chore(deps): update go dependencies - autoclosed

[vinted-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/CycloneDX/cyclonedx-go	require	minor	v0.6.0 -> v0.7.2
github.com/anchore/stereoscope	require	digest	d24c9d6 -> bf05af5
github.com/anchore/syft	require	minor	v0.58.0 -> v0.92.0
github.com/go-git/go-git/v5	require	minor	v5.7.0 -> v5.9.0
github.com/spf13/cobra	require	minor	v1.5.0 -> v1.7.0
github.com/spf13/viper	require	minor	v1.13.0 -> v1.16.0

---

Release Notes

CycloneDX/cyclonedx-go (github.com/CycloneDX/cyclonedx-go)

v0.7.2

Compare Source

This is a bugfix release that ships with minimal support for the CycloneDX v1.5 specification.

Full support is being worked on and planned to be released soon. The progress may be tracked in #​90.

The reason for publishing partial support like this is to allow the consumption of v1.5 BOMs, which fails with cyclonedx-go <= v0.7.1.

Warning
The default SpecVersion has been updated to SpecVersion1_5. If your application generates BOMs, and you're not ready (or willing) to distribute BOMs following the v1.5 specification yet, consider using EncodeVersion to generate output for an older version of the spec.

Changelog

Features

• 7128a92: feat: raise baseline go version to 1.18 (@​nscuro)

Fixes

• ff719b6: fix: unmarshal bom on v1.5 return invalid specification version (@​chen-keinan)

Building and Packaging

• 966c223: build(deps): bump CycloneDX/gh-gomod-generate-sbom from 1.1.0 to 2.0.0 (@​dependabot[bot])
• 1e83e85: build(deps): bump actions/checkout from 3.5.0 to 3.5.1 (@​dependabot[bot])
• 78f6593: build(deps): bump actions/checkout from 3.5.1 to 3.5.2 (@​dependabot[bot])
• 868f6db: build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (@​dependabot[bot])
• 5885827: build(deps): bump actions/setup-go from 4.0.0 to 4.0.1 (@​dependabot[bot])
• d772b54: build(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (@​dependabot[bot])
• 578e862: build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 (@​dependabot[bot])
• f83e6a7: build(deps): bump gitpod/workspace-go from 2be827f to 910daeb (@​dependabot[bot])
• cd7b23a: build(deps): bump gitpod/workspace-go from 910daeb to d7a41f5 (@​dependabot[bot])
• 668553d: build(deps): bump gitpod/workspace-go from d7a41f5 to f37c673 (@​dependabot[bot])
• d9a5f8c: build(deps): bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 (@​dependabot[bot])
• 66f96df: build(deps): bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (@​dependabot[bot])
• 8b51c39: build(deps): bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 (@​dependabot[bot])
• e44f7de: build(deps): bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 (@​dependabot[bot])
• 6360fe1: build(deps): bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 (@​dependabot[bot])

Others

• a069906: feat(spec1-5): add initial support for spec v1.5 (@​nscuro)
• 67a7567: feat(spec1-5): add licensing, license properties, and license bom-ref (@​nscuro)
• d2f3bb9: feat(spec1-5): add lifecycle support (@​nscuro)
• eb041b5: feat(spec1-5): add new component types (@​nscuro)
• c45ba61: feat(spec1-5): add new external reference types (@​nscuro)
• d84947d: feat(spec1-5): add support for annotations (@​nscuro)
• 0ba0496: feat(spec1-5): bump schema to 1.5 for round-trip tests (@​nscuro)
• 4e20914: misc(dx): add project icon for intellij and goland (@​nscuro)

v0.7.1

Compare Source

Changelog

Features

• a1db675: feat: add JSON Schema to JSON output (#​79) (@​mcombuechen)
• 41a1ac5: feat: option to specify HTML escaping for JSON format (#​72) (@​kzantow)

Fixes

• 08953d1: fix: gitpod.yml refers to wrong Dockerfile (@​nscuro)
• 97c1e5a: fix: license header in Dockerfile.gitpod (@​nscuro)

Building and Packaging

• b904cab: build(deps): bump actions/checkout from 3.0.2 to 3.1.0 (@​dependabot[bot])
• 66aa7d3: build(deps): bump actions/checkout from 3.1.0 to 3.2.0 (@​dependabot[bot])
• 5a0b406: build(deps): bump actions/checkout from 3.2.0 to 3.3.0 (@​dependabot[bot])
• 8c73864: build(deps): bump actions/checkout from 3.3.0 to 3.4.0 (@​dependabot[bot])
• 6dc0ac5: build(deps): bump actions/checkout from 3.4.0 to 3.5.0 (@​dependabot[bot])
• 393b665: build(deps): bump actions/setup-go from 3.3.0 to 3.3.1 (@​dependabot[bot])
• dace5ef: build(deps): bump actions/setup-go from 3.3.1 to 3.4.0 (@​dependabot[bot])
• a7d5143: build(deps): bump actions/setup-go from 3.4.0 to 3.5.0 (@​dependabot[bot])
• fd636f7: build(deps): bump actions/setup-go from 3.5.0 to 4.0.0 (@​dependabot[bot])
• e3af71d: build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (@​dependabot[bot])
• 2fe798d: build(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 (@​dependabot[bot])
• 6b726a5: build(deps): bump golangci/golangci-lint-action from 3.2.0 to 3.3.0 (@​dependabot[bot])
• f8ad513: build(deps): bump golangci/golangci-lint-action from 3.3.0 to 3.3.1 (@​dependabot[bot])
• be3d2c3: build(deps): bump golangci/golangci-lint-action from 3.3.1 to 3.4.0 (@​dependabot[bot])
• f72e6b7: build(deps): bump goreleaser/goreleaser-action from 3.2.0 to 4.1.0 (@​dependabot[bot])
• 0414aa0: build(deps): bump goreleaser/goreleaser-action from 4.1.0 to 4.2.0 (@​dependabot[bot])
• fb45216: build: pin digest of gitpod image (@​nscuro)
• 3f98a11: build: pin github actions to commit digest (@​nscuro)

Others

• eaa4df6: Error if invalid json is passed. (@​justinabrahms)
• e4fe5c6: ci: enable dependabot for docker ecosystem (@​nscuro)
• 05a6bb7: ci: update cyclonedx-cli to 0.24.2 (@​nscuro)

v0.7.0

Compare Source

Changelog

Features

• acb9322: feat: add enum for official media types (@​nscuro)
• 2826fe2: feat: add support for encoding to older spec versions (#​51) (@​nscuro)
• 7a2113a: feat: raise baseline go version to 1.17 (#​53) (@​nscuro)
• 7415143: feat: return error when parsing unknown spec versions (@​nscuro)
• 1655b7d: feat: set SpecVersion when decoding from xml (@​nscuro)
• f97e04a: feat: update gitpod dockerfile (@​nscuro)

Fixes

• ea0d5b7: fix: prevent nesting of Dependency (@​nscuro)

Building and Packaging

• f43660c: build(deps): bump actions/setup-go from 3.1.0 to 3.2.0 (@​dependabot[bot])
• 2458312: build(deps): bump actions/setup-go from 3.2.0 to 3.2.1 (@​dependabot[bot])
• 760fae3: build(deps): bump actions/setup-go from 3.2.1 to 3.3.0 (@​dependabot[bot])
• 4dddf51: build(deps): bump apache/skywalking-eyes from 0.3.0 to 0.4.0 (@​dependabot[bot])
• 6eb6521: build(deps): bump github.com/bradleyjkemp/cupaloy/v2 from 2.7.0 to 2.8.0 (@​dependabot[bot])
• bff00ef: build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.2 (@​dependabot[bot])
• fc11b56: build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.4 (@​dependabot[bot])
• f521d75: build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.7.5 (@​dependabot[bot])
• d5d1ab6: build(deps): bump github.com/stretchr/testify from 1.7.5 to 1.8.0 (@​dependabot[bot])
• b83bbe8: build(deps): bump goreleaser/goreleaser-action from 2 to 3 (@​dependabot[bot])

Documentation

• 8f8fadf: docs: fix cyclonedx-go version in compatibility matrix (@​nscuro)
• 124f2be: docs: fix typos (@​nscuro)

Others

• 5f10aea: refactor: refine spec version conversion to cover more cases (@​nscuro)
• 0c2ebff: refactor: separate custom marshalling logic from model (@​nscuro)

anchore/syft (github.com/anchore/syft)

v0.92.0

Compare Source

Added Features

• Support for multiple image refs of same sha in OCI layout [#​1544]

Bug Fixes

• Generated purls are different between runs of syft against the same image and artifact [#​2169 #​2170 @​willmurphyscode]

Additional Changes

• bump stereoscope to fix data race in UI code [#​2173 @​willmurphyscode]

(Full Changelog)

v0.91.0

Compare Source

Added Features

• Add support for CycloneDX 1.5 [#​2120 #​2123 @​spiffcs]
• Add support for containerd as an image source [#​201 #​1793 @​shanedell]
• Support cataloging github workflow & github action usages [#​1896 #​2140 @​wagoodman]

Bug Fixes

• Allow CycloneDX json input with no components [#​2127 @​ahoz]
• Prevent errors from clobbering terminal [#​2161 @​kzantow]
• Using syft as a go library to decode a syft json has incomplete data [#​2069 #​2083 @​kzantow]
• SBOMs are not the same on multiple runs of syft [#​1944]

Additional Changes

• Switch to stdlib's slices pkg [#​2148 @​hainenber]
• Remove unneeded arch switch in unit test [#​2156 @​willmurphyscode]
• Update chronicle to v0.8.0 [#​2154 @​wagoodman]
• Update to latest stereoscope [#​2151 @​spiffcs]
• Pin workflow checkout for cpe update-cpe-dictionary-index [#​2141 @​spiffcs]
• Add dependency information to conan lockfile parser [#​2131 @​Pro]
• Pin and update all workflow dependencies; add permission scopes [#​2138 @​spiffcs]
• Enforce race detector [#​2122 @​willmurphyscode]

(Full Changelog)

v0.90.0

Compare Source

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [PR #​2097] [wagoodman]
• Explicitly test PURL generation against key packages [Issue #​2071]
• Add User-Agent with Syft version during update check [Issue #​2072] [PR #​2100] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #​2075] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [Issue #​2079] [PR #​2091] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [PR #​2088] [dlorenc]
• fix: update codeql-analysis for go 1.21 [PR #​2108] [spiffcs]

v0.89.0

Compare Source

v0.89.0 (2023-08-31)

Full Changelog

Added Features

• Add registry certificate verification support [PR #​1734] [5p2O5pe25ouT]
• Add SYFT_CONFIG environment variable for configuration file path [Issue #​1986] [PR #​2001] [kzantow]

Bug Fixes

• Fix quiet flag [PR #​2081] [wagoodman]
• Command line flags not overriding configuration file values [Issue #​1143] [PR #​2001] [kzantow]
• Django package CPE is not correct [Issue #​1298] [PR #​2068] [witchcraze]
• Config parsing includes config.yaml in working dir [Issue #​1634] [PR #​2001] [kzantow]
• Fix a possible panic on universal go binaries [Issue #​2073] [PR #​2078] [willmurphyscode]
• Disabling catalogers is not working in power user command [Issue #​2074] [PR #​2001] [kzantow]
• Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #​2077] [PR #​2080] [willmurphyscode]

v0.88.0

Compare Source

v0.88.0 (2023-08-25)

Full Changelog

Added Features

• Detect golang boring crypto and fipsonly modules [PR #​2021] [bathina2]
• feat: 1944 - update purl generation to use a consistent groupID [PR #​2033] [spiffcs]
• Add support to detect bash binaries [Issue #​1963] [PR #​2055] [witchcraze]

Bug Fixes

• fix: properly parse conan ref and include user and channel [PR #​2034] [Pro]
• New version notice only showing the version and no text [PR #​2042] [wagoodman]
• Fix: don't validate pom declared group [PR #​2054] [willmurphyscode]
• Errors when handling symlinks on Windows with syft v0.85.0 [Issue #​1950] [PR #​2051] [selzoc]
• Syft seems unable to parse non UTF-8 pom.xml files [Issue #​2044] [PR #​2047] [wagoodman]
• Error parsing pom.xml with v0.87.1 [Issue #​2060] [PR #​2064] [willmurphyscode]
• Invalid CycloneDX: duplicates in relationships section [Issue #​2062] [PR #​2063] [kzantow]

v0.87.1

Compare Source

v0.87.1 (2023-08-17)

Full Changelog

Bug Fixes

• Use Java package names to determine known groupIDs [PR #​2032] [kzantow]
• Relationships section of CycloneDX is not outputting even when the data is present [Issue #​1972] [PR #​1974] [markgalpin] [kzantow]
• SPDX Tag-Value conversion not handling files directly set on packages [Issue #​2013] [PR #​2014] [kzantow]
• Intermittent binary listings, different results every time [Issue #​2035] [PR #​2036] [kzantow]

v0.87.0

Compare Source

v0.87.0 (2023-08-14)

Full Changelog

Added Features

• feat: use originator logic to fill supplier [PR #​1980] [spiffcs]
• Expand deb cataloger to include opkg [PR #​1985] [johnDeSilencio]
• Package duplicated by different cataloger [Issue #​931] [PR #​1948] [spiffcs]
• Add binary cataloger for Nginx built from source [Issue #​1945] [PR #​1988] [SemProvoost]

Bug Fixes

• chore: update bubbly to fix hanging [PR #​1990] [kzantow]
• fix: update glob to use newer usr/lib/sysimage path [PR #​1997] [spiffcs]
• fix: SPDX license values and download location [PR #​2007] [kzantow]
• Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #​1957] [PR #​1995] [kzantow]

v0.86.1

Compare Source

Changelog

v0.86.1 (2023-07-31)

Full Changelog

Bug Fixes

• Source requires default image name as user input for unparsable reference [PR #​1979] [kzantow]

v0.86.0

Compare Source

Changelog

v0.86.0 (2023-07-31)

Full Changelog

Added Features

• Introduce indexed embedded CPE dictionary [PR #​1897] [luhring]
• Add cataloger for Swift Package Manager. [PR #​1919] [trilleplay]
• Guess unpinned versions in python requirements.txt [PR #​1597] [PR #​1966] [manifestori] [wagoodman]
• Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #​1661] [Issue #​1241] [PR #​1934] [kzantow]

Bug Fixes

• Fix panic condition on docker pull failure [PR #​1968] [wagoodman]
• Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" [Issue #​1799] [PR #​1943] [luhring]
• Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #​1969] [spiffcs]

Breaking Changes

• Remove jotframe UI [PR #​1932] [wagoodman]
• Simplify python env markers [PR #​1967] [wagoodman]

v0.85.0

Compare Source

Changelog

v0.85.0 (2023-07-12)

Full Changelog

Added Features

• Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #​1867] [deitch]
• Add file source digest support [PR #​1914] [wagoodman]
• Remove erroneous Java CPEs from generation [PR #​1918] [luhring]
• Fix CPE generation for k8s python client [PR #​1921] [luhring]
• Don't use the actual redis or grpc CPEs for gems [PR #​1926] [luhring]
• The text user interface is now provided by the bubbletea library [Issue #​1441] [PR #​1888] [wagoodman]

Bug Fixes

• Install script returns exit code 0 even if install fails [Issue #​1566] [PR #​1915] [lorsatti]
• [Windows] Not able to scan volume mounted to folder [Issue #​1828] [PR #​1884] [dd-cws]
• Deprecated license: GFDL-1.2+ [Issue #​1899] [PR #​1907] [spiffcs]

Breaking Changes

• Refactor the source API and syft-json source block data shape [Issue #​1866] [PR #​1846] [wagoodman]

Additional Changes

• chore: update iterations to protect against race [PR #​1927] [spiffcs]
• fix: background reader apart from global handler for testing [PR #​1929] [spiffcs]

v0.84.1

Compare Source

Changelog

v0.84.1 (2023-06-29)

Full Changelog

Bug Fixes

• Fix version detection in Java archive name parsing [PR #​1889] [luhring]
• Improve support for Dart SDK package dependency lockfiles [PR #​1891] [rufman]
• Fix license output for some CycloneDX JSON SBOMs [Issue #​1877] [PR #​1879] [kzantow]
• Correctly discover Debian file relationships in distroless images [Issue #​1900] [PR #​1901] [westonsteimel]

Additional Changes

• Simplify the SBOM writer interface [PR #​1892] [wagoodman]

v0.84.0

Compare Source

Changelog

v0.84.0 (2023-06-20)

Full Changelog

Breaking Changes

• Pad artifact IDs [PR #​1882] [willmurphyscode]

Additional Changes

• chore: update SPDX license list to 3.21 [PR #​1885] [kzantow]

v0.83.1

Compare Source

Changelog

v0.83.1 (2023-06-14)

Full Changelog

Bug Fixes

• fix: pom properties not setting artifact id [PR #​1870] [jneate]
• fix(deps): pull in platform selection fix from stereoscope [PR #​1871] [anchore-actions-token-generator] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see https://github.com/anchore/stereoscope/issues/188
• symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #​1860] [PR #​1861] [deitch]

v0.83.0

Compare Source

Changelog

v0.83.0 (2023-06-05)

Full Changelog

Added Features

• Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). [Issue #​1399] [PR #​1859] [kzantow]
• Add scope to POM properties [PR #​1779] [jneate]
• Accept main.version ldflags even without vcs [PR #​1855] [deitch]

Bug Fixes

• Fix directory resolver to consider CWD and root path input correctly [PR #​1840] [wagoodman]
• Show all error messages if there is a failure retrieving an image with a specified scheme [Issue #​1569] [PR #​1801] [FrimIdan]
• v0.81.0 crashing parsing some images [Issue #​1837] [PR #​1839] [spiffcs]

Deprecated Features

• Migrate location-related structs to the file package [PR #​1751] [wagoodman]

Additional Changes

• chore: code cleanup [PR #​1865] [spiffcs]

v0.82.0

Compare Source

Changelog

v0.82.0 (2023-05-23)

Full Changelog

Added Features

• Improve Go main module version detection by attempting to parse available ldflags [Issue #​1785] [PR #​1832] [wagoodman]

Bug Fixes

• Fix a problem in the license parsing logic that may result in a panic [PR #​1839]
• Return all relevant error messages if an image retrieval fails when a scheme is specified [PR #​1801] [FrimIdan]
• Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages [Issue #​1762] [PR #​1778] [kzantow]

v0.81.0

Compare Source

Changelog

v0.81.0 (2023-05-22)

Full Changelog

Added Features

• Support cataloging R packages [Issue #​730] [PR #​1790] [willmurphyscode]
• Support describing license properties and SPDX expression assertions [Issue #​1577] [PR #​1743] [spiffcs]
• Warn if parsing a newer SBOM [PR #​1810] [willmurphyscode]

Bug Fixes

• Retain cataloged SBOM relationships [PR #​1509] [houdini91]
• fix: update field plurality of 8.0.0 schema before release [PR #​1820] [spiffcs]
• fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft [Issue #​1812] [PR #​1797] [willmurphyscode]
• CycloneDX Dependencies Relationships Inverted [Issue #​1815] [PR #​1816] [shanealv]
• Alpine: license expression should be complete and not parsed out [Issue #​1817] [PR #​1819] [spiffcs]

Additional Changes

• Print package list when extra packages found [PR #​1791] [willmurphyscode]
• update cosign to v2 release (different go module) [PR #​1805] [bobcallaway]

v0.80.0

Compare Source

Changelog

v0.80.0 (2023-05-05)

Full Changelog

Added Features

• Improve pnpm support [Issue #​1535] [PR #​1752] [Shanedell]

Bug Fixes

• chore: add more detail on SPDX file IDs [PR #​1769] [kzantow]
• chore: do not HTML escape PackageURLs [PR #​1782] [kzantow]
• RPM database not found on ostree-managed systems [Issue #​1755] [PR #​1756] [fpytloun]
• Unable to use syft for private azure container registry [Issue #​1777]
• linux-kernel-cataloger produces thousands of version-less components. [Issue #​1781] [PR #​1784] [kzantow]

Deprecated Features

• Rename pkg.Catalog to pkg.Collection [PR #​1764] [wagoodman]

v0.79.0

Compare Source

Changelog

v0.79.0 (2023-04-21)

Full Changelog

Added Features

• Add ALPM Metadata to CYCLONEDX and SPDX output formats [Issue #​1037] [PR #​1747] [Shanedell]
• consul binary classifier [Issue #​1590] [PR #​1738] [Shanedell]

Bug Fixes

• Syft missing direct dependencies from the gemfile.lock [Issue #​1660] [PR #​1749] [Shanedell]

Additional Changes

• chore: bump stereoscope to latest version [PR #​1741] [westonsteimel]

v0.78.0

Compare Source

Changelog

v0.78.0 (2023-04-17)

Full Changelog

Added Features

• Add Linux Kernel cataloger [PR #​1694] [deitch & wagoodman]
• Support scanning license files in golang packages over the network [Issue #​1056] [PR #​1630] [deitch & kzantow]
• Add consul binary classifier [Issue #​1590] [PR #​1738] [Shanedell]
• Add annotations for evidence on package locations [PR #​1723] [wagoodman]

Bug Fixes

• Decoding of the syft-json format does not handle files [Issue #​1534] [PR #​1698] [wagoodman]

v0.77.0

Compare Source

Changelog

v0.77.0 (2023-04-11)

Full Changelog

Added Features

• feat: gradle lockfile support [PR #​1719] [henrysachs]
• feat: support for java "nar" files [PR #​1727] [Shanedell]

v0.76.1

Compare Source

Changelog

v0.76.1 (2023-04-05)

Full Changelog

Added Features

• Capture file ownership relationships from portage ecosystem [PR #​1702] [wagoodman]
• Add Nix Cataloger [Issue #​462] [PR #​1107] [juliosueiras] [PR #​1696] [wagoodman] [flokli]

v0.76.0

Compare Source

Changelog

v0.76.0 (2023-03-31)

Full Changelog

Added Features

• Scan local go mod licenses for golang packages [PR #​1645] [deitch]
• update and clean license list generation to return more SPDXID for more inputs [PR #​1691] [spiffcs]
• argocd binary classifier [Issue #​1606] [PR #​1663] [y12studio]
• Add config option to allow user to select the default image source location [Issue #​1703] [spiffcs]

Bug Fixes

• Defer closing the opened file when using FileScheme [PR #​1668] [Noxsios]
• fix: remove author contributing to javascript CPEs [PR #​1669] [kzantow]
• fix: reduce logging for bad dpkg lines [PR #​1675] [kzantow]
• Broken shell completion - Bash [Issue #​962] [PR #​1688] [DanHam]
• syft produces different output when run with sudo [Issue #​1391] [PR #​1693] [anchore-actions-token-generator]
• some binary ruby are not detected [Issue #​1677] [PR #​1678] [witchcraze]
• Documentation says that output is SPDX 2.2 [Issue #​1679] [PR #​1680] [vargenau]
• fix: move defer after error to protect panic case [PR #​1670] [spiffcs]

Additional Changes

• Deprecate config.yaml as valid config source; Add unit regression for correct config paths [PR #​1640] [AidanDelaney]
• Remove more side effects from application config testing [PR #​1684] [wagoodman]
• chore: tweak some workflow text [PR #​1685] [kzantow]
• chore: fix flaky license sorting [PR #​1690] [kzantow]

v0.75.0

Compare Source

Changelog

v0.75.0 (2023-03-13)

Full Changelog

Added Features

• Catalog ruby binary [Issue #​1650] [PR #​1665] [witchcraze]

Bug Fixes

• more python matching support [PR #​1667] [kzantow]

v0.74.1

Compare Source

Changelog

v0.74.1 (2023-03-09)

Full Changelog

Bug Fixes

• purl for apk packages missing when installed db file is not in root [Issue #​1572] [PR #​1615] [deitch]
• invalid package url type: dotnet [Issue #​1622] [PR #​1649] [kzantow]
• Go tests detecting race cataloging packages [Issue #​1633] [PR #​1639] [kzantow]
• Improve Python binary scanning [Issue #​1643] [PR #​1648] [kzantow]
• Update haproxy binary matcher [Issue #​1646] [PR #​1648] [kzantow]
• SPDX tag-value SBOM value format is incorrect for LicenseID [Issue #​1651] [PR #​1657] [kzantow]

v0.74.0

Compare Source

Changelog

(v0.74.0) (2023-03-02)

Full Changelog

Added Features

• rust toolchain binary cataloger [PR #​1601] [westonsteimel]
• Add support for SUPPORT_END in distro [PR #​1612] [[noqcks](https://togithub.com/noqc

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.