ChrisJr404
1caf243d29
fix(source): treat exclude paths with trailing slash as directories ( #4892 )
...
A trailing slash on --exclude (e.g. './lib/') is dropped during pattern
normalization but doublestar.Match still requires an exact string match,
so the resulting pattern silently matches nothing and the directory is
not excluded. Strip a trailing slash so './lib/' and './lib' behave the
same.
Fixes #4839
Signed-off-by: ChrisJr404 <chris@hacknow.com>
2026-05-06 14:51:41 +00:00
PGray
48e91312e8
fix(dotnet): align runtime CPEs with NVD ( #4743 )
...
Signed-off-by: PGray <PGrayCS@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: PGray <PGrayCS@users.noreply.github.com>
2026-05-06 13:07:49 +00:00
bahtyar
d81df67493
fix(debian): only parse machine-readable copyright files with Format header ( #4754 )
...
* fix(debian): only parse machine-readable copyright files with Format header
Only parse debian/copyright files as machine-readable DEP-5 format when
they contain the mandatory Format header field pointing to the copyright
specification URI. Files without this header are free-form text and
should not have License: regex patterns applied to them, which previously
produced nonsensical results like "#", "Permission", "This", "see" for
non-machine-readable files.
The fallback license classifier in the debian cataloger will handle
non-machine-readable files by doing full-text license identification.
Closes #4708
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* decompose parseLicensesFromCopyright to address linting issues
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Bahtya <bahtya@users.noreply.github.com>
Signed-off-by: Bahtya <bahtayr@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Bahtya <bahtayr@gmail.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-06 13:02:27 +00:00
dependabot[bot]
47cda2b5ef
chore(deps): bump the actions-minor-patch group across 2 directories with 5 updates ( #4846 )
...
Bumps the actions-minor-patch group with 4 updates in the / directory: [github/codeql-action](https://github.com/github/codeql-action ), [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment ), [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action ) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache ).
Updates `github/codeql-action` from 4.35.1 to 4.35.2
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c10b8064de...95e58e9a2chttps://github.com/marocchino/sticky-pull-request-comment/releases )
- [Commits](d4d6b09364...0ea0beb66ehttps://github.com/slackapi/slack-github-action/releases )
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md )
- [Commits](af78098f53...03ea5433c1https://github.com/zizmorcore/zizmor-action/releases )
- [Commits](71321a20a9...b1d7e1fb5dhttps://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10
2026-05-05 11:42:04 -04:00
Rayan Salhab
ae711963d1
fix: parse arbitrary equality python requirements ( #4835 )
...
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-05-05 13:49:03 +00:00
Alex Goodman
f878197150
chore: remove common workflows ( #4881 )
...
Removes deprecated common workflows now centralized elsewhere.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-05-04 14:31:07 -04:00
witchcraze
514efb03e0
fix: prevent redis classifier from detecting valkey ( #4619 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-05-04 14:07:29 -04:00
anchore-oss-update-bot
1e4f424f09
chore(deps): update CPE dictionary index ( #4831 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-05-04 10:14:08 -04:00
ChrisJr404
b5f0877967
fix: map "nuget" purl type to DotnetPkg in TypeByName ( #4848 )
...
Signed-off-by: Chris (ChrisJr404) <11917633+ChrisJr404@users.noreply.github.com>
2026-05-04 08:51:19 -04:00
Rayan Salhab
8cb78ce40c
fix: resolve yarn lock aliases to source package ( #4836 )
...
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
2026-04-29 09:50:09 -04:00
witchcraze
3b046b3787
chore: move snippet files from test-fixtures to testdata ( #4830 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-27 11:09:21 -04:00
Ludovic Henry
05cc8ee5f4
Add support for linux-riscv64 ( #4757 )
2026-04-27 10:21:41 +00:00
Akihiko Komada
3562dab445
fix(lua-rockspec): handle empty and whitespace-only rockspec files gracefully ( #4827 )
...
Empty or whitespace-only .rockspec files cause parseRockspecBlock to
panic with "index out of range" because the existing end-of-data guard
requires len(out) > 0 before returning the "unexpected end of block"
error, letting the bare data[*i] access on the next line crash.
Split the guard so that:
- partial content at end of data still returns the existing error
- empty data (or whitespace-only) returns an empty block cleanly
Closes #4824 .
Signed-off-by: Akihiko Komada <aki1770@gmail.com>
2026-04-24 12:44:25 -04:00
Sebastiaan van Stijn
014a4c9c59
chore: tidy go.mod ( #4823 )
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-23 18:07:11 -04:00
Rez Moss
3cb838eacf
fixed pe dotnet wrong ver , fixed #4813 ( #4814 )
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-22 20:55:56 -04:00
Sai Asish Y
758324b3e8
fix: propagate non-EOF errors out of safeCopy ( #4807 )
...
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
2026-04-22 12:06:03 -04:00
anchore-oss-update-bot
390cf6cce0
chore(deps): update anchore dependencies ( #4797 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 15:09:10 +00:00
Will Murphy
4393654d03
Chore fix sync bump ( #4809 )
...
* chore(deps): update anchore dependencies
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore: update test to account for sync wrapping panic
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 08:48:30 -04:00
Weston Steimel
d179724f42
fix: improve redhat-release parsing fallback for RHEL clones ( #4808 )
...
Ensures the correct distro id for AlmaLinux and Rocky Linux when falling
back to parsing distro information from the redhat-release file. Also
sets the idlike to `rhel` for these instances as that is necessary to
ensure correct vulnerability data matching.
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
2026-04-22 08:48:08 -04:00
Alex Goodman
2ddaaac706
restore go minimum version to 1.25.8 ( #4805 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 15:20:14 -04:00
Alex Goodman
073b4c5d55
chore(deps): restore Go version to 1.25.8 ( #4804 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 19:02:26 +00:00
witchcraze
ff6c34de7e
fix: improve haskell classifiers ( #4793 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-20 12:23:35 -04:00
dependabot[bot]
66ba575ae2
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4790 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment ) and [actions/upload-artifact](https://github.com/actions/upload-artifact ).
Updates `marocchino/sticky-pull-request-comment` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases )
- [Commits](70d2764d1a...d4d6b09364https://github.com/actions/upload-artifact/releases )
- [Commits](bbbca2ddaa...043fb46d1a
2026-04-20 10:13:26 -04:00
dependabot[bot]
ed306c2a6d
chore(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.18.0 ( #4792 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.17.0...v5.18.0 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.18.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 10:09:31 -04:00
anchore-oss-update-bot
33bc4b8397
chore(deps): update Go version ( #4798 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-20 10:03:15 -04:00
Alex Goodman
89e4e609d5
fix: update jruby download URLs from S3 to GitHub Releases ( #4799 )
...
The JRuby project migrated their downloads from S3 to GitHub Releases,
causing the old S3 URLs to return HTTP 403 Forbidden and breaking test
fixture image builds.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-20 13:12:09 +00:00
David Dashti
076fb211cc
fix(cyclonedx): conditionally exclude group from package name ( #4791 )
...
Signed-off-by: David Dashti <david.dashti@hermesmedical.com>
2026-04-17 20:21:21 -04:00
witchcraze
26175d74f8
fix: consul classifier ( #4741 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-17 10:38:24 -04:00
anchore-actions-token-generator[bot]
9b58efed0c
chore(deps): update tools to latest versions ( #4701 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-04-16 15:39:39 -04:00
Yoav Alon
30fe53e629
fix(javascript): accept scalar people fields in package.json ( #4779 )
...
Signed-off-by: Yoav Alon <yoav@orca.security>
2026-04-15 14:21:49 -04:00
witchcraze
952469f0f0
update vault classifier ( #4742 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-15 14:41:37 +00:00
chaoliang yan
4321ecc66f
fix(javascript): ensure deterministic pnpm lockfile parsing ( #4765 )
...
* fix(javascript): ensure deterministic pnpm lockfile parsing
Replace nondeterministic Go map iteration with sorted key iteration
in both v6 and v9 pnpm lockfile parsers. When multiple lockfile keys
collapse to the same package key after peer dependency stripping, the
unsorted map iteration caused different entries to win on each run,
producing unstable artifact IDs and non-reproducible SBOM output.
Fixes #4648
Signed-off-by: lawrence3699 <lawrence3699@users.noreply.github.com>
* add regression test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: lawrence3699 <lawrence3699@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lawrence3699 <lawrence3699@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-15 14:39:57 +00:00
anchore-oss-update-bot
5b58ec96b7
chore(deps): update Go version ( #4773 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-15 10:01:39 -04:00
Will Murphy
26e87c7cd3
fix format string in search results ( #4775 )
...
Passing '%q' to format strings for integer types is a go vet error in
recent go versions, and likely a bug.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-04-14 12:59:44 -04:00
Rez Moss
722e3f267b
added deno bin classifiers ( #4677 )
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-14 11:33:26 -04:00
nadimz
c09f42e024
feat: support zImage and bzImage in linux-kernel-cataloger ( #4751 )
...
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
2026-04-14 10:02:20 -04:00
Alex Goodman
19b4f41270
pin wolfi cache version ( #4774 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-14 09:15:24 -04:00
nadimz
bcc1f15ceb
feat: OpenLDAP binary classifier ( #4755 )
...
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
2026-04-13 16:27:48 -04:00
dependabot[bot]
ce2c56bf06
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 ( #4750 )
...
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2 ) from 1.96.0 to 1.97.3.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases )
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.96.0...service/s3/v1.97.3 )
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.97.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 15:47:17 -04:00
dependabot[bot]
532fbafe36
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 ( #4752 )
...
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go ) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.40.0...v1.43.0 )
---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.43.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 15:22:53 -04:00
dependabot[bot]
8835af66b0
chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 ( #4737 )
...
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose ) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases )
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4 )
---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
dependency-version: 4.1.4
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 14:58:53 -04:00
dependabot[bot]
f4290cb876
chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates ( #4763 )
...
Bumps the actions-minor-patch group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [docker/login-action](https://github.com/docker/login-action ) | `4.0.0` | `4.1.0` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action ) | `0.23.0` | `0.24.0` |
| [runs-on/action](https://github.com/runs-on/action ) | `2.0.3` | `2.1.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact ) | `8.0.0` | `8.0.1` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) | `4.0.0` | `4.1.1` |
Bumps the actions-minor-patch group with 2 updates in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go ) and [actions/cache](https://github.com/actions/cache ).
Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](b45d80f862...4907a6ddechttps://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](17ae174017...e22c389904https://github.com/runs-on/action/releases )
- [Commits](cd2b598b05...742bf56072https://github.com/actions/download-artifact/releases )
- [Commits](70fc10c6e5...3e5f45b2cfhttps://github.com/sigstore/cosign-installer/releases )
- [Commits](faadad0cce...cad07c2e89https://github.com/actions/setup-go/releases )
- [Commits](4b73464bb3...4a3601121dhttps://github.com/actions/setup-go/releases )
- [Commits](4b73464bb3...4a3601121dhttps://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](cdf6c1fa76...668228422a
2026-04-13 11:39:21 -04:00
dependabot[bot]
990cc3c599
chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 ( #4764 )
...
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter ) from 1.8.5 to 1.8.6.
- [Release notes](https://github.com/hashicorp/go-getter/releases )
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.5...v1.8.6 )
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-version: 1.8.6
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 11:39:08 -04:00
witchcraze
03d6399b0c
fix: update erlang classifier ( #4766 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-13 11:31:19 -04:00
anchore-oss-update-bot
1e08f703d0
chore(deps): update CPE dictionary index ( #4767 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-13 11:28:50 -04:00
witchcraze
e420322494
fix: more istio classifier matching ( #4645 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-12 10:54:08 -04:00
Benjamin Grandfond
cc3b8eb48f
fix(json): use value alias in Document.UnmarshalJSON to prevent infinite recursion with encoding/json/v2 ( #4748 )
...
The pattern 'type Alias *Document' does not strip methods under
encoding/json/v2 (GOEXPERIMENT=jsonv2), causing UnmarshalJSON to call
itself infinitely until the goroutine stack overflows (1GB limit).
Change to 'type Alias Document' with (*Alias)(d) cast — the standard
Go pattern that works correctly with both encoding/json v1 and v2.
Adds a regression test that uses debug.SetMaxStack to shrink the
goroutine stack limit to 8MB, making the overflow happen in milliseconds
rather than minutes if the recursion is reintroduced.
Ref: https://github.com/golang/go/issues/75361
Signed-off-by: Benjamin Grandfond <benjamin.grandfond@docker.com>
2026-04-10 13:36:07 -04:00
Alex Goodman
d0ee9098cf
bump version ( #4756 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-09 21:11:47 +00:00
Alex Goodman
344d1f47a1
support single arch images without manifests when checking platform ( #4753 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-09 15:54:41 +00:00
anchore-oss-update-bot
f618917527
chore(deps): update CPE dictionary index ( #4745 )
...
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-08 13:06:28 -04:00
