v0.4.0

@cpanato cpanato released this 20 Oct 23:05
· 615 commits to main since this release
c334ca3

Release Notes

Changes by Kind

API Change

  • Change SPDX json package name to remove patch semantic versioning (#145, @lumjjb)

Feature

  • Allow specifying URLs in bom document query/outline. (#170, @saschagrunert)
  • Bump go to 1.19 (#175, @cpanato)
  • Chore: use different base image to include go (#136, @developer-guy)
  • Feat: use mage pkg to generate ldflags (#154, @developer-guy)
  • Image archives are treated as files now. The SBOM structure now consists of a package representing the tar, with the OCI artifacts inside.
    • Package names now reflect container image digests instead of tags. This makes the bom SBOMs similar to what other tools are doing now (#143, @puerco)
  • Introduced a new presubmit workflow to run an SPDX conformance check on the documents generated by bom using the SPDX Java tools. (#159, @puerco)
  • SBOM can now parse spdx+json documents which means that they can be outlined and queried just as their tag-value counterparts. (#133, @puerco)
  • bom now generates SBOMs conformant to SPDX version 2.3 🎉
    • The ingestion engine has now been overhauled with new standards checks and SPDX version awareness. This means that we can now check for errors that apply to a particular SPDX version.
    • Improved JSON document validation, particularly when rendering empty elements. (#157, @puerco)

Bug or Regression

  • Fix: ko version output in magefile (#152, @developer-guy)
  • Fixed a bug where Debian packages were listed in the SBOM with the version appended; now Name only has the name, as expected (#138, @puerco)
  • Fixed a bug where FileType in compressed tars was not categorized as ARCHIVE (#156, @puerco)
  • Looking for precached images in the local daemon is now removed, as it broke multiarch image SBOMs.
    • Image downloading is now done in parallel. This should provide some speed gains in some high bandwidth settings (#139, @puerco)
  • The license module in bom is now compatible with the latest google/licenseclassifier v2 prereleases. (#161, @puerco)
  • When indexing golang repos, bom would throw a fatal error if no go.sum file was found. Now it returns an empty dependency list and generates the SBOM from the repository correctly. (#162, @puerco)

Dependencies

Added

  • github.com/Masterminds/semver/v3: v3.1.1
  • github.com/blang/semver/v4: v4.0.0

Changed

Removed

  • 4d63.com/gochecknoglobals: v0.1.0
  • bitbucket.org/creachadair/shell: v0.0.6
  • cloud.google.com/go/bigquery: v1.8.0
  • cloud.google.com/go/datastore: v1.1.0
  • cloud.google.com/go/firestore: v1.6.0
  • cloud.google.com/go/pubsub: v1.5.0
  • cloud.google.com/go/spanner: v1.7.0
  • cloud.google.com/go/storage: v1.10.0
  • cloud.google.com/go: v0.93.3
  • contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
  • dmitri.shuralyov.com/gpu/mtl: 666a987
  • github.com/Antonboom/errname: v0.1.5
  • github.com/Antonboom/nilnil: v0.1.0
  • github.com/BurntSushi/xgb: 27f1227
  • github.com/Djarvur/go-err113: aea10b5
  • github.com/Masterminds/goutils: v1.1.0
  • github.com/Masterminds/semver: v1.5.0
  • github.com/Masterminds/sprig: v2.22.0+incompatible
  • github.com/OneOfOne/xxhash: v1.2.2
  • github.com/OpenPeeDeeP/depguard: v1.0.1
  • github.com/StackExchange/wmi: v1.2.1
  • github.com/alecthomas/template: fb15b89
  • github.com/alecthomas/units: c3de453
  • github.com/alexkohler/prealloc: v1.0.0
  • github.com/antihax/optional: v1.0.0
  • github.com/aokoli/goutils: v1.0.1
  • github.com/armon/circbuf: bbbad09
  • github.com/armon/consul-api: eb2c6b5
  • github.com/armon/go-metrics: f0300d1
  • github.com/armon/go-radix: v1.0.0
  • github.com/ashanbrown/forbidigo: v1.2.0
  • github.com/ashanbrown/makezero: b626158
  • github.com/aws/aws-sdk-go: v1.36.30
  • github.com/beorn7/perks: v1.0.1
  • github.com/bgentry/speakeasy: v0.1.0
  • github.com/bketelsen/crypt: v0.0.4
  • github.com/bkielbasa/cyclop: v1.2.0
  • github.com/blang/semver: v3.5.1+incompatible
  • github.com/blizzy78/varnamelen: v0.3.0
  • github.com/bombsimon/wsl/v3: v3.3.0
  • github.com/breml/bidichk: v0.1.1
  • github.com/butuzov/ireturn: v0.1.1
  • github.com/census-instrumentation/opencensus-proto: v0.2.1
  • github.com/cespare/xxhash/v2: v2.1.1
  • github.com/cespare/xxhash: v1.1.0
  • github.com/charithe/durationcheck: v0.0.9
  • github.com/chavacava/garif: e8a0a40
  • github.com/chzyer/logex: v1.1.10
  • github.com/chzyer/readline: 2972be2
  • github.com/chzyer/test: a1ea475
  • github.com/client9/misspell: v0.3.4
  • github.com/cncf/udpa/go: 5459f2c
  • github.com/cncf/xds/go: fbca930
  • github.com/cockroachdb/datadriven: 80d97fb
  • github.com/coreos/etcd: v3.3.10+incompatible
  • github.com/coreos/go-etcd: v2.0.0+incompatible
  • github.com/coreos/go-semver: v0.3.0
  • github.com/coreos/go-systemd/v22: v22.3.2
  • github.com/coreos/go-systemd: e64a0ec
  • github.com/coreos/pkg: 399ea9e
  • github.com/cpuguy83/go-md2man: v1.0.10
  • github.com/daixiang0/gci: v0.2.9
  • github.com/denis-tingajkin/go-header: v0.4.2
  • github.com/dgrijalva/jwt-go: v3.2.0+incompatible
  • github.com/dustin/go-humanize: v1.0.0
  • github.com/envoyproxy/go-control-plane: 63b5d3c
  • github.com/envoyproxy/protoc-gen-validate: v0.1.0
  • github.com/esimonov/ifshort: v1.0.3
  • github.com/ettle/strcase: v0.1.1
  • github.com/fatih/color: v1.13.0
  • github.com/fatih/structtag: v1.2.0
  • github.com/fsnotify/fsnotify: v1.5.1
  • github.com/fullstorydev/grpcurl: v1.6.0
  • github.com/fzipp/gocyclo: v0.3.1
  • github.com/ghodss/yaml: v1.0.0
  • github.com/go-critic/go-critic: v0.6.1
  • github.com/go-gl/glfw/v3.3/glfw: 6f7a984
  • github.com/go-gl/glfw: e6da0ac
  • github.com/go-kit/kit: v0.9.0
  • github.com/go-logfmt/logfmt: v0.4.0
  • github.com/go-ole/go-ole: v1.2.6
  • github.com/go-redis/redis: v6.15.8+incompatible
  • github.com/go-sql-driver/mysql: v1.5.0
  • github.com/go-stack/stack: v1.8.0
  • github.com/go-task/slim-sprig: 348f09d
  • github.com/go-toolsmith/astcast: v1.0.0
  • github.com/go-toolsmith/astcopy: v1.0.0
  • github.com/go-toolsmith/astequal: v1.0.1
  • github.com/go-toolsmith/astfmt: v1.0.0
  • github.com/go-toolsmith/astinfo: 9809ff7
  • github.com/go-toolsmith/astp: v1.0.0
  • github.com/go-toolsmith/pkgload: v1.0.0
  • github.com/go-toolsmith/strparse: v1.0.0
  • github.com/go-toolsmith/typep: v1.0.2
  • github.com/go-xmlfmt/xmlfmt: d5b6f63
  • github.com/gobwas/glob: v0.2.3
  • github.com/godbus/dbus/v5: v5.0.4
  • github.com/gofrs/flock: v0.8.1
  • github.com/golang/glog: 23def4e
  • github.com/golang/groupcache: 8c9f03a
  • github.com/golang/mock: v1.6.0
  • github.com/golangci/check: cfe4005
  • github.com/golangci/dupl: 3e9179a
  • github.com/golangci/go-misc: 927a3d8
  • github.com/golangci/gofmt: 244bba7
  • github.com/golangci/golangci-lint: v1.43.0
  • github.com/golangci/lint-1: 297bf36
  • github.com/golangci/maligned: b1d8939
  • github.com/golangci/misspell: v0.3.5
  • github.com/golangci/revgrep: c22e500
  • github.com/golangci/unconvert: 28b1c44
  • github.com/google/btree: v1.0.0
  • github.com/google/certificate-transparency-go: v1.1.1
  • github.com/google/gofuzz: v1.0.0
  • github.com/google/martian/v3: v3.2.1
  • github.com/google/martian: v2.1.0+incompatible
  • github.com/google/pprof: 4bb14d4
  • github.com/google/renameio: v0.1.0
  • github.com/google/trillian: v1.3.11
  • github.com/googleapis/gax-go/v2: v2.1.0
  • github.com/gookit/color: v1.4.2
  • github.com/gopherjs/gopherjs: 0766667
  • github.com/gordonklaus/ineffassign: 2e10b26
  • github.com/gorhill/cronexpr: 88b0669
  • github.com/gorilla/mux: v1.8.0
  • github.com/gorilla/websocket: v1.4.1
  • github.com/gostaticanalysis/analysisutil: v0.7.1
  • github.com/gostaticanalysis/comment: v1.4.2
  • github.com/gostaticanalysis/forcetypeassert: 01d4955
  • github.com/gostaticanalysis/nilerr: v0.1.1
  • github.com/gostaticanalysis/testutil: v0.4.0
  • github.com/gregjones/httpcache: 901d907
  • github.com/grpc-ecosystem/go-grpc-middleware: v1.2.2
  • github.com/grpc-ecosystem/go-grpc-prometheus: v1.2.0
  • github.com/grpc-ecosystem/grpc-gateway: v1.16.0
  • github.com/hashicorp/consul/api: v1.10.1
  • github.com/hashicorp/consul/sdk: v0.8.0
  • github.com/hashicorp/errwrap: v1.0.0
  • github.com/hashicorp/go-cleanhttp: v0.5.1
  • github.com/hashicorp/go-hclog: v0.12.0
  • github.com/hashicorp/go-immutable-radix: v1.0.0
  • github.com/hashicorp/go-msgpack: v0.5.3
  • github.com/hashicorp/go-multierror: v1.1.1
  • github.com/hashicorp/go-rootcerts: v1.0.2
  • github.com/hashicorp/go-sockaddr: v1.0.0
  • github.com/hashicorp/go-syslog: v1.0.0
  • github.com/hashicorp/go-uuid: v1.0.1
  • github.com/hashicorp/go-version: v1.2.1
  • github.com/hashicorp/go.net: v0.0.1
  • github.com/hashicorp/golang-lru: v0.5.4
  • github.com/hashicorp/hcl: v1.0.0
  • github.com/hashicorp/logutils: v1.0.0
  • github.com/hashicorp/mdns: v1.0.1
  • github.com/hashicorp/memberlist: v0.2.2
  • github.com/hashicorp/serf: v0.9.5
  • github.com/hpcloud/tail: v1.0.0
  • github.com/huandu/xstrings: v1.2.0
  • github.com/ianlancetaylor/demangle: 28f6c0f
  • github.com/jgautheron/goconst: v1.5.1
  • github.com/jhump/protoreflect: v1.6.1
  • github.com/jingyugao/rowserrcheck: v1.1.1
  • github.com/jirfag/go-printf-func-name: 7558a9e
  • github.com/jmespath/go-jmespath/internal/testify: v1.5.1
  • github.com/jmespath/go-jmespath: v0.4.0
  • github.com/jmoiron/sqlx: v1.2.0
  • github.com/jonboulle/clockwork: v0.2.0
  • github.com/josharian/txtarfs: 0702f00
  • github.com/json-iterator/go: v1.1.11
  • github.com/jstemmer/go-junit-report: v0.9.1
  • github.com/jtolds/gls: v4.20.0+incompatible
  • github.com/juju/ratelimit: v1.0.1
  • github.com/julienschmidt/httprouter: v1.2.0
  • github.com/julz/importas: 841f0c0
  • github.com/k0kubun/colorstring: 9440f19
  • github.com/kisielk/errcheck: v1.6.0
  • github.com/kisielk/gotool: v1.0.0
  • github.com/kr/fs: v0.1.0
  • github.com/kr/logfmt: b84e30a
  • github.com/kulti/thelper: v0.4.0
  • github.com/kunwardeep/paralleltest: v1.0.3
  • github.com/kylelemons/godebug: v1.1.0
  • github.com/kyoh86/exportloopref: v0.1.8
  • github.com/ldez/gomoddirectives: v0.2.2
  • github.com/ldez/tagliatelle: v0.2.0
  • github.com/letsencrypt/pkcs11key/v4: v4.0.0
  • github.com/lib/pq: v1.10.3
  • github.com/logrusorgru/aurora: a7b3b31
  • github.com/lufia/plan9stats: 39d0f17
  • github.com/magiconair/properties: v1.8.5
  • github.com/maratori/testpackage: v1.0.1
  • github.com/matoous/godox: 6504466
  • github.com/mattn/go-colorable: v0.1.11
  • github.com/mattn/go-isatty: v0.0.14
  • github.com/mattn/go-sqlite3: v1.9.0
  • github.com/mattn/goveralls: v0.0.2
  • github.com/matttproud/golang_protobuf_extensions: v1.0.1
  • github.com/mbilski/exhaustivestruct: v1.2.0
  • github.com/mgechev/dots: e955255
  • github.com/mgechev/revive: v1.1.2
  • github.com/miekg/dns: v1.1.35
  • github.com/miekg/pkcs11: v1.0.3
  • github.com/mitchellh/cli: v1.1.0
  • github.com/mitchellh/copystructure: v1.0.0
  • github.com/mitchellh/go-ps: v1.0.0
  • github.com/mitchellh/go-testing-interface: v1.0.0
  • github.com/mitchellh/gox: v0.4.0
  • github.com/mitchellh/iochan: v1.0.0
  • github.com/mitchellh/mapstructure: v1.4.2
  • github.com/mitchellh/reflectwalk: v1.0.1
  • github.com/modern-go/concurrent: bacd9c7
  • github.com/modern-go/reflect2: v1.0.1
  • github.com/mohae/deepcopy: c48cc78
  • github.com/moricho/tparallel: v0.2.1
  • github.com/mozilla/scribe: fb71baf
  • github.com/mozilla/tls-observatory: 7bc4285
  • github.com/mwitkow/go-conntrack: cc309e4
  • github.com/mwitkow/go-proto-validators: v0.2.0
  • github.com/nakabonne/nestif: v0.3.1
  • github.com/nbutton23/zxcvbn-go: fa2cb28
  • github.com/nishanths/exhaustive: v0.2.3
  • github.com/nishanths/predeclared: v0.2.1
  • github.com/nxadm/tail: v1.4.8
  • github.com/onsi/ginkgo: v1.16.4
  • github.com/opentracing/opentracing-go: v1.1.0
  • github.com/otiai10/copy: v1.2.0
  • github.com/otiai10/curr: v1.0.0
  • github.com/otiai10/mint: v1.3.1
  • github.com/pascaldekloe/goe: 57f6aae
  • github.com/pborman/uuid: v1.2.0
  • github.com/pelletier/go-toml: v1.9.4
  • github.com/peterbourgon/diskv: v2.0.1+incompatible
  • github.com/phayes/checkstyle: bfd46e6
  • github.com/pkg/sftp: v1.10.1
  • github.com/polyfloyd/go-errorlint: 910bb79
  • github.com/posener/complete: v1.2.3
  • github.com/prometheus/client_golang: v1.7.1
  • github.com/prometheus/client_model: v0.2.0
  • github.com/prometheus/common: v0.10.0
  • github.com/prometheus/procfs: v0.6.0
  • github.com/pseudomuto/protoc-gen-doc: v1.3.2
  • github.com/pseudomuto/protokit: v0.2.0
  • github.com/quasilyte/go-consistent: c6f3937
  • github.com/quasilyte/go-ruleguard/dsl: v0.3.10
  • github.com/quasilyte/go-ruleguard/rules: 545e0d2
  • github.com/quasilyte/go-ruleguard: v0.3.13
  • github.com/quasilyte/regex/syntax: 30656e2
  • github.com/rogpeppe/fastuuid: v1.2.0
  • github.com/rs/cors: v1.7.0
  • github.com/ryancurrah/gomodguard: v1.2.3
  • github.com/ryanrolds/sqlclosecheck: v0.3.0
  • github.com/ryanuber/columnize: 9b3edd6
  • github.com/sagikazarmark/crypt: v0.1.0
  • github.com/sanposhiho/wastedassign/v2: v2.0.6
  • github.com/sean-/seed: e2103e2
  • github.com/securego/gosec/v2: v2.9.1
  • github.com/shazow/go-diff: b6b7b67
  • github.com/shirou/gopsutil/v3: v3.21.10
  • github.com/shurcooL/go-goon: 37c2f52
  • github.com/shurcooL/go: 9e1955d
  • github.com/sivchari/tenv: v1.4.7
  • github.com/smartystreets/assertions: b2de0cb
  • github.com/smartystreets/goconvey: v1.6.4
  • github.com/soheilhy/cmux: v0.1.4
  • github.com/sonatard/noctx: v0.0.1
  • github.com/sourcegraph/go-diff: v0.6.1
  • github.com/spaolacci/murmur3: f09979e
  • github.com/spf13/cast: v1.4.1
  • github.com/spf13/jwalterweatherman: v1.1.0
  • github.com/spf13/viper: v1.9.0
  • github.com/ssgreg/nlreturn/v2: v2.2.1
  • github.com/subosito/gotenv: v1.2.0
  • github.com/sylvia7788/contextcheck: v1.0.4
  • github.com/tdakkota/asciicheck: e657995
  • github.com/tenntenn/modver: v1.0.1
  • github.com/tenntenn/text/transform: 7eef512
  • github.com/tetafro/godot: v1.4.11
  • github.com/timakin/bodyclose: cb62158
  • github.com/tklauser/go-sysconf: v0.3.9
  • github.com/tklauser/numcpus: v0.3.0
  • github.com/tmc/grpc-websocket-proxy: 3cfed13
  • github.com/tomarrell/wrapcheck/v2: v2.4.0
  • github.com/tomasen/realip: f0c99a9
  • github.com/tommy-muehle/go-mnd/v2: v2.4.0
  • github.com/ugorji/go/codec: d75b2dc
  • github.com/ultraware/funlen: v0.0.3
  • github.com/ultraware/whitespace: v0.0.4
  • github.com/uudashr/gocognit: v1.0.5
  • github.com/valyala/bytebufferpool: v1.0.0
  • github.com/valyala/fasthttp: v1.30.0
  • github.com/valyala/quicktemplate: v1.7.0
  • github.com/valyala/tcplisten: v1.0.0
  • github.com/viki-org/dnscache: c70c1f2
  • github.com/xiang90/probing: 43a291a
  • github.com/xo/terminfo: ca9a967
  • github.com/xordataexchange/crypt: b2862e3
  • github.com/yeya24/promlinter: v0.1.0
  • github.com/yudai/gojsondiff: v1.0.0
  • github.com/yudai/golcs: ecda9a5
  • github.com/yudai/pp: v2.0.1+incompatible
  • go.etcd.io/bbolt: v1.3.4
  • go.etcd.io/etcd/api/v3: v3.5.0
  • go.etcd.io/etcd/client/pkg/v3: v3.5.0
  • go.etcd.io/etcd/client/v2: v2.305.0
  • go.etcd.io/etcd: e048e16
  • go.mozilla.org/mozlog: 4bb1313
  • go.opencensus.io: v0.23.0
  • go.opentelemetry.io/proto/otlp: v0.7.0
  • go.uber.org/atomic: v1.7.0
  • go.uber.org/multierr: v1.6.0
  • go.uber.org/tools: 2cfd321
  • go.uber.org/zap: v1.17.0
  • golang.org/x/exp: e8c3332
  • golang.org/x/image: cff245a
  • golang.org/x/lint: 6edffad
  • golang.org/x/mobile: d2bd2a2
  • google.golang.org/api: v0.56.0
  • google.golang.org/genproto: 66f60bf
  • google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.1.0
  • google.golang.org/grpc: v1.40.0
  • gopkg.in/alecthomas/kingpin.v2: v2.2.6
  • gopkg.in/cheggaaa/pb.v1: v1.0.28
  • gopkg.in/fsnotify.v1: v1.4.7
  • gopkg.in/gcfg.v1: v1.2.3
  • gopkg.in/ini.v1: v1.63.2
  • gopkg.in/resty.v1: v1.12.0
  • gopkg.in/tomb.v1: dd63297
  • honnef.co/go/tools: v0.2.1
  • mvdan.cc/gofumpt: v0.1.1
  • mvdan.cc/interfacer: c200402
  • mvdan.cc/lint: adc824a
  • mvdan.cc/unparam: aac4ce9
  • rsc.io/binaryregexp: v0.2.0
  • rsc.io/quote/v3: v3.1.0
  • rsc.io/sampler: v1.3.0
  • sigs.k8s.io/yaml: v1.1.0