Alex Goodman
7e330cdff8
correct poetry lock integrity hash claim
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 23:42:39 -05:00
Alex Goodman
9f9170a5f2
new capability descriptions for gguf and python
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 23:31:52 -05:00
Alex Goodman
558983dda7
Merge remote-tracking branch 'origin/main' into ast-parse-cataloger-capabilities
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 23:27:08 -05:00
Keith Zantow
725b0dfda2
chore: java binary data
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-14 15:44:38 -05:00
Alex Goodman
153f2321ce
Fix test-fixture publish (#4369)
...
* pin python dependencies
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pin rust dependencies
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pin php deps
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update and pin http and curl fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 15:41:23 -05:00
Alex Goodman
7bf7bcc461
Support extras statements in Python PDM cataloger (#4352)
...
* fix pdm
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add test for metadata construction
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add missing test fixture
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* conserve markers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add additional tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-14 15:13:10 -05:00
anchore-actions-token-generator[bot]
6a21b5e5e2
chore(deps): update tools to latest versions (#4365)
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-14 09:25:27 -05:00
dependabot[bot]
6480c8a425
chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 (#4366)
...
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.2 to 4.31.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0499de31b9...014f16e7ab)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.31.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-14 09:25:08 -05:00
Kudryavcev Nikolay
89842bd2f6
chore: migrate syft to use mholt/archives instead of anchore fork (#4029)
...
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-13 23:04:43 +00:00
Christopher Angelo Phillips
4a60c41f38
feat: 4184 gguf parser (ai artifact cataloger) part 1 (#4279)
...
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2025-11-13 17:43:48 -05:00
anchore-actions-token-generator[bot]
2e100f33f3
chore(deps): update tools to latest versions (#4358)
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-12 13:27:47 -05:00
dependabot[bot]
b444f0c2ed
chore(deps): bump golang.org/x/mod from 0.29.0 to 0.30.0 (#4359)
...
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/mod/compare/v0.29.0...v0.30.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-version: 0.30.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-12 13:27:33 -05:00
Adam Chovanec
102d362daf
feat: CPEs format decoder (#4207)
...
Signed-off-by: Adam Chovanec <git@adamchovanec.cz>
2025-11-12 10:45:09 -05:00
Alex Goodman
66c78d44af
Document additional json schema fields (#4356)
...
* add documentation to key fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-10 16:29:06 -05:00
dependabot[bot]
78a4ab8ced
chore(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.1 (#4354)
...
Bumps [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter) from 1.0.9 to 1.1.1.
- [Commits](https://github.com/olekukonko/tablewriter/compare/v1.0.9...v1.1.1)
---
updated-dependencies:
- dependency-name: github.com/olekukonko/tablewriter
dependency-version: 1.1.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-10 13:31:15 -05:00
dependabot[bot]
25ca33d20e
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.0 to 6.7.1 (#4355)
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.7.0 to 6.7.1.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.0...v6.7.1)
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.7.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-10 13:30:56 -05:00
anchore-actions-token-generator[bot]
60ca241593
chore(deps): update tools to latest versions (#4347)
...
* chore: new tool checks
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2025-11-07 20:56:44 +00:00
Alex Goodman
891499685a
fix pdm
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-07 15:42:46 -05:00
dependabot[bot]
0f475c8bcd
chore(deps): bump github.com/opencontainers/selinux (#4349)
...
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.13.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.13.0)
---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
dependency-version: 1.13.0
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-07 15:21:35 -05:00
Alex Goodman
199394934d
preserve --from order (#4350)
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-07 10:17:10 -05:00
dependabot[bot]
8a22d394ed
chore(deps): bump golang.org/x/time from 0.12.0 to 0.14.0 (#4348)
...
Bumps [golang.org/x/time](https://github.com/golang/time) from 0.12.0 to 0.14.0.
- [Commits](https://github.com/golang/time/compare/v0.12.0...v0.14.0)
---
updated-dependencies:
- dependency-name: golang.org/x/time
dependency-version: 0.14.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-07 08:48:20 -05:00
Tim Olshansky
bbef262b8f
feat: Add license enrichment from pypi to python packages (#4295)
...
* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:05:08 -05:00
Tim Olshansky
4e06a7ab32
feat(javascript): Add dependency parsing (#4304)
...
* feat: Add dependency parsing to javascript package locks
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Bump schema version
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for yarn and pnpm, excl. yarn v1
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for dependencies for v1 yarn lock files
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Ensure schema is correctly generated
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Fix tests
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* PR feedback
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
2025-11-06 16:03:43 -05:00
Alex Goodman
e5711e9b42
Update CPE processing to use NVD API (#4332)
...
* update NVD CPE dictionary processor to use API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pass linting with exceptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-06 16:02:26 -05:00
Rez Moss
f69b1db099
feat: detect elixir bin (#4334)
...
* Elixir detection, fixed #4333
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-11-06 16:02:02 -05:00
dependabot[bot]
fe1ea443c2
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.9 to 6.7.0 (#4337)
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.6.9 to 6.7.0.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.9...v6.7.0)
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.7.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-06 15:47:49 -05:00
dependabot[bot]
bfcbf266df
chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#4340)
...
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.28 to 1.7.29.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v1.7.28...v1.7.29)
---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
dependency-version: 1.7.29
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-06 15:46:32 -05:00
Keith Zantow
a400c675fc
feat: license file search (#4327)
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2025-11-03 14:16:05 -05:00
Alex Goodman
7c154e7c37
use official action for token generation (#4331)
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-11-03 13:08:42 -05:00
anchore-actions-token-generator[bot]
4c93394bc2
chore(deps): update anchore dependencies (#4330)
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.37.0
2025-11-03 12:44:07 -05:00
kdt523
3e4e82f03e
Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries (#4308)
...
* binary(pe): canonicalize Ghostscript CPE to artifex:ghostscript and add generic purl for PE (#4275)
- Detect Ghostscript via PE version resources and set purl pkg:generic/ghostscript@<version>
- Add PE-specific CPE candidates: vendor 'artifex', product 'ghostscript'
- Add focused unit tests for purl and CPE generation
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
* fix: gofmt formatting for static analysis pass (pe-ghostscript-cpe-purl-4275)
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
---------
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
2025-11-03 14:54:48 +00:00
dependabot[bot]
793b0a346f
chore(deps): bump github/codeql-action from 4.31.1 to 4.31.2 (#4325)
...
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.1 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](5fe9434cd2...0499de31b9)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.31.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-03 09:11:20 -05:00
dependabot[bot]
a0dac519db
chore(deps): bump github.com/hashicorp/go-getter from 1.8.2 to 1.8.3 (#4326)
...
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.2...v1.8.3)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-version: 1.8.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-03 09:11:12 -05:00
dependabot[bot]
34f5e521c1
chore(deps): bump modernc.org/sqlite from 1.39.1 to 1.40.0 (#4329)
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.39.1 to 1.40.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.39.1...v1.40.0)
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-version: 1.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-03 09:11:05 -05:00
dependabot[bot]
774b1e97b9
chore(deps): bump github/codeql-action from 4.31.0 to 4.31.1 (#4321)
...
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.0 to 4.31.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4e94bd11f7...5fe9434cd2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.31.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-30 13:19:57 -04:00
Alex Goodman
538430d65d
describe cataloger capabilities via test observations (#4318)
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-30 13:19:42 -04:00
Alex Goodman
5db3a9bf55
add workflow to create PR for spdx license list updates (#4319)
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-30 12:14:13 -04:00
Alex Goodman
a97e1c6e1a
tweak diagram
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:18:36 -04:00
Alex Goodman
4a2d94b4b9
Merge remote-tracking branch 'origin/main' into ast-parse-cataloger-capabilities
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 14:06:59 -04:00
Stepan
efc2f0012c
fix: go binary replace handling in path (#4156)
...
* Fix issue with relative paths on go binary
Signed-off-by: Stepan <stepworm@yandex.ru>
* Linting
Signed-off-by: Stepan <stepworm@yandex.ru>
---------
Signed-off-by: Stepan <stepworm@yandex.ru>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:59:47 +00:00
Alex Goodman
c3e196bea5
restore goreleaser config
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 11:58:00 -04:00
Alex Goodman
16fb680b15
fix tests and linting
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 11:55:02 -04:00
kyounghoonJang
c5c1454848
feat(java): Add support for .far (Feature Archive) files (#4193)
...
* feat(java): add support for .far archives
Enables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
* feat(java): Add tests for .far (Feature Archive) file support
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
---------
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 15:41:27 +00:00
Kudryavcev Nikolay
f5c765192c
Refactor fileresolver to not require base path (#4298)
...
* ref: close source in test and examples
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: pretty file/directory source resolver (make them more similar)
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: move absoluteSymlinkFreePathToParent to file resolver
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* revert breaking change
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
2025-10-29 10:41:18 -04:00
Alex Goodman
d6512456b3
improve testing and docs
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-29 10:08:29 -04:00
Will Murphy
728feea620
ci: use apple creds before pushing tags (#4313)
...
We have had a few releases fail because the Apple credentials needed
some sort of fix. These releases were operationally more interesting
because they failed after pushing a git tag (which effectively releases
the golang package). Therefore, try to use these creds early, before
there's a tag pushed.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2025-10-29 10:07:47 -04:00
dependabot[bot]
45fb52dca1
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.8 to 6.6.9 (#4315)
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.6.8 to 6.6.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.8...v6.6.9)
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-version: 6.6.9
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-29 10:06:37 -04:00
Rez Moss
45bf8b14ab
fix: omit records with empty PURL in GitHub format (#4312)
...
Signed-off-by: Rez Moss <hi@rezmoss.com>
2025-10-28 18:34:10 -04:00
Brian Muenzenmeyer
9478cd974b
docs: update template link in README.md (#4306)
...
Signed-off-by: Brian Muenzenmeyer <brian.muenzenmeyer@gmail.com>
2025-10-28 11:29:07 -04:00
Alex Goodman
0dd906b071
fix linting
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2025-10-28 10:38:24 -04:00