Releases: tiiuae/sbomnix

v1.6.1: Release 1.6.1

27 Mar 06:28

Main changes in release version v1.6.1:

  • Flake update
  • Bug fixes

All commits included in this release: v1.6.0...v1.6.1

v1.6.0

21 Mar 14:30

Main changes in release version v1.6.0:

  • Add provenance generation tool
  • Include CVE patch info in cdx output
  • Bug fixes

All commits included in this release: v1.5.0...v1.6.0

Release v1.5.0

22 Dec 11:54

Main changes in release version v1.5.0:

  • Improve integration with nixpkgs metadata: --meta command-line argument is no longer needed: #100
  • Change sbomnix, nixgraph, vulnxscan, and nix_outdated so each tool allows specifying the target as a Nix flake reference in addition to the Nix store path (which is still supported). Also, align the use of the command-line argument --buildtime, removing the --type argument from sbomnix
  • Re-structure the project and apply nix best practices: #95, #92, and #94

All commits included in this release: v1.4.6...v1.5.0

sbomnix: release v1.4.6

29 Jun 12:28

Main changes in sbomnix release version 1.4.6:

  • sbomnix: add --depth command-line option
  • sbomnix: force-realise runtime dependency paths
  • sbomnix: remove dependency on legacy nvd cpe json dictionary
  • Update nix flake lock file

See all commits included in this release: v1.4.5...v1.4.6

sbomnix: release v1.4.5

06 Apr 12:13
- Introduce own nix files for each demo tool under scripts/.
  This change allows clearly stating dependencies for each tool.
  This change is also necessary in case we later decide to move
  some of the tools now under `scripts/` directory to their own
  repositories.

- From now on, the default.nix in the root of this repository is only
  for `sbomnix` and `nixgraph` which are the main tools currently
  maintained in this repository. Other tools under `scripts/` can still
  be used via the flakes.nix or the shell.nix.

- Add flake output targets for `repology_cli` and `nix_outdated` apps.

- Introduce basic tests for `repology_cli` and `nix_outdated`.

- Get rid of the `use_scm_version=True` in setup.py and read the version
  number from VERSION file instead. With this change, we can also remove
  the postPatch hack from default.nix.

- Remove travis.yml as it's no longer used.

- Update nix flake lock file.

- Bump sbomnix version to v1.4.5.

Signed-off-by: Henri Rosten <[email protected]>

sbomnix: release v1.4.4

20 Mar 09:45
- repology_cli: fix a bug that caused repology package info to be
  ignored for some sbom input packages. The issue occurred if the
  package info had already been processed by an earlier repology
  query, but had not been included in the result collection.

- repology_cli: improve local version classification

- repology_cli: fix the url in user-agent

- nixgraph: match inverse regex against full store paths. Earlier match
  was done only against the package name. This change allows querying
  inverse graphs starting from specific nix store objects, discarding
  possible duplicate package names.

- sbomnix: fix usage example in `--help` output

- update nix flake lock file

- bump sbomnix version to v1.4.4

Signed-off-by: Henri Rosten <[email protected]>

v1.4.3: sbomnix: release 1.4.3

28 Feb 07:12
- Fix uninstall instructions
- Add curl dependency
- Update flake lock file
- Up the version to 1.4.3

Signed-off-by: Henri Rosten <[email protected]>

v1.4.2: Up the version to 1.4.2

16 Feb 10:51

Improve derivation attributes:

  • Make derivation pname more accurate e.g. for perl packages.
  • Do not generate purl or cpe for packages with pname 'source'. Pname 'source' has a special meaning in Nix - it is the default name for all fetchFromGitHub derivations.
  • Add 'urls' attribute, which contains the package fetch url (if any).
  • Add license and other meta information to the sbomnix release asset SBOMs.

In addition, this release includes the following other changes:

  • Add a test case that checks the nix-shell works as expected to prevent cases like #44 in the future.
  • Read 'unfree' and 'description' from each nix package meta information if available.
  • Add more properties to SPDX sbom: package summary, downloadLocation.
  • Add more properties to CDX sbom: component description, fetch_url, homepage.

v1.4.1: vulnxscan: make grype and vulnix dependencies explicit

14 Feb 14:56
- Make grype and vulnix dependencies explicit
- Flake update
- Use pip in place of pip3, add devshell dependency to pip
- Up the version to 1.4.1

Signed-off-by: Henri Rosten <[email protected]>

v1.4.0: sbomnix: add support for sbom output in spdx json format

14 Feb 07:59
- sbomnix: support spdx json output (--spdx) argument
- test: add relevant test cases to validate spdx output
- include spdx documents from sbomnix itself to release assets
- fix relevant documentation

In addition this commit includes a fix to Makefile to prune
python eggs from the list of python targets.

Signed-off-by: Henri Rosten <[email protected]>