Chris Greeno
568b7601bb
fix(javascript): remove debug print statement in dependency parser ( #4412 )
...
Removes an accidental `fmt.Println("error", err)` that was left in
the javascript dependency parser. This causes noisy output to stdout
when parsing npm package-lock.json files that contain dependency
specifiers that aren't valid PURLs.
Signed-off-by: Chris Greeno <chris@fresha.com>
2025-12-10 13:42:09 -05:00
Kendrick
7fdb08c0b6
Validating download_url for github repositories, and updating if necessary ( #4390 )
...
* Adding a second function to validate/correct urls that are just github repositories
Signed-off-by: Kendrick <kmartinix@gmail.com>
* Adding test case to capture github repositories
Signed-off-by: Kendrick <kmartinix@gmail.com>
---------
Signed-off-by: Kendrick <kmartinix@gmail.com>
2025-12-10 13:41:00 -05:00
Keith Zantow
9e3150b7ee
fix: java archives excluded due to incorrect license glob results ( #4449 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-12-08 15:58:13 -05:00
Will Murphy
d950ac1fae
fix: use vercel for vendor in nextjs CPE ( #4450 )
...
The recent react / next CVE uses "vercel" as the vendor, see
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-12-08 20:23:36 +00:00
VictorHuu
baca32f04a
fix:after compliance applied,the relationship concerning the original one should be omitted ( #4419 )
...
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
2025-12-04 15:30:16 -05:00
VictorHuu
afe28a2fc0
fix:handle compound aliases like ``.tgz`` when cataloging archives ( #4421 )
...
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-12-02 16:55:32 -05:00
Will Murphy
a0f7148608
chore: ignore .DS_Store in test fixtures ( #4422 )
...
Otherwise, we get test failures on macOS if macOS has decided to put
.DS_Store entries in the test fixtures.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-12-01 10:15:35 -05:00
Adam Chovanec
5b96d1d69d
chore: rename test func for CPE decoder ( #4379 )
...
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
Co-authored-by: Adam Chovanec <git@adamchovanec.cz>
2025-11-25 23:05:31 -05:00
Will Murphy
c95893209d
fix: normalize python package names from dependency lists ( #4408 )
...
Because package names in METADATA files may have upper case like
Werkzeug or Jinja2, but Syft artifacts have normalized names and are
lower case, like werkzeug or jinja2, Syft would miss emitting dependency
relationships. Therefore, normalize dependency names before comparing
with existing artifacts.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-11-25 10:20:21 -05:00
Christopher Angelo Phillips
9aca8167b8
chore: drop cpe from gguf ( #4383 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-19 05:37:40 -05:00
Will Murphy
759909f611
fix: emit lua rockspec dependencies in metadata ( #4376 )
...
The types / schema allowed for this field to begin with but it wasn't
set.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-11-18 09:19:41 -05:00
dependabot[bot]
d2641dfa39
chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 ( #4364 )
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2025-11-17 13:41:45 +00:00
Alex Goodman
153f2321ce
Fix test-fixture publish ( #4369 )
...
* pin python dependencies
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pin rust dependencies
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pin php deps
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update and pin http and curl fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 15:41:23 -05:00
Alex Goodman
7bf7bcc461
Support extras statements in Python PDM cataloger ( #4352 )
...
* fix pdm
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add test for metadata construction
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add missing test fixture
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* conserve markers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add additional tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 15:13:10 -05:00
Kudryavcev Nikolay
89842bd2f6
chore: migrate syft to use mholt/archives instead of anchore fork ( #4029 )
...
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-13 23:04:43 +00:00
Christopher Angelo Phillips
4a60c41f38
feat: 4184 gguf parser (ai artifact cataloger) part 1 ( #4279 )
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-13 17:43:48 -05:00
Adam Chovanec
102d362daf
feat: CPEs format decoder ( #4207 )
...
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
2025-11-12 10:45:09 -05:00
Alex Goodman
66c78d44af
Document additional json schema fields ( #4356 )
...
* add documentation to key fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-10 16:29:06 -05:00
anchore-actions-token-generator[bot]
60ca241593
chore(deps): update tools to latest versions ( #4347 )
...
* chore: new tool checks
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-07 20:56:44 +00:00
Tim Olshansky
bbef262b8f
feat: Add license enrichment from pypi to python packages ( #4295 )
...
* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:05:08 -05:00
Tim Olshansky
4e06a7ab32
feat(javascript): Add dependency parsing ( #4304 )
...
* feat: Add dependency parsing to javascript package locks
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Bump schema version
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for yarn and pnpm, excl. yarn v1
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for dependencies for v1 yarn lock files
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Ensure schema is correctly generated
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Fix tests
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* PR feedback
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:03:43 -05:00
Alex Goodman
e5711e9b42
Update CPE processing to use NVD API ( #4332 )
...
* update NVD CPE dictionary processor to use API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pass linting with exceptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-06 16:02:26 -05:00
Rez Moss
f69b1db099
feat: detect elixir bin ( #4334 )
...
* Elixir detection, fixed #4333
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-11-06 16:02:02 -05:00
Keith Zantow
a400c675fc
feat: license file search ( #4327 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-03 14:16:05 -05:00
kdt523
3e4e82f03e
Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries ( #4308 )
...
* binary(pe): canonicalize Ghostscript CPE to artifex:ghostscript and add generic purl for PE (#4275 )\n\n- Detect Ghostscript via PE version resources and set purl pkg:generic/ghostscript@<version>\n- Add PE-specific CPE candidates: vendor 'artifex', product 'ghostscript'\n- Add focused unit tests for purl and CPE generation
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
* fix: gofmt formatting for static analysis pass (pe-ghostscript-cpe-purl-4275)
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
---------
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
2025-11-03 14:54:48 +00:00
Alex Goodman
538430d65d
describe cataloger capabilities via test observations ( #4318 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-30 13:19:42 -04:00
Stepan
efc2f0012c
fix: go binary replace handling in path ( #4156 )
...
* Fix issue with relative paths on go binary
Signed-off-by: Stepan <stepworm@yandex.ru>
* Linting
Signed-off-by: Stepan <stepworm@yandex.ru>
---------
Signed-off-by: Stepan <stepworm@yandex.ru>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:59:47 +00:00
kyounghoonJang
c5c1454848
feat(java): Add support for .far (Feature Archive) files ( #4193 )
...
* feat(java): add support for .far archivesEnables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
* feat(java): Add tests for .far (Feature Archive) file support
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
---------
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:41:27 +00:00
Kudryavcev Nikolay
f5c765192c
Refactor fileresolver to not require base path ( #4298 )
...
* ref: close source in test and examples
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: pretty file/directory source resolver (make them more similar)
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: move absoluteSymlinkFreePathToParent to file resolver
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* revert breaking change
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-29 10:41:18 -04:00
Rez Moss
45bf8b14ab
fix: omit records with empty PURL in GitHub format ( #4312 )
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-10-28 18:34:10 -04:00
Will Murphy
0d9ea69a66
Respect "rpmmod" PURL qualifier ( #4314 )
...
Red Hat purls the RPM modularity info in a query param in the PURLs in
their vulnerability data. It would be nice if Syft respected this
qualifier so that Grype can use it when a Red Hat purl is passed.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-10-28 09:35:11 -04:00
Marc
16f851c5d9
feat: include .rar files as Java archives for Java resource adapters ( #4137 )
...
Signed-off-by: Marc Thomas <marc.thomas@t-systems.com>
2025-10-24 11:55:02 -04:00
Ross Kirk
d5ca1ad543
fix: ignore dpkg entries with "deinstall" status ( #4231 )
...
Signed-off-by: Ross Kirk <ross.kirk@upwind.io>
2025-10-23 16:23:58 -04:00
JoeyShapiro
31b2c4c090
support universal (fat) mach-o binary files ( #4278 )
...
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
2025-10-17 13:41:59 -04:00
JoeyShapiro
538b4a2194
convert posix path back to windows ( #4285 )
...
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
2025-10-17 09:29:06 -04:00
Kudryavcev Nikolay
fc74b07369
Remove duplicate image source providers ( #4289 )
...
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-16 16:19:11 -04:00
Tim Olshansky
c0f32e1dba
feat: add option to fetch remote licenses for pnpm-lock.yaml files ( #4286 )
...
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-10-16 12:23:06 -04:00
Pavel Buchart
e923db2a94
Add PDM parser ( #4234 )
...
Signed-off-by: Pavel Buchart <pavel@buchart.cz>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2025-10-16 08:50:44 -04:00
Keith Zantow
4343d04652
fix: panic during java archive maven resolution ( #4290 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-10-16 07:00:31 -04:00
Kudryavcev Nikolay
065ac13ab7
Extract zip archive with multiple entries ( #4283 )
...
* extract zip archive with multiple entries
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* set OverwriteExisting by type assertion switch case
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-15 12:05:05 -04:00
Alex Goodman
d22914baf5
add docs to configs ( #4281 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-14 13:58:31 -04:00
Doug Clarke
760bd9a50a
feat: Pom xml only archive parser ( #4272 )
...
fix: identifying jar files with a single pom.xml and no pom.properties file
fix: test works with pom.xml being found, used and reported in metadata
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
test: check for current project path and use
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
---------
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
2025-10-13 15:59:08 -04:00
Hala Ali
2d1ada1d00
fix: enhance setup.py parser to handle unquoted dependencies ( #4255 )
...
* fix: add support for unquoted Python dependencies in setup.py
- Add regex pattern to match unquoted package==version format
- Handles common .split() pattern used in projects like mayan-edms
- Maintains backward compatibility with quoted dependencies
- Prevents duplicate package detection
Signed-off-by: Hala Ali alih16@vcu.edu
Signed-off-by: HalaAli198 <alih16@vcu.edu>
* fix: apply gofmt formatting
Signed-off-by: HalaAli198 <alih16@vcu.edu>
* lint: incorporate new changes and refactor complexity
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
---------
Signed-off-by: HalaAli198 <alih16@vcu.edu>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
2025-10-13 15:10:42 -04:00
Alex Goodman
4ae8f73583
migrate json schema generation ( #4270 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-10 14:16:28 +00:00
Bernardo de Araujo
231f04ae0e
feat: Parse pnpm v9 lockfiles ( #4256 )
...
Signed-off-by: bernardoamc <bernardo.amc@gmail.com>
2025-10-09 15:07:59 -04:00
Sebastien Dionne
bd013fe99a
docs: Fix typos and linguistic errors in documentation ( #4257 )
...
Signed-off-by: Sebastien Dionne <survivant00@gmail.com>
2025-10-06 14:22:22 +00:00
Parthib Mukherjee
c732052cf1
feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation ( #4093 )
...
* feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.13 to 0.5.14 (#4089 )
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.5.13 to 0.5.14.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.13...v0.5.14 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-version: 0.5.14
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 (#4088 )
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.38.1 to 1.38.2.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-version: 1.38.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github.com/docker/docker (#4092 )
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 28.2.2+incompatible to 28.3.3+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.3 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-version: 28.3.3+incompatible
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github.com/anchore/stereoscope (#4091 )
Bumps [github.com/anchore/stereoscope](https://github.com/anchore/stereoscope ) from 0.1.7-0.20250716200927-94c6f92877d4 to 0.1.7.
- [Release notes](https://github.com/anchore/stereoscope/releases )
- [Changelog](https://github.com/anchore/stereoscope/blob/main/RELEASE.md )
- [Commits](https://github.com/anchore/stereoscope/commits/v0.1.7 )
---
updated-dependencies:
- dependency-name: github.com/anchore/stereoscope
dependency-version: 0.1.7
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* migrate to get.anchore.io (#4095 )
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): update anchore dependencies (#4098 )
* chore(deps): update anchore dependencies
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* address reader close operations
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): update anchore dependencies (#4104 )
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5 (#4096 )
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.4 to 3.29.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4e828ff8d4...51f77329af#4108 )
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): update CPE dictionary index (#4112 )
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): update tools to latest versions (#4111 )
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump actions/cache in /.github/actions/bootstrap (#4120 )
Bumps [actions/cache](https://github.com/actions/cache ) from 4.2.3 to 4.2.4.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](5a3ec84eff...0400d5f644#4119 )
Bumps [actions/cache](https://github.com/actions/cache ) from 4.2.3 to 4.2.4.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](5a3ec84eff...0400d5f644#4115 )
Bumps [docker/login-action](https://github.com/docker/login-action ) from 3.4.0 to 3.5.0.
- [Release notes](https://github.com/docker/login-action/releases )
- [Commits](74a5d14239...184bdaa072#4118 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* feat: add binary classifier for hashicorp vault (#4121 )
* add binary classifier for hashicorp vault
The Go Binary Cataloger isn't able to parse the version out of the
binary shipped in the DockerHub images of hashicorp/vault because the
version of the main module isn't set in the binary. Therefore, add a
binary classifier cataloger for this binary.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: add test fixtures, update vault
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: set binary classifier package type based on PURL
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: use github.com/hashicorp/vault as package name
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update tests
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 (#4124 )
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.7 to 3.29.8.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](51f77329af...76621b61de#4123 )
Bumps [golang.org/x/mod](https://github.com/golang/mod ) from 0.26.0 to 0.27.0.
- [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-version: 0.27.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 (#4122 )
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.42.0 to 0.43.0.
- [Commits](https://github.com/golang/net/compare/v0.42.0...v0.43.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-version: 0.43.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): update CPE dictionary index (#4126 )
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore: update GoReleaser configurations (#4128 )
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130 )
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.2.2 to 5.0.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](11bd71901b...08c6903cd8#4129 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* fix: support multiple letters in openssl patch version (#4106 )
Signed-off-by: honigbot <thesoftbear@gmail.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 (#4134 )
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.29.8 to 3.29.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](76621b61de...df559355d5#4132 )
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* feat: add package supplier flag (#4131 )
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135 )
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action ) from 0.1.1 to 0.1.2.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases )
- [Commits](f52a838cfa...5ca5fc7a47#4003 )
Fixes #2250
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* feat(cpegentereate): added test for the addBinaryPackageDigitVariation function
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* docs(cpegenerate): made the comment more verbose
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
* nit: separate digit variation concerns from case of use
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Signed-off-by: honigbot <thesoftbear@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com>
Co-authored-by: honigbot <34426443+honigbot@users.noreply.github.com>
Co-authored-by: Alan Pope <alan.pope@anchore.com>
2025-10-06 10:09:38 -04:00
Alex Goodman
a77d24e379
Improve struct and field comments and incorporate into json schema ( #4252 )
...
* improve struct and field comments and incorporate into json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-03 17:01:56 +00:00
Keith Zantow
9217f2099f
chore: update ffmpeg tests ( #4249 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-10-01 13:11:36 +00:00
Alan Pope
e1483e0285
Add support for identifying ffmpeg/libav libraries ( #4227 )
...
* Add support for identifying ffmpeg/libav libraries
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Undo my snippet-based confusion
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Put test fixture config back
Signed-off-by: Alan Pope <alan.pope@anchore.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
2025-09-26 10:43:47 -04:00
