Alex Goodman
a56eff90d6
fix ui race for package count ( #2839 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-06 11:45:52 -04:00
anchore-actions-token-generator[bot]
00ff3ffda9
chore(deps): update CPE dictionary index ( #2841 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-05-06 11:44:19 -04:00
dependabot[bot]
9de533996e
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to 6.5.9 ( #2842 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.5.8 to 6.5.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.8...v6.5.9 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 11:44:05 -04:00
dependabot[bot]
7aae7470e2
chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9 ( #2843 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.8 to 1.29.9.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.8...v1.29.9 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 11:43:55 -04:00
dependabot[bot]
d6604adaaf
chore(deps): bump github.com/charmbracelet/bubbletea ( #2838 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 0.26.0 to 0.26.1.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.26.0...v0.26.1 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-03 09:50:20 -04:00
Alex Goodman
34ca9a8412
add security policy ( #2835 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-02 14:45:17 +00:00
dependabot[bot]
f51b39ca04
chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 ( #2834 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](0c52d547c9...cdcb360436
)
---
updated-dependencies:
- dependency-name: actions/setup-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-02 10:12:10 -04:00
anchore-actions-token-generator[bot]
9bbb42620a
chore(deps): update stereoscope to 2e9894674185d121917b283f773c2b5830f8b360 ( #2831 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: kzantow <3009477+kzantow@users.noreply.github.com>
2024-05-02 09:38:23 -04:00
dependabot[bot]
0b4de3d0c7
chore(deps): bump github.com/charmbracelet/bubbletea ( #2833 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 0.25.0 to 0.26.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.25.0...v0.26.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-02 09:36:49 -04:00
camcui
80d196a8c9
chore: fix function name in comment ( #2771 )
...
Signed-off-by: camcui <cuishua@sina.cn>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-05-01 18:04:02 +00:00
William Murphy
ed40833b30
chore: enable go-critic deferInLoop lint ( #2825 )
...
The goal here is to be more careful about leaking file handles and other
resources.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-01 12:59:35 -04:00
William Murphy
93a7d2ee27
fix: better clean up of file handles ( #2823 )
...
* always close ELF cataloger file handles
The elf-binary-package-cataloger does its own file IO to account for the
possibility of a logical ELF package being broken across multiple
physical files. However, this casued it to skip the normal invocation
pattern in the generic cataloger code that prevented file leaks. Ensure
this cataloger always closes its file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* defer closing of generic cataloger file handles
Otherwise, a panicking cataloger could leak file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add unit test for file closed on panic parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* make invoke parser a static function
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* push error logging down into invoke parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-01 12:58:17 -04:00
dependabot[bot]
93a99e36c2
chore(deps): bump github.com/docker/docker ( #2827 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.1.0+incompatible to 26.1.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.1.0...v26.1.1 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-01 11:03:31 -04:00
Keith Zantow
b0c88ddea9
fix(spdx): include required fields ( #2168 )
...
* fix(spdx): include required fields
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: missed update due to refactoring
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update tools-golang
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: add test with packageVerificationCode included and excluded
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-30 13:28:42 -04:00
Keith Zantow
047e31a969
fix: add correct vendor for dnsmasq CPE ( #2659 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-30 13:24:01 -04:00
guangwu
25b55e1704
fix: close temp rpmdb file ( #2792 )
...
* fix: close temp rpmdb file and db
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
* chore: fix linter
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-30 12:47:17 -04:00
dependabot[bot]
02dc2dfa9b
chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 ( #2817 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.2 to 3.25.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](8f596b4ae3...d39d31e687
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-30 16:27:14 +00:00
Alex Goodman
5b03788300
Fill in SPDX originator for all supported package types ( #2822 )
...
* add failing test + beef up doc comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* cover more metadata types in spdx originator processing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-04-29 16:33:00 -04:00
dependabot[bot]
9901ea8fe9
chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 ( #2821 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.10 to 0.15.11.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](ab5d7b5f48...7ccf588e3c
)
---
updated-dependencies:
- dependency-name: anchore/sbom-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-29 12:40:43 -04:00
Alex Goodman
87cd6c8c48
update spdx license list to 3.23 ( #2818 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-04-26 14:50:55 +00:00
William Murphy
d3310a1830
fix: re-use embedded union reader if possible ( #2814 )
...
* fix: re-use embedded union reader if possible
Previously, because file.LocationReadCloser embeds a ReadCloser that
might be a UnionReader, but doesn't implement the interface itself, the
type assertion would fall and Syft would fall back to io.ReadAll to
enable seeking on the underlying reader, resulting in a potentially
large extra allocation.
Instead, check whether the passed ReadCloser is a
file.LocationReadCloser, and if so, try to use the embedded ReadCloser
as a UnionReader.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* lint fix
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Assert that underlying reader is returned
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-26 10:21:38 -04:00
Weston Steimel
8640f978ba
feat: index known CPEs for go modules ( #2816 )
...
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-26 09:55:05 -04:00
dependabot[bot]
13b06dad45
chore(deps): bump peter-evans/create-pull-request from 6.0.4 to 6.0.5 ( #2812 )
2024-04-25 10:32:10 -04:00
Weston Steimel
9604e3dc9c
feat: support multiple known CPEs in index ( #2813 )
...
It is possible that a given package has multiple known "official" CPEs
active in the dictionary at once, so the index should support a slice of
CPE strings per package
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-25 15:22:26 +01:00
anchore-actions-token-generator[bot]
f2fc10aa86
chore(deps): update stereoscope to 8b297badafd5d81fa1187b26ae34dd2a7ce7e425 ( #2807 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: kzantow <3009477+kzantow@users.noreply.github.com>
2024-04-24 15:19:13 -04:00
dependabot[bot]
21b22555d2
chore(deps): bump actions/checkout from 4.1.3 to 4.1.4 ( #2809 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.3 to 4.1.4.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](1d96c772d1...0ad4b8fada
)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-24 15:19:03 -04:00
dependabot[bot]
5326efcef1
chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.3 to 0.5.4 ( #2810 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.5.3...v0.5.4 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-24 12:04:09 -04:00
Gijs Calis
b90e7f9437
Fix removing labels in 'Detect schema changes' job ( #2772 )
...
* Fix error messages for add & remove label
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
* Check if label exists on PR before removing
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
---------
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
2024-04-23 14:42:57 -04:00
dependabot[bot]
fbdd4ee015
chore(deps): bump github.com/docker/docker ( #2805 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.2+incompatible to 26.1.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.2...v26.1.0 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-23 14:32:34 -04:00
William Murphy
f154bf570d
Display which provider caused which error in output ( #2757 )
...
* Display which provider caused which error in output
Otherwise, the output is very difficult to parse.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* lint fix
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump stereoscope to v0.0.2
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-23 14:27:39 -04:00
Weston Steimel
99b58db497
fix: prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io ( #2806 )
...
Improves the logic for adding known CPEs for Jenkins plugins by
including `plugins.jenkins.io` and prefers non-deprecated CPEs
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 11:11:47 -04:00
Weston Steimel
8d960e62c6
feat: index known CPEs for PHP Composer packagist.org packages ( #2804 )
...
Indexes known CPEs from `packagist.org`
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 10:42:59 -04:00
dependabot[bot]
27a8a1be03
chore(deps): bump github/codeql-action from 3.25.1 to 3.25.2 ( #2802 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.1 to 3.25.2.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c7f9125735...8f596b4ae3
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-23 09:54:36 -04:00
dependabot[bot]
4ccbd17255
chore(deps): bump actions/upload-artifact from 4.3.2 to 4.3.3 ( #2803 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.2 to 4.3.3.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](1746f4ab65...65462800fd
)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-23 09:54:28 -04:00
Weston Steimel
891e61a2ef
fix: improvements to known CPE index construction ( #2801 )
...
* fix: stop pre-filtering potential known CPE URLs
Previously when building the known CPE index, there was logic to
de-duplicate processing based on the normalized CPE name; however, this
means a significant number of known CPE's don't get indexed because the
first instance of that name didn't have a supported collection url but a
later one did. This isn't code that executes at runtime in syft so
de-duplicating the processing for performance isn't really necessary
here and it doesn't add much to the total runtime anyways
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* fix: CPE index builder should extract and consider all reference urls
Previously the struct definition for CpeItem caused only the last URL
reference in the list to be kept and processed for inclusion in the
index
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
---------
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-23 09:28:18 -04:00
Keith Zantow
f7d3d552ce
fix: exclude known instrumentation jars from being erroneously identified ( #2796 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-22 15:03:17 -04:00
Weston Steimel
12ea9912b4
feat: index known cpes for PHP extensions ( #2777 )
...
Indexes known CPEs from `pecl.php.net` and `pear.php.net`
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-04-22 13:43:19 -04:00
dependabot[bot]
cf6f92f2c8
chore(deps): bump actions/checkout from 4.1.2 to 4.1.3 ( #2799 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.2 to 4.1.3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](9bb56186c3...1d96c772d1
)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-22 13:29:13 -04:00
William Murphy
6440f26b5a
fix: return empty string if dereferncing pom var fails ( #2797 )
...
Previously, Syft would attempt to dereference pom variables, but if it
detected a cycle or failed to get back to a non-variable value, it would
return the last variable. Instead, return an empty string. Otherwise,
certain jars will have versions like "${project.version}" in the SBOM,
which is not helpful.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-19 19:38:36 +00:00
dependabot[bot]
f2633800ce
chore(deps): bump github.com/docker/docker ( #2793 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 26.0.1+incompatible to 26.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v26.0.1...v26.0.2 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:57 -04:00
dependabot[bot]
4f227bf447
chore(deps): bump modernc.org/sqlite from 1.29.7 to 1.29.8 ( #2794 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.7 to 1.29.8.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.7...v1.29.8 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:44 -04:00
dependabot[bot]
d70eb3d04b
chore(deps): bump actions/upload-artifact from 4.3.1 to 4.3.2 ( #2795 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.3.1 to 4.3.2.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](5d5d22a312...1746f4ab65
)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-19 15:06:32 -04:00
guangwu
fe4819bc08
chore: cleanup redundant code ( #2791 )
...
Signed-off-by: guoguangwu <guoguangwug@gmail.com>
2024-04-19 12:12:48 -04:00
anchore-actions-token-generator[bot]
b26b38d6c5
chore(deps): update tools to latest versions ( #2789 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-04-18 12:40:08 -04:00
dependabot[bot]
31969136e3
chore(deps): bump github.com/spdx/tools-golang from 0.5.3 to 0.5.4 ( #2790 )
...
Bumps [github.com/spdx/tools-golang](https://github.com/spdx/tools-golang ) from 0.5.3 to 0.5.4.
- [Release notes](https://github.com/spdx/tools-golang/releases )
- [Changelog](https://github.com/spdx/tools-golang/blob/main/RELEASE-NOTES.md )
- [Commits](https://github.com/spdx/tools-golang/compare/v0.5.3...v0.5.4 )
---
updated-dependencies:
- dependency-name: github.com/spdx/tools-golang
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-18 12:39:42 -04:00
dependabot[bot]
f6845474bd
chore(deps): bump github/codeql-action from 3.25.0 to 3.25.1 ( #2786 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.25.0 to 3.25.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](df5a14dc28...c7f9125735
)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-17 10:46:34 -04:00
dependabot[bot]
e1cadead1d
chore(deps): bump peter-evans/create-pull-request from 6.0.3 to 6.0.4 ( #2787 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 6.0.3 to 6.0.4.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](c55203cfde...9153d834b6
)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-17 10:46:24 -04:00
William Murphy
3e71f46fc8
Fix: repeatedly dereference pom variables ( #2781 )
...
* Fix: repeatedly dereference pom variables
Previously, if there was more than one layer of variable indirection in
the pom property (propert A says it has the same value as property B,
property B says it has the same value as property C), then Syft would
only dereference one layer. Add a loop to dereference variables until
either dereferencing fails, or until the variable is completely
dereferenced back to a literal.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add test cases for degenerate poms
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* switch to recursive implementation
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove redundant pieces of test cases
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-04-16 15:44:02 -04:00
dependabot[bot]
3b01e13f92
chore(deps): bump modernc.org/sqlite from 1.29.6 to 1.29.7 ( #2783 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.29.6 to 1.29.7.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.6...v1.29.7 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-04-16 11:05:35 -04:00
anchore-actions-token-generator[bot]
25c2e60358
chore(deps): update CPE dictionary index ( #2780 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: westonsteimel <1593939+westonsteimel@users.noreply.github.com>
2024-04-15 11:15:38 -04:00