Releases: docker/scout-cli
Releases · docker/scout-cli
v1.8.0
Bug Fixes / Improvements
- Improve format of EPSS score and percentile
- Before:
EPSS Score : 0.000440 EPSS Percentile : 0.092510
- After:
EPSS Score : 0.04% EPSS Percentile : 9th percentile
- Before:
- Fix
cves
command when used to analyse a local file system with a markdown output. See #113
Contributors
v1.7.0
Highlights
docker scout push
command: index an image then push the resulting SBOM to Docker Scout
Bug Fixes / Improvements
- Fix adding attestation (like vex statements) to a private image
- fix image processing for
scratch
"images" docker scout sbom://
can read Scout's SBOM$ docker scout sbom IMAGE | docker scout qv sbom://
- Add classifier for Joomla
Contributors
v1.6.4
v1.6.3
v1.6.2
Highlights
- EPSS data are now fetch backend side so the CLI doesn't need anymore to fetch them locally.
In comparison tov1.6.0
--epss-date
parameter has been removed anddocker scout cache prune --epss
has been removed.
Bug Fixes / Improvements
- fix an issue when rendering markdown output using
sbom://
prefix
Contributors
v1.6.0
Highlights
- Add support for passing in SBOM files in SDPX or in-toto SDPX format
$ docker scout cves sbom://path/to/sbom.spdx.json
- Add support for SBOM files in syft-json format
$ docker scout cves sbom://path/to/sbom.syft.json
- Reads sbom files from the standard input
$ syft -o json alpine | docker scout cves sbom://
- Prioritise CVEs by EPSS score
--epss
to display and prioritise the CVEs--epss-score
and--epss-percentile
to filter by score and percentile- prune cached EPSS files with
$ docker scout cache prune --epss
- Use Windows cache from WSL2
When inside WSL2 with Docker Desktop running, thedocker scout
CLI will now use the cache from Windows side. That way if an image has been indexed for instance by Docker Desktop there's no need anymore to re-index it on WSL2 side. - Indexing using the CLI is now blocked if it has been disabled using Settings Management feature
Bug Fixes / Improvements
- Fix panic when indexing single image
oci-dir
input - Improve local attestation support with the
containerd
image store
Contributors
v1.5.2
General bug fixes and performance improvements
v1.5.1
v1.5.0
Highlights
- Cache SBOM and attestations using the image index digest if exists
- Add file hashes/digest when generating SBOMs
- Upgrade
syft
to 0.105.0 - Process OpenVEX document before attaching to image to move subcomponents into product, product into subject
- Support local attestations from a containerd image store or OCI export
Bug fixes / Improvements
- fix reading SBOM for
gcr.io/distroless
images - read distribution in SBOM from attestations
- fix
docker scout push
with an image reference containing a prefix likeregistry://
v1.4.1
These notes include changes part of v1.4.0
Highlights
- Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
- Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
- Support cosign SBOM attestations
- Support for VEX in-toto attestations
Bug fixes / Improvements
- Fix order and case of details column headers in the policy deviation details tables
- Fix platform detection when an image index contains
linux/arm64/v8
but the local platform is onlylinux/arm64
- Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
Affectsquickview
andrecommendations
commands - Fix panic when an SBOM contains no packages
Especially when usingdocker scout
to analyse local file system, for instance usingdocker scout cves fs://.
- Bump Syft to 0.103.1 to fix golang Purl with subpath
- Add support for subpaths in PURLs
For instance an image containing both packagesgithub.com/gofiber/template
andgithub.com/gofiber/template/django/v3
, previously the two packages were visible under the samegithub.com/gofiber/template
name. Now both of them are correctly identified - Remove query strings from title in rendered hyperlinks