Will Murphy
6676bb7459
fix lint
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-24 13:31:08 -04:00
Will Murphy
20b692df04
newLazyUnionReader cannot return err
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-24 12:51:49 -04:00
Will Murphy
434f100add
clean up lazy union reader
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-24 12:48:55 -04:00
Will Murphy
bad5cf2af8
more passing lazy union reader tests
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-24 11:00:50 -04:00
Will Murphy
20a26a0dfe
very WIP: lazy union reader
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-24 10:34:14 -04:00
William Murphy
6440f26b5a
fix: return empty string if dereferncing pom var fails ( #2797 )
...
Previously, Syft would attempt to dereference pom variables, but if it
detected a cycle or failed to get back to a non-variable value, it would
return the last variable. Instead, return an empty string. Otherwise,
certain jars will have versions like "${project.version}" in the SBOM,
which is not helpful.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-19 19:38:36 +00:00
dependabot[bot]
f2633800ce
chore(deps): bump github.com/docker/docker ( #2793 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.1+incompatible to 26.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.1...v26.0.2 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:57 -04:00
dependabot[bot]
4f227bf447
chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8 ( #2794 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.7 to 1.29.8.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.7...v1.29.8 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:44 -04:00
dependabot[bot]
d70eb3d04b
chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 ( #2795 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.1 to 4.3.2.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](5d5d22a312...1746f4ab65
2024-04-19 15:06:32 -04:00
guangwu
fe4819bc08
chore: cleanup redundant code ( #2791 )
...
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-04-19 12:12:48 -04:00
anchore-actions-token-generator[bot]
b26b38d6c5
chore(deps): update tools to latest versions ( #2789 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-18 12:40:08 -04:00
dependabot[bot]
31969136e3
chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 ( #2790 )
...
Bumps [github.com/spdx/tools-golang](https://github.com/spdx/tools-golang ) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/spdx/tools-golang/releases )
- [Changelog](https://github.com/spdx/tools-golang/blob/main/RELEASE-NOTES.md )
- [Commits](https://github.com/spdx/tools-golang/compare/v0.5.3...v0.5.4 )
---
updated-dependencies:
- dependency-name: github.com/spdx/tools-golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-18 12:39:42 -04:00
dependabot[bot]
f6845474bd
chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 ( #2786 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.0 to 3.25.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](df5a14dc28...c7f9125735
2024-04-17 10:46:34 -04:00
dependabot[bot]
e1cadead1d
chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 ( #2787 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.0.3 to 6.0.4.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](c55203cfde...9153d834b6
2024-04-17 10:46:24 -04:00
William Murphy
3e71f46fc8
Fix: repeatedly dereference pom variables ( #2781 )
...
* Fix: repeatedly dereference pom variables
Previously, if there was more than one layer of variable indirection in
the pom property (propert A says it has the same value as property B,
property B says it has the same value as property C), then Syft would
only dereference one layer. Add a loop to dereference variables until
either dereferencing fails, or until the variable is completely
dereferenced back to a literal.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add test cases for degenerate poms
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove redundant pieces of test cases
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-16 15:44:02 -04:00
dependabot[bot]
3b01e13f92
chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7 ( #2783 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.6 to 1.29.7.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.6...v1.29.7 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-16 11:05:35 -04:00
anchore-actions-token-generator[bot]
25c2e60358
chore(deps): update CPE dictionary index ( #2780 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: westonsteimel <1593939+westonsteimel@users.noreply.github.com>
2024-04-15 11:15:38 -04:00
dependabot[bot]
dc7fa21980
chore(deps): bump github/codeql-action from 3.24.10 to 3.25.0 ( #2779 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.24.10 to 3.25.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4355270be1...df5a14dc28
2024-04-15 10:00:54 -04:00
Weston Steimel
587690b875
chore: fix broken cpe index generation task ( #2778 )
...
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-15 09:39:57 -04:00
dependabot[bot]
21eaa5c82b
chore(deps): bump github.com/docker/docker ( #2773 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.0+incompatible to 26.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.0...v26.0.1 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-12 15:33:27 -04:00
dependabot[bot]
081ec04b3f
chore(deps): bump peter-evans/create-pull-request from 6.0.2 to 6.0.3 ( #2774 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](70a41aba78...c55203cfde
2024-04-12 15:31:36 -04:00
Keith Zantow
dde5d349b1
fix: more robust go main version extraction ( #2767 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2024-04-11 11:58:51 -04:00
anchore-actions-token-generator[bot]
a5d77b9263
chore(deps): update tools to latest versions ( #2768 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-11 11:53:55 -04:00
Laurent Goderre
c9aab4863b
fix: binary character in java version ( #2766 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-04-11 10:32:24 -04:00
anchore-actions-token-generator[bot]
af1a065d2a
chore(deps): update tools to latest versions ( #2760 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-09 12:03:12 -04:00
dependabot[bot]
88cef1e05c
chore(deps): bump modernc.org/sqlite from 1.29.5 to 1.29.6 ( #2761 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.5 to 1.29.6.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.5...v1.29.6 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-09 12:02:56 -04:00
dependabot[bot]
870d97ca5a
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.6 to 6.5.8 ( #2754 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.5.6 to 6.5.8.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.6...v6.5.8 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-08 12:19:45 -04:00
dependabot[bot]
e681bc4780
chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.2 to 0.5.3 ( #2755 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.5.2 to 0.5.3.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.2...v0.5.3 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-08 12:19:32 -04:00
dependabot[bot]
c31696f131
chore(deps): bump github/codeql-action from 3.24.9 to 3.24.10 ( #2756 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.24.9 to 3.24.10.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](1b1aada464...4355270be1
2024-04-08 12:19:20 -04:00
dependabot[bot]
67781e98a2
chore(deps): bump golang.org/x/mod from 0.16.0 to 0.17.0 ( #2751 )
...
Bumps [golang.org/x/mod](https://github.com/golang/mod ) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/mod/compare/v0.16.0...v0.17.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 19:22:00 +00:00
Laurent Goderre
619ace65c3
Differentiate between JRE and JDK ( #2748 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-04-05 15:10:58 -04:00
dependabot[bot]
3e4e3bb1d4
chore(deps): bump golang.org/x/net from 0.23.0 to 0.24.0 ( #2752 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.23.0 to 0.24.0.
- [Commits](https://github.com/golang/net/compare/v0.23.0...v0.24.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-05 15:10:15 -04:00
anchore-actions-token-generator[bot]
1e31356c49
chore(deps): update tools to latest versions ( #2744 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-04 10:34:19 -04:00
dependabot[bot]
0fa925e5af
chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 ( #2747 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.22.0 to 0.23.0.
- [Commits](https://github.com/golang/net/compare/v0.22.0...v0.23.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-04 10:34:03 -04:00
Christopher Angelo Phillips
e100776f22
chore: update anchore/packageurl-go to use latest commits ( #2746 )
...
chore: update packageurl-go dependency to use latest commits
chore: go mod tidy
unit: update + -> %2B
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-04 10:33:51 -04:00
Laurent Goderre
e0233625cb
feat: cataloger for PHP Pecl and PEAR packages ( #2604 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-04-02 11:55:56 -04:00
dependabot[bot]
e0f5b5a787
chore(deps): bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 ( #2743 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.11.0 to 5.12.0.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.11.0...v5.12.0 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-01 14:14:07 -04:00
anchore-actions-token-generator[bot]
9c42c83229
chore(deps): update tools to latest versions ( #2741 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-03-30 17:51:21 -04:00
Keith Zantow
01340b2a5c
fix: conan poco project cpe ( #2740 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-03-28 16:56:24 -04:00
dependabot[bot]
16edb40c72
chore(deps): bump github.com/distribution/reference from 0.5.0 to 0.6.0 ( #2738 )
...
Bumps [github.com/distribution/reference](https://github.com/distribution/reference ) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/distribution/reference/releases )
- [Commits](https://github.com/distribution/reference/compare/v0.5.0...v0.6.0 )
---
updated-dependencies:
- dependency-name: github.com/distribution/reference
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-28 12:22:00 -04:00
dependabot[bot]
5a865d0d90
chore(deps): bump anchore/sbom-action from 0.15.9 to 0.15.10 ( #2737 )
2024-03-27 17:52:22 +00:00
Keith Zantow
410867ca0c
fix: panic scanning binaries without symtab ( #2739 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-03-27 13:51:45 -04:00
guangwu
469b4c13bb
chore: remove useless code ( #2716 )
...
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-03-26 12:21:03 -04:00
dependabot[bot]
57e9cc52a4
chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0 ( #2731 )
...
Bumps google.golang.org/protobuf from 1.31.0 to 1.33.0.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-26 11:52:50 -04:00
dependabot[bot]
55fff0f4a1
chore(deps): bump github/codeql-action from 3.24.8 to 3.24.9 ( #2732 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.24.8 to 3.24.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](05963f47d8...1b1aada464
2024-03-26 11:50:31 -04:00
anchore-actions-token-generator[bot]
2a7b4f3761
chore(deps): update tools to latest versions ( #2733 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-03-26 11:50:21 -04:00
dependabot[bot]
fe3704d4a9
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.5 to 6.5.6 ( #2734 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.5.5 to 6.5.6.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.5...v6.5.6 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-26 11:50:07 -04:00
Hung Nguyen
059cfd6730
update release token from readonly to write token ( #2735 )
...
Signed-off-by: Hung Nguyen <hung.tran.nguyen.585@gmail.com>
2024-03-26 09:06:55 -04:00
Colm O hEigeartaigh
f4e18961b9
Adding the ability to retrieve remote licenses from package.lock ( #2708 )
...
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2024-03-21 13:20:04 -04:00
Alex Goodman
0d5ebed74a
dont include labels for dependabot ecosystems ( #2720 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-03-21 12:16:01 -04:00
