
Releases: containerbuildsystem/cachi2

0.14.0

19 Nov 15:16

Breaking changes

  • [pip] Stop allowing project metadata to be mixed from coexisting config files, e.g. pyproject.toml, setup.cfg, setup.py (5a65f16, #680)
    For projects that were defined this way and made use of cachi2, this will result in different SBOM component PURLs for the same set of inputs.

Improvements

  • [generic] Official support for the generic artifact fetcher
  • [generic] Support for fetching and SBOM reporting of Maven artifacts

Experimental features

  • [yarn v1] Implemented parsing for yarn.lock and package.json

Bug fixes

  • [CLI] typer: Do not log locals in an exception's stacktrace (CVE-2024-52582)
  • [bundler] Fixed missing cachi2:found_by SBOM property in precompiled gem components
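The typer bug fix above concerns local variables being rendered into exception stack traces, where a credential held in a local ends up in CLI logs. The block below is an added example, not cachi2's or typer's code: it reproduces the leak class with the standard library's traceback.TracebackException(capture_locals=...) so it runs without typer. The token string and the failing fetch function are constructed for the demo.

```python
"""Added example (not cachi2/typer code): why rendering locals into a stack
trace leaks secrets. Uses the stdlib traceback module; the token is fake."""
import traceback

FAKE_TOKEN = "ghp_constructedExampleToken123"  # constructed, not a real credential


def fetch_artifact(url: str, token: str) -> None:
    # Typical CLI helper: a credential sits in a local variable while a
    # request is attempted; here the request always "fails".
    auth_header = f"Bearer {token}"  # noqa: F841  (deliberately a local)
    raise ConnectionError(f"could not reach {url}")


def render_traceback(show_locals: bool) -> str:
    """Format the failure the way a CLI would with/without locals in the trace."""
    try:
        fetch_artifact("https://example.invalid/artifact", FAKE_TOKEN)
    except ConnectionError as exc:
        te = traceback.TracebackException.from_exception(exc, capture_locals=show_locals)
        return "".join(te.format())
    raise AssertionError("fetch_artifact should have raised")


def leaks_secret(show_locals: bool) -> bool:
    """True if the rendered trace contains the token value."""
    return FAKE_TOKEN in render_traceback(show_locals)


if __name__ == "__main__":
    print("locals shown  -> token in log:", leaks_secret(True))
    print("locals hidden -> token in log:", leaks_secret(False))
```

The message and source lines of the trace never contain the value, only the identifier; it is the per-frame locals dump that exposes it. In Typer the equivalent knob is `typer.Typer(pretty_exceptions_show_locals=False)` (or disabling pretty exceptions entirely), which is the setting a CLI handling registry or repository credentials should default to.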

0.13.0

29 Oct 18:00

Improvements

  • Official backend support for Bundler (Ruby ecosystem)
  • Show help when no CLI arguments were given
  • Contributing: increase the release cadence to weekly

Experimental features

  • [yarn v1] add workspace handler
  • [generic artifact fetcher] introduce fetching files & SBOM reporting

0.12.0

15 Oct 11:27

Improvements

  • adopt contributor's guidelines [CONTRIBUTING.md] (non-functional change)

Experimental features

  • [bundler] generate SBOM components
  • [yarn v1] CLI experimental enablement
  • [yarn v1] prefetching from offline mirrors
  • [rpm] enable TLS client authentication to RPM authenticated repositories with certificates passed via input JSON extra options
  • [generic artifact fetcher] CLI experimental enablement
  • [generic artifact fetcher] generic YAML lockfile representation

0.11.0

18 Sep 14:50

Improvements

  • Switch the container base image to UBI-9 (https://catalog.redhat.com/software/base-images)
  • Introduce a new merge-sboms CLI command
    • this allows merging multiple SBOMs which we generated ourselves
  • Remove the utils/merge_syft_sbom.py script
  • Replace the pyreflink dependency with a vendored implementation of fast in-kernel copying
  • Bump the max Go supported version 1.22 -> 1.23
    • note we're still lacking support for vendored workspaces (introduced in Go 1.22)
  • Deprecate global --gomod-vendor and --gomod-vendor-check CLI flags
    • users no longer need to explicitly instruct cachi2 to consider the vendoring use case with regards to dependency fetching
    • note that if a repository has vendored content cachi2 will check its integrity, but will no longer perform the vendoring as part of the dependency prefetch as was the case with the --gomod-vendor-check flag
    • note the flags will be dropped in a future release
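The merge-sboms command above combines several SBOMs produced for one build. The block below is an added example, not cachi2's merge-sboms implementation, of the core of such a merge for CycloneDX JSON: refuse to mix SBOM formats, identify components by PURL, and take the union of each component's properties. The two input SBOMs and the property name `example:constructed` are constructed for the demo; `cachi2:found_by` is the property name used on this page.

```python
"""Added example (not cachi2's merge-sboms): merge CycloneDX SBOMs produced
for the same build, de-duplicating components by PURL. Inputs constructed."""
import json


def _component(name, version, purl, *extra_props):
    # Helper to build constructed components with a cachi2:found_by property.
    props = [{"name": "cachi2:found_by", "value": "cachi2"}, *extra_props]
    return {"type": "library", "name": name, "version": version, "purl": purl, "properties": props}


SBOM_PIP = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        _component("requests", "2.32.3", "pkg:pypi/requests@2.32.3"),
        _component("urllib3", "2.2.2", "pkg:pypi/urllib3@2.2.2"),
    ],
}

SBOM_GOMOD = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        _component("golang.org/x/net", "v0.28.0", "pkg:golang/golang.org/x/net@v0.28.0"),
        # Same component as in SBOM_PIP but with one extra (constructed) property.
        _component("urllib3", "2.2.2", "pkg:pypi/urllib3@2.2.2",
                   {"name": "example:constructed", "value": "true"}),
    ],
}


def component_key(component: dict) -> str:
    """Identity of a component: its PURL, or name@version when it has none."""
    return component.get("purl") or f"{component['name']}@{component.get('version', '')}"


def merge_sboms(sboms: list[dict]) -> dict:
    if not sboms:
        raise ValueError("nothing to merge")
    formats = {(s["bomFormat"], s["specVersion"]) for s in sboms}
    if len(formats) != 1:
        # Merging 1.4 with 1.5 documents would need schema translation first.
        raise ValueError(f"refusing to merge SBOMs of different formats: {sorted(formats)}")

    merged: dict[str, dict] = {}
    for sbom in sboms:
        for comp in sbom.get("components", []):
            key = component_key(comp)
            if key not in merged:
                merged[key] = {k: v for k, v in comp.items() if k != "properties"}
                merged[key]["properties"] = []
            seen = {(p["name"], p["value"]) for p in merged[key]["properties"]}
            for prop in comp.get("properties", []):
                if (prop["name"], prop["value"]) not in seen:
                    merged[key]["properties"].append(dict(prop))
                    seen.add((prop["name"], prop["value"]))

    bom_format, spec_version = next(iter(formats))
    return {
        "bomFormat": bom_format,
        "specVersion": spec_version,
        "version": 1,
        "components": sorted(merged.values(), key=component_key),
    }


def properties_of(sbom: dict, purl: str) -> list[dict]:
    """Properties recorded for the component with the given PURL."""
    return next(c["properties"] for c in sbom["components"] if c.get("purl") == purl)


if __name__ == "__main__":
    print(json.dumps(merge_sboms([SBOM_PIP, SBOM_GOMOD]), indent=2))
```

Keying on the PURL rather than on name/version is what makes the merge safe across ecosystems: `requests` on PyPI and a hypothetical `requests` npm package would never collapse into one entry. A tool-specific property such as `cachi2:found_by` survives the merge because properties are unioned, not replaced.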

0.10.0

21 Aug 16:13

Improvements

  • Adds preliminary support for Go 1.22
    • Cachi2 is now able to prefetch dependencies for Go 1.22.x based projects
    • Workspace vendoring is still not supported

Bug fixes

  • Fixes error in identifying Go workspaces when the GOWORK environment variable was set to off

0.9.1

24 Jul 14:00

Bug fixes

  • Fix a regression where the utility merge_syft_sbom.py script isn't installed in the resulting container image anymore

0.9.0

22 Jul 16:12

Improvements

  • Converting the Containerfile/Dockerfile to a multi-stage build in order to easily pull in and vet latest releases of Go, NodeJS, etc.

Bug fixes

  • Fix the regex used when parsing go.mod files to determine the desired Go version so that it accepts pre-release versions and allows comments on the same line as the go directive (e6a8010)
  • Fix aiohttp timing out on large downloads and slower connections by actually respecting the config option for async downloads (34b72cc)

Other

  • Added Python 3.12 as the officially supported platform by the project

0.8.0

26 Jun 13:28

Improvements

  • Support Go workspaces (for Go <= 1.21)
  • Support --index-url in requirements.txt files
  • Support ~/.netrc authentication for aiohttp requests (as used by the pip and npm code)

Bug fixes

  • Don't expose credentials in SBOM if git origin url includes credentials
  • Report missing checksums for RPMs properly: report the lockfile path, not the RPM filename
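The credentials fix above matters because a git remote configured as `https://user:token@host/...` would otherwise be copied verbatim into the SBOM. The block below is an added example, not cachi2's code, of scrubbing the userinfo part of a git origin URL before recording it (here as a CycloneDX `vcs` external reference). Rewriting scp-like `user@host:path` remotes to `ssh://host/path` is a design choice of this example; the sample URLs and the token in them are constructed.

```python
"""Added example (not cachi2 code): strip userinfo from a git remote URL
before it is written into an SBOM. Sample URLs/tokens are constructed."""
import re
from urllib.parse import urlsplit, urlunsplit

# scp-like form git accepts when no scheme is given: user@host:path
_SCP_LIKE = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^:/]+):(?P<path>.+)$")


def scrub_git_url(url: str) -> str:
    """Return the URL without any userinfo (user, password or token)."""
    if "://" not in url:
        m = _SCP_LIKE.match(url)
        if m:
            # Example's choice: keep the origin meaningful as an ssh:// URL
            # rather than dropping the user and leaving an invalid scp form.
            return f"ssh://{m['host']}/{m['path'].lstrip('/')}"
        return url  # a local path or something we do not recognise
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    # rsplit keeps host[:port] even if the password itself contained '@'
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def vcs_external_reference(origin_url: str) -> dict:
    """CycloneDX externalReferences entry for the repository origin."""
    return {"type": "vcs", "url": scrub_git_url(origin_url)}


if __name__ == "__main__":
    for u in (
        "https://ci-bot:ghp_constructedToken123@github.com/org/repo.git",
        "ssh://git@github.com:2222/org/repo.git",
        "git@github.com:org/repo.git",
        "https://github.com/org/repo.git",
    ):
        print(f"{u} -> {scrub_git_url(u)}")
```

A check worth adding to any SBOM pipeline: before publishing, grep the document for `://[^/@]+@` and fail the build if it matches, so a scrubbing regression is caught before the SBOM leaves the build system.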

0.7.0

15 Apr 20:44

Improvements:

  • Add full support for Go Toolchains
    • Cachi2 will use GOTOOLCHAIN=auto during the prefetch and any downloaded toolchains will be supplied in the output module cache
    • Cachi2 will no longer override GOTOOLCHAIN=local in the user build environment
  • pip: report components with downloaded wheels in the SBOM
  • pip: allow yanked sdists to be downloaded

Bug fixes:

N/A

0.6.0

16 Feb 15:14

Improvements:

  • The merge_syft_sbom.py script packaged in the Cachi2 container supports the v1.5 style of metadata.tools
    • At least for the Syft SBOM. It still assumes that the Cachi2-generated SBOM is v1.4

Bug fixes:

n/a