Bump advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.1.2

[dependabot]

Bumps advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.1.2.

Release notes

Sourced from advanced-security/spdx-dependency-submission-action's releases.

v0.1.2 - features and maintenance release

What's Changed

• Update CODEOWNERS to DG team by @​jhutchings1 in advanced-security/spdx-dependency-submission-action#49
• Update CODEOWNERS by @​GeekMasher in advanced-security/spdx-dependency-submission-action#54
• deps: bump actions/setup-node from 4.0.2 to 4.2.0 in the production-dependencies group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#69
• feat: Update dependabot.yml by @​GeekMasher in advanced-security/spdx-dependency-submission-action#55
• feat: Add support for running inside a matrix by overriding the default correlator identifier by @​felickz in advanced-security/spdx-dependency-submission-action#50
• deps: bump actions/setup-node from 4.2.0 to 4.3.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#71
• deps: bump actions/setup-node from 4.3.0 to 4.4.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#72
• Update README.md to use v4 for checkout and upload-artifact by @​CallMeGreg in advanced-security/spdx-dependency-submission-action#73
• conditional test - do not run on PR from fork by @​felickz in advanced-security/spdx-dependency-submission-action#74
• Bump the npm_and_yarn group across 1 directory with 5 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#77
• deps: bump actions/checkout from 4 to 5 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#79
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#78
• chore: bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#86
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#76
• chore: bump glob from 10.4.5 to 10.5.0 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#87
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#85
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#89
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#82
• Fix for "workflow does not contain permissions", plus updated dist and fixed test failure with lazy loading of submission toolkit by @​aegilops in advanced-security/spdx-dependency-submission-action#90
• deps: bump @​actions/core from 1.11.1 to 2.0.1 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#92

New Contributors

• @​felickz made their first contribution in advanced-security/spdx-dependency-submission-action#50
• @​CallMeGreg made their first contribution in advanced-security/spdx-dependency-submission-action#73
• @​aegilops made their first contribution in advanced-security/spdx-dependency-submission-action#90

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.1...v0.1.2

v0.1.1

What's Changed

• Hotfix for PURL issues by @​GeekMasher in advanced-security/spdx-dependency-submission-action#42

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.0...v0.1.1

v0.1.0

What's Changed

• Bump eslint from 8.34.0 to 8.40.0 by @​dependabot in advanced-security/spdx-dependency-submission-action#11
• feat: Update dependabot.yml by @​GeekMasher in advanced-security/spdx-dependency-submission-action#27
• deps: bump the production-dependencies group with 4 updates by @​dependabot in advanced-security/spdx-dependency-submission-action#28
• v0.1.0 by @​GeekMasher in advanced-security/spdx-dependency-submission-action#38

New Contributors

• @​dependabot made their first contribution in advanced-security/spdx-dependency-submission-action#11
• @​GeekMasher made their first contribution in advanced-security/spdx-dependency-submission-action#27

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.0.1...v0.1.0

Commits

• f957edb Update dist
• 03c6e8e Merge branch 'main' of https://github.com/advanced-security/spdx-dependency-s...
• 03a975c deps: bump @​actions/core in the production-dependencies group
• 58d0f52 Lazy loading submission toolkit to avoid Jest testing errors, loaded dist wit...
• ed5417e Potential fix for code scanning alert no. 5: Workflow does not contain permis...
• 20d17f1 Potential fix for code scanning alert no. 5: Workflow does not contain permis...
• 6d39860 chore: bump the development-dependencies group across 1 directory with 3 updates
• d9fb4fc deps: Bump the production-dependencies group across 1 directory with 2 updates
• 408d49e deps: bump the production-dependencies group across 1 directory with 3 updates
• 5d54a8d chore: bump glob in the npm_and_yarn group across 1 directory
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/advanced-security/spdx-dependency-submission-action	169d22427d74f3faf93504e70b03eede8dab272a	🟢 6.6	Details Check Score Reason Maintained 🟢 10 23 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 6 Found 3/5 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/sbom-generate-submit.yml

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)

• .github/workflows/sbom-generate-submit.yml

Overview:
The PR updates the spdx-dependency-submission-action from version v0.0.1 to v0.2.0 in the SBOM generation and submission workflow. This is a straightforward dependency update to use a newer version of the GitHub Action, which likely includes bug fixes and improvements.

[dependabot]

Superseded by #520.