Christopher Phillips
6ceef5fe4a
feat: migrate gguf parser to separate PR from oci
...
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-12 23:56:52 -05:00
anchore-actions-token-generator[bot]
2e100f33f3
chore(deps): update tools to latest versions ( #4358 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-12 13:27:47 -05:00
dependabot[bot]
b444f0c2ed
chore(deps): bump golang.org/x/mod from 0.29.0 to 0.30.0 ( #4359 )
...
Bumps [golang.org/x/mod](https://github.com/golang/mod ) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/mod/compare/v0.29.0...v0.30.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-version: 0.30.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-12 13:27:33 -05:00
Adam Chovanec
102d362daf
feat: CPEs format decoder ( #4207 )
...
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
2025-11-12 10:45:09 -05:00
Alex Goodman
66c78d44af
Document additional json schema fields ( #4356 )
...
* add documentation to key fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-10 16:29:06 -05:00
dependabot[bot]
78a4ab8ced
chore(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.1 ( #4354 )
...
Bumps [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter ) from 1.0.9 to 1.1.1.
- [Commits](https://github.com/olekukonko/tablewriter/compare/v1.0.9...v1.1.1 )
---
updated-dependencies:
- dependency-name: github.com/olekukonko/tablewriter
dependency-version: 1.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-10 13:31:15 -05:00
dependabot[bot]
25ca33d20e
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.0 to 6.7.1 ( #4355 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.7.0 to 6.7.1.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.0...v6.7.1 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.7.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-10 13:30:56 -05:00
anchore-actions-token-generator[bot]
60ca241593
chore(deps): update tools to latest versions ( #4347 )
...
* chore: new tool checks
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-07 20:56:44 +00:00
dependabot[bot]
0f475c8bcd
chore(deps): bump github.com/opencontainers/selinux ( #4349 )
...
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux ) from 1.11.0 to 1.13.0.
- [Release notes](https://github.com/opencontainers/selinux/releases )
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.13.0 )
---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
dependency-version: 1.13.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-07 15:21:35 -05:00
Alex Goodman
199394934d
preserve --from order ( #4350 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-07 10:17:10 -05:00
dependabot[bot]
8a22d394ed
chore(deps): bump golang.org/x/time from 0.12.0 to 0.14.0 ( #4348 )
...
Bumps [golang.org/x/time](https://github.com/golang/time ) from 0.12.0 to 0.14.0.
- [Commits](https://github.com/golang/time/compare/v0.12.0...v0.14.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/time
dependency-version: 0.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-07 08:48:20 -05:00
Tim Olshansky
bbef262b8f
feat: Add license enrichment from pypi to python packages ( #4295 )
...
* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:05:08 -05:00
Tim Olshansky
4e06a7ab32
feat(javascript): Add dependency parsing ( #4304 )
...
* feat: Add dependency parsing to javascript package locks
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Bump schema version
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for yarn and pnpm, excl. yarn v1
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for dependencies for v1 yarn lock files
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Ensure schema is correctly generated
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Fix tests
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* PR feedback
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:03:43 -05:00
Alex Goodman
e5711e9b42
Update CPE processing to use NVD API ( #4332 )
...
* update NVD CPE dictionary processor to use API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pass linting with exceptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-06 16:02:26 -05:00
Rez Moss
f69b1db099
feat: detect elixir bin ( #4334 )
...
* Elixir detection, fixed #4333
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-11-06 16:02:02 -05:00
dependabot[bot]
fe1ea443c2
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.9 to 6.7.0 ( #4337 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.6.9 to 6.7.0.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.9...v6.7.0 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-06 15:47:49 -05:00
dependabot[bot]
bfcbf266df
chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 ( #4340 )
...
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd ) from 1.7.28 to 1.7.29.
- [Release notes](https://github.com/containerd/containerd/releases )
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md )
- [Commits](https://github.com/containerd/containerd/compare/v1.7.28...v1.7.29 )
---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
dependency-version: 1.7.29
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-06 15:46:32 -05:00
Keith Zantow
a400c675fc
feat: license file search ( #4327 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-03 14:16:05 -05:00
Alex Goodman
7c154e7c37
use official action for token generation ( #4331 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-03 13:08:42 -05:00
anchore-actions-token-generator[bot]
4c93394bc2
chore(deps): update anchore dependencies ( #4330 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-03 12:44:07 -05:00
kdt523
3e4e82f03e
Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries ( #4308 )
...
* binary(pe): canonicalize Ghostscript CPE to artifex:ghostscript and add generic purl for PE (#4275 )\n\n- Detect Ghostscript via PE version resources and set purl pkg:generic/ghostscript@<version>\n- Add PE-specific CPE candidates: vendor 'artifex', product 'ghostscript'\n- Add focused unit tests for purl and CPE generation
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
* fix: gofmt formatting for static analysis pass (pe-ghostscript-cpe-purl-4275)
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
---------
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
2025-11-03 14:54:48 +00:00
dependabot[bot]
793b0a346f
chore(deps): bump github/codeql-action from 4.31.1 to 4.31.2 ( #4325 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.1 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](5fe9434cd2...0499de31b9
2025-11-03 09:11:20 -05:00
dependabot[bot]
a0dac519db
chore(deps): bump github.com/hashicorp/go-getter from 1.8.2 to 1.8.3 ( #4326 )
...
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter ) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/hashicorp/go-getter/releases )
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml )
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.2...v1.8.3 )
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-version: 1.8.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-03 09:11:12 -05:00
dependabot[bot]
34f5e521c1
chore(deps): bump modernc.org/sqlite from 1.39.1 to 1.40.0 ( #4329 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.39.1 to 1.40.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.39.1...v1.40.0 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-03 09:11:05 -05:00
dependabot[bot]
774b1e97b9
chore(deps): bump github/codeql-action from 4.31.0 to 4.31.1 ( #4321 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.0 to 4.31.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4e94bd11f7...5fe9434cd2
2025-10-30 13:19:57 -04:00
Alex Goodman
538430d65d
describe cataloger capabilities via test observations ( #4318 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-30 13:19:42 -04:00
Alex Goodman
5db3a9bf55
add workflow to create PR for spdx license list updates ( #4319 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-30 12:14:13 -04:00
Stepan
efc2f0012c
fix: go binary replace handling in path ( #4156 )
...
* Fix issue with relative paths on go binary
Signed-off-by: Stepan <stepworm@yandex.ru>
* Linting
Signed-off-by: Stepan <stepworm@yandex.ru>
---------
Signed-off-by: Stepan <stepworm@yandex.ru>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:59:47 +00:00
kyounghoonJang
c5c1454848
feat(java): Add support for .far (Feature Archive) files ( #4193 )
...
* feat(java): add support for .far archivesEnables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
* feat(java): Add tests for .far (Feature Archive) file support
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
---------
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:41:27 +00:00
Kudryavcev Nikolay
f5c765192c
Refactor fileresolver to not require base path ( #4298 )
...
* ref: close source in test and examples
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: pretty file/directory source resolver (make them more similar)
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: move absoluteSymlinkFreePathToParent to file resolver
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* revert breaking change
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-29 10:41:18 -04:00
Will Murphy
728feea620
ci: use apple creds before pushing tags ( #4313 )
...
We have had a few releases fail because the Apple credentials needed
some sort of fix. These release were operationally more interesting
because they failed after pushing a git tag (which effectively releases
the golagn package). Therefore, try to use these creds early, before
there's a tag pushed.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-10-29 10:07:47 -04:00
dependabot[bot]
45fb52dca1
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.8 to 6.6.9 ( #4315 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.6.8 to 6.6.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.8...v6.6.9 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.6.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-29 10:06:37 -04:00
Rez Moss
45bf8b14ab
fix: omit records with empty PURL in GitHub format ( #4312 )
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-10-28 18:34:10 -04:00
Brian Muenzenmeyer
9478cd974b
docs: update template link in README.md ( #4306 )
...
Signed-off-by: Brian Muenzenmeyer <brian.muenzenmeyer@gmail.com>
2025-10-28 11:29:07 -04:00
Will Murphy
0d9ea69a66
Respect "rpmmod" PURL qualifier ( #4314 )
...
Red Hat purls the RPM modularity info in a query param in the PURLs in
their vulnerability data. It would be nice if Syft respected this
qualifier so that Grype can use it when a Red Hat purl is passed.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-10-28 09:35:11 -04:00
dependabot[bot]
bee78c0b16
chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 ( #4310 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.30.9 to 4.31.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](16140ae1a1...4e94bd11f7
2025-10-27 10:43:04 -04:00
dependabot[bot]
88bbcbe9c6
chore(deps): bump anchore/sbom-action from 0.20.8 to 0.20.9 ( #4305 )
2025-10-27 02:03:09 -04:00
anchore-actions-token-generator[bot]
e0680eb704
chore(deps): update tools to latest versions ( #4307 )
2025-10-27 02:02:47 -04:00
Marc
16f851c5d9
feat: include .rar files as Java archives for Java resource adapters ( #4137 )
...
Signed-off-by: Marc Thomas <marc.thomas@t-systems.com>
2025-10-24 11:55:02 -04:00
Ross Kirk
d5ca1ad543
fix: ignore dpkg entries with "deinstall" status ( #4231 )
...
Signed-off-by: Ross Kirk <ross.kirk@upwind.io>
2025-10-23 16:23:58 -04:00
anchore-actions-token-generator[bot]
8be463911c
chore(deps): update tools to latest versions ( #4302 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-10-22 09:38:18 -04:00
dependabot[bot]
44b7b0947c
chore(deps): bump github.com/github/go-spdx/v2 from 2.3.3 to 2.3.4 ( #4301 )
2025-10-21 09:34:26 -04:00
dependabot[bot]
675075e882
chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9 ( #4299 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.30.8 to 4.30.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](f443b600d9...16140ae1a1
2025-10-20 10:08:39 -04:00
JoeyShapiro
31b2c4c090
support universal (fat) mach-o binary files ( #4278 )
...
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
2025-10-17 13:41:59 -04:00
dependabot[bot]
07029ead8a
chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 ( #4296 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.10.0 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](d7543c93d8...faadad0cce
2025-10-17 10:22:20 -04:00
dependabot[bot]
f4de1e863c
chore(deps): bump anchore/sbom-action from 0.20.7 to 0.20.8 ( #4297 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.20.7 to 0.20.8.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](d8a2c01300...aa0e114b2e
2025-10-17 10:22:10 -04:00
JoeyShapiro
538b4a2194
convert posix path back to windows ( #4285 )
...
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
2025-10-17 09:29:06 -04:00
Kudryavcev Nikolay
fc74b07369
Remove duplicate image source providers ( #4289 )
...
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-16 16:19:11 -04:00
dependabot[bot]
6627c5214c
chore(deps): bump anchore/sbom-action from 0.20.6 to 0.20.7 ( #4293 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.20.6 to 0.20.7.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md )
- [Commits](f8bdd1d8ac...d8a2c01300
2025-10-16 13:57:17 -04:00
Tim Olshansky
c0f32e1dba
feat: add option to fetch remote licenses for pnpm-lock.yaml files ( #4286 )
...
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-10-16 12:23:06 -04:00
