sync: Fix Dockerfile#139
Closed
github-actions[bot] wants to merge 346 commits into
Closed
Conversation
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Saleem Abdulrasool <compnerd@compnerd.org>
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.4 to 4.3.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0400d5f...0057852) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 4.2.4 to 4.3.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@0400d5f...0057852) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.3 to 3.30.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@192325c...303c0ae) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Bumps [github.com/quasilyte/go-ruleguard/dsl](https://github.com/quasilyte/go-ruleguard) from 0.3.22 to 0.3.23. - [Release notes](https://github.com/quasilyte/go-ruleguard/releases) - [Commits](quasilyte/go-ruleguard@dsl/v0.3.22...dsl/v0.3.23) --- updated-dependencies: - dependency-name: github.com/quasilyte/go-ruleguard/dsl dependency-version: 0.3.23 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…#4151) --------- Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* Add support for identifying ffmpeg/libav libraries Signed-off-by: Alan Pope <alan.pope@anchore.com> * Undo my snippet-based confusion Signed-off-by: Alan Pope <alan.pope@anchore.com> * Put test fixture config back Signed-off-by: Alan Pope <alan.pope@anchore.com> --------- Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
…(#4254) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.8.1 to 1.8.2. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml) - [Commits](hashicorp/go-getter@v1.8.1...v1.8.2) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-getter dependency-version: 1.8.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.5 to 3.30.6. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@3599b3b...64d10c1) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…4252) * improve struct and field comments and incorporate into json schema Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * address review feedback Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
…#4259) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.2 to 5.16.3. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.2...v5.16.3) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.16.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github.com/iancoleman/orderedmap](https://github.com/iancoleman/orderedmap) from 0.0.0-20190318233801-ac98e3ecb4b0 to 0.3.0. - [Commits](https://github.com/iancoleman/orderedmap/commits/v0.3.0) --- updated-dependencies: - dependency-name: github.com/iancoleman/orderedmap dependency-version: 0.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ions in CPE generation (#4093) * feat(cpegenerate): add support for binary package digit-suffix variations in CPE generation Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.13 to 0.5.14 (#4089) Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.5.13 to 0.5.14. - [Release notes](https://github.com/gkampitakis/go-snaps/releases) - [Commits](gkampitakis/go-snaps@v0.5.13...v0.5.14) --- updated-dependencies: - dependency-name: github.com/gkampitakis/go-snaps dependency-version: 0.5.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump modernc.org/sqlite from 1.38.1 to 1.38.2 (#4088) Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.38.1 to 1.38.2. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.38.1...v1.38.2) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.38.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/docker/docker (#4092) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.3+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](moby/moby@v28.2.2...v28.3.3) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.3.3+incompatible dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github.com/anchore/stereoscope (#4091) Bumps [github.com/anchore/stereoscope](https://github.com/anchore/stereoscope) from 0.1.7-0.20250716200927-94c6f92877d4 to 0.1.7. - [Release notes](https://github.com/anchore/stereoscope/releases) - [Changelog](https://github.com/anchore/stereoscope/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/stereoscope/commits/v0.1.7) --- updated-dependencies: - dependency-name: github.com/anchore/stereoscope dependency-version: 0.1.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * migrate to get.anchore.io (#4095) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4098) * chore(deps): update anchore dependencies Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * address reader close operations Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update anchore dependencies (#4104) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.4 to 3.29.5 (#4096) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.4 to 3.29.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4e828ff...51f7732) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4108) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4112) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update tools to latest versions (#4111) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (#4120) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@5a3ec84...0400d5f) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/cache from 4.2.3 to 4.2.4 (#4119) Bumps [actions/cache](https://github.com/actions/cache) from 4.2.3 to 4.2.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@5a3ec84...0400d5f) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 4.2.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump docker/login-action from 3.4.0 to 3.5.0 (#4115) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@74a5d14...184bdaa) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.5.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: nondeterministic Java archive cataloging and improve groupID (#4118) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add binary classifier for hashicorp vault (#4121) * add binary classifier for hashicorp vault The Go Binary Cataloger isn't able to parse the version out of the binary shipped in the DockerHub images of hashicorp/vault because the version of the main module isn't set in the binary. Therefore, add a binary classifier cataloger for this binary. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore: add test fixtures, update vault Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: set binary classifier package type based on PURL Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: use github.com/hashicorp/vault as package name Signed-off-by: Keith Zantow <kzantow@gmail.com> * chore: update tests Signed-off-by: Keith Zantow <kzantow@gmail.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.7 to 3.29.8 (#4124) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.29.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@51f7732...76621b6) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/mod from 0.26.0 to 0.27.0 (#4123) Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.26.0 to 0.27.0. - [Commits](golang/mod@v0.26.0...v0.27.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump golang.org/x/net from 0.42.0 to 0.43.0 (#4122) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.42.0 to 0.43.0. - [Commits](golang/net@v0.42.0...v0.43.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.43.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): update CPE dictionary index (#4126) Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore: update GoReleaser configurations (#4128) Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 (#4130) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@11bd719...08c6903) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: closed reader during java binary detection (#4129) Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * fix: support multiple letters in openssl patch version (#4106) Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump github/codeql-action from 3.29.8 to 3.29.9 (#4134) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.8 to 3.29.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@76621b6...df55935) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: update syft license construction to be able to look up by URL (#4132) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add package supplier flag (#4131) --------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * chore(deps): bump zizmorcore/zizmor-action from 0.1.1 to 0.1.2 (#4135) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.1.1 to 0.1.2. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@f52a838...5ca5fc7) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat: add support for authors, maintainers, and contributors in package.json. (#4003) Fixes #2250 --------- Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * feat(cpegentereate): added test for the addBinaryPackageDigitVariation function Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * docs(cpegenerate): made the comment more verbose Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> * nit: separate digit variation concerns from case of use Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: Parthib Mukherjee <parthibmukherjee@gmail.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Keith Zantow <kzantow@gmail.com> Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Signed-off-by: honigbot <thesoftbear@gmail.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Alan Pope <alan.pope@anchore.com> Signed-off-by: Parthib Mukherjee <109328510+hawkaii@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Keith Zantow <kzantow@gmail.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: Emmanuel Ferdman <emmanuelferdman@gmail.com> Co-authored-by: honigbot <34426443+honigbot@users.noreply.github.com> Co-authored-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Sebastien Dionne <survivant00@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.44.0 to 0.45.0. - [Commits](golang/net@v0.44.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.45.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.30.6 to 4.30.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@64d10c1...e296a93) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.30.7 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: bernardoamc <bernardo.amc@gmail.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.45.0 to 0.46.0. - [Commits](golang/net@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0 (#4267) Bumps [github.com/gohugoio/hashstructure](https://github.com/gohugoio/hashstructure) from 0.5.0 to 0.6.0. - [Release notes](https://github.com/gohugoio/hashstructure/releases) - [Commits](gohugoio/hashstructure@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: github.com/gohugoio/hashstructure dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.39.0 to 1.39.1. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.39.0...v1.39.1) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-version: 1.39.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…th 2 updates (#4584) Bumps the actions-minor-patch group with 2 updates in the / directory: [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `peter-evans/create-pull-request` from 8.0.0 to 8.1.0 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@98357b1...c0f553f) Updates `zizmorcore/zizmor-action` from 0.3.0 to 0.4.1 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@e639db9...1356984) --- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 8.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: zizmorcore/zizmor-action dependency-version: 0.4.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--------- Signed-off-by: Rez Moss <hi@rezmoss.com> Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Bumps the go-minor-patch group with 2 updates: [github.com/olekukonko/tablewriter](https://github.com/olekukonko/tablewriter) and [modernc.org/sqlite](https://gitlab.com/cznic/sqlite). Updates `github.com/olekukonko/tablewriter` from 1.1.2 to 1.1.3 - [Release notes](https://github.com/olekukonko/tablewriter/releases) - [Commits](olekukonko/tablewriter@v1.1.2...v1.1.3) Updates `modernc.org/sqlite` from 1.44.1 to 1.44.3 - [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md) - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.1...v1.44.3) --- updated-dependencies: - dependency-name: github.com/olekukonko/tablewriter dependency-version: 1.1.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch - dependency-name: modernc.org/sqlite dependency-version: 1.44.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
--------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
NVD uses "aomedia" as the vendor for libavif CVEs. This change adds libavif to the APK package CPE candidate additions with "aomedia" as an additional vendor, enabling Syft/Grype to match CVEs like CVE-2025-48174 and CVE-2025-48175. Signed-off-by: Peter Bücker <peter.buecker@gmail.com>
* fix(cpe-generation): set start and end date Previously, the update job was silently failing because the NVD API returns a 404 with no body if a start date is specified but not an end date. Further, the API returns an error if more than 120 days are in range of the start and end date. Update the API client to: 1. Return a non-nil error on http 404 2. Chunk the date range into 120 day chunks 3. Pass start and end date to avoid errors. Also add more tolerant timestamp parsing since the previous update job would fail with timestamp format errors. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * refactor(cpe-generator): remove callbacks Previously, this job had callbacks that were there to make sure that incremental progress could be written to disk. However, incremental progress was not being written to disk, and there were issues related to the callbacks like double logging. Therefore, just remove the callbacks and do simple imperative code to page through the API results. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
Otherwise sometimes the test that reads will run during the test that writes and fail because the yaml file is in a partially written state. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
--------- Signed-off-by: Rez Moss <hi@rezmoss.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
…with 2 updates (#4607) Bumps the actions-minor-patch group with 1 update in the / directory: [docker/login-action](https://github.com/docker/login-action). Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/cache](https://github.com/actions/cache). Updates `docker/login-action` from 3.6.0 to 3.7.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@5e57cd1...c94ce9f) Updates `actions/cache` from 5.0.1 to 5.0.3 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@9255dc7...cdf6c1f) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: 3.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps the go-minor-patch group with 1 update: [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar). Updates `github.com/bmatcuk/doublestar/v4` from 4.9.2 to 4.10.0 - [Release notes](https://github.com/bmatcuk/doublestar/releases) - [Commits](bmatcuk/doublestar@v4.9.2...v4.10.0) --- updated-dependencies: - dependency-name: github.com/bmatcuk/doublestar/v4 dependency-version: 4.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
--------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
…#4612) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.16.4 to 5.16.5. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.16.4...v5.16.5) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-version: 5.16.5 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
The namespace value of `redhat` signifies this as an RPM package produced and distributed by Red Hat. Signed-off-by: Scott Hebert <scoheb@gmail.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Bumps the go-minor-patch group with 2 updates: [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) and [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles). Updates `github.com/CycloneDX/cyclonedx-go` from 0.9.3 to 0.10.0 - [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases) - [Commits](CycloneDX/cyclonedx-go@v0.9.3...v0.10.0) Updates `github.com/charmbracelet/bubbles` from 0.21.0 to 0.21.1 - [Release notes](https://github.com/charmbracelet/bubbles/releases) - [Commits](charmbracelet/bubbles@v0.21.0...v0.21.1) --- updated-dependencies: - dependency-name: github.com/CycloneDX/cyclonedx-go dependency-version: 0.10.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: github.com/charmbracelet/bubbles dependency-version: 0.21.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…th 2 updates (#4622) Bumps the actions-minor-patch group with 2 updates in the / directory: [anchore/sbom-action](https://github.com/anchore/sbom-action) and [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action). Updates `anchore/sbom-action` from 0.21.1 to 0.22.2 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@0b82b0b...28d7154) Updates `zizmorcore/zizmor-action` from 0.4.1 to 0.5.0 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@1356984...0dce257) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.22.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): update tools to latest versions Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: ci rules revive Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
--------- Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
…ams (#4629) * fix(deb and snaps): prevent excess reads Previously, Syft could allocate excess memory or tempfile space if there were highly compressed objects in deb archives, or at paths where the kernel changelog was expected by the snap cataloger. Use io.LimitReaders for extracting parts of deb archives, and refactor the snap cataloger's reading of the kernel changelog to use a streaming parsing, eliminating the possibility of excess allocation. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: always cleanup temp file from file source Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * use streaming strategy for deb archives Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: downstream-sync <downstream-sync@rh-syft.org>
Signed-off-by: downstream-sync <downstream-sync@rh-syft.org>
Signed-off-by: downstream-sync <downstream-sync@rh-syft.org>
Signed-off-by: downstream-sync <downstream-sync@rh-syft.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Synced from #138
This PR updates the Syft version and likely isn't directly merge-able.
To merge it, please follow https://github.com/redhat-appstudio/rh-syft#finish-the-update.