Comparing changes
base repository: anchore/syft
base: v1.42.1
head repository: anchore/syft
compare: v1.42.2
- 18 commits
- 1,604 files changed
- 11 contributors
Commits on Feb 20, 2026
-
chore(deps): bump the go-minor-patch group with 5 updates (#4632)

Bumps the go-minor-patch group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [golang.org/x/mod](https://github.com/golang/mod) | `0.32.0` | `0.33.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.49.0` | `0.50.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.44.3` | `1.45.0` |
| [golang.org/x/tools](https://github.com/golang/tools) | `0.41.0` | `0.42.0` |
| [github.com/gpustack/gguf-parser-go](https://github.com/gpustack/gguf-parser-go) | `0.23.1` | `0.24.0` |

Updates `golang.org/x/mod` from 0.32.0 to 0.33.0
- [Commits](golang/mod@v0.32.0...v0.33.0)

Updates `golang.org/x/net` from 0.49.0 to 0.50.0
- [Commits](golang/net@v0.49.0...v0.50.0)

Updates `modernc.org/sqlite` from 1.44.3 to 1.45.0
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0)

Updates `golang.org/x/tools` from 0.41.0 to 0.42.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.41.0...v0.42.0)

Updates `github.com/gpustack/gguf-parser-go` from 0.23.1 to 0.24.0
- [Release notes](https://github.com/gpustack/gguf-parser-go/releases)
- [Commits](gpustack/gguf-parser-go@v0.23.1...v0.24.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/gpustack/gguf-parser-go
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 612eadb
-
chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1 to 1.0.0 (#4633)

Bumps [github.com/charmbracelet/bubbles](https://github.com/charmbracelet/bubbles) from 0.21.1 to 1.0.0.
- [Release notes](https://github.com/charmbracelet/bubbles/releases)
- [Commits](charmbracelet/bubbles@v0.21.1...v1.0.0)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbles
  dependency-version: 1.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit f5110f1
-
chore(deps): bump github/codeql-action (#4634)

Bumps the actions-minor-patch group with 1 update in the / directory: [github/codeql-action](https://github.com/github/codeql-action).

Updates `github/codeql-action` from 4.31.10 to 4.32.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@cdefb33...9e907b5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit f4fc2d6
Commits on Feb 23, 2026
-
chore(deps): update CPE dictionary index (#4636)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Commit eb072de
-
fix: grafana classifier (#4635)
Signed-off-by: witchcraze <witchcraze@gmail.com>
Commit e9e7e20
Commits on Feb 24, 2026
-
fix: use correct hashes for empty files (#4620)
Signed-off-by: Paweł Pałucha <pawel.palucha@chainguard.dev>
Commit db76d85
Commits on Feb 27, 2026
-
fix(java): improve lz4 detection (#4642)
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Commit 35278f3
Commits on Mar 6, 2026
-
chore: migrate fixtures to testdata (#4651)

* migrate fixtures to testdata

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: correct broken symlinks after testdata migration

The migration from test-fixtures to testdata broke several symlinks:
- elf-test-fixtures symlinks pointed to old test-fixtures paths
- elf-test-fixtures needed to be renamed to elf-testdata
- image-pkg-coverage symlink pointed to test-fixtures instead of testdata

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: handle missing classifiers/bin directory in Makefile

The clean-fingerprint target was failing when classifiers/bin doesn't exist (e.g., on fresh clone without downloaded binaries).

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add gitignore negation for jar/zip fixtures in test/cli

The jar and zip files in test/cli/testdata/image-unknowns were being gitignored by the root .gitignore patterns. This caused them to be untracked and not included when building docker images in CI, resulting in Test_Unknowns failures since the test expects errors from corrupt archive files that weren't present.

Add a .gitignore in test/cli/testdata to negate the exclusions for these specific test fixture files.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* switch fixture cache to v2

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* test: update expected versions for rebuilt fixtures

Update test expectations for packages that have been updated in upstream repositories when docker images are rebuilt:
- glibc: 2.42-r4 → 2.43-r1 (wolfi)
- php: 8.2.29 → 8.2.30 (ubuntu/apache)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade go

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add go-shlex dependency for testdata manager tool

The manager tool in syft/pkg/cataloger/binary/testdata/ imports go-shlex, but since it's in a testdata directory, Go doesn't track its dependencies. This caused CI failures when go.mod didn't explicitly list the dependency.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* refactor: move binary classifier manager to internal/

Move the manager tool from testdata/manager to internal/manager so that Go properly tracks its dependencies. Code in testdata directories is ignored by Go for dependency tracking, which caused CI failures when go.mod didn't explicitly list transitive dependencies.

This is a cleaner solution than manually adding dependencies to go.mod for code that happens to live in testdata.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: add gitignore negations for test fixtures blocked by root patterns

Multiple test fixtures were being blocked by root-level gitignore patterns like bin/, *.jar, *.tar, and *.exe. This adds targeted .gitignore files with negation patterns to allow these specific test fixtures to be tracked:
- syft/linux/testdata/os/busybox/bin/busybox (blocked by bin/)
- syft/pkg/cataloger/java/testdata/corrupt/example.{jar,tar} (blocked by *.jar, *.tar)
- syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/**/bin/go (blocked by bin/)
- syft/pkg/cataloger/bitnami/testdata/no-rel/.../bin/redis-server (blocked by bin/)

Also updates the bitnami test expectation to include the newly required .gitignore files in the test fixture.

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* test: update glibc version expectation (2.43-r1 -> 2.43-r2)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add capability drift check as unit step

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* dont clear test observations before drift detection

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump stereoscope commit to main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Commit b5e85c3
Commits on Mar 9, 2026
-
chore(deps): bump the go-minor-patch group across 1 directory with 5 updates (#4661)

Bumps the go-minor-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/github/go-spdx/v2](https://github.com/github/go-spdx) | `2.3.6` | `2.4.0` |
| [github.com/go-git/go-billy/v5](https://github.com/go-git/go-billy) | `5.7.0` | `5.8.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.16.5` | `5.17.0` |
| [golang.org/x/net](https://github.com/golang/net) | `0.50.0` | `0.51.0` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `1.45.0` | `1.46.1` |

Updates `github.com/github/go-spdx/v2` from 2.3.6 to 2.4.0
- [Release notes](https://github.com/github/go-spdx/releases)
- [Commits](github/go-spdx@v2.3.6...v2.4.0)

Updates `github.com/go-git/go-billy/v5` from 5.7.0 to 5.8.0
- [Release notes](https://github.com/go-git/go-billy/releases)
- [Commits](go-git/go-billy@v5.7.0...v5.8.0)

Updates `github.com/go-git/go-git/v5` from 5.16.5 to 5.17.0
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.16.5...v5.17.0)

Updates `golang.org/x/net` from 0.50.0 to 0.51.0
- [Commits](golang/net@v0.50.0...v0.51.0)

Updates `modernc.org/sqlite` from 1.45.0 to 1.46.1
- [Changelog](https://gitlab.com/cznic/sqlite/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.45.0...v1.46.1)

---
updated-dependencies:
- dependency-name: github.com/github/go-spdx/v2
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-billy/v5
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: golang.org/x/net
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
- dependency-name: modernc.org/sqlite
  dependency-version: 1.46.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 22014b6
-
chore(deps): update CPE dictionary index (#4647)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Commit c583da1
-
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#4646)

Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.40.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.40.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.40.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 2c20146
-
chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#4659)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b7c566a...bbbca2d)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit dcba765
-
chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates (#4657)

Bumps the actions-minor-patch group with 2 updates in the / directory: [actions/setup-go](https://github.com/actions/setup-go) and [anchore/sbom-action](https://github.com/anchore/sbom-action).
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go).

Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

Updates `anchore/sbom-action` from 0.22.2 to 0.23.0
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md)
- [Commits](anchore/sbom-action@28d7154...17ae174)

Updates `actions/setup-go` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@7a3fe6c...4b73464)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: anchore/sbom-action
  dependency-version: 0.23.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
- dependency-name: actions/setup-go
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 7d3d1c6
-
chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#4638)

Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl) from 1.6.1 to 1.6.3.
- [Release notes](https://github.com/cloudflare/circl/releases)
- [Commits](cloudflare/circl@v1.6.1...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
  dependency-version: 1.6.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit c88051d
-
chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 (#4658)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.0.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@37930b1...70fc10c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commit 01f0e33
-
chore(deps): update SPDX license list (#4637)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Commit d2461a9
-
chore(deps): update tools to latest versions (#4630)
* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore(lint): fix errors in new golangci-lint

Two fixes:

First, replace sb.WriteString(fmt.Sprintf(...)) with fmt.Fprintf(&sb, ...)

Second, suppress errors where we read from the local file system at a user provided path. This is a CLI tool, and reads from user provided paths on the local file system by design.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Commit 22e78c7
-
chore(deps): update anchore dependencies (#4631)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
Commit 75455f0
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v1.42.1...v1.42.2