chore(deps): update dependency kubernetes-sigs/bom to v0.6.0 (main)

[cilium-renovate]

This PR contains the following updates:

Package	Update	Change
kubernetes-sigs/bom	minor	f0ff48f9a202abfddf656056bbeeb8efe29920ab -> v0.6.0

---

Release Notes

kubernetes-sigs/bom (kubernetes-sigs/bom)

v0.6.0

Compare Source

Changes by Kind

Feature

• Add attestation in the release job (#​271, @​cpanato)
• Added support for scanning images with RPM package managers (#​342, @​micahhausler)
• Bom now ships with the SPDX license list version v3.21 embedded. (#​307, @​puerco)
• Improved the query help output, most importantly there is now help for the purl matcher
  • New flag --purl to output purls instead of names
  • The name matching filter now supports full regexes and not just substring matching
  • New pluggable printer interface to output in more formats
  • bom document query now can output in JSON and CSV in addition to the usual line printer using --format
  • New --fields flag controls which fields of the sbom will be printed on the query output
  • Piped data on STDIN is now autodetected, you can now pipe an SBOM to bom document query and skip the filename (#​291, @​puerco)
• OS Packages now can include an auto-generated download location. Initially supports Debian and Wolfi. (#​270, @​puerco)
• The bom json parser now supports top-level elements specified with a DESCRIBES relationship to the document. documentDescribes is, of course, still suppoirted
  • License printing in query results has better NOASSERTION detection when choosing which license to print. (#​304, @​puerco)
• Update license-data to v3.22 (#​357, @​cpanato)
• bom now supports scanning OS packages from images based on distroless.
  • Fixed a bug where bom would drop the last package read from the debian database
  • Fixed an encoding bug in oci-typed purls where the version had an unescaped colon. (#​345, @​puerco)
• bom will now autodetect when STDIN is open to outline an SBOM to avoid specifying it with a dash (#​260, @​puerco)

Bug or Regression

• Bom will now read the SBOM until it detects the SBOM encoding data, enabling it to parse SBOMs with the document data defined at the end of the file.
  • When trying to ingest a CycloneDX document, bom will now print a more useful warning (#​259, @​puerco)
• Fixed a race condition where concurrent files canning processes could clash and cause a segfault (thanks to @​howardjohn for reporting) (#​312, @​puerco)
• JSON-encoded files now include supplier and originator data. (#​269, @​puerco)

Other (Cleanup or Flake)

• Go.mod: Update github.com/uwu-tools/magex to v0.10.0 (#​275, @​cpanato)
• SPDX packages representing container images are now named using their full reference and digest: registry.com/repository/image@sha256:digest (#​289, @​puerco)

Dependencies

Added

• dario.cat/mergo: v1.0.0
• github.com/MakeNowJust/heredoc/v2: v2.0.1
• github.com/cyphar/filepath-securejoin: v0.2.4
• github.com/dustin/go-humanize: v1.0.1
• github.com/elazarl/goproxy: 2592e75
• github.com/glebarez/go-sqlite: v1.22.0
• github.com/go-jose/go-jose/v3: v3.0.0
• github.com/golang/groupcache: 41bb18b
• github.com/google/pprof: e6195bd
• github.com/hashicorp/errwrap: v1.0.0
• github.com/hashicorp/go-multierror: v1.1.1
• github.com/kballard/go-shellquote: 95032a8
• github.com/klauspost/cpuid/v2: v2.2.3
• github.com/knqyf263/go-rpmdb: 067d98b
• github.com/mattn/go-isatty: v0.0.20
• github.com/mattn/go-sqlite3: v1.14.16
• github.com/remyoudompheng/bigfft: 24d4a6f
• github.com/uwu-tools/magex: v0.10.0
• golang.org/x/exp: d852ddb
• golang.org/x/tools/go/vcs: v0.1.0-deprecated
• lukechampine.com/uint128: v1.3.0
• modernc.org/cc/v3: v3.41.0
• modernc.org/ccgo/v3: v3.16.15
• modernc.org/httpfs: v1.0.6
• modernc.org/libc: v1.37.6
• modernc.org/mathutil: v1.6.0
• modernc.org/memory: v1.7.2
• modernc.org/opt: v0.1.3
• modernc.org/sqlite: v1.28.0
• modernc.org/strutil: v1.2.0
• modernc.org/tcl: v1.15.2
• modernc.org/token: v1.1.0
• modernc.org/z: v1.7.3

Changed

• cloud.google.com/go/compute: v1.18.0 → v1.19.3
• github.com/BurntSushi/toml: v0.3.1 → v1.2.1
• github.com/Masterminds/semver/v3: v3.1.1 → v3.2.1
• github.com/Microsoft/go-winio: v0.6.0 → v0.6.1
• github.com/ProtonMail/go-crypto: 7d5c6f0 → 3c4c8a2
• github.com/cloudflare/circl: v1.1.0 → v1.3.3
• github.com/cpuguy83/go-md2man/v2: v2.0.2 → v2.0.3
• github.com/docker/cli: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/docker/distribution: v2.8.1+incompatible → v2.8.2+incompatible
• github.com/docker/docker: v23.0.1+incompatible → v24.0.0+incompatible
• github.com/go-git/gcfg: v1.5.0 → 3a3c614
• github.com/go-git/go-billy/v5: v5.4.1 → v5.5.0
• github.com/go-git/go-git-fixtures/v4: v4.3.1 → 55a9409
• github.com/go-git/go-git/v5: v5.6.1 → v5.11.0
• github.com/google/go-cmp: v0.5.9 → v0.6.0
• github.com/google/go-containerregistry: v0.14.0 → v0.17.0
• github.com/google/uuid: v1.3.0 → v1.5.0
• github.com/in-toto/in-toto-golang: v0.7.0 → v0.9.0
• github.com/klauspost/compress: v1.16.0 → v1.16.5
• github.com/kr/pretty: v0.3.0 → v0.3.1
• github.com/magefile/mage: v1.14.0 → v1.15.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.6.1 → v6.8.1
• github.com/moby/term: 3f7ff69 → v0.5.0
• github.com/onsi/gomega: v1.26.0 → v1.30.0
• github.com/opencontainers/image-spec: v1.1.0-rc2 → v1.1.0-rc3
• github.com/package-url/packageurl-go: d704593 → v0.1.2
• github.com/rogpeppe/go-internal: v1.8.1 → v1.11.0
• github.com/secure-systems-lab/go-securesystemslib: v0.5.0 → v0.6.0
• github.com/sirupsen/logrus: v1.9.0 → v1.9.3
• github.com/skeema/knownhosts: v1.1.0 → v1.2.1
• github.com/spf13/cobra: v1.6.1 → v1.8.0
• github.com/spiffe/go-spiffe/v2: v2.1.2 → v2.1.3
• github.com/stretchr/testify: v1.8.2 → v1.8.4
• github.com/urfave/cli: v1.22.4 → v1.22.12
• github.com/vbatts/tar-split: v0.11.2 → v0.11.3
• gitlab.alpinelinux.org/alpine/go: v0.6.0 → v0.8.0
• golang.org/x/crypto: v0.6.0 → v0.18.0
• golang.org/x/mod: v0.9.0 → v0.14.0
• golang.org/x/net: v0.8.0 → v0.20.0
• golang.org/x/oauth2: v0.6.0 → v0.8.0
• golang.org/x/sync: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.6.0 → v0.16.0
• golang.org/x/term: v0.6.0 → v0.16.0
• golang.org/x/text: v0.8.0 → v0.14.0
• golang.org/x/tools: v0.7.0 → v0.17.0
• golang.org/x/xerrors: 5ec99f8 → 104605a
• google.golang.org/genproto: 76db087 → 637eb22
• google.golang.org/grpc: v1.53.0 → v1.54.0
• google.golang.org/protobuf: v1.29.0 → v1.30.0
• mvdan.cc/sh/v3: v3.5.1 → v3.7.0
• sigs.k8s.io/release-utils: 2b998c6 → v0.7.7

Removed

• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/acomagu/bufpipe: v1.0.4
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/carolynvs/magex: v0.9.0
• github.com/creack/pty: v1.1.17
• github.com/frankban/quicktest: v1.14.0
• github.com/google/renameio: v1.0.1
• github.com/imdario/mergo: v0.3.13
• github.com/jessevdk/go-flags: v1.5.0
• github.com/matryer/is: v1.2.0
• github.com/mmcloughlin/avo: v0.5.0
• github.com/niemeyer/pretty: a10e7ca
• github.com/pkg/diff: 20ebb0f
• github.com/shurcooL/sanitized_anchor_name: v1.0.0
• golang.org/x/arch: v0.1.0
• gopkg.in/errgo.v2: v2.1.0
• gopkg.in/square/go-jose.v2: v2.6.0
• mvdan.cc/editorconfig: v0.2.0
• rsc.io/pdf: v0.1.1

v0.5.1

Compare Source

What's Changed

• update release binary name by @​cpanato in https://github.com/kubernetes-sigs/bom/pull/258

Full Changelog: kubernetes-sigs/bom@v0.5.0...v0.5.1

v0.5.0

Compare Source

Changes by Kind

Feature

• -bom now embeds the latest SPDX license list. This avoids pulling the license list from the internet, speeding up SBOM generation
  • The bom mage file now has a CheckEmbeddedData and UpdateEmbeddedData targets to ease the management of the embedded data. (#​255, @​puerco)
• Bom will now correctly register in the SBOM the license list it used to scan code to detect licenses
  • the version of the SPDX license list to use is now configurable at SBOM generation time using --license-list-version (#​245, @​puerco)
• Bom will now generate package listings out of apk-based systems (alpine and wolfi) (#​224, @​puerco)
• Replace the registry with cgr.dev (#​199, @​developer-guy)
• The license list downloader now cached the license list zip file
  • The license list downloader can now download arbitrary versions of the license list. (#​213, @​puerco)
• Upgrade to go1.20 (#​250, @​cpanato)
• bom document outline now displays version numbers along package names by default. This can be turned off with --version=false
  • The oultine subcommand has a new ---purl flag which will display purls instead of package names when outlining an SBOM (#​212, @​puerco)

Documentation

• Corrected the go install instructions to install the latest version (#​252, @​puerco)
• Updated the readme to show up to date features
  • bom now has a logo! 🎉 (#​222, @​puerco)

Bug or Regression

• Fixed a bug where SBOMs were not ingested when the supplier of a package was NOASSERTION. (#​203, @​puerco)
• Fixed a bug where bom would crash when outlining an SBOM containing files at the top level of the document.. (#​190, @​puerco)
• Fixed a bug where the license downloader was always returning nil data leading to licenses not being detected. (#​241, @​puerco)
• Fixed a bug where the tool version was not getting included in the document creator info. The new Creator field has the app name, version tag and commit: ``bom-v0.4.1-102-g98baf66 (#​242, @​puerco)
• Fixed a recursion loop in spdx.recursiveIDSearch which lead to panics when generating sboms describing multiple artifacts. (#​244, @​puerco)

Other (Cleanup or Flake)

• Fixed a bug where bom would open each file unnecessarily when checksumming (#​200, @​puerco)
• LicenseDeclared in packages and licenseConcluded in files and packages will now be omitted in SPDX 2.3 documents.
  • [API Change] the PackageVerificationCode in the package JSON types (both in 2.2 and 2.3) has been changed and is now a pointer. This is a breaking change for anything depending on the bom types. This fixes a bug where JSON SBOMs contained an empty package verification code struct.
  • licenseInfoInFile in both packages and files is now committed from the JSON output when empty. (#​243, @​puerco)
• SBOM ingestion now supports external references with both PACKAGE-MANAGER and PACKAGE-MANAGER in the category field. Output is always SPDX 2.3 which calls for PACKAGE-MANAGER in the schema. (#​221, @​puerco)

Uncategorized

• Add checksums binaries (#​191, @​cpanato)
• Fixed a bug where bom would panic when generating an SBOM of an image specified with a digest. (#​225, @​sbs2001)

Dependencies

Added

• cloud.google.com/go/compute/metadata: v0.2.3
• github.com/MakeNowJust/heredoc: v1.0.0
• github.com/bwesterb/go-ristretto: v1.2.0
• github.com/cloudflare/circl: v1.1.0
• github.com/frankban/quicktest: v1.14.0
• github.com/google/renameio: v1.0.1
• github.com/mmcloughlin/avo: v0.5.0
• github.com/pjbgf/sha1cd: v0.3.0
• github.com/skeema/knownhosts: v1.1.0
• github.com/spiffe/go-spiffe/v2: v2.1.2
• github.com/zeebo/errs: v1.3.0
• gitlab.alpinelinux.org/alpine/go: v0.6.0
• golang.org/x/arch: v0.1.0
• google.golang.org/genproto: 76db087
• google.golang.org/grpc: v1.53.0
• gopkg.in/ini.v1: v1.67.0
• gopkg.in/square/go-jose.v2: v2.6.0
• mvdan.cc/editorconfig: v0.2.0
• mvdan.cc/sh/v3: v3.5.1
• rsc.io/pdf: v0.1.1

Changed

• cloud.google.com/go/compute: v1.10.0 → v1.18.0
• github.com/ProtonMail/go-crypto: 04723f9 → 7d5c6f0
• github.com/acomagu/bufpipe: v1.0.3 → v1.0.4
• github.com/anmitsu/go-shlex: 648efa6 → 38f4b40
• github.com/containerd/stargz-snapshotter/estargz: v0.12.1 → v0.14.3
• github.com/creack/pty: v1.1.9 → v1.1.17
• github.com/docker/cli: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/docker/docker: v20.10.20+incompatible → v23.0.1+incompatible
• github.com/emirpasic/gods: v1.12.0 → v1.18.1
• github.com/gliderlabs/ssh: v0.2.2 → v0.3.5
• github.com/go-git/go-billy/v5: v5.3.1 → v5.4.1
• github.com/go-git/go-git-fixtures/v4: v4.2.1 → v4.3.1
• github.com/go-git/go-git/v5: v5.4.2 → v5.6.1
• github.com/golang/protobuf: v1.5.2 → v1.5.3
• github.com/google/go-containerregistry: v0.12.0 → v0.14.0
• github.com/imdario/mergo: v0.3.12 → v0.3.13
• github.com/in-toto/in-toto-golang: af1f9fb → v0.7.0
• github.com/inconshreveable/mousetrap: v1.0.1 → v1.1.0
• github.com/kevinburke/ssh_config: 4977a11 → v1.2.0
• github.com/klauspost/compress: v1.15.11 → v1.16.0
• github.com/maxbrunsfeld/counterfeiter/v6: v6.5.0 → v6.6.1
• github.com/onsi/gomega: v1.18.1 → v1.26.0
• github.com/secure-systems-lab/go-securesystemslib: v0.3.0 → v0.5.0
• github.com/stretchr/testify: v1.8.1 → v1.8.2
• github.com/xanzy/ssh-agent: v0.3.0 → v0.3.3
• golang.org/x/crypto: v0.1.0 → v0.6.0
• golang.org/x/mod: v0.6.0 → v0.9.0
• golang.org/x/net: v0.1.0 → v0.8.0
• golang.org/x/oauth2: v0.1.0 → v0.6.0
• golang.org/x/sys: v0.1.0 → v0.6.0
• golang.org/x/term: v0.1.0 → v0.6.0
• golang.org/x/text: v0.4.0 → v0.8.0
• golang.org/x/tools: v0.2.0 → v0.7.0
• google.golang.org/protobuf: v1.28.1 → v1.29.0
• sigs.k8s.io/release-utils: v0.7.3 → 2b998c6

Removed

• github.com/flynn/go-shlex: 3f9db97
• github.com/konsorten/go-windows-terminal-sequences: v1.0.1

New Contributors

• @​rnjudge made their first contribution in https://github.com/kubernetes-sigs/bom/pull/231

Full Changelog: kubernetes-sigs/bom@v0.4.1...v0.5.0

v0.4.1

Compare Source

Release Notes

Changes by Kind

Bug or Regression

• Fixed a bug where bom would crash when outlining an SBOM containing files at the top level of the document.. (#​190, @​puerco)
• Fixed a bug where the secondary license list returned by the classifier was not being returned
  • Improved the licensing code to be more resilient to unexpected output from the classifier
  • Licensing output is now less verbose. Use --log-level=debug to see all messages (#​189, @​puerco)

Dependencies

Added

Nothing has changed.

Changed

• github.com/spf13/cobra: v1.6.0 → v1.6.1
• github.com/stretchr/objx: v0.4.0 → v0.5.0
• github.com/stretchr/testify: v1.8.0 → v1.8.1
• golang.org/x/tools: v0.1.12 → v0.2.0

Removed

Nothing has changed.

v0.4.0

Compare Source

Release Notes

Changes by Kind

API Change

• Change SPDX json package name to remove patch semantic versioning (#​145, @​lumjjb)

Feature

• Allow specifying URLs in bom document query/outline. (#​170, @​saschagrunert)
• Bump go to 1.19 (#​175, @​cpanato)
• Chore: use different base image to include go (#​136, @​developer-guy)
• Feat: use mage pkg to generate ldflags (#​154, @​developer-guy)
• Image archives are treated as files now. The SBOM structure now consists of a package representing the tar, with the OCI artifacts inside.
  • Package names now reflect container image digests instead of tags. This makes the bom SBOMs similar to what other tools are doing now (#​143, @​puerco)
• Introduced a new presubmit workflow to validate SPDX conformance check on the documents generated by bom using the SPDX java tools. (#​159, @​puerco)
• SBOM can now parse spdx&#​43;json documents which means that they can be outlined and queried just as their tag-value counterparts. (#​133, @​puerco)
• bom now generates SBOMs conformant to SPDX version 2.3 🎉
  • The ingestion engine has now been overhauled with new standards checks and SPDX version awareness. This means that we can now check for errors that apply to a particular SPDX version.
  • Improved JSON document validation, particularly when rendering empty elements. (#​157, @​puerco)

Bug or Regression

• Fix: ko version output in magefile (#​152, @​developer-guy)
• Fixed a bug where Debian packages were listed in the SBOM with the version appended, now Name only has the name as expected (#​138, @​puerco)
• Fixed a bug where FileType in compressed tars was not categorized as ARCHIVE (#​156, @​puerco)
• Looking for precached images in the local daemon is now removed as it broke multiarch image SBOMs
  • Image downloading is now done in parallel. This should provide some speed gains in some high bandwidth settings (#​139, @​puerco)
• The license module in bom is now compatible with the latest google/licenseclassifier v2 prereleases. (#​161, @​puerco)
• When indexing golang repos, bom would throw a fatal error if no go.sum file was found. Now it returns an empty dependency list and generates the SBOM from the repository correctly. (#​162, @​puerco)

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.1.1
• github.com/blang/semver/v4: v4.0.0

Changed

• cloud.google.com/go/compute: v1.6.1 → v1.10.0
• github.com/BurntSushi/toml: v0.4.1 → v0.3.1
• github.com/Microsoft/go-winio: v0.5.2 → v0.6.0
• github.com/carolynvs/magex: v0.8.1 → v0.9.0
• github.com/containerd/stargz-snapshotter/estargz: v0.11.4 → v0.12.1
• github.com/danieljoos/wincred: v1.1.0 → v1.1.2
• github.com/docker/cli: v20.10.16+incompatible → v20.10.20+incompatible
• github.com/docker/docker-credential-helpers: v0.6.4 → v0.7.0
• github.com/docker/docker: v20.10.16+incompatible → v20.10.20+incompatible
• github.com/docker/go-units: v0.4.0 → v0.5.0
• github.com/google/go-cmp: v0.5.8 → v0.5.9
• github.com/google/go-containerregistry: v0.10.0 → v0.12.0
• github.com/google/licenseclassifier/v2: v2.0.0-alpha.1 → v2.0.0
• github.com/inconshreveable/mousetrap: v1.0.0 → v1.0.1
• github.com/klauspost/compress: v1.15.4 → v1.15.11
• github.com/konsorten/go-windows-terminal-sequences: v1.0.3 → v1.0.1
• github.com/magefile/mage: v1.13.0 → v1.14.0
• github.com/matryer/is: v1.4.0 → v1.2.0
• github.com/opencontainers/image-spec: 8b9d41f → v1.1.0-rc2
• github.com/sirupsen/logrus: v1.8.1 → v1.9.0
• github.com/spf13/cobra: v1.5.0 → v1.6.0
• github.com/yuin/goldmark: v1.4.1 → v1.4.13
• golang.org/x/crypto: e495a2d → v0.1.0
• golang.org/x/mod: 86c51ed → v0.6.0
• golang.org/x/net: 1d687d4 → v0.1.0
• golang.org/x/oauth2: 622c5d5 → v0.1.0
• golang.org/x/sync: 0976fa6 → v0.1.0
• golang.org/x/sys: bc2c85a → v0.1.0
• golang.org/x/term: 03fcf44 → v0.1.0
• golang.org/x/text: v0.3.7 → v0.4.0
• golang.org/x/tools: v0.1.11 → v0.1.12
• golang.org/x/xerrors: f3a8303 → 5ec99f8
• google.golang.org/protobuf: v1.28.0 → v1.28.1
• sigs.k8s.io/release-utils: v0.7.1 → v0.7.3

Removed

• 4d63.com/gochecknoglobals: v0.1.0
• bitbucket.org/creachadair/shell: v0.0.6
• cloud.google.com/go/bigquery: v1.8.0
• cloud.google.com/go/datastore: v1.1.0
• cloud.google.com/go/firestore: v1.6.0
• cloud.google.com/go/pubsub: v1.5.0
• cloud.google.com/go/spanner: v1.7.0
• cloud.google.com/go/storage: v1.10.0
• cloud.google.com/go: v0.93.3
• contrib.go.opencensus.io/exporter/stackdriver: v0.13.4
• dmitri.shuralyov.com/gpu/mtl: 666a987
• github.com/Antonboom/errname: v0.1.5
• github.com/Antonboom/nilnil: v0.1.0
• github.com/BurntSushi/xgb: 27f1227
• github.com/Djarvur/go-err113: aea10b5
• github.com/Masterminds/goutils: v1.1.0
• github.com/Masterminds/semver: v1.5.0
• github.com/Masterminds/sprig: v2.22.0+incompatible
• github.com/OneOfOne/xxhash: v1.2.2
• github.com/OpenPeeDeeP/depguard: v1.0.1
• github.com/StackExchange/wmi: v1.2.1
• github.com/alecthomas/template: fb15b89
• github.com/alecthomas/units: c3de453
• github.com/alexkohler/prealloc: v1.0.0
• github.com/antihax/optional: v1.0.0
• github.com/aokoli/goutils: v1.0.1
• github.com/armon/circbuf: bbbad09
• github.com/armon/consul-api: eb2c6b5
• github.com/armon/go-metrics: f0300d1
• github.com/armon/go-radix: v1.0.0
• github.com/ashanbrown/forbidigo: v1.2.0
• github.com/ashanbrown/makezero: b626158
• github.com/aws/aws-sdk-go: v1.36.30
• github.com/beorn7/perks: v1.0.1
• github.com/bgentry/speakeasy: v0.1.0
• github.com/bketelsen/crypt: v0.0.4
• github.com/bkielbasa/cyclop: v1.2.0
• github.com/blang/semver: v3.5.1+incompatible
• github.com/blizzy78/varnamelen: v0.3.0
• github.com/bombsimon/wsl/v3: v3.3.0
• github.com/breml/bidichk: v0.1.1
• github.com/butuzov/ireturn: v0.1.1
• github.com/census-instrumentation/opencensus-proto: v0.2.1
• github.com/cespare/xxhash/v2: v2.1.1
• github.com/cespare/xxhash: v1.1.0
• github.com/charithe/durationcheck: v0.0.9
• github.com/chavacava/garif: e8a0a40
• github.com/chzyer/logex: v1.1.10
• github.com/chzyer/readline: 2972be2
• github.com/chzyer/test: a1ea475
• github.com/client9/misspell: v0.3.4
• github.com/cncf/udpa/go: 5459f2c
• github.com/cncf/xds/go: fbca930
• github.com/cockroachdb/datadriven: 80d97fb
• github.com/coreos/etcd: v3.3.10+incompatible
• github.com/coreos/go-etcd: v2.0.0+incompatible
• github.com/coreos/go-semver: v0.3.0
• github.com/coreos/go-systemd/v22: v22.3.2
• github.com/coreos/go-systemd: e64a0ec
• github.com/coreos/pkg: 399ea9e
• github.com/cpuguy83/go-md2man: v1.0.10
• github.com/daixiang0/gci: v0.2.9
• github.com/denis-tingajkin/go-header: v0.4.2
• github.com/dgrijalva/jwt-go: v3.2.0+incompatible
• github.com/dustin/go-humanize: v1.0.0
• github.com/envoyproxy/go-control-plane: 63b5d3c
• github.com/envoyproxy/protoc-gen-validate: v0.1.0
• github.com/esimonov/ifshort: v1.0.3
• github.com/ettle/strcase: v0.1.1
• github.com/fatih/color: v1.13.0
• github.com/fatih/structtag: v1.2.0
• github.com/fsnotify/fsnotify: v1.5.1
• github.com/fullstorydev/grpcurl: v1.6.0
• github.com/fzipp/gocyclo: v0.3.1
• github.com/ghodss/yaml: v1.0.0
• github.com/go-critic/go-critic: v0.6.1
• github.com/go-gl/glfw/v3.3/glfw: 6f7a984
• github.com/go-gl/glfw: e6da0ac
• github.com/go-kit/kit: v0.9.0
• github.com/go-logfmt/logfmt: v0.4.0
• github.com/go-ole/go-ole: v1.2.6
• github.com/go-redis/redis: v6.15.8+incompatible
• github.com/go-sql-driver/mysql: v1.5.0
• github.com/go-stack/stack: v1.8.0
• github.com/go-task/slim-sprig: 348f09d
• github.com/go-toolsmith/astcast: v1.0.0
• github.com/go-toolsmith/astcopy: v1.0.0
• github.com/go-toolsmith/astequal: v1.0.1
• github.com/go-toolsmith/astfmt: v1.0.0
• github.com/go-toolsmith/astinfo: 9809ff7
• github.com/go-toolsmith/astp: v1.0.0
• github.com/go-toolsmith/pkgload: v1.0.0
• github.com/go-toolsmith/strparse: v1.0.0
• github.com/go-toolsmith/typep: v1.0.2
• github.com/go-xmlfmt/xmlfmt: d5b6f63
• github.com/gobwas/glob: v0.2.3
• github.com/godbus/dbus/v5: v5.0.4
• github.com/gofrs/flock: v0.8.1
• github.com/golang/glog: 23def4e
• github.com/golang/groupcache: 8c9f03a
• github.com/golang/mock: v1.6.0
• github.com/golangci/check: cfe4005
• github.com/golangci/dupl: 3e9179a
• github.com/golangci/go-misc: 927a3d8
• github.com/golangci/gofmt: 244bba7
• github.com/golangci/golangci-lint: v1.43.0
• github.com/golangci/lint-1: 297bf36
• github.com/golangci/maligned: b1d8939
• github.com/golangci/misspell: v0.3.5
• github.com/golangci/revgrep: c22e500
• github.com/golangci/unconvert: 28b1c44
• github.com/google/btree: v1.0.0
• github.com/google/certificate-transparency-go: v1.1.1
• github.com/google/gofuzz: v1.0.0
• github.com/google/martian/v3: v3.2.1
• github.com/google/martian: v2.1.0+incompatible
• github.com/google/pprof: 4bb14d4
• github.com/google/renameio: v0.1.0
• github.com/google/trillian: v1.3.11
• github.com/googleapis/gax-go/v2: v2.1.0
• github.com/gookit/color: v1.4.2
• github.com/gopherjs/gopherjs: 0766667
• github.com/gordonklaus/ineffassign: 2e10b26
• github.com/gorhill/cronexpr: 88b0669
• github.com/gorilla/mux: v1.8.0
• github.com/gorilla/websocket: v1.4.1
• github.com/gostaticanalysis/analysisutil: v0.7.1
• github.com/gostaticanalysis/comment: v1.4.2
• github.com/gostaticanalysis/forcetypeassert: 01d4955
• github.com/gostaticanalysis/nilerr: v0.1.1
• github.com/gostaticanalysis/testutil: v0.4.0
• github.com/gregjones/httpcache: 901d907
• github.com/grpc-ecosystem/go-grpc-middleware: v1.2.2
• github.com/grpc-ecosystem/go-grpc-prometheus: v1.2.0
• github.com/grpc-ecosystem/grpc-gateway: v1.16.0
• github.com/hashicorp/consul/api: v1.10.1
• github.com/hashicorp/consul/sdk: v0.8.0
• github.com/hashicorp/errwrap: v1.0.0
• github.com/hashicorp/go-cleanhttp: v0.5.1
• github.com/hashicorp/go-hclog: v0.12.0
• github.com/hashicorp/go-immutable-radix: v1.0.0
• github.com/hashicorp/go-msgpack: v0.5.3
• github.com/hashicorp/go-multierror: v1.1.1
• github.com/hashicorp/go-rootcerts: v1.0.2
• github.com/hashicorp/go-sockaddr: v1.0.0
• github.com/hashicorp/go-syslog: v1.0.0
• github.com/hashicorp/go-uuid: v1.0.1
• github.com/hashicorp/go-version: v1.2.1
• github.com/hashicorp/go.net: v0.0.1
• github.com/hashicorp/golang-lru: v0.5.4
• github.com/hashicorp/hcl: v1.0.0
• github.com/hashicorp/logutils: v1.0.0
• github.com/hashicorp/mdns: v1.0.1
• github.com/hashicorp/memberlist: v0.2.2
• github.com/hashicorp/serf: v0.9.5
• github.com/hpcloud/tail: v1.0.0
• github.com/huandu/xstrings: v1.2.0
• github.com/ianlancetaylor/demangle: 28f6c0f
• github.com/jgautheron/goconst: v1.5.1
• github.com/jhump/protoreflect: v1.6.1
• github.com/jingyugao/rowserrcheck: v1.1.1
• github.com/jirfag/go-printf-func-name: 7558a9e
• github.com/jmespath/go-jmespath/internal/testify: v1.5.1
• github.com/jmespath/go-jmespath: v0.4.0
• github.com/jmoiron/sqlx: v1.2.0
• github.com/jonboulle/clockwork: v0.2.0
• github.com/josharian/txtarfs: 0702f00
• github.com/json-iterator/go: v1.1.11
• github.com/jstemmer/go-junit-report: v0.9.1
• github.com/jtolds/gls: v4.20.0+incompatible
• github.com/juju/ratelimit: v1.0.1
• github.com/julienschmidt/httprouter: v1.2.0
• github.com/julz/importas: 841f0c0
• github.com/k0kubun/colorstring: 9440f19
• github.com/kisielk/errcheck: v1.6.0
• github.com/kisielk/gotool: v1.0.0
• github.com/kr/fs: v0.1.0
• github.com/kr/logfmt: b84e30a
• github.com/kulti/thelper: v0.4.0
• github.com/kunwardeep/paralleltest: v1.0.3
• github.com/kylelemons/godebug: v1.1.0
• github.com/kyoh86/exportloopref: v0.1.8
• github.com/ldez/gomoddirectives: v0.2.2
• github.com/ldez/tagliatelle: v0.2.0
• github.com/letsencrypt/pkcs11key/v4: v4.0.0
• github.com/lib/pq: v1.10.3
• github.com/logrusorgru/aurora: a7b3b31
• github.com/lufia/plan9stats: 39d0f17
• github.com/magiconair/properties: v1.8.5
• github.com/maratori/testpackage: v1.0.1
• github.com/matoous/godox: 6504466
• github.com/mattn/go-colorable: v0.1.11
• github.com/mattn/go-isatty: v0.0.14
• github.com/mattn/go-sqlite3: v1.9.0
• github.com/mattn/goveralls: v0.0.2
• github.com/matttproud/golang_protobuf_extensions: v1.0.1
• github.com/mbilski/exhaustivestruct: v1.2.0
• github.com/mgechev/dots: e955255
• github.com/mgechev/revive: v1.1.2
• github.com/miekg/dns: v1.1.35
• github.com/miekg/pkcs11: v1.0.3
• github.com/mitchellh/cli: v1.1.0
• github.com/mitchellh/copystructure: v1.0.0
• github.com/mitchellh/go-ps: v1.0.0
• github.com/mitchellh/go-testing-interface: v1.0.0
• github.com/mitchellh/gox: v0.4.0
• github.com/mitchellh/iochan: v1.0.0
• github.com/mitchellh/mapstructure: v1.4.2
• github.com/mitchellh/reflectwalk: v1.0.1
• github.com/modern-go/concurrent: bacd9c7
• github.com/modern-go/reflect2: v1.0.1
• github.com/mohae/deepcopy: c48cc78
• github.com/moricho/tparallel: v0.2.1
• github.com/mozilla/scribe: fb71baf
• github.com/mozilla/tls-observatory: 7bc4285
• github.com/mwitkow/go-conntrack: cc309e4
• github.com/mwitkow/go-proto-validators: v0.2.0
• github.com/nakabonne/nestif: v0.3.1
• github.com/nbutton23/zxcvbn-go: fa2cb28
• github.com/nishanths/exhaustive: v0.2.3
• github.com/nishanths/predeclared: v0.2.1
• github.com/nxadm/tail: v1.4.8
• github.com/onsi/ginkgo: v1.16.4
• github.com/opentracing/opentracing-go: v1.1.0
• github.com/otiai10/copy: v1.2.0
• github.com/otiai10/curr: v1.0.0
• github.com/otiai10/mint: v1.3.1
• github.com/pascaldekloe/goe: 57f6aae
• github.com/pborman/uuid: v1.2.0
• github.com/pelletier/go-toml: v1.9.4
• github.com/peterbourgon/diskv: v2.0.1+incompatible
• github.com/phayes/checkstyle: bfd46e6
• github.com/pkg/sftp: v1.10.1
• github.com/polyfloyd/go-errorlint: 910bb79
• github.com/posener/complete: v1.2.3
• github.com/prometheus/client_golang: v1.7.1
• github.com/prometheus/client_model: v0.2.0
• github.com/prometheus/common: v0.10.0
• github.com/prometheus/procfs: v0.6.0
• github.com/pseudomuto/protoc-gen-doc: v1.3.2
• github.com/pseudomuto/protokit: v0.2.0
• github.com/quasilyte/go-consistent: c6f3937
• github.com/quasilyte/go-ruleguard/dsl: v0.3.10
• github.com/quasilyte/go-ruleguard/rules: 545e0d2
• github.com/quasilyte/go-ruleguard: v0.3.13
• github.com/quasilyte/regex/syntax: 30656e2
• github.com/rogpeppe/fastuuid: v1.2.0
• github.com/rs/cors: v1.7.0
• github.com/ryancurrah/gomodguard: v1.2.3
• github.com/ryanrolds/sqlclosecheck: v0.3.0
• github.com/ryanuber/columnize: 9b3edd6
• github.com/sagikazarmark/crypt: v0.1.0
• github.com/sanposhiho/wastedassign/v2: v2.0.6
• github.com/sean-/seed: e2103e2
• github.com/securego/gosec/v2: v2.9.1
• github.com/shazow/go-diff: b6b7b67
• github.com/shirou/gopsutil/v3: v3.21.10
• github.com/shurcooL/go-goon: 37c2f52
• github.com/shurcooL/go: 9e1955d
• github.com/sivchari/tenv: v1.4.7
• github.com/smartystreets/assertions: b2de0cb
• github.com/smartystreets/goconvey: v1.6.4
• github.com/soheilhy/cmux: v0.1.4
• github.com/sonatard/noctx: v0.0.1
• github.com/sourcegraph/go-diff: v0.6.1
• github.com/spaolacci/murmur3: f09979e
• github.com/spf13/cast: v1.4.1
• github.com/spf13/jwalterweatherman: v1.1.0
• github.com/spf13/viper: v1.9.0
• github.com/ssgreg/nlreturn/v2: v2.2.1
• github.com/subosito/gotenv: v1.2.0
• github.com/sylvia7788/contextcheck: v1.0.4
• github.com/td

[mtardy]

please do not as long as they don't release a new patch version: kubernetes-sigs/bom#385

[mtardy]

perfect kubernetes-sigs/bom#385 (comment)