Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade syft to v0.103.1 #1688

Merged
merged 2 commits into from
Jan 31, 2024
Merged

Upgrade syft to v0.103.1 #1688

merged 2 commits into from
Jan 31, 2024

Conversation

wagoodman
Copy link
Contributor

@wagoodman wagoodman commented Jan 31, 2024
edited
Loading

Pulls in fixes from:

To address various tar path traversal bugs, specifically when malicious tar files are passed to grype (e.g. grype ./path/to/my.tar).

@wagoodman
upgrade syft to v0.103.0
e7b439f 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review January 31, 2024 16:39
@wagoodman wagoodman requested a review from a team January 31, 2024 16:39
@wagoodman wagoodman changed the title Upgrade syft to v0.103.0 Upgrade syft to v0.103.1 Jan 31, 2024
@wagoodman wagoodman marked this pull request as draft January 31, 2024 17:08
@wagoodman
upgrade syft to v0.103.1
56966cf 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
@wagoodman wagoodman marked this pull request as ready for review January 31, 2024 17:15
@wagoodman wagoodman enabled auto-merge (squash) January 31, 2024 17:19
@wagoodman wagoodman added the security Vulnerabilities found in latest version of code label Jan 31, 2024
@wagoodman wagoodman merged commit 8f3a798 into main Jan 31, 2024
10 checks passed
@wagoodman wagoodman deleted the upgrade-syft-v0.103.0 branch January 31, 2024 17:32
@wagoodman wagoodman mentioned this pull request Jan 31, 2024
Merged
@Porkepix Porkepix mentioned this pull request Jan 31, 2024
Merged
spiffcs added a commit to jneate/grype that referenced this pull request Feb 13, 2024
@spiffcs
Merge branch 'main' into ignore-java-test-deps
a1ece5a 
* main: (224 commits)
  fix: only warn missing CPEs if CPEs wanted (anchore#1710)
  fix: ensure version output to stdout (anchore#1709)
  chore(deps): update bootstrap tools to latest versions (anchore#1706)
  chore(deps): update Syft to v0.104.0 (anchore#1704)
  Bump Syft in Grype to pull in unmarshaling fix (anchore#1703)
  chore(deps): bump github.com/docker/docker (anchore#1702)
  chore(deps): bump gorm.io/gorm from 1.25.6 to 1.25.7 (anchore#1700)
  chore(deps): update bootstrap tools to latest versions (anchore#1698)
  chore(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 (anchore#1699)
  chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.0 to 0.5.2 (anchore#1697)
  chore(deps): bump peter-evans/create-pull-request from 5.0.2 to 6.0.0 (anchore#1687)
  chore(deps): bump anchore/sbom-action from 0.15.6 to 0.15.8 (anchore#1690)
  chore(deps): bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (anchore#1691)
  chore(deps): bump github.com/docker/docker (anchore#1692)
  chore(deps): bump github.com/opencontainers/runc from 1.1.5 to 1.1.12 (anchore#1689)
  Upgrade syft to v0.103.1 (anchore#1688)
  chore(deps): bump github.com/google/go-containerregistry (anchore#1685)
  chore(deps): bump anchore/sbom-action from 0.15.5 to 0.15.6 (anchore#1684)
  ensure releases only use released versions of syft (anchore#1680)
  chore(deps): bump gorm.io/gorm from 1.25.5 to 1.25.6 (anchore#1683)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzantow kzantow kzantow approved these changes

Assignees
No one assigned
Labels
security Vulnerabilities found in latest version of code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@wagoodman @kzantow