v0.6.0

Changes by Kind

Feature

• Add attestation in the release job (#271, @cpanato)
• Added support for scanning images with RPM package managers (#342, @micahhausler)
• Bom now ships with the SPDX license list version v3.21 embedded. (#307, @puerco)
• Improved the query help output, most importantly there is now help for the purl matcher
  • New flag --purl to output purls instead of names
  • The name matching filter now supports full regexes and not just substring matching
  • New pluggable printer interface to output in more formats
  • bom document query now can output in JSON and CSV in addition to the usual line printer using --format
  • New --fields flag controls which fields of the sbom will be printed on the query output
  • Piped data on STDIN is now autodetected, you can now pipe an SBOM to bom document query and skip the filename (#291, @puerco)
• OS Packages now can include an auto-generated download location. Initially supports Debian and Wolfi. (#270, @puerco)
• The bom json parser now supports top-level elements specified with a DESCRIBES relationship to the document. documentDescribes is, of course, still suppoirted
  • License printing in query results has better NOASSERTION detection when choosing which license to print. (#304, @puerco)
• Update license-data to v3.22 (#357, @cpanato)
• bom now supports scanning OS packages from images based on distroless.
  • Fixed a bug where bom would drop the last package read from the debian database
  • Fixed an encoding bug in oci-typed purls where the version had an unescaped colon. (#345, @puerco)
• bom will now autodetect when STDIN is open to outline an SBOM to avoid specifying it with a dash (#260, @puerco)

Bug or Regression

• Bom will now read the SBOM until it detects the SBOM encoding data, enabling it to parse SBOMs with the document data defined at the end of the file.
  • When trying to ingest a CycloneDX document, bom will now print a more useful warning (#259, @puerco)
• Fixed a race condition where concurrent files canning processes could clash and cause a segfault (thanks to @howardjohn for reporting) (#312, @puerco)
• JSON-encoded files now include supplier and originator data. (#269, @puerco)

Other (Cleanup or Flake)

• Go.mod: Update github.com/uwu-tools/magex to v0.10.0 (#275, @cpanato)
• SPDX packages representing container images are now named using their full reference and digest: registry.com/repository/image@sha256:digest (#289, @puerco)

Dependencies

Added

• dario.cat/mergo: v1.0.0
• github.com/MakeNowJust/heredoc/v2: v2.0.1
• github.com/cyphar/filepath-securejoin: v0.2.4
• github.com/dustin/go-humanize: v1.0.1
• github.com/elazarl/goproxy: 2592e75
• github.com/glebarez/go-sqlite: v1.22.0
• github.com/go-jose/go-jose/v3: v3.0.0
• github.com/golang/groupcache: 41bb18b
• github.com/google/pprof: e6195bd
• github.com/hashicorp/errwrap: v1.0.0
• github.com/hashicorp/go-multierror: v1.1.1
• github.com/kballard/go-shellquote: 95032a8
• github.com/klauspost/cpuid/v2: v2.2.3
• github.com/knqyf263/go-rpmdb: 067d98b
• github.com/mattn/go-isatty: v0.0.20
• github.com/mattn/go-sqlite3: v1.14.16
• github.com/remyoudompheng/bigfft: 24d4a6f
• github.com/uwu-tools/magex: v0.10.0
• golang.org/x/exp: d852ddb
• golang.org/x/tools/go/vcs: v0.1.0-deprecated
• lukechampine.com/uint128: v1.3.0
• modernc.org/cc/v3: v3.41.0
• modernc.org/ccgo/v3: v3.16.15
• modernc.org/httpfs: v1.0.6
• modernc.org/libc: v1.37.6
• modernc.org/mathutil: v1.6.0
• modernc.org/memory: v1.7.2
• modernc.org/opt: v0.1.3
• modernc.org/sqlite: v1.28.0
• modernc.org/strutil: v1.2.0
• modernc.org/tcl: v1.15.2
• modernc.org/token: v1.1.0
• modernc.org/z: v1.7.3

Changed

• cloud.google.com/go/compute: v1.18.0 → v1.19.3
• github.com/BurntSushi/toml: v0.3.1 → v1.2.1
• github.com/Masterminds/semver/v3: v3.1.1 → v3.2.1
• github.com/Microsoft/go-winio: v0.6.0 → v0.6.1
• github.com/ProtonMail/go-crypto: 7d5c6f0 → 3c4c8a2
• github.com/cloudflare/circl: v1.1.0 → v1.3.3
• github.com/cpuguy83/go-md2man/v2: v2.0.2 → v2.0.3
• github.com/docker/cli: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/docker/distribution: v2.8.1+incompatible → v2.8.2+incompatible
• github.com/docker/docker: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/go-git/gcfg: v1.5.0 → 3a3c614
• github.com/go-git/go-billy/v5: v5.4.1 → v5.5.0
• github.com/go-git/go-git-fixtures/v4: v4.3.1 → 55a9409
• github.com/go-git/go-git/v5: v5.6.1 → v5.11.0
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• github.com/google/go-containerregistry: v0.14.0 → v0.17.0
• github.com/google/uuid: v1.3.0 → v1.5.0
• github.com/in-toto/in-toto-golang: v0.7.0 → v0.9.0
• github.com/klauspost/compress: v1.16.0 → v1.16.5
• github.com/kr/pretty: v0.3.0 → v0.3.1
• github.com/magefile/mage: v1.14.0 → v1.15.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.6.1 → v6.8.1
• github.com/moby/term: 3f7ff69 → v0.5.0
• github.com/onsi/gomega: v1.26.0 → v1.30.0
• github.com/opencontainers/image-spec: v1.1.0-rc2 → v1.1.0-rc3
• github.com/package-url/packageurl-go: d704593 → v0.1.2
• github.com/rogpeppe/go-internal: v1.8.1 → v1.11.0
• github.com/secure-systems-lab/go-securesystemslib: v0.5.0 → v0.6.0
• github.com/sirupsen/logrus: v1.9.0 → v1.9.3
• github.com/skeema/knownhosts: v1.1.0 → v1.2.1
• github.com/spf13/cobra: v1.6.1 → v1.8.0
• github.com/spiffe/go-spiffe/v2: v2.1.2 → v2.1.3
• github.com/stretchr/testify: v1.8.2 → v1.8.4
• github.com/urfave/cli: v1.22.4 → v1.22.12
• github.com/vbatts/tar-split: v0.11.2 → v0.11.3
• gitlab.alpinelinux.org/alpine/go: v0.6.0 → v0.8.0
• golang.org/x/crypto: v0.6.0 → v0.18.0
• golang.org/x/mod: v0.9.0 → v0.14.0
• golang.org/x/net: v0.8.0 → v0.20.0
• golang.org/x/oauth2: v0.6.0 → v0.8.0
• golang.org/x/sync: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.6.0 → v0.16.0
• golang.org/x/term: v0.6.0 → v0.16.0
• golang.org/x/text: v0.8.0 → v0.14.0
• golang.org/x/tools: v0.7.0 → v0.17.0
• golang.org/x/xerrors: 5ec99f8 → 104605a
• google.golang.org/genproto: 76db087 → 637eb22
• google.golang.org/grpc: v1.53.0 → v1.54.0
• google.golang.org/protobuf: v1.29.0 → v1.30.0
• mvdan.cc/sh/v3: v3.5.1 → v3.7.0
• sigs.k8s.io/release-utils: 2b998c6 → v0.7.7

Removed

• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/acomagu/bufpipe: v1.0.4
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/carolynvs/magex: v0.9.0
• github.com/creack/pty: v1.1.17
• github.com/frankban/quicktest: v1.14.0
• github.com/google/renameio: v1.0.1
• github.com/imdario/mergo: v0.3.13
• github.com/jessevdk/go-flags: v1.5.0
• github.com/matryer/is: v1.2.0
• github.com/mmcloughlin/avo: v0.5.0
• github.com/niemeyer/pretty: a10e7ca
• github.com/pkg/diff: 20ebb0f
• github.com/shurcooL/sanitized_anchor_name: v1.0.0
• golang.org/x/arch: v0.1.0
• gopkg.in/errgo.v2: v2.1.0
• gopkg.in/square/go-jose.v2: v2.6.0
• mvdan.cc/editorconfig: v0.2.0
• rsc.io/pdf: v0.1.1