Search code, repositories, users, issues, pull requests...

Additional Changes

bump to syft v0.98.0 in quality gate tests [#1623 @westonsteimel]
update syft to v0.98.0; go mod tidy [#1621 @spiffcs]

Bug Fixes

Vulnerabilities in go packages without go modules are not detected [#1581 #1599 @willmurphyscode]

`v0.73.1`

Bug Fixes

CycloneDX based analysis failing [#1594 #1596 @anchore-actions-token-generator]
False negatives when scanning debian trixie/sid images from Dockerhub [#1446 #1593 @willmurphyscode]

Additional Changes

avoid allocations with (*regexp.Regexp).MatchString [#1592 @Juneezee]

`v0.73.0`

Added Features

Add a reason field to ignore config [#1337 #1532 @shanduur]
Colorize severity in table output [#225 #1284 @shanedell]

Bug Fixes

Enable setting golang CPE config using env var [#1585 @willmurphyscode]
Incorrect version comparisons for maven packages [#1526 #1571 @spiffcs]
Grype fails to detect postgresql jdbc driver CVEs when scanning .jar [#1482]

Additional Changes

Incorporate format API changes from syft [#1582 @wagoodman]

`v0.72.0`

Added Features

Add --ignore-states flag for ignoring findings with specific fix states [#1473 @jhebden-gl]
Implement checksum & artifact signing [#1513 #1535 @hibare]

Bug Fixes

Report errors to stderr not stdout [#1561 @wagoodman]
grype v0.71.0 stopped showing vulnerabilities for Go stdlib [#1562 #1565 @wagoodman]
SARIF output not compatible with GitHub [#1518 #1563 @spiffcs]

`v0.71.0`

Added Features

use ghsa to improve matching for cpes [#811 #1412 @westonsteimel]

`v0.70.0`

Added Features

Update Syft to v0.93.0 + enable golang stdlib matching [#1550 @spiffcs ]

Bug Fixes

JSON output: descriptor name is missing "grype" value [#1538 #1542 @kzantow]

`v0.69.1`

Bug Fixes

Incorrect python version comparisons for rc releases [#986 #1510 @willmurphyscode]
False Positive: CVE-2023-37920 reported for certifi library in python [#1417 #1510 @willmurphyscode]
Grype is not recognizing python-certifi is patched for GHSA-43fp-rhv2-5gv8 [#1172 #1510 @willmurphyscode]
False positive on certifi 2022.12.07 [#1034 #1510 @willmurphyscode]
Leading zeros seen as difference in version numbers [#1430 #1510 @willmurphyscode]

Additional Changes

add OpenSSF Best Practices badge [#1523 @spiffcs]
Bump vulnerability match labels [#1525 @wagoodman]
bump stereoscope to fix data race in UI [#1517 @willmurphyscode]

`v0.69.0`

Added Features

Upgrade syft to v0.91.0 (and CycloneDX to v1.5) [#1508 @wagoodman]

Bug Fixes

Grype doesn't exit cleanly on error [#1492 #1505 @kzantow]

Additional Changes

Fix typo in flag on Readme [#1501 @robszumski]
pin cache versions [#1495 @spiffcs]

`v0.68.1`

v0.68.1 (2023-09-15)

Bug Fixes

Version output was not including supported db schema [PR #1494] [kzantow]

`v0.68.0`

v0.68.0 (2023-09-14)

Added Features

Ignore/add match results based on OpenVEX documents [PR #1397] [puerco]
Introduce exit code failure option for db update check [PR #1463] [devfbe]

Bug Fixes

Fix race conditions around stager, enable detector [PR #1489] [willmurphyscode]
Grype hangs forever if gets interrupted during work (in rare cases) [Issue #1427] [PR #1437] [kzantow]

`v0.67.0`

v0.67.0 (2023-09-11)

Additional Changes

chore: bump quality gate to use syft v0.89.0 [PR #1479] [westonsteimel]
chore: update grype to use Go v1.21 [PR #1480] [spiffcs]

`v0.66.0`

v0.66.0 (2023-08-31)

Added Features

Allow for access to private CAs securely [Issue #1226] [PR #1232] [5p2O5pe25ouT]
Filter out packages that are owned by OS packages (ownership overlap) [Issue #1373] [PR #1387] [willmurphyscode]

Bug Fixes

fix: Only remove packages by binary overlap [PR #1444] [willmurphyscode]
New version notice only showing the version and no text [PR #1445] [wagoodman]
fix: set correct default to exclude overlapping binaries [PR #1452] [kzantow]
Portage version comparison is not working [Issue #1459] [PR #1468] [barnuri]

Additional Changes

Update Syft to 0.89.0

`v0.65.2`

v0.65.2 (2023-08-17)

Additional Changes

Update Syft to v0.87.1
Add a simple JUnit XML template [PR #1422] [YevheniiPokhvalii]
Update semver regular expression constraint to allow for 1.20rc1 cases no '-' [PR #1434] [spiffcs]

anchore/quill (anchore/quill)

`v0.4.1`

Changelog

v0.4.1 (2023-08-25)

Bug Fixes

Quill notarization failed [Issue #118] [PR #119] [wagoodman]

Additional Changes

Port to clio [PR #53] [wagoodman]
chore: update to latest clio [PR #98] [kzantow]

anchore/syft (anchore/syft)

`v0.98.0`

Added Features

Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
Enhance redis binary classifier to support additional versions [#2329 @whalelines]
Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]

Bug Fixes

Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
hardcode xalan group ID [#2368 @willmurphyscode]
logging level for parsing potential PE files [#2367 @kzantow]
Use read lock in pkg.Collection [#2341 @wagoodman]
add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
syft some-jar.jar fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]
Default for recently added base path, "", disables detection of symlinked *.jar files [#1962 #2359 @willmurphyscode]
syft attest broken since 0.85.0 [#2333 #2337 @wagoodman]
Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]

Breaking Changes

Remove power-user command and related catalogers [#1419 #2306 @wagoodman]

Additional Changes

Normalize cataloger configuration patterns [#2365 @wagoodman]
Normalize enums to lowercase with hyphens [#2363 @wagoodman]

Special Thanks

Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍

`v0.97.1`

Bug Fixes

Syft does not use HTTP proxy when downloading the Docker image itself [#2203 #2336 @anchore-actions-token-generator]

Additional Changes

syft version report is broken with 0.97.0 release [#2334 #2335 @spiffcs]

`v0.97.0`

Added Features

Add license for golang stdlib package [#2317 @coheigea]
Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]

Bug Fixes

Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#2313 @coheigea]
capture content written to stdout outside of report [#2324 @kzantow]
add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
cataloger dpkg-db-cataloger not working [#2323]

Breaking Changes

Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]

Additional Changes

Export syft-json format package metadata type helper [#2328 @wagoodman]
Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]

`v0.96.0`

Added Features

Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
store image annotations inside the SBOM [#2267 #2294 @noqcks]
Support parsing license information in Maven projects via parent poms [#2103]

Bug Fixes

SPDX file has duplicate sha256 tag in versionInfo [#2300 @coheigea]
Report virtual path consistently between file.Resolvers [#1836 #2287 @wagoodman]
Unable to identify CycloneDX JSON documents without $schema property [#2299 #2303 @kzantow]

`v0.95.0`

Added Features

Use case-insensitive matching for Go license files [#2286 @miquella]
Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
Perform case insensitive matching on Java License files [#2235 @coheigea]
Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
Add PURLs when scanning Gradle lock files [#2278 @robbiev]

Bug Fixes

Fix CPE index workflow [#2252 @wagoodman]
Fix cpe generation task [#2270 @willmurphyscode]
Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
.NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
Fix directory resolver to always return virtual path [#2259 @wagoodman]
Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]

Breaking Changes

Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]

Additional Changes

Upgrade tool management [#2188 @wagoodman]
Fix homebrew post-release workflow [#2242 @wagoodman]

`v0.94.0`

Added Features

Add additional license filenames [#2227 @coheigea]
Parse donet dependency trees [#2143 @noqcks]
Find license by embedded license text [#2147 #2213 @coheigea]
Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]

Bug Fixes

Report errors to stderr not stdout [#2232 @wagoodman]
Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
Java archive is listed twice [#2130 #2220 @wagoodman]
Java archives not from Maven [#2217 #2220 @wagoodman]
Remove internal.StringSet [#2209 #2219 @wagoodman]
Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]

`v0.93.0`

Added Features

Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]

Bug Fixes

Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]

Additional Changes

Refine the docs for building a cataloger [#2175 @wagoodman]
update license list to 3.22 [#2201 @spiffcs]
Add exact syntax of the conversion formats [#2196 @vargenau]

`v0.92.0`

Added Features

Support for multiple image refs of same sha in OCI layout [#1544]

Bug Fixes

Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]

Additional Changes

bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]

`v0.91.0`

Added Features

Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
Add support for containerd as an image source [#201 #1793 @shanedell]
Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]

Bug Fixes

Allow CycloneDX json input with no components [#2127 @ahoz]
Prevent errors from clobbering terminal [#2161 @kzantow]
Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
SBOMs are not the same on multiple runs of syft [#1944]

Additional Changes

Switch to stdlib's slices pkg [#2148 @hainenber]
Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
Update chronicle to v0.8.0 [#2154 @wagoodman]
Update to latest stereoscope [#2151 @spiffcs]
Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
Add dependency information to conan lockfile parser [#2131 @Pro]
Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
Enforce race detector [#2122 @willmurphyscode]

`v0.90.0`

v0.90.0 (2023-09-11)

Added Features

Expose cobra command in cli package [PR #2097] [wagoodman]
Explicitly test PURL generation against key packages [Issue #2071]
Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]

Bug Fixes

fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]

Additional Changes

Bump the golang.org/x/exp dependency and fix a build breakage. [PR #2088] [dlorenc]
fix: update codeql-analysis for go 1.21 [PR #2108] [spiffcs]

`v0.89.0`

v0.89.0 (2023-08-31)

Added Features

Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]

Bug Fixes

Fix quiet flag [PR #2081] [wagoodman]
Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
Config parsing includes config.yaml in working dir [Issue #1634] [PR #2001] [kzantow]
Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]

`v0.88.0`

v0.88.0 (2023-08-25)

Added Features

Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]

Bug Fixes

fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
New version notice only showing the version and no text [PR #2042] [wagoodman]
Fix: don't validate pom declared group [PR #2054] [willmurphyscode]
Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]

`v0.87.1`

v0.87.1 (2023-08-17)

Bug Fixes

Use Java package names to determine known groupIDs [PR #2032] [kzantow]
Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]

charmbracelet/gum (charmbracelet/gum)

`v0.13.0`

Changelog

New Features

Add --select-if-one flag to gum choose and gum filter.

> gum choose --select-if-one "option"
> option

fb6849c: --select-if-one flag to choose/filter. (#398) (@kennyp)

Bug fixes

5c65944: (fix): ShowOutput flag displays in realtime (#405) (@hopefulTex)

Verifying the artifacts

First, download the checksums.txt file, for example, with wget:

wget 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt'

Then, verify it using cosign:

cosign verify-blob \
  --certificate-identity 'https://github.com/charmbracelet/meta/.github/workflows/goreleaser.yml@refs/heads/main' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --cert 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt.pem' \
  --signature 'https://github.com/charmbracelet/gum/releases/download/v0.13.0/checksums.txt.sig' \
  ./checksums.txt

If the output is Verified OK, you can safely use it to verify the checksums of other artifacts you downloaded from the release using sha256sum:

sha256sum --ignore-missing -c checksums.txt

Done! You artifacts are now verified!

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

`v0.12.0`

Gum Log 🪵

Version 0.12.0 of gum features a brand new log command. Gum log logs messages to the terminal at using different levels and styling using the charmbracelet/log library.

To get started, simply run:

gum log

### Log some debug information.
gum log --structured --level debug "Creating file..." name file.txt

### DEBUG Unable to create file. name=temp.txt
### Log some error.
gum log --structured --level error "Unable to create file." name file.txt

### ERROR Unable to create file. name=temp.txt

See charmbracelet/log for more usage.

Running gum log with debug and error levels

What's Changed

Pretty Table Print by @maaslalani in https://github.com/charmbracelet/gum/pull/436
Log command by @aymanbagabas in https://github.com/charmbracelet/gum/pull/449
Avoid reading from stdin if --value is being used by @piero-vic in https://github.com/charmbracelet/gum/pull/448
Made filter work with lists as choose by @MikaelFangel in https://github.com/charmbracelet/gum/pull/424

New Contributors

@cglong made their first contribution in https://github.com/charmbracelet/gum/pull/401
@docwhat made their first contribution in https://github.com/charmbracelet/gum/pull/433
@piero-vic made their first contribution in https://github.com/charmbracelet/gum/pull/448

Full Changelog: charmbracelet/gum@v0.11.0...v0.12.0

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or on Discord.

charmbracelet/vhs (charmbracelet/vhs)

`v0.7.1`

Freeze Frame ❄️ 📸

With VHS v0.7.0, you can capture the any moment during tape execution. Just add in Screenshot <filename>.png to your tapes:

Type ls
Enter

### Capture the output of 'ls'
Screenshot files.png

### Now, continue as you normally would
Type 'cd ..'
Enter

Your tape outputs a GIF, and outputs a file named files.png.

Copy-Paste Functionality!

VHS can now talk to your system clipboard. Please keep this in mind when executing tapes from unknown sources.

[!WARNING]
You should never curl pipe into VHS, it's similar to executing a bash script on your computer!

Copy "https://github.com/charmbracelet/huh"

Type 'curl '

Paste

Enter

New Modifiers + Keys Alert!

VHS v0.7.0 has some new additions: introducing the top level Shift+ modifier and the Insert + Delete keys!

### Shift things up a bit!
Shift+A
Shift+Tab
Shift+Enter

### Insert and delete to your hearts desire:
Insert
Delete

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or Discord.

`v0.7.0`

Freeze Frame ❄️ 📸

With VHS v0.7.0, you can capture the any moment during tape execution. Just add in Screenshot <filename>.png to your tapes:

Type ls
Enter

### Capture the output of 'ls'
Screenshot files.png

### Now, continue as you normally would
Type 'cd ..'
Enter

Your tape outputs a GIF, and outputs a file named files.png.

Copy-Paste Functionality!

VHS can now talk to your system clipboard. Please keep this in mind when executing tapes from unknown sources.

[!WARNING]
You should never curl pipe into VHS, it's similar to executing a bash script on your computer!

Copy "https://github.com/charmbracelet/huh"

Type 'curl '

Paste

Enter

New Modifiers + Keys Alert!

VHS v0.7.0 has some new additions: introducing the top level Shift+ modifier and the Insert + Delete keys!

### Shift things up a bit!
Shift+A
Shift+Tab
Shift+Enter

### Insert and delete to your hearts desire:
Insert
Delete

Thoughts? Questions? We love hearing from you. Feel free to reach out on Twitter, The Fediverse, or Discord.

direnv/direnv (direnv/direnv)

`v2.33.0`

doc: add a Nushell section to hook.md by @amtoine in https://github.com/direnv/direnv/pull/1175
- doc: fix broken links in installation.md by @just1602 in https://github.com/direnv/direnv/pull/1110
- doc: show how to run tests by @bukzor-sentryio in https://github.com/direnv/direnv/pull/1137
- doc: update NixOS installation instructions by @Gerg-L in https://github.com/direnv/direnv/pull/1172
- doc: update direnv.toml.1.md by @Ativerc in https://github.com/direnv/direnv/pull/1099
- feat: direnv status --json by @shivaraj-bh in https://github.com/direnv/direnv/pull/1142
- feat: add PowerShell Support by @bamsammich in https://github.com/direnv/direnv/pull/1171
- feat: add mergify configuration by @Mic92 in https://github.com/direnv/direnv/pull/1147
- feat: add support for armv7l platform in install.sh by @ardje in https://github.com/direnv/direnv/pull/1162
- feat: add watch print command by @Mic92 in https://github.com/direnv/direnv/pull/1198
- feat: alias direnv disallow to deny by @will in https://github.com/direnv/direnv/pull/1182
- feat: stdlib: create CACHEDIR.TAG inside .direnv by @Mic92 in https://github.com/direnv/direnv/pull/1148
- fix: allowPath for LoadedRC by @shivaraj-bh in https://github.com/direnv/direnv/pull/1157
- fix: don't prompt to allow if user explicitly denied by @Gabriella439 in https://github.com/direnv/direnv/pull/1158
- fix: man/direnv-stdlib: fix obsolete opam-env example by @mzacho in https://github.com/direnv/direnv/pull/1170
- fix: print correct path in source_env log message by @wentasah in https://github.com/direnv/direnv/pull/1144
- fix: quote tcsh $PATH, to avoid failure on whitespace by @bukzor-sentryio in https://github.com/direnv/direnv/pull/1139
- fix: remove redundant nil check in CommandsDispatch by @Juneezee in https://github.com/direnv/direnv/pull/1166
- fix: update nixpkgs and shellcheck by @Mic92 in https://github.com/direnv/direnv/pull/1146

golang/go (golang/go)

`v1.21.5`

`v1.21.4`

`v1.21.3`

`v1.21.2`

`v1.21.1`

goreleaser/goreleaser (goreleaser/goreleaser)

`v1.22.1`