build(deps): bump github.com/anchore/syft from 0.105.0 to 1.7.0 #108

dependabot · 2024-06-18T02:56:41Z

Bumps github.com/anchore/syft from 0.105.0 to 1.7.0.

Release notes

Sourced from github.com/anchore/syft's releases.

v1.7.0

Added Features

index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]

Consider Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]

Bug Fixes

improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]

Trim whitespace from wordpress values [#2945 @wagoodman]

Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]

Poetry's multiple constraints seems to break the parser [#2947 #2965 @spiffcs]

Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]

(Full Changelog)

v1.6.0

Added Features

Add relationships for go binary packages [#2912 @wagoodman]

Add classifier for util-linux [#2933 @LaurentGoderre]

Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]

add license field to ELF binary package metadata [#2890 @brian-ebarb]

install.sh: check checksums file's signature [#2884 #2941 @wagoodman]

Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]

Bug Fixes

Use redhat as namespace for redhat rpms [#2914 @ralphbean]

Close sqlite driver after testing sqlite availability [#2922 @ttc0419]

syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]

Scanning a git repository folder present in /tmp produce an empty sbom [#2847 #2918 @willmurphyscode]

Additional Changes

update unit tests to use pinned patch version [#2932 @spiffcs]

fix comments and spelling [#2920 @dufucun]

(Full Changelog)

v1.5.0

Added Features

Add abstraction for adding relationships from package cataloger results [#2853 @wagoodman]

Capture dependencies when parsing SPDX SBOMs [#2869 @russellhaering]

Add python wheel egg relationships [#2903 @wagoodman]

Added functionality to convert major, minor, patch to version [#2864 @LaurentGoderre]

Add support for RPM DB package relationships [#2872 @wagoodman]

Detect fluent-bit binaries [#2904 #2905 @kzantow]

Add syft config command [#2598 #2892 @kzantow]

... (truncated)

Commits

22d5731 fix: fix parsing for complex toml types (#2965)
af3aaa0 fix: make caching options more explicit (#2966)
70098e2 chore(deps): update tools to latest versions (#2961)
784b17f chore(deps): bump github/codeql-action from 3.25.9 to 3.25.10 (#2964)
d5cd5f6 feat: index known CPEs for wordpress plugins and themes (#2963)
749ccc5 fix(golang): improve version extraction from ldflags for pingcap TiDB (#2962)
273e31e chore(deps): bump actions/checkout from 4.1.6 to 4.1.7 (#2955)
9beaec2 chore(deps): bump github/codeql-action from 3.25.8 to 3.25.9 (#2956)
ca0cc52 fix: separate golang license caches from mod dir (#2852)
dd723bb chore(deps): bump github.com/vbatts/go-mtree from 0.5.3 to 0.5.4 (#2952)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 0.105.0 to 1.7.0. - [Release notes](https://github.com/anchore/syft/releases) - [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml) - [Commits](anchore/syft@v0.105.0...v1.7.0) --- updated-dependencies: - dependency-name: github.com/anchore/syft dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot requested a review from cdupuis as a code owner June 18, 2024 02:56

dependabot bot added bot dependencies labels Jun 18, 2024

dependabot bot mentioned this pull request Jun 18, 2024

build(deps): bump github.com/anchore/syft from 0.105.0 to 1.6.0 #106

Closed

dependabot bot requested a review from jedevc June 18, 2024 02:56

thompson-shaun assigned crazy-max Jun 20, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump github.com/anchore/syft from 0.105.0 to 1.7.0 #108

build(deps): bump github.com/anchore/syft from 0.105.0 to 1.7.0 #108

dependabot bot commented on behalf of github Jun 18, 2024

build(deps): bump github.com/anchore/syft from 0.105.0 to 1.7.0 #108

Are you sure you want to change the base?

build(deps): bump github.com/anchore/syft from 0.105.0 to 1.7.0 #108

Conversation

dependabot bot commented on behalf of github Jun 18, 2024

v1.7.0

Added Features

Bug Fixes

v1.6.0

Added Features

Bug Fixes

Additional Changes

v1.5.0

Added Features