* bump syft to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for pkg type exceptions for github actions and workflows
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx json schema from v1.4 to v1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to syft v0.91.0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go-setup action to v4
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove asset upload from release workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
grype currently produces CYCLONE-DX SBOM that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities.
For more context on impacted issues:
https://github.com/anchore/grype/issues/796https://github.com/anchore/grype/issues/951
