-gate ( #4951 )
...
Otherwise check-gate doesn't have enough permissions to do its job and
fails.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-06-02 16:05:42 -04:00
Matias Insaurralde
a4fb2c0396
perf(python): hoist name normalization regexp to package level ( #4926 )
...
Avoid recompiling the separator pattern on every normalize() call during cataloging.
Signed-off-by: Matías Insaurralde <matias@insaurral.de>
2026-06-01 21:17:43 -04:00
witchcraze
cf2ce643c3
update helm classifier ( #4922 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-06-01 10:21:57 -04:00
dependabot[bot]
524a44b70d
chore(deps): bump the actions-minor-patch group across 1 directory with 6 updates ( #4946 )
...
Bumps the actions-minor-patch group with 6 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows ) | `0.6.0` | `0.7.0` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows ) | `0.6.0` | `0.7.0` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows ) | `0.6.0` | `0.7.0` |
| [docker/login-action](https://github.com/docker/login-action ) | `4.1.0` | `4.2.0` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows ) | `0.6.0` | `0.7.0` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ) | `0.5.5` | `0.5.6` |
Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/anchore/workflows/releases )
- [Commits](15122524ce...b3e328b5aehttps://github.com/anchore/workflows/releases )
- [Commits](15122524ce...b3e328b5aehttps://github.com/anchore/workflows/releases )
- [Commits](15122524ce...b3e328b5aehttps://github.com/docker/login-action/releases )
- [Commits](4907a6ddec...650006c6ebhttps://github.com/anchore/workflows/releases )
- [Commits](15122524ce...b3e328b5aehttps://github.com/zizmorcore/zizmor-action/releases )
- [Commits](a16621b09c...5f14fd08f7
2026-05-29 16:35:04 +00:00
witchcraze
4e86715c1a
fix: improve julia classifier to find shared libs and beta versions ( #4945 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-29 12:05:46 -04:00
Alex Goodman
e8c6b7151e
swap postgres signature check for rocky linux baseline rpm ( #4941 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-26 10:11:38 -04:00
witchcraze
0fb8762f41
fix: improve deno classifier ( #4939 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-25 11:58:10 -04:00
dependabot[bot]
58ddf74140
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates ( #4936 )
...
Bumps the actions-minor-patch group with 1 update in the / directory: [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make ).
Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.5
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases )
- [Commits](b1d7e1fb5d...a16621b09chttps://github.com/anchore/go-make/releases )
- [Commits](88c3650598...9de27be11e
2026-05-22 13:42:36 +00:00
dependabot[bot]
b5d828ee14
chore(deps): bump github.com/containerd/containerd/v2 ( #4935 )
...
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd ) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/containerd/containerd/releases )
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md )
- [Commits](https://github.com/containerd/containerd/compare/v2.3.0...v2.3.1 )
---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
dependency-version: 2.3.1
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-21 22:17:36 +00:00
Doug Clarke
1c4394fed0
fix: enhancement to java cataloger to consider .zap files as jar files ( #4932 )
...
* Enhancements to java cataloger to consider .zap files as jar files - Issue #4654
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
2026-05-21 15:24:38 -04:00
anchore-oss-update-bot
f5c1a0befc
chore(deps): update anchore dependencies ( #4821 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-20 19:50:47 +00:00
dependabot[bot]
b1287d45d8
chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 ( #4930 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md )
- [Commits](https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.19.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 16:11:18 +00:00
Alex Goodman
d97216ff70
Remediate audit ( #4929 )
...
* remove slack notification on release
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restrict cache usage
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 15:01:37 -04:00
dependabot[bot]
c09a009bda
chore(deps): bump the actions-minor-patch group across 1 directory with 4 updates ( #4927 )
...
Bumps the actions-minor-patch group with 4 updates in the / directory: [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows ), [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows ), [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows ) and [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows ).
Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.5.0 to 0.6.0
- [Commits](e8cee3a591...15122524ce8b2b1caf40...15122524ce8b2b1caf40...15122524ce8b2b1caf40...15122524ce
2026-05-18 16:13:54 +00:00
Alex Goodman
d61af0abab
Port to go-make ( #4923 )
...
* port to go-make
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refresh fixtures on running unit tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address refresh cache issues with old now-gitignored files
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 11:59:55 -04:00
anchore-oss-update-bot
89cda82263
chore(deps): update CPE dictionary index ( #4925 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-18 10:21:30 -04:00
dependabot[bot]
ee6ace36d1
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4920 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [runs-on/action](https://github.com/runs-on/action ) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ).
Updates `runs-on/action` from 2.1.0 to 2.1.2
- [Release notes](https://github.com/runs-on/action/releases )
- [Commits](742bf56072...d141ef83ebhttps://github.com/sigstore/cosign-installer/releases )
- [Commits](cad07c2e89...6f9f177880
2026-05-15 13:34:58 +00:00
witchcraze
e2e5e223ab
feat: mysqld, ndbd, ndbmtd and ndb_mgmd classifier ( #4907 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-14 11:29:42 -04:00
William Bates
4579d11abc
fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst) ( #4740 )
...
* fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst)
The linux-kernel-cataloger only matched plain *.ko files, missing
compressed modules produced when CONFIG_MODULE_COMPRESS is enabled
(common on Debian 13 / Ubuntu 24.04+). This resulted in near-zero
module packages being reported for such filesystems.
Changes:
- Add *.ko.gz, *.ko.xz, *.ko.zst glob patterns to both the cataloger
and capabilities.yaml so the file resolver picks up compressed modules
- Add decompressedModuleReader() which detects the extension and
transparently decompresses via compress/gzip, ulikunitz/xz, or
klauspost/compress/zstd before handing the ELF bytes to the existing
parseLinuxKernelModuleMetadata parser
- Promote github.com/klauspost/compress from indirect to direct dependency
- Add unit tests covering all three compression formats plus the
uncompressed baseline, using a programmatically generated minimal ELF
Fixes #4721
Signed-off-by: Will Bates <william.bates11@outlook.com>
* address reading archives into memory
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Bates <william.bates11@outlook.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Bates <william.bates11@outlook.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-13 13:44:18 -04:00
anchore-oss-update-bot
07ae2ca08d
chore(deps): update CPE dictionary index ( #4909 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-13 10:03:11 -04:00
Calum Leslie
36969bdeff
fix: Allow duplicates in Yarn "Berry" files ( #4691 ) ( #4838 )
...
* fix: Allow duplicates in Yarn "Berry" files (#4691 )
Yarn lockfiles can have multiple versions resolved for the same package
name. We correctly allow this in Yarn v1 lockfiles but the "Berry"
YAML-format lockfiles were doing deduplication by package name. This
change removes that deduplication.
Signed-off-by: Calum Leslie <cleslie@atlassian.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Calum Leslie <cleslie@atlassian.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Calum Leslie <cleslie@atlassian.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 21:10:17 +00:00
Alex Goodman
dfb6011083
pin and update fixture versions ( #4913 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:30:35 -04:00
Alex Goodman
997a486e22
use released shared workflow ( #4914 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:21:41 -04:00
dependabot[bot]
4f64fbc004
chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 ( #4911 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.18.0 to 5.19.0.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md )
- [Commits](https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.19.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 16:25:44 +00:00
Alex Goodman
87d6a288d7
Tighten workflow permissions and update release shape ( #4899 )
...
* Rework release workflow to canonical shape
Replace the custom quality-gate job with the reusable check-version-available
and check-gate workflows from anchore/workflows. Remove the phase
workflow_dispatch input; the install-script-only path is now a standalone
workflow (release-install-script.yaml) that can be triggered independently.
- add version-available and check-gate jobs using pinned anchore/workflows SHA
- remove phase input and quality-gate job
- release job now needs [check-gate, version-available]
- release-install-script job no longer conditionally skips based on phase
- add release-install-script.yaml for standalone install script runs
- set permissions: {} at workflow level (contents pushed to release job)
- add concurrency: group: release
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Tighten workflow-level permissions to {}
Change top-level permissions from contents: read to {} in validations.yaml
and validate-github-actions.yaml, pushing the needed contents: read down
to each job that performs a checkout.
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep install script phase, remove workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove schema detection workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-08 17:16:31 -04:00
dependabot[bot]
20987d30d0
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4897 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action ) and [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action ).
Updates `github/codeql-action` from 4.35.2 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](95e58e9a2c...e46ed2cbd0https://github.com/slackapi/slack-github-action/releases )
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md )
- [Commits](03ea5433c1...45a88b9581
2026-05-08 13:38:31 +00:00
witchcraze
e2007d9bf2
feat: add aws-lc classifier ( #4882 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-06 16:43:34 -04:00
ChrisJr404
4f0e32ab51
binary classifier: detect elixir release-candidate versions ( #4851 )
...
The elixir-binary and elixir-library classifiers' regexes only matched
the bare semver triplet (and a single sub-segment for the library), so
release-candidate elixir images were either missed entirely or had
their version truncated:
$ syft -q elixir:1.12.0-rc | grep elixir # nothing
$ syft -q elixir:1.13.0-rc.0 | grep elixir
elixir 1.13.0 binary # truncated, "-rc.0" lost
Extend the version capture group to optionally include
"-<a-z0-9>+(\\.<digits>)?" so "1.12.0-rc.1", "1.13.0-rc.0", etc. match
exactly as the elixir.app and the binary's ELIXIR_VERSION line have
them.
Add a logical fixture under testdata/classifiers/snippets/elixir/
1.12.0-rc.1/linux-amd64 (cloned from the existing 1.19.1 fixture with
just the version strings changed) and register it in
Test_Cataloger_PositiveCases.
Closes #4819
Signed-off-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
Co-authored-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
2026-05-06 15:14:09 +00:00
witchcraze
605391114c
add ingress-nginx classifier ( #4857 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-06 14:54:20 +00:00
ChrisJr404
1caf243d29
fix(source): treat exclude paths with trailing slash as directories ( #4892 )
...
A trailing slash on --exclude (e.g. './lib/') is dropped during pattern
normalization but doublestar.Match still requires an exact string match,
so the resulting pattern silently matches nothing and the directory is
not excluded. Strip a trailing slash so './lib/' and './lib' behave the
same.
Fixes #4839
Signed-off-by: ChrisJr404 <chris@hacknow.com>
2026-05-06 14:51:41 +00:00
PGray
48e91312e8
fix(dotnet): align runtime CPEs with NVD ( #4743 )
...
Signed-off-by: PGray <PGrayCS@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: PGray <PGrayCS@users.noreply.github.com>
2026-05-06 13:07:49 +00:00
bahtyar
d81df67493
fix(debian): only parse machine-readable copyright files with Format header ( #4754 )
...
* fix(debian): only parse machine-readable copyright files with Format header
Only parse debian/copyright files as machine-readable DEP-5 format when
they contain the mandatory Format header field pointing to the copyright
specification URI. Files without this header are free-form text and
should not have License: regex patterns applied to them, which previously
produced nonsensical results like "#", "Permission", "This", "see" for
non-machine-readable files.
The fallback license classifier in the debian cataloger will handle
non-machine-readable files by doing full-text license identification.
Closes #4708
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* decompose parseLicensesFromCopyright to address linting issues
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Bahtya <bahtayr@gmail.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-06 13:02:27 +00:00
dependabot[bot]
47cda2b5ef
chore(deps): bump the actions-minor-patch group across 2 directories with 5 updates ( #4846 )
...
Bumps the actions-minor-patch group with 4 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action ), [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment ), [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action ) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache ).
Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c10b8064de...95e58e9a2chttps://github.com/marocchino/sticky-pull-request-comment/releases )
- [Commits](d4d6b09364...0ea0beb66ehttps://github.com/slackapi/slack-github-action/releases )
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md )
- [Commits](af78098f53...03ea5433c1https://github.com/zizmorcore/zizmor-action/releases )
- [Commits](71321a20a9...b1d7e1fb5dhttps://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10
2026-05-05 11:42:04 -04:00
Rayan Salhab
ae711963d1
fix: parse arbitrary equality python requirements ( #4835 )
...
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-05-05 13:49:03 +00:00
Alex Goodman
f878197150
chore: remove common workflows ( #4881 )
...
Removes deprecated common workflows now centralized elsewhere.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-04 14:31:07 -04:00
witchcraze
514efb03e0
fix: prevent redis classifier from detecting valkey ( #4619 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-04 14:07:29 -04:00
anchore-oss-update-bot
1e4f424f09
chore(deps): update CPE dictionary index ( #4831 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-04 10:14:08 -04:00
ChrisJr404
b5f0877967
fix: map "nuget" purl type to DotnetPkg in TypeByName ( #4848 )
...
Signed-off-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
2026-05-04 08:51:19 -04:00
Rayan Salhab
8cb78ce40c
fix: resolve yarn lock aliases to source package ( #4836 )
...
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-04-29 09:50:09 -04:00
witchcraze
3b046b3787
chore: move snippet files from test-fixtures to testdata ( #4830 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-27 11:09:21 -04:00
Ludovic Henry
05cc8ee5f4
Add support for linux-riscv64 ( #4757 )
2026-04-27 10:21:41 +00:00
Akihiko Komada
3562dab445
fix(lua-rockspec): handle empty and whitespace-only rockspec files gracefully ( #4827 )
...
Empty or whitespace-only .rockspec files cause parseRockspecBlock to
panic with "index out of range" because the existing end-of-data guard
requires len(out) > 0 before returning the "unexpected end of block"
error, letting the bare data[*i] access on the next line crash.
Split the guard so that:
- partial content at end of data still returns the existing error
- empty data (or whitespace-only) returns an empty block cleanly
Closes #4824 .
Signed-off-by: Akihiko Komada <aki1770@gmail.com>
2026-04-24 12:44:25 -04:00
Sebastiaan van Stijn
014a4c9c59
chore: tidy go.mod ( #4823 )
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-23 18:07:11 -04:00
Rez Moss
3cb838eacf
fixed pe dotnet wrong ver , fixed #4813 ( #4814 )
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-22 20:55:56 -04:00
Sai Asish Y
758324b3e8
fix: propagate non-EOF errors out of safeCopy ( #4807 )
...
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
2026-04-22 12:06:03 -04:00
anchore-oss-update-bot
390cf6cce0
chore(deps): update anchore dependencies ( #4797 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 15:09:10 +00:00
Will Murphy
4393654d03
Chore fix sync bump ( #4809 )
...
* chore(deps): update anchore dependencies
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore: update test to account for sync wrapping panic
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 08:48:30 -04:00
