Unfortunately, there are also breaking changes in this release:
The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.
Changelog
Fixes
64eb0c84b3d909db47c5154c17d075f68b0c85ae: fix: remove format linters that require extra tooling (@nscuro)
Building and Packaging
696aa66151e800a672c9ec860f30d8716ae6a025: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
b50b319d1580d5b624cfc866bc108b589b328157: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
5cad1b0a7dad106950790fad960be5f7e62b2110: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
b0910619560e5b0b0fae51dc97c4a343983873fb: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
9e310b6d641245c89aa01f07a21b50c38f04b087: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
89494fd98291ca8115e02cab78e2e47360352f00: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
61dd91e0bbe730454bef42bc0c1b0a3f97411c02: feat(spec1-5): add support for machine learning (@nscuro)
f831960f0887c1f60681924e4d4382cd4bb52ff0: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
ffc9a4eb9204f5a31b7fb1d6cd907e6cc3e93578: ci: enable more linters (@mmorel-35)
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc.
It fixes a high-severity container breakout vulnerability involving
leaked file descriptors, and users are strongly encouraged to update as
soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
In addition to fixing the leak, several strict hardening measures were
added to ensure that future internal leaks could not be used to break
out in this manner again.
Based on our research, while no other container runtime had a similar
leak, none had any of the hardening steps we've introduced (and some
runtimes would not check for any file descriptors that a calling
process may have leaked to them, allowing for container breakouts due
to basic user error).
Static Linking Notices
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Fix CVE-2024-21626, a container breakout attack that took
advantage of a file descriptor that was leaked internally within runc (but
never leaked to the container process). In addition to fixing the leak,
several strict hardening measures were added to ensure that future internal
leaks could not be used to break out in this manner again. Based on our
research, while no other container runtime had a similar leak, none had any
of the hardening steps we've introduced (and some runtimes would not check
for any file descriptors that a calling process may have leaked to them,
allowing for container breakouts due to basic user error).
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
Bumps the go-modules group with 24 updates:
1.30.0
1.31.1
0.18.0
0.18.1
0.7.2
0.8.0
0.0.0-20230412183729-8602f1afc574
0.0.1
1.0.6
1.1.0
1.7.11
1.7.12
0.8.0
0.8.1
0.4.0
0.5.0
0.17.0
0.19.0
1.4.0
1.6.0
1.17.4
1.17.5
1.1.10
1.1.12
4.1.19
4.1.21
0.4.4
0.4.6
0.2.0
0.3.0
3.23.11
3.23.12
2.15.0
2.15.1
0.26.0
0.27.0
1.2.3
1.2.4
0.19.0
0.20.0
0.5.0
0.6.0
0.16.1
0.17.0
1.59.0
1.61.0
1.31.0
1.32.0
Updates
github.com/onsi/gomega
from 1.30.0 to 1.31.1Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
762b171
v1.31.126661b8
tidy up go.sumbde8f7a
bump dependencies24e958d
Show how to import the format sub packagead1a367
Update test in case keeping msg is desirede0dd999
Inverted arguments order of FailureMessage of BeComparableToMatcherba8bba2
v1.31.0121c37f
Async assertions include context cancellation cause if presentdee1e3c
Bump minimum go version49005fe
docs: fix typo in example usage "occured" -> "occurred"Updates
github.com/paketo-buildpacks/occam
from 0.18.0 to 0.18.1Commits
1d68391
tests: adding tests for NewContainerFromInspectOutput function13e5704
fix: avoid accessing undefined host ports on while creating a new container f...0fb0353
Bump github.com/containerd/containerd from 1.7.7 to 1.7.11Updates
github.com/CycloneDX/cyclonedx-go
from 0.7.2 to 0.8.0Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
b9654ae
Merge pull request #90 from CycloneDX/spec-v1.564eb0c8
fix: remove format linters that require extra toolingc7a84ac
feat(spec1-5): handle deprecation of toolsf856daa
feat(spec1-5): add support for formulation2fbde0e
feat(spec1-5): add support for identity, occurrences, and callstack evidence61dd91e
feat(spec1-5): add support for machine learningf831960
feat(spec1-5): updatevalid-vulnerability
test snapshotsfe3a904
feat(spec1-5): add support for ssvc scoring method7d2713f
feat(spec1-5): add support for vulnerability proof of concept2ae5445
feat(spec1-5): add support for additional compositions and composition identityUpdates
github.com/anchore/stereoscope
from 0.0.0-20230412183729-8602f1afc574 to 0.0.1Commits
Updates
github.com/andybalholm/brotli
from 1.0.6 to 1.1.0Commits
17e5901
Make my matchfinder work more accessible.cf812c0
matchfinder: add M01b6cf36
matchfinder: remove MultiHash265f3af
matchfinder: penalize score for overlapping matchesa8d524a
matchfinder: replace Score function with DistanceBitCost578645e
matchfinder: add MultiHash24b2bfa
matchfinder.M4: add Score function4a024e3
matchfinder.M4: add match chain3a1c5cd
Fix typo in comment.0d2aef3
matchfinder.M4: factor out extendMatch2Updates
github.com/containerd/containerd
from 1.7.11 to 1.7.12Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
71909c1
Merge pull request #9632 from dmcgowan/prepare-v1.7.12775d544
Prepare release notes for v1.7.124ebe8e2
Merge pull request #9624 from thaJeztah/1.7_update_golang_1.20.13a5dc5b8
update to go1.20.13, test go1.21.650e7359
Merge pull request #9548 from Dzejrou/1.7_fix_ignoring_umask5a675f2
Merge pull request #9602 from thaJeztah/1.7_backport_no_execabsccca466
Merge pull request #9605 from thaJeztah/1.7_backport_switch_moby_user9251072
remove github.com/opencontainers/runc dependency4e67213
vendor: github.com/cncf-tags/container-device-interface v0.6.1e0ee0be
go.mod: github.com/opencontainers/runtime-spec v1.1.0Updates
github.com/docker/docker-credential-helpers
from 0.8.0 to 0.8.1Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
292722b
Merge pull request #308 from thaJeztah/update_golang_1.21.6979dcc4
Merge pull request #309 from thaJeztah/update_golangcif411a65
Dockerfile: update golangci-lint to v1.55.29629bd7
update to go1.21.6f642c26
Merge pull request #306 from thaJeztah/err_checks8fc3306
Merge pull request #307 from thaJeztah/bump_wincred6a3e64c
move trimming whitespace to error-check helpers218f178
vendor: github.com/danieljoos/wincred v1.2.1Updates
github.com/docker/go-connections
from 0.4.0 to 0.5.0Commits
fa09c95
Merge pull request #108 from thaJeztah/carry_67a67a58
Swap CloseRead and CloseWrite481d3d2
Merge pull request #107 from thaJeztah/drop_legacy_go9548f9f
tlsconfig: remove deprecated io/ioutilc564c21
drop support for go1.17 and older7cbebcf
gha: update actions2cf423f
tlsconfig: move allTLSVersions vardca283b
tlsconfig: drop support for go1.12 and older21876c5
tlsconfig: drop support for go1.6 and older4d174db
tlsconfig: drop support for go1.4 and olderUpdates
github.com/google/go-containerregistry
from 0.17.0 to 0.19.0Release notes
Sourced from github.com/google/go-containerregistry's releases.
Commits
8dadbe7
Work around docker v25 tarballs (#1872)a0658aa
Always print pushed digest in crane push (#1860)55ffb00
fix: goreleaser config (#1764)Updates
github.com/google/uuid
from 1.4.0 to 1.6.0Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
0f11ee6
chore(master): release 1.6.0 (#151)16939da
chore(tests): add strict monotonicity test case for uuid v7. (#154)016b199
fix: fix typo in version 7 uuid documentation (#153)1d8b6ea
ci: set token permissions to github workflows (#143)a2b2b32
fix: Monotonicity in UUIDv7 (#150)c58770e
feat: add Max UUID constant (#149)4d47f8e
chore(master): release 1.5.0 (#145)9ee7366
feat: Validate UUID without creating new UUID (#141)b35aa6a
add uuid version 6 and 7 (#139)Updates
github.com/klauspost/compress
from 1.17.4 to 1.17.5Release notes
Sourced from github.com/klauspost/compress's releases.
Commits
6662a21
s2: Document and test how to peek the stream for skippable blocks (#918)3deb878
s2: Fix up AddSkippableBlock more (#919)6ac58c9
s2: Fix incorrect length encoded by writer.AddSkippableBlock (#917)515f153
s2: Fix callbacks for skippable blocks and disallow 0xfe (Padding) for custom...01b2a79
zstd: Limit default window to 8MB (#913)32312d5
flate: Fix reset with dictionary on custom window encodes (#912)d9b6e1e
zstd: Tweak noasm FSE decoder (#910)85452d2
zstd: Add Frame header encoding and stripping (#908)eabf71d
build(deps): bump the github-actions group with 1 update (#906)f6216d3
Update README.md (#905)Updates
github.com/opencontainers/runc
from 1.1.10 to 1.1.12Release notes
Sourced from github.com/opencontainers/runc's releases.
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
51d5e94
VERSION: release 1.1.122a4ed3e
merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1e9665f4
init: don't special-case logrus fds683ad2f
libcontainer: mark all non-stdio fds O_CLOEXEC before spawning initb6633f4
cgroup: plug leaks of /sys/fs/cgroup handle284ba30
init: close internal fds before execvefbe3eed
setns init: do explicit lookup of execve argument early0994249
init: verify after chdir that cwd is inside the container506552a
Fix File to Close099ff69
merge #4177 into opencontainers/runc:release-1.1Updates
github.com/pierrec/lz4/v4
from 4.1.19 to 4.1.21Commits
294e765
Merge pull request #216 from evanphx/b-fix-tests6e17a24
Reverts bc1239ba, no longer needed to conform to legacy9542ba5
CI: update go versions to more recent onesd9eb671
cmd/lz4c: update go.mod and fix issue #214219b252
Merge pull request #213 from corneliusroemer/patch-158c6073
Update README.md: add@latest
to cli install commande974631
Merge pull request #211 from oakad/issue_2107613989
CompressingReader: support older Go versions4a80a2f
CompressingReader: account for possible out buffer statef2ece5b
CompressingReader: make sure to clear out bufferUpdates
github.com/rivo/uniseg
from 0.4.4 to 0.4.6Commits
f302f7f
Clarifications and improvements in the package documentation.0b9a924
Improved performance by using switch statements instead of maps for state tra...e258aa1
Switched from transition map to switch statement to improve performance.b74d4dc
Some performance improvements by fast-tracking property search on ASCII chara...97691fc
Merge pull request #47 from junegunn/eastasian-ambiguous1f39ebc
Add comment272e3f0
Allow configuring the width of East Asian ambiguous width characters3628fa1
Merge pull request #42 from meowgorithm/unicode-v15.0.03050bb8
Update Unicode version numbers in README and doc comments to 15.0.05509479
Upgrade to Unicode v15.0.0 (and regnerate accordingly)Updates
github.com/sassoftware/go-rpmutils
from 0.2.0 to 0.3.0Release notes
Sourced from github.com/sassoftware/go-rpmutils's releases.
Commits
d2036ff
chore: update dependencies and remove refs to ioutilbceacf4
feat: support RPMs with a payload digest but no SIG_MD5 (#28)277b154
Add CONFLICT tagsd2202c0
Fix non-continuous link groupsUpdates
github.com/shirou/gopsutil/v3
from 3.23.11 to 3.23.12Release notes
Sourced from github.com/shirou/gopsutil/v3's releases.
Commits
df3c7bd
Merge pull request #1573 from scop/feat/udev-fs-labeladaeba0
feat(disk): look for filesystem labels from udev on Linux4870f6f
Merge pull request #1569 from scop/perf/regex-compile08afc01
Merge pull request #1570 from scop/perf/unnecessary-regexps11bc5b3
Avoid some uses of regexps362fa4b
Avoid repeated regexp compilations108235a
Merge pull request #1561 from keeword/masterf308985
Merge pull request #1563 from shirou/dependabot/github_actions/actions/upload...5ce87a6
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.04b820ed
Merge pull request #1564 from shirou/revert-1559-dependabot/github_actions/ac...Updates
github.com/sylabs/sif/v2
from 2.15.0 to 2.15.1Release notes
Sourced from github.com/sylabs/sif/v2's releases.