Akihiko Komada
3562dab445
fix(lua-rockspec): handle empty and whitespace-only rockspec files gracefully (#4827)
Empty or whitespace-only .rockspec files cause parseRockspecBlock to
panic with "index out of range" because the existing end-of-data guard
requires len(out) > 0 before returning the "unexpected end of block"
error, letting the bare data[*i] access on the next line crash.
Split the guard so that:
- partial content at end of data still returns the existing error
- empty data (or whitespace-only) returns an empty block cleanly
Closes #4824 .
Signed-off-by: Akihiko Komada <aki1770@gmail.com>
2026-04-24 12:44:25 -04:00
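The guard split this commit describes, shown on a toy block parser. This is an added illustration, not syft's code: the grammar (`key = value` lines inside a brace-delimited table), the function names `parseBlock`, `parseBlockBuggy` and `parseEntry`, and the `ErrUnexpectedEnd` value are assumptions for the example. The pre-fix form checks end of data only when entries were already collected, so empty input reaches `data[*i]` and panics; the corrected form checks end of data first and then decides between "partial content" and "empty block".

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnexpectedEnd stands in for the "unexpected end of block" error the commit
// mentions; the name is an assumption, not syft's identifier.
var ErrUnexpectedEnd = errors.New("unexpected end of block")

// Entry is one `key = value` assignment collected from a block.
type Entry struct{ Key, Value string }

func skipSpace(data []byte, i *int) {
	for *i < len(data) && strings.IndexByte(" \t\r\n", data[*i]) >= 0 {
		*i++
	}
}

// parseEntry reads one `key = value` line starting at *i (value runs to end of line).
func parseEntry(data []byte, i *int) (Entry, error) {
	start := *i
	for *i < len(data) && data[*i] != '=' && data[*i] != '\n' {
		*i++
	}
	key := strings.TrimSpace(string(data[start:*i]))
	if *i >= len(data) {
		return Entry{}, ErrUnexpectedEnd // key cut off before its '='
	}
	if data[*i] != '=' || key == "" {
		return Entry{}, fmt.Errorf("malformed assignment at offset %d", *i)
	}
	*i++
	start = *i
	for *i < len(data) && data[*i] != '\n' {
		*i++
	}
	val := strings.Trim(strings.TrimSpace(string(data[start:*i])), `"`)
	return Entry{Key: key, Value: val}, nil
}

// parseBlockBuggy mirrors the guard the commit describes: end of data is handled
// only when entries were already collected, so empty or whitespace-only input
// falls through to data[*i] and panics with an index-out-of-range.
func parseBlockBuggy(data []byte, i *int) ([]Entry, error) {
	var out []Entry
	for {
		skipSpace(data, i)
		if *i >= len(data) && len(out) > 0 {
			return nil, ErrUnexpectedEnd
		}
		if data[*i] == '}' { // crashes when *i == len(data) and out is empty
			*i++
			return out, nil
		}
		e, err := parseEntry(data, i)
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
}

// parseBlock is the corrected form: the guard is split so partial content at end
// of data still fails, while empty (or whitespace-only) data yields an empty block.
func parseBlock(data []byte, i *int) ([]Entry, error) {
	var out []Entry
	for {
		skipSpace(data, i)
		if *i >= len(data) {
			if len(out) > 0 {
				return nil, ErrUnexpectedEnd
			}
			return out, nil
		}
		if data[*i] == '}' {
			*i++
			return out, nil
		}
		e, err := parseEntry(data, i)
		if err != nil {
			return nil, err
		}
		out = append(out, e)
	}
}

// panics reports whether fn panics, so the pre-fix behaviour can be shown safely.
func panics(fn func()) (didPanic bool) {
	defer func() { didPanic = recover() != nil }()
	fn()
	return false
}

func main() {
	i := 0
	fmt.Println("buggy parser panics on empty input:", panics(func() { parseBlockBuggy(nil, &i) }))
	i = 0
	out, err := parseBlock([]byte(" \n\t"), &i)
	fmt.Printf("fixed parser on whitespace-only input: entries=%v err=%v\n", out, err)
}
```

The ordering is the whole point: test `*i >= len(data)` on its own before any `data[*i]` read, and only then look at what was collected. Any parser that indexes a byte slice by a caller-advanced cursor should be fuzzed with the empty and whitespace-only inputs first, since those are exactly the cases a "did we collect anything" guard forgets.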
Sebastiaan van Stijn
014a4c9c59
chore: tidy go.mod (#4823)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-04-23 18:07:11 -04:00
Rez Moss
3cb838eacf
fixed pe dotnet wrong ver, fixed #4813 (#4814)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-22 20:55:56 -04:00
Sai Asish Y
758324b3e8
fix: propagate non-EOF errors out of safeCopy (#4807)
Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
2026-04-22 12:06:03 -04:00
anchore-oss-update-bot
390cf6cce0
chore(deps): update anchore dependencies (#4797)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
v1.43.0
2026-04-22 15:09:10 +00:00
Will Murphy
4393654d03
Chore fix sync bump (#4809)
* chore(deps): update anchore dependencies
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore: update test to account for sync wrapping panic
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-22 08:48:30 -04:00
Weston Steimel
d179724f42
fix: improve redhat-release parsing fallback for RHEL clones (#4808)
Ensures the correct distro id for AlmaLinux and Rocky Linux when falling
back to parsing distro information from the redhat-release file. Also
sets the idlike to `rhel` for these instances as that is necessary to
ensure correct vulnerability data matching.
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
2026-04-22 08:48:08 -04:00
Alex Goodman
2ddaaac706
restore go minimum version to 1.25.8 (#4805)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 15:20:14 -04:00
Alex Goodman
073b4c5d55
chore(deps): restore Go version to 1.25.8 (#4804)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-21 19:02:26 +00:00
witchcraze
ff6c34de7e
fix: improve haskell classifiers (#4793)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-20 12:23:35 -04:00
dependabot[bot]
66ba575ae2
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4790)
Bumps the actions-minor-patch group with 2 updates in the / directory: [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) and [actions/upload-artifact](https://github.com/actions/upload-artifact).
Updates `marocchino/sticky-pull-request-comment` from 3.0.2 to 3.0.3
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](70d2764d1a...d4d6b09364)
Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)
---
updated-dependencies:
- dependency-name: marocchino/sticky-pull-request-comment
dependency-version: 3.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: actions/upload-artifact
dependency-version: 7.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 10:13:26 -04:00
dependabot[bot]
ed306c2a6d
chore(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.18.0 (#4792)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.17.0 to 5.18.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.17.0...v5.18.0)
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.18.0
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-20 10:09:31 -04:00
anchore-oss-update-bot
33bc4b8397
chore(deps): update Go version (#4798)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-20 10:03:15 -04:00
Alex Goodman
89e4e609d5
fix: update jruby download URLs from S3 to GitHub Releases (#4799)
The JRuby project migrated their downloads from S3 to GitHub Releases,
causing the old S3 URLs to return HTTP 403 Forbidden and breaking test
fixture image builds.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-20 13:12:09 +00:00
David Dashti
076fb211cc
fix(cyclonedx): conditionally exclude group from package name (#4791)
Signed-off-by: David Dashti <david.dashti@hermesmedical.com>
2026-04-17 20:21:21 -04:00
witchcraze
26175d74f8
fix: consul classifier (#4741)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-17 10:38:24 -04:00
anchore-actions-token-generator[bot]
9b58efed0c
chore(deps): update tools to latest versions (#4701)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-04-16 15:39:39 -04:00
Yoav Alon
30fe53e629
fix(javascript): accept scalar people fields in package.json (#4779)
Signed-off-by: Yoav Alon <yoav@orca.security>
2026-04-15 14:21:49 -04:00
witchcraze
952469f0f0
update vault classifier (#4742)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-15 14:41:37 +00:00
chaoliang yan
4321ecc66f
fix(javascript): ensure deterministic pnpm lockfile parsing (#4765)
* fix(javascript): ensure deterministic pnpm lockfile parsing
Replace nondeterministic Go map iteration with sorted key iteration
in both v6 and v9 pnpm lockfile parsers. When multiple lockfile keys
collapse to the same package key after peer dependency stripping, the
unsorted map iteration caused different entries to win on each run,
producing unstable artifact IDs and non-reproducible SBOM output.
Fixes #4648
Signed-off-by: lawrence3699 <lawrence3699@users.noreply.github.com>
* add regression test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: lawrence3699 <lawrence3699@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lawrence3699 <lawrence3699@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-15 14:39:57 +00:00
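The nondeterminism this commit fixes, reproduced on a constructed lockfile fragment. This is an added example, not syft's pnpm parser: the `lockEntry` type, the `(peer@version)` suffix shape handled by `stripPeerSuffix`, the `collapseUnsorted`/`collapseSorted` pair and the `fingerprint` helper (standing in for an artifact ID derived from the chosen entries) are assumptions for the illustration. Two lockfile keys that differ only in their peer suffix collapse to one package key; with direct map iteration the survivor is random per run, with sorted keys it is fixed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// lockEntry stands in for one pnpm lockfile "packages" entry; only the field
// this example needs is modelled (constructed, not syft's type).
type lockEntry struct {
	Integrity string
}

// stripPeerSuffix drops the "(peer@version)" suffix that distinguishes peer
// variants of the same package, so "/react@18.2.0(react-dom@18.2.0)" and
// "/react@18.2.0(react-dom@18.3.1)" both collapse to "/react@18.2.0".
func stripPeerSuffix(key string) string {
	if i := strings.IndexByte(key, '('); i >= 0 {
		return key[:i]
	}
	return key
}

// collapseUnsorted ranges over the map directly. When two lockfile keys collapse
// to the same package key, whichever one Go's randomized map order visits first
// wins, so the output can differ from run to run.
func collapseUnsorted(packages map[string]lockEntry) map[string]lockEntry {
	out := make(map[string]lockEntry, len(packages))
	for key, entry := range packages {
		pkgKey := stripPeerSuffix(key)
		if _, seen := out[pkgKey]; !seen {
			out[pkgKey] = entry
		}
	}
	return out
}

// collapseSorted visits lockfile keys in sorted order, so the same variant always
// wins and anything derived from the result (artifact IDs, the SBOM) is reproducible.
func collapseSorted(packages map[string]lockEntry) map[string]lockEntry {
	keys := make([]string, 0, len(packages))
	for k := range packages {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out := make(map[string]lockEntry, len(packages))
	for _, key := range keys {
		pkgKey := stripPeerSuffix(key)
		if _, seen := out[pkgKey]; !seen {
			out[pkgKey] = packages[key]
		}
	}
	return out
}

// fingerprint renders a collapsed set as one canonical string, standing in for
// an artifact ID computed from the chosen entries.
func fingerprint(collapsed map[string]lockEntry) string {
	keys := make([]string, 0, len(collapsed))
	for k := range collapsed {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	for _, k := range keys {
		fmt.Fprintf(&b, "%s=%s;", k, collapsed[k].Integrity)
	}
	return b.String()
}

// sampleLock is a constructed lockfile fragment with two peer variants of react.
var sampleLock = map[string]lockEntry{
	"/lodash@4.17.21":                 {Integrity: "sha512-lodash"},
	"/react@18.2.0(react-dom@18.2.0)": {Integrity: "sha512-react-peerA"},
	"/react@18.2.0(react-dom@18.3.1)": {Integrity: "sha512-react-peerB"},
}

// isStable collapses sampleLock n times and reports whether every run produced
// the same fingerprint.
func isStable(collapse func(map[string]lockEntry) map[string]lockEntry, n int) bool {
	first := fingerprint(collapse(sampleLock))
	for run := 1; run < n; run++ {
		if fingerprint(collapse(sampleLock)) != first {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("sorted collapse stable over 200 runs:  ", isStable(collapseSorted, 200))
	fmt.Println("unsorted collapse stable over 200 runs:", isStable(collapseUnsorted, 200))
	fmt.Println(fingerprint(collapseSorted(sampleLock)))
}
```

Running `main` a few times shows the sorted form always reporting stable while the unsorted form flips between the two react variants. For an SBOM this matters beyond cosmetics: a consumer diffing two scans of the same image, or verifying an attestation over the SBOM, sees spurious changes whenever the winner changes.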
anchore-oss-update-bot
5b58ec96b7
chore(deps): update Go version (#4773)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-15 10:01:39 -04:00
Will Murphy
26e87c7cd3
fix format string in search results (#4775)
Passing '%q' to format strings for integer types is a go vet error in
recent go versions, and likely a bug.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-04-14 12:59:44 -04:00
Rez Moss
722e3f267b
added deno bin classifiers (#4677)
Signed-off-by: Rez Moss <hi@rezmoss.com>
2026-04-14 11:33:26 -04:00
nadimz
c09f42e024
feat: support zImage and bzImage in linux-kernel-cataloger (#4751)
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
2026-04-14 10:02:20 -04:00
Alex Goodman
19b4f41270
pin wolfi cache version (#4774)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-14 09:15:24 -04:00
nadimz
bcc1f15ceb
feat: OpenLDAP binary classifier (#4755)
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
2026-04-13 16:27:48 -04:00
dependabot[bot]
ce2c56bf06
chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#4750)
Bumps [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) from 1.96.0 to 1.97.3.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.96.0...service/s3/v1.97.3)
---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
dependency-version: 1.97.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 15:47:17 -04:00
dependabot[bot]
532fbafe36
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#4752)
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.40.0...v1.43.0)
---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.43.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 15:22:53 -04:00
dependabot[bot]
8835af66b0
chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#4737)
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4)
---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
dependency-version: 4.1.4
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 14:58:53 -04:00
dependabot[bot]
f4290cb876
chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (#4763)
Bumps the actions-minor-patch group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [docker/login-action](https://github.com/docker/login-action) | `4.0.0` | `4.1.0` |
| [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.23.0` | `0.24.0` |
| [runs-on/action](https://github.com/runs-on/action) | `2.0.3` | `2.1.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `8.0.0` | `8.0.1` |
| [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `4.0.0` | `4.1.1` |
Bumps the actions-minor-patch group with 2 updates in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go) and [actions/cache](https://github.com/actions/cache).
Updates `docker/login-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](b45d80f862...4907a6ddec)
Updates `anchore/sbom-action` from 0.23.0 to 0.24.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](17ae174017...e22c389904)
Updates `runs-on/action` from 2.0.3 to 2.1.0
- [Release notes](https://github.com/runs-on/action/releases)
- [Commits](cd2b598b05...742bf56072)
Updates `actions/download-artifact` from 8.0.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](70fc10c6e5...3e5f45b2cf)
Updates `sigstore/cosign-installer` from 4.0.0 to 4.1.1
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](faadad0cce...cad07c2e89)
Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4b73464bb3...4a3601121d)
Updates `actions/setup-go` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4b73464bb3...4a3601121d)
Updates `actions/cache` from 5.0.3 to 5.0.4
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](cdf6c1fa76...668228422a)
---
updated-dependencies:
- dependency-name: docker/login-action
dependency-version: 4.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: anchore/sbom-action
dependency-version: 0.24.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: runs-on/action
dependency-version: 2.1.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: sigstore/cosign-installer
dependency-version: 4.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: actions/setup-go
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
- dependency-name: actions/cache
dependency-version: 5.0.4
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 11:39:21 -04:00
dependabot[bot]
990cc3c599
chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#4764)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.8.5 to 1.8.6.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.5...v1.8.6)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-version: 1.8.6
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-13 11:39:08 -04:00
witchcraze
03d6399b0c
fix: update erlang classifier (#4766)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-13 11:31:19 -04:00
anchore-oss-update-bot
1e08f703d0
chore(deps): update CPE dictionary index (#4767)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-13 11:28:50 -04:00
witchcraze
e420322494
fix: more istio classifier matching (#4645)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-04-12 10:54:08 -04:00
Benjamin Grandfond
cc3b8eb48f
fix(json): use value alias in Document.UnmarshalJSON to prevent infinite recursion with encoding/json/v2 (#4748)
The pattern 'type Alias *Document' does not strip methods under
encoding/json/v2 (GOEXPERIMENT=jsonv2), causing UnmarshalJSON to call
itself infinitely until the goroutine stack overflows (1GB limit).
Change to 'type Alias Document' with (*Alias)(d) cast — the standard
Go pattern that works correctly with both encoding/json v1 and v2.
Adds a regression test that uses debug.SetMaxStack to shrink the
goroutine stack limit to 8MB, making the overflow happen in milliseconds
rather than minutes if the recursion is reintroduced.
Ref: https://github.com/golang/go/issues/75361
Signed-off-by: Benjamin Grandfond <benjamin.grandfond@docker.com>
2026-04-10 13:36:07 -04:00
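The value-alias pattern this commit adopts, in a self-contained form. This is an added example, not syft's `Document` type or its `UnmarshalJSON`: the struct fields, the schema-defaulting and validation step, and the `ErrUnsupportedSchema` value are assumptions chosen to show why a custom `UnmarshalJSON` exists at all. The behaviour of the discarded `type Alias *Document` form under `encoding/json/v2` is as the commit message and the linked Go issue describe; this block only shows the form that is safe under both decoders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Document is a constructed stand-in for a top-level SBOM document whose
// custom UnmarshalJSON post-processes the decoded value (not syft's type).
type Document struct {
	Schema    string   `json:"schema"`
	Artifacts []string `json:"artifacts"`
}

// ErrUnsupportedSchema is an assumed error value for the example's validation step.
var ErrUnsupportedSchema = errors.New("unsupported schema version")

// UnmarshalJSON decodes through a value alias. `alias` is a distinct named type
// that shares Document's underlying struct but none of its methods, so neither
// encoding/json v1 nor v2 finds an UnmarshalJSON on *alias and both fall back to
// plain struct decoding. A pointer alias (`type alias *Document`) is not
// equivalent under v2: the commit reports it re-entering this method until the
// goroutine stack is exhausted.
func (d *Document) UnmarshalJSON(b []byte) error {
	type alias Document
	if err := json.Unmarshal(b, (*alias)(d)); err != nil {
		return err
	}
	// Post-processing is the reason for the custom method: default a missing
	// schema and reject versions this code cannot read.
	if d.Schema == "" {
		d.Schema = "1.0"
	}
	switch d.Schema {
	case "1.0", "2.0":
		return nil
	default:
		return fmt.Errorf("%w: %q", ErrUnsupportedSchema, d.Schema)
	}
}

// ParseDocument decodes a JSON document through the alias-based UnmarshalJSON above.
func ParseDocument(b []byte) (Document, error) {
	var d Document
	err := json.Unmarshal(b, &d)
	return d, err
}

func main() {
	doc, err := ParseDocument([]byte(`{"schema":"2.0","artifacts":["pkg:npm/lodash@4.17.21"]}`))
	fmt.Printf("%+v err=%v\n", doc, err)
	_, err = ParseDocument([]byte(`{"schema":"9"}`))
	fmt.Println("unsupported:", err)
}
```

The conversion `(*alias)(d)` is legal because `alias` and `Document` have identical underlying types; what it changes is the method set the decoder sees. The same rule applies to `MarshalJSON`: a value alias on the encode side avoids the mirror-image recursion.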
Alex Goodman
d0ee9098cf
bump version (#4756)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-09 21:11:47 +00:00
Alex Goodman
344d1f47a1
support single arch images without manifests when checking platform (#4753)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-09 15:54:41 +00:00
anchore-oss-update-bot
f618917527
chore(deps): update CPE dictionary index (#4745)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
v1.42.4
2026-04-08 13:06:28 -04:00
Will Murphy
99158be0ba
chore: move test fixtures to oss-cache repo (#4733)
* chore: move test fixtures to oss-cache repo
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* pr feedback: sort vars in taskfile
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-02 20:50:43 +00:00
Alex Goodman
2089d086fe
chore: update zizmor workflow triggers (#4732)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-02 14:56:46 -04:00
Alex Goodman
b0dc65a4fb
improve automation (#4730)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-02 12:44:54 -04:00
Alex Goodman
611a24fcae
(chore): removing automations (#4727)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-04-01 14:27:29 -04:00
anchore-oss-update-bot
da601363ed
chore(deps): update CPE dictionary index (#4726)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-04-01 10:24:27 -04:00
Will Murphy
0d748ec700
chore: cpe index update job needs tools (#4725)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-04-01 09:35:17 -04:00
Will Murphy
d60e43f822
chore: move CPE cache to oss-cache repo (#4723)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-04-01 06:57:47 -04:00
anchore-actions-token-generator[bot]
2884cc77fc
chore(deps): update CPE dictionary index (#4715)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-31 14:28:15 -04:00
anchore-oss-update-bot
c11a79ef19
chore(deps): update tool versions (#4706)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
2026-03-31 14:06:07 -04:00
Josh Bressers
90198da04d
Add a trust boundary section (#4716)
Signed-off-by: Josh Bressers <josh@bress.net>
2026-03-30 11:29:37 -05:00
dependabot[bot]
d71b747cd1
chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 (#4684)
Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 2.1.1 to 3.0.1.
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Commits](91efab103c...af78098f53)
---
updated-dependencies:
- dependency-name: slackapi/slack-github-action
dependency-version: 3.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-26 11:12:33 -04:00
dependabot[bot]
58a8a95e26
chore(deps): bump marocchino/sticky-pull-request-comment (#4685)
Bumps [marocchino/sticky-pull-request-comment](https://github.com/marocchino/sticky-pull-request-comment) from 2.9.4 to 3.0.2.
- [Release notes](https://github.com/marocchino/sticky-pull-request-comment/releases)
- [Commits](773744901b...70d2764d1a)
---
updated-dependencies:
- dependency-name: marocchino/sticky-pull-request-comment
dependency-version: 3.0.2
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-25 19:27:59 -04:00