oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 16:33:21 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,051 Commits 60 Branches 243 Tags
Commit Graph

3051 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Keith Zantow
725b0dfda2
chore: java binary data 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2025-11-14 15:44:38 -05:00
Alex Goodman
891499685a fix pdm 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-07 15:42:46 -05:00
Alex Goodman
a97e1c6e1a tweak diagram 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 15:18:36 -04:00
Alex Goodman
4a2d94b4b9 Merge remote-tracking branch 'origin/main' into ast-parse-cataloger-capabilities 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 14:06:59 -04:00
Stepan
efc2f0012c
fix: go binary replace handling in path (#4156) 
* Fix issue with relative paths on go binary

Signed-off-by: Stepan <stepworm@yandex.ru>

* Linting

Signed-off-by: Stepan <stepworm@yandex.ru>

---------

Signed-off-by: Stepan <stepworm@yandex.ru>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 15:59:47 +00:00
Alex Goodman
c3e196bea5 restore goreleaser config 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 11:58:00 -04:00
Alex Goodman
16fb680b15 fix tests and linting 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 11:55:02 -04:00
kyounghoonJang
c5c1454848
feat(java): Add support for .far (Feature Archive) files (#4193) 
* feat(java): add support for .far archivesEnables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>

* feat(java): Add tests for .far (Feature Archive) file support

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>

---------

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 15:41:27 +00:00
Kudryavcev Nikolay
f5c765192c
Refactor fileresolver to not require base path (#4298) 
* ref: close source in test and examples

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* ref: pretty file/directory source resolver (make them more similar)

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* ref: move absoluteSymlinkFreePathToParent to file resolver

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* revert breaking change

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

---------

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
 2025-10-29 10:41:18 -04:00
Alex Goodman
d6512456b3 improve testing a docs 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 10:08:29 -04:00
Will Murphy
728feea620
ci: use apple creds before pushing tags (#4313) 
We have had a few releases fail because the Apple credentials needed
some sort of fix. These release were operationally more interesting
because they failed after pushing a git tag (which effectively releases
the golagn package). Therefore, try to use these creds early, before
there's a tag pushed.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
 2025-10-29 10:07:47 -04:00
dependabot[bot]
45fb52dca1
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.8 to 6.6.9 (#4315) 
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.6.8 to 6.6.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.8...v6.6.9)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.6.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-29 10:06:37 -04:00
Rez Moss
45bf8b14ab
fix: omit records with empty PURL in GitHub format (#4312) 
Signed-off-by: Rez Moss <hi@rezmoss.com>
 2025-10-28 18:34:10 -04:00
Brian Muenzenmeyer
9478cd974b
docs: update template link in README.md (#4306) 
Signed-off-by: Brian Muenzenmeyer <brian.muenzenmeyer@gmail.com>
 2025-10-28 11:29:07 -04:00
Alex Goodman
0dd906b071 fix linting 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-28 10:38:24 -04:00
Will Murphy
0d9ea69a66
Respect "rpmmod" PURL qualifier (#4314) 
Red Hat purls the RPM modularity info in a query param in the PURLs in
their vulnerability data. It would be nice if Syft respected this
qualifier so that Grype can use it when a Red Hat purl is passed.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
 2025-10-28 09:35:11 -04:00
Alex Goodman
abfe73b3da latest generation 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-27 14:51:14 -04:00
dependabot[bot]
bee78c0b16
chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#4310) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.9 to 4.31.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](16140ae1a1...4e94bd11f7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-27 10:43:04 -04:00
dependabot[bot]
88bbcbe9c6
chore(deps): bump anchore/sbom-action from 0.20.8 to 0.20.9 (#4305) 2025-10-27 02:03:09 -04:00
anchore-actions-token-generator[bot]
e0680eb704
chore(deps): update tools to latest versions (#4307) 2025-10-27 02:02:47 -04:00
Alex Goodman
5d182ec5f1 add completeness tests for metadata types 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-26 06:44:32 -04:00
Marc
16f851c5d9
feat: include .rar files as Java archives for Java resource adapters (#4137) 
Signed-off-by: Marc Thomas <marc.thomas@t-systems.com>
 2025-10-24 11:55:02 -04:00
Alex Goodman
63832e5e5a expose json schema types 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-24 09:21:07 -04:00
Ross Kirk
d5ca1ad543
fix: ignore dpkg entries with "deinstall" status (#4231) 
Signed-off-by: Ross Kirk <ross.kirk@upwind.io>
 2025-10-23 16:23:58 -04:00
Alex Goodman
de111f4d5b expose metadata and pacakge types in json 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-23 16:16:33 -04:00
anchore-actions-token-generator[bot]
8be463911c
chore(deps): update tools to latest versions (#4302) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.35.0 v1.36.0 		2025-10-22 09:38:18 -04:00
Alex Goodman
95ba1b04a4 better binary cataloger description 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-21 13:02:04 -04:00
dependabot[bot]
44b7b0947c
chore(deps): bump github.com/github/go-spdx/v2 from 2.3.3 to 2.3.4 (#4301) 2025-10-21 09:34:26 -04:00
Alex Goodman
02f61abc62 rename os pkg types 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-20 10:22:11 -04:00
dependabot[bot]
675075e882
chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9 (#4299) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.8 to 4.30.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](f443b600d9...16140ae1a1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.30.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-20 10:08:39 -04:00
Alex Goodman
a92efd5b85 correct gentoo and arch ecosystems 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-17 14:12:55 -04:00
JoeyShapiro
31b2c4c090
support universal (fat) mach-o binary files (#4278) 
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
 2025-10-17 13:41:59 -04:00
dependabot[bot]
07029ead8a
chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4296) 
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.10.0 to 4.0.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](d7543c93d8...faadad0cce)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-17 10:22:20 -04:00
dependabot[bot]
f4de1e863c
chore(deps): bump anchore/sbom-action from 0.20.7 to 0.20.8 (#4297) 
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.7 to 0.20.8.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](d8a2c01300...aa0e114b2e)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-17 10:22:10 -04:00
JoeyShapiro
538b4a2194
convert posix path back to windows (#4285) 
Signed-off-by: Joseph Shapiro <joeyashapiro@gmail.com>
 2025-10-17 09:29:06 -04:00
Kudryavcev Nikolay
fc74b07369
Remove duplicate image source providers (#4289) 
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
 2025-10-16 16:19:11 -04:00
dependabot[bot]
6627c5214c
chore(deps): bump anchore/sbom-action from 0.20.6 to 0.20.7 (#4293) 
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.6 to 0.20.7.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](f8bdd1d8ac...d8a2c01300)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-version: 0.20.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-16 13:57:17 -04:00
Tim Olshansky
c0f32e1dba
feat: add option to fetch remote licenses for pnpm-lock.yaml files (#4286) 
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
 2025-10-16 12:23:06 -04:00
Pavel Buchart
e923db2a94
Add PDM parser (#4234) 
Signed-off-by: Pavel Buchart <pavel@buchart.cz>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
 2025-10-16 08:50:44 -04:00
anchore-actions-token-generator[bot]
0c98a364d5
chore(deps): update tools to latest versions (#4291) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.34.2 		2025-10-16 07:02:32 -04:00
Keith Zantow
4343d04652
fix: panic during java archive maven resolution (#4290) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2025-10-16 07:00:31 -04:00
Kudryavcev Nikolay
065ac13ab7
Extract zip archive with multiple entries (#4283) 
* extract zip archive with multiple entries

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* set OverwriteExisting by type assertion switch case

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

---------

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
 2025-10-15 12:05:05 -04:00
Christopher Angelo Phillips
e9a8bc5ab9
chore: update to use old configuration on new cosign (#4287) 
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
v1.34.1 		2025-10-15 15:12:20 +00:00
anchore-actions-token-generator[bot]
6d790ec6ec
chore(deps): update anchore dependencies (#4282) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.34.0 		2025-10-14 22:09:17 +00:00
dependabot[bot]
1d5bcc553a
chore(deps): bump github.com/mholt/archives from 0.1.3 to 0.1.5 (#4280) 
* chore(deps): bump github.com/mholt/archives from 0.1.3 to 0.1.5

Bumps [github.com/mholt/archives](https://github.com/mholt/archives) from 0.1.3 to 0.1.5.
- [Release notes](https://github.com/mholt/archives/releases)
- [Commits](https://github.com/mholt/archives/compare/v0.1.3...v0.1.5)

---
updated-dependencies:
- dependency-name: github.com/mholt/archives
  dependency-version: 0.1.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: allow lzip-go in bouncer yaml

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
 2025-10-14 14:22:00 -04:00
Alex Goodman
d22914baf5
add docs to configs (#4281) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-14 13:58:31 -04:00
Alex Goodman
1510db7c4e add info command from generated capabilities 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-13 17:14:40 -04:00
Doug Clarke
760bd9a50a
feat: Pom xml only archive parser (#4272) 
fix: identifying jar files with a single pom.xml and no pom.properties file
fix: test works with pom.xml being found, used and reported in metadata
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>

test: check for current project path and use
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
---------
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
 2025-10-13 15:59:08 -04:00
Hala Ali
2d1ada1d00
fix: enhance setup.py parser to handle unquoted dependencies (#4255) 
* fix: add support for unquoted Python dependencies in setup.py

- Add regex pattern to match unquoted package==version format
- Handles common .split() pattern used in projects like mayan-edms
- Maintains backward compatibility with quoted dependencies
- Prevents duplicate package detection
Signed-off-by: Hala Ali alih16@vcu.edu

Signed-off-by: HalaAli198 <alih16@vcu.edu>

* fix: apply gofmt formatting

Signed-off-by: HalaAli198 <alih16@vcu.edu>

* lint: incorporate new changes and refactor complexity

Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>

---------

Signed-off-by: HalaAli198 <alih16@vcu.edu>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
 2025-10-13 15:10:42 -04:00
dependabot[bot]
8ffe15c710
chore(deps): bump golang.org/x/tools from 0.37.0 to 0.38.0 (#4265) 
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.37.0 to 0.38.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-13 11:50:59 -04:00