Unfortunately, there are also breaking changes in this release:
The type of Metadata.Tools has changed from *[]Tool to *ToolsChoice, to facilitate the deprecation of Tool in the spec
ToolsChoice holds both legacy *[]Tool, as well as the new *[]Component and *[]Service fields
The Tool type, as well as the ToolsChoice.Tools field are marked as deprecated
During encoding and decoding, it is asserted that only one of both options can be present, in accordance with the "One of" constraint of the spec
When encoding to lower spec versions than v1.5 (using EncodeVersion), Components and Services are automatically converted to legacy Tools
It is strongly recommended to use Components and Services. However, when consuming BOMs, applications should still expect legacy Tools to be present, and handle them accordingly.
Changelog
Fixes
64eb0c84b3d909db47c5154c17d075f68b0c85ae: fix: remove format linters that require extra tooling (@nscuro)
Building and Packaging
696aa66151e800a672c9ec860f30d8716ae6a025: build(deps): bump actions/checkout from 3.5.3 to 4.1.0 (@dependabot[bot])
b50b319d1580d5b624cfc866bc108b589b328157: build(deps): bump actions/checkout from 4.1.0 to 4.1.1 (@dependabot[bot])
5cad1b0a7dad106950790fad960be5f7e62b2110: build(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (@dependabot[bot])
b0910619560e5b0b0fae51dc97c4a343983873fb: build(deps): bump gitpod/workspace-go from d3603c7 to 94ae638 (@dependabot[bot])
9e310b6d641245c89aa01f07a21b50c38f04b087: build(deps): bump gitpod/workspace-go from f37c673 to d3603c7 (@dependabot[bot])
89494fd98291ca8115e02cab78e2e47360352f00: build(deps): bump goreleaser/goreleaser-action from 4.4.0 to 5.0.0 (@dependabot[bot])
Others
61dd91e0bbe730454bef42bc0c1b0a3f97411c02: feat(spec1-5): add support for machine learning (@nscuro)
f831960f0887c1f60681924e4d4382cd4bb52ff0: feat(spec1-5): update valid-vulnerability test snapshots (@nscuro)
ffc9a4eb9204f5a31b7fb1d6cd907e6cc3e93578: ci: enable more linters (@mmorel-35)
runc 1.1.12 -- "Now you're thinking with Portals™!"
This is the twelfth patch release in the 1.1.z release branch of runc.
It fixes a high-severity container breakout vulnerability involving
leaked file descriptors, and users are strongly encouraged to update as
soon as possible.
Fix CVE-2024-21626, a container breakout attack that took advantage of
a file descriptor that was leaked internally within runc (but never
leaked to the container process).
In addition to fixing the leak, several strict hardening measures were
added to ensure that future internal leaks could not be used to break
out in this manner again.
Based on our research, while no other container runtime had a similar
leak, none had any of the hardening steps we've introduced (and some
runtimes would not check for any file descriptors that a calling
process may have leaked to them, allowing for container breakouts due
to basic user error).
Static Linking Notices
The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":
The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.
However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.
Thanks to all of the contributors who made this release possible:
Fix CVE-2024-21626, a container breakout attack that took
advantage of a file descriptor that was leaked internally within runc (but
never leaked to the container process). In addition to fixing the leak,
several strict hardening measures were added to ensure that future internal
leaks could not be used to break out in this manner again. Based on our
research, while no other container runtime had a similar leak, none had any
of the hardening steps we've introduced (and some runtimes would not check
for any file descriptors that a calling process may have leaked to them,
allowing for container breakouts due to basic user error).
Support memory.peak and memory.swap.peak in cgroups v2.
Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
For cgroupv1, Usage and Failcnt are set by subtracting memory usage
from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
are set. (#4000, #4010, #4131)
Bumps the go-modules group with 30 updates:
1.30.0
1.31.1
0.18.0
0.18.2
0.7.2
0.8.0
0.0.0-20230412183729-8602f1afc574
0.0.1
1.0.6
1.1.0
1.3.6
1.3.7
1.7.10
1.7.11
0.8.0
0.8.1
0.4.0
0.5.0
5.10.1
5.11.0
0.17.0
0.19.0
1.4.0
1.6.0
1.17.4
1.17.6
1.1.10
1.1.12
4.1.19
4.1.21
0.4.4
0.4.7
0.2.0
0.3.0
3.23.11
3.24.1
2.15.0
2.15.1
0.26.0
0.28.0
0.0.0-20230301185719-21920a456ad5
0.0.0-20230925121702-07e42b3cdba0
1.2.3
1.2.4
0.16.0
0.18.0
0.14.0
0.15.0
0.19.0
0.21.0
0.5.0
0.6.0
0.15.0
0.17.0
0.16.0
0.16.1
1.59.0
1.61.1
1.31.0
1.32.0
Updates
github.com/onsi/gomega
from 1.30.0 to 1.31.1Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
762b171
v1.31.126661b8
tidy up go.sumbde8f7a
bump dependencies24e958d
Show how to import the format sub packagead1a367
Update test in case keeping msg is desirede0dd999
Inverted arguments order of FailureMessage of BeComparableToMatcherba8bba2
v1.31.0121c37f
Async assertions include context cancellation cause if presentdee1e3c
Bump minimum go version49005fe
docs: fix typo in example usage "occured" -> "occurred"Updates
github.com/paketo-buildpacks/occam
from 0.18.0 to 0.18.2Release notes
Sourced from github.com/paketo-buildpacks/occam's releases.
Commits
f37d228
Bump github.com/opencontainers/runc from 1.1.5 to 1.1.121d68391
tests: adding tests for NewContainerFromInspectOutput function13e5704
fix: avoid accessing undefined host ports on while creating a new container f...0fb0353
Bump github.com/containerd/containerd from 1.7.7 to 1.7.11Updates
github.com/CycloneDX/cyclonedx-go
from 0.7.2 to 0.8.0Release notes
Sourced from github.com/CycloneDX/cyclonedx-go's releases.
Commits
b9654ae
Merge pull request #90 from CycloneDX/spec-v1.564eb0c8
fix: remove format linters that require extra toolingc7a84ac
feat(spec1-5): handle deprecation of toolsf856daa
feat(spec1-5): add support for formulation2fbde0e
feat(spec1-5): add support for identity, occurrences, and callstack evidence61dd91e
feat(spec1-5): add support for machine learningf831960
feat(spec1-5): updatevalid-vulnerability
test snapshotsfe3a904
feat(spec1-5): add support for ssvc scoring method7d2713f
feat(spec1-5): add support for vulnerability proof of concept2ae5445
feat(spec1-5): add support for additional compositions and composition identityUpdates
github.com/anchore/stereoscope
from 0.0.0-20230412183729-8602f1afc574 to 0.0.1Commits
Updates
github.com/andybalholm/brotli
from 1.0.6 to 1.1.0Commits
17e5901
Make my matchfinder work more accessible.cf812c0
matchfinder: add M01b6cf36
matchfinder: remove MultiHash265f3af
matchfinder: penalize score for overlapping matchesa8d524a
matchfinder: replace Score function with DistanceBitCost578645e
matchfinder: add MultiHash24b2bfa
matchfinder.M4: add Score function4a024e3
matchfinder.M4: add match chain3a1c5cd
Fix typo in comment.0d2aef3
matchfinder.M4: factor out extendMatch2Updates
github.com/cloudflare/circl
from 1.3.6 to 1.3.7Release notes
Sourced from github.com/cloudflare/circl's releases.
Commits
c48866b
Releasing CIRCL v1.3.775ef91e
kyber: remove division by q in ciphertext compression899732a
build(deps): bump golang.org/x/cryptoUpdates
github.com/containerd/containerd
from 1.7.10 to 1.7.11Release notes
Sourced from github.com/containerd/containerd's releases.
... (truncated)
Commits
64b8a81
Merge pull request #9491 from dmcgowan/prepare-1.7.11ea5a477
Merge pull request #9352 from thaJeztah/1.7_update_golang_1.20.1167d356c
Merge pull request from GHSA-7ww5-4wqc-m92cdfae68b
Prepare release notes for v1.7.11de6d8a8
Merge pull request #9482 from ambarve/sn_cleanup_1.7ed7c689
Don't block snapshot garbage collection on Remove failures467de56
Merge pull request #9481 from ruiwen-zhao/cri-ud94f8ff
Merge pull request #9483 from dmcgowan/backport-1.7-fix-otel-http1fdefdd
Add warning for CRIU config usage8e06899
Merge pull request #9479 from ruiwen-zhao/cri-api-warningUpdates
github.com/docker/docker-credential-helpers
from 0.8.0 to 0.8.1Release notes
Sourced from github.com/docker/docker-credential-helpers's releases.
Commits
292722b
Merge pull request #308 from thaJeztah/update_golang_1.21.6979dcc4
Merge pull request #309 from thaJeztah/update_golangcif411a65
Dockerfile: update golangci-lint to v1.55.29629bd7
update to go1.21.6f642c26
Merge pull request #306 from thaJeztah/err_checks8fc3306
Merge pull request #307 from thaJeztah/bump_wincred6a3e64c
move trimming whitespace to error-check helpers218f178
vendor: github.com/danieljoos/wincred v1.2.1Updates
github.com/docker/go-connections
from 0.4.0 to 0.5.0Commits
fa09c95
Merge pull request #108 from thaJeztah/carry_67a67a58
Swap CloseRead and CloseWrite481d3d2
Merge pull request #107 from thaJeztah/drop_legacy_go9548f9f
tlsconfig: remove deprecated io/ioutilc564c21
drop support for go1.17 and older7cbebcf
gha: update actions2cf423f
tlsconfig: move allTLSVersions vardca283b
tlsconfig: drop support for go1.12 and older21876c5
tlsconfig: drop support for go1.6 and older4d174db
tlsconfig: drop support for go1.4 and olderUpdates
github.com/go-git/go-git/v5
from 5.10.1 to 5.11.0Release notes
Sourced from github.com/go-git/go-git/v5's releases.
Commits
5d08d3b
Merge pull request #958 from pjbgf/workval5bd1d8f
build: Ensure checkout is the first operationb2c1982
git: worktree, Align validation with upstream rulescec7da6
Merge pull request #953 from pjbgf/alternates8b47ceb
storage: filesystem, Add option to set a specific FS for alternates4f61489
Merge pull request #941 from djmoch/filestats-renameae552ce
Merge pull request #939 from dhoizner/fix-pull-after-shallowcc1895b
Merge pull request #950 from aymanbagabas/validate-refde1d5a5
git: validate reference namesd87110b
Merge pull request #948 from go-git/dependabot/go_modules/cli/go-git/github.c...Updates
github.com/google/go-containerregistry
from 0.17.0 to 0.19.0Release notes
Sourced from github.com/google/go-containerregistry's releases.
Commits
8dadbe7
Work around docker v25 tarballs (#1872)a0658aa
Always print pushed digest in crane push (#1860)55ffb00
fix: goreleaser config (#1764)Updates
github.com/google/uuid
from 1.4.0 to 1.6.0Release notes
Sourced from github.com/google/uuid's releases.
Changelog
Sourced from github.com/google/uuid's changelog.
Commits
0f11ee6
chore(master): release 1.6.0 (#151)16939da
chore(tests): add strict monotonicity test case for uuid v7. (#154)016b199
fix: fix typo in version 7 uuid documentation (#153)1d8b6ea
ci: set token permissions to github workflows (#143)a2b2b32
fix: Monotonicity in UUIDv7 (#150)c58770e
feat: add Max UUID constant (#149)4d47f8e
chore(master): release 1.5.0 (#145)9ee7366
feat: Validate UUID without creating new UUID (#141)b35aa6a
add uuid version 6 and 7 (#139)Updates
github.com/klauspost/compress
from 1.17.4 to 1.17.6Release notes
Sourced from github.com/klauspost/compress's releases.
Commits
255a132
s2: Fix DecodeConcurrent deadlock on errors (#925)e8251aa
build: Remove garble compiler (#924)32f34cf
build(deps): bump the github-actions group with 1 update (#921)aac36dc
zstd: Fix incorrect repeat coding in best mode (#923)9b0f130
Update README.md6662a21
s2: Document and test how to peek the stream for skippable blocks (#918)3deb878
s2: Fix up AddSkippableBlock more (#919)6ac58c9
s2: Fix incorrect length encoded by writer.AddSkippableBlock (#917)515f153
s2: Fix callbacks for skippable blocks and disallow 0xfe (Padding) for custom...01b2a79
zstd: Limit default window to 8MB (#913)Updates
github.com/opencontainers/runc
from 1.1.10 to 1.1.12Release notes
Sourced from github.com/opencontainers/runc's releases.
... (truncated)
Changelog
Sourced from github.com/opencontainers/runc's changelog.
Commits
51d5e94
VERSION: release 1.1.122a4ed3e
merge 1.1-ghsa-xr7r-f8xq-vfvv into release-1.1e9665f4
init: don't special-case logrus fds683ad2f
libcontainer: mark all non-stdio fds O_CLOEXEC before spawning initb6633f4
cgroup: plug leaks of /sys/fs/cgroup handle284ba30
init: close internal fds before execvefbe3eed
setns init: do explicit lookup of execve argument early0994249
init: verify after chdir that cwd is inside the container506552a
Fix File to Close099ff69
merge #4177 into opencontainers/runc:release-1.1Updates
github.com/pierrec/lz4/v4
from 4.1.19 to 4.1.21Commits
294e765
Merge pull request #216 from evanphx/b-fix-tests6e17a24
Reverts bc1239ba, no longer needed to conform to legacy9542ba5
CI: update go versions to more recent onesd9eb671
cmd/lz4c: update go.mod and fix issue #214219b252
Merge pull request #213 from corneliusroemer/patch-158c6073
Update README.md: add@latest
to cli install commande974631
Merge pull request #211 from oakad/issue_2107613989
CompressingReader: support older Go versions4a80a2f
CompressingReader: account for possible out buffer statef2ece5b
CompressingReader: make sure to clear out bufferUpdates
github.com/rivo/uniseg
from 0.4.4 to 0.4.7Commits
03509a9
Fixed wrong width calculation for variation selectors combined with regular c...601bbb3
Clarified some performance statements.f302f7f
Clarifications and improvements in the package documentation.0b9a924
Improved performance by using switch statements instead of maps for state tra...e258aa1
Switched from transition map to switch statement to improve performance.b74d4dc
Some performance improvements by fast-tracking property search on ASCII chara...97691fc
Merge pull request #47 from junegunn/eastasian-ambiguous1f39ebc
Add comment272e3f0
Allow configuring the width of East Asian ambiguous width characters3628fa1
Merge pull request #42 from meowgorithm/unicode-v15.0.0Updates
github.com/sassoftware/go-rpmutils
from 0.2.0 to 0.3.0Release notes
Sourced from github.com/sassoftware/go-rpmutils's releases.