From 68daa42f86eab4330fb8a66d8bfe75d958e29746 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 08:11:03 -0400 Subject: [PATCH 1/3] --- (#2888) updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/codeql-analysis.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 658c3e3c937..5b16da69a23 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -45,7 +45,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+ uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+ uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@b7cec7526559c32f1616476ff32d17ba4c59b2d6 #v3.25.5
+ uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 #v3.25.6
From b41d5cced5390760b35a24e5144a43383180c5c2 Mon Sep 17 00:00:00 2001 
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Date: Thu, 23 May 2024 09:10:36 -0400 Subject: [PATCH 2/3] chore: update spdx license list to 3.24.0 (#2895) --------- Signed-off-by: Christopher Phillips --- internal/spdxlicense/license_list.go | 34 +++++++++++++++++-- .../common/spdxhelpers/to_format_model.go | 12 ++++++- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/internal/spdxlicense/license_list.go b/internal/spdxlicense/license_list.go index a07f5d904c5..18e2a88cacc 100644 --- a/internal/spdxlicense/license_list.go +++ b/internal/spdxlicense/license_list.go @@ -1,12 +1,15 @@ // Code generated by go generate; DO NOT EDIT. -// This file was generated by robots at 2024-02-09 10:57:33.980847 -0500 EST m=+0.165923154 +// This file was generated by robots at 2024-05-23 08:47:23.204981 -0400 EDT m=+0.050881068 // using data from https://spdx.org/licenses/licenses.json package spdxlicense -const Version = "3.23" +const Version = "3.24.0" var licenseIDs = map[string]string{ "0bsd": "0BSD", + "3.0.0dslicer1.0": "3D-Slicer-1.0", + "3.0dslicer1.0": "3D-Slicer-1.0", + "3dslicer1.0": "3D-Slicer-1.0", "aal": "AAL", "abstyles": "Abstyles", "adacoredoc": "AdaCore-doc", @@ -56,12 +59,14 @@ var licenseIDs = map[string]string{ "agpl3only": "AGPL-3.0-only", "agpl3orlater": "AGPL-3.0-or-later", "aladdin": "Aladdin", + "amdnewlib": "AMD-newlib", "amdplpa": "AMDPLPA", "aml": "AML", "amlglslang": "AML-glslang", "ampas": "AMPAS", "antlrpd": "ANTLR-PD", "antlrpdfallback": "ANTLR-PD-fallback", + "anyosi": "any-OSI", "apache1": "Apache-1.0", "apache1.0": "Apache-1.0", "apache1.0.0": "Apache-1.0", 
@@ -136,18 +141,21 @@ var licenseIDs = map[string]string{ "bsd1clause": "BSD-1-Clause", "bsd2.0.0clause": "BSD-2-Clause", "bsd2.0.0clausedarwin": "BSD-2-Clause-Darwin", + "bsd2.0.0clausefirstlines": "BSD-2-Clause-first-lines", "bsd2.0.0clausefreebsd": "BSD-2-Clause-Views", "bsd2.0.0clausenetbsd": "BSD-2-Clause", "bsd2.0.0clausepatent": "BSD-2-Clause-Patent", "bsd2.0.0clauseviews": "BSD-2-Clause-Views", "bsd2.0clause": "BSD-2-Clause", "bsd2.0clausedarwin": "BSD-2-Clause-Darwin", + "bsd2.0clausefirstlines": "BSD-2-Clause-first-lines", "bsd2.0clausefreebsd": "BSD-2-Clause-Views", "bsd2.0clausenetbsd": "BSD-2-Clause", "bsd2.0clausepatent": "BSD-2-Clause-Patent", "bsd2.0clauseviews": "BSD-2-Clause-Views", "bsd2clause": "BSD-2-Clause", "bsd2clausedarwin": "BSD-2-Clause-Darwin", + "bsd2clausefirstlines": "BSD-2-Clause-first-lines", "bsd2clausefreebsd": "BSD-2-Clause-Views", "bsd2clausenetbsd": "BSD-2-Clause", "bsd2clausepatent": "BSD-2-Clause-Patent", @@ -237,6 +245,7 @@ var licenseIDs = map[string]string{ "cal1combinedworkexception": "CAL-1.0-Combined-Work-Exception", "caldera": "Caldera", "calderanopreamble": "Caldera-no-preamble", + "catharon": "Catharon", "catosl1": "CATOSL-1.1", "catosl1.1": "CATOSL-1.1", "catosl1.1.0": "CATOSL-1.1", @@ -477,6 +486,7 @@ var licenseIDs = map[string]string{ "cuda1.0": "C-UDA-1.0", "cuda1.0.0": "C-UDA-1.0", "curl": "curl", + "cvetou": "cve-tou", "dec3.0.0clause": "DEC-3-Clause", "dec3.0clause": "DEC-3-Clause", "dec3clause": "DEC-3-Clause", @@ -701,6 +711,7 @@ var licenseIDs = map[string]string{ "gsoap1.3b": "gSOAP-1.3b", "gsoap1b": "gSOAP-1.3b", "gtkbook": "gtkbook", + "gutmann": "Gutmann", "haskellreport": "HaskellReport", "hdparm": "hdparm", "hippocratic2": "Hippocratic-2.1", 
@@ -716,19 +727,27 @@ var licenseIDs = map[string]string{ "hpnddec": "HPND-DEC", "hpnddoc": "HPND-doc", "hpnddocsell": "HPND-doc-sell", + "hpndexport2.0.0us": "HPND-export2-US", + "hpndexport2.0us": "HPND-export2-US", + "hpndexport2us": "HPND-export2-US", "hpndexportus": "HPND-export-US", + "hpndexportusacknowledgement": "HPND-export-US-acknowledgement", "hpndexportusmodify": "HPND-export-US-modify", "hpndfenneberglivingston": "HPND-Fenneberg-Livingston", "hpndinriaimag": "HPND-INRIA-IMAG", + "hpndintel": "HPND-Intel", "hpndkevlinhenney": "HPND-Kevlin-Henney", "hpndmarkuskuhn": "HPND-Markus-Kuhn", + "hpndmerchantabilityvariant": "HPND-merchantability-variant", "hpndmitdisclaimer": "HPND-MIT-disclaimer", "hpndpbmplus": "HPND-Pbmplus", "hpndsellmitdisclaimerxserver": "HPND-sell-MIT-disclaimer-xserver", "hpndsellregexpr": "HPND-sell-regexpr", "hpndsellvariant": "HPND-sell-variant", "hpndsellvariantmitdisclaimer": "HPND-sell-variant-MIT-disclaimer", + "hpndsellvariantmitdisclaimerrev": "HPND-sell-variant-MIT-disclaimer-rev", "hpnduc": "HPND-UC", + "hpnducexportus": "HPND-UC-export-US", "htmltidy": "HTMLTIDY", "ibmpibs": "IBM-pibs", "icu": "ICU", @@ -886,6 +905,7 @@ var licenseIDs = map[string]string{ "mitenna": "MIT-enna", "mitfeh": "MIT-feh", "mitfestival": "MIT-Festival", + "mitkhronosold": "MIT-Khronos-old", "mitmodernvariant": "MIT-Modern-Variant", "mitnfa": "MITNFA", "mitopengroup": "MIT-open-group", @@ -932,9 +952,11 @@ var licenseIDs = map[string]string{ "nbpl1": "NBPL-1.0", "nbpl1.0": "NBPL-1.0", "nbpl1.0.0": "NBPL-1.0", + "ncbipd": "NCBI-PD", "ncgluk2": "NCGL-UK-2.0", "ncgluk2.0": "NCGL-UK-2.0", "ncgluk2.0.0": "NCGL-UK-2.0", + "ncl": "NCL", "ncsa": "NCSA", "netcdf": "NetCDF", "netsnmp": "Net-SNMP", @@ -968,6 +990,7 @@ var licenseIDs = map[string]string{ "ntp": "NTP", "ntp0": "NTP-0", "nunit": "Nunit", + "oar": "OAR", "occtpl": "OCCT-PL", "oclc2": "OCLC-2.0", "oclc2.0": "OCLC-2.0", 
@@ -1098,6 +1121,7 @@ var licenseIDs = map[string]string{ "php3.01": "PHP-3.01", "php3.01.0": "PHP-3.01", "pixar": "Pixar", + "pkgconf": "pkgconf", "plexus": "Plexus", "pnmstitch": "pnmstitch", "polyformnoncommercial1": "PolyForm-Noncommercial-1.0.0", @@ -1107,6 +1131,7 @@ var licenseIDs = map[string]string{ "polyformsmallbusiness1.0": "PolyForm-Small-Business-1.0.0", "polyformsmallbusiness1.0.0": "PolyForm-Small-Business-1.0.0", "postgresql": "PostgreSQL", + "ppl": "PPL", "psf2": "PSF-2.0", "psf2.0": "PSF-2.0", "psf2.0.0": "PSF-2.0", @@ -1206,6 +1231,9 @@ var licenseIDs = map[string]string{ "sugarcrm1.1": "SugarCRM-1.1.3", "sugarcrm1.1.3": "SugarCRM-1.1.3", "sunppp": "Sun-PPP", + "sunppp2000": "Sun-PPP-2000", + "sunppp2000.0": "Sun-PPP-2000", + "sunppp2000.0.0": "Sun-PPP-2000", "sunpro": "SunPro", "swl": "SWL", "swrule": "swrule", @@ -1219,6 +1247,7 @@ var licenseIDs = map[string]string{ "tgppl1": "TGPPL-1.0", "tgppl1.0": "TGPPL-1.0", "tgppl1.0.0": "TGPPL-1.0", + "threeparttable": "threeparttable", "tmate": "TMate", "torque1": "TORQUE-1.1", "torque1.1": "TORQUE-1.1", @@ -1302,6 +1331,7 @@ var licenseIDs = map[string]string{ "xnet": "Xnet", "xpp": "xpp", "xskat": "XSkat", + "xzoom": "xzoom", "ypl1": "YPL-1.0", "ypl1.0": "YPL-1.0", "ypl1.0.0": "YPL-1.0",
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
index 5edc8e12f37..767ffdcbe62 100644
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@@ -124,7 +124,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 CreationInfo: &spdx.CreationInfo{
 // 6.7: License List Version
 // Cardinality: optional, one
- LicenseListVersion: spdxlicense.Version,
+ LicenseListVersion: trimPatchVersion(spdxlicense.Version),
 // 6.8: Creators: may have multiple keys for Person, Organization
 // and/or Tool 
@@ -791,3 +791,13 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVeri
 Value: fmt.Sprintf("%+x", hasher.Sum(nil)),
 }
 }
+
+// SPDX 2.2 spec requires that the patch version be removed from the semver string
+// for the license list version field
+func trimPatchVersion(semver string) string {
+ parts := strings.Split(semver, ".")
+ if len(parts) >= 3 {
+ return strings.Join(parts[:2], ".")
+ }
+ return semver
+}
From ea50c6153d46c6a89cc7ca6806dcc5866f5dedad Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 23 May 2024 09:26:12 -0400 Subject: [PATCH 3/3] --- (#2889) updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8b2e999f511..8cce1e022b3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -140,7 +140,7 @@ jobs:
 # for updating brew formula in anchore/homebrew-syft
 GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
- - uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 #v0.15.11
+ - uses: anchore/sbom-action@e8d2a6937ecead383dfe75190d104edd1f9c5751 #v0.16.0
 continue-on-error: true
 with:
 artifact-name: sbom.spdx.json
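Review bot: The doc comment on the new `trimPatchVersion` does not start with the function name, so `go doc` and the usual linters will not treat it as the function's documentation; suggested replacement: `// trimPatchVersion reduces a "major.minor.patch" license list version to "major.minor", the form the SPDX 2.2 LicenseListVersion field (6.7) expects; inputs with fewer than three dot-separated parts are returned unchanged.` The logic itself is fine for the generated `Version` constant ("3.24.0" becomes "3.24"), but the diffstat shows no test file, and a small table test over `"3.24.0"`, `"3.23"` and `""` would pin that behavior cheaply. The hunk also relies on `strings` already being imported in to_format_model.go, which is outside this hunk.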