From d435ce6b82d01c56fc7c4ba8f6906507e5622ae3 Mon Sep 17 00:00:00 2001
From: "mend-for-github-com[bot]"
<50673670+mend-for-github-com[bot]@users.noreply.github.com>
Date: Fri, 22 Dec 2023 04:20:12 +0000
Subject: [PATCH] =?UTF-8?q?chore(deps):=20update=20=E2=AC=86=EF=B8=8F=20aq?=
=?UTF-8?q?ua-packages=20(#60)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| [DelineaXPM/dsv-cli](https://togithub.com/DelineaXPM/dsv-cli) | patch | `v1.40.2` -> `v1.40.5` |
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.73.0` -> `v0.99.0` |
| [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry) | minor | `v3.149.0` -> `v3.162.0` |
| [charmbracelet/glow](https://togithub.com/charmbracelet/glow) | patch | `v1.5.0` -> `v1.5.1` |
| [direnv/direnv](https://togithub.com/direnv/direnv) | minor | `v2.32.2` -> `v2.33.0` |
| [golang/go](https://togithub.com/golang/go) | minor | `1.20.1` -> `1.21.5` |
| [golang/tools](https://togithub.com/golang/tools) | minor | `v0.6.0` -> `v0.16.1` |
| [goreleaser/goreleaser](https://togithub.com/goreleaser/goreleaser) | minor | `v1.15.2` -> `v1.22.1` |
| [gotestyourself/gotestsum](https://togithub.com/gotestyourself/gotestsum) | minor | `v1.9.0` -> `v1.11.0` |
| [hashicorp/terraform](https://togithub.com/hashicorp/terraform) | minor | `v1.4.2` -> `v1.6.6` |
| [magefile/mage](https://togithub.com/magefile/mage) | minor | `v1.14.0` -> `v1.15.0` |
| [miniscruff/changie](https://togithub.com/miniscruff/changie) | minor | `v1.12.0` -> `v1.17.0` |
| [mvdan/gofumpt](https://togithub.com/mvdan/gofumpt) | minor | `v0.4.0` -> `v0.5.0` |
| [thycotic/dsv-cli](https://togithub.com/thycotic/dsv-cli) | patch | `v1.40.1` -> `v1.40.5` |
---
### Release Notes
DelineaXPM/dsv-cli (DelineaXPM/dsv-cli)
### [`v1.40.5`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1405---2023-05-12)
[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.4...v1.40.5)
##### 🐛 Bug Fix
- Windows cli version update check was looking for a binary with
`windows` in the name, while the actual artifact is `win`.
### [`v1.40.4`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1404---2023-04-25)
[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.3...v1.40.4)
##### 🎉 Feature
- `dsv pool list`: new `--limit`, `-l`, `--cursor` flags. See `dsv pool
list --help` for more details.
##### Related
- fixes [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586)
- related [AB#495586](https://togithub.com/AB/dsv-cli/issues/495586)
##### Contributors
- [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi)
### [`v1.40.3`](https://togithub.com/DelineaXPM/dsv-cli/blob/HEAD/CHANGELOG.md#v1403---2023-04-04)
[Compare Source](https://togithub.com/DelineaXPM/dsv-cli/compare/v1.40.2...v1.40.3)
##### 🐛 Bug Fix
- Fix the format of links to pre-built binaries.
##### Contributors
- [andrii-zakurenyi](https://togithub.com/andrii-zakurenyi)
anchore/syft (anchore/syft)
### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)
##### Added Features
- Look for a maven version in a pom from a parent dependency management…
\[[#2423](https://togithub.com/anchore/syft/pull/2423)
[@coheigea](https://togithub.com/coheigea)]
- Adding the ability to retrieve remote licenses for yarn.lock
\[[#2338](https://togithub.com/anchore/syft/pull/2338)
[@coheigea](https://togithub.com/coheigea)]
- Retrieve remote licenses using pom.properties when there is no pom.xml
\[[#2315](https://togithub.com/anchore/syft/pull/2315)
[@coheigea](https://togithub.com/coheigea)]
- Add the option to retrieve remote licenses for projects defined in a …
\[[#2409](https://togithub.com/anchore/syft/pull/2409)
[@coheigea](https://togithub.com/coheigea)]
- Parse Python licenses from LicenseFile entry in the Wheel Metadata
\[[#2331](https://togithub.com/anchore/syft/pull/2331)
[@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for the ERLang interpreter
\[[#2417](https://togithub.com/anchore/syft/pull/2417)
[@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Parse Python licenses from LicenseExpression entry in the Wheel
Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431)
[@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for Julia lang
\[[#2427](https://togithub.com/anchore/syft/pull/2427)
[@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary detection for PHP composer
\[[#2432](https://togithub.com/anchore/syft/pull/2432)
[@LaurentGoderre](https://togithub.com/LaurentGoderre)]
##### Bug Fixes
- bump fangs for ptr summarize fix
\[[#2387](https://togithub.com/anchore/syft/pull/2387)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- improve identification for org.codehaus.groovy artifacts
\[[#2404](https://togithub.com/anchore/syft/pull/2404)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for commons-jelly artifacts
\[[#2399](https://togithub.com/anchore/syft/pull/2399)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.minio artifacts
\[[#2398](https://togithub.com/anchore/syft/pull/2398)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for com.graphql-java artifacts
\[[#2397](https://togithub.com/anchore/syft/pull/2397)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tapestry artifacts
\[[#2384](https://togithub.com/anchore/syft/pull/2384)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.ratpack artifacts
\[[#2379](https://togithub.com/anchore/syft/pull/2379)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.cassandra artifacts
\[[#2386](https://togithub.com/anchore/syft/pull/2386)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.neo4j.procedure artifacts
\[[#2388](https://togithub.com/anchore/syft/pull/2388)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.elasticsearch artifacts
\[[#2383](https://togithub.com/anchore/syft/pull/2383)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.geode artifacts
\[[#2382](https://togithub.com/anchore/syft/pull/2382)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tomcat artifacts
\[[#2381](https://togithub.com/anchore/syft/pull/2381)
[@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.projectreactor.netty artifacts
\[[#2378](https://togithub.com/anchore/syft/pull/2378)
[@westonsteimel](https://togithub.com/westonsteimel)]
- stop panic when parsing Haskell stack.yaml.lock with missing `hackage`
field \[[#2421](https://togithub.com/anchore/syft/issues/2421)
[#2419](https://togithub.com/anchore/syft/pull/2419)
[@houdini91](https://togithub.com/houdini91)]
- fix detecting the name of the eclipse OSGi artifact
\[[#2314](https://togithub.com/anchore/syft/issues/2314)
[#2349](https://togithub.com/anchore/syft/pull/2349)
[@westonsteimel](https://togithub.com/westonsteimel)]
- File Sources incorrectly exclude files on Windows
\[[#2410](https://togithub.com/anchore/syft/issues/2410)
[#2411](https://togithub.com/anchore/syft/pull/2411)
[@Racer159](https://togithub.com/Racer159)]
- Parser for dotnet_portable_executable using wrong attribute name
\[[#2029](https://togithub.com/anchore/syft/issues/2029)
[#2133](https://togithub.com/anchore/syft/pull/2133)
[@kzantow](https://togithub.com/kzantow)]
##### Breaking Changes
- Generalize UI events for cataloging tasks
\[[#2369](https://togithub.com/anchore/syft/pull/2369)
[@wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- refactor pkg.Collection to remove "catalog" references
\[[#2439](https://togithub.com/anchore/syft/pull/2439)
[@wagoodman](https://togithub.com/wagoodman)]
- Expose javascript fields in cataloger configuration
\[[#2438](https://togithub.com/anchore/syft/pull/2438)
[@wagoodman](https://togithub.com/wagoodman)]
- Use common archive catalog configuration
\[[#2437](https://togithub.com/anchore/syft/pull/2437)
[@wagoodman](https://togithub.com/wagoodman)]
- Fix file digest cataloger when passed explicit coordinates
\[[#2436](https://togithub.com/anchore/syft/pull/2436)
[@wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)**
### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)
##### Added Features
- Add binary classifiers for MySQL and MariaDB
\[[#2316](https://togithub.com/anchore/syft/pull/2316)
[@duanemay](https://togithub.com/duanemay)]
- Enhance redis binary classifier to support additional versions
\[[#2329](https://togithub.com/anchore/syft/pull/2329)
[@whalelines](https://togithub.com/whalelines)]
- Expose compact JSON and XML format configuration
\[[#561](https://togithub.com/anchore/syft/issues/561)
[#2275](https://togithub.com/anchore/syft/pull/2275)
[@wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Fix file metadata cataloger when passed explicit coordinates
\[[#2370](https://togithub.com/anchore/syft/pull/2370)
[@wagoodman](https://togithub.com/wagoodman)]
- hardcode xalan group ID
\[[#2368](https://togithub.com/anchore/syft/pull/2368)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- logging level for parsing potential PE files
\[[#2367](https://togithub.com/anchore/syft/pull/2367)
[@kzantow](https://togithub.com/kzantow)]
- Use read lock in `pkg.Collection`
\[[#2341](https://togithub.com/anchore/syft/pull/2341)
[@wagoodman](https://togithub.com/wagoodman)]
- add manual namespace mapping for org.springframework jars
\[[#2345](https://togithub.com/anchore/syft/pull/2345)
[@westonsteimel](https://togithub.com/westonsteimel)]
- add manual namespace mapping for org.springframework.security jars
\[[#2343](https://togithub.com/anchore/syft/pull/2343)
[@westonsteimel](https://togithub.com/westonsteimel)]
- errors are printed into the stdout in syft 0.97.1
\[[#2356](https://togithub.com/anchore/syft/issues/2356)
[#2364](https://togithub.com/anchore/syft/pull/2364)
[@kzantow](https://togithub.com/kzantow)]
- `syft some-jar.jar` fails to find packages if PWD is a symlink
\[[#2355](https://togithub.com/anchore/syft/issues/2355)
[#2359](https://togithub.com/anchore/syft/pull/2359)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- Default for recently added base path, `""`, disables detection of
symlinked `*.jar` files
\[[#1962](https://togithub.com/anchore/syft/issues/1962)
[#2359](https://togithub.com/anchore/syft/pull/2359)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- `syft attest` broken since 0.85.0
\[[#2333](https://togithub.com/anchore/syft/issues/2333)
[#2337](https://togithub.com/anchore/syft/pull/2337)
[@wagoodman](https://togithub.com/wagoodman)]
- Incorrect Java PURL for org.bouncycastle jars
\[[#2339](https://togithub.com/anchore/syft/issues/2339)
[#2342](https://togithub.com/anchore/syft/pull/2342)
[@westonsteimel](https://togithub.com/westonsteimel)]
##### Breaking Changes
- Remove power-user command and related catalogers
\[[#1419](https://togithub.com/anchore/syft/issues/1419)
[#2306](https://togithub.com/anchore/syft/pull/2306)
[@wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Normalize cataloger configuration patterns
\[[#2365](https://togithub.com/anchore/syft/pull/2365)
[@wagoodman](https://togithub.com/wagoodman)]
- Normalize enums to lowercase with hyphens
\[[#2363](https://togithub.com/anchore/syft/pull/2363)
[@wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)**
##### Special Thanks
Thanks [@duanemay](https://togithub.com/duanemay) and
[@whalelines](https://togithub.com/whalelines) for the enhanced
binary classifier support 👍
### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)
##### Bug Fixes
- Syft does not use HTTP proxy when downloading the Docker image itself
\[[#2203](https://togithub.com/anchore/syft/issues/2203)
[#2336](https://togithub.com/anchore/syft/pull/2336)
[@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
##### Additional Changes
- `syft version` report is broken with 0.97.0 release
\[[#2334](https://togithub.com/anchore/syft/issues/2334)
[#2335](https://togithub.com/anchore/syft/pull/2335)
[@spiffcs](https://togithub.com/spiffcs)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)**
### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)
##### Added Features
- Add license for golang stdlib package
\[[#2317](https://togithub.com/anchore/syft/pull/2317)
[@coheigea](https://togithub.com/coheigea)]
- Fall back to searching maven central using groupIDFromJavaMetadata
\[[#2295](https://togithub.com/anchore/syft/pull/2295)
[@coheigea](https://togithub.com/coheigea)]
##### Bug Fixes
- Refine license search from groupIDFromJavaMetadata to account for
artifactId in the groupId
\[[#2313](https://togithub.com/anchore/syft/pull/2313)
[@coheigea](https://togithub.com/coheigea)]
- capture content written to stdout outside of report
\[[#2324](https://togithub.com/anchore/syft/pull/2324)
[@kzantow](https://togithub.com/kzantow)]
- add manual groupid mappings for org.apache.velocity jars
\[[#2327](https://togithub.com/anchore/syft/pull/2327)
[@westonsteimel](https://togithub.com/westonsteimel)]
- skip maven bundle plugin logic if vendor id and symbolic name match
\[[#2326](https://togithub.com/anchore/syft/pull/2326)
[@westonsteimel](https://togithub.com/westonsteimel)]
- cataloger `dpkg-db-cataloger` not working
\[[#2323](https://togithub.com/anchore/syft/issues/2323)]
##### Breaking Changes
- Rename Location virtualPath to accessPath
\[[#1835](https://togithub.com/anchore/syft/issues/1835)
[#2288](https://togithub.com/anchore/syft/pull/2288)
[@wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Export syft-json format package metadata type helper
\[[#2328](https://togithub.com/anchore/syft/pull/2328)
[@wagoodman](https://togithub.com/wagoodman)]
- Add dotnet-portable-executable-cataloger to README
\[[#2322](https://togithub.com/anchore/syft/pull/2322)
[@noqcks](https://togithub.com/noqcks)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)**
### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)
##### Added Features
- Check maven central as well for licenses in parents poms for nested
jars \[[#2302](https://togithub.com/anchore/syft/pull/2302)
[@coheigea](https://togithub.com/coheigea)]
- store image annotations inside the SBOM
\[[#2267](https://togithub.com/anchore/syft/issues/2267)
[#2294](https://togithub.com/anchore/syft/pull/2294)
[@noqcks](https://togithub.com/noqcks)]
- Support parsing license information in Maven projects via parent poms
\[[#2103](https://togithub.com/anchore/syft/issues/2103)]
##### Bug Fixes
- SPDX file has duplicate sha256 tag in versionInfo
\[[#2300](https://togithub.com/anchore/syft/pull/2300)
[@coheigea](https://togithub.com/coheigea)]
- Report virtual path consistently between file.Resolvers
\[[#1836](https://togithub.com/anchore/syft/issues/1836)
[#2287](https://togithub.com/anchore/syft/pull/2287)
[@wagoodman](https://togithub.com/wagoodman)]
- Unable to identify CycloneDX JSON documents without $schema property
\[[#2299](https://togithub.com/anchore/syft/issues/2299)
[#2303](https://togithub.com/anchore/syft/pull/2303)
[@kzantow](https://togithub.com/kzantow)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)**
### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)
##### Added Features
- Use case-insensitive matching for Go license files
\[[#2286](https://togithub.com/anchore/syft/pull/2286)
[@miquella](https://togithub.com/miquella)]
- Add conaninfo.txt parser to detect conan packages in docker images
\[[#2234](https://togithub.com/anchore/syft/pull/2234)
[@Pro](https://togithub.com/Pro)]
- Perform case insensitive matching on Java License files
\[[#2235](https://togithub.com/anchore/syft/pull/2235)
[@coheigea](https://togithub.com/coheigea)]
- Read a license from a parent pom stored in Maven Central
\[[#2228](https://togithub.com/anchore/syft/pull/2228)
[@coheigea](https://togithub.com/coheigea)]
- Add PURLs when scanning Gradle lock files
\[[#2278](https://togithub.com/anchore/syft/pull/2278)
[@robbiev](https://togithub.com/robbiev)]
##### Bug Fixes
- Fix CPE index workflow
\[[#2252](https://togithub.com/anchore/syft/pull/2252)
[@wagoodman](https://togithub.com/wagoodman)]
- Fix cpe generation task
\[[#2270](https://togithub.com/anchore/syft/pull/2270)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- Introduce cataloger naming conventions
\[[#1578](https://togithub.com/anchore/syft/issues/1578)
[#2277](https://togithub.com/anchore/syft/pull/2277)
[@wagoodman](https://togithub.com/wagoodman)]
- .NET / nuget - invalid SBOM generated after parsing
\[[#2255](https://togithub.com/anchore/syft/issues/2255)
[#2273](https://togithub.com/anchore/syft/pull/2273)
[@spiffcs](https://togithub.com/spiffcs)]
- Wrong parsing after v0.85.0 syft for some components
\[[#2241](https://togithub.com/anchore/syft/issues/2241)
[#2273](https://togithub.com/anchore/syft/pull/2273)
[@spiffcs](https://togithub.com/spiffcs)]
- SPDX-2.3 is misidentified as SPDX-2.2
\[[#2112](https://togithub.com/anchore/syft/issues/2112)
[#2186](https://togithub.com/anchore/syft/pull/2186)
[@wagoodman](https://togithub.com/wagoodman)]
- Jar parser chokes on empty lines
\[[#2179](https://togithub.com/anchore/syft/issues/2179)
[#2254](https://togithub.com/anchore/syft/pull/2254)
[@spiffcs](https://togithub.com/spiffcs)]
- Add a new Java configuration option to recursively search parent poms…
\[[#2274](https://togithub.com/anchore/syft/pull/2274)
[@coheigea](https://togithub.com/coheigea)]
- Fix directory resolver to always return virtual path
\[[#2259](https://togithub.com/anchore/syft/pull/2259)
[@wagoodman](https://togithub.com/wagoodman)]
- Syft can now handle the case of parsing a jar with multiple poms
\[[#2231](https://togithub.com/anchore/syft/pull/2231)
[@coheigea](https://togithub.com/coheigea)]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers
\[[#1971](https://togithub.com/anchore/syft/pull/1971)
[@evanchaoli](https://togithub.com/evanchaoli)]
##### Breaking Changes
- Introduce cataloger naming conventions
\[[#1578](https://togithub.com/anchore/syft/issues/1578)
[#2277](https://togithub.com/anchore/syft/pull/2277)
[@wagoodman](https://togithub.com/wagoodman)]
- Remove MetadataType from the core package struct
\[[#1735](https://togithub.com/anchore/syft/issues/1735)
[#1983](https://togithub.com/anchore/syft/pull/1983)
[@wagoodman](https://togithub.com/wagoodman)]
- Add convention for JSON metadata type names and port existing values
to the new convention
\[[#1844](https://togithub.com/anchore/syft/issues/1844)
[#1983](https://togithub.com/anchore/syft/pull/1983)
[@wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated syft.Format functions
\[[#1344](https://togithub.com/anchore/syft/issues/1344)
[#2186](https://togithub.com/anchore/syft/pull/2186)
[@wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- Upgrade tool management
\[[#2188](https://togithub.com/anchore/syft/pull/2188)
[@wagoodman](https://togithub.com/wagoodman)]
- Fix homebrew post-release workflow
\[[#2242](https://togithub.com/anchore/syft/pull/2242)
[@wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)**
### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)
##### Added Features
- Add additional license filenames
\[[#2227](https://togithub.com/anchore/syft/pull/2227)
[@coheigea](https://togithub.com/coheigea)]
- Parse dotnet dependency trees
\[[#2143](https://togithub.com/anchore/syft/pull/2143)
[@noqcks](https://togithub.com/noqcks)]
- Find license by embedded license text
\[[#2147](https://togithub.com/anchore/syft/issues/2147)
[#2213](https://togithub.com/anchore/syft/pull/2213)
[@coheigea](https://togithub.com/coheigea)]
- Add support for dpkg dependency relationships
\[[#2040](https://togithub.com/anchore/syft/issues/2040)
[#2212](https://togithub.com/anchore/syft/pull/2212)
[@wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Report errors to stderr not stdout
\[[#2232](https://togithub.com/anchore/syft/pull/2232)
[@wagoodman](https://togithub.com/wagoodman)]
- Python egg packages are not parsed for SBOM
\[[#1761](https://togithub.com/anchore/syft/issues/1761)
[#2239](https://togithub.com/anchore/syft/pull/2239)
[@spiffcs](https://togithub.com/spiffcs)]
- Java archive is listed twice
\[[#2130](https://togithub.com/anchore/syft/issues/2130)
[#2220](https://togithub.com/anchore/syft/pull/2220)
[@wagoodman](https://togithub.com/wagoodman)]
- Java archives not from Maven
\[[#2217](https://togithub.com/anchore/syft/issues/2217)
[#2220](https://togithub.com/anchore/syft/pull/2220)
[@wagoodman](https://togithub.com/wagoodman)]
- Remove internal.StringSet
\[[#2209](https://togithub.com/anchore/syft/issues/2209)
[#2219](https://togithub.com/anchore/syft/pull/2219)
[@wagoodman](https://togithub.com/wagoodman)]
- Invalid interface conversion in Swift cataloger
\[[#2225](https://togithub.com/anchore/syft/issues/2225)
[#2226](https://togithub.com/anchore/syft/pull/2226)
[@wagoodman](https://togithub.com/wagoodman)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)**
### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)
##### Added Features
- Parse license from the pom.xml if not contained in the manifest
\[[#2115](https://togithub.com/anchore/syft/pull/2115)
[@coheigea](https://togithub.com/coheigea)]
- Add Golang STD library package given a Golang binary has been
discovered compiled with that go binary
\[[#1853](https://togithub.com/anchore/syft/issues/1853)
[#2195](https://togithub.com/anchore/syft/pull/2195)
[@spiffcs](https://togithub.com/spiffcs)]
- Improve --output CLI help and deprecate --file
\[[#2165](https://togithub.com/anchore/syft/issues/2165)
[#2187](https://togithub.com/anchore/syft/pull/2187)
[@sharief007](https://togithub.com/sharief007)]
##### Bug Fixes
- Converting a SBOM loses the algorithm type for added checksums
\[[#2183](https://togithub.com/anchore/syft/issues/2183)
[#2207](https://togithub.com/anchore/syft/pull/2207)
[@sharief007](https://togithub.com/sharief007)]
##### Additional Changes
- Refine the docs for building a cataloger
\[[#2175](https://togithub.com/anchore/syft/pull/2175)
[@wagoodman](https://togithub.com/wagoodman)]
- update license list to 3.22
\[[#2201](https://togithub.com/anchore/syft/pull/2201)
[@spiffcs](https://togithub.com/spiffcs)]
- Add exact syntax of the conversion formats
\[[#2196](https://togithub.com/anchore/syft/pull/2196)
[@vargenau](https://togithub.com/vargenau)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)**
### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)
##### Added Features
- Support for multiple image refs of same sha in OCI layout
\[[#1544](https://togithub.com/anchore/syft/issues/1544)]
##### Bug Fixes
- Generated purls are different between runs of syft against the same
image and artifact
\[[#2169](https://togithub.com/anchore/syft/issues/2169)
[#2170](https://togithub.com/anchore/syft/pull/2170)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
##### Additional Changes
- bump stereoscope to fix data race in UI code
\[[#2173](https://togithub.com/anchore/syft/pull/2173)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)**
### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)
##### Added Features
- Add support for CycloneDX 1.5
\[[#2120](https://togithub.com/anchore/syft/issues/2120)
[#2123](https://togithub.com/anchore/syft/pull/2123)
[@spiffcs](https://togithub.com/spiffcs)]
- Add support for containerd as an image source
\[[#201](https://togithub.com/anchore/syft/issues/201)
[#1793](https://togithub.com/anchore/syft/pull/1793)
[@shanedell](https://togithub.com/shanedell)]
- Support cataloging github workflow & github action usages
\[[#1896](https://togithub.com/anchore/syft/issues/1896)
[#2140](https://togithub.com/anchore/syft/pull/2140)
[@wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Allow CycloneDX json input with no components
\[[#2127](https://togithub.com/anchore/syft/pull/2127)
[@ahoz](https://togithub.com/ahoz)]
- Prevent errors from clobbering terminal
\[[#2161](https://togithub.com/anchore/syft/pull/2161)
[@kzantow](https://togithub.com/kzantow)]
- Using syft as a go library to decode a syft json has incomplete data
\[[#2069](https://togithub.com/anchore/syft/issues/2069)
[#2083](https://togithub.com/anchore/syft/pull/2083)
[@kzantow](https://togithub.com/kzantow)]
- SBOMs are not the same on multiple runs of syft
\[[#1944](https://togithub.com/anchore/syft/issues/1944)]
##### Additional Changes
- Switch to stdlib's slices pkg
\[[#2148](https://togithub.com/anchore/syft/pull/2148)
[@hainenber](https://togithub.com/hainenber)]
- Remove unneeded arch switch in unit test
\[[#2156](https://togithub.com/anchore/syft/pull/2156)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
- Update chronicle to v0.8.0
\[[#2154](https://togithub.com/anchore/syft/pull/2154)
[@wagoodman](https://togithub.com/wagoodman)]
- Update to latest stereoscope
\[[#2151](https://togithub.com/anchore/syft/pull/2151)
[@spiffcs](https://togithub.com/spiffcs)]
- Pin workflow checkout for cpe update-cpe-dictionary-index
\[[#2141](https://togithub.com/anchore/syft/pull/2141)
[@spiffcs](https://togithub.com/spiffcs)]
- Add dependency information to conan lockfile parser
\[[#2131](https://togithub.com/anchore/syft/pull/2131)
[@Pro](https://togithub.com/Pro)]
- Pin and update all workflow dependencies; add permission scopes
\[[#2138](https://togithub.com/anchore/syft/pull/2138)
[@spiffcs](https://togithub.com/spiffcs)]
- Enforce race detector
\[[#2122](https://togithub.com/anchore/syft/pull/2122)
[@willmurphyscode](https://togithub.com/willmurphyscode)]
**[(Full
Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)**
### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)
###
#### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11)
[Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0)
##### Added Features
- Expose cobra command in cli package \[[PR
#2097](https://togithub.com/anchore/syft/pull/2097)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Explicitly test PURL generation against key packages \[[Issue
#2071](https://togithub.com/anchore/syft/issues/2071)]
- Add User-Agent with Syft version during update check \[[Issue
#2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR
#2100](https://togithub.com/anchore/syft/pull/2100)]
\[[hainenber](https://togithub.com/hainenber)]
##### Bug Fixes
- fix: correct group IDs for commons-codec, okhttp, okio, and add
integration tests for Java PURL generation \[[PR
#2075](https://togithub.com/anchore/syft/pull/2075)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Cyclonedx external reference URLs are not validated when encoding
\[[Issue #2079](https://togithub.com/anchore/syft/issues/2079)]
\[[PR #2091](https://togithub.com/anchore/syft/pull/2091)]
\[[hainenber](https://togithub.com/hainenber)]
##### Additional Changes
- Bump the golang.org/x/exp dependency and fix a build breakage. \[[PR
#2088](https://togithub.com/anchore/syft/pull/2088)]
\[[dlorenc](https://togithub.com/dlorenc)]
- fix: update codeql-analysis for go 1.21 \[[PR
#2108](https://togithub.com/anchore/syft/pull/2108)]
\[[spiffcs](https://togithub.com/spiffcs)]
### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)
###
#### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31)
[Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0)
##### Added Features
- Add registry certificate verification support \[[PR
#1734](https://togithub.com/anchore/syft/pull/1734)]
\[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)]
- Add SYFT_CONFIG environment variable for configuration file path
\[[Issue #1986](https://togithub.com/anchore/syft/issues/1986)]
\[[PR #2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
##### Bug Fixes
- Fix quiet flag \[[PR
#2081](https://togithub.com/anchore/syft/pull/2081)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Command line flags not overriding configuration file values \[[Issue
#1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR
#2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Django package CPE is not correct \[[Issue
#1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR
#2068](https://togithub.com/anchore/syft/pull/2068)]
\[[witchcraze](https://togithub.com/witchcraze)]
- Config parsing includes `config.yaml` in working dir \[[Issue
#1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR
#2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Fix a possible panic on universal go binaries \[[Issue
#2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR
#2078](https://togithub.com/anchore/syft/pull/2078)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Disabling catalogers is not working in power user command \[[Issue
#2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR
#2001](https://togithub.com/anchore/syft/pull/2001)]
\[[kzantow](https://togithub.com/kzantow)]
- Virtual path changes to java cataloger causing creation of extra
incorrect packages when jars are renamed \[[Issue
#2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR
#2080](https://togithub.com/anchore/syft/pull/2080)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)
###
#### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25)
[Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0)
##### Added Features
- Detect golang boring crypto and fipsonly modules \[[PR
#2021](https://togithub.com/anchore/syft/pull/2021)]
\[[bathina2](https://togithub.com/bathina2)]
- feat: 1944 - update purl generation to use a consistent groupID \[[PR
#2033](https://togithub.com/anchore/syft/pull/2033)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Add support to detect bash binaries \[[Issue
#1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR
#2055](https://togithub.com/anchore/syft/pull/2055)]
\[[witchcraze](https://togithub.com/witchcraze)]
##### Bug Fixes
- fix: properly parse conan ref and include user and channel \[[PR
#2034](https://togithub.com/anchore/syft/pull/2034)]
\[[Pro](https://togithub.com/Pro)]
- New version notice only showing the version and no text \[[PR
#2042](https://togithub.com/anchore/syft/pull/2042)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Fix: don't validate pom declared group \[[PR
#2054](https://togithub.com/anchore/syft/pull/2054)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Errors when handling symlinks on Windows with syft v0.85.0 \[[Issue
#1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR
#2051](https://togithub.com/anchore/syft/pull/2051)]
\[[selzoc](https://togithub.com/selzoc)]
- Syft seems unable to parse non UTF-8 pom.xml files \[[Issue
#2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR
#2047](https://togithub.com/anchore/syft/pull/2047)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Error parsing pom.xml with v0.87.1 \[[Issue
#2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR
#2064](https://togithub.com/anchore/syft/pull/2064)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Invalid CycloneDX: duplicates in relationships section \[[Issue
#2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR
#2063](https://togithub.com/anchore/syft/pull/2063)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)
#### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1)
(2023-08-17)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1)
##### Bug Fixes
- Use Java package names to determine known groupIDs \[[PR
#2032](https://togithub.com/anchore/syft/pull/2032)]
\[[kzantow](https://togithub.com/kzantow)]
- Relationships section of CycloneDX is not outputting even when the
data is present \[[Issue
#1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR
#1974](https://togithub.com/anchore/syft/pull/1974)]
\[[markgalpin](https://togithub.com/markgalpin)]
\[[kzantow](https://togithub.com/kzantow)]
- SPDX Tag-Value conversion not handling files directly set on packages
\[[Issue #2013](https://togithub.com/anchore/syft/issues/2013)]
\[[PR #2014](https://togithub.com/anchore/syft/pull/2014)]
\[[kzantow](https://togithub.com/kzantow)]
- Intermittent binary listings, different results every time \[[Issue
#2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR
#2036](https://togithub.com/anchore/syft/pull/2036)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)
#### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0)
(2023-08-14)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0)
##### Added Features
- feat: use originator logic to fill supplier \[[PR
#1980](https://togithub.com/anchore/syft/pull/1980)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Expand deb cataloger to include opkg \[[PR
#1985](https://togithub.com/anchore/syft/pull/1985)]
\[[johnDeSilencio](https://togithub.com/johnDeSilencio)]
- Package duplicated by different cataloger \[[Issue
#931](https://togithub.com/anchore/syft/issues/931)] \[[PR
#1948](https://togithub.com/anchore/syft/pull/1948)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Add binary cataloger for Nginx built from source \[[Issue
#1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR
#1988](https://togithub.com/anchore/syft/pull/1988)]
\[[SemProvoost](https://togithub.com/SemProvoost)]
##### Bug Fixes
- chore: update bubbly to fix hanging \[[PR
#1990](https://togithub.com/anchore/syft/pull/1990)]
\[[kzantow](https://togithub.com/kzantow)]
- fix: update glob to use newer usr/lib/sysimage path \[[PR
#1997](https://togithub.com/anchore/syft/pull/1997)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: SPDX license values and download location \[[PR
#2007](https://togithub.com/anchore/syft/pull/2007)]
\[[kzantow](https://togithub.com/kzantow)]
- Different CPEs between java-cataloger and
java-gradle-lockfile-cataloger \[[Issue
#1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR
#1995](https://togithub.com/anchore/syft/pull/1995)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)
### Changelog
#### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1)
(2023-07-31)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1)
##### Bug Fixes
- Source requires default image name as user input for unparsable
reference \[[PR
#1979](https://togithub.com/anchore/syft/pull/1979)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)
### Changelog
#### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0)
(2023-07-31)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0)
##### Added Features
- Introduce indexed embedded CPE dictionary \[[PR
#1897](https://togithub.com/anchore/syft/pull/1897)]
\[[luhring](https://togithub.com/luhring)]
- Add cataloger for Swift Package Manager. \[[PR
#1919](https://togithub.com/anchore/syft/pull/1919)]
\[[trilleplay](https://togithub.com/trilleplay)]
- Guess unpinned versions in python requirements.txt \[[PR
#1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR
#1966](https://togithub.com/anchore/syft/pull/1966)]
\[[manifestori](https://togithub.com/manifestori)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Create a package record for the artifact an SBOM described when
creating a SPDX SBOM \[[Issue
#1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue
#1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR
#1934](https://togithub.com/anchore/syft/pull/1934)]
\[[kzantow](https://togithub.com/kzantow)]
##### Bug Fixes
- Fix panic condition on docker pull failure \[[PR
#1968](https://togithub.com/anchore/syft/pull/1968)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Syft reports the "minimum required version" of .NET assemblies rather
than the "assembly version" \[[Issue
#1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR
#1943](https://togithub.com/anchore/syft/pull/1943)]
\[[luhring](https://togithub.com/luhring)]
- Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR
#1969](https://togithub.com/anchore/syft/pull/1969)]
\[[spiffcs](https://togithub.com/spiffcs)]
##### Breaking Changes
- Remove jotframe UI \[[PR
#1932](https://togithub.com/anchore/syft/pull/1932)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Simplify python env markers \[[PR
#1967](https://togithub.com/anchore/syft/pull/1967)]
\[[wagoodman](https://togithub.com/wagoodman)]
### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0)
### Changelog
#### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0)
(2023-07-12)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0)
##### Added Features
- Add a --base-path command line flag to set the directory base for
scans (this option was previously exposed via API only) \[[PR
#1867](https://togithub.com/anchore/syft/pull/1867)]
\[[deitch](https://togithub.com/deitch)]
- Add file source digest support \[[PR
#1914](https://togithub.com/anchore/syft/pull/1914)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Remove erroneous Java CPEs from generation \[[PR
#1918](https://togithub.com/anchore/syft/pull/1918)]
\[[luhring](https://togithub.com/luhring)]
- Fix CPE generation for k8s python client \[[PR
#1921](https://togithub.com/anchore/syft/pull/1921)]
\[[luhring](https://togithub.com/luhring)]
- Don't use the actual redis or grpc CPEs for gems \[[PR
#1926](https://togithub.com/anchore/syft/pull/1926)]
\[[luhring](https://togithub.com/luhring)]
- The text user interface is now provided by the bubbletea library
\[[Issue #1441](https://togithub.com/anchore/syft/issues/1441)]
\[[PR #1888](https://togithub.com/anchore/syft/pull/1888)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Install script returns exit code 0 even if install fails \[[Issue
#1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR
#1915](https://togithub.com/anchore/syft/pull/1915)]
\[[lorsatti](https://togithub.com/lorsatti)]
- \[Windows] Not able to scan volume mounted to folder \[[Issue
#1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR
#1884](https://togithub.com/anchore/syft/pull/1884)]
\[[dd-cws](https://togithub.com/dd-cws)]
- Deprecated license: GFDL-1.2+ \[[Issue
#1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR
#1907](https://togithub.com/anchore/syft/pull/1907)]
\[[spiffcs](https://togithub.com/spiffcs)]
##### Breaking Changes
- Refactor the `source` API and syft-json `source` block data shape
\[[Issue #1866](https://togithub.com/anchore/syft/issues/1866)]
\[[PR #1846](https://togithub.com/anchore/syft/pull/1846)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- chore: update iterations to protect against race \[[PR
#1927](https://togithub.com/anchore/syft/pull/1927)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: background reader apart from global handler for testing \[[PR
#1929](https://togithub.com/anchore/syft/pull/1929)]
\[[spiffcs](https://togithub.com/spiffcs)]
### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1)
### Changelog
#### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1)
(2023-06-29)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1)
##### Bug Fixes
- Fix version detection in Java archive name parsing \[[PR
#1889](https://togithub.com/anchore/syft/pull/1889)]
\[[luhring](https://togithub.com/luhring)]
- Improve support for Dart SDK package dependency lockfiles \[[PR
#1891](https://togithub.com/anchore/syft/pull/1891)]
\[[rufman](https://togithub.com/rufman)]
- Fix license output for some CycloneDX JSON SBOMs \[[Issue
#1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR
#1879](https://togithub.com/anchore/syft/pull/1879)]
\[[kzantow](https://togithub.com/kzantow)]
- Correctly discover Debian file relationships in distroless images
\[[Issue #1900](https://togithub.com/anchore/syft/issues/1900)]
\[[PR #1901](https://togithub.com/anchore/syft/pull/1901)]
\[[westonsteimel](https://togithub.com/westonsteimel)]
##### Additional Changes
- Simplify the SBOM writer interface \[[PR
#1892](https://togithub.com/anchore/syft/pull/1892)]
\[[wagoodman](https://togithub.com/wagoodman)]
### [`v0.84.0`](https://togithub.com/anchore/syft/releases/tag/v0.84.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0)
### Changelog
#### [v0.84.0](https://togithub.com/anchore/syft/tree/v0.84.0)
(2023-06-20)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.83.1...v0.84.0)
##### Breaking Changes
- Pad artifact IDs \[[PR
#1882](https://togithub.com/anchore/syft/pull/1882)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
##### Additional Changes
- chore: update SPDX license list to 3.21 \[[PR
#1885](https://togithub.com/anchore/syft/pull/1885)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.83.1`](https://togithub.com/anchore/syft/releases/tag/v0.83.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1)
### Changelog
#### [v0.83.1](https://togithub.com/anchore/syft/tree/v0.83.1)
(2023-06-14)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.83.0...v0.83.1)
##### Bug Fixes
- fix: pom properties not setting artifact id \[[PR
#1870](https://togithub.com/anchore/syft/pull/1870)]
\[[jneate](https://togithub.com/jneate)]
- fix(deps): pull in platform selection fix from stereoscope \[[PR
#1871](https://togithub.com/anchore/syft/pull/1871)]
\[[anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]
- pulling in an image with a digest that does not match the platform and
architecture of the host no longer fails with an error, see
[https://github.com/anchore/stereoscope/issues/188](https://togithub.com/anchore/stereoscope/issues/188)
- symlinks within a scanned directory tree are parsed outside the tree,
failing if target does not exist \[[Issue
#1860](https://togithub.com/anchore/syft/issues/1860)] \[[PR
#1861](https://togithub.com/anchore/syft/pull/1861)]
\[[deitch](https://togithub.com/deitch)]
### [`v0.83.0`](https://togithub.com/anchore/syft/releases/tag/v0.83.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0)
### Changelog
#### [v0.83.0](https://togithub.com/anchore/syft/tree/v0.83.0)
(2023-06-05)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.82.0...v0.83.0)
##### Added Features
- Add new '--source-version' and '--source-name' options to set the name
and version of the target being analyzed for reference in resulting
syft-json format SBOMs (more formats will support these flags soon).
\[[Issue #1399](https://togithub.com/anchore/syft/issues/1399)]
\[[PR #1859](https://togithub.com/anchore/syft/pull/1859)]
\[[kzantow](https://togithub.com/kzantow)]
- Add scope to POM properties \[[PR
#1779](https://togithub.com/anchore/syft/pull/1779)]
\[[jneate](https://togithub.com/jneate)]
- Accept main.version ldflags even without vcs \[[PR
#1855](https://togithub.com/anchore/syft/pull/1855)]
\[[deitch](https://togithub.com/deitch)]
##### Bug Fixes
- Fix directory resolver to consider CWD and root path input correctly
\[[PR #1840](https://togithub.com/anchore/syft/pull/1840)]
\[[wagoodman](https://togithub.com/wagoodman)]
- Show all error messages if there is a failure retrieving an image with
a specified scheme \[[Issue
#1569](https://togithub.com/anchore/syft/issues/1569)] \[[PR
#1801](https://togithub.com/anchore/syft/pull/1801)]
\[[FrimIdan](https://togithub.com/FrimIdan)]
- v0.81.0 crashing parsing some images \[[Issue
#1837](https://togithub.com/anchore/syft/issues/1837)] \[[PR
#1839](https://togithub.com/anchore/syft/pull/1839)]
\[[spiffcs](https://togithub.com/spiffcs)]
##### Deprecated Features
- Migrate location-related structs to the file package \[[PR
#1751](https://togithub.com/anchore/syft/pull/1751)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Additional Changes
- chore: code cleanup \[[PR
#1865](https://togithub.com/anchore/syft/pull/1865)]
\[[spiffcs](https://togithub.com/spiffcs)]
### [`v0.82.0`](https://togithub.com/anchore/syft/releases/tag/v0.82.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0)
### Changelog
#### [v0.82.0](https://togithub.com/anchore/syft/tree/v0.82.0)
(2023-05-23)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.81.0...v0.82.0)
##### Added Features
- Improve Go main module version detection by attempting to parse
available ldflags \[[Issue
#1785](https://togithub.com/anchore/syft/issues/1785)] \[[PR
#1832](https://togithub.com/anchore/syft/pull/1832)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Fix a problem in the license parsing logic that may result in a panic
\[[PR #1839](https://togithub.com/anchore/syft/pull/1839)]
- Return all relevant error messages if an image retrieval fails when a
scheme is specified \[[PR
#1801](https://togithub.com/anchore/syft/pull/1801)]
\[[FrimIdan](https://togithub.com/FrimIdan)]
- Fix a problem with PNPM scanning where v6 lockfiles might result in
duplicated packages \[[Issue
#1762](https://togithub.com/anchore/syft/issues/1762)] \[[PR
#1778](https://togithub.com/anchore/syft/pull/1778)]
\[[kzantow](https://togithub.com/kzantow)]
### [`v0.81.0`](https://togithub.com/anchore/syft/releases/tag/v0.81.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0)
### Changelog
#### [v0.81.0](https://togithub.com/anchore/syft/tree/v0.81.0)
(2023-05-22)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.80.0...v0.81.0)
##### Added Features
- Support cataloging R packages \[[Issue
#730](https://togithub.com/anchore/syft/issues/730)] \[[PR
#1790](https://togithub.com/anchore/syft/pull/1790)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- Support describing license properties and SPDX expression assertions
\[[Issue #1577](https://togithub.com/anchore/syft/issues/1577)]
\[[PR #1743](https://togithub.com/anchore/syft/pull/1743)]
\[[spiffcs](https://togithub.com/spiffcs)]
- Warn if parsing a newer SBOM \[[PR
#1810](https://togithub.com/anchore/syft/pull/1810)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
##### Bug Fixes
- Retain cataloged SBOM relationships \[[PR
#1509](https://togithub.com/anchore/syft/pull/1509)]
\[[houdini91](https://togithub.com/houdini91)]
- fix: update field plurality of 8.0.0 schema before release \[[PR
#1820](https://togithub.com/anchore/syft/pull/1820)]
\[[spiffcs](https://togithub.com/spiffcs)]
- fix: remove spurious warnings - unknown relationship type: evident-by
form-lib=syft \[[Issue
#1812](https://togithub.com/anchore/syft/issues/1812)] \[[PR
#1797](https://togithub.com/anchore/syft/pull/1797)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- CycloneDX Dependencies Relationships Inverted \[[Issue
#1815](https://togithub.com/anchore/syft/issues/1815)] \[[PR
#1816](https://togithub.com/anchore/syft/pull/1816)]
\[[shanealv](https://togithub.com/shanealv)]
- Alpine: license expression should be complete and not parsed out
\[[Issue #1817](https://togithub.com/anchore/syft/issues/1817)]
\[[PR #1819](https://togithub.com/anchore/syft/pull/1819)]
\[[spiffcs](https://togithub.com/spiffcs)]
##### Additional Changes
- Print package list when extra packages found \[[PR
#1791](https://togithub.com/anchore/syft/pull/1791)]
\[[willmurphyscode](https://togithub.com/willmurphyscode)]
- update cosign to v2 release (different go module) \[[PR
#1805](https://togithub.com/anchore/syft/pull/1805)]
\[[bobcallaway](https://togithub.com/bobcallaway)]
### [`v0.80.0`](https://togithub.com/anchore/syft/releases/tag/v0.80.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0)
### Changelog
#### [v0.80.0](https://togithub.com/anchore/syft/tree/v0.80.0)
(2023-05-05)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.79.0...v0.80.0)
##### Added Features
- Improve pnpm support \[[Issue
#1535](https://togithub.com/anchore/syft/issues/1535)] \[[PR
#1752](https://togithub.com/anchore/syft/pull/1752)]
\[[Shanedell](https://togithub.com/Shanedell)]
##### Bug Fixes
- chore: add more detail on SPDX file IDs \[[PR
#1769](https://togithub.com/anchore/syft/pull/1769)]
\[[kzantow](https://togithub.com/kzantow)]
- chore: do not HTML escape PackageURLs \[[PR
#1782](https://togithub.com/anchore/syft/pull/1782)]
\[[kzantow](https://togithub.com/kzantow)]
- RPM database not found on ostree-managed systems \[[Issue
#1755](https://togithub.com/anchore/syft/issues/1755)] \[[PR
#1756](https://togithub.com/anchore/syft/pull/1756)]
\[[fpytloun](https://togithub.com/fpytloun)]
- Unable to use syft for private azure container registry \[[Issue
#1777](https://togithub.com/anchore/syft/issues/1777)]
- linux-kernel-cataloger produces thousands of version-less components.
\[[Issue #1781](https://togithub.com/anchore/syft/issues/1781)]
\[[PR #1784](https://togithub.com/anchore/syft/pull/1784)]
\[[kzantow](https://togithub.com/kzantow)]
##### Deprecated Features
- Rename pkg.Catalog to pkg.Collection \[[PR
#1764](https://togithub.com/anchore/syft/pull/1764)]
\[[wagoodman](https://togithub.com/wagoodman)]
### [`v0.79.0`](https://togithub.com/anchore/syft/releases/tag/v0.79.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0)
### Changelog
#### [v0.79.0](https://togithub.com/anchore/syft/tree/v0.79.0)
(2023-04-21)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.78.0...v0.79.0)
##### Added Features
- Add ALPM Metadata to CYCLONEDX and SPDX output formats \[[Issue
#1037](https://togithub.com/anchore/syft/issues/1037)] \[[PR
#1747](https://togithub.com/anchore/syft/pull/1747)]
\[[Shanedell](https://togithub.com/Shanedell)]
- consul binary classifier \[[Issue
#1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR
#1738](https://togithub.com/anchore/syft/pull/1738)]
\[[Shanedell](https://togithub.com/Shanedell)]
##### Bug Fixes
- Syft missing direct dependencies from the gemfile.lock \[[Issue
#1660](https://togithub.com/anchore/syft/issues/1660)] \[[PR
#1749](https://togithub.com/anchore/syft/pull/1749)]
\[[Shanedell](https://togithub.com/Shanedell)]
##### Additional Changes
- chore: bump stereoscope to latest version \[[PR
#1741](https://togithub.com/anchore/syft/pull/1741)]
\[[westonsteimel](https://togithub.com/westonsteimel)]
### [`v0.78.0`](https://togithub.com/anchore/syft/releases/tag/v0.78.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0)
### Changelog
#### [v0.78.0](https://togithub.com/anchore/syft/tree/v0.78.0)
(2023-04-17)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.77.0...v0.78.0)
##### Added Features
- Add Linux Kernel cataloger \[[PR
#1694](https://togithub.com/anchore/syft/pull/1694)]
\[[deitch](https://togithub.com/deitch) &
[wagoodman](https://togithub.com/wagoodman)]
- Support scanning license files in golang packages over the network
\[[Issue #1056](https://togithub.com/anchore/syft/issues/1056)]
\[[PR #1630](https://togithub.com/anchore/syft/pull/1630)]
\[[deitch](https://togithub.com/deitch) &
[kzantow](https://togithub.com/kzantow)]
- Add consul binary classifier \[[Issue
#1590](https://togithub.com/anchore/syft/issues/1590)] \[[PR
#1738](https://togithub.com/anchore/syft/pull/1738)]
\[[Shanedell](https://togithub.com/Shanedell)]
- Add annotations for evidence on package locations \[[PR
#1723](https://togithub.com/anchore/syft/pull/1723)]
\[[wagoodman](https://togithub.com/wagoodman)]
##### Bug Fixes
- Decoding of the syft-json format does not handle files \[[Issue
#1534](https://togithub.com/anchore/syft/issues/1534)] \[[PR
#1698](https://togithub.com/anchore/syft/pull/1698)]
\[[wagoodman](https://togithub.com/wagoodman)]
### [`v0.77.0`](https://togithub.com/anchore/syft/releases/tag/v0.77.0)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0)
### Changelog
#### [v0.77.0](https://togithub.com/anchore/syft/tree/v0.77.0)
(2023-04-11)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.76.1...v0.77.0)
##### Added Features
- feat: gradle lockfile support \[[PR
#1719](https://togithub.com/anchore/syft/pull/1719)]
\[[henrysachs](https://togithub.com/henrysachs)]
- feat: support for java "nar" files \[[PR
#1727](https://togithub.com/anchore/syft/pull/1727)]
\[[Shanedell](https://togithub.com/Shanedell)]
### [`v0.76.1`](https://togithub.com/anchore/syft/releases/tag/v0.76.1)
[Compare
Source](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1)
### Changelog
#### [v0.76.1](https://togithub.com/anchore/syft/tree/v0.76.1)
(2023-04-05)
[Full
Changelog](https://togithub.com/anchore/syft/compare/v0.76.0...v0.76.1)
##### Added Features
- Capture file ownership relationships from portage ecosystem \[[PR
#1702](https://togithub.com/anchore/syft/pull/1702)]
\[[wagoodman](https://togithub
---
### Configuration
📅 **Schedule**: Branch creation - "every weekday" (UTC), Automerge - At
any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.
---
Co-authored-by: mend-for-github-com[bot] <50673670+mend-for-github-com[bot]@users.noreply.github.com>
---
aqua.yaml | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/aqua.yaml b/aqua.yaml
index 13f0b08c..6b09cfbd 100644
--- a/aqua.yaml
+++ b/aqua.yaml
@@ -3,24 +3,24 @@
# https://aquaproj.github.io/
registries:
- type: standard
- ref: v3.149.0 # renovate: depName=aquaproj/aqua-registry
+ ref: v3.162.0 # renovate: depName=aquaproj/aqua-registry
packages:
- - name: miniscruff/changie@v1.12.0
- - name: golang/go@go1.20.1
- - name: direnv/direnv@v2.32.2
- - name: magefile/mage@v1.14.0
- - name: charmbracelet/glow@v1.5.0
- - name: goreleaser/goreleaser@v1.15.2
- - name: mvdan/gofumpt@v0.4.0
- - name: golang/tools/gorename@v0.6.0
- - name: golang/tools/stringer@v0.6.0
- - name: golang/tools/gomvpkg@v0.6.0
- - name: golang/tools/godoc@v0.6.0
- - name: golang/tools/guru@v0.6.0
- - name: anchore/syft@v0.73.0
- - name: direnv/direnv@v2.32.2
- - name: thycotic/dsv-cli@v1.40.1
- - name: hashicorp/terraform@v1.4.2
+ - name: miniscruff/changie@v1.17.0
+ - name: golang/go@go1.21.5
+ - name: direnv/direnv@v2.33.0
+ - name: magefile/mage@v1.15.0
+ - name: charmbracelet/glow@v1.5.1
+ - name: goreleaser/goreleaser@v1.22.1
+ - name: mvdan/gofumpt@v0.5.0
+ - name: golang/tools/gorename@v0.16.1
+ - name: golang/tools/stringer@v0.16.1
+ - name: golang/tools/gomvpkg@v0.16.1
+ - name: golang/tools/godoc@v0.16.1
+ - name: golang/tools/guru@v0.16.1
+ - name: anchore/syft@v0.99.0
+ - name: direnv/direnv@v2.33.0
+ - name: thycotic/dsv-cli@v1.40.5
+ - name: hashicorp/terraform@v1.6.6
- name: git-town/git-town@v7.9.0
- - name: DelineaXPM/dsv-cli@v1.40.2
- - name: gotestyourself/gotestsum@v1.9.0
+ - name: DelineaXPM/dsv-cli@v1.40.5
+ - name: gotestyourself/gotestsum@v1.11.0
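Review bot: `direnv/direnv@v2.33.0` is listed twice in `packages:` (third entry and again right after `anchore/syft`), and `thycotic/dsv-cli@v1.40.5` and `DelineaXPM/dsv-cli@v1.40.5` pin what appears to be the same CLI at the same version under two owner names. Drop the duplicate direnv line and keep a single dsv-cli entry, so a later bump cannot leave two pins for one tool out of step. Separately, the `anchore/syft` pin moves from `v0.73.0` to `v0.99.0` in one step, and the release notes quoted in the commit message list Breaking Changes along the way (padded artifact IDs in v0.84.0, the reshaped syft-json `source` block in v0.85.0, the jotframe UI removal and simplified Python env markers in v0.86.0). With Automerge enabled for this batch of 14 packages, anything that consumes syft-json output or compares SBOM artifact IDs across runs should be checked against v0.99.0 before this lands, and the Go toolchain (`go1.20.1` to `go1.21.5`) and Terraform (`v1.4.2` to `v1.6.6`) bumps are easier to bisect if split into their own commits. The pins here are by tag only; if checksum verification is not already enabled elsewhere in `aqua.yaml`, this would be a good point to turn it on so the downloaded release artifacts for these new versions are verified.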