3368 Commits

Author SHA1 Message Date
Alex Goodman
0e8d6deabe
require tmpdir to exist for fingerprints (#5002)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-22 10:54:26 -04:00
dependabot[bot]
deb2fd92ef
chore(deps): bump github.com/containerd/containerd/v2 (#5001)
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v2.3.1...v2.3.2)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-22 14:12:11 +00:00
Alex Goodman
80d3b62de4
bump go-make to v0.7.0 (#4999)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-22 09:47:58 -04:00
anchore-oss-update-bot
b71afc87fc
chore(deps): update tool versions (#4994)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-06-19 11:51:05 +00:00
Alex Goodman
efe3174b5f
Preserve dependency edges when a compliance stub changes a package ID (#4993)
* fix relationship rewrites for isolated nodes

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* cover dangling pointers

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-18 19:50:30 -04:00
Rez Moss
58e4dbbf01
feat: added bin classifier elastic-agent (#4968)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-06-17 15:29:07 +00:00
Sebastiaan van Stijn
b70fa899cb
golangci-lint: enable gci formatter (#4828)
This allows linting the imports to be grouped correctly, and provides
an auto-fix (`golangci-lint run --fix`).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-17 10:34:22 -04:00
Alex Goodman
951fbd454a
add purl types to cataloger info cmd (#4984)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-16 12:13:34 -04:00
Rez Moss
92ae4d44c5
fix: .net deps.json cataloger no longer shows phantom pkgs (#4971)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-06-16 12:02:42 -04:00
Alex Goodman
8d48a8b8c2
ensure we have a snapshot build for cli tests (#4981)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-16 10:41:33 -04:00
David Dashti
cff5a05681
fix(dpkg): extract License field for opkg/ipkg entries (#4963)
* fix(dpkg): extract License field for opkg/ipkg entries

opkg and ipkg use the dpkg cataloger but declare the package License
inline in the status DB (unlike Debian dpkg, where licenses live in
copyright files). The cataloger silently dropped the License field at
mapstructure decode time, so all opkg-managed packages reported empty
licenses.

This adds the field to the intermediate decode struct and the public
DpkgDBEntry, and populates licenses in newDpkgPackage using the alpine
cataloger's pattern: try license.ParseExpression first to keep valid
SPDX expressions whole, fall back to whitespace splitting for
space-separated lists.

Standard Debian dpkg status files never carry a License field per
Debian policy, so the new path is a no-op for them; the existing
copyright-file lookup in addLicenses is unaffected.

Closes #4940

Signed-off-by: David Dashti <47575784+Dashtid@users.noreply.github.com>

* remove license from dpkg metadata struct

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restore format snapshot files

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add additional tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: David Dashti <47575784+Dashtid@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-06-15 16:15:32 -04:00
Kursat Topcuoglu
00ca43d24a
fix: catalog uv PEP 723 script lockfiles (*.py.lock) (#4950)
Signed-off-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com>
Co-authored-by: Kursat Topcuoglu <7313835+ktopcuoglu@users.noreply.github.com>
2026-06-15 11:34:02 -04:00
dependabot[bot]
6a27678036
chore(deps): bump the actions-minor-patch group across 2 directories with 6 updates (#4975)
Bumps the actions-minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |

Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).


Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](b3e328b5ae...b0c30a8040)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](b3e328b5ae...b0c30a8040)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](b3e328b5ae...b0c30a8040)

Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...df4cb1c069)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](b3e328b5ae...b0c30a8040)

Updates `anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](9de27be11e...39fe5f7111)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.7.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-12 13:29:23 +00:00
Keith Zantow
89773c0a12
fix: support CycloneDX 1.7 (#4967)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-06-11 09:40:42 -04:00
Yoonho Hann
b08d3c2970
feat: add support for Bun lockfile (#4625)
---------
Signed-off-by: Yoonho Hann <hnnynh125@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-09 13:22:43 -04:00
Keith Zantow
63232bf725
fix: local version identifiers in python requirements parsing (#4959)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-06-08 11:12:47 -04:00
Marcus
908eb57890
feat: add .bpl extension to PE cataloger (#4954)
BPL (Borland Package Library) files are standard PE/DLL format used by
Delphi and C++Builder. Adding the extension to the glob list so syft
picks them up during directory scans without users needing to rename
to .dll first.
---------
Signed-off-by: jfjrh2014 <jfjrh2014@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-08 10:07:15 -04:00
Arpit Jain
c5c423ab37
fix: detect mariadb version from RHEL build path (#4952)
Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
2026-06-07 13:28:18 -04:00
anchore-oss-update-bot
d4496b05aa
chore(deps): update anchore dependencies (#4934)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
v1.45.1
2026-06-05 13:55:57 +00:00
dependabot[bot]
adc55cdb3a
chore(deps): bump the go-minor-patch group across 1 directory with 3 updates (#4957)
Bumps the go-minor-patch group with 3 updates in the / directory: [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps), [github.com/gpustack/gguf-parser-go](https://github.com/gpustack/gguf-parser-go) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite).


Updates `github.com/gkampitakis/go-snaps` from 0.5.21 to 0.5.22
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.21...v0.5.22)

Updates `github.com/gpustack/gguf-parser-go` from 0.24.0 to 0.24.1
- [Release notes](https://github.com/gpustack/gguf-parser-go/releases)
- [Commits](https://github.com/gpustack/gguf-parser-go/compare/v0.24.0...v0.24.1)

Updates `modernc.org/sqlite` from 1.50.1 to 1.51.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.50.1...v1.51.0)

---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-version: 0.5.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/gpustack/gguf-parser-go
  dependency-version: 0.24.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-05 13:28:05 +00:00
anchore-oss-update-bot
00d0bb59cc
chore(deps): update tool versions (#4724)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-06-05 11:22:28 +00:00
dependabot[bot]
f474308783
chore(deps): bump the go-minor-patch group across 2 directories with 14 updates (#4947)
* chore(deps): bump the go-minor-patch group across 2 directories with 14 updates

Bumps the go-minor-patch group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) | `0.10.0` | `0.11.0` |
| [github.com/Masterminds/semver/v3](https://github.com/Masterminds/semver) | `3.4.0` | `3.5.0` |
| [github.com/diskfs/go-diskfs](https://github.com/diskfs/go-diskfs) | `1.7.0` | `1.9.3` |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) | `2.4.0` | `2.7.0` |
| [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) | `0.21.5` | `0.21.6` |
| [github.com/gookit/color](https://github.com/gookit/color) | `1.6.0` | `1.6.1` |
| [github.com/invopop/jsonschema](https://github.com/invopop/jsonschema) | `0.13.0` | `0.14.0` |
| [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) | `6.7.8` | `6.7.10` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.46.2` | `1.50.1` |

Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make).

Updates `github.com/CycloneDX/cyclonedx-go` from 0.10.0 to 0.11.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases)
- [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.10.0...v0.11.0)

Updates `github.com/Masterminds/semver/v3` from 3.4.0 to 3.5.0
- [Release notes](https://github.com/Masterminds/semver/releases)
- [Changelog](https://github.com/Masterminds/semver/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Masterminds/semver/compare/v3.4.0...v3.5.0)

Updates `github.com/diskfs/go-diskfs` from 1.7.0 to 1.9.3
- [Commits](https://github.com/diskfs/go-diskfs/compare/v1.7.0...v1.9.3)

Updates `github.com/github/go-spdx/v2` from 2.4.0 to 2.7.0
- [Release notes](https://github.com/github/go-spdx/releases)
- [Commits](https://github.com/github/go-spdx/compare/v2.4.0...v2.7.0)

Updates `github.com/google/go-containerregistry` from 0.21.5 to 0.21.6
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.21.5...v0.21.6)

Updates `github.com/gookit/color` from 1.6.0 to 1.6.1
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.6.0...v1.6.1)

Updates `github.com/invopop/jsonschema` from 0.13.0 to 0.14.0
- [Release notes](https://github.com/invopop/jsonschema/releases)
- [Commits](https://github.com/invopop/jsonschema/compare/v0.13.0...v0.14.0)

Updates `github.com/jedib0t/go-pretty/v6` from 6.7.8 to 6.7.10
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.8...v6.7.10)

Updates `github.com/klauspost/compress` from 1.18.5 to 1.18.6
- [Release notes](https://github.com/klauspost/compress/releases)
- [Commits](https://github.com/klauspost/compress/compare/v1.18.5...v1.18.6)

Updates `golang.org/x/mod` from 0.35.0 to 0.36.0
- [Commits](https://github.com/golang/mod/compare/v0.35.0...v0.36.0)

Updates `golang.org/x/net` from 0.53.0 to 0.54.0
- [Commits](https://github.com/golang/net/compare/v0.53.0...v0.54.0)

Updates `golang.org/x/tools` from 0.44.0 to 0.45.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.44.0...v0.45.0)

Updates `modernc.org/sqlite` from 1.46.2 to 1.50.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.46.2...v1.50.1)

Updates `github.com/anchore/go-make` from 0.4.0 to 0.5.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](https://github.com/anchore/go-make/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/Masterminds/semver/v3
  dependency-version: 3.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/diskfs/go-diskfs
  dependency-version: 1.9.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/github/go-spdx/v2
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.21.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/gookit/color
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/invopop/jsonschema
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.7.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: github.com/klauspost/compress
  dependency-version: 1.18.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/mod
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
  dependency-version: 0.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.50.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/anchore/go-make
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

* fix: update signatures to return fs.FileInfo after breaking changes

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

* fix: lint-fix

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-06-04 17:06:25 -04:00
Will Murphy
bf67072246
chore: bump golang.org/x/crypto (#4955)
* chore: bump golang.org/x/crypto

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* also bump golang.org/x/net

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-06-04 16:06:08 -04:00
Will Murphy
9673f867e5
Pass contents: read to check-gate (#4951)
Otherwise check-gate doesn't have enough permissions to do its job and
fails.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
v1.45.0
2026-06-02 16:05:42 -04:00
Matias Insaurralde
a4fb2c0396
perf(python): hoist name normalization regexp to package level (#4926)
Avoid recompiling the separator pattern on every normalize() call during cataloging.

Signed-off-by: Matías Insaurralde <matias@insaurral.de>
2026-06-01 21:17:43 -04:00
witchcraze
cf2ce643c3
update helm classifier (#4922)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-06-01 10:21:57 -04:00
dependabot[bot]
524a44b70d
chore(deps): bump the actions-minor-patch group across 1 directory with 6 updates (#4946)
Bumps the actions-minor-patch group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.6.0` | `0.7.0` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.6.0` | `0.7.0` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.6.0` | `0.7.0` |
| [docker/login-action](https://github.com/docker/login-action) | `4.1.0` | `4.2.0` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.6.0` | `0.7.0` |
| [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.5` | `0.5.6` |



Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](15122524ce...b3e328b5ae)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](15122524ce...b3e328b5ae)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](15122524ce...b3e328b5ae)

Updates `docker/login-action` from 4.1.0 to 4.2.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](4907a6ddec...650006c6eb)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.6.0 to 0.7.0
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](15122524ce...b3e328b5ae)

Updates `zizmorcore/zizmor-action` from 0.5.5 to 0.5.6
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](a16621b09c...5f14fd08f7)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: docker/login-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-29 16:35:04 +00:00
witchcraze
4e86715c1a
fix: improve julia classifier to find shared libs and beta versions (#4945)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-29 12:05:46 -04:00
Alex Goodman
e8c6b7151e
swap postgres signature check for rocky linux baseline rpm (#4941)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-26 10:11:38 -04:00
witchcraze
0fb8762f41
fix: improve deno classifier (#4939)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-25 11:58:10 -04:00
dependabot[bot]
58ddf74140
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates (#4936)
Bumps the actions-minor-patch group with 1 update in the / directory: [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).


Updates `zizmorcore/zizmor-action` from 0.5.3 to 0.5.5
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](b1d7e1fb5d...a16621b09c)

Updates `anchore/go-make` from 0.4.0 to 0.5.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](88c3650598...9de27be11e)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-22 13:42:36 +00:00
dependabot[bot]
b5d828ee14
chore(deps): bump github.com/containerd/containerd/v2 (#4935)
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v2.3.0...v2.3.1)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
  dependency-version: 2.3.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-21 22:17:36 +00:00
Doug Clarke
1c4394fed0
fix: enhancement to java cataloger to consider .zap files as jar files (#4932)
* Enhancements to java cataloger to consider .zap files as jar files - Issue #4654
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
2026-05-21 15:24:38 -04:00
anchore-oss-update-bot
f5c1a0befc
chore(deps): update anchore dependencies (#4821)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-20 19:50:47 +00:00
dependabot[bot]
b1287d45d8
chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#4930)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](https://github.com/go-git/go-git/compare/v5.19.0...v5.19.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-19 16:11:18 +00:00
Alex Goodman
d97216ff70
Remediate audit (#4929)
* remove slack notification on release

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restrict cache usage

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 15:01:37 -04:00
dependabot[bot]
c09a009bda
chore(deps): bump the actions-minor-patch group across 1 directory with 4 updates (#4927)
Bumps the actions-minor-patch group with 4 updates in the / directory: [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) and [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows).


Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.5.0 to 0.6.0
- [Commits](e8cee3a591...15122524ce)

Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)

Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)

Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.4.0 to 0.6.0
- [Commits](8b2b1caf40...15122524ce)

---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
  dependency-version: 0.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-18 16:13:54 +00:00
Alex Goodman
d61af0abab
Port to go-make (#4923)
* port to go-make

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* refresh fixtures on running unit tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address refresh cache issues with old now-gitignored files

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-18 11:59:55 -04:00
anchore-oss-update-bot
89cda82263
chore(deps): update CPE dictionary index (#4925)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-18 10:21:30 -04:00
dependabot[bot]
ee6ace36d1
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4920)
Bumps the actions-minor-patch group with 2 updates in the / directory: [runs-on/action](https://github.com/runs-on/action) and [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer).


Updates `runs-on/action` from 2.1.0 to 2.1.2
- [Release notes](https://github.com/runs-on/action/releases)
- [Commits](742bf56072...d141ef83eb)

Updates `sigstore/cosign-installer` from 4.1.1 to 4.1.2
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](cad07c2e89...6f9f177880)

---
updated-dependencies:
- dependency-name: runs-on/action
  dependency-version: 2.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.1.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-15 13:34:58 +00:00
witchcraze
e2e5e223ab
feat: mysqld, ndbd, ndbmtd and ndb_mgmd classifier (#4907)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-14 11:29:42 -04:00
William Bates
4579d11abc
fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst) (#4740)
* fix: detect compressed kernel modules (.ko.gz, .ko.xz, .ko.zst)

The linux-kernel-cataloger only matched plain *.ko files, missing
compressed modules produced when CONFIG_MODULE_COMPRESS is enabled
(common on Debian 13 / Ubuntu 24.04+). This resulted in near-zero
module packages being reported for such filesystems.

Changes:
- Add *.ko.gz, *.ko.xz, *.ko.zst glob patterns to both the cataloger
  and capabilities.yaml so the file resolver picks up compressed modules
- Add decompressedModuleReader() which detects the extension and
  transparently decompresses via compress/gzip, ulikunitz/xz, or
  klauspost/compress/zstd before handing the ELF bytes to the existing
  parseLinuxKernelModuleMetadata parser
- Promote github.com/klauspost/compress from indirect to direct dependency
- Add unit tests covering all three compression formats plus the
  uncompressed baseline, using a programmatically generated minimal ELF

Fixes #4721

Signed-off-by: Will Bates <william.bates11@outlook.com>

* address reading archives into memory

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Will Bates <william.bates11@outlook.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Bates <william.bates11@outlook.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-13 13:44:18 -04:00
anchore-oss-update-bot
07ae2ca08d
chore(deps): update CPE dictionary index (#4909)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-13 10:03:11 -04:00
Calum Leslie
36969bdeff
fix: Allow duplicates in Yarn "Berry" files (#4691) (#4838)
* fix: Allow duplicates in Yarn "Berry" files (#4691)

Yarn lockfiles can have multiple versions resolved for the same package
name. We correctly allow this in Yarn v1 lockfiles but the "Berry"
YAML-format lockfiles were doing deduplication by package name. This
change removes that deduplication.

Signed-off-by: Calum Leslie <cleslie@atlassian.com>

* fix linting

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Calum Leslie <cleslie@atlassian.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Calum Leslie <cleslie@atlassian.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 21:10:17 +00:00
Alex Goodman
dfb6011083
pin and update fixture versions (#4913)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:30:35 -04:00
Alex Goodman
997a486e22
use released shared workflow (#4914)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-11 16:21:41 -04:00
dependabot[bot]
4f64fbc004
chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#4911)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.18.0 to 5.19.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](https://github.com/go-git/go-git/compare/v5.18.0...v5.19.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-11 16:25:44 +00:00
Alex Goodman
87d6a288d7
Tighten workflow permissions and update release shape (#4899)
* Rework release workflow to canonical shape

Replace the custom quality-gate job with the reusable check-version-available
and check-gate workflows from anchore/workflows. Remove the phase
workflow_dispatch input; the install-script-only path is now a standalone
workflow (release-install-script.yaml) that can be triggered independently.

- add version-available and check-gate jobs using pinned anchore/workflows SHA
- remove phase input and quality-gate job
- release job now needs [check-gate, version-available]
- release-install-script job no longer conditionally skips based on phase
- add release-install-script.yaml for standalone install script runs
- set permissions: {} at workflow level (contents pushed to release job)
- add concurrency: group: release

Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Tighten workflow-level permissions to {}

Change top-level permissions from contents: read to {} in validations.yaml
and validate-github-actions.yaml, pushing the needed contents: read down
to each job that performs a checkout.

Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep install script phase, remove workflow

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove schema detection workflow

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: wagoodman <wagoodman@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-08 17:16:31 -04:00
dependabot[bot]
20987d30d0
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4897)
Bumps the actions-minor-patch group with 2 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action) and [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action).


Updates `github/codeql-action` from 4.35.2 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](95e58e9a2c...e46ed2cbd0)

Updates `slackapi/slack-github-action` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](03ea5433c1...45a88b9581)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-05-08 13:38:31 +00:00
witchcraze
e2007d9bf2
feat: add aws-lc classifier (#4882)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-06 16:43:34 -04:00