Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(deps): update ⬆️ aqua-packages (#125)
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [anchore/grype](https://togithub.com/anchore/grype) | minor |
`v0.65.1` -> `v0.73.4` |
| [anchore/quill](https://togithub.com/anchore/quill) | patch | `v0.4.0`
-> `v0.4.1` |
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.87.0`
-> `v0.98.0` |
| [charmbracelet/gum](https://togithub.com/charmbracelet/gum) | minor |
`v0.11.0` -> `v0.13.0` |
| [charmbracelet/vhs](https://togithub.com/charmbracelet/vhs) | minor |
`v0.6.0` -> `v0.7.1` |
| [direnv/direnv](https://togithub.com/direnv/direnv) | minor |
`v2.32.3` -> `v2.33.0` |
| [golang/go](https://togithub.com/golang/go) | patch | `1.21.0` ->
`1.21.5` |
| [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) |
minor | `v1.20.0` -> `v1.22.1` |
|
[gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum)
| minor | `v1.10.1` -> `v1.11.0` |
| [mikefarah/yq](https://togithub.com/mikefarah/yq) | minor | `v4.35.1`
-> `v4.40.5` |
| [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor
| `v1.12.0` -> `v1.17.0` |
| [sharkdp/hyperfine](https://togithub.com/sharkdp/hyperfine) | minor |
`v1.17.0` -> `v1.18.0` |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.
---
### Release Notes
<details>
<summary>anchore/grype (anchore/grype)</summary>
### [`v0.73.4`](https://togithub.com/anchore/grype/releases/tag/v0.73.4)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.73.3...v0.73.4)
##### Additional Changes
- bump to syft v0.98.0 in quality gate tests
\[[#​1623](https://togithub.com/anchore/grype/pull/1623)
[@​westonsteimel](https://togithub.com/westonsteimel)]
- update syft to v0.98.0; go mod tidy
\[[#​1621](https://togithub.com/anchore/grype/pull/1621)
[@​spiffcs](https://togithub.com/spiffcs)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.73.3...v0.73.4)**
### [`v0.73.3`](https://togithub.com/anchore/grype/releases/tag/v0.73.3)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.73.2...v0.73.3)
##### Additional Changes
- update Syft to v0.97.1
\[[#​1610](https://togithub.com/anchore/grype/pull/1610)
[@​anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.73.2...v0.73.3)**
### [`v0.73.2`](https://togithub.com/anchore/grype/releases/tag/v0.73.2)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.73.1...v0.73.2)
##### Bug Fixes
- Vulnerabilities in go packages without go modules are not detected
\[[#​1581](https://togithub.com/anchore/grype/issues/1581)
[#​1599](https://togithub.com/anchore/grype/pull/1599)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.73.1...v0.73.2)**
### [`v0.73.1`](https://togithub.com/anchore/grype/releases/tag/v0.73.1)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.73.0...v0.73.1)
##### Bug Fixes
- CycloneDX based analysis failing
\[[#​1594](https://togithub.com/anchore/grype/issues/1594)
[#​1596](https://togithub.com/anchore/grype/pull/1596)
[@​anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
- False negatives when scanning debian trixie/sid images from Dockerhub
\[[#​1446](https://togithub.com/anchore/grype/issues/1446)
[#​1593](https://togithub.com/anchore/grype/pull/1593)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
##### Additional Changes
- avoid allocations with `(*regexp.Regexp).MatchString`
\[[#​1592](https://togithub.com/anchore/grype/pull/1592)
[@​Juneezee](https://togithub.com/Juneezee)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.73.0...v0.73.1)**
### [`v0.73.0`](https://togithub.com/anchore/grype/releases/tag/v0.73.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.72.0...v0.73.0)
##### Added Features
- Add a reason field to ignore config
\[[#​1337](https://togithub.com/anchore/grype/issues/1337)
[#​1532](https://togithub.com/anchore/grype/pull/1532)
[@​shanduur](https://togithub.com/shanduur)]
- Colorize severity in table output
\[[#​225](https://togithub.com/anchore/grype/issues/225)
[#​1284](https://togithub.com/anchore/grype/pull/1284)
[@​shanedell](https://togithub.com/shanedell)]
##### Bug Fixes
- Enable setting golang CPE config using env var
\[[#​1585](https://togithub.com/anchore/grype/pull/1585)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Incorrect version comparisons for maven packages
\[[#​1526](https://togithub.com/anchore/grype/issues/1526)
[#​1571](https://togithub.com/anchore/grype/pull/1571)
[@​spiffcs](https://togithub.com/spiffcs)]
- Grype fails to detect postgresql jdbc driver CVEs when scanning .jar
\[[#​1482](https://togithub.com/anchore/grype/issues/1482)]
##### Additional Changes
- Incorporate format API changes from syft
\[[#​1582](https://togithub.com/anchore/grype/pull/1582)
[@​wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.72.0...v0.73.0)**
### [`v0.72.0`](https://togithub.com/anchore/grype/releases/tag/v0.72.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.71.0...v0.72.0)
##### Added Features
- Add --ignore-states flag for ignoring findings with specific fix
states \[[#​1473](https://togithub.com/anchore/grype/pull/1473)
[@​jhebden-gl](https://togithub.com/jhebden-gl)]
- Implement checksum & artifact signing
\[[#​1513](https://togithub.com/anchore/grype/issues/1513)
[#​1535](https://togithub.com/anchore/grype/pull/1535)
[@​hibare](https://togithub.com/hibare)]
##### Bug Fixes
- Report errors to stderr not stdout
\[[#​1561](https://togithub.com/anchore/grype/pull/1561)
[@​wagoodman](https://togithub.com/wagoodman)]
- grype v0.71.0 stopped showing vulnerabilities for Go stdlib
\[[#​1562](https://togithub.com/anchore/grype/issues/1562)
[#​1565](https://togithub.com/anchore/grype/pull/1565)
[@​wagoodman](https://togithub.com/wagoodman)]
- SARIF output not compatible with GitHub
\[[#​1518](https://togithub.com/anchore/grype/issues/1518)
[#​1563](https://togithub.com/anchore/grype/pull/1563)
[@​spiffcs](https://togithub.com/spiffcs)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.71.0...v0.72.0)**
### [`v0.71.0`](https://togithub.com/anchore/grype/releases/tag/v0.71.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.70.0...v0.71.0)
##### Added Features
- use ghsa to improve matching for cpes
\[[#​811](https://togithub.com/anchore/grype/issues/811)
[#​1412](https://togithub.com/anchore/grype/pull/1412)
[@​westonsteimel](https://togithub.com/westonsteimel)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.70.0...v0.71.0)**
### [`v0.70.0`](https://togithub.com/anchore/grype/releases/tag/v0.70.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.69.1...v0.70.0)
##### Added Features
- Update Syft to v0.93.0 + enable golang stdlib matching
\[[#​1550](https://togithub.com/anchore/grype/pull/1550)
[@​spiffcs](https://togithub.com/spiffcs) ]
##### Bug Fixes
- JSON output: descriptor name is missing "grype" value
\[[#​1538](https://togithub.com/anchore/grype/issues/1538)
[#​1542](https://togithub.com/anchore/grype/pull/1542)
[@​kzantow](https://togithub.com/kzantow)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.69.1...v0.70.0)**
### [`v0.69.1`](https://togithub.com/anchore/grype/releases/tag/v0.69.1)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.69.0...v0.69.1)
##### Bug Fixes
- Incorrect python version comparisons for rc releases
\[[#​986](https://togithub.com/anchore/grype/issues/986)
[#​1510](https://togithub.com/anchore/grype/pull/1510)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- False Positive: CVE-2023-37920 reported for certifi library in python
\[[#​1417](https://togithub.com/anchore/grype/issues/1417)
[#​1510](https://togithub.com/anchore/grype/pull/1510)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Grype is not recognizing python-certifi is patched for
GHSA-43fp-rhv2-5gv8
\[[#​1172](https://togithub.com/anchore/grype/issues/1172)
[#​1510](https://togithub.com/anchore/grype/pull/1510)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- False positive on certifi 2022.12.07
\[[#​1034](https://togithub.com/anchore/grype/issues/1034)
[#​1510](https://togithub.com/anchore/grype/pull/1510)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Leading zeros seen as difference in version numbers
\[[#​1430](https://togithub.com/anchore/grype/issues/1430)
[#​1510](https://togithub.com/anchore/grype/pull/1510)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
##### Additional Changes
- add OpenSSF Best Practices badge
\[[#​1523](https://togithub.com/anchore/grype/pull/1523)
[@​spiffcs](https://togithub.com/spiffcs)]
- Bump vulnerability match labels
\[[#​1525](https://togithub.com/anchore/grype/pull/1525)
[@​wagoodman](https://togithub.com/wagoodman)]
- bump stereoscope to fix data race in UI
\[[#​1517](https://togithub.com/anchore/grype/pull/1517)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.69.0...v0.69.1)**
### [`v0.69.0`](https://togithub.com/anchore/grype/releases/tag/v0.69.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.68.1...v0.69.0)
##### Added Features
- Upgrade syft to v0.91.0 (and CycloneDX to v1.5)
\[[#​1508](https://togithub.com/anchore/grype/pull/1508)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Grype doesn't exit cleanly on error
\[[#​1492](https://togithub.com/anchore/grype/issues/1492)
[#​1505](https://togithub.com/anchore/grype/pull/1505)
[@​kzantow](https://togithub.com/kzantow)]
##### Additional Changes
- Fix typo in flag on Readme
\[[#​1501](https://togithub.com/anchore/grype/pull/1501)
[@​robszumski](https://togithub.com/robszumski)]
- pin cache versions
\[[#​1495](https://togithub.com/anchore/grype/pull/1495)
[@​spiffcs](https://togithub.com/spiffcs)]
**[(Full
Changelog)](https://togithub.com/anchore/grype/compare/v0.68.1...v0.69.0)**
### [`v0.68.1`](https://togithub.com/anchore/grype/releases/tag/v0.68.1)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.68.0...v0.68.1)
###
#### [v0.68.1](https://togithub.com/anchore/grype/tree/v0.68.1)
(2023-09-15)
[Full
Changelog](https://togithub.com/anchore/grype/compare/v0.68.0...v0.68.1)
##### Bug Fixes
- Version output was not including supported db schema \[[PR
#​1494](https://togithub.com/anchore/grype/pull/1494)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.68.0`](https://togithub.com/anchore/grype/releases/tag/v0.68.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.67.0...v0.68.0)
###
#### [v0.68.0](https://togithub.com/anchore/grype/tree/v0.68.0)
(2023-09-14)
[Full
Changelog](https://togithub.com/anchore/grype/compare/v0.67.0...v0.68.0)
##### Added Features
- Ignore/add match results based on OpenVEX documents \[[PR
#​1397](https://togithub.com/anchore/grype/pull/1397)]
\[[puerco](https://togithub.com/puerco)]
- Introduce exit code failure option for db update check \[[PR
#​1463](https://togithub.com/anchore/grype/pull/1463)]
\[[devfbe](https://togithub.com/devfbe)]
##### Bug Fixes
- Fix race conditions around stager, enable detector \[[PR
#​1489](https://togithub.com/anchore/grype/pull/1489)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Grype hangs forever if gets interrupted during work (in rare cases)
\[[Issue #​1427](https://togithub.com/anchore/grype/issues/1427)]
\[[PR #​1437](https://togithub.com/anchore/grype/pull/1437)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.67.0`](https://togithub.com/anchore/grype/releases/tag/v0.67.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.66.0...v0.67.0)
###
#### [v0.67.0](https://togithub.com/anchore/grype/tree/v0.67.0)
(2023-09-11)
[Full
Changelog](https://togithub.com/anchore/grype/compare/v0.66.0...v0.67.0)
##### Additional Changes
- chore: bump quality gate to use syft v0.89.0 \[[PR
#​1479](https://togithub.com/anchore/grype/pull/1479)]
\[[westonsteimel](https://togithub.com/westonsteimel)]
- chore: update grype to use Go v1.21 \[[PR
#​1480](https://togithub.com/anchore/grype/pull/1480)]
\[[spiffcs](https://togithub.com/spiffcs)]
### [`v0.66.0`](https://togithub.com/anchore/grype/releases/tag/v0.66.0)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.65.2...v0.66.0)
###
#### [v0.66.0](https://togithub.com/anchore/grype/tree/v0.66.0)
(2023-08-31)
[Full
Changelog](https://togithub.com/anchore/grype/compare/v0.65.2...v0.66.0)
##### Added Features
- Allow for access to private CAs securely \[[Issue
#​1226](https://togithub.com/anchore/grype/issues/1226)] \[[PR
#​1232](https://togithub.com/anchore/grype/pull/1232)]
\[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)]
- Filter out packages that are owned by OS packages (ownership overlap)
\[[Issue #​1373](https://togithub.com/anchore/grype/issues/1373)]
\[[PR #​1387](https://togithub.com/anchore/grype/pull/1387)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
##### Bug Fixes
- fix: Only remove packages by binary overlap \[[PR
#​1444](https://togithub.com/anchore/grype/pull/1444)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- New version notice only showing the version and no text \[[PR
#​1445](https://togithub.com/anchore/grype/pull/1445)]
\[[wagoodman](https://togithub.com/wagoodman)]
- fix: set correct default to exclude overlapping binaries \[[PR
#​1452](https://togithub.com/anchore/grype/pull/1452)]
\[[kzantow](https://togithub.com/kzantow)]
- Portage version comparison is not working \[[Issue
#​1459](https://togithub.com/anchore/grype/issues/1459)] \[[PR
#​1468](https://togithub.com/anchore/grype/pull/1468)]
\[[barnuri](https://togithub.com/barnuri)]
##### Additional Changes
- Update Syft to 0.89.0
### [`v0.65.2`](https://togithub.com/anchore/grype/releases/tag/v0.65.2)
[Compare
Source](https://togithub.com/anchore/grype/compare/v0.65.1...v0.65.2)
###
#### [v0.65.2](https://togithub.com/anchore/grype/tree/v0.65.2)
(2023-08-17)
[Full
Changelog](https://togithub.com/anchore/grype/compare/v0.65.1...v0.65.2)
##### Additional Changes
- Update Syft to v0.87.1
- Add a simple JUnit XML template \[[PR
#​1422](https://togithub.com/anchore/grype/pull/1422)]
\[[YevheniiPokhvalii](https://togithub.com/YevheniiPokhvalii)]
- Update semver regular expression constraint to allow for 1.20rc1 cases
no '-' \[[PR
#​1434](https://togithub.com/anchore/grype/pull/1434)]
\[[spiffcs](https://togithub.com/spiffcs)]
</details>
<details>
<summary>anchore/quill (anchore/quill)</summary>
### [`v0.4.1`](https://togithub.com/anchore/quill/releases/tag/v0.4.1)
[Compare
Source](https://togithub.com/anchore/quill/compare/v0.4.0...v0.4.1)
### Changelog
#### [v0.4.1](https://togithub.com/anchore/quill/tree/v0.4.1)
(2023-08-25)
[Full
Changelog](https://togithub.com/anchore/quill/compare/v0.4.0...v0.4.1)
##### Bug Fixes
- Quill notarization failed \[[Issue
#​118](https://togithub.com/anchore/quill/issues/118)] \[[PR
#​119](https://togithub.com/anchore/quill/pull/119)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Port to clio \[[PR
#​53](https://togithub.com/anchore/quill/pull/53)]
\[[wagoodman](https://togithub.com/wagoodman)]
- chore: update to latest clio \[[PR
#​98](https://togithub.com/anchore/quill/pull/98)]
\[[kzantow](https://togithub.com/kzantow)]
</details>
<details>
<summary>anchore/syft (anchore/syft)</summary>
### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)
##### Added Features
- Add binary classifiers for MySQL and MariaDB
\[[#​2316](https://togithub.com/anchore/syft/pull/2316)
[@​duanemay](https://togithub.com/duanemay)]
- Enhance redis binary classifier to support additional versions
\[[#​2329](https://togithub.com/anchore/syft/pull/2329)
[@​whalelines](https://togithub.com/whalelines)]
- Expose compact JSON and XML format configuration
\[[#​561](https://togithub.com/anchore/syft/issues/561)
[#​2275](https://togithub.com/anchore/syft/pull/2275)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Fix file metadata cataloger when passed explicit coordinates
\[[#​2370](https://togithub.com/anchore/syft/pull/2370)
[@​wagoodman](https://togithub.com/wagoodman)]
- hardcode xalan group ID
\[[#​2368](https://togithub.com/anchore/syft/pull/2368)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- logging level for parsing potential PE files
\[[#​2367](https://togithub.com/anchore/syft/pull/2367)
[@​kzantow](https://togithub.com/kzantow)]
- Use read lock in `pkg.Collection`
\[[#​2341](https://togithub.com/anchore/syft/pull/2341)
[@​wagoodman](https://togithub.com/wagoodman)]
- add manual namespace mapping for org.springframework jars
\[[#​2345](https://togithub.com/anchore/syft/pull/2345)
[@​westonsteimel](https://togithub.com/westonsteimel)]
- add manual namespace mapping for org.springframework.security jars
\[[#​2343](https://togithub.com/anchore/syft/pull/2343)
[@​westonsteimel](https://togithub.com/westonsteimel)]
- errors are printed into the stdout in syft 0.97.1
\[[#​2356](https://togithub.com/anchore/syft/issues/2356)
[#​2364](https://togithub.com/anchore/syft/pull/2364)
[@​kzantow](https://togithub.com/kzantow)]
- `syft some-jar.jar` fails to find packages if PWD is a symlink
\[[#​2355](https://togithub.com/anchore/syft/issues/2355)
[#​2359](https://togithub.com/anchore/syft/pull/2359)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Default for recently added base path, `""`, disables detection of
symlinked `*.jar` files
\[[#​1962](https://togithub.com/anchore/syft/issues/1962)
[#​2359](https://togithub.com/anchore/syft/pull/2359)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- `syft attest` broken since 0.85.0
\[[#​2333](https://togithub.com/anchore/syft/issues/2333)
[#​2337](https://togithub.com/anchore/syft/pull/2337)
[@​wagoodman](https://togithub.com/wagoodman)]
- Incorrect Java PURL for org.bouncycastle jars
\[[#​2339](https://togithub.com/anchore/syft/issues/2339)
[#​2342](https://togithub.com/anchore/syft/pull/2342)
[@​westonsteimel](https://togithub.com/westonsteimel)]
##### Breaking Changes
- Remove power-user command and related catalogers
\[[#​1419](https://togithub.com/anchore/syft/issues/1419)
[#​2306](https://togithub.com/anchore/syft/pull/2306)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Normalize cataloger configuration patterns
\[[#​2365](https://togithub.com/anchore/syft/pull/2365)
[@​wagoodman](https://togithub.com/wagoodman)]
- Normalize enums to lowercase with hyphens
\[[#​2363](https://togithub.com/anchore/syft/pull/2363)
[@​wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)**
##### Special Thanks
Thanks [@​duanemay](https://togithub.com/duanemay) and
[@​whalelines](https://togithub.com/whalelines) for the enhanced
binary classifier support 👍
### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)
##### Bug Fixes
- Syft does not use HTTP proxy when downloading the Docker image itself
\[[#​2203](https://togithub.com/anchore/syft/issues/2203)
[#​2336](https://togithub.com/anchore/syft/pull/2336)
[@​anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
##### Additional Changes
- `syft version` report is broken with 0.97.0 release
\[[#​2334](https://togithub.com/anchore/syft/issues/2334)
[#​2335](https://togithub.com/anchore/syft/pull/2335)
[@​spiffcs](https://togithub.com/spiffcs)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)**
### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)
##### Added Features
- Add license for golang stdlib package
\[[#​2317](https://togithub.com/anchore/syft/pull/2317)
[@​coheigea](https://togithub.com/coheigea)]
- Fall back to searching maven central using groupIDFromJavaMetadata
\[[#​2295](https://togithub.com/anchore/syft/pull/2295)
[@​coheigea](https://togithub.com/coheigea)]
##### Bug Fixes
- Refine license search from groupIDFromJavaMetadata to account for
artfactId in the groupId
\[[#​2313](https://togithub.com/anchore/syft/pull/2313)
[@​coheigea](https://togithub.com/coheigea)]
- capture content written to stdout outside of report
\[[#​2324](https://togithub.com/anchore/syft/pull/2324)
[@​kzantow](https://togithub.com/kzantow)]
- add manual groupid mappings for org.apache.velocity jars
\[[#​2327](https://togithub.com/anchore/syft/pull/2327)
[@​westonsteimel](https://togithub.com/westonsteimel)]
- skip maven bundle plugin logic if vendor id and symbolic name match
\[[#​2326](https://togithub.com/anchore/syft/pull/2326)
[@​westonsteimel](https://togithub.com/westonsteimel)]
- cataloger `dpkg-db-cataloger` not working
\[[#​2323](https://togithub.com/anchore/syft/issues/2323)]
##### Breaking Changes
- Rename Location virtualPath to accessPath
\[[#​1835](https://togithub.com/anchore/syft/issues/1835)
[#​2288](https://togithub.com/anchore/syft/pull/2288)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Export syft-json format package metadata type helper
\[[#​2328](https://togithub.com/anchore/syft/pull/2328)
[@​wagoodman](https://togithub.com/wagoodman)]
- Add dotnet-portable-executable-cataloger to README
\[[#​2322](https://togithub.com/anchore/syft/pull/2322)
[@​noqcks](https://togithub.com/noqcks)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)**
### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)
##### Added Features
- Check maven central as well for licenses in parents poms for nested
jars \[[#​2302](https://togithub.com/anchore/syft/pull/2302)
[@​coheigea](https://togithub.com/coheigea)]
- store image annotations inside the SBOM
\[[#​2267](https://togithub.com/anchore/syft/issues/2267)
[#​2294](https://togithub.com/anchore/syft/pull/2294)
[@​noqcks](https://togithub.com/noqcks)]
- Support parsing license information in Maven projects via parent poms
\[[#​2103](https://togithub.com/anchore/syft/issues/2103)]
##### Bug Fixes
- SPDX file has duplicate sha256 tag in versionInfo
\[[#​2300](https://togithub.com/anchore/syft/pull/2300)
[@​coheigea](https://togithub.com/coheigea)]
- Report virtual path consistently between file.Resolvers
\[[#​1836](https://togithub.com/anchore/syft/issues/1836)
[#​2287](https://togithub.com/anchore/syft/pull/2287)
[@​wagoodman](https://togithub.com/wagoodman)]
- Unable to identify CycloneDX JSON documents without $schema property
\[[#​2299](https://togithub.com/anchore/syft/issues/2299)
[#​2303](https://togithub.com/anchore/syft/pull/2303)
[@​kzantow](https://togithub.com/kzantow)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)**
### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)
##### Added Features
- Use case-insensitive matching for Go license files
\[[#​2286](https://togithub.com/anchore/syft/pull/2286)
[@​miquella](https://togithub.com/miquella)]
- Add conaninfo.txt parser to detect conan packages in docker images
\[[#​2234](https://togithub.com/anchore/syft/pull/2234)
[@​Pro](https://togithub.com/Pro)]
- Perform case insensitive matching on Java License files
\[[#​2235](https://togithub.com/anchore/syft/pull/2235)
[@​coheigea](https://togithub.com/coheigea)]
- Read a license from a parent pom stored in Maven Central
\[[#​2228](https://togithub.com/anchore/syft/pull/2228)
[@​coheigea](https://togithub.com/coheigea)]
- Add PURLs when scanning Gradle lock files
\[[#​2278](https://togithub.com/anchore/syft/pull/2278)
[@​robbiev](https://togithub.com/robbiev)]
##### Bug Fixes
- Fix CPE index workflow
\[[#​2252](https://togithub.com/anchore/syft/pull/2252)
[@​wagoodman](https://togithub.com/wagoodman)]
- Fix cpe generation task
\[[#​2270](https://togithub.com/anchore/syft/pull/2270)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Introduce cataloger naming conventions
\[[#​1578](https://togithub.com/anchore/syft/issues/1578)
[#​2277](https://togithub.com/anchore/syft/pull/2277)
[@​wagoodman](https://togithub.com/wagoodman)]
- .NET / nuget - invalid SBOM generated after parsing
\[[#​2255](https://togithub.com/anchore/syft/issues/2255)
[#​2273](https://togithub.com/anchore/syft/pull/2273)
[@​spiffcs](https://togithub.com/spiffcs)]
- Wrong parsing after v0.85.0 syft for some components
\[[#​2241](https://togithub.com/anchore/syft/issues/2241)
[#​2273](https://togithub.com/anchore/syft/pull/2273)
[@​spiffcs](https://togithub.com/spiffcs)]
- SPDX-2.3 is misidentified as SPDX-2.2
\[[#​2112](https://togithub.com/anchore/syft/issues/2112)
[#​2186](https://togithub.com/anchore/syft/pull/2186)
[@​wagoodman](https://togithub.com/wagoodman)]
- Jar parser chokes on empty lines
\[[#​2179](https://togithub.com/anchore/syft/issues/2179)
[#​2254](https://togithub.com/anchore/syft/pull/2254)
[@​spiffcs](https://togithub.com/spiffcs)]
- Add a new Java configuration option to recursively search parent poms…
\[[#​2274](https://togithub.com/anchore/syft/pull/2274)
[@​coheigea](https://togithub.com/coheigea)]
- Fix directory resolver to always return virtual path
\[[#​2259](https://togithub.com/anchore/syft/pull/2259)
[@​wagoodman](https://togithub.com/wagoodman)]
- Syft can now handle the case of parsing a jar with multiple poms
\[[#​2231](https://togithub.com/anchore/syft/pull/2231)
[@​coheigea](https://togithub.com/coheigea)]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers
\[[#​1971](https://togithub.com/anchore/syft/pull/1971)
[@​evanchaoli](https://togithub.com/evanchaoli)]
##### Breaking Changes
- Introduce cataloger naming conventions
\[[#​1578](https://togithub.com/anchore/syft/issues/1578)
[#​2277](https://togithub.com/anchore/syft/pull/2277)
[@​wagoodman](https://togithub.com/wagoodman)]
- Remove MetadataType from the core package struct
\[[#​1735](https://togithub.com/anchore/syft/issues/1735)
[#​1983](https://togithub.com/anchore/syft/pull/1983)
[@​wagoodman](https://togithub.com/wagoodman)]
- Add convention for JSON metadata type names and port existing values
to the new convention
\[[#​1844](https://togithub.com/anchore/syft/issues/1844)
[#​1983](https://togithub.com/anchore/syft/pull/1983)
[@​wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated syft.Format functions
\[[#​1344](https://togithub.com/anchore/syft/issues/1344)
[#​2186](https://togithub.com/anchore/syft/pull/2186)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Upgrade tool management
\[[#​2188](https://togithub.com/anchore/syft/pull/2188)
[@​wagoodman](https://togithub.com/wagoodman)]
- Fix homebrew post-release workflow
\[[#​2242](https://togithub.com/anchore/syft/pull/2242)
[@​wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)**
### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)
##### Added Features
- Add additional license filenames
\[[#​2227](https://togithub.com/anchore/syft/pull/2227)
[@​coheigea](https://togithub.com/coheigea)]
- Parse donet dependency trees
\[[#​2143](https://togithub.com/anchore/syft/pull/2143)
[@​noqcks](https://togithub.com/noqcks)]
- Find license by embedded license text
\[[#​2147](https://togithub.com/anchore/syft/issues/2147)
[#​2213](https://togithub.com/anchore/syft/pull/2213)
[@​coheigea](https://togithub.com/coheigea)]
- Add support for dpkg dependency relationships
\[[#​2040](https://togithub.com/anchore/syft/issues/2040)
[#​2212](https://togithub.com/anchore/syft/pull/2212)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Report errors to stderr not stdout
\[[#​2232](https://togithub.com/anchore/syft/pull/2232)
[@​wagoodman](https://togithub.com/wagoodman)]
- Python egg packages are not parsed for SBOM
\[[#​1761](https://togithub.com/anchore/syft/issues/1761)
[#​2239](https://togithub.com/anchore/syft/pull/2239)
[@​spiffcs](https://togithub.com/spiffcs)]
- Java archive is listed twice
\[[#​2130](https://togithub.com/anchore/syft/issues/2130)
[#​2220](https://togithub.com/anchore/syft/pull/2220)
[@​wagoodman](https://togithub.com/wagoodman)]
- Java archives not from Maven
\[[#​2217](https://togithub.com/anchore/syft/issues/2217)
[#​2220](https://togithub.com/anchore/syft/pull/2220)
[@​wagoodman](https://togithub.com/wagoodman)]
- Remove internal.StringSet
\[[#​2209](https://togithub.com/anchore/syft/issues/2209)
[#​2219](https://togithub.com/anchore/syft/pull/2219)
[@​wagoodman](https://togithub.com/wagoodman)]
- Invalid interface conversion in Swift cataloger
\[[#​2225](https://togithub.com/anchore/syft/issues/2225)
[#​2226](https://togithub.com/anchore/syft/pull/2226)
[@​wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)**
### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)
##### Added Features
- Parse license from the pom.xml if not contained in the manifest
\[[#​2115](https://togithub.com/anchore/syft/pull/2115)
[@​coheigea](https://togithub.com/coheigea)]
- Add Golang STD library package given a Golang binary has been
discovered compiled with that go binary
\[[#​1853](https://togithub.com/anchore/syft/issues/1853)
[#​2195](https://togithub.com/anchore/syft/pull/2195)
[@​spiffcs](https://togithub.com/spiffcs)]
- Improve --output CLI help and deprecate --file
\[[#​2165](https://togithub.com/anchore/syft/issues/2165)
[#​2187](https://togithub.com/anchore/syft/pull/2187)
[@​sharief007](https://togithub.com/sharief007)]
##### Bug Fixes
- Converting a SBOM looses the algorithm type for added checksums
\[[#​2183](https://togithub.com/anchore/syft/issues/2183)
[#​2207](https://togithub.com/anchore/syft/pull/2207)
[@​sharief007](https://togithub.com/sharief007)]
##### Additional Changes
- Refine the docs for building a cataloger
\[[#​2175](https://togithub.com/anchore/syft/pull/2175)
[@​wagoodman](https://togithub.com/wagoodman)]
- update license list to 3.22
\[[#​2201](https://togithub.com/anchore/syft/pull/2201)
[@​spiffcs](https://togithub.com/spiffcs)]
- Add exact syntax of the conversion formats
\[[#​2196](https://togithub.com/anchore/syft/pull/2196)
[@​vargenau](https://togithub.com/vargenau)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)**
### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)
##### Added Features
- Support for multiple image refs of same sha in OCI layout
\[[#​1544](https://togithub.com/anchore/syft/issues/1544)]
##### Bug Fixes
- Generated purls are different between runs of syft against the same
image and artifact
\[[#​2169](https://togithub.com/anchore/syft/issues/2169)
[#​2170](https://togithub.com/anchore/syft/pull/2170)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
##### Additional Changes
- bump stereoscope to fix data race in UI code
\[[#​2173](https://togithub.com/anchore/syft/pull/2173)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)**
### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)
##### Added Features
- Add support for CycloneDX 1.5
\[[#​2120](https://togithub.com/anchore/syft/issues/2120)
[#​2123](https://togithub.com/anchore/syft/pull/2123)
[@​spiffcs](https://togithub.com/spiffcs)]
- Add support for containerd as an image source
\[[#​201](https://togithub.com/anchore/syft/issues/201)
[#​1793](https://togithub.com/anchore/syft/pull/1793)
[@​shanedell](https://togithub.com/shanedell)]
- Support cataloging github workflow & github action usages
\[[#​1896](https://togithub.com/anchore/syft/issues/1896)
[#​2140](https://togithub.com/anchore/syft/pull/2140)
[@​wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Allow CycloneDX json input with no components
\[[#​2127](https://togithub.com/anchore/syft/pull/2127)
[@​ahoz](https://togithub.com/ahoz)]
- Prevent errors from clobbering terminal
\[[#​2161](https://togithub.com/anchore/syft/pull/2161)
[@​kzantow](https://togithub.com/kzantow)]
- Using syft as a go library to decode a syft json has incomplete data
\[[#​2069](https://togithub.com/anchore/syft/issues/2069)
[#​2083](https://togithub.com/anchore/syft/pull/2083)
[@​kzantow](https://togithub.com/kzantow)]
- SBOMs are not the same on multiple runs of syft
\[[#​1944](https://togithub.com/anchore/syft/issues/1944)]
##### Additional Changes
- Switch to stdlib's slices pkg
\[[#​2148](https://togithub.com/anchore/syft/pull/2148)
[@​hainenber](https://togithub.com/hainenber)]
- Remove unneeded arch switch in unit test
\[[#​2156](https://togithub.com/anchore/syft/pull/2156)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
- Update chronicle to v0.8.0
\[[#​2154](https://togithub.com/anchore/syft/pull/2154)
[@​wagoodman](https://togithub.com/wagoodman)]
- Update to latest stereoscope
\[[#​2151](https://togithub.com/anchore/syft/pull/2151)
[@​spiffcs](https://togithub.com/spiffcs)]
- Pin workflow checkout for cpe update-cpe-dictionary-index
\[[#​2141](https://togithub.com/anchore/syft/pull/2141)
[@​spiffcs](https://togithub.com/spiffcs)]
- Add dependency information to conan lockfile parser
\[[#​2131](https://togithub.com/anchore/syft/pull/2131)
[@​Pro](https://togithub.com/Pro)]
- Pin and update all workflow dependencies; add permission scopes
\[[#​2138](https://togithub.com/anchore/syft/pull/2138)
[@​spiffcs](https://togithub.com/spiffcs)]
- Enforce race detector
\[[#​2122](https://togithub.com/anchore/syft/pull/2122)
[@​willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)**
### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)
###
#### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0)
(2023-09-11)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)
##### Added Features
- Expose cobra command in cli package \[[PR
#​2097](https://togithub.com/anchore/syft/pull/2097)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Explicitly test PURL generation against key packages \[[Issue
#​2071](https://togithub.com/anchore/syft/issues/2071)]
- Add User-Agent with Syft version during update check \[[Issue
#​2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR
#​2100](https://togithub.com/anchore/syft/pull/2100)]
\[[hainenber](https://togithub.com/hainenber)]
##### Bug Fixes
- fix: correct group IDs for commons-codec, okhttp, okio, and add
integration tests for Java PURL generation \[[PR
#​2075](https://togithub.com/anchore/syft/pull/2075)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Cyclonedx external reference URLs are not validated when encoding
\[[Issue #​2079](https://togithub.com/anchore/syft/issues/2079)]
\[[PR #​2091](https://togithub.com/anchore/syft/pull/2091)]
\[[hainenber](https://togithub.com/hainenber)]
##### Additional Changes
- Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR
#​2088](https://togithub.com/anchore/syft/pull/2088)]
\[[dlorenc](https://togithub.com/dlorenc)]
- fix: update codeql-analysis for go 1.21 \[[PR
#​2108](https://togithub.com/anchore/syft/pull/2108)]
\[[spiffcs](https://togithub.com/spiffcs)]
### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)
###
#### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0)
(2023-08-31)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)
##### Added Features
- Add registry certificate verification support \[[PR
#​1734](https://togithub.com/anchore/syft/pull/1734)]
\[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)]
- Add SYFT_CONFIG environment variable for configuration file path
\[[Issue #​1986](https://togithub.com/anchore/syft/issues/1986)]
\[[PR #​2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
##### Bug Fixes
- Fix quiet flag \[[PR
#​2081](https://togithub.com/anchore/syft/pull/2081)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Command line flags not overriding configuration file values \[[Issue
#​1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR
#​2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Django package CPE is not correct \[[Issue
#​1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR
#​2068](https://togithub.com/anchore/syft/pull/2068)]
\[[witchcraze](https://togithub.com/witchcraze)]
- Config parsing includes `config.yaml` in working dir \[[Issue
#​1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR
#​2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Fix a possible panic on universal go binaries \[[Issue
#​2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR
#​2078](https://togithub.com/anchore/syft/pull/2078)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Disabling catalogers is not working in power user command \[[Issue
#​2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR
#​2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Virtual path changes to java cataloger causing creation of extra
incorrect packages when jars are renamed \[[Issue
#​2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR
#​2080](https://togithub.com/anchore/syft/pull/2080)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)
###
#### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0)
(2023-08-25)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)
##### Added Features
- Detect golang boring crypto and fipsonly modules \[[PR
#​2021](https://togithub.com/anchore/syft/pull/2021)]
\[[bathina2](https://togithub.com/bathina2)]
- feat: 1944 - update purl generation to use a consistent groupID \[[PR
#​2033](https://togithub.com/anchore/syft/pull/2033)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Add support to detect bash binaries \[[Issue
#​1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR
#​2055](https://togithub.com/anchore/syft/pull/2055)]
\[[witchcraze](https://togithub.com/witchcraze)]
##### Bug Fixes
- fix: properly parse conan ref and include user and channel \[[PR
#​2034](https://togithub.com/anchore/syft/pull/2034)]
\[[Pro](https://togithub.com/Pro)]
- New version notice only showing the version and no text \[[PR
#​2042](https://togithub.com/anchore/syft/pull/2042)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Fix: don't validate pom declared group \[[PR
#​2054](https://togithub.com/anchore/syft/pull/2054)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue
#​1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR
#​2051](https://togithub.com/anchore/syft/pull/2051)]
\[[selzoc](https://togithub.com/selzoc)]
- Syft seems unable to parse non UTF-8 pom.xml files \[[Issue
#​2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR
#​2047](https://togithub.com/anchore/syft/pull/2047)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Error parsing pom.xml with v0.87.1 \[[Issue
#​2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR
#​2064](https://togithub.com/anchore/syft/pull/2064)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Invalid CycloneDX: duplicates in relationships section \[[Issue
#​2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR
#​2063](https://togithub.com/anchore/syft/pull/2063)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)
###
#### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1)
(2023-08-17)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)
##### Bug Fixes
- Use Java package names to determine known groupIDs \[[PR
#​2032](https://togithub.com/anchore/syft/pull/2032)]
\[[kzantow](https://togithub.com/kzantow)]
- Relationships section of CycloneDX is not outputting even when the
data is present \[[Issue
#​1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR
#​1974](https://togithub.com/anchore/syft/pull/1974)]
\[[markgalpin](https://togithub.com/markgalpin)]
\[[kzantow](https://togithub.com/kzantow)]
- SPDX Tag-Value conversion not handling files directly set on packages
\[[Issue #​2013](https://togithub.com/anchore/syft/issues/2013)]
\[[PR #​2014](https://togithub.com/anchore/syft/pull/2014)]
\[[kzantow](https://togithub.com/kzantow)]
- Intermittent binary listings, different results every time \[[Issue
#​2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR
#​2036](https://togithub.com/anchore/syft/pull/2036)]
\[[kzantow](https://togithub.com/kzantow)]
</details>
<details>
<summary>charmbracelet/gum (charmbracelet/gum)</summary>
###
[`v0.13.0`](https://togithub.com/charmbracelet/gum/releases/tag/v0.13.0)
[Compare
Source](https://togithub.com/charmbracelet/gum/compare/v0.12.0...v0.13.0)
#### Changelog
##### New Features
Add `--select-if-one` flag to `gum choose` and `gum filter`.
```bash
> gum choose --select-if-one "option"
> option
```
-
[`fb6849c`](https://togithub.com/charmbracelet/gum/commit/fb6849ca163779e5fa33786568b78592f433470a):
`--select-if-one` flag to `choose`/`filter`.
([#​398](https://togithub.com/charmbracelet/gum/issues/398))
([@​kennyp](https://togithub.com/kennyp))
##### Bug fixes
-
[`5c65944`](https://togithub.com/charmbracelet/gum/commit/5c65944c66156df9eeba7fe742d6837e7869292d):
(fix): ShowOutput flag displays in realtime
([#​405](https://togithub.com/charmbracelet/gum/issues/405))
([@​hopefulTex](https://togithub.com/hopefulTex))
***
<details>
<summary>Verifying the artifacts</summary>
First, download the [`checksums.txt`
file](https://togithub.com/charmbracelet/gum/releases/download/0.13.0/checksums.txt),
for example, with `wget`:
```bash
wget 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt'
```
Then, verify it using [`cosign`](https://togithub.com/sigstore/cosign):
```bash
cosign verify-blob \
--certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--cert 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt.pem' \
--signature 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt.sig' \
./checksums.txt
```
If the output is `Verified OK`, you can safely use it to verify the
checksums of other artifacts you downloaded from the release using
`sha256sum`:
```bash
sha256sum --ignore-missing -c checksums.txt
```
Done! You artifacts are now verified!
</details>
<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>
Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.technology/@​charm), or on
[Discord](https://charm.sh/chat).
###
[`v0.12.0`](https://togithub.com/charmbracelet/gum/releases/tag/v0.12.0)
[Compare
Source](https://togithub.com/charmbracelet/gum/compare/v0.11.0...v0.12.0)
### Gum Log 🪵
Version 0.12.0 of gum features a brand new `log` command. Gum `log` logs
messages to the terminal at using different levels and styling using the
[`charmbracelet/log`](https://togithub.com/charmbracelet/log) library.
To get started, simply run:
gum log
```bash
### Log some debug information.
gum log --structured --level debug "Creating file..." name file.txt
### DEBUG Unable to create file. name=temp.txt
### Log some error.
gum log --structured --level error "Unable to create file." name file.txt
### ERROR Unable to create file. name=temp.txt
```
See [`charmbracelet/log`](https://togithub.com/charmbracelet/log) for
more usage.
<img src="https://vhs.charm.sh/vhs-6jupuFM0s2fXiUrBE0I1vU.gif"
width="600" alt="Running gum log with debug and error levels" />
#### What's Changed
- Pretty Table Print by
[@​maaslalani](https://togithub.com/maaslalani) in
[https://github.com/charmbracelet/gum/pull/436](https://togithub.com/charmbracelet/gum/pull/436)
- Log command by
[@​aymanbagabas](https://togithub.com/aymanbagabas) in
[https://github.com/charmbracelet/gum/pull/449](https://togithub.com/charmbracelet/gum/pull/449)
- Avoid reading from stdin if `--value` is being used by
[@​piero-vic](https://togithub.com/piero-vic) in
[https://github.com/charmbracelet/gum/pull/448](https://togithub.com/charmbracelet/gum/pull/448)
- Made filter work with lists as choose by
[@​MikaelFangel](https://togithub.com/MikaelFangel) in
[https://github.com/charmbracelet/gum/pull/424](https://togithub.com/charmbracelet/gum/pull/424)
#### New Contributors
- [@​cglong](https://togithub.com/cglong) made their first
contribution in
[https://github.com/charmbracelet/gum/pull/401](https://togithub.com/charmbracelet/gum/pull/401)
- [@​docwhat](https://togithub.com/docwhat) made their first
contribution in
[https://github.com/charmbracelet/gum/pull/433](https://togithub.com/charmbracelet/gum/pull/433)
- [@​piero-vic](https://togithub.com/piero-vic) made their first
contribution in
[https://github.com/charmbracelet/gum/pull/448](https://togithub.com/charmbracelet/gum/pull/448)
**Full Changelog**:
https://github.com/charmbracelet/gum/compare/v0.11.0...v0.12.0
***
<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>
Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.technology/@​charm), or on
[Discord](https://charm.sh/chat).
</details>
<details>
<summary>charmbracelet/vhs (charmbracelet/vhs)</summary>
###
[`v0.7.1`](https://togithub.com/charmbracelet/vhs/releases/tag/v0.7.1)
[Compare
Source](https://togithub.com/charmbracelet/vhs/compare/v0.7.0...v0.7.1)
### Freeze Frame ❄️ 📸
With VHS `v0.7.0`, you can capture the any moment during tape execution.
Just add in `Screenshot <filename>.png` to your tapes:
```elixir
Type ls
Enter
### Capture the output of 'ls'
Screenshot files.png
### Now, continue as you normally would
Type 'cd ..'
Enter
```
Your tape outputs a GIF, and outputs a file named `files.png`.
##### Copy-Paste Functionality!
VHS can now talk to your system clipboard. Please keep this in mind when
executing tapes from unknown sources.
> \[!WARNING]
> You should never `curl` pipe into VHS, it's similar to executing a
bash script on your computer!
```elixir
Copy "https://github.com/charmbracelet/huh"
Type 'curl '
Paste
Enter
```
#### New Modifiers + Keys Alert!
VHS `v0.7.0` has some new additions: introducing the top level `Shift+`
modifier and the `Insert` + `Delete` keys!
```elixir
### Shift things up a bit!
Shift+A
Shift+Tab
Shift+Enter
### Insert and delete to your hearts desire:
Insert
Delete
```
***
<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>
Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.social/@​charmcli), or
[Discord](https://charm.sh/chat).
###
[`v0.7.0`](https://togithub.com/charmbracelet/vhs/releases/tag/v0.7.0)
[Compare
Source](https://togithub.com/charmbracelet/vhs/compare/v0.6.0...v0.7.0)
### Freeze Frame ❄️ 📸
With VHS `v0.7.0`, you can capture the any moment during tape execution.
Just add in `Screenshot <filename>.png` to your tapes:
```elixir
Type ls
Enter
### Capture the output of 'ls'
Screenshot files.png
### Now, continue as you normally would
Type 'cd ..'
Enter
```
Your tape outputs a GIF, and outputs a file named `files.png`.
##### Copy-Paste Functionality!
VHS can now talk to your system clipboard. Please keep this in mind when
executing tapes from unknown sources.
> \[!WARNING]
> You should never `curl` pipe into VHS, it's similar to executing a
bash script on your computer!
```elixir
Copy "https://github.com/charmbracelet/huh"
Type 'curl '
Paste
Enter
```
#### New Modifiers + Keys Alert!
VHS `v0.7.0` has some new additions: introducing the top level `Shift+`
modifier and the `Insert` + `Delete` keys!
```elixir
### Shift things up a bit!
Shift+A
Shift+Tab
Shift+Enter
### Insert and delete to your hearts desire:
Insert
Delete
```
***
<a href="https://charm.sh/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-badge.jpg" width="400"></a>
Thoughts? Questions? We love hearing from you. Feel free to reach out on
[Twitter](https://twitter.com/charmcli), [The
Fediverse](https://mastodon.social/@​charmcli), or
[Discord](https://charm.sh/chat).
</details>
<details>
<summary>direnv/direnv (direnv/direnv)</summary>
### [`v2.33.0`](https://togithub.com/direnv/direnv/releases/tag/v2.33.0)
[Compare
Source](https://togithub.com/direnv/direnv/compare/v2.32.3...v2.33.0)
- doc: add a Nushell section to `hook.md` by
[@​amtoine](https://togithub.com/amtoine) in
[https://github.com/direnv/direnv/pull/1175](https://togithub.com/direnv/direnv/pull/1175)
- doc: fix broken links in installation.md by
[@​just1602](https://togithub.com/just1602) in
[https://github.com/direnv/direnv/pull/1110](https://togithub.com/direnv/direnv/pull/1110)
- doc: show how to run tests by
[@​bukzor-sentryio](https://togithub.com/bukzor-sentryio) in
[https://github.com/direnv/direnv/pull/1137](https://togithub.com/direnv/direnv/pull/1137)
- doc: update NixOS installation instructions by
[@​Gerg-L](https://togithub.com/Gerg-L) in
[https://github.com/direnv/direnv/pull/1172](https://togithub.com/direnv/direnv/pull/1172)
- doc: update direnv.toml.1.md by
[@​Ativerc](https://togithub.com/Ativerc) in
[https://github.com/direnv/direnv/pull/1099](https://togithub.com/direnv/direnv/pull/1099)
- feat: `direnv status --json` by
[@​shivaraj-bh](https://togithub.com/shivaraj-bh) in
[https://github.com/direnv/direnv/pull/1142](https://togithub.com/direnv/direnv/pull/1142)
- feat: add PowerShell Support by
[@​bamsammich](https://togithub.com/bamsammich) in
[https://github.com/direnv/direnv/pull/1171](https://togithub.com/direnv/direnv/pull/1171)
- feat: add mergify configuration by
[@​Mic92](https://togithub.com/Mic92) in
[https://github.com/direnv/direnv/pull/1147](https://togithub.com/direnv/direnv/pull/1147)
- feat: add support for armv7l platform in install.sh by
[@​ardje](https://togithub.com/ardje) in
[https://github.com/direnv/direnv/pull/1162](https://togithub.com/direnv/direnv/pull/1162)
- feat: add watch print command by
[@​Mic92](https://togithub.com/Mic92) in
[https://github.com/direnv/direnv/pull/1198](https://togithub.com/direnv/direnv/pull/1198)
- feat: alias `direnv disallow` to deny by
[@​will](https://togithub.com/will) in
[https://github.com/direnv/direnv/pull/1182](https://togithub.com/direnv/direnv/pull/1182)
- feat: stdlib: create CACHEDIR.TAG inside .direnv by
[@​Mic92](https://togithub.com/Mic92) in
[https://github.com/direnv/direnv/pull/1148](https://togithub.com/direnv/direnv/pull/1148)
- fix: `allowPath` for `LoadedRC` by
[@​shivaraj-bh](https://togithub.com/shivaraj-bh) in
[https://github.com/direnv/direnv/pull/1157](https://togithub.com/direnv/direnv/pull/1157)
- fix: don't prompt to allow if user explicitly denied by
[@​Gabriella439](https://togithub.com/Gabriella439) in
[https://github.com/direnv/direnv/pull/1158](https://togithub.com/direnv/direnv/pull/1158)
- fix: man/direnv-stdlib: fix obsolete opam-env example by
[@​mzacho](https://togithub.com/mzacho) in
[https://github.com/direnv/direnv/pull/1170](https://togithub.com/direnv/direnv/pull/1170)
- fix: print correct path in source_env log message by
[@​wentasah](https://togithub.com/wentasah) in
[https://github.com/direnv/direnv/pull/1144](https://togithub.com/direnv/direnv/pull/1144)
- fix: quote tcsh $PATH, to avoid failure on whitespace by
[@​bukzor-sentryio](https://togithub.com/bukzor-sentryio) in
[https://github.com/direnv/direnv/pull/1139](https://togithub.com/direnv/direnv/pull/1139)
- fix: remove redundant nil check in `CommandsDispatch` by
[@​Juneezee](https://togithub.com/Juneezee) in
[https://github.com/direnv/direnv/pull/1166](https://togithub.com/direnv/direnv/pull/1166)
- fix: update nixpkgs and shellcheck by
[@​Mic92](https://togithub.com/Mic92) in
[https://github.com/direnv/direnv/pull/1146](https://togithub.com/direnv/direnv/pull/1146)
</details>
<details>
<summary>golang/go (golang/go)</summary>
###
[`v1.21.5`](https://togithub.com/golang/go/compare/go1.21.4...go1.21.5)
[Compare
Source](https://togithub.com/golang/go/compare/go1.21.4...go1.21.5)
###
[`v1.21.4`](https://togithub.com/golang/go/compare/go1.21.3...go1.21.4)
[Compare
Source](https://togithub.com/golang/go/compare/go1.21.3...go1.21.4)
###
[`v1.21.3`](https://togithub.com/golang/go/compare/go1.21.2...go1.21.3)
[Compare
Source](https://togithub.com/golang/go/compare/go1.21.2...go1.21.3)
###
[`v1.21.2`](https://togithub.com/golang/go/compare/go1.21.1...go1.21.2)
[Compare
Source](https://togithub.com/golang/go/compare/go1.21.1...go1.21.2)
###
[`v1.21.1`](https://togithub.com/golang/go/compare/go1.21.0...go1.21.1)
[Compare
Source](https://togithub.com/golang/go/compare/go1.21.0...go1.21.1)
</details>
<details>
<summary>goreleaser/goreleaser (goreleaser/goreleaser)</summary>
###
[`v1.22.1`](https://togithub.com/goreleaser/goreleaser/releases/tag/v1.22.1)
[Compare
Source](https://togithub.com/goreleaser/goreleaser/compare/v1.22.0...v1.22.1)
#### Changelog
##### Bug fixes
-
[`e33d053`](https://togithub.com/goreleaser/goreleaser/commit/e33d0536129abeee90f46fbde5950403ba37cee1):
fix: --single-target when no match
([@​caarlos0](https://togithub.com/caarlos0))
-
[`c0b2be3`](https://togithub.com/goreleaser/goreleaser/commit/c0b2be344fca8c66fda35391ca76d9c3ca9753c8):
fix: handle configs with no explicit targets on --single-target
([@​caarlos0](https://togithub.com/caarlos0))
##### Build process updates
-
[`4f17fba`](https://togithub.com/goreleaser/goreleaser/commit/4f17fba173ec6d8feb93b15607fc692dd2b64533):
build: fix setup-task rate limit
([@​caarlos0](https://togithub.com/caarlos0))
-
[`be9ad4d`](https://togithub.com/goreleaser/goreleaser/commit/be9ad4d47dd09c218c8fd32b321a99ff7eb5956d):
build: update workflow
([@​caarlos0](https://togithub.com/caarlos0))
**Full Changelog**:
https://github.com/goreleaser/goreleaser/compare/v1.22.0...v1.22.1
#### Helping out
This release is only possible thanks to **all** the support of some
**awesome people**!
Want to be one of them?
You can [sponsor](https://goreleaser.com/sponsors/), get a [Pro
License](https://goreleaser.com/pro) or [contribute with
code](https://goreleaser.com/contributing).
#### Where to go next?
- Find
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy41Mi4wIiwidXBkYXRlZEluVmVyIjoiMzcuNTIuMCIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->
Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>- Loading branch information
1 parent
0dc0ee7
commit c20a473