
build(deps): bump sigs.k8s.io/bom from 0.5.2-0.20230519223618-1ebaa9ce375f to 0.6.0 #460

Open
wants to merge 1 commit into base: master from

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jan 17, 2024

Bumps sigs.k8s.io/bom from 0.5.2-0.20230519223618-1ebaa9ce375f to 0.6.0.

Release notes

Sourced from sigs.k8s.io/bom's releases.

v0.6.0

Changes by Kind

Feature

  • Add attestation in the release job (#271, @cpanato)
  • Added support for scanning images with RPM package managers (#342, @micahhausler)
  • Bom now ships with the SPDX license list version v3.21 embedded. (#307, @puerco)
  • Improved the query help output, most importantly there is now help for the purl matcher
    • New flag --purl to output purls instead of names
    • The name matching filter now supports full regexes and not just substring matching
    • New pluggable printer interface to output in more formats
    • bom document query now can output in JSON and CSV in addition to the usual line printer using --format
    • New --fields flag controls which fields of the sbom will be printed on the query output
    • Piped data on STDIN is now autodetected, you can now pipe an SBOM to bom document query and skip the filename (#291, @puerco)
  • OS Packages now can include an auto-generated download location. Initially supports Debian and Wolfi. (#270, @puerco)
  • The bom json parser now supports top-level elements specified with a DESCRIBES relationship to the document. documentDescribes is, of course, still supported
    • License printing in query results has better NOASSERTION detection when choosing which license to print. (#304, @puerco)
  • Update license-data to v3.22 (#357, @cpanato)
  • bom now supports scanning OS packages from images based on distroless.
    • Fixed a bug where bom would drop the last package read from the debian database
    • Fixed an encoding bug in oci-typed purls where the version had an unescaped colon. (#345, @puerco)
  • bom will now autodetect when STDIN is open to outline an SBOM to avoid specifying it with a dash (#260, @puerco)

Bug or Regression

  • Bom will now read the SBOM until it detects the SBOM encoding data, enabling it to parse SBOMs with the document data defined at the end of the file.
    • When trying to ingest a CycloneDX document, bom will now print a more useful warning (#259, @puerco)
  • Fixed a race condition where concurrent file scanning processes could clash and cause a segfault (thanks to @howardjohn for reporting) (#312, @puerco)
  • JSON-encoded files now include supplier and originator data. (#269, @puerco)

Other (Cleanup or Flake)

  • Go.mod: Update github.com/uwu-tools/magex to v0.10.0 (#275, @cpanato)
  • SPDX packages representing container images are now named using their full reference and digest: registry.com/repository/image@sha256:digest (#289, @puerco)

Dependencies

Added

  • dario.cat/mergo: v1.0.0
  • github.com/MakeNowJust/heredoc/v2: v2.0.1
  • github.com/cyphar/filepath-securejoin: v0.2.4
  • github.com/dustin/go-humanize: v1.0.1
  • github.com/elazarl/goproxy: 2592e75
  • github.com/glebarez/go-sqlite: v1.22.0
  • github.com/go-jose/go-jose/v3: v3.0.0
  • github.com/golang/groupcache: 41bb18b
  • github.com/google/pprof: e6195bd
  • github.com/hashicorp/errwrap: v1.0.0
  • github.com/hashicorp/go-multierror: v1.1.1

... (truncated)

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.


dependabot bot commented on behalf of github Jan 17, 2024

The following labels could not be found: area/dependency, release-note-none, ok-to-test.

@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/bom-0.6.0 branch from e62e666 to df497f3 on January 18, 2024 08:21
Bumps [sigs.k8s.io/bom](https://github.com/kubernetes-sigs/bom) from 0.5.2-0.20230519223618-1ebaa9ce375f to 0.6.0.
- [Release notes](https://github.com/kubernetes-sigs/bom/releases)
- [Changelog](https://github.com/kubernetes-sigs/bom/blob/main/.goreleaser.yml)
- [Commits](https://github.com/kubernetes-sigs/bom/commits/v0.6.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/bom
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/sigs.k8s.io/bom-0.6.0 branch from df497f3 to 4905367 on January 30, 2024 07:41