dsv-cli
build(aqua-proj): 🌊 major aqua major (major)
This PR contains the following updates:
| Package | Update | Change | OpenSSF |
|---|---|---|---|
| anchore/syft | major | v0.105.1 -> v1.37.0 | |
| charmbracelet/glow | major | v1.5.1 -> v2.1.1 | |
| goreleaser/goreleaser | major | v1.26.2 -> v2.12.7 | |
Release Notes
anchore/syft (anchore/syft)
v1.37.0
Added Features
- Refactor fileresolver to not require base path [#​4298 @​Rupikz]
- Describe cataloger capabilities via test observations [#​4318 @​wagoodman]
- Support Java resource adapter extension .far as a Java archive [#​4183 #​4193 @​kyounghunJang]
- Add Java resource adapter extension ".rar" as supported Java archive [#​4136 #​4137 @​thomassui]
Bug Fixes
- fix empty PURL Github format [#​4312 @​rezmoss]
- Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#​4308 @​kdt523]
- Respect "rpmmod" PURL qualifier [#​4314 @​willmurphyscode]
- fix dpkg packages that are in `deinstalled` state should not be in SBOM [#​3063 #​4231 @​rkirk-nos]
v1.36.0
Added Features
- Add the ability to fetch remote licenses for pnpm-lock.yaml files [#​4286 @​timols]
- support universal (fat) mach-o binary files [#​4278 @​JoeyShapiro]
- pdm support [#​2709 #​4234 @​paulslaby]
Bug Fixes
- Remove duplicate image source providers [#​4289 @​Rupikz]
- syft can't extract go module information from executables on Windows [#​4271 #​4285 @​JoeyShapiro]
v1.34.2
Bug Fixes
- Extract zip archive with multiple entries [#​4283 @​Rupikz]
- panic while resolving maven properties in archive parser [#​4288 #​4290 @​kzantow]
v1.34.1
Added Features
- feat: enhance setup.py parser to handle unquoted dependencies [#​4255 @​HalaAli198]
- feat: support for identifying ffmpeg/libav libraries [#​4227 @​popey]
- feat: PNPM latest lockfile (version 9.0) [#​3927 #​4256 @​bernardoamc]
- Add Windows ARM64 releases [#​4179 #​4237 @​compnerd]
Bug Fixes
- fix: SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches [#​4036 #​4093 @​hawkaii]
- fix: use of manifest files present in Snap packages when generating SBOMs [#​4147 #​4151 @​popey]
- fix: Pom xml only archive parser [#​4272 @​douglasclarke]
v1.33.0
Added Features
- Modify RpmDBEntry to include modularityLabel for cyclonedx [#​4212 @​sfc-gh-rmaj]
- Add locations onto packages read from Java native image SBOMs [#​4186 @​rudsberg]
v1.32.0
Added Features
- Catalog entire build list for Go projects, not just packages listed in go.mod [#​432 #​4127 @​spiffcs]
- package.json authors keyword parsing [#​2250 #​4003 @​popey]
- Conda ecosystem support (basic) [#​4002 @​SimeonStoykovQC]
Bug Fixes
- When scanning the FFmpeg binary with Syft a new package is now added [#​3988 #​3994 @​popey]
- Warn loudly if SQLite driver is not present when needed [#​3234 #​4150 @​kzantow]
Additional Changes
v1.31.0
Added Features
- Option to set `PackageSupplier` in root of SPDX document generated by CLI [#​3098 #​4131 @​spiffcs]
Bug Fixes
- closed reader during java binary detection [#​4129 @​kzantow]
- support multiple letters in openssl patch version [#​4106 @​honigbot]
- Can not have license ID [#​1964 #​4132 @​spiffcs]
- Syft sometimes reports URL for license value when scanning JARs with a URL in `Bundle-License` field of manifest [#​3186]
v1.30.0
Added Features
- add binary classifier for hashicorp vault [#​4121 @​willmurphyscode]
Bug Fixes
- fix: update nondeterministic Java archive cataloging and improve groupID [#​3521 #​4118 @​kzantow]
v1.29.1
Bug Fixes
- Missing license information for tzdata [#​4102]
- Improve JVM Scan Accuracy for JDK and JRE Detection [#​4071 #​4046 @​kzantow]
- Azul JDK classified as Oracle JRE [#​3893 #​4046 @​kzantow]
v1.29.0
Added Features
- Catalog python `uv.lock` files [#​3268 #​3763 @​jkugler]
Additional Changes
- Pkg Metadata type unmarshal bug [#​4043 @​houdini91]
v1.28.0
Added Features
- add native support for snap packages [#​1088 #​3929 @​wagoodman]
Additional Changes
- upgrade tablewriter dependency to use new API [#​3990 @​cpanato]
v1.27.1
Bug Fixes
- Allow decoding of enterprise-modified anchorectl json files [#​3997 @​wagoodman]
- Allow decoding of anchorectl json files [#​3973 @​wagoodman]
Additional Changes
- provide separate nonroot image [#​3998 @​kzantow]
v1.27.0
Added Features
- add syft schema version to version command [#​3949 @​spiffcs]
Bug Fixes
- Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#​3967 @​jayvdb]
- Remove CPE product candidates for opentelemetry and redis Rust crates [#​3962 @​jayvdb]
- Harden Container Runtime with Non-Root User [#​3941 @​MikeTheCyberGuy]
- terraform provider lock entries should not require constraints [#​3934 @​ghouscht]
- sbom cataloger returning upstream package [#​3662 #​3981 @​kzantow]
- Syft missing md5 sums and list data for dpkg packages under `status.d/` [#​3912]
- Failure to detect dependency relationships between Python packages [#​3958 #​3965 @​christoph-blessing]
- Heavy memory consumption when directory scanning deb source [#​3928 #​3953 @​kzantow]
- In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#​3942 #​3944 @​kzantow]
- Syft incorrectly reports multiple APKs as parents of symlinked files [#​3847 #​3923 @​luhring]
A HUGE thank you to @​rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️
v1.26.1
Bug Fixes
- Dotnet deps binary cataloger hangs [#​3919 #​3930 @​kzantow]
v1.26.0
Added Features
- Read version resources from non-.NET DLLs and executables [#​3842 #​3911 @​wagoodman]
Bug Fixes
- `pkg.JavaArchive.PomProperties` is being populated even though no `pom.properties` file was present for analysis [#​3922 @​wagoodman]
- syft 1.24.0 debug container - wget fails TLS [#​3891 #​3915 @​spiffcs]
v1.25.1
Additional Changes
- remove go-rpmdb replace directive [#​3908 @​wagoodman]
v1.25.0
Added Features
- Add PHP interpreter + extensions cataloger [#​2585 @​LaurentGoderre]
Bug Fixes
- update license content filtering default case to be 'none' for no content [#​3903 @​spiffcs]
- Distinguish openjdk vs jdk when using file source [#​3895 @​adammcclenaghan]
- Make it discoverable if Native Image contains no embedded SBOM [#​3731 #​3805 @​sathiya06]
v1.24.0
Added Features
- Add cataloger for Dart pubspec [#​3292 @​LaurentGoderre]
- Translate Portage license strings to SPDX expressions [#​1763 @​wagoodman]
- Use package ID from decoded SBOMs when provided [#​1872 @​jneate]
- Annotate visible/hidden paths when all-layers scope [#​3855 @​wagoodman]
- Add support for PHP Pear [#​2775 @​LaurentGoderre]
- Detect whether full license text or a license name has been provided [#​3088 #​3876 @​spiffcs #​3450 @​spiffcs]
- Add Cataloger for Homebrew on macOS [#​3632 #​3724 @​rezmoss]
- Provide a way to get the LayerID the package was first found in [#​435 #​3858 @​wagoodman #​3138 @​tomersein]
- Go binaries that currently get `(devel)` as the version should instead stub `UNKNOWN` based on the compliance policy [#​3324 #​3873 @​wagoodman]
- Upgrade base Docker image to gcr.io/distroless/static-debian12 [#​3840 #​3862 @​bgoareguer]
- Return full license string instead of SHA256 hash when license string exceeds 64 characters [#​3780 #​3844 @​spiffcs]
- Detect nix dependencies [#​3814 #​3837 @​wagoodman]
Bug Fixes
- update license sort to be stable with contents field [#​3860 @​spiffcs]
- Improve detection of erlang binary in alpine Linux [#​3839 @​avodotiiets]
- Do not search for main module versions within binary contents by default [#​3874 @​wagoodman]
- dpkg license improvement for non SPDX licenses [#​3090 #​3888 @​spiffcs]
- CycloneDX group field not symmetrically handled by encoder/decoders [#​2981 #​3853 @​kzantow]
- Syft crash [signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x123a0da] [#​3872 #​3875 @​wagoodman]
- Syft 1.23.1 shows version (devel) for grafana 12.0.0 [#​3864]
- .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs [#​3866 #​3869 @​wagoodman]
- Propagate error in FileSourceProvider instead of warn log [#​3831 #​3845 @​Rupikz]
- Update github.com/Masterminds/semver package [#​3829 #​3836 @​popey]
- go-module-file-cataloger fails if symlinks in path [#​3614 #​3783 @​VictorHuu]
- Support fluent-bit some versions of arm/s390x images [#​3793 #​3817 @​VictorHuu]
Additional Changes
- update rust test fixtures to latest [#​3852 @​spiffcs]
v1.23.1
Additional Changes
- Resolve owned file paths when searching for overlaps [#​3828 @​wagoodman]
v1.23.0
Added Features
- Support skipping archive extraction with file source [#​3795 @​adammcclenaghan]
- Use the R cataloger in directory scans [#​3774 @​spiffcs]
- Add support for detecting javascript assets in .NET projects using libman [#​3825 @​wagoodman]
- Parse GitHub actions comments [#​3776 @​wagoodman]
- Support chrome binary detection [#​3174 #​3136 @​lem-onade]
- Add support for detecting undeclared license files scanning from python installations [#​2624 #​3779 @​wagoodman]
Bug Fixes
- .NET cataloger should consider compile target paths from deps.json [#​3821 @​wagoodman]
- Skip license scanner injection [#​3796 @​adammcclenaghan]
- Delete collection name/type key entries when empty [#​3797 @​adammcclenaghan]
- Use module name over relative paths in `go.mod` replace directives [#​3812 @​VictorHuu]
- Correct variable names for Conan lock parsing version handling [#​3802 @​musangk]
- Consider DLL claims for dependencies of .NET packages from deps.json [#​3822 @​wagoodman]
- Empty source during decoding an SBOM document should not be fatal [#​3791 @​wagoodman]
- Dpkg are not detected when scanning a directory [#​3726 #​3820 @​VictorHuu]
- Support golang tip image [#​3681 #​3757 @​VictorHuu]
- syft cataloger list should flatten options [#​3801 #​3804 @​kzantow]
- Unable to generate a correct SBOM for C++ project [#​3755]
v1.22.0
Added Features
- Improve .NET package CPE generation [#​3764 @​wagoodman]
- Catalog deb archives directly [#​3315 #​3704 @​popey]
Bug Fixes
- Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries [#​3282 #​3768 @​wagoodman]
- Dotnet deps cataloger returns "wrong" dotnet-framework dependencies and misses out on the runtime (for applications) [#​2347 #​3768 @​wagoodman]
- .NET deps.json should be considered as installation evidence [#​3570 #​3563 @​wagoodman]
- Dotnet PE binary cataloger is detecting false positives [#​3469 #​3563 @​wagoodman]
- Long Processing Time in dpkg-db-cataloger with all-layers Option (Syft 1.20.0) [#​3683 #​3636 @​kzantow]
v1.21.0
Added Features
- Support extracting symbols in .dynsym section for GraalVM Native Images [#​3647 @​rudsberg]
- Support fluent-bit 1.7.0 dev, rc [#​3133 #​3701 @​popey]
Bug Fixes
- Suppress "file already closed" errors [#​3695 @​wagoodman]
- Add set ID to dotnet (lock) packages [#​3719 @​houdini91]
- Location order on packages should consider evidence annotations when sorting [#​3720 @​wagoodman]
- Fix /etc/redhat-release file parsing when resolving distro details [#​3688 @​wagoodman]
- Syft `fileresolver.containsPath` allocates unnecessarily [#​3729 #​3730 @​yoav-orca]
- Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies [#​3158 #​3572 @​sgreg]
- Download location is not a valid URI [#​3696 #​3697 @​stgrace]
Additional Changes
- Update rustaudit module name [#​3689 @​tofay]
- bump golang.org/x/net from 0.35.0 to 0.36.0 [#​3709 @​dependabot]
v1.20.0
Added Features
- Add file catalogers to selection configuration [#​3505 @​wagoodman]
- Configuration for including license contents in SBOM [#​3626 #​3631 @​spiffcs]
- Support Bitnami embedded SBOMs [#​3065 #​3341 @​juan131] [#​3676 @​willmurphyscode]
Bug Fixes
- Version parse caused by line breaks on different platforms [#​3672 @​idhyt]
- License files which do not match an SPDX expression are erroneously handled as 'unlicensed' [#​3412 #​3366 @​HeyeOpenSource]
- Incorrect URL encoding of package url (purl) [#​3533 #​3678 @​kzantow]
- syft should not warn on known bad package.json [#​3470 #​3645 @​kzantow]
- Scanning a project with many DLLs is slow [#​3455 #​3677 @​rogueai]
- cyclone-dx presenter drops files, includes only packages [#​3435 #​3539 @​spiffcs]
- "syft config" output swaps comments for search-indexed-archives / search-unindexed-archives [#​3624 #​3630 @​spiffcs]
- dpkg license improvement for non SPDX licenses [#​3090 #​3366 @​HeyeOpenSource]
- RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) [#​3534 #​3615 @​mprpic]
Additional Changes
- update to go 1.24.x [#​3660 @​westonsteimel]
- replace all shorthand tags of mapstruct -> mapstructure [#​3633 @​spiffcs]
v1.19.0
Added Features
- add license parsing from vendor dirs [#​3522 @​dschmidt]
- Support cataloging NuGet packages [#​373 #​3484 @​Kemosabert]
Bug Fixes
- Syft generates invalid PURLs when name contains `:` [#​3577 #​3596 @​spiffcs @​jkugler]
- warn instead of error if zero package catalogers are selected - user might still run file metadata cataloger, for example [#​3128 #​3468 @​tomersein]
- sbom report: missing licenses [#​3527 #​3549 @​kzantow]
Additional Changes
- bump stereoscope to v0.0.13 [#​3601 @​spiffcs]
v1.18.1
Bug Fixes
- Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#​3390]
- SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#​3441 #​3517 @​willmurphyscode]
Additional Changes
- migrate syft to use anchore fork of archiver without replace [#​3516 @​spiffcs]
v1.18.0
Added Features
- convert spdx absolute to relative [#​3509 @​spiffcs]
- Add relationships for rust audit binary packages [#​3500 @​wagoodman]
- support configuration of layer size in Syft [#​3428 #​3464 @​tomersein]
- Support Dart arm/v7 in 3.x and 2.x [#​3278 #​3475 @​witchcraze]
Bug Fixes
- fix order of rust dependencies and support git sources in Cargo.lock dependencies [#​3502 @​willmurphyscode]
- Use file indexer directly when scanning with file source [#​3333 @​adammcclenaghan]
- Remove incorrect power-user help text that only image sources are supported [#​2046]
- Invalid SPDX: missing copyright text [#​3346 #​3495 @​spiffcs]
- Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#​3403]
v1.17.0
Added Features
- Surface Rust dependency relationships [#​2353 #​3443 @​willmurphyscode]
- Support node 6.x versions [#​3404 #​3419 @​witchcraze]
Bug Fixes
- Restore log on UI teardown [#​3427 @​wagoodman]
- Syft should log warnings even when no TTY is present [#​3081 #​3466 @​willmurphyscode]
- Special characters (tab, newline) in license URL [#​3122 #​3449 @​spiffcs]
- LicenseDeclared not as per SPDX License List [#​3030 #​3461 @​spiffcs]
Additional Changes
v1.16.0
Added Features
- omit devDependencies for package-lock.json files by default [#​2348 #​3371 @​njv299]
Bug Fixes
- add support for dependencies and purl for Native Image SBOMs [#​3399 @​rudsberg]
- stop bubbling fileResolver errors from binary cataloger [#​3410 @​spiffcs]
- malformed pom.xml may cause recursive loop [#​3391 @​kzantow]
- syft convert: broken link in help - documentation no longer existing [#​3143 #​3407 @​Makefolder]
v1.15.0
Added Features
- Merge config files hierarchically and add support for config profiles [#​3337 @​kzantow]
- Enable cargo-auditable-binary-cataloger for files/directories [#​3376 @​ariel-miculas]
- Improve mariadb binary classifier to detect older versions [#​3052]
- Look for dpkg status file at additional globs [#​2692 #​3373 @​njv299]
- Emit relationships for Java dependencies [#​3189 #​3363 @​kzantow]
v1.14.2
Bug Fixes
- Use single license scanner for all catalogers [#​3348 @​wagoodman]
- use official CPE for linux kernel [#​3343 @​westonsteimel]
- improve mariadb binary classifier to detect older versions [#​3339 @​westonsteimel]
Additional Changes
- Update to latest packageurl-go [#​3347 @​wagoodman]
v1.14.1
Bug Fixes
- stop some log.Warn spam due to parsing an empty string as a CPE [#​3330 @​willmurphyscode]
- improve go binary semver extraction for traefik [#​3325 @​westonsteimel]
v1.14.0
Added Features
- Report known unknowns directly in the output SBOM [#​518 #​2998 @​kzantow]
- Identify `bash.preinst` [#​3191 #​3228 @​wagoodman]
- Support HAProxy rc and some old versions [#​3233 #​3277 @​witchcraze]
- Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#​3279 #​3281 @​witchcraze]
- Support node old versions [#​3236 #​3284 @​witchcraze]
- Support rubylang/ruby dev versions [#​3239 #​3285 @​witchcraze]
- Support ruby rc, preview [#​3238 #​3285 @​witchcraze]
Bug Fixes
- performance: instantiate license check scanner to prevent memory leak [#​3290 @​govrin]
- Parse package.json with non-standard fields in 'author' section [#​3300 @​nuada]
- make failed CPE validation correctly return error [#​2762 @​willmurphyscode]
- Improve subpath to mount matching [#​3269 @​cdupuis]
Additional Changes
- add pull request template [#​3294 @​willmurphyscode]
v1.13.0
Added Features
- --enrich flag for data enrichment feature enablement [#​3182 @​kzantow]
- Add classifier for Dart lang [#​3265 @​LaurentGoderre]
- add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#​3252 @​krysgor]
- Catalog JDKs more completely [#​3188 #​3217 @​wagoodman]
- Show richer information for JVM installations [#​1426 #​3217 @​wagoodman]
- Allow for stubbing unknown versions over dropping packages [#​2652 #​3257 @​wagoodman]
- Name and Version empty for Java package when scanning provided image [#​2132 #​3257 @​wagoodman]
- Support bitnami/mysql:8.x [#​3025]
Bug Fixes
- OpenJDK CPEs [#​2422 #​3217 @​wagoodman]
- SBOM generated from poetry lock file contains no license information on any dependencies [#​3204]
- Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2039 #​3257 @​wagoodman]
- Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#​2038 #​3257 @​wagoodman]
- Command `make add-snippet` can fail in some cases [#​3249]
v1.12.2
Added Features
- Detect curl binaries [#​3146 @​krysgor]
- Add haskell binaries cataloger [#​3078 @​LaurentGoderre]
- add the Ocaml ecosystem [#​3112 @​LaurentGoderre]
- Support HAProxy dev [#​3134 #​3180 @​witchcraze]
Bug Fixes
- Fix improper d
Configuration
📅 Schedule: Branch creation - "after 10pm on monday, before 3am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate.
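Several of the syft notes above concern whether the emitted SBOM carries real version and supplier data: Go binaries reporting `(devel)` and the compliance policy that stubs `UNKNOWN` instead (v1.24.0), JARs and `go.mod` replace entries producing SPDX packages without `versionInfo` and therefore failing the NTIA minimum elements (v1.13.0), and the `PackageSupplier` option (v1.31.0). When a major bump like this one changes the pinned syft, a practitioner wants a quick post-generation check that the SPDX JSON it produces has not regressed on those fields. The script below is an added example written for this review; it is not part of the dsv-cli repository, not syft's own code, and the SPDX document it parses is constructed inline rather than captured from syft. Its field names (`packages`, `SPDXID`, `versionInfo`, `supplier`) are the standard SPDX 2.3 JSON keys; the set of placeholder versions it flags is an assumption based on the release notes.

```python
"""Flag SPDX 2.3 JSON packages that lack the NTIA minimum version/supplier data.

Added example for the dsv-cli syft bump review. Not syft code and not
dsv-cli code; SAMPLE_SPDX is a hand-constructed document, not syft output.
"""
import json
from typing import List, Tuple

# Versions that carry no real version information. "(devel)" is what Go
# stamps into binaries built outside a tagged module; "UNKNOWN" is the stub
# value the syft compliance policy substitutes when set to stub rather than
# drop (assumption: these are the only placeholders worth flagging here).
PLACEHOLDER_VERSIONS = {"", "(devel)", "UNKNOWN"}

# Supplier values that mean "not stated" in SPDX.
MISSING_SUPPLIER = {"", "NOASSERTION"}

# Constructed SPDX document covering the four cases discussed in the release
# notes: a fully described module, a Go main module still reporting
# "(devel)", a stubbed "UNKNOWN" version, and a JAR with no versionInfo.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-example",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-go-module-golang.org-x-net",
            "name": "golang.org/x/net",
            "versionInfo": "v0.36.0",
            "supplier": "Organization: golang.org",
        },
        {
            "SPDXID": "SPDXRef-Package-go-module-example.com-app",
            "name": "example.com/app",
            "versionInfo": "(devel)",
        },
        {
            "SPDXID": "SPDXRef-Package-binary-example-tool",
            "name": "example-tool",
            "versionInfo": "UNKNOWN",
            "supplier": "Organization: Example Corp",
        },
        {
            "SPDXID": "SPDXRef-Package-java-archive-foo",
            "name": "foo.jar",
            "supplier": "NOASSERTION",
        },
    ],
})


def check_ntia_minimum(spdx_json: str) -> List[Tuple[str, str]]:
    """Return (SPDXID, reason) pairs for every package missing version or supplier data.

    A package can produce up to two findings: one for the version, one for
    the supplier. Packages with both fields populated produce none.
    """
    doc = json.loads(spdx_json)
    findings: List[Tuple[str, str]] = []
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "?")

        version = pkg.get("versionInfo")
        if version is None:
            findings.append((pid, "missing versionInfo"))
        elif version.strip() in PLACEHOLDER_VERSIONS:
            findings.append((pid, f"placeholder version {version!r}"))

        supplier = pkg.get("supplier", "NOASSERTION")
        if supplier.strip() in MISSING_SUPPLIER:
            findings.append((pid, "no supplier"))
    return findings


def main() -> int:
    """Print findings and exit non-zero if any exist, so CI can gate on it."""
    findings = check_ntia_minimum(SAMPLE_SPDX)
    for pid, reason in findings:
        print(f"{pid}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

To run it against real output, generate the SBOM with the pinned syft and pass the file contents to `check_ntia_minimum` instead of `SAMPLE_SPDX`; a non-zero exit on any finding is the intended CI gate, and the `UNKNOWN` case is deliberately reported rather than accepted, since the stub exists to keep the package in the SBOM, not to certify its version.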
:white_check_mark: Snyk checks have passed. No issues have been found so far.
| Status | Scanner | Total |
|---|---|---|
| :white_check_mark: | Open Source Security | 0 issues |
| :white_check_mark: | Licenses | 0 issues |
| :white_check_mark: | Code Security | 0 issues |
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 46.43%. Comparing base (a2521eb) to head (e602c0d).
:warning: Report is 131 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #191 +/- ##
===========================================
+ Coverage 32.61% 46.43% +13.81%
===========================================
Files 80 87 +7
Lines 10855 10295 -560
===========================================
+ Hits 3540 4780 +1240
+ Misses 7027 5295 -1732
+ Partials 288 220 -68