Gijs Calis
b90e7f9437
Fix removing labels in 'Detect schema changes' job ( #2772 )
...
* Fix error messages for add & remove label
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
* Check if label exists on PR before removing
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
---------
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
2024-04-23 14:42:57 -04:00
dependabot[bot]
fbdd4ee015
chore(deps): bump github.com/docker/docker ( #2805 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.2+incompatible to 26.1.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.2...v26.1.0 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-23 14:32:34 -04:00
William Murphy
f154bf570d
Display which provider caused which error in output ( #2757 )
...
* Display which provider caused which error in output
Otherwise, the output is very difficult to parse.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* lint fix
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump stereoscope to v0.0.2
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-23 14:27:39 -04:00
Weston Steimel
99b58db497
fix: prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io ( #2806 )
...
Improves the logic for adding known CPEs for Jenkins plugins by
including `plugins.jenkins.io` and prefers non-deprecated CPEs
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 11:11:47 -04:00
Weston Steimel
8d960e62c6
feat: index known CPEs for PHP Composer packagist.org packages ( #2804 )
...
Indexes known CPEs from `packagist.org`
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 10:42:59 -04:00
dependabot[bot]
27a8a1be03
chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 ( #2802 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.1 to 3.25.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c7f9125735...8f596b4ae3
2024-04-23 09:54:36 -04:00
dependabot[bot]
4ccbd17255
chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 ( #2803 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.2 to 4.3.3.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](1746f4ab65...65462800fd
2024-04-23 09:54:28 -04:00
Weston Steimel
891e61a2ef
fix: improvements to known CPE index construction ( #2801 )
...
* fix: stop pre-filtering potential known CPE URLs
Previously when building the known CPE index, there was logic to
de-duplicate processing based on the normalized CPE name; however, this
means a significant number of known CPE's don't get indexed because the
first instance of that name didn't have a supported collection url but a
later one did. This isn't code that executes at runtime in syft so
de-duplicating the processing for performance isn't really necessary
here and it doesn't add much to the total runtime anyways
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* fix: CPE index builder should extract and consider all reference urls
Previously the struct definition for CpeItem caused only the last URL
reference in the list to be kept and processed for inclusion in the
index
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
---------
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 09:28:18 -04:00
Keith Zantow
f7d3d552ce
fix: exclude known instrumentation jars from being erroneously identified ( #2796 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-22 15:03:17 -04:00
Weston Steimel
12ea9912b4
feat: index known cpes for PHP extensions ( #2777 )
...
Indexes known CPEs from `pecl.php.net` and `pear.php.net`
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-22 13:43:19 -04:00
dependabot[bot]
cf6f92f2c8
chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 ( #2799 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.2 to 4.1.3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](9bb56186c3...1d96c772d1
2024-04-22 13:29:13 -04:00
William Murphy
6440f26b5a
fix: return empty string if dereferncing pom var fails ( #2797 )
...
Previously, Syft would attempt to dereference pom variables, but if it
detected a cycle or failed to get back to a non-variable value, it would
return the last variable. Instead, return an empty string. Otherwise,
certain jars will have versions like "${project.version}" in the SBOM,
which is not helpful.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-19 19:38:36 +00:00
dependabot[bot]
f2633800ce
chore(deps): bump github.com/docker/docker ( #2793 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.1+incompatible to 26.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.1...v26.0.2 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:57 -04:00
dependabot[bot]
4f227bf447
chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8 ( #2794 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.7 to 1.29.8.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.7...v1.29.8 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:44 -04:00
dependabot[bot]
d70eb3d04b
chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 ( #2795 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.1 to 4.3.2.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](5d5d22a312...1746f4ab65
2024-04-19 15:06:32 -04:00
guangwu
fe4819bc08
chore: cleanup redundant code ( #2791 )
...
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-04-19 12:12:48 -04:00
anchore-actions-token-generator[bot]
b26b38d6c5
chore(deps): update tools to latest versions ( #2789 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-18 12:40:08 -04:00
dependabot[bot]
31969136e3
chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 ( #2790 )
...
Bumps [github.com/spdx/tools-golang](https://github.com/spdx/tools-golang ) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/spdx/tools-golang/releases )
- [Changelog](https://github.com/spdx/tools-golang/blob/main/RELEASE-NOTES.md )
- [Commits](https://github.com/spdx/tools-golang/compare/v0.5.3...v0.5.4 )
---
updated-dependencies:
- dependency-name: github.com/spdx/tools-golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-18 12:39:42 -04:00
dependabot[bot]
f6845474bd
chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 ( #2786 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.0 to 3.25.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](df5a14dc28...c7f9125735
2024-04-17 10:46:34 -04:00
dependabot[bot]
e1cadead1d
chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 ( #2787 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.0.3 to 6.0.4.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](c55203cfde...9153d834b6
2024-04-17 10:46:24 -04:00
William Murphy
3e71f46fc8
Fix: repeatedly dereference pom variables ( #2781 )
...
* Fix: repeatedly dereference pom variables
Previously, if there was more than one layer of variable indirection in
the pom property (propert A says it has the same value as property B,
property B says it has the same value as property C), then Syft would
only dereference one layer. Add a loop to dereference variables until
either dereferencing fails, or until the variable is completely
dereferenced back to a literal.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add test cases for degenerate poms
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove redundant pieces of test cases
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-16 15:44:02 -04:00
dependabot[bot]
3b01e13f92
chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7 ( #2783 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.6 to 1.29.7.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.6...v1.29.7 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-16 11:05:35 -04:00
anchore-actions-token-generator[bot]
25c2e60358
chore(deps): update CPE dictionary index ( #2780 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: westonsteimel <1593939+westonsteimel@users.noreply.github.com>
2024-04-15 11:15:38 -04:00
dependabot[bot]
dc7fa21980
chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 ( #2779 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.24.10 to 3.25.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4355270be1...df5a14dc28
2024-04-15 10:00:54 -04:00
Weston Steimel
587690b875
chore: fix broken cpe index generation task ( #2778 )
...
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-15 09:39:57 -04:00
dependabot[bot]
21eaa5c82b
chore(deps): bump github.com/docker/docker ( #2773 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.0+incompatible to 26.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.0...v26.0.1 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-12 15:33:27 -04:00
dependabot[bot]
081ec04b3f
chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 ( #2774 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](70a41aba78...c55203cfde
2024-04-12 15:31:36 -04:00
Keith Zantow
dde5d349b1
fix: more robust go main version extraction ( #2767 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2024-04-11 11:58:51 -04:00
anchore-actions-token-generator[bot]
a5d77b9263
chore(deps): update tools to latest versions ( #2768 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-11 11:53:55 -04:00
Laurent Goderre
c9aab4863b
fix: binary character in java version ( #2766 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-04-11 10:32:24 -04:00
anchore-actions-token-generator[bot]
af1a065d2a
chore(deps): update tools to latest versions ( #2760 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-09 12:03:12 -04:00
dependabot[bot]
88cef1e05c
chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6 ( #2761 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.5 to 1.29.6.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.5...v1.29.6 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-09 12:02:56 -04:00
dependabot[bot]
870d97ca5a
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to 6.5.8 ( #2754 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.5.6 to 6.5.8.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.6...v6.5.8 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-08 12:19:45 -04:00
dependabot[bot]
e681bc4780
chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to 0.5.3 ( #2755 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.5.2 to 0.5.3.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.2...v0.5.3 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-08 12:19:32 -04:00
dependabot[bot]
c31696f131
chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 ( #2756 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.24.9 to 3.24.10.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](1b1aada464...4355270be1
2024-04-08 12:19:20 -04:00
dependabot[bot]
67781e98a2
chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 ( #2751 )
...
Bumps [golang.org/x/mod](https://github.com/golang/mod ) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/mod/compare/v0.16.0...v0.17.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 19:22:00 +00:00
Laurent Goderre
619ace65c3
Differentiate between JRE and JDK ( #2748 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-04-05 15:10:58 -04:00
dependabot[bot]
3e4e3bb1d4
chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0 ( #2752 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.23.0 to 0.24.0.
- [Commits](https://github.com/golang/net/compare/v0.23.0...v0.24.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 15:10:15 -04:00
anchore-actions-token-generator[bot]
1e31356c49
chore(deps): update tools to latest versions ( #2744 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-04 10:34:19 -04:00
dependabot[bot]
0fa925e5af
chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 ( #2747 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.22.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.22.0...v0.23.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-04 10:34:03 -04:00
Christopher Angelo Phillips
e100776f22
chore: update anchore/packageurl-go to use latest commits ( #2746 )
...
chore: update packageurl-go dependency to use latest commits
chore: go mod tidy
unit: update + -> %2B
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-04 10:33:51 -04:00
Laurent Goderre
e0233625cb
feat: cataloger for PHP Pecl and PEAR packages ( #2604 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-04-02 11:55:56 -04:00
dependabot[bot]
e0f5b5a787
chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 ( #2743 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.11.0 to 5.12.0.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.11.0...v5.12.0 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-01 14:14:07 -04:00
anchore-actions-token-generator[bot]
9c42c83229
chore(deps): update tools to latest versions ( #2741 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-03-30 17:51:21 -04:00
Keith Zantow
01340b2a5c
fix: conan poco project cpe ( #2740 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-03-28 16:56:24 -04:00
dependabot[bot]
16edb40c72
chore(deps): bump github.com/distribution/reference from 0.5.0 to 0.6.0 ( #2738 )
...
Bumps [github.com/distribution/reference](https://github.com/distribution/reference ) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/distribution/reference/releases )
- [Commits](https://github.com/distribution/reference/compare/v0.5.0...v0.6.0 )
---
updated-dependencies:
- dependency-name: github.com/distribution/reference
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 12:22:00 -04:00
dependabot[bot]
5a865d0d90
chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10 ( #2737 )
2024-03-27 17:52:22 +00:00
Keith Zantow
410867ca0c
fix: panic scanning binaries without symtab ( #2739 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-03-27 13:51:45 -04:00
guangwu
469b4c13bb
chore: remove useless code ( #2716 )
...
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-03-26 12:21:03 -04:00
dependabot[bot]
57e9cc52a4
chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 ( #2731 )
...
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-26 11:52:50 -04:00
