chore(deps): update ⬆️ aqua-packages

[mend-for-github-com]

This PR contains the following updates:

Package	Update	Change
anchore/syft	minor	v0.73.0 -> v0.99.0
aquaproj/aqua-registry	minor	v3.138.0 -> v3.162.0
charmbracelet/glow	patch	v1.5.0 -> v1.5.1
direnv/direnv	minor	v2.32.2 -> v2.33.0
golang.org/x/tools/gopls	minor	v0.11.0 -> v0.14.2
golang/go	minor	1.20.1 -> 1.21.5
golang/tools	minor	v0.6.0 -> v0.16.1
goreleaser/goreleaser	minor	v1.15.2 -> v1.22.1
magefile/mage	minor	v1.14.0 -> v1.15.0
miniscruff/changie	minor	v1.11.1 -> v1.17.0
mvdan/gofumpt	minor	v0.4.0 -> v0.5.0
thycotic/dsv-cli	patch	v1.40.1 -> v1.40.5

---

Release Notes

anchore/syft (anchore/syft)

v0.99.0

Compare Source

Added Features

• Look for a maven version in a pom from a parent dependency management… [#​2423 @​coheigea]
• Adding the ability to retrieve remote licenses for yarn.lock [#​2338 @​coheigea]
• Retrieve remote licenses using pom.properties when there is no pom.xml [#​2315 @​coheigea]
• Add the option to retrieve remote licenses for projects defined in a … [#​2409 @​coheigea]
• Parse Python licenses from LicenseFile entry in the Wheel Metadata [#​2331 @​coheigea]
• Add binary classifier for the ERLang interpreter [#​2417 @​LaurentGoderre]
• Parse Python licenses from LicenseExpression entry in the Wheel Metadata [#​2431 @​coheigea]
• Add binary classifier for Julia lang [#​2427 @​LaurentGoderre]
• Add binary detection for PHP composer [#​2432 @​LaurentGoderre]

Bug Fixes

• bump fangs for ptr summarize fix [#​2387 @​willmurphyscode]
• improve identification for org.codehaus.groovy artifacts [#​2404 @​westonsteimel]
• improve identification for commons-jelly artifacts [#​2399 @​westonsteimel]
• improve identification for io.minio artifacts [#​2398 @​westonsteimel]
• improve identification for com.graphql-java artifacts [#​2397 @​westonsteimel]
• improve identification for org.apache.tapestry artifacts [#​2384 @​westonsteimel]
• improve identification for io.ratpack artifacts [#​2379 @​westonsteimel]
• improve identification for org.apache.cassandra artifacts [#​2386 @​westonsteimel]
• improve identification for org.neo4j.procedure artifacts [#​2388 @​westonsteimel]
• improve identification for org.elasticsearch artifacts [#​2383 @​westonsteimel]
• improve identification for org.apache.geode artifacts [#​2382 @​westonsteimel]
• improve identification for org.apache.tomcat artifacts [#​2381 @​westonsteimel]
• improve identification for io.projectreactor.netty artifacts [#​2378 @​westonsteimel]
• stop panic when parsing Haskell stack.yaml.lock with missing hackage field [#​2421 #​2419 @​houdini91]
• fix detecting the name of the eclipse OSGi artifact [#​2314 #​2349 @​westonsteimel]
• File Sources incorrectly exclude files on Windows [#​2410 #​2411 @​Racer159]
• Parser for dotnet_portable_executable using wrong attribute name [#​2029 #​2133 @​kzantow]

Breaking Changes

• Generalize UI events for cataloging tasks [#​2369 @​wagoodman]

Additional Changes

• refactor pkg.Collection to remove "catalog" references [#​2439 @​wagoodman]
• Expose javascript fields in cataloger configuration [#​2438 @​wagoodman]
• Use common archive catalog configuration [#​2437 @​wagoodman]
• Fix file digest cataloger when passed explicit coordinates [#​2436 @​wagoodman]

(Full Changelog)

v0.98.0

Compare Source

Added Features

• Add binary classifiers for MySQL and MariaDB [#​2316 @​duanemay]
• Enhance redis binary classifier to support additional versions [#​2329 @​whalelines]
• Expose compact JSON and XML format configuration [#​561 #​2275 @​wagoodman]

Bug Fixes

• Fix file metadata cataloger when passed explicit coordinates [#​2370 @​wagoodman]
• hardcode xalan group ID [#​2368 @​willmurphyscode]
• logging level for parsing potential PE files [#​2367 @​kzantow]
• Use read lock in pkg.Collection [#​2341 @​wagoodman]
• add manual namespace mapping for org.springframework jars [#​2345 @​westonsteimel]
• add manual namespace mapping for org.springframework.security jars [#​2343 @​westonsteimel]
• errors are printed into the stdout in syft 0.97.1 [#​2356 #​2364 @​kzantow]
• syft some-jar.jar fails to find packages if PWD is a symlink [#​2355 #​2359 @​willmurphyscode]
• Default for recently added base path, "", disables detection of symlinked *.jar files [#​1962 #​2359 @​willmurphyscode]
• syft attest broken since 0.85.0 [#​2333 #​2337 @​wagoodman]
• Incorrect Java PURL for org.bouncycastle jars [#​2339 #​2342 @​westonsteimel]

Breaking Changes

• Remove power-user command and related catalogers [#​1419 #​2306 @​wagoodman]

Additional Changes

• Normalize cataloger configuration patterns [#​2365 @​wagoodman]
• Normalize enums to lowercase with hyphens [#​2363 @​wagoodman]

(Full Changelog)

Special Thanks

Thanks @​duanemay and @​whalelines for the enhanced binary classifier support 👍

v0.97.1

Compare Source

Bug Fixes

• Syft does not use HTTP proxy when downloading the Docker image itself [#​2203 #​2336 @​anchore-actions-token-generator]

Additional Changes

• syft version report is broken with 0.97.0 release [#​2334 #​2335 @​spiffcs]

(Full Changelog)

v0.97.0

Compare Source

Added Features

• Add license for golang stdlib package [#​2317 @​coheigea]
• Fall back to searching maven central using groupIDFromJavaMetadata [#​2295 @​coheigea]

Bug Fixes

• Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#​2313 @​coheigea]
• capture content written to stdout outside of report [#​2324 @​kzantow]
• add manual groupid mappings for org.apache.velocity jars [#​2327 @​westonsteimel]
• skip maven bundle plugin logic if vendor id and symbolic name match [#​2326 @​westonsteimel]
• cataloger dpkg-db-cataloger not working [#​2323]

Breaking Changes

• Rename Location virtualPath to accessPath [#​1835 #​2288 @​wagoodman]

Additional Changes

• Export syft-json format package metadata type helper [#​2328 @​wagoodman]
• Add dotnet-portable-executable-cataloger to README [#​2322 @​noqcks]

(Full Changelog)

v0.96.0

Compare Source

Added Features

• Check maven central as well for licenses in parents poms for nested jars [#​2302 @​coheigea]
• store image annotations inside the SBOM [#​2267 #​2294 @​noqcks]
• Support parsing license information in Maven projects via parent poms [#​2103]

Bug Fixes

• SPDX file has duplicate sha256 tag in versionInfo [#​2300 @​coheigea]
• Report virtual path consistently between file.Resolvers [#​1836 #​2287 @​wagoodman]
• Unable to identify CycloneDX JSON documents without $schema property [#​2299 #​2303 @​kzantow]

(Full Changelog)

v0.95.0

Compare Source

Added Features

• Use case-insensitive matching for Go license files [#​2286 @​miquella]
• Add conaninfo.txt parser to detect conan packages in docker images [#​2234 @​Pro]
• Perform case insensitive matching on Java License files [#​2235 @​coheigea]
• Read a license from a parent pom stored in Maven Central [#​2228 @​coheigea]
• Add PURLs when scanning Gradle lock files [#​2278 @​robbiev]

Bug Fixes

• Fix CPE index workflow [#​2252 @​wagoodman]
• Fix cpe generation task [#​2270 @​willmurphyscode]
• Introduce cataloger naming conventions [#​1578 #​2277 @​wagoodman]
• .NET / nuget - invalid SBOM generated after parsing [#​2255 #​2273 @​spiffcs]
• Wrong parsing after v0.85.0 syft for some components [#​2241 #​2273 @​spiffcs]
• SPDX-2.3 is misidentified as SPDX-2.2 [#​2112 #​2186 @​wagoodman]
• Jar parser chokes on empty lines [#​2179 #​2254 @​spiffcs]
• Add a new Java configuration option to recursively search parent poms… [#​2274 @​coheigea]
• Fix directory resolver to always return virtual path [#​2259 @​wagoodman]
• Syft can now handle the case of parsing a jar with multiple poms [#​2231 @​coheigea]
• Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#​1971 @​evanchaoli]

Breaking Changes

• Introduce cataloger naming conventions [#​1578 #​2277 @​wagoodman]
• Remove MetadataType from the core package struct [#​1735 #​1983 @​wagoodman]
• Add convention for JSON metadata type names and port existing values to the new convention [#​1844 #​1983 @​wagoodman]
• Remove deprecated syft.Format functions [#​1344 #​2186 @​wagoodman]

Additional Changes

• Upgrade tool management [#​2188 @​wagoodman]
• Fix homebrew post-release workflow [#​2242 @​wagoodman]

(Full Changelog)

v0.94.0

Compare Source

Added Features

• Add additional license filenames [#​2227 @​coheigea]
• Parse donet dependency trees [#​2143 @​noqcks]
• Find license by embedded license text [#​2147 #​2213 @​coheigea]
• Add support for dpkg dependency relationships [#​2040 #​2212 @​wagoodman]

Bug Fixes

• Report errors to stderr not stdout [#​2232 @​wagoodman]
• Python egg packages are not parsed for SBOM [#​1761 #​2239 @​spiffcs]
• Java archive is listed twice [#​2130 #​2220 @​wagoodman]
• Java archives not from Maven [#​2217 #​2220 @​wagoodman]
• Remove internal.StringSet [#​2209 #​2219 @​wagoodman]
• Invalid interface conversion in Swift cataloger [#​2225 #​2226 @​wagoodman]

(Full Changelog)

v0.93.0

Compare Source

Added Features

• Parse license from the pom.xml if not contained in the manifest [#​2115 @​coheigea]
• Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#​1853 #​2195 @​spiffcs]
• Improve --output CLI help and deprecate --file [#​2165 #​2187 @​sharief007]

Bug Fixes

• Converting a SBOM looses the algorithm type for added checksums [#​2183 #​2207 @​sharief007]

Additional Changes

• Refine the docs for building a cataloger [#​2175 @​wagoodman]
• update license list to 3.22 [#​2201 @​spiffcs]
• Add exact syntax of the conversion formats [#​2196 @​vargenau]

(Full Changelog)

v0.92.0

Compare Source

Added Features

• Support for multiple image refs of same sha in OCI layout [#​1544]

Bug Fixes

• Generated purls are different between runs of syft against the same image and artifact [#​2169 #​2170 @​willmurphyscode]

Additional Changes

• bump stereoscope to fix data race in UI code [#​2173 @​willmurphyscode]

(Full Changelog)

v0.91.0

Compare Source

Added Features

• Add support for CycloneDX 1.5 [#​2120 #​2123 @​spiffcs]
• Add support for containerd as an image source [#​201 #​1793 @​shanedell]
• Support cataloging github workflow & github action usages [#​1896 #​2140 @​wagoodman]

Bug Fixes

• Allow CycloneDX json input with no components [#​2127 @​ahoz]
• Prevent errors from clobbering terminal [#​2161 @​kzantow]
• Using syft as a go library to decode a syft json has incomplete data [#​2069 #​2083 @​kzantow]
• SBOMs are not the same on multiple runs of syft [#​1944]

Additional Changes

• Switch to stdlib's slices pkg [#​2148 @​hainenber]
• Remove unneeded arch switch in unit test [#​2156 @​willmurphyscode]
• Update chronicle to v0.8.0 [#​2154 @​wagoodman]
• Update to latest stereoscope [#​2151 @​spiffcs]
• Pin workflow checkout for cpe update-cpe-dictionary-index [#​2141 @​spiffcs]
• Add dependency information to conan lockfile parser [#​2131 @​Pro]
• Pin and update all workflow dependencies; add permission scopes [#​2138 @​spiffcs]
• Enforce race detector [#​2122 @​willmurphyscode]

(Full Changelog)

v0.90.0

Compare Source

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [PR #​2097] [wagoodman]
• Explicitly test PURL generation against key packages [Issue #​2071]
• Add User-Agent with Syft version during update check [Issue #​2072] [PR #​2100] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #​2075] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [Issue #​2079] [PR #​2091] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [PR #​2088] [dlorenc]
• fix: update codeql-analysis for go 1.21 [PR #​2108] [spiffcs]

v0.89.0

Compare Source

v0.89.0 (2023-08-31)

Full Changelog

Added Features

• Add registry certificate verification support [PR #​1734] [5p2O5pe25ouT]
• Add SYFT_CONFIG environment variable for configuration file path [Issue #​1986] [PR #​2001] [kzantow]

Bug Fixes

• Fix quiet flag [PR #​2081] [wagoodman]
• Command line flags not overriding configuration file values [Issue #​1143] [PR #​2001] [kzantow]
• Django package CPE is not correct [Issue #​1298] [PR #​2068] [witchcraze]
• Config parsing includes config.yaml in working dir [Issue #​1634] [PR #​2001] [kzantow]
• Fix a possible panic on universal go binaries [Issue #​2073] [PR #​2078] [willmurphyscode]
• Disabling catalogers is not working in power user command [Issue #​2074] [PR #​2001] [kzantow]
• Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #​2077] [PR #​2080] [willmurphyscode]

v0.88.0

Compare Source

v0.88.0 (2023-08-25)

Full Changelog

Added Features

• Detect golang boring crypto and fipsonly modules [PR #​2021] [bathina2]
• feat: 1944 - update purl generation to use a consistent groupID [PR #​2033] [spiffcs]
• Add support to detect bash binaries [Issue #​1963] [PR #​2055] [witchcraze]

Bug Fixes

• fix: properly parse conan ref and include user and channel [PR #​2034] [Pro]
• New version notice only showing the version and no text [PR #​2042] [wagoodman]
• Fix: don't validate pom declared group [PR #​2054] [willmurphyscode]
• Errors when handling symlinks on Windows with syft v0.85.0 [Issue #​1950] [PR #​2051] [selzoc]
• Syft seems unable to parse non UTF-8 pom.xml files [Issue #​2044] [PR #​2047] [wagoodman]
• Error parsing pom.xml with v0.87.1 [Issue #​2060] [PR #​2064] [willmurphyscode]
• Invalid CycloneDX: duplicates in relationships section [Issue #​2062] [PR #​2063] [kzantow]

v0.87.1

Compare Source

v0.87.1 (2023-08-17)

Full Changelog

Bug Fixes

• Use Java package names to determine known groupIDs [PR #​2032] [kzantow]
• Relationships section of CycloneDX is not outputting even when the data is present [Issue #​1972] [PR #​1974] [markgalpin] [kzantow]
• SPDX Tag-Value conversion not handling files directly set on packages [Issue #​2013] [PR #​2014] [kzantow]
• Intermittent binary listings, different results every time [Issue #​2035] [PR #​2036] [kzantow]

v0.87.0

Compare Source

v0.87.0 (2023-08-14)

Full Changelog

Added Features

• feat: use originator logic to fill supplier [PR #​1980] [spiffcs]
• Expand deb cataloger to include opkg [PR #​1985] [johnDeSilencio]
• Package duplicated by different cataloger [Issue #​931] [PR #​1948] [spiffcs]
• Add binary cataloger for Nginx built from source [Issue #​1945] [PR #​1988] [SemProvoost]

Bug Fixes

• chore: update bubbly to fix hanging [PR #​1990] [kzantow]
• fix: update glob to use newer usr/lib/sysimage path [PR #​1997] [spiffcs]
• fix: SPDX license values and download location [PR #​2007] [kzantow]
• Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #​1957] [PR #​1995] [kzantow]

v0.86.1

Compare Source

Changelog

v0.86.1 (2023-07-31)

Full Changelog

Bug Fixes

• Source requires default image name as user input for unparsable reference [PR #​1979] [kzantow]

v0.86.0

Compare Source

Changelog

v0.86.0 (2023-07-31)

Full Changelog

Added Features

• Introduce indexed embedded CPE dictionary [PR #​1897] [luhring]
• Add cataloger for Swift Package Manager. [PR #​1919] [trilleplay]
• Guess unpinned versions in python requirements.txt [PR #​1597] [PR #​1966] [manifestori] [wagoodman]
• Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #​1661] [Issue #​1241] [PR #​1934] [kzantow]

Bug Fixes

• Fix panic condition on docker pull failure [PR #​1968] [wagoodman]
• Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" [Issue #​1799] [PR #​1943] [luhring]
• Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #​1969] [spiffcs]

Breaking Changes

• Remove jotframe UI [PR #​1932] [wagoodman]
• Simplify python env markers [PR #​1967] [wagoodman]

v0.85.0

Compare Source

Changelog

v0.85.0 (2023-07-12)

Full Changelog

Added Features

• Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #​1867] [deitch]
• Add file source digest support [PR #​1914] [wagoodman]
• Remove erroneous Java CPEs from generation [PR #​1918] [luhring]
• Fix CPE generation for k8s python client [PR #​1921] [luhring]
• Don't use the actual redis or grpc CPEs for gems [PR #​1926] [luhring]
• The text user interface is now provided by the bubbletea library [Issue #​1441] [PR #​1888] [wagoodman]

Bug Fixes

• Install script returns exit code 0 even if install fails [Issue #​1566] [PR #​1915] [lorsatti]
• [Windows] Not able to scan volume mounted to folder [Issue #​1828] [PR #​1884] [dd-cws]
• Deprecated license: GFDL-1.2+ [Issue #​1899] [PR #​1907] [spiffcs]

Breaking Changes

• Refactor the source API and syft-json source block data shape [Issue #​1866] [PR #​1846] [wagoodman]

Additional Changes

• chore: update iterations to protect against race [PR #​1927] [spiffcs]
• fix: background reader apart from global handler for testing [PR #​1929] [spiffcs]

v0.84.1

Compare Source

Changelog

v0.84.1 (2023-06-29)

Full Changelog

Bug Fixes

• Fix version detection in Java archive name parsing [PR #​1889] [luhring]
• Improve support for Dart SDK package dependency lockfiles [PR #​1891] [rufman]
• Fix license output for some CycloneDX JSON SBOMs [Issue #​1877] [PR #​1879] [kzantow]
• Correctly discover Debian file relationships in distroless images [Issue #​1900] [PR #​1901] [westonsteimel]

Additional Changes

• Simplify the SBOM writer interface [PR #​1892] [wagoodman]

v0.84.0

Compare Source

Changelog

v0.84.0 (2023-06-20)

Full Changelog

Breaking Changes

• Pad artifact IDs [PR #​1882] [willmurphyscode]

Additional Changes

• chore: update SPDX license list to 3.21 [PR #​1885] [kzantow]

v0.83.1

Compare Source

Changelog

v0.83.1 (2023-06-14)

Full Changelog

Bug Fixes

• fix: pom properties not setting artifact id [PR #​1870] [jneate]
• fix(deps): pull in platform selection fix from stereoscope [PR #​1871] [anchore-actions-token-generator] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see https://github.com/anchore/stereoscope/issues/188
• symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #​1860] [PR #​1861] [deitch]

v0.83.0

Compare Source

Changelog

v0.83.0 (2023-06-05)

Full Changelog

Added Features

• Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). [Issue #​1399] [PR #​1859] [kzantow]
• Add scope to POM properties [PR #​1779] [jneate]
• Accept main.version ldflags even without vcs [PR #​1855] [deitch]

Bug Fixes

• Fix directory resolver to consider CWD and root path input correctly [PR #​1840] [wagoodman]
• Show all error messages if there is a failure retrieving an image with a specified scheme [Issue #​1569] [PR #​1801] [FrimIdan]
• v0.81.0 crashing parsing some images [Issue #​1837] [PR #​1839] [spiffcs]

Deprecated Features

• Migrate location-related structs to the file package [PR #​1751] [wagoodman]

Additional Changes

• chore: code cleanup [PR #​1865] [spiffcs]

v0.82.0

Compare Source

Changelog

v0.82.0 (2023-05-23)

Full Changelog

Added Features

• Improve Go main module version detection by attempting to parse available ldflags [Issue #​1785] [PR #​1832] [wagoodman]

Bug Fixes

• Fix a problem in the license parsing logic that may result in a panic [PR #​1839]
• Return all relevant error messages if an image retrieval fails when a scheme is specified [PR #​1801] [FrimIdan]
• Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages [Issue #​1762] [PR #​1778] [kzantow]

v0.81.0

Compare Source

Changelog

v0.81.0 (2023-05-22)

Full Changelog

Added Features

• Support cataloging R packages [Issue #​730] [PR #​1790] [willmurphyscode]
• Support describing license properties and SPDX expression assertions [Issue #​1577] [PR #​1743] [spiffcs]
• Warn if parsing a newer SBOM [PR #​1810] [willmurphyscode]

Bug Fixes

• Retain cataloged SBOM relationships [PR #​1509] [houdini91]
• fix: update field plurality of 8.0.0 schema before release [PR #​1820] [spiffcs]
• fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft [Issue #​1812] [PR #​1797] [willmurphyscode]
• CycloneDX Dependencies Relationships Inverted [Issue #​1815] [PR #​1816] [shanealv]
• Alpine: license expression should be complete and not parsed out [Issue #​1817] [PR #​1819] [spiffcs]

Additional Changes

• Print package list when extra packages found [PR #​1791] [willmurphyscode]
• update cosign to v2 release (different go module) [PR #​1805] [bobcallaway]

v0.80.0

Compare Source

Changelog

v0.80.0 (2023-05-05)

Full Changelog

Added Features

• Improve pnpm support [Issue #​1535] [PR #​1752] [Shanedell]

Bug Fixes

• chore: add more detail on SPDX file IDs [PR #​1769] [kzantow]
• chore: do not HTML escape PackageURLs [PR #​1782] [kzantow]
• RPM database not found on ostree-managed systems [Issue #​1755] [PR #​1756] [fpytloun]
• Unable to use syft for private azure container registry [Issue #​1777]
• linux-kernel-cataloger produces thousands of version-less components. [Issue #​1781] [PR #​1784] [kzantow]

Deprecated Features

• Rename pkg.Catalog to pkg.Collection [PR #​1764] [wagoodman]

v0.79.0

Compare Source

Changelog

v0.79.0 (2023-04-21)

Full Changelog

Added Features

• Add ALPM Metadata to CYCLONEDX and SPDX output formats [Issue #​1037] [PR #​1747] [Shanedell]
• consul binary classifier [Issue #​1590] [PR #​1738] [Shanedell]

Bug Fixes

• Syft missing direct dependencies from the gemfile.lock [Issue #​1660] [PR #​1749] [Shanedell]

Additional Changes

• chore: bump stereoscope to latest version [PR #​1741] [westonsteimel]

v0.78.0

Compare Source

Changelog

v0.78.0 (2023-04-17)

Full Changelog

Added Features

• Add Linux Kernel cataloger [PR #​1694] [deitch & wagoodman]
• Support scanning license files in golang packages over the network [Issue #​1056] [PR #​1630] [deitch & kzantow]
• Add consul binary classifier [Issue #​1590] [PR #​1738] [Shanedell]
• Add annotations for evidence on package locations [PR #​1723] [wagoodman]

Bug Fixes

• Decoding of the syft-json format does not handle files [Issue #​1534] [PR #​1698] [wagoodman]

v0.77.0

Compare Source

Changelog

v0.77.0 (2023-04-11)

Full Changelog

Added Features

• feat: gradle lockfile support [PR #​1719] [henrysachs]
• feat: support for java "nar" files [PR #​1727] [Shanedell]

v0.76.1

Compare Source

Changelog

v0.76.1 (2023-04-05)

Full Changelog

Added Features

• Capture file ownership relationships from portage ecosystem [PR #​1702] [wagoodman]
• Add Nix Cataloger [Issue #​462] [PR #​1107] [juliosueiras] [PR #​1696] [wagoodman] [flokli]

v0.76.0

Compare Source

Changelog

v0.76.0 (2023-03-31)

Full Changelog

Added Features

• Scan local go mod licenses for golang packages [PR #​1645] [deitch]
• update and clean license list generation to return more SPDXID for more inputs [PR #​1691] [spiffcs]
• argocd binary classifier [Issue #​1606] [PR #​1663] [y12studio]
• Add config option to allow user to select the default image source location [Issue #​1703] [spiffcs]

Bug Fixes

• Defer closing the opened file when using FileScheme [[PR #​1668](https://to

---

Configuration

📅 Schedule: Branch creation - "every weekday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box