v0.6.0

Changes by Kind

Feature

• Add attestation in the release job (#271, @cpanato)
• Added support for scanning images with RPM package managers (#342, @micahhausler)
• Bom now ships with the SPDX license list version v3.21 embedded. (#307, @puerco)
• Improved the query help output, most importantly there is now help for the purl matcher
  • New flag --purl to output purls instead of names
  • The name matching filter now supports full regexes and not just substring matching
  • New pluggable printer interface to output in more formats
  • bom document query now can output in JSON and CSV in addition to the usual line printer using --format
  • New --fields flag controls which fields of the sbom will be printed on the query output
  • Piped data on STDIN is now autodetected, you can now pipe an SBOM to bom document query and skip the filename (#291, @puerco)
• OS Packages now can include an auto-generated download location. Initially supports Debian and Wolfi. (#270, @puerco)
• The bom json parser now supports top-level elements specified with a DESCRIBES relationship to the document. documentDescribes is, of course, still suppoirted
  • License printing in query results has better NOASSERTION detection when choosing which license to print. (#304, @puerco)
• Update license-data to v3.22 (#357, @cpanato)
• bom now supports scanning OS packages from images based on distroless.
  • Fixed a bug where bom would drop the last package read from the debian database
  • Fixed an encoding bug in oci-typed purls where the version had an unescaped colon. (#345, @puerco)
• bom will now autodetect when STDIN is open to outline an SBOM to avoid specifying it with a dash (#260, @puerco)

Bug or Regression

• Bom will now read the SBOM until it detects the SBOM encoding data, enabling it to parse SBOMs with the document data defined at the end of the file.
  • When trying to ingest a CycloneDX document, bom will now print a more useful warning (#259, @puerco)
• Fixed a race condition where concurrent files canning processes could clash and cause a segfault (thanks to @howardjohn for reporting) (#312, @puerco)
• JSON-encoded files now include supplier and originator data. (#269, @puerco)

Other (Cleanup or Flake)

• Go.mod: Update github.com/uwu-tools/magex to v0.10.0 (#275, @cpanato)
• SPDX packages representing container images are now named using their full reference and digest: registry.com/repository/image@sha256:digest (#289, @puerco)

Dependencies

Added

• dario.cat/mergo: v1.0.0
• github.com/MakeNowJust/heredoc/v2: v2.0.1
• github.com/cyphar/filepath-securejoin: v0.2.4
• github.com/dustin/go-humanize: v1.0.1
• github.com/elazarl/goproxy: 2592e75
• github.com/glebarez/go-sqlite: v1.22.0
• github.com/go-jose/go-jose/v3: v3.0.0
• github.com/golang/groupcache: 41bb18b
• github.com/google/pprof: e6195bd
• github.com/hashicorp/errwrap: v1.0.0
• github.com/hashicorp/go-multierror: v1.1.1
• github.com/kballard/go-shellquote: 95032a8
• github.com/klauspost/cpuid/v2: v2.2.3
• github.com/knqyf263/go-rpmdb: 067d98b
• github.com/mattn/go-isatty: v0.0.20
• github.com/mattn/go-sqlite3: v1.14.16
• github.com/remyoudompheng/bigfft: 24d4a6f
• github.com/uwu-tools/magex: v0.10.0
• golang.org/x/exp: d852ddb
• golang.org/x/tools/go/vcs: v0.1.0-deprecated
• lukechampine.com/uint128: v1.3.0
• modernc.org/cc/v3: v3.41.0
• modernc.org/ccgo/v3: v3.16.15
• modernc.org/httpfs: v1.0.6
• modernc.org/libc: v1.37.6
• modernc.org/mathutil: v1.6.0
• modernc.org/memory: v1.7.2
• modernc.org/opt: v0.1.3
• modernc.org/sqlite: v1.28.0
• modernc.org/strutil: v1.2.0
• modernc.org/tcl: v1.15.2
• modernc.org/token: v1.1.0
• modernc.org/z: v1.7.3

Changed

• cloud.google.com/go/compute: v1.18.0 → v1.19.3
• github.com/BurntSushi/toml: v0.3.1 → v1.2.1
• github.com/Masterminds/semver/v3: v3.1.1 → v3.2.1
• github.com/Microsoft/go-winio: v0.6.0 → v0.6.1
• github.com/ProtonMail/go-crypto: 7d5c6f0 → 3c4c8a2
• github.com/cloudflare/circl: v1.1.0 → v1.3.3
• github.com/cpuguy83/go-md2man/v2: v2.0.2 → v2.0.3
• github.com/docker/cli: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/docker/distribution: v2.8.1+incompatible → v2.8.2+incompatible
• github.com/docker/docker: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/go-git/gcfg: v1.5.0 → 3a3c614
• github.com/go-git/go-billy/v5: v5.4.1 → v5.5.0
• github.com/go-git/go-git-fixtures/v4: v4.3.1 → 55a9409
• github.com/go-git/go-git/v5: v5.6.1 → v5.11.0
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• github.com/google/go-containerregistry: v0.14.0 → v0.17.0
• github.com/google/uuid: v1.3.0 → v1.5.0
• github.com/in-toto/in-toto-golang: v0.7.0 → v0.9.0
• github.com/klauspost/compress: v1.16.0 → v1.16.5
• github.com/kr/pretty: v0.3.0 → v0.3.1
• github.com/magefile/mage: v1.14.0 → v1.15.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.6.1 → v6.8.1
• github.com/moby/term: 3f7ff69 → v0.5.0
• github.com/onsi/gomega: v1.26.0 → v1.30.0
• github.com/opencontainers/image-spec: v1.1.0-rc2 → v1.1.0-rc3
• github.com/package-url/packageurl-go: d704593 → v0.1.2
• github.com/rogpeppe/go-internal: v1.8.1 → v1.11.0
• github.com/secure-systems-lab/go-securesystemslib: v0.5.0 → v0.6.0
• github.com/sirupsen/logrus: v1.9.0 → v1.9.3
• github.com/skeema/knownhosts: v1.1.0 → v1.2.1
• github.com/spf13/cobra: v1.6.1 → v1.8.0
• github.com/spiffe/go-spiffe/v2: v2.1.2 → v2.1.3
• github.com/stretchr/testify: v1.8.2 → v1.8.4
• github.com/urfave/cli: v1.22.4 → v1.22.12
• github.com/vbatts/tar-split: v0.11.2 → v0.11.3
• gitlab.alpinelinux.org/alpine/go: v0.6.0 → v0.8.0
• golang.org/x/crypto: v0.6.0 → v0.18.0
• golang.org/x/mod: v0.9.0 → v0.14.0
• golang.org/x/net: v0.8.0 → v0.20.0
• golang.org/x/oauth2: v0.6.0 → v0.8.0
• golang.org/x/sync: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.6.0 → v0.16.0
• golang.org/x/term: v0.6.0 → v0.16.0
• golang.org/x/text: v0.8.0 → v0.14.0
• golang.org/x/tools: v0.7.0 → v0.17.0
• golang.org/x/xerrors: 5ec99f8 → 104605a
• google.golang.org/genproto: 76db087 → 637eb22
• google.golang.org/grpc: v1.53.0 → v1.54.0
• google.golang.org/protobuf: v1.29.0 → v1.30.0
• mvdan.cc/sh/v3: v3.5.1 → v3.7.0
• sigs.k8s.io/release-utils: 2b998c6 → v0.7.7

Removed

• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/acomagu/bufpipe: v1.0.4
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/carolynvs/magex: v0.9.0
• github.com/creack/pty: v1.1.17
• github.com/frankban/quicktest: [v1.14.0](https://github.com/frankban/quic...

v0.5.1

What's Changed

• update release binary name by @cpanato in #258

Full Changelog: v0.5.0...v0.5.1

v0.5.0

Changes by Kind

Feature

• -bom now embeds the latest SPDX license list. This avoids pulling the license list from the internet, speeding up SBOM generation
  • The bom mage file now has a CheckEmbeddedData and UpdateEmbeddedData targets to ease the management of the embedded data. (#255, @puerco)
• Bom will now correctly register in the SBOM the license list it used to scan code to detect licenses
  • the version of the SPDX license list to use is now configurable at SBOM generation time using --license-list-version (#245, @puerco)
• Bom will now generate package listings out of apk-based systems (alpine and wolfi) (#224, @puerco)
• Replace the registry with cgr.dev (#199, @developer-guy)
• The license list downloader now cached the license list zip file
  • The license list downloader can now download arbitrary versions of the license list. (#213, @puerco)
• Upgrade to go1.20 (#250, @cpanato)
• bom document outline now displays version numbers along package names by default. This can be turned off with --version=false
  • The oultine subcommand has a new ---purl flag which will display purls instead of package names when outlining an SBOM (#212, @puerco)

Documentation

• Corrected the go install instructions to install the latest version (#252, @puerco)
• Updated the readme to show up to date features
  • bom now has a logo! 🎉 (#222, @puerco)

Bug or Regression

• Fixed a bug where SBOMs were not ingested when the supplier of a package was NOASSERTION. (#203, @puerco)
• Fixed a bug where bom would crash when outlining an SBOM containing files at the top level of the document.. (#190, @puerco)
• Fixed a bug where the license downloader was always returning nil data leading to licenses not being detected. (#241, @puerco)
• Fixed a bug where the tool version was not getting included in the document creator info. The new Creator field has the app name, version tag and commit: ``bom-v0.4.1-102-g98baf66 (#242, @puerco)
• Fixed a recursion loop in spdx.recursiveIDSearch which lead to panics when generating sboms describing multiple artifacts. (#244, @puerco)

Other (Cleanup or Flake)

• Fixed a bug where bom would open each file unnecessarily when checksumming (#200, @puerco)
• LicenseDeclared in packages and licenseConcluded in files and packages will now be omitted in SPDX 2.3 documents.
  • [API Change] the PackageVerificationCode in the package JSON types (both in 2.2 and 2.3) has been changed and is now a pointer. This is a breaking change for anything depending on the bom types. This fixes a bug where JSON SBOMs contained an empty package verification code struct.
  • licenseInfoInFile in both packages and files is now committed from the JSON output when empty. (#243, @puerco)
• SBOM ingestion now supports external references with both PACKAGE-MANAGER and PACKAGE-MANAGER in the category field. Output is always SPDX 2.3 which calls for PACKAGE-MANAGER in the schema. (#221, @puerco)

Uncategorized

• Add checksums binaries (#191, @cpanato)
• Fixed a bug where bom would panic when generating an SBOM of an image specified with a digest. (#225, @sbs2001)

Dependencies

Added

• cloud.google.com/go/compute/metadata: v0.2.3
• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/cloudflare/circl: v1.1.0
• github.com/frankban/quicktest: v1.14.0
• github.com/google/renameio: v1.0.1
• github.com/mmcloughlin/avo: v0.5.0
• github.com/pjbgf/sha1cd: v0.3.0
• github.com/skeema/knownhosts: v1.1.0
• github.com/spiffe/go-spiffe/v2: v2.1.2
• github.com/zeebo/errs: v1.3.0
• gitlab.alpinelinux.org/alpine/go: v0.6.0
• golang.org/x/arch: v0.1.0
• google.golang.org/genproto: 76db087
• google.golang.org/grpc: v1.53.0
• gopkg.in/ini.v1: v1.67.0
• gopkg.in/square/go-jose.v2: v2.6.0
• mvdan.cc/editorconfig: v0.2.0
• mvdan.cc/sh/v3: v3.5.1
• rsc.io/pdf: v0.1.1

Changed

• cloud.google.com/go/compute: v1.10.0 → v1.18.0
• github.com/ProtonMail/go-crypto: 04723f9 → 7d5c6f0
• github.com/acomagu/bufpipe: v1.0.3 → v1.0.4
• github.com/anmitsu/go-shlex: 648efa6 → 38f4b40
• github.com/containerd/stargz-snapshotter/estargz: v0.12.1 → v0.14.3
• github.com/creack/pty: v1.1.9 → v1.1.17
• github.com/docker/cli: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/docker/docker: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/emirpasic/gods: v1.12.0 → v1.18.1
• github.com/gliderlabs/ssh: v0.2.2 → v0.3.5
• github.com/go-git/go-billy/v5: v5.3.1 → v5.4.1
• github.com/go-git/go-git-fixtures/v4: v4.2.1 → v4.3.1
• github.com/go-git/go-git/v5: v5.4.2 → v5.6.1
• github.com/golang/protobuf: v1.5.2 → v1.5.3
• github.com/google/go-containerregistry: v0.12.0 → v0.14.0
• github.com/imdario/mergo: v0.3.12 → v0.3.13
• github.com/in-toto/in-toto-golang: af1f9fb → v0.7.0
• github.com/inconshreveable/mousetrap: v1.0.1 → v1.1.0
• github.com/kevinburke/ssh_config: 4977a11 → v1.2.0
• github.com/klauspost/compress: v1.15.11 → v1.16.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.5.0 → v6.6.1
• github.com/onsi/gomega: v1.18.1 → v1.26.0
• github.com/secure-systems-lab/go-securesystemslib: v0.3.0 → v0.5.0
• github.com/stretchr/testify: v1.8.1 → v1.8.2
• github.com/xanzy/ssh-agent: v0.3.0 → v0.3.3
• golang.org/x/crypto: v0.1.0 → v0.6.0
• golang.org/x/mod: v0.6.0 → v0.9.0
• golang.org/x/net: v0.1.0 → v0.8.0
• golang.org/x/oauth2: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.1.0 → v0.6.0
• golang.org/x/term: v0.1.0 → v0.6.0
• golang.org/x/text: v0.4.0 → v0.8.0
• golang.org/x/tools: v0.2.0 → v0.7.0
• google.golang.org/protobuf: v1.28.1 → v1.29.0
• sigs.k8s.io/release-utils: v0.7.3 → 2b998c6

Removed

• github.com/flynn/go-shlex: 3f9db97
• github.com/konsorten/go-windows-terminal-sequences: v1.0.1

New Contributors

• @rnjudge made their first contribution in #231

Full Changelog: v0.4.1...v0.5.0

v0.4.1

Release Notes

Changes by Kind

Bug or Regression

• Fixed a bug where bom would crash when outlining an SBOM containing files at the top level of the document.. (#190, @puerco)
• Fixed a bug where the secondary license list returned by the classifier was not being returned
  • Improved the licensing code to be more resilient to unexpected output from the classifier
  • Licensing output is now less verbose. Use --log-level=debug to see all messages (#189, @puerco)

Dependencies

Added

Nothing has changed.

Changed

• github.com/spf13/cobra: v1.6.0 → v1.6.1
• github.com/stretchr/objx: v0.4.0 → v0.5.0
• github.com/stretchr/testify: v1.8.0 → v1.8.1
• golang.org/x/tools: v0.1.12 → v0.2.0

Removed

Nothing has changed.

v0.4.0

Release Notes

Changes by Kind

API Change

• Change SPDX json package name to remove patch semantic versioning (#145, @lumjjb)

Feature

• Allow specifying URLs in bom document query/outline. (#170, @saschagrunert)
• Bump go to 1.19 (#175, @cpanato)
• Chore: use different base image to include go (#136, @developer-guy)
• Feat: use mage pkg to generate ldflags (#154, @developer-guy)
• Image archives are treated as files now. The SBOM structure now consists of a package representing the tar, with the OCI artifacts inside.
  • Package names now reflect container image digests instead of tags. This makes the bom SBOMs similar to what other tools are doing now (#143, @puerco)
• Introduced a new presubmit workflow to validate SPDX conformance check on the documents generated by bom using the SPDX java tools. (#159, @puerco)
• SBOM can now parse spdx+json documents which means that they can be outlined and queried just as their tag-value counterparts. (#133, @puerco)
• bom now generates SBOMs conformant to SPDX version 2.3 🎉
  • The ingestion engine has now been overhauled with new standards checks and SPDX version awareness. This means that we can now check for errors that apply to a particular SPDX version.
  • Improved JSON document validation, particularly when rendering empty elements. (#157, @puerco)

Bug or Regression

• Fix: ko version output in magefile (#152, @developer-guy)
• Fixed a bug where Debian packages were listed in the SBOM with the version appended, now Name only has the name as expected (#138, @puerco)
• Fixed a bug where FileType in compressed tars was not categorized as ARCHIVE (#156, @puerco)
• Looking for precached images in the local daemon is now removed as it broke multiarch image SBOMs
  • Image downloading is now done in parallel. This should provide some speed gains in some high bandwidth settings (#139, @puerco)
• The license module in bom is now compatible with the latest google/licenseclassifier v2 prereleases. (#161, @puerco)
• When indexing golang repos, bom would throw a fatal error if no go.sum file was found. Now it returns an empty dependency list and generates the SBOM from the repository correctly. (#162, @puerco)

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.1.1
• github.com/blang/semver/v4: v4.0.0

Changed

• cloud.google.com/go/compute: v1.6.1 → v1.10.0
• github.com/BurntSushi/toml: v0.4.1 → v0.3.1
• github.com/Microsoft/go-winio: v0.5.2 → v0.6.0
• github.com/carolynvs/magex: v0.8.1 → v0.9.0
• github.com/containerd/stargz-snapshotter/estargz: v0.11.4 → v0.12.1
• github.com/danieljoos/wincred: v1.1.0 → v1.1.2
• github.com/docker/cli: v20.10.16+incompatible → v20.10.20+incompatible
• github.com/docker/docker-credential-helpers: v0.6.4 → v0.7.0
• github.com/docker/docker: v20.10.16+incompatible → v20.10.20+incompatible
• github.com/docker/go-units: v0.4.0 → v0.5.0
• github.com/google/go-cmp: v0.5.8 → v0.5.9
• github.com/google/go-containerregistry: v0.10.0 → v0.12.0
• github.com/google/licenseclassifier/v2: v2.0.0-alpha.1 → v2.0.0
• github.com/inconshreveable/mousetrap: v1.0.0 → v1.0.1
• github.com/klauspost/compress: v1.15.4 → v1.15.11
• github.com/konsorten/go-windows-terminal-sequences: v1.0.3 → v1.0.1
• github.com/magefile/mage: v1.13.0 → v1.14.0
• github.com/matryer/is: v1.4.0 → v1.2.0
• github.com/opencontainers/image-spec: 8b9d41f → v1.1.0-rc2
• github.com/sirupsen/logrus: v1.8.1 → v1.9.0
• github.com/spf13/cobra: v1.5.0 → v1.6.0
• github.com/yuin/goldmark: v1.4.1 → v1.4.13
• golang.org/x/crypto: e495a2d → v0.1.0
• golang.org/x/mod: 86c51ed → v0.6.0
• golang.org/x/net: 1d687d4 → v0.1.0
• golang.org/x/oauth2: 622c5d5 → v0.1.0
• golang.org/x/sync: 0976fa6 → v0.1.0
• golang.org/x/sys: bc2c85a → v0.1.0
• golang.org/x/term: 03fcf44 → v0.1.0
• golang.org/x/text: v0.3.7 → v0.4.0
• golang.org/x/tools: v0.1.11 → v0.1.12
• golang.org/x/xerrors: f3a8303 → 5ec99f8
• google.golang.org/protobuf: v1.28.0 → v1.28.1
• sigs.k8s.io/release-utils: v0.7.1 → v0.7.3

Removed

• 4d63.com/gochecknoglobals: v0.1.0
• bitbucket.org/creachadair/shell: v0.0.6
• cloud.google.com/go/bigquery: v1.8.0
• cloud.google.com/go/datastore: v1.1.0
• cloud.google.com/go/firestore: v1.6.0
• cloud.google.com/go/pubsub: v1.5.0
• cloud.google.com/go/spanner: v1.7.0
• cloud.google.com/go/storage: v1.10.0
• cloud.google.com/go: v0.93.3
• contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
• dmitri.shuralyov.com/gpu/mtl: 666a987
• github.com/Antonboom/errname: v0.1.5
• github.com/Antonboom/nilnil: v0.1.0
• github.com/BurntSushi/xgb: 27f1227
• github.com/Djarvur/go-err113: aea10b5
• github.com/Masterminds/goutils: v1.1.0
• github.com/Masterminds/semver: v1.5.0
• github.com/Masterminds/sprig: v2.22.0+incompatible
• github.com/OneOfOne/xxhash: v1.2.2
• github.com/OpenPeeDeeP/depguard: v1.0.1
• github.com/StackExchange/wmi: v1.2.1
• github.com/alecthomas/template: fb15b89
• github.com/alecthomas/units: c3de453
• github.com/alexkohler/prealloc: v1.0.0
• github.com/antihax/optional: v1.0.0
• github.com/aokoli/goutils: v1.0.1
• github.com/armon/circbuf: bbbad09
• github.com/armon/consul-api: eb2c6b5
• github.com/armon/go-metrics: f0300d1
• github.com/armon/go-radix: v1.0.0
• github.com/ashanbrown/forbidigo: v1.2.0
• github.com/ashanbrown/makezero: b626158
• github.com/aws/aws-sdk-go: v1.36.30
• github.com/beorn7/perks: v1.0.1
• github.com/bgentry/speakeasy: v0.1.0
• github.com/bketelsen/crypt: v0.0.4
• github.com/bkielbasa/cyclop: v1.2.0
• github.com/blang/semver: v3.5.1+incompatible
• github.com/blizzy78/varnamelen: v0.3.0
• github.com/bombsimon/wsl/v3: v3.3.0
• github.com/breml/bidichk: v0.1.1
• github.com/butuzov/ireturn: v0.1.1
• github.com/census-instrumentation/opencensus-proto: v0.2.1
• github.com/cespare/xxhash/v2: v2.1.1
• github.com/cespare/xxhash: v1.1.0
• github.com/charithe/durationcheck: v0.0.9
• github.com/chavacava/garif: e8a0a40
• github.com/chzyer/logex: v1.1.10
• github.com/chzyer/readline: 2972be2
• github.com/chzyer/test: a1ea475
• github.com/client9/misspell: v0.3.4
• github.com/cncf/udpa/go: 5459f2c
• github.com/cncf/xds/go: fbca930
• github.com/cockroachdb/datadriven: 80d97fb
• github.com/coreos/etcd: ...

Release v0.3.0

This release of bom introduces a ton of new features including JSON support document querying reading SBOMs from STDIN and more. bom now has a website too!. Thanks to our contributors for making this our biggest release so far :)

Release Notes

Changes by Kind

Feature

• --file now works with glob patterns (#70, @sbs2001)
• Added support for verifying whole directories via bom validate -d. (#123, @saschagrunert)
• Bom now adds ExternalRefs with Package URLs (purls) for all system packages, go dependencies and OCI images. (#69, @puerco)
• Feat: upgrade ko, utilize KOCACHE (#66, @developer-guy)
• SBOM can now parse spdx+json documents which means that they can be outlined and queried just as their tag-value counterparts. (#133, @puerco)
• SBOMs can now be read from STDIN by passing - as a path wherever a filename is expected
  • Added support to render and parse PackageSupplier, PackageHomePage, LicenseComments and PackageLicenseComments
  • Fixed a bug where the creator organization was missing from the SBOM output. (#63, @puerco)
• Upgrade go to 1.18 (#107, @cpanato)
• We now have image promotion manifests for canary jobs (#90, @puerco)
• bom can now validate artifacts! We now have a new validate subcommand that can be used to check files attached to the top of the SBOM: bom validate sbom.spdx file.txt. No more checksum.txt files! 🎉 (#46, @puerco)

Documentation

• Fixed minor typos in documentation (#62, @jspeed-meyers)

Bug or Regression

• Added externalDocumentRefs to the json types (#130, @puerco)
• Fixed a panic where bom would die when no OS packages could be read from a debian base layer.
  • Fixed a bug that disconnected the entire document subcommand from the main cobra command (#84, @puerco)
• Fixes a bug in the go dependency generator where var scope was handled wrong and errors were not being surfaced correctly
  • The go module parser is now more permissive preventing a fatal error when a dependency cannot be converted to a SPDX package
  • Fixed a bug where the go module being analyzed was incorrectly listed as a dependency of itself (#97, @puerco)
• Reverted licenseclassifier update because it includes a runtime panic regression. (#128, @saschagrunert)
• Update github.com/google/go-containerregistry to v0.9.0
  • update k8s.gcr.io reference to use registry.k8s.io (#109, @cpanato)

Other (Cleanup or Flake)

• Cobra commands in the CLI now can be reused and now share the same import pattern (#68, @puerco)
• Package names generated from go modules do not include the module's version anymore. (#99, @puerco)
• The bom project now features canary releases published to the staging bucket (#93, @puerco)
• Update version command to use the one from release-utils (#60, @cpanato)

Uncategorized

• bom now can write SBOMs in JSON!
  • New bom document query subcommand allows querying SBOMs using a new filtering language (#104, @jdolitsky)
• Fix: check local image cache first (#73, @developer-guy)
• bom now has a website! For now, it is hosted in https://kubernetes-sigs.github.io/bom while we finish setting up the k8s.io domain. (#131, @sbs2001)

Dependencies

Added

• 4d63.com/gochecknoglobals: v0.1.0
• bitbucket.org/creachadair/shell: v0.0.6
• cloud.google.com/go/compute: v1.6.1
• cloud.google.com/go/spanner: v1.7.0
• contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
• github.com/Antonboom/errname: v0.1.5
• github.com/Antonboom/nilnil: v0.1.0
• github.com/Djarvur/go-err113: aea10b5
• github.com/Masterminds/goutils: v1.1.0
• github.com/Masterminds/semver: v1.5.0
• github.com/Masterminds/sprig: v2.22.0+incompatible
• github.com/OpenPeeDeeP/depguard: v1.0.1
• github.com/StackExchange/wmi: v1.2.1
• github.com/alexkohler/prealloc: v1.0.0
• github.com/aokoli/goutils: v1.0.1
• github.com/ashanbrown/forbidigo: v1.2.0
• github.com/ashanbrown/makezero: b626158
• github.com/bketelsen/crypt: v0.0.4
• github.com/bkielbasa/cyclop: v1.2.0
• github.com/blizzy78/varnamelen: v0.3.0
• github.com/bombsimon/wsl/v3: v3.3.0
• github.com/breml/bidichk: v0.1.1
• github.com/butuzov/ireturn: v0.1.1
• github.com/charithe/durationcheck: v0.0.9
• github.com/chavacava/garif: e8a0a40
• github.com/common-nighthawk/go-figure: 734e95f
• github.com/coreos/go-etcd: v2.0.0+incompatible
• github.com/cpuguy83/go-md2man: v1.0.10
• github.com/daixiang0/gci: v0.2.9
• github.com/denis-tingajkin/go-header: v0.4.2
• github.com/esimonov/ifshort: v1.0.3
• github.com/ettle/strcase: v0.1.1
• github.com/fatih/structtag: v1.2.0
• github.com/fullstorydev/grpcurl: v1.6.0
• github.com/fzipp/gocyclo: v0.3.1
• github.com/go-critic/go-critic: v0.6.1
• github.com/go-ole/go-ole: v1.2.6
• github.com/go-redis/redis: v6.15.8+incompatible
• github.com/go-sql-driver/mysql: v1.5.0
• github.com/go-task/slim-sprig: 348f09d
• github.com/go-toolsmith/astcast: v1.0.0
• github.com/go-toolsmith/astcopy: v1.0.0
• github.com/go-toolsmith/astequal: v1.0.1
• github.com/go-toolsmith/astfmt: v1.0.0
• github.com/go-toolsmith/astinfo: 9809ff7
• github.com/go-toolsmith/astp: v1.0.0
• github.com/go-toolsmith/pkgload: v1.0.0
• github.com/go-toolsmith/strparse: v1.0.0
• github.com/go-toolsmith/typep: v1.0.2
• github.com/go-xmlfmt/xmlfmt: d5b6f63
• github.com/gobwas/glob: v0.2.3
• github.com/gofrs/flock: v0.8.1
• github.com/golangci/check: cfe4005
• github.com/golangci/dupl: 3e9179a
• github.com/golangci/go-misc: 927a3d8
• github.com/golangci/gofmt: 244bba7
• github.com/golangci/golangci-lint: v1.43.0
• github.com/golangci/lint-1: 297bf36
• github.com/golangci/maligned: b1d8939
• github.com/golangci/misspell: v0.3.5
• github.com/golangci/revgrep: c22e500
• github.com/golangci/unconvert: 28b1c44
• github.com/google/certificate-transparency-go: v1.1.1
• github.com/google/trillian: v1.3.11
• github.com/gookit/color: v1.4.2
• github.com/gordonklaus/ineffassign: 2e10b26
• github.com/gorhill/cronexpr: 88b0669
• github.com/gostaticanalysis/analysisutil: v0.7.1
• github.com/gostaticanalysis/comment: v1.4.2
• github.com/gostaticanalysis/forcetypeassert: 01d4955
• github.com/gostaticanalysis/nilerr: v0.1.1
• github.com/gostaticanalysis/testutil: v0.4.0
• github.com/hashicorp/go-version: v1.2.1
• github.com/hashicorp/go.net: v0.0.1
• github.com/huand...

v0.3.0-rc1

What's Changed

• Validate Subcommand! by @puerco in #46
• Add ok-to-test label to dependabot PRs by @cpanato in #59
• update version command to use the one from release-utils by @cpanato in #60
• Fix minor typo in documentation by @jspeed-meyers in #62
• Support Parsing SBOMs from STDIN by @puerco in #63
• Add cloudbuild job to generate binaries and images by @cpanato in #45
• Fix image build command by @cpanato in #65
• update ko command by @cpanato in #67
• build(deps): bump github.com/carolynvs/magex from 0.6.0 to 0.6.1 by @dependabot in #64
• feat: upgrade ko, utilize KOCACHE by @developer-guy in #66
• generate+document commands refactor by @puerco in #68
• Generate purls from read sources by @puerco in #69
• build(deps): bump github.com/spf13/cobra from 1.3.0 to 1.4.0 by @dependabot in #71
• Support glob in 'generate --files' by @sbs2001 in #70
• build(deps): bump golang.org/x/tools from 0.1.9 to 0.1.10 by @dependabot in #75
• fix: check local image cache first by @developer-guy in #73
• build(deps): bump github.com/magefile/mage from 1.12.1 to 1.13.0 by @dependabot in #79
• build(deps): bump github.com/maxbrunsfeld/counterfeiter/v6 from 6.4.1 to 6.5.0 by @dependabot in #78
• build(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.1 by @dependabot in #76
• Add docs for YAML config by @sbs2001 in #83
• build(deps): bump github.com/carolynvs/magex from 0.6.1 to 0.7.0 by @dependabot in #85
• Fix panic when emtpy os deps, readd document by @puerco in #84
• build(deps): bump github.com/carolynvs/magex from 0.7.0 to 0.7.1 by @dependabot in #86
• build(deps): bump sigs.k8s.io/release-utils from 0.5.0 to 0.6.0 by @dependabot in #87
• update build image to use latest go by @cpanato in #88
• update version font and ko version by @cpanato in #89

New Contributors

• @jspeed-meyers made their first contribution in #62
• @developer-guy made their first contribution in #66
• @sbs2001 made their first contribution in #70

Full Changelog: v0.2.2...v0.3.0-rc1

Release v0.2.2

This release brings an important fix to avoid duplicating SPDX IDs when generating complex SBOMs that repeast elements such as base images. It also adds to the API a new function to query documents and other minor fixes. Thanks a lot to everyone for your contributions and feedback

Release Notes

Changes by Kind

Feature

• New XML-DOM inspired x.GetElementByID() allows querying documents, Files and Packages for elements that match an ID.
  • The builder Object now ensures that generated SPDX IDs are unique across the document. (#57, @puerco)
• The YAML configuration file now supports adding archives using type: archive (#50, @puerco)

Bug or Regression

• ./bom document outline
  bom document outline → Draw structure of a SPDX document",

  This subcommand draws a tree-like outline to help the user visualize
  the structure of the bom. Even when an SBOM represents a graph structure,
  drawing a tree helps a lot to understand what is contained in the document.

  You can define a level of depth to limit the expansion of the entities.
  For example set --depth=1 to only visualize only the files and packages
  attached directly to the root of the document.

  bom will try to add useful information to the oultine but, if needed, you can
  set the --spdx-ids to only output the IDs of the entities.

  Usage:
  bom document outline [SPDX File To Draw] [flags]

  Flags:
  -d, --depth int recursion level (default -1)
  -h, --help help for outline
  --spdx-ids use SPDX identifiers in tree nodes instead of names

  Global Flags:
  --log-level string the logging verbosity, either 'panic', 'fatal', 'error', 'warning', 'info', 'debug', 'trace' (default "info")
  FATA You should only specify one file (#54, @jeremyrickard)

• Released bom binaries are now statically compiled (#47, @puerco)

• When applying ignore patterns, bom will now refuse to build an empty SBOM if the patterns result in zero files included (#58, @kfaseela)

Other (Cleanup or Flake)

• Replaced the animation on the main GitHub page with a link to external page as it caused high CPU consumption (#39, @puerco)
• When generating an SBOM, bom will now print its version before running to record it in CI/CD logs (#51, @puerco)

Dependencies

Added

Nothing has changed.

Changed

• github.com/Azure/go-ansiterm: d6e3b33 → d185dfc
• github.com/moby/term: df9cb8a → 3f7ff69
• sigs.k8s.io/release-utils: v0.3.0 → v0.4.0

Removed

Nothing has changed.

Release v0.2.1

This minor patch release includes a fix to automatically detect compressed container image layers.

Release Notes

Changes by Kind

Feature

• Files and directories passed in flags to the bom utility are now checked for existence before running the SBOM generator
  • New flag --name allows thew user to set the document name from the command line
  • New flag --scan-images controls if container images are scanned for OS packages or not (#34, @puerco)
• New container image layer scanner for checking inside of layers for OS data. The first version supports extracting packages from debian based OSs. (#31, @puerco)

Bug or Regression

• Tarball headers are now checked to see if they are compressed. Previously we relied on file extensions which made the tarball handling code flaky
  • Fixed a proble where --scan-images was unresponsive because a bug in the internal plumbing (#37, @puerco)

Other (Cleanup or Flake)

• Replaced the animation on the main GitHub page with a link to external page as it caused high CPU consumption (#39, @puerco)

Uncategorized

• Added missing --archive and --image-archive flags to main README (#33, @kfaseela)

Dependencies

Added

Nothing has changed.

Changed

• golang.org/x/tools: v0.1.8 → v0.1.9

Removed

Nothing has changed.

Release v0.2.0

This is the first release of bom after the code move from kubernetes/release to its own repository! A big big thank you to all contributors that sent patches to the project.

Release Notes

Changes by Kind

Deprecation

• Added a few more unit tests to the spdx package to cover the following functions: spdx.GetImageReferences spdx.TestPullImagesToArchive spdx.TestGetDirectoryTree spdx.TestIgnorePatterns
  • bom: The --tarballs flag is now deprecated. It has been replaced with --image-archive during demos and chats, it proved to be confusing (it still works but will print a warning)
  • bom: There is a new flag: --archive. When enabled, bom adds archives (currently tars) as spdx packages to the doc. Its files are license-scanned and listed in the package
  • bom: Passing a flag defining the SPDX document namespace is not required anymore. The generator now defines it using the spdx.org public URL defined in the 2.2+ spec.
  • The spdx package now supports reading compressed tars (#4, @puerco)

Feature

• Add initial filetype support (#12, @cpanato)
• New container image layer scanner for checking inside of layers for OS data. The first version supports extracting packages from debian based OSs. (#31, @puerco)
• bom generate can now output provenance attestations along SBOMs. When specifying a json file using the new --provenance flag, bom will dump the SPDX data as an in-toto attestation with all the SBOM entities as in-toto subjects. The statement can then be picked up by later CI/CD stages to complete the rest of the build data. (#14, @puerco)

Failing Test

• Fixed flakes in TestWriteProvenance and TestToProvenance where the test would fail one every three runs (#25, @puerco)

Other (Cleanup or Flake)

• The provenance package now produces attestations conformant to the SLSA v0.2 specification. (#13, @puerco)

Uncategorized

• Use the default Docker keychain to leverage auth mechanisms so that we can allow users to work with non-public remote images. (#18, @jdolitsky)

Dependencies

Added

• github.com/DataDog/datadog-go: v3.2.0+incompatible
• github.com/cenkalti/backoff/v4: v4.1.1
• github.com/circonus-labs/circonus-gometrics: v2.3.1+incompatible
• github.com/circonus-labs/circonusllhist: v0.1.3
• github.com/hashicorp/go-hclog: v1.0.0
• github.com/hashicorp/go-retryablehttp: v0.5.3
• github.com/iancoleman/strcase: v0.2.0
• github.com/lyft/protoc-gen-star: v0.5.3
• github.com/sagikazarmark/crypt: v0.3.0
• github.com/secure-systems-lab/go-securesystemslib: v0.3.0
• github.com/tv42/httpunix: b75d861

Changed

• cloud.google.com/go/firestore: v1.1.0 → v1.6.1
• cloud.google.com/go: v0.97.0 → v0.99.0
• github.com/Microsoft/hcsshim: v0.8.21 → v0.8.23
• github.com/armon/go-metrics: f0300d1 → v0.3.10
• github.com/armon/go-radix: 7fddfc3 → v1.0.0
• github.com/census-instrumentation/opencensus-proto: v0.2.1 → v0.3.0
• github.com/cespare/xxhash/v2: v2.1.1 → v2.1.2
• github.com/cncf/xds/go: cb28da3 → a8f9461
• github.com/containerd/containerd: v1.5.7 → v1.5.8
• github.com/containerd/stargz-snapshotter/estargz: v0.10.0 → v0.10.1
• github.com/containerd/ttrpc: v1.0.2 → v1.1.0
• github.com/docker/cli: v20.10.10+incompatible → v20.10.12+incompatible
• github.com/docker/docker: v20.10.10+incompatible → v20.10.12+incompatible
• github.com/envoyproxy/go-control-plane: cf90f65 → v0.10.1
• github.com/envoyproxy/protoc-gen-validate: v0.1.0 → v0.6.2
• github.com/fatih/color: v1.7.0 → v1.13.0
• github.com/fsnotify/fsnotify: v1.4.9 → v1.5.1
• github.com/golang/groupcache: 8c9f03a → 41bb18b
• github.com/google/go-containerregistry: v0.7.0 → v0.8.0
• github.com/googleapis/gax-go/v2: v2.1.0 → v2.1.1
• github.com/hashicorp/consul/api: v1.1.0 → v1.11.0
• github.com/hashicorp/consul/sdk: v0.1.1 → v0.8.0
• github.com/hashicorp/go-cleanhttp: v0.5.1 → v0.5.2
• github.com/hashicorp/go-immutable-radix: v1.0.0 → v1.3.1
• github.com/hashicorp/go-multierror: v1.0.0 → v1.1.0
• github.com/hashicorp/go-rootcerts: v1.0.0 → v1.0.2
• github.com/hashicorp/golang-lru: v0.5.1 → v0.5.4
• github.com/hashicorp/mdns: v1.0.0 → v1.0.4
• github.com/hashicorp/memberlist: v0.1.3 → v0.3.0
• github.com/hashicorp/serf: v0.8.2 → v0.9.6
• github.com/in-toto/in-toto-golang: v0.3.3 → af1f9fb
• github.com/json-iterator/go: v1.1.11 → v1.1.12
• github.com/magefile/mage: v1.11.0 → v1.12.1
• github.com/mattn/go-colorable: v0.0.9 → v0.1.12
• github.com/mattn/go-isatty: v0.0.4 → v0.0.14
• github.com/miekg/dns: v1.0.14 → v1.1.41
• github.com/mitchellh/cli: v1.0.0 → v1.1.0
• github.com/mitchellh/mapstructure: v1.4.1 → v1.4.3
• github.com/modern-go/reflect2: v1.0.1 → v1.0.2
• github.com/opencontainers/image-spec: 8e42a01 → v1.0.2
• github.com/pascaldekloe/goe: 57f6aae → v0.1.0
• github.com/pelletier/go-toml: v1.9.3 → v1.9.4
• github.com/posener/complete: v1.1.1 → v1.2.3
• github.com/shibumi/go-pathspec: v1.2.0 → v1.3.0
• github.com/smartystreets/goconvey: v1.6.4 → 68dc04a
• github.com/spf13/cast: v1.3.1 → v1.4.1
• github.com/spf13/cobra: v1.2.1 → v1.3.0
• github.com/spf13/viper: v1.8.1 → v1.10.0
• github.com/yuin/goldmark: v1.4.0 → v1.4.1
• go.etcd.io/etcd/api/v3: v3.5.0 → v3.5.1
• go.etcd.io/etcd/client/pkg/v3: v3.5.0 → v3.5.1
• go.etcd.io/etcd/client/v2: v2.305.0 → v2.305.1
• golang.org/x/crypto: 83a5a9b → e495a2d
• golang.org/x/net: 58aab5e → fe4d628
• golang.org/x/sys: 99a5385 → 1d35b9e
• golang.org/x/text: v0.3.6 → v0.3.7
• golang.org/x/time: 3af7569 → f8bda1e
• golang.org/x/tools: v0.1.7 → v0.1.8
• google.golang.org/api: v0.57.0 → v0.62.0
• google.golang.org/genproto: 482062a → 3a66f56
• google.golang.org/grpc: v1.42.0 → v1.43.0
• gopkg.in/ini.v1: v1.62.0 → v1.66.2
• k8s.io/utils: 2afb431 → 7d6a63d

Removed

• github.com/bketelsen/crypt: v0.0.4
• github.com/hashicorp/go.net: v0.0.1
• github.com/mitchellh/gox: v0.4.0
• github.com/mitchellh/iochan: v1.0.0