Unfortunately, there are also breaking changes in this release:
The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.
Changelog
Fixes
64eb0c84b3d909db47c5154c17d075f68b0c85ae: fix: remove format linters that require extra tooling (@nscuro)
Building and Packaging
696aa66151e800a672c9ec860f30d8716ae6a025: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
b50b319d1580d5b624cfc866bc108b589b328157: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
5cad1b0a7dad106950790fad960be5f7e62b2110: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
b0910619560e5b0b0fae51dc97c4a343983873fb: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
9e310b6d641245c89aa01f07a21b50c38f04b087: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
89494fd98291ca8115e02cab78e2e47360352f00: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
61dd91e0bbe730454bef42bc0c1b0a3f97411c02: feat(spec1-5): add support for machine learning (@nscuro)
f831960f0887c1f60681924e4d4382cd4bb52ff0: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
ffc9a4eb9204f5a31b7fb1d6cd907e6cc3e93578: ci: enable more linters (@mmorel-35)
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
The ImageBuildInfo interface now includes a new method: BuildOptions, which is used to configure the build process.
This method returns the image build options when building a Docker image from a Dockerfile,
and it will apply some defaults and finally call the new BuildOptionsModifier method from the FromDockerfile struct, if set.
This way it's possible to access Docker's types.ImageBuildOptions type and modify it before the build process starts.
feat: support customizing the Docker build command (#1931) @mdelapenya
Executing commands using the Executable interface
It now includes an Options method that needs to be implemented. This method will allow configuring the exec options added in this PR for the WithStartupCommand functional option.
If your code is implementing Executable, you can embed the ExecOptions struct in your own struct in order to satisfy the interface.
Please take a look at the RabbitMQ test types to see examples on how to do it.
feat: support for executing commands in a container with user, workDir and env (#1914) @mdelapenya
🔒 Security
chore(deps): bump golang.org/x/crypto to 0.17.0 in /modules (#2006) @mdelapenya
Bumps the go-modules group with 20 updates:
1.30.0
1.31.1
0.18.0
0.18.1
0.7.2
0.8.0
1.0.6
1.1.0
1.7.11
1.7.12
0.8.0
0.8.1
0.4.0
0.5.0
0.17.0
0.18.0
1.4.0
1.6.0
1.1.10
1.1.11
4.1.19
4.1.21
3.23.11
3.23.12
2.15.0
2.15.1
0.26.0
0.27.0
0.17.0
0.18.0
0.19.0
0.20.0
0.5.0
0.6.0
0.16.1
0.17.0
1.59.0
1.61.0
1.31.0
1.32.0
Updates
github.com/onsi/gomega
from 1.30.0 to 1.31.1Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
762b171
v1.31.126661b8
tidy up go.sumbde8f7a
bump dependencies24e958d
Show how to import the format sub packagead1a367
Update test in case keeping msg is desirede0dd999
Inverted arguments order of FailureMessage of BeComparableToMatcherba8bba2
v1.31.0121c37f
Async assertions include context cancellation cause if presentdee1e3c
Bump minimum go version49005fe
docs: fix typo in example usage "occured" -> "occurred"Updates
github.com/paketo-buildpacks/occam
from 0.18.0 to 0.18.1Commits
1d68391
tests: adding tests for NewContainerFromInspectOutput function13e5704
fix: avoid accessing undefined host ports on while creating a new container f...0fb0353
Bump github.com/containerd/containerd from 1.7.7 to 1.7.11Updates
github.com/CycloneDX/cyclonedx-go
from 0.7.2 to 0.8.0Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
b9654ae
Merge pull request #90 from CycloneDX/spec-v1.564eb0c8
fix: remove format linters that require extra toolingc7a84ac
feat(spec1-5): handle deprecation of toolsf856daa
feat(spec1-5): add support for formulation2fbde0e
feat(spec1-5): add support for identity, occurrences, and callstack evidence61dd91e
feat(spec1-5): add support for machine learningf831960
feat(spec1-5): updatevalid-vulnerability
test snapshotsfe3a904
feat(spec1-5): add support for ssvc scoring method7d2713f
feat(spec1-5): add support for vulnerability proof of concept2ae5445
feat(spec1-5): add support for additional compositions and composition identityUpdates
github.com/andybalholm/brotli
from 1.0.6 to 1.1.0Commits
17e5901
Make my matchfinder work more accessible.cf812c0
matchfinder: add M01b6cf36
matchfinder: remove MultiHash265f3af
matchfinder: penalize score for overlapping matchesa8d524a
matchfinder: replace Score function with DistanceBitCost578645e
matchfinder: add MultiHash24b2bfa
matchfinder.M4: add Score function4a024e3
matchfinder.M4: add match chain3a1c5cd
Fix typo in comment.0d2aef3
matchfinder.M4: factor out extendMatch2Updates
github.com/containerd/containerd
from 1.7.11 to 1.7.12Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
71909c1
Merge pull request #9632 from dmcgowan/prepare-v1.7.12775d544
Prepare release notes for v1.7.124ebe8e2
Merge pull request #9624 from thaJeztah/1.7_update_golang_1.20.13a5dc5b8
update to go1.20.13, test go1.21.650e7359
Merge pull request #9548 from Dzejrou/1.7_fix_ignoring_umask5a675f2
Merge pull request #9602 from thaJeztah/1.7_backport_no_execabsccca466
Merge pull request #9605 from thaJeztah/1.7_backport_switch_moby_user9251072
remove github.com/opencontainers/runc dependency4e67213
vendor: github.com/cncf-tags/container-device-interface v0.6.1e0ee0be
go.mod: github.com/opencontainers/runtime-spec v1.1.0Updates
github.com/docker/docker-credential-helpers
from 0.8.0 to 0.8.1Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
292722b
Merge pull request #308 from thaJeztah/update_golang_1.21.6979dcc4
Merge pull request #309 from thaJeztah/update_golangcif411a65
Dockerfile: update golangci-lint to v1.55.29629bd7
update to go1.21.6f642c26
Merge pull request #306 from thaJeztah/err_checks8fc3306
Merge pull request #307 from thaJeztah/bump_wincred6a3e64c
move trimming whitespace to error-check helpers218f178
vendor: github.com/danieljoos/wincred v1.2.1Updates
github.com/docker/go-connections
from 0.4.0 to 0.5.0Commits
fa09c95
Merge pull request #108 from thaJeztah/carry_67a67a58
Swap CloseRead and CloseWrite481d3d2
Merge pull request #107 from thaJeztah/drop_legacy_go9548f9f
tlsconfig: remove deprecated io/ioutilc564c21
drop support for go1.17 and older7cbebcf
gha: update actions2cf423f
tlsconfig: move allTLSVersions vardca283b
tlsconfig: drop support for go1.12 and older21876c5
tlsconfig: drop support for go1.6 and older4d174db
tlsconfig: drop support for go1.4 and olderUpdates
github.com/google/go-containerregistry
from 0.17.0 to 0.18.0Release notes
Sourced from github.com/google/go-containerregistry's releases.
Commits
a0658aa
Always print pushed digest in crane push (#1860)55ffb00
fix: goreleaser config (#1764)Updates
github.com/google/uuid
from 1.4.0 to 1.6.0Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
0f11ee6
chore(master): release 1.6.0 (#151)16939da
chore(tests): add strict monotonicity test case for uuid v7. (#154)016b199
fix: fix typo in version 7 uuid documentation (#153)1d8b6ea
ci: set token permissions to github workflows (#143)a2b2b32
fix: Monotonicity in UUIDv7 (#150)c58770e
feat: add Max UUID constant (#149)4d47f8e
chore(master): release 1.5.0 (#145)9ee7366
feat: Validate UUID without creating new UUID (#141)b35aa6a
add uuid version 6 and 7 (#139)Updates
github.com/opencontainers/runc
from 1.1.10 to 1.1.11Release notes
Sourced from github.com/opencontainers/runc's releases.
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
4bccb38
VERSION: release 1.1.11930fde5
Merge pull request #4144 from cyphar/1.1-ns-path-handling617db78
configs: make id mappings int64 to better handle 32-bite65d4ca
specconv: temporarily allow userns path and mapping if they match2dd8368
integration: add mega-test for joining namespaces8f8cb45
configs: disallow ambiguous userns and timens configurations0c8e2cc
*: actually support joining a userns with a new container75d99b4
Merge pull request #4131 from harche/backport87792ce
libct/cg: add swapOnlyUsage in MemoryStats4f13093
Merge pull request #4140 from thaJeztah/1.1_backport_update_securejoinUpdates
github.com/pierrec/lz4/v4
from 4.1.19 to 4.1.21Commits
294e765
Merge pull request #216 from evanphx/b-fix-tests6e17a24
Reverts bc1239ba, no longer needed to conform to legacy9542ba5
CI: update go versions to more recent onesd9eb671
cmd/lz4c: update go.mod and fix issue #214219b252
Merge pull request #213 from corneliusroemer/patch-158c6073
Update README.md: add@latest
to cli install commande974631
Merge pull request #211 from oakad/issue_2107613989
CompressingReader: support older Go versions4a80a2f
CompressingReader: account for possible out buffer statef2ece5b
CompressingReader: make sure to clear out bufferUpdates
github.com/shirou/gopsutil/v3
from 3.23.11 to 3.23.12Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.
Commits
df3c7bd
Merge pull request #1573 from scop/feat/udev-fs-labeladaeba0
feat(disk): look for filesystem labels from udev on Linux4870f6f
Merge pull request #1569 from scop/perf/regex-compile08afc01
Merge pull request #1570 from scop/perf/unnecessary-regexps11bc5b3
Avoid some uses of regexps362fa4b
Avoid repeated regexp compilations108235a
Merge pull request #1561 from keeword/masterf308985
Merge pull request #1563 from shirou/dependabot/github_actions/actions/upload...5ce87a6
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.04b820ed
Merge pull request #1564 from shirou/revert-1559-dependabot/github_actions/ac...Updates
github.com/sylabs/sif/v2
from 2.15.0 to 2.15.1Release notes
Sourced from github.com/sylabs/sif/v2's releases.
Commits
c428dc6
Merge pull request #341 from tri-adam/bump-crypto3af14f4
build(deps): bump github.com/ProtonMail/go-crypto from v0.0.0-20230717121422-...4fa5c1d
Merge pull request #339 from sylabs/dependabot/go_modules/main/github.com/sec...cb18ad9
refactor: adapt to breaking change in dsse package702020f
build(deps): bump github.com/secure-systems-lab/go-securesystemslibbb85aa2
build(deps): bump golang.org/x/crypto from 0.15.0 to 0.17.0 (#338)3685695
build(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#337)252b6fb
build(deps): bump github.com/sigstore/sigstore from 1.7.5 to 1.7.6 (#336)85920b1
build(deps): bump github.com/google/go-containerregistry (#335)a8b0ecf
build(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#334)Updates
github.com/testcontainers/testcontainers-go
from 0.26.0 to 0.27.0Release notes
Sourced from github.com/testcontainers/testcontainers-go's releases.
... (truncated)
Commits
8d0f53a
chore: use new version (v0.27.0) in modules and examplesc3a1834
chore: do not read config but instead pass the hub prefix to the prependHub m...1bac302
fix: remove docker.io from Ryuk image name (#2046)61a37cb
adds gotestsum to install tools (#2043)1c45958
Add neo4j license agreement customization options (#2036)974afd9
chore: bump Ryuk to 0.6.0 (#2040)cb51b9b
chore(deps): bump github.com/containerd/containerd from 1.7.7 to 1.7.11 (#2011)9f68760
feat: support configuring Ryuk verbose mode at config level (#2038)5faf6f4
chore: lookup exposed ports in the image from Config, not from ContainerConfi...a9f0ac8
chore(deps): bump golang.org/x/crypto to 0.17.0 in /modules (#2006)Updates
golang.org/x/crypto
from 0.17.0 to 0.18.0Commits
dbb6ec1
ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...403f699
ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr055043d
go.mod: update golang.org... _Description has been truncated_