Support local attestations from a containerd image store or OCI export
Bug fixes / Improvements
fix reading SBOM for gcr.io/distroless images
read distribution in SBOM from attestations
v1.4.1
These notes include changes part of v1.4.0
Highlights
Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
Support cosign SBOM attestations
Support for VEX in-toto attestations
Bug fixes / Improvements
Fix platform detection when an image index contains linux/arm64/v8 but the local platform is only linux/arm64
Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
Affects quickview and recommendations commands
Fix panic when an SBOM contains no packages
Especially when using docker scout to analyse local file system, for instance using docker scout cves fs://.
Bump Syft to 102 to fix golang Purl with subpath
Add support for subpaths in PURLs
For instance an image containing both packages github.com/gofiber/template and github.com/gofiber/template/django/v3, previously the two packages were visible under the same github.com/gofiber/template name. Now both of them are correctly identified
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps docker/scout-action from 0.18.1 to 1.5.1.
Release notes
Sourced from docker/scout-action's releases.
... (truncated)
Commits
b3dd3d6
Merge 192a4dfd7d6181111e78ba15dd528b130a420a62 into 574cf60b31819d4b83319536f...192a4df
[BOT] Publish v1.5.1 release574cf60
Merge pull request #31 from docker/ref_namefaa6c15
ci: use ref_name when release on tag push67eb1af
Merge a942cacf39df1cb99156fece2cf675e8b254c370 into e9ced2013cbdd4d9af09c797a...a942cac
[BOT] Publish v1.5.0 releasee9ced20
Merge pull request #29 from docker/tag-majorcc8bdce
ci: trigger release process once merged0e55bd2
ci: do not write comments to the PR01eb1c8
ci: update major tag on releaseDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show