Skip to content

Upgrade: Bump anchore/sbom-action from 0.17.2 to 0.17.5#200

Merged
santoshkal merged 1 commit intopre-mainfrom
dependabot/github_actions/pre-main/anchore/sbom-action-0.17.5
Oct 29, 2024
Merged

Upgrade: Bump anchore/sbom-action from 0.17.2 to 0.17.5#200
santoshkal merged 1 commit intopre-mainfrom
dependabot/github_actions/pre-main/anchore/sbom-action-0.17.5

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Oct 28, 2024

Bumps anchore/sbom-action from 0.17.2 to 0.17.5.

Release notes

Sourced from anchore/sbom-action's releases.

v0.17.5

Changes in v0.17.5

v0.17.4

Changes in v0.17.4

v0.17.3

Changes in v0.17.3

Commits
  • 1ca97d9 chore(deps): update Syft to v1.14.2 (#503)
  • 8d0a650 chore(deps): update Syft to v1.14.1 (#502)
  • f5e124a chore(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5 (#493)
  • eff08d0 chore: configure changelog-ignore label (#499)
  • 18f9bde chore: remove snapshot tests; fix deprecation errors for outdated packages (#...
  • 2e87236 add release docs (#500)
  • 4a914bc chore(deps): bump actions/checkout from 4.2.0 to 4.2.1 (#497)
  • 8cb9966 chore(deps): update Syft to v1.14.0 (#498)
  • beb779b Update README to include bit about permissions near the top (#496)
  • 87b3137 chore(deps): update Syft to v1.13.0 (#488)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Upgrade: Bump anchore/sbom-action from 0.17.2 to 0.17.5
eaf286c 
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.17.2 to 0.17.5.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@61119d4...1ca97d9)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 28, 2024
@dryrunsecurity
Copy link
Copy Markdown

dryrunsecurity Bot commented Oct 28, 2024

DryRun Security Summary

The provided GitHub Pull Request updates the version of the anchore/sbom-action/download-syft action used in the project's release workflow, which is a routine dependency update that should be reviewed to ensure it does not introduce any new security risks.

Expand for full summary

Summary:

The code change in the provided GitHub Pull Request appears to be related to the release workflow of the project. The main change is an update to the version of the anchore/sbom-action/download-syft action used in the release workflow. From an application security perspective, this change does not seem to have any immediate security implications, as it is likely a routine update to a dependency. However, it is important to review the changes carefully and ensure that the updated dependencies do not introduce any new security risks. Additionally, keeping all dependencies up-to-date is a good practice to address any known security vulnerabilities.

Files Changed:

  • .github/workflows/release.yaml: This file contains the release workflow for the project. The changes in this Pull Request update the version of the anchore/sbom-action/download-syft action used in the workflow, from 61119d458adab75f756bc0b9e4bde25725f86a7a to 1ca97d9028b51809cf6d3c934c3e160716e1b605. This update is likely a routine dependency update and does not appear to have any significant security concerns, but it should be reviewed to ensure that it does not introduce any new security risks.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@santoshkal santoshkal merged commit c07ed02 into pre-main Oct 29, 2024
@santoshkal santoshkal deleted the dependabot/github_actions/pre-main/anchore/sbom-action-0.17.5 branch October 29, 2024 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@santoshkal