Alex Goodman
5ea14d6e8b
[wip] prototype
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-03-11 10:00:29 -04:00
anchore-actions-token-generator[bot]
75455f050a
chore(deps): update anchore dependencies ( #4631 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-03-09 18:10:53 +00:00
anchore-actions-token-generator[bot]
22e78c7be1
chore(deps): update tools to latest versions ( #4630 )
...
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore(lint): fix errors in new golangci-lint
Two fixes:
First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...)
Second, suppress errors where we read from the local file system at a
user provided path. This is a CLI tool, and reads from user provided
paths on the local file system by design.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-03-09 12:17:09 -04:00
anchore-actions-token-generator[bot]
d2461a9e0a
chore(deps): update SPDX license list ( #4637 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-09 11:02:47 -04:00
dependabot[bot]
01f0e332c2
chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 ( #4658 )
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](37930b1c2a...70fc10c6e5
2026-03-09 10:37:33 -04:00
dependabot[bot]
c88051d74e
chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 ( #4638 )
...
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl ) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/cloudflare/circl/releases )
- [Commits](https://github.com/cloudflare/circl/compare/v1.6.1...v1.6.3 )
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-version: 1.6.3
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:34:11 -04:00
dependabot[bot]
7d3d1c6237
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates ( #4657 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [actions/setup-go](https://github.com/actions/setup-go ) and [anchore/sbom-action](https://github.com/anchore/sbom-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go ).
Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](7a3fe6cf4c...4b73464bb3https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](28d71544de...17ae174017https://github.com/actions/setup-go/releases )
- [Commits](7a3fe6cf4c...4b73464bb3
2026-03-09 10:33:14 -04:00
dependabot[bot]
dcba765d86
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 ( #4659 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](b7c566a772...bbbca2ddaa
2026-03-09 10:32:22 -04:00
dependabot[bot]
2c201469c3
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 ( #4646 )
...
Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go ) from 1.39.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases )
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md )
- [Commits](https://github.com/open-telemetry/opentelemetry-go/compare/v1.39.0...v1.40.0 )
---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
dependency-version: 1.40.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:29:46 -04:00
anchore-actions-token-generator[bot]
c583da1c15
chore(deps): update CPE dictionary index ( #4647 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-03-09 10:26:42 -04:00
dependabot[bot]
22014b6022
chore(deps): bump the go-minor-patch group across 1 directory with 5 updates ( #4661 )
...
Bumps the go-minor-patch group with 5 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx ) | `2.3.6` | `2.4.0` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy ) | `5.7.0` | `5.8.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) | `5.16.5` | `5.17.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.50.0` | `0.51.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) | `1.45.0` | `1.46.1` |
Updates `github.com/github/go-spdx/v2` from 2.3.6 to 2.4.0
- [Release notes](https://github.com/github/go-spdx/releases )
- [Commits](https://github.com/github/go-spdx/compare/v2.3.6...v2.4.0 )
Updates `github.com/go-git/go-billy/v5` from 5.7.0 to 5.8.0
- [Release notes](https://github.com/go-git/go-billy/releases )
- [Commits](https://github.com/go-git/go-billy/compare/v5.7.0...v5.8.0 )
Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.0
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.16.5...v5.17.0 )
Updates `golang.org/x/net` from 0.50.0 to 0.51.0
- [Commits](https://github.com/golang/net/compare/v0.50.0...v0.51.0 )
Updates `modernc.org/sqlite` from 1.45.0 to 1.46.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.45.0...v1.46.1 )
---
updated-dependencies:
- dependency-name: github.com/github/go-spdx/v2
dependency-version: 2.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-billy/v5
dependency-version: 5.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.46.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-09 10:20:06 -04:00
Alex Goodman
b5e85c3ea5
chore: migrate fixtures to testdata ( #4651 )
...
* migrate fixtures to testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: correct broken symlinks after testdata migration
The migration from test-fixtures to testdata broke several symlinks:
- elf-test-fixtures symlinks pointed to old test-fixtures paths
- elf-test-fixtures needed to be renamed to elf-testdata
- image-pkg-coverage symlink pointed to test-fixtures instead of testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: handle missing classifiers/bin directory in Makefile
The clean-fingerprint target was failing when classifiers/bin doesn't
exist (e.g., on fresh clone without downloaded binaries).
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negation for jar/zip fixtures in test/cli
The jar and zip files in test/cli/testdata/image-unknowns were being
gitignored by the root .gitignore patterns. This caused them to be
untracked and not included when building docker images in CI, resulting
in Test_Unknowns failures since the test expects errors from corrupt
archive files that weren't present.
Add a .gitignore in test/cli/testdata to negate the exclusions for
these specific test fixture files.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* switch fixture cache to v2
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update expected versions for rebuilt fixtures
Update test expectations for packages that have been updated in
upstream repositories when docker images are rebuilt:
- glibc: 2.42-r4 → 2.43-r1 (wolfi)
- php: 8.2.29 → 8.2.30 (ubuntu/apache)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add go-shlex dependency for testdata manager tool
The manager tool in syft/pkg/cataloger/binary/testdata/ imports
go-shlex, but since it's in a testdata directory, Go doesn't track
its dependencies. This caused CI failures when go.mod didn't
explicitly list the dependency.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor: move binary classifier manager to internal/
Move the manager tool from testdata/manager to internal/manager so
that Go properly tracks its dependencies. Code in testdata directories
is ignored by Go for dependency tracking, which caused CI failures
when go.mod didn't explicitly list transitive dependencies.
This is a cleaner solution than manually adding dependencies to go.mod
for code that happens to live in testdata.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negations for test fixtures blocked by root patterns
Multiple test fixtures were being blocked by root-level gitignore patterns
like bin/, *.jar, *.tar, and *.exe. This adds targeted .gitignore files with
negation patterns to allow these specific test fixtures to be tracked:
- syft/linux/testdata/os/busybox/bin/busybox (blocked by bin/)
- syft/pkg/cataloger/java/testdata/corrupt/example.{jar,tar} (blocked by *.jar, *.tar)
- syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/**/bin/go (blocked by bin/)
- syft/pkg/cataloger/bitnami/testdata/no-rel/.../bin/redis-server (blocked by bin/)
Also updates the bitnami test expectation to include the newly required
.gitignore files in the test fixture.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update glibc version expectation (2.43-r1 -> 2.43-r2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add capability drift check as unit step
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dont clear test observations before drift detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump stereoscope commit to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-03-06 19:42:04 +00:00
Dimitri John Ledkov
35278f3d3d
fix(java): improve lz4 detection ( #4642 )
...
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2026-02-27 14:38:05 -05:00
Paweł Pałucha
db76d85d51
fix: use correct hashes for empty files ( #4620 )
...
Signed-off-by: Paweł Pałucha <pawel.palucha@chainguard.dev>
2026-02-24 09:52:29 -05:00
witchcraze
e9e7e20cc8
fix: grafana classifier ( #4635 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2026-02-23 09:38:02 -05:00
anchore-actions-token-generator[bot]
eb072deb9c
chore(deps): update CPE dictionary index ( #4636 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-02-23 08:19:30 -05:00
dependabot[bot]
f4fc2d669a
chore(deps): bump github/codeql-action ( #4634 )
...
Bumps the actions-minor-patch group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action ).
Updates `github/codeql-action` from 4.31.10 to 4.32.3
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cdefb33c0f...9e907b5e64
2026-02-20 08:41:46 -05:00
dependabot[bot]
f5110f109a
chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1 to 1.0.0 ( #4633 )
...
Bumps [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles ) from 0.21.1 to 1.0.0.
- [Release notes](https://github.com/charmbracelet/bubbles/releases )
- [Commits](https://github.com/charmbracelet/bubbles/compare/v0.21.1...v1.0.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbles
dependency-version: 1.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-20 08:41:21 -05:00
dependabot[bot]
612eadb22e
chore(deps): bump the go-minor-patch group with 5 updates ( #4632 )
...
Bumps the go-minor-patch group with 5 updates:
| Package | From | To |
| --- | --- | --- |
| [golang.org/x/mod](https://github.com/golang/mod ) | `0.32.0` | `0.33.0` |
| [golang.org/x/net](https://github.com/golang/net ) | `0.49.0` | `0.50.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) | `1.44.3` | `1.45.0` |
| [golang.org/x/tools](https://github.com/golang/tools ) | `0.41.0` | `0.42.0` |
| [github.com/gpustack/gguf-parser-go](https://github.com/gpustack/gguf-parser-go ) | `0.23.1` | `0.24.0` |
Updates `golang.org/x/mod` from 0.32.0 to 0.33.0
- [Commits](https://github.com/golang/mod/compare/v0.32.0...v0.33.0 )
Updates `golang.org/x/net` from 0.49.0 to 0.50.0
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.50.0 )
Updates `modernc.org/sqlite` from 1.44.3 to 1.45.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0 )
Updates `golang.org/x/tools` from 0.41.0 to 0.42.0
- [Release notes](https://github.com/golang/tools/releases )
- [Commits](https://github.com/golang/tools/compare/v0.41.0...v0.42.0 )
Updates `github.com/gpustack/gguf-parser-go` from 0.23.1 to 0.24.0
- [Release notes](https://github.com/gpustack/gguf-parser-go/releases )
- [Commits](https://github.com/gpustack/gguf-parser-go/compare/v0.23.1...v0.24.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-version: 0.33.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
dependency-version: 0.50.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.45.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
dependency-version: 0.42.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/gpustack/gguf-parser-go
dependency-version: 0.24.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-20 08:40:09 -05:00
Will Murphy
0a3f7bb06e
chore: call cleanup on tmpfile and replace some io.ReadAlls with streams ( #4629 )
...
* fix(deb and snaps): prevent excess reads
Previously, Syft could allocate excess memory or tempfile space if there
were highly compressed objects in deb archives, or at paths where the
kernel changelog was expected by the snap cataloger. Use io.LimitReaders
for extracting parts of deb archives, and refactor the snap cataloger's
reading of the kernel changelog to use a streaming parsing, eliminating
the possibility of excess allocation.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix: always cleanup temp file from file source
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* use streaming strategy for deb archives
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-02-17 17:32:35 -05:00
Christopher Angelo Phillips
2fe5f9c7b8
fix: bumps go mod version to 1.25; ci takes latest patch ( #4628 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-02-17 12:04:51 -05:00
anchore-actions-token-generator[bot]
f70631a719
chore(deps): update tools to latest versions ( #4614 )
...
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: ci rules revive
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-02-17 11:19:37 -05:00
dependabot[bot]
0bb3741c87
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4622 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [anchore/sbom-action](https://github.com/anchore/sbom-action ) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Updates `anchore/sbom-action` from 0.21.1 to 0.22.2
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](0b82b0b1a2...28d71544dehttps://github.com/zizmorcore/zizmor-action/releases )
- [Commits](135698455d...0dce2577a4
2026-02-17 11:16:26 -05:00
dependabot[bot]
458ebbbff8
chore(deps): bump the go-minor-patch group with 2 updates ( #4621 )
...
Bumps the go-minor-patch group with 2 updates: [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go ) and [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles ).
Updates `github.com/CycloneDX/cyclonedx-go` from 0.9.3 to 0.10.0
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases )
- [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.9.3...v0.10.0 )
Updates `github.com/charmbracelet/bubbles` from 0.21.0 to 0.21.1
- [Release notes](https://github.com/charmbracelet/bubbles/releases )
- [Commits](https://github.com/charmbracelet/bubbles/compare/v0.21.0...v0.21.1 )
---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
dependency-version: 0.10.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: github.com/charmbracelet/bubbles
dependency-version: 0.21.1
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-17 10:14:13 -05:00
anchore-actions-token-generator[bot]
fb3f560e43
chore(deps): update CPE dictionary index ( #4623 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-02-17 09:50:12 -05:00
Scott Hebert
89b901b20b
Use redhat as namespace for hummingbird rpms ( #4615 )
...
The namespace value of `redhat` signifies this as an RPM package
produced and distributed by Red Hat.
Signed-off-by: Scott Hebert <scoheb@gmail.com>
2026-02-11 14:19:20 -05:00
anchore-actions-token-generator[bot]
9872ff36ba
chore(deps): update anchore dependencies ( #4613 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-02-10 17:19:56 +00:00
dependabot[bot]
31c503124f
chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 ( #4612 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.16.4 to 5.16.5.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.16.4...v5.16.5 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-version: 5.16.5
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-10 08:25:31 -05:00
Christopher Angelo Phillips
2c5e193f7a
feat: Add support for scanning GGUF models from OCI registries ( #4335 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2026-02-09 16:05:52 -05:00
anchore-actions-token-generator[bot]
3a23cfff1d
chore(deps): update CPE dictionary index ( #4610 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2026-02-08 22:02:34 -05:00
dependabot[bot]
443de210ca
chore(deps): bump github.com/bmatcuk/doublestar/v4 ( #4606 )
...
Bumps the go-minor-patch group with 1 update: [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar ).
Updates `github.com/bmatcuk/doublestar/v4` from 4.9.2 to 4.10.0
- [Release notes](https://github.com/bmatcuk/doublestar/releases )
- [Commits](https://github.com/bmatcuk/doublestar/compare/v4.9.2...v4.10.0 )
---
updated-dependencies:
- dependency-name: github.com/bmatcuk/doublestar/v4
dependency-version: 4.10.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-06 13:20:24 -05:00
dependabot[bot]
1af8b1acaa
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates ( #4607 )
...
Bumps the actions-minor-patch group with 1 update in the / directory: [docker/login-action](https://github.com/docker/login-action ).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache ).
Updates `docker/login-action` from 3.6.0 to 3.7.0
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](5e57cd1181...c94ce9fb46https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](9255dc7a25...cdf6c1fa76
2026-02-06 13:20:12 -05:00
Rez Moss
c185657d71
feat: add yarn lock dev dep detection; fixed #4548
...
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-02-05 22:27:17 +00:00
Will Murphy
48ee12be0c
ci(generate-capabilities): serialize writing and reading yaml ( #4602 )
...
Otherwise sometimes the test that reads will run during the test that
writes and fail because the yaml file is in a partially written state.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-02-05 11:35:45 -05:00
anchore-actions-token-generator[bot]
0b05f0ed69
chore(deps): update CPE dictionary index ( #4601 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-02-05 15:29:00 +00:00
Will Murphy
138cb1be0e
fix(cpe-generation): set start and end date ( #4600 )
...
* fix(cpe-generation): set start and end date
Previously, the update job was silently failing because the NVD API
returns a 404 with no body if a start date is specified but not an end
date. Further, the API returns an error if more than 120 days are in
range of the start and end date.
Update the API client to:
1. Return a non-nil error on http 404
2. Chunk the date range into 120 day chunks
3. Pass start and end date to avoid errors.
Also add more tolerant timestamp parsing since the previous update job
would fail with timestamp format errors.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* refactor(cpe-generator): remove callbacks
Previously, this job had callbacks that were there to make sure that
incremental progress could be written to disk. However, incremental
progress was not being written to disk, and there were issues related to
the callbacks like double logging. Therefore, just remove the callbacks
and do simple imperative code to page through the API results.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2026-02-05 09:54:24 -05:00
Peter Bücker
6755377554
fix: CPE detection for APK libavif to use aomedia vendor ( #4597 )
...
NVD uses "aomedia" as the vendor for libavif CVEs. This change adds
libavif to the APK package CPE candidate additions with "aomedia" as
an additional vendor, enabling Syft/Grype to match CVEs like
CVE-2025-48174 and CVE-2025-48175.
Signed-off-by: Peter Bücker <peter.buecker@gmail.com>
2026-02-05 09:11:44 +00:00
anchore-actions-token-generator[bot]
540c08a41b
chore(deps): update tools to latest versions ( #4594 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-02-04 09:26:09 -05:00
Keith Zantow
add2629446
fix: further improve go binary classifier, including windows ( #4593 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-02-03 10:29:00 -05:00
anchore-actions-token-generator[bot]
d22139ef1a
chore(deps): update tools to latest versions ( #4589 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-02-02 12:59:57 -05:00
Christopher Angelo Phillips
c94d1ccf1c
fix: lookup alternate scheme on url->licenseID ( #4588 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-01-30 14:25:27 -05:00
dependabot[bot]
69d0898918
chore(deps): bump the go-minor-patch group with 2 updates ( #4583 )
...
Bumps the go-minor-patch group with 2 updates: [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter ) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ).
Updates `github.com/olekukonko/tablewriter` from 1.1.2 to 1.1.3
- [Release notes](https://github.com/olekukonko/tablewriter/releases )
- [Commits](https://github.com/olekukonko/tablewriter/compare/v1.1.2...v1.1.3 )
Updates `modernc.org/sqlite` from 1.44.1 to 1.44.3
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md )
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.1...v1.44.3 )
---
updated-dependencies:
- dependency-name: github.com/olekukonko/tablewriter
dependency-version: 1.1.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
dependency-version: 1.44.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-30 11:24:34 -05:00
Rez Moss
94c8088542
feat: add Qt6 binary detection ( #4550 )
...
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-01-30 15:35:33 +00:00
dependabot[bot]
e136ebc44f
chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates ( #4584 )
...
Bumps the actions-minor-patch group with 2 updates in the / directory: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ).
Updates `peter-evans/create-pull-request` from 8.0.0 to 8.1.0
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](98357b18bf...c0f553fe54https://github.com/zizmorcore/zizmor-action/releases )
- [Commits](e639db9933...135698455d
2026-01-30 10:33:32 -05:00
Alan Pope
0bca34f986
fix: snap cataloger incorrectly identifies snap container as deb package ( #4500 )
...
Signed-off-by: Alan Pope <alan@popey.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-01-30 10:19:26 -05:00
anchore-actions-token-generator[bot]
8d836fb8b0
chore(deps): update tools to latest versions ( #4577 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-01-27 15:18:18 -05:00
Christopher Angelo Phillips
9a250a4b4b
fix: update mixed case dependencies in python to be normalized ( #4573 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2026-01-27 15:16:32 -05:00
anchore-actions-token-generator[bot]
e8b4527bfb
chore(deps): update anchore dependencies ( #4575 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2026-01-27 10:14:26 +00:00
anchore-actions-token-generator[bot]
d0bb042d74
chore(deps): update tools to latest versions ( #4570 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2026-01-26 12:25:31 -05:00
Keith Zantow
c65d023668
feat: detect Debian version from /etc/debian_version ( #4569 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2026-01-23 17:52:21 -05:00
