Merge pull request #21301 from dvdksn/scout-1.15.0

scout: scout-cli v1.15.0

_vendor/github.com/docker/scout-cli/docs/docker_scout_sbom.yaml

@@ -44,6 +44,7 @@ options:
         - list: list of packages of the image
         - json: json representation of the SBOM
         - spdx: spdx representation of the SBOM
+        - cyclonedx: cyclone dx representation of the SBOM
       deprecated: false
       hidden: false
       experimental: false

_vendor/github.com/docker/scout-cli/docs/scout_cves.md

@@ -264,8 +264,8 @@ pkg:apk/alpine/zlib@1.2.12-r1?arch=aarch64&distro=alpine-3.16.1
     ...
 
 11 vulnerabilities found in 2 packages
-  LOW       0
-  MEDIUM    8
-  HIGH      2
   CRITICAL  1
+  HIGH      2
+  MEDIUM    8
+  LOW       0
 ```

_vendor/github.com/docker/scout-cli/docs/scout_sbom.md

@@ -5,13 +5,13 @@ Generate or display SBOM of an image
 
 ### Options
 
-| Name                  | Type          | Default | Description                                                                                                                                   |
-|:----------------------|:--------------|:--------|:----------------------------------------------------------------------------------------------------------------------------------------------|
-| `--format`            | `string`      | `json`  | Output format:<br>- list: list of packages of the image<br>- json: json representation of the SBOM<br>- spdx: spdx representation of the SBOM |
-| `--only-package-type` | `stringSlice` |         | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)<br>Can only be used with --format list                     |
-| `-o`, `--output`      | `string`      |         | Write the report to a file                                                                                                                    |
-| `--platform`          | `string`      |         | Platform of image to analyze                                                                                                                  |
-| `--ref`               | `string`      |         | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive                                       |
+| Name                  | Type          | Default | Description                                                                                                                                                                                         |
+|:----------------------|:--------------|:--------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--format`            | `string`      | `json`  | Output format:<br>- list: list of packages of the image<br>- json: json representation of the SBOM<br>- spdx: spdx representation of the SBOM<br>- cyclonedx: cyclone dx representation of the SBOM |
+| `--only-package-type` | `stringSlice` |         | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)<br>Can only be used with --format list                                                                           |
+| `-o`, `--output`      | `string`      |         | Write the report to a file                                                                                                                                                                          |
+| `--platform`          | `string`      |         | Platform of image to analyze                                                                                                                                                                        |
+| `--ref`               | `string`      |         | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive                                                                                             |
 
 
 <!---MARKER_GEN_END-->

_vendor/modules.txt

@@ -3,4 +3,4 @@
 # github.com/docker/buildx v0.18.0
 # github.com/docker/cli v27.3.2-0.20241008150905-cb3048fbebb1+incompatible
 # github.com/docker/compose/v2 v2.30.1
-# github.com/docker/scout-cli v1.13.0
+# github.com/docker/scout-cli v1.15.0

content/manuals/scout/release-notes/cli.md

@@ -9,6 +9,43 @@ This page contains information about the new features, improvements, known
 issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/)
 and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
 
+## 1.15.0
+
+{{< release-date date="2024-10-31" >}}
+
+### New
+
+- New `--format=cyclonedx` flag for the `docker scout sbom` to output the SBOM in CycloneDX format.
+
+### Enhancements
+
+- Use high-to-low sort order for CVE summary.
+- Support for enabling and disabling repositories that enabled by `docker scout push` or `docker scout watch`.
+
+### Bug fixes
+
+- Improve messaging when analyzing `oci` directories without attestations.
+  Only single-platform images and multi-platform image _with attestations_ are supported.
+  Multi-platform images without attestations are not supported.
+- Improve classifiers and SBOM indexer:
+  - Add classifier for Liquibase `lpm`.
+  - Add Rakudo Star/MoarVM binary classifier.
+  - Add binary classifiers for silverpeas utilities.
+- Improve reading and caching of attestations with the containerd image store.
+
+## 1.14.0
+
+{{< release-date date="2024-09-24" >}}
+
+### New
+
+- Add suppression information at the CVE level in the `docker scout cves` command.
+
+### Bug fixes
+
+- Fix listing CVEs for dangling images, for example: `local://sha256:...`
+- Fix panic when analysing a file system input, for instance with `docker scout cves fs://.`
+
 ## 1.13.0
 
 {{< release-date date="2024-08-05" >}}

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/docker/buildx v0.18.0 // indirect
 	github.com/docker/cli v27.3.2-0.20241008150905-cb3048fbebb1+incompatible // indirect
 	github.com/docker/compose/v2 v2.30.1 // indirect
-	github.com/docker/scout-cli v1.13.0 // indirect
+	github.com/docker/scout-cli v1.15.0 // indirect
 	github.com/moby/buildkit v0.17.0 // indirect
 	github.com/moby/moby v27.3.1+incompatible // indirect
 )
@@ -15,7 +15,7 @@ replace (
 	github.com/docker/buildx => github.com/docker/buildx v0.18.0
 	github.com/docker/cli => github.com/docker/cli v27.3.1+incompatible
 	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.30.1
-	github.com/docker/scout-cli => github.com/docker/scout-cli v1.13.0
+	github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0
 	github.com/moby/buildkit => github.com/moby/buildkit v0.17.0
 	github.com/moby/moby => github.com/moby/moby v27.3.1+incompatible
 )

go.sum

@@ -228,6 +228,8 @@ github.com/docker/scout-cli v1.12.0 h1:NhmT4BzL2lYiIk5hPFvK5FzQ8izbLDL3/Rugcyulv
 github.com/docker/scout-cli v1.12.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/docker/scout-cli v1.13.0 h1:RThUM56yooV5izqgMEYQS+a6Yx+vGmZofJwX0qjgkco=
 github.com/docker/scout-cli v1.13.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.15.0 h1:VhA9niVftEyZ9f5KGwKnrSfQOp2X3uIU3VbE/gTVMTM=
+github.com/docker/scout-cli v1.15.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
 github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=