build(aqua-proj): 🌊 minor aqua

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
anchore/syft		minor	v1.18.1 → v1.40.0
aquaproj/aqua		minor	v2.42.2 → v2.56.3
aquaproj/aqua-installer	action	patch	v4.0.3 → v4.0.4
aquaproj/aqua-registry		minor	v4.296.0 → v4.454.0
charmbracelet/glow		minor	v2.0.0 → v2.1.1
cli/cli		minor	v2.65.0 → v2.83.2
direnv/direnv		minor	v2.35.0 → v2.37.1
git-town/git-town		minor	v17.2.0 → v17.3.0
golang/go		minor	1.23.5 → 1.25.5
golangci/golangci-lint		minor	v1.63.4 → v1.64.8
goreleaser/goreleaser		minor	v2.5.1 → v2.13.3
mikefarah/yq		minor	v4.45.1 → v4.50.1
miniscruff/changie		minor	v1.21.0 → v1.24.0
mvdan/gofumpt		minor	v0.7.0 → v0.9.2

---

Release Notes

anchore/syft (anchore/syft)

v1.40.0

Compare Source

Added Features

• Exclude development or test dependencies for PNPM Package type [#​4430 #​4487 @​rezmoss]
• Catalog istio binary (pilot-discovery, pilot-agent) [#​4508 #​4521 @​witchcraze]
• Catalog envoy binary [#​4506 #​4530 @​witchcraze]
• Catalog grafana binary [#​4505 #​4516 @​witchcraze]
• Add a binary classifier for valkey [#​3400 #​4509 @​witchcraze]

Bug Fixes

• old bitnami images without spdx files arent getting picked up correctly in the catalog [#​4529 #​4532 @​rezmoss]
• wrong traefik rc versions at binary detection [#​3535 #​4499 @​rezmoss]
• FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#​4070 #​4075 @​luissantosHCIT]
• binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#​4498 #​4499 @​rezmoss]

(Full Changelog)

v1.39.0

Compare Source

Added Features

• add support for Gemfile.next.lock [#​4457 @​HatiCode]
• Command output to give more information on what catalogers look for and what they can find [#​4155 #​4317 @​wagoodman]
• Support reading lzma compressed .go.buildinfo sections with upx [#​4411 #​4480 @​wagoodman]
• Specify specific snap revision to pull [#​4389 #​4439 @​VictorHuu]
• Cannot detect embedded deps.json metadata in single-file .NET binaries [#​4344 #​4375 @​rezmoss]
• ELF note cataloger does not pick up OS field, but should [#​4384 #​4438 @​VictorHuu]

Bug Fixes

• remove debug print statement in dependency parser [#​4412 @​cgreeno]
• dotnet-deps cataloger should skip project references with type "project" when building the sbom [#​4423 #​4436 @​rezmoss]
• File digests not computed when using --base-path [#​4410 #​4478 @​wagoodman]
• Syft should not define subpaths by default in PURLs [#​4394 #​4395 @​rezmoss]
• go: valid purl but incorrect name [#​1737 #​4395 @​rezmoss]
• Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#​4316 #​4395 @​rezmoss]
• Failing to convert npm repository information correctly to SPDX [#​4362 #​4390 @​kendrickm]

(Full Changelog)

v1.38.2

Compare Source

Bug Fixes

• drop cpe from gguf [#​4383 @​spiffcs]
• emit lua rockspec dependencies in metadata [#​4376 @​willmurphyscode]
• Invalid SBOMs are created when GO replace directive is used [#​4415 #​4419 @​VictorHuu]
• Incorrect CPE for Vercel's Next js [#​4443 #​4450 @​willmurphyscode]
• v1.38.0 generates empty sbom for tgz sources [#​4416 #​4421 @​VictorHuu]
• Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file [#​4401 #​4408 @​willmurphyscode]

(Full Changelog)

v1.38.0

Compare Source

Added Features

• add support for cataloging GGUF models [#​4184 #​4279 @​spiffcs]
• Support scanning a list of CPEs [#​3890 #​4207 @​chovanecadam]
• Syft does not detect Elixir binary on system [#​4333 #​4334 @​rezmoss]

Bug Fixes

• Support extras statements in Python PDM cataloger [#​4352 @​wagoodman]
• Preserve --from argument order [#​4350 @​wagoodman]
• SBOM generated by Syft 1.28 contains license elements missing id or name (causing CycloneDX parser error) [#​4363]
• empty PURL output in dependency snapshot format breaks sbom-action [#​4311]
• Interface includes constraint elements, can only be used in type parameters [#​4346]
• Upgrade github.com/nwaples/rardecode@​v1.1.3 to 2.2.1 [#​4338]
• Upgrade to Golang 1.25.4 [#​4341]

Additional Changes

• migrate syft to use mholt/archives instead of anchore fork [#​4029 @​Rupikz]
• Add license enrichment from pypi to python packages [#​4295 @​timols]
• license file search [#​4327 @​kzantow]

(Full Changelog)

v1.37.0

Compare Source

Added Features

• Refactor fileresolver to not require base path [#​4298 @​Rupikz]
• Describe cataloger capabilities via test observations [#​4318 @​wagoodman]
• Support Java resource adapter extension .far as a Java archive [#​4183 #​4193 @​kyounghunJang]
• Add Java resource adapter extension ".rar" as supported Java archive [#​4136 #​4137 @​thomassui]

Bug Fixes

• fix empty PURL Github format [#​4312 @​rezmoss]
• Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#​4308 @​kdt523]
• Respect "rpmmod" PURL qualifier [#​4314 @​willmurphyscode]
• fix dpkg packages that are in deinstalled state should not be in SBOM [#​3063 #​4231 @​rkirk-nos]

(Full Changelog)

v1.36.0

Compare Source

Added Features

• Add the ability to fetch remote licenses for pnpm-lock.yaml files [#​4286 @​timols]
• support universal (fat) mach-o binary files [#​4278 @​JoeyShapiro]
• pdm support [#​2709 #​4234 @​paulslaby]

Bug Fixes

• Remove duplicate image source providers [#​4289 @​Rupikz]
• syft can't extract go module information from executables on Windows [#​4271 #​4285 @​JoeyShapiro]

(Full Changelog)

v1.34.2

Compare Source

Bug Fixes

• Extract zip archive with multiple entries [#​4283 @​Rupikz]
• panic while resolving maven properties in archive parser [#​4288 #​4290 @​kzantow]

(Full Changelog)

v1.34.1

Compare Source

Added Features

• feat: enhance setup.py parser to handle unquoted dependencies [#​4255 @​HalaAli198]
• feat: support for identifying ffmpeg/libav libraries [#​4227 @​popey]
• feat: PNPM latest lockfile (version 9.0) [#​3927 #​4256 @​bernardoamc]
• Add Windows ARM64 releases [#​4179 #​4237 @​compnerd]

Bug Fixes

• fix: SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches [#​4036 #​4093 @​hawkaii]
• fix: use of manifest files present in Snap packages when generating SBOMs [#​4147 #​4151 @​popey]
• fix: Pom xml only archive parser [#​4272 @​douglasclarke]

(Full Changelog)

v1.33.0

Compare Source

Added Features

• Modify RpmDBEntry to include modularityLabel for cyclonedx [#​4212 @​sfc-gh-rmaj]
• Add locations onto packages read from Java native image SBOMs [#​4186 @​rudsberg]

(Full Changelog)

v1.32.0

Compare Source

Added Features

• Catalog entire build list for Go projects, not just packages listed in go.mod [#​432 #​4127 @​spiffcs]
• package.json authors keyword parsing [#​2250 #​4003 @​popey]
• Conda ecosystem support (basic) [#​4002@​SimeonStoykovQC]

Bug Fixes

• When scanning the FFmpeg binary with Syft a new package is now added [#​3988 #​3994 @​popey]
• Warn loudly if SQLite driver is not present when needed [#​3234 #​4150 @​kzantow]

Additional Changes

• Update dependencies to use go.yaml.in/yaml [#​4157 @​n-bes]

(Full Changelog)

v1.31.0

Compare Source

Added Features

• Option to set PackageSupplier in root of SPDX document generated by CLI [#​3098 #​4131 @​spiffcs]

Bug Fixes

• closed reader during java binary detection [#​4129 @​kzantow]
• support multiple letters in openssl patch version [#​4106 @​honigbot]
• Can not have license ID [#​1964 #​4132 @​spiffcs]
• Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest [#​3186]

(Full Changelog)

v1.30.0

Compare Source

Added Features

• add binary classifier for hashicorp vault [#​4121 @​willmurphyscode]

Bug Fixes

• fix: update nondeterministic Java archive cataloging and improve groupID [#​3521 #​4118 @​kzantow]

(Full Changelog)

v1.29.1

Compare Source

Bug Fixes

• Missing license information for tzdata [#​4102]
• Improve JVM Scan Accuracy for JDK and JRE Detection [#​4071 #​4046 @​kzantow]
• Azul JDK classified as Oracle JRE [#​3893 #​4046 @​kzantow]

(Full Changelog)

v1.29.0

Compare Source

Added Features

• Catalog python uv.lock files [#​3268 #​3763 @​jkugler]

Additional Changes

• Pkg Metadata type unmarshal bug [#​4043 @​houdini91]

(Full Changelog)

v1.28.0

Compare Source

Added Features

• add native support for snap packages [#​1088 #​3929 @​wagoodman]

Additional Changes

• upgrade tablewriter dependency to use new API [#​3990 @​cpanato]

(Full Changelog)

v1.27.1

Compare Source

Bug Fixes

• Allow decoding of enterprise-modified anchorectl json files [#​3997 @​wagoodman]
• Allow decoding of anchorectl json files [#​3973 @​wagoodman]

Additional Changes

• provide separate nonroot image [#​3998 @​kzantow]

(Full Changelog)

v1.27.0

Compare Source

Added Features

• add syft schema version to version command [#​3949 @​spiffcs]

Bug Fixes

• Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#​3967 @​jayvdb]
• Remove CPE product candidates for opentelemetry and redis Rust crates [#​3962 @​jayvdb]
• Harden Container Runtime with Non-Root User [#​3941 @​MikeTheCyberGuy]
• terraform provider lock entries should not require constraints [#​3934 @​ghouscht]
• sbom cataloger returning upstream package [#​3662 #​3981 @​kzantow]
• Syft missing md5 sums and list data for dpkg packages under status.d/ [#​3912]
• Failure to detect dependency relationships between Python packages [#​3958 #​3965 @​christoph-blessing]
• Heavy memory consumption when directory scanning deb source [#​3928 #​3953 @​kzantow]
• In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#​3942 #​3944 @​kzantow]
• Syft incorrectly reports multiple APKs as parents of symlinked files [#​3847 #​3923 @​luhring]

(Full Changelog)

A HUGE thank you to @​rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️

v1.26.1

Compare Source

Bug Fixes

• Dotnet deps binary cataloger hangs [#​3919 #​3930 @​kzantow]

(Full Changelog)

v1.26.0

Compare Source

Added Features

• Read version resources from non-.NET DLLs and executables [#​3842 #​3911 @​wagoodman]

Bug Fixes

• pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis [#​3922 @​wagoodman]
• syft 1.24.0 debug container - wget fails TLS [#​3891 #​3915 @​spiffcs]

(Full Changelog)

v1.25.1

Compare Source

Additional Changes

• remove go-rpmdb replace directive [#​3908 @​wagoodman]

(Full Changelog)

v1.25.0

Compare Source

Added Features

• Add PHP interpreter + extensions cataloger [#​2585 @​LaurentGoderre]

Bug Fixes

• update license content filtering default case to be 'none' for no content [#​3903 @​spiffcs]
• Distinguish openjdk vs jdk when using file source [#​3895 @​adammcclenaghan]
• Make it discoverable if Native Image contains no embedded SBOM [#​3731 #​3805 @​sathiya06]

(Full Changelog)

v1.24.0

Compare Source

Added Features

• Add cataloger for Dart pubspec [#​3292 @​LaurentGoderre]
• Translate Portage license strings to SPDX expressions [#​1763 @​wagoodman]
• Use package ID from decoded SBOMs when provided [#​1872 @​jneate]
• Annotate visible/hidden paths when all-layers scope [#​3855 @​wagoodman]
• Add support for PHP Pear [#​2775 @​LaurentGoderre]
• Detect whether full license text or a license name has been provided [#​3088 #​3876 @​spiffcs #​3450 @​spiffcs]
• Add Cataloger for Homebrew on macOS [#​3632 #​3724 @​rezmoss]
• Provide a way to get the LayerID the package was first found in [#​435 #​3858 @​wagoodman #​3138 @​tomersein]
• Go binaries that currently get (devel) as the version should instead stub UNKNOWN based on the compliance policy [#​3324 #​3873 @​wagoodman]
• Upgrade base Docker image to gcr.io/distroless/static-debian12 [#​3840 #​3862 @​bgoareguer]
• Return full license string instead of SHA256 hash when license string exceeds 64 characters [#​3780 #​3844 @​spiffcs]
• Detect nix dependencies [#​3814 #​3837 @​wagoodman]

Bug Fixes

• update license sort to be stable with contents field [#​3860 @​spiffcs]
• Improve detection of erlang binary in alpine Linux [#​3839 @​avodotiiets]
• Do not search for main module versions within binary contents by default [#​3874 @​wagoodman]
• dpkg license improvement for non SPDX licenses [#​3090 #​3888 @​spiffcs]
• CycloneDX group field not symmetrically handled by encoder/decoders [#​2981 #​3853 @​kzantow]
• Syft crash [signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x123a0da] [#​3872 #​3875 @​wagoodman]
• Syft 1.23.1 shows version (devel) for grafana 12.0.0 [#​3864]
• .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs [#​3866 #​3869 @​wagoodman]
• Propagate error in FileSourceProvider instead of warn log [#​3831 #​3845 @​Rupikz]
• Update github.com/Masterminds/semver package [#​3829 #​3836 @​popey]
• go-module-file-cataloger fails if symlinks in path [#​3614 #​3783 @​VictorHuu]
• Support fluent-bit some versions of arm/s390x images [#​3793 #​3817 @​VictorHuu]

Additional Changes

• update rust test fixtures to latest [#​3852 @​spiffcs]

(Full Changelog)

v1.23.1

Compare Source

Additional Changes

• Resolve owned file paths when searching for overlaps [#​3828 @​wagoodman]

(Full Changelog)

v1.23.0

Compare Source

Added Features

• Support skipping archive extraction with file source [#​3795 @​adammcclenaghan]
• Use the R cataloger in directory scans [#​3774 @​spiffcs]
• Add support for detecting javascript assets in .NET projects using libman [#​3825 @​wagoodman]
• Parse GitHub actions comments [#​3776 @​wagoodman]
• Support chrome binary detection [#​3174 #​3136 @​lem-onade]
• Add support for detecting undeclared license files scanning from python installations [#​2624 #​3779 @​wagoodman]

Bug Fixes

• .NET cataloger should consider compile target paths from deps.json [#​3821 @​wagoodman]
• Skip license scanner injection [#​3796 @​adammcclenaghan]
• Delete collection name/type key entries when empty [#​3797 @​adammcclenaghan]
• Use module name over relative paths in go.mod replace directives [#​3812 @​VictorHuu]
• Correct variable names for Conan lock parsing version handling [#​3802 @​musangk]
• Consider DLL claims for dependencies of .NET packages from deps.json [#​3822 @​wagoodman]
• Empty source during decoding an SBOM document should not be fatal [#​3791 @​wagoodman]
• Dpkg are not detected when scanning a directory [#​3726 #​3820 @​VictorHuu]
• Support golang tip image [#​3681 #​3757 @​VictorHuu]
• syft cataloger list should flatten options [#​3801 #​3804 @​kzantow]
• Unable to generate a correct SBOM for C++ project [#​3755]

(Full Changelog)

v1.22.0

Compare Source

Added Features

• Improve .NET package CPE generation [#​3764 @​wagoodman]
• Catalog deb archives directly [#​3315 #​3704 @​popey]

Bug Fixes

• Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries [#​3282 #​3768 @​wagoodman]
• Dotnet deps cataloger returns "wrong" dotnet-framework dependencies and misses out on the runtime (for applications) [#​2347 #​3768 @​wagoodman]
• .NET deps.json should be considered as installation evidence [#​3570 #​3563 @​wagoodman]
• Dotnet PE binary cataloger is detecting false positives [#​3469 #​3563 @​wagoodman]
• Long Processing Time in dpkg-db-cataloger with all-layers Option (Syft 1.20.0) [#​3683 #​3636 @​kzantow]

(Full Changelog)

v1.21.0

Compare Source

Added Features

• Support extracting symbols in .dynsym section for GraalVM Native Images [#​3647 @​rudsberg]
• Support fluent-bit 1.7.0 dev, rc [#​3133 #​3701 @​popey]

Bug Fixes

• Suppress "file already closed" errors [#​3695 @​wagoodman]
• Add set ID to dotnet (lock) packages [#​3719 @​houdini91]
• Location order on packages should consider evidence annotations when sorting [#​3720 @​wagoodman]
• Fix /etc/redhat-release file parsing when resolving distro details [#​3688 @​wagoodman]
• Syft fileresolver.containsPath allocates unnecessarily [#​3729 #​3730 @​yoav-orca]
• Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies [#​3158 #​3572 @​sgreg]
• Download location is not a valid URI [#​3696 #​3697 @​stgrace]

Additional Changes

• Update rustaudit module name [#​3689 @​tofay]
• bump golang.org/x/net from 0.35.0 to 0.36.0 [#​3709 @​dependabot]

(Full Changelog)

v1.20.0

Compare Source

Added Features

• Add file catalogers to selection configuration [#​3505 @​wagoodman]
• Configuration for including license contents in SBOM [#​3626 #​3631 @​spiffcs]
• Support Bitnami embedded SBOMs [#​3065 #​3341 @​juan131] [#​3676 @​willmurphyscode]

Bug Fixes

• Version parse caused by line breaks on different platforms [#​3672 @​idhyt]
• License files which do not match an SPDX expression are erroneously handled as 'unlicensed' [#​3412 #​3366 @​HeyeOpenSource]
• Incorrect URL encoding of package url (purl) [#​3533 #​3678 @​kzantow]
• syft should not warn on known bad package.json [#​3470 #​3645 @​kzantow]
• Scanning a project with many DLLs is slow [#​3455 #​3677 @​rogueai]
• cyclone-dx presenter drops files, includes only packages [#​3435 #​3539 @​spiffcs]
• "syft config" output swaps comments for search-indexed-archives / search-unindexed-archives [#​3624 #​3630 @​spiffcs]
• dpkg license improvement for non SPDX licenses [#​3090 #​3366 @​HeyeOpenSource]
• RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) [#​3534 #​3615 @​mprpic]

Additional Changes

• update to go 1.24.x [#​3660 @​westonsteimel]
• replace all shorthand tags of mapstruct -> mapstructure [#​3633 @​spiffcs]

(Full Changelog)

v1.19.0

Compare Source

Added Features

• add license parsing from vendor dirs [#​3522 @​dschmidt]
• Support cataloging NuGet packages [#​373 #​3484 @​Kemosabert]

Bug Fixes

• Syft generates invalid PURLs when name contains : [#​3577 #​3596 @​spiffcs @​jkugler]
• warn instead of error if zero package catalogers are select - user might still run file metadata cataloger, for example [#​3128 #​3468 @​tomersein]
• sbom report: missing licenses [#​3527 #​3549 @​kzantow]

Additional Changes

• bump stereoscope to v0.0.13 [#​3601 @​spiffcs]

(Full Changelog)

aquaproj/aqua (aquaproj/aqua)

v2.56.3

Compare Source

🐛 Bug Fixes

#​4475 cp: Fix a bug that command arguments are ignored and always all commands are copied
#​4476 update-aqua: Fix a bug that a command argument is ignored and always the latest version is installed

Others

#​4471 Update sigstore/cosign to v3.0.4

v2.56.2

Compare Source

Refactoring

#​4448 Replace logrus with slog
#​4450 Use urfave/cli/v3 Destination pattern for flag values

v2.56.1

Compare Source

Fixes

#​4436 gr: Exclude eabihf

v2.56.0

Compare Source

Features

#​4422 Get pseudo-versions from Go Proxy if no tagged version exists @​gizmoguy

Fixes

#​4401 Add YAML tags @​Shion1305
#​4404 Update golangci-lint to v2.7.2, with lint fixes @​Shion1305

Dependency Updates

#​4402 Update goreleaser to v2.13.1
#​4405 Update anchore/syft to v1.38.2
#​4406 Update Cosign to v3.0.3
#​4420 Update expr to v1.17.7
[#​4424](https://re

---

Configuration

📅 Schedule: Branch creation - "after 10pm on monday,before 3am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

This PR was generated by Mend Renovate. View the repository job log.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.