Unfortunately, there are also breaking changes in this release:
The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.
Changelog
Fixes
64eb0c84b3d909db47c5154c17d075f68b0c85ae: fix: remove format linters that require extra tooling (@nscuro)
Building and Packaging
696aa66151e800a672c9ec860f30d8716ae6a025: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
b50b319d1580d5b624cfc866bc108b589b328157: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
5cad1b0a7dad106950790fad960be5f7e62b2110: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
b0910619560e5b0b0fae51dc97c4a343983873fb: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
9e310b6d641245c89aa01f07a21b50c38f04b087: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
89494fd98291ca8115e02cab78e2e47360352f00: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
61dd91e0bbe730454bef42bc0c1b0a3f97411c02: feat(spec1-5): add support for machine learning (@nscuro)
f831960f0887c1f60681924e4d4382cd4bb52ff0: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
ffc9a4eb9204f5a31b7fb1d6cd907e6cc3e93578: ci: enable more linters (@mmorel-35)
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
The ImageBuildInfo interface now includes a new method: BuildOptions, which is used to configure the build process.
This method returns the image build options when building a Docker image from a Dockerfile,
and it will apply some defaults and finally call the new BuildOptionsModifier method from the FromDockerfile struct, if set.
This way it's possible to access Docker's types.ImageBuildOptions type and modify it before the build process starts.
feat: support customizing the Docker build command (#1931) @mdelapenya
Executing commands using the Executable interface
It now includes an Options method that needs to be implemented. This method will allow configuring the exec options added in this PR for the WithStartupCommand functional option.
If your code is implementing Executable, you can embed the ExecOptions struct in your own struct in order to satisfy the interface.
Please take a look at the RabbitMQ test types to see examples on how to do it.
feat: support for executing commands in a container with user, workDir and env (#1914) @mdelapenya
🔒 Security
chore(deps): bump golang.org/x/crypto to 0.17.0 in /modules (#2006) @mdelapenya
Updates google.golang.org/protobuf from 1.31.0 to 1.32.0
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the go-modules group with 16 updates:
0.7.2
0.8.0
1.7.10
1.7.11
0.8.0
0.8.1
0.4.0
0.5.0
1.4.0
1.5.0
1.1.10
1.1.11
4.1.19
4.1.21
3.23.11
3.23.12
2.15.0
2.15.1
0.26.0
0.27.0
0.17.0
0.18.0
0.19.0
0.20.0
0.5.0
0.6.0
0.16.0
0.16.1
1.59.0
1.60.1
1.31.0
1.32.0
Updates
github.com/CycloneDX/cyclonedx-go
from 0.7.2 to 0.8.0Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
b9654ae
Merge pull request #90 from CycloneDX/spec-v1.564eb0c8
fix: remove format linters that require extra toolingc7a84ac
feat(spec1-5): handle deprecation of toolsf856daa
feat(spec1-5): add support for formulation2fbde0e
feat(spec1-5): add support for identity, occurrences, and callstack evidence61dd91e
feat(spec1-5): add support for machine learningf831960
feat(spec1-5): updatevalid-vulnerability
test snapshotsfe3a904
feat(spec1-5): add support for ssvc scoring method7d2713f
feat(spec1-5): add support for vulnerability proof of concept2ae5445
feat(spec1-5): add support for additional compositions and composition identityUpdates
github.com/containerd/containerd
from 1.7.10 to 1.7.11Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
64b8a81
Merge pull request #9491 from dmcgowan/prepare-1.7.11ea5a477
Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.1167d356c
Merge pull request from GHSA-7ww5-4wqc-m92cdfae68b
Prepare release notes for v1.7.11de6d8a8
Merge pull request #9482 from ambarve/sn_cleanup_1.7ed7c689
Don't block snapshot garbage collection on Remove failures467de56
Merge pull request #9481 from ruiwen-zhao/cri-ud94f8ff
Merge pull request #9483 from dmcgowan/backport-1.7-fix-otel-http1fdefdd
Add warning for CRIU config usage8e06899
Merge pull request #9479 from ruiwen-zhao/cri-api-warningUpdates
github.com/docker/docker-credential-helpers
from 0.8.0 to 0.8.1Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
292722b
Merge pull request #308 from thaJeztah/update_golang_1.21.6979dcc4
Merge pull request #309 from thaJeztah/update_golangcif411a65
Dockerfile: update golangci-lint to v1.55.29629bd7
update to go1.21.6f642c26
Merge pull request #306 from thaJeztah/err_checks8fc3306
Merge pull request #307 from thaJeztah/bump_wincred6a3e64c
move trimming whitespace to error-check helpers218f178
vendor: github.com/danieljoos/wincred v1.2.1Updates
github.com/docker/go-connections
from 0.4.0 to 0.5.0Commits
fa09c95
Merge pull request #108 from thaJeztah/carry_67a67a58
Swap CloseRead and CloseWrite481d3d2
Merge pull request #107 from thaJeztah/drop_legacy_go9548f9f
tlsconfig: remove deprecated io/ioutilc564c21
drop support for go1.17 and older7cbebcf
gha: update actions2cf423f
tlsconfig: move allTLSVersions vardca283b
tlsconfig: drop support for go1.12 and older21876c5
tlsconfig: drop support for go1.6 and older4d174db
tlsconfig: drop support for go1.4 and olderUpdates
github.com/google/uuid
from 1.4.0 to 1.5.0Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
4d47f8e
chore(master): release 1.5.0 (#145)9ee7366
feat: Validate UUID without creating new UUID (#141)b35aa6a
add uuid version 6 and 7 (#139)Updates
github.com/opencontainers/runc
from 1.1.10 to 1.1.11Release notes
Sourced from github.com/opencontainers/runc's releases.
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
4bccb38
VERSION: release 1.1.11930fde5
Merge pull request #4144 from cyphar/1.1-ns-path-handling617db78
configs: make id mappings int64 to better handle 32-bite65d4ca
specconv: temporarily allow userns path and mapping if they match2dd8368
integration: add mega-test for joining namespaces8f8cb45
configs: disallow ambiguous userns and timens configurations0c8e2cc
*: actually support joining a userns with a new container75d99b4
Merge pull request #4131 from harche/backport87792ce
libct/cg: add swapOnlyUsage in MemoryStats4f13093
Merge pull request #4140 from thaJeztah/1.1_backport_update_securejoinUpdates
github.com/pierrec/lz4/v4
from 4.1.19 to 4.1.21Commits
294e765
Merge pull request #216 from evanphx/b-fix-tests6e17a24
Reverts bc1239ba, no longer needed to conform to legacy9542ba5
CI: update go versions to more recent onesd9eb671
cmd/lz4c: update go.mod and fix issue #214219b252
Merge pull request #213 from corneliusroemer/patch-158c6073
Update README.md: add@latest
to cli install commande974631
Merge pull request #211 from oakad/issue_2107613989
CompressingReader: support older Go versions4a80a2f
CompressingReader: account for possible out buffer statef2ece5b
CompressingReader: make sure to clear out bufferUpdates
github.com/shirou/gopsutil/v3
from 3.23.11 to 3.23.12Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.
Commits
df3c7bd
Merge pull request #1573 from scop/feat/udev-fs-labeladaeba0
feat(disk): look for filesystem labels from udev on Linux4870f6f
Merge pull request #1569 from scop/perf/regex-compile08afc01
Merge pull request #1570 from scop/perf/unnecessary-regexps11bc5b3
Avoid some uses of regexps362fa4b
Avoid repeated regexp compilations108235a
Merge pull request #1561 from keeword/masterf308985
Merge pull request #1563 from shirou/dependabot/github_actions/actions/upload...5ce87a6
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.04b820ed
Merge pull request #1564 from shirou/revert-1559-dependabot/github_actions/ac...Updates
github.com/sylabs/sif/v2
from 2.15.0 to 2.15.1Release notes
Sourced from github.com/sylabs/sif/v2's releases.
Commits
c428dc6
Merge pull request #341 from tri-adam/bump-crypto3af14f4
build(deps): bump github.com/ProtonMail/go-crypto from v0.0.0-20230717121422-...4fa5c1d
Merge pull request #339 from sylabs/dependabot/go_modules/main/github.com/sec...cb18ad9
refactor: adapt to breaking change in dsse package702020f
build(deps): bump github.com/secure-systems-lab/go-securesystemslibbb85aa2
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#338)3685695
build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#337)252b6fb
build(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#336)85920b1
build(deps): bump github.com/google/go-containerregistry (#335)a8b0ecf
build(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#334)Updates
github.com/testcontainers/testcontainers-go
from 0.26.0 to 0.27.0Release notes
Sourced from github.com/testcontainers/testcontainers-go's releases.
... (truncated)
Commits
8d0f53a
chore: use new version (v0.27.0) in modules and examplesc3a1834
chore: do not read config but instead pass the hub prefix to the prependHub m...1bac302
fix: remove docker.io from Ryuk image name (#2046)61a37cb
adds gotestsum to install tools (#2043)1c45958
Add neo4j license agreement customization options (#2036)974afd9
chore: bump Ryuk to 0.6.0 (#2040)cb51b9b
chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#2011)9f68760
feat: support configuring Ryuk verbose mode at config level (#2038)5faf6f4
chore: lookup exposed ports in the image from Config, not from ContainerConfi...a9f0ac8
chore(deps): bump golang.org/x/crypto to 0.17.0 in /modules (#2006)Updates
golang.org/x/crypto
from 0.17.0 to 0.18.0Commits
dbb6ec1
ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...403f699
ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr055043d
go.mod: update golang.org/x dependencies08396bb
internal/poly1305: drop Go 1.12 compatibilityUpdates
golang.org/x/net
from 0.19.0 to 0.20.0Commits
cb5b10f
go.mod: update golang.org/x dependencies689bbc7
quic: deflake TestStreamsCreateConcurrencyf12db26
internal/quic/cmd/interop: use wget --no-verbose in Dockerfilec136d0c
quic: avoid panic when PTO expires and implicitly-created streams existf9726a9
quic: fix packet size loggingc337daf
quic: enable qlog output in tests2b416c3
quic/qlog: create log files with O_EXCL1e59a7e
quic/qlog: correctly write negative durationsb0eb4d6
quic: compute pnum len from max ack received, not sentb952594
quic: fix data race in connection closeUpdates
golang.org/x/sync
from 0.5.0 to 0.6.0Commits
59c1ca1
errgroup: add reference to sync.WaitGroupUpdates
golang.org/x/tools
from 0.16.0 to 0.16.1Commits
2acb2e6
gopls/internal/test/marker: minor clean up of marker test doc28b92af
internal/typeparams: eliminate remainining compatibility shimsee35f8e
gopls/internal/lsp/source: hovering over broken packages is not an error67611a1
internal/typeparams: eliminate type aliases23c86e8
internal/typeparams: delete const Enabled=true and simplifye46688f
gopls/internal/analysis/fillstruct: don't panic with invalid fields8bd7553
gopls/internal/util/goversion: warn about EOL for Go 1.18bc9cd15
gopls/internal/settings: remove MemoryMode optionbbc30f1
gopls/protocol: Allow AnnotatedTextEditsf40889d
gopls/internal/analysis/stubmethods: fix OOB panic in fromValueSpecUpdates
google.golang.org/grpc
from 1.59.0 to 1.60.1Release notes
Sourced from google.golang.org/grpc's releases.
Commits
dbbcf59
Update version.go to 1.60.1 (#6865)6e384cf
Cherry-pick #6856 to v1.60.x release branch (#6864)6430548
Change version to 1.60.1-dev (#6793)297d8dd
Cherry-pick #6841 to v1.60.x release branch (#6847)3580447
Change version to 1.60.0 (#6792)71e67a9
Cherry-pick #6834 to v1.60.x release branch (#6839)cb6581d
Cherry-pick #6804 and dependencies to v1.60.x release branch (#6838)dd39cdb
credentials: if not set, restrict to TLS v1.2+ and CipherSuites per RFC7540 (...8645f95
resolver: remove ClientConn.NewServiceConfig (#6784)8b17a4d
vet: various cleanups (#6780)Updates
google.golang.org/protobuf
from 1.31.0 to 1.32.0Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show