oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,071 Commits 60 Branches 243 Tags
Commit Graph

3071 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alex Goodman
ece3179655 add sboms 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 16:02:46 -05:00
Alex Goodman
a70e89b2ed use action to get artifacts working 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 15:34:56 -05:00
Alex Goodman
34b9533f22 better artifact filters 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 15:25:14 -05:00
Alex Goodman
f6cb65f5d7 change asset names and remove extras 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 14:54:07 -05:00
Alex Goodman
30324e9a9f attempt to replicate layout 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 14:36:10 -05:00
Alex Goodman
5f823b97ba fix deps 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 14:03:08 -05:00
Alex Goodman
800c345b6b disable magic cache 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 13:53:01 -05:00
Alex Goodman
42c7848016 troubleshoot artifact upload 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-11 13:39:03 -05:00
Alex Goodman
e857ff3a52 download individual artifacts 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 20:40:08 -05:00
Alex Goodman
c729a179d0 use artifacts api between jobs 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 15:02:34 -05:00
Alex Goodman
e5bb10b56a bust cache 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 15:02:34 -05:00
Alex Goodman
3335b85d61 correct ubuntu arm refs 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 15:02:34 -05:00
Alex Goodman
b16a401226 keep validations on x64 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 15:02:34 -05:00
Alex Goodman
178d38bc73 migrate to runs-on runners 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-10 15:02:34 -05:00
dependabot[bot]
78a4ab8ced
chore(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.1 (#4354) 
Bumps [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter) from 1.0.9 to 1.1.1.
- [Commits](https://github.com/olekukonko/tablewriter/compare/v1.0.9...v1.1.1)

---
updated-dependencies:
- dependency-name: github.com/olekukonko/tablewriter
  dependency-version: 1.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-10 13:31:15 -05:00
dependabot[bot]
25ca33d20e
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.0 to 6.7.1 (#4355) 
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.7.0 to 6.7.1.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.7.0...v6.7.1)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.7.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-10 13:30:56 -05:00
anchore-actions-token-generator[bot]
60ca241593
chore(deps): update tools to latest versions (#4347) 
* chore: new tool checks
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
 2025-11-07 20:56:44 +00:00
dependabot[bot]
0f475c8bcd
chore(deps): bump github.com/opencontainers/selinux (#4349) 
Bumps [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) from 1.11.0 to 1.13.0.
- [Release notes](https://github.com/opencontainers/selinux/releases)
- [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.13.0)

---
updated-dependencies:
- dependency-name: github.com/opencontainers/selinux
  dependency-version: 1.13.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-07 15:21:35 -05:00
Alex Goodman
199394934d
preserve --from order (#4350) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-07 10:17:10 -05:00
dependabot[bot]
8a22d394ed
chore(deps): bump golang.org/x/time from 0.12.0 to 0.14.0 (#4348) 
Bumps [golang.org/x/time](https://github.com/golang/time) from 0.12.0 to 0.14.0.
- [Commits](https://github.com/golang/time/compare/v0.12.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/time
  dependency-version: 0.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-07 08:48:20 -05:00
Tim Olshansky
bbef262b8f
feat: Add license enrichment from pypi to python packages (#4295) 
* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
 2025-11-06 16:05:08 -05:00
Tim Olshansky
4e06a7ab32
feat(javascript): Add dependency parsing (#4304) 
* feat: Add dependency parsing to javascript package locks

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* Bump schema version

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* Add support for yarn and pnpm, excl. yarn v1

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* Add support for dependencies for v1 yarn lock files

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* Ensure schema is correctly generated

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* Fix tests

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

* PR feedback

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>

---------

Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
 2025-11-06 16:03:43 -05:00
Alex Goodman
e5711e9b42
Update CPE processing to use NVD API (#4332) 
* update NVD CPE dictionary processor to use API

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* pass linting with exceptions

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-06 16:02:26 -05:00
Rez Moss
f69b1db099
feat: detect elixir bin (#4334) 
* Elixir detection, fixed #4333
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
 2025-11-06 16:02:02 -05:00
dependabot[bot]
fe1ea443c2
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.9 to 6.7.0 (#4337) 
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.6.9 to 6.7.0.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.9...v6.7.0)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-06 15:47:49 -05:00
dependabot[bot]
bfcbf266df
chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#4340) 
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.28 to 1.7.29.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](https://github.com/containerd/containerd/compare/v1.7.28...v1.7.29)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-version: 1.7.29
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-06 15:46:32 -05:00
Keith Zantow
a400c675fc
feat: license file search (#4327) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2025-11-03 14:16:05 -05:00
Alex Goodman
7c154e7c37
use official action for token generation (#4331) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-11-03 13:08:42 -05:00
anchore-actions-token-generator[bot]
4c93394bc2
chore(deps): update anchore dependencies (#4330) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.37.0 		2025-11-03 12:44:07 -05:00
kdt523
3e4e82f03e
Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries (#4308) 
* binary(pe): canonicalize Ghostscript CPE to artifex:ghostscript and add generic purl for PE (#4275)\n\n- Detect Ghostscript via PE version resources and set purl pkg:generic/ghostscript@<version>\n- Add PE-specific CPE candidates: vendor 'artifex', product 'ghostscript'\n- Add focused unit tests for purl and CPE generation

Signed-off-by: kdt523 <krushna.datir231@vit.edu>

* fix: gofmt formatting for static analysis pass (pe-ghostscript-cpe-purl-4275)

Signed-off-by: kdt523 <krushna.datir231@vit.edu>

---------

Signed-off-by: kdt523 <krushna.datir231@vit.edu>
 2025-11-03 14:54:48 +00:00
dependabot[bot]
793b0a346f
chore(deps): bump github/codeql-action from 4.31.1 to 4.31.2 (#4325) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.1 to 4.31.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](5fe9434cd2...0499de31b9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-03 09:11:20 -05:00
dependabot[bot]
a0dac519db
chore(deps): bump github.com/hashicorp/go-getter from 1.8.2 to 1.8.3 (#4326) 
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-version: 1.8.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-03 09:11:12 -05:00
dependabot[bot]
34f5e521c1
chore(deps): bump modernc.org/sqlite from 1.39.1 to 1.40.0 (#4329) 
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.39.1 to 1.40.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.39.1...v1.40.0)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-11-03 09:11:05 -05:00
dependabot[bot]
774b1e97b9
chore(deps): bump github/codeql-action from 4.31.0 to 4.31.1 (#4321) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.0 to 4.31.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](4e94bd11f7...5fe9434cd2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-30 13:19:57 -04:00
Alex Goodman
538430d65d
describe cataloger capabilities via test observations (#4318) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-30 13:19:42 -04:00
Alex Goodman
5db3a9bf55
add workflow to create PR for spdx license list updates (#4319) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-30 12:14:13 -04:00
Stepan
efc2f0012c
fix: go binary replace handling in path (#4156) 
* Fix issue with relative paths on go binary

Signed-off-by: Stepan <stepworm@yandex.ru>

* Linting

Signed-off-by: Stepan <stepworm@yandex.ru>

---------

Signed-off-by: Stepan <stepworm@yandex.ru>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 15:59:47 +00:00
kyounghoonJang
c5c1454848
feat(java): Add support for .far (Feature Archive) files (#4193) 
* feat(java): add support for .far archivesEnables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>

* feat(java): Add tests for .far (Feature Archive) file support

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>

---------

Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2025-10-29 15:41:27 +00:00
Kudryavcev Nikolay
f5c765192c
Refactor fileresolver to not require base path (#4298) 
* ref: close source in test and examples

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* ref: pretty file/directory source resolver (make them more similar)

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* ref: move absoluteSymlinkFreePathToParent to file resolver

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

* revert breaking change

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>

---------

Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
 2025-10-29 10:41:18 -04:00
Will Murphy
728feea620
ci: use apple creds before pushing tags (#4313) 
We have had a few releases fail because the Apple credentials needed
some sort of fix. These release were operationally more interesting
because they failed after pushing a git tag (which effectively releases
the golagn package). Therefore, try to use these creds early, before
there's a tag pushed.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
 2025-10-29 10:07:47 -04:00
dependabot[bot]
45fb52dca1
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.8 to 6.6.9 (#4315) 
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.6.8 to 6.6.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.6.8...v6.6.9)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-version: 6.6.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-29 10:06:37 -04:00
Rez Moss
45bf8b14ab
fix: omit records with empty PURL in GitHub format (#4312) 
Signed-off-by: Rez Moss <hi@rezmoss.com>
 2025-10-28 18:34:10 -04:00
Brian Muenzenmeyer
9478cd974b
docs: update template link in README.md (#4306) 
Signed-off-by: Brian Muenzenmeyer <brian.muenzenmeyer@gmail.com>
 2025-10-28 11:29:07 -04:00
Will Murphy
0d9ea69a66
Respect "rpmmod" PURL qualifier (#4314) 
Red Hat purls the RPM modularity info in a query param in the PURLs in
their vulnerability data. It would be nice if Syft respected this
qualifier so that Grype can use it when a Red Hat purl is passed.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
 2025-10-28 09:35:11 -04:00
dependabot[bot]
bee78c0b16
chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#4310) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.9 to 4.31.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](16140ae1a1...4e94bd11f7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-10-27 10:43:04 -04:00
dependabot[bot]
88bbcbe9c6
chore(deps): bump anchore/sbom-action from 0.20.8 to 0.20.9 (#4305) 2025-10-27 02:03:09 -04:00
anchore-actions-token-generator[bot]
e0680eb704
chore(deps): update tools to latest versions (#4307) 2025-10-27 02:02:47 -04:00
Marc
16f851c5d9
feat: include .rar files as Java archives for Java resource adapters (#4137) 
Signed-off-by: Marc Thomas <marc.thomas@t-systems.com>
 2025-10-24 11:55:02 -04:00
Ross Kirk
d5ca1ad543
fix: ignore dpkg entries with "deinstall" status (#4231) 
Signed-off-by: Ross Kirk <ross.kirk@upwind.io>
 2025-10-23 16:23:58 -04:00
anchore-actions-token-generator[bot]
8be463911c
chore(deps): update tools to latest versions (#4302) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
v1.35.0 v1.36.0 		2025-10-22 09:38:18 -04:00