paulscherrerinstitute / alphafold-on-fire

GNU General Public License v3.0

Bump docker/scout-action from 0.18.1 to 1.5.1 #531

Closed dependabot[bot] closed 6 months ago

dependabot[bot] commented 6 months ago

Bumps docker/scout-action from 0.18.1 to 1.5.1.

Release notes

Sourced from docker/scout-action's releases.

v1.5.1

What's Changed

  • Fix panic on single image oci-dir input by @cdupuis

v1.5.0

Highlights

  • Cache SBOM and attestations using the image index digest if exists
  • Add file hashes/digest when generating SBOMs
  • Upgrade syft to 0.105.0
  • Support local attestations from a containerd image store or OCI export

Bug fixes / Improvements

  • fix reading SBOM for gcr.io/distroless images
  • read distribution in SBOM from attestations

v1.4.1

These notes include changes part of v1.4.0

Highlights

  • Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
  • Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
  • Support cosign SBOM attestations
  • Support for VEX in-toto attestations

Bug fixes / Improvements

  • Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
  • Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images). Affects quickview and recommendations commands.
  • Fix panic when an SBOM contains no packages. Especially when using docker scout to analyse local file system, for instance using docker scout cves fs://.
  • Bump Syft to 102 to fix golang Purl with subpath
  • Add support for subpaths in PURLs. For instance an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, previously the two packages were visible under the same github.com/gofiber/template name. Now both of them are correctly identified.

v1.3.0

  • Update syft to v0.100.0
  • Support in-toto envelope layer in attestations
  • Improve display of policy results in case of a boolean policy

v1.2.2

What's Changed

... (truncated)

Commits
  • b3dd3d6 Merge 192a4dfd7d6181111e78ba15dd528b130a420a62 into 574cf60b31819d4b83319536f...
  • 192a4df [BOT] Publish v1.5.1 release
  • 574cf60 Merge pull request #31 from docker/ref_name
  • faa6c15 ci: use ref_name when release on tag push
  • 67eb1af Merge a942cacf39df1cb99156fece2cf675e8b254c370 into e9ced2013cbdd4d9af09c797a...
  • a942cac [BOT] Publish v1.5.0 release
  • e9ced20 Merge pull request #29 from docker/tag-major
  • cc8bdce ci: trigger release process once merged
  • 0e55bd2 ci: do not write comments to the PR
  • 01eb1c8 ci: update major tag on release
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] commented 6 months ago

Superseded by #539.