Finalize capabilities section

assets/scss/_capability_tables.scss

@@ -16,7 +16,6 @@
 }
 
 .capability-table thead th {
-  box-shadow: 0 3px 6px rgba(29, 78, 216, 0.4);
   padding: 0.625rem 0.5rem;
   text-align: left;
   font-weight: 600;
@@ -366,16 +365,40 @@ svg use[href='#icon-dash'] {
   border: none !important;
 }
 
+/* Deprecated Pill - Inline with cataloger name */
+
+.deprecated-pill {
+  display: inline-block;
+  padding: 0.125rem 0.375rem;
+  margin-left: 0.5rem;
+  border-radius: 3px;
+  font-size: 0.7rem;
+  font-weight: 500;
+  text-transform: uppercase;
+  letter-spacing: 0.025em;
+  vertical-align: middle;
+
+  [data-bs-theme='light'] & {
+    background-color: #fed7aa;
+    color: #92400e;
+  }
+  [data-bs-theme='dark'] & {
+    background-color: #92400e;
+    color: #fed7aa;
+  }
+}
+
 /* Header Help Tooltips */
 
-/* Abbr element containing help icon - remove default styling and set up tooltip positioning */
+/* Abbr element wrapping column header text - set up tooltip positioning and styling */
 .header-help {
   position: relative; /* position context for custom tooltip */
-  text-decoration: none;
+  text-decoration: underline dotted;
+  text-underline-offset: 0.25em; /* move dotted line lower below text */
+  text-decoration-thickness: 1px;
   border: none;
   cursor: help;
   display: inline-block;
-  margin-left: 0.25rem;
   vertical-align: middle;
 }
 
@@ -487,18 +510,35 @@ th:first-child .header-help::before {
   transform: translateX(0);
 }
 
-/* Evidence Tooltips for Capability Icons */
+/* Cataloger Condition Indicator - Inline Gear Icon */
+
+.cataloger-condition-wrapper {
+  display: inline-block;
+  margin-left: 0.375rem;
+  vertical-align: middle;
+  position: relative;
+  cursor: help;
+}
+
+.cataloger-condition-wrapper .inline-icon {
+  width: 16px;
+  height: 16px;
+}
+
+/* Unified Tooltips for Capability Icons and Cataloger Conditions */
 
-/* Capability icon wrapper with evidence - set up tooltip positioning */
-.capability-icon-wrapper[data-evidence] {
+/* Set up tooltip positioning for capability icons and cataloger conditions */
+.capability-icon-wrapper[data-tooltip],
+.cataloger-condition-wrapper[data-tooltip] {
   position: relative;
   cursor: help;
   display: inline-block; /* needed for proper positioning */
 }
 
 /* Tooltip content */
-.capability-icon-wrapper[data-evidence]::after {
-  content: attr(data-evidence);
+.capability-icon-wrapper[data-tooltip]::after,
+.cataloger-condition-wrapper[data-tooltip]::after {
+  content: attr(data-tooltip);
   position: absolute;
   bottom: calc(100% + 8px); /* position above with gap */
   left: 50%;
@@ -544,20 +584,21 @@ th:first-child .header-help::before {
 }
 
 /* Show tooltip on hover */
-.capability-icon-wrapper[data-evidence]:hover::after {
+.capability-icon-wrapper[data-tooltip]:hover::after,
+.cataloger-condition-wrapper[data-tooltip]:hover::after {
   opacity: 1;
   visibility: visible;
 }
 
 /* Adjust positioning for tooltips in cells near right edge */
-td:nth-last-child(-n + 2) .capability-icon-wrapper[data-evidence]::after {
+td:nth-last-child(-n + 2) .capability-icon-wrapper[data-tooltip]::after {
   left: auto;
   right: 0;
   transform: translateX(0);
 }
 
 /* Adjust positioning for tooltips in cells near left edge */
-td:first-child .capability-icon-wrapper[data-evidence]::after {
+td:first-child .capability-icon-wrapper[data-tooltip]::after {
   left: 0;
   transform: translateX(0);
 }

assets/scss/_page-meta.scss

@@ -0,0 +1,31 @@
+// page metadata styling (e.g., last modified info)
+
+.td-page-meta__lastmod {
+  font-size: 0.8rem;
+  color: #6c757d; // muted grey for light mode
+  margin-top: 2rem;
+
+  a {
+    color: #6c757d; // muted grey for links
+    text-decoration: underline; // preserve underline
+
+    &:hover {
+      color: #495057; // slightly darker on hover
+    }
+  }
+}
+
+// dark mode adjustments
+[data-bs-theme='dark'] {
+  .td-page-meta__lastmod {
+    color: #adb5bd; // lighter grey for dark mode
+
+    a {
+      color: #adb5bd;
+
+      &:hover {
+        color: #ced4da; // lighter on hover
+      }
+    }
+  }
+}

assets/scss/_sidebar.scss

@@ -41,6 +41,32 @@
   }
 }
 
+// sidebar group headers for organizing menu sections
+.td-sidebar-group-header {
+  padding: 1rem 0 0.5rem 0;
+  margin-top: 0.75rem;
+  font-size: 0.75rem;
+  font-weight: 600;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+  pointer-events: none;
+  list-style: none;
+
+  [data-bs-theme='light'] & {
+    color: $syft-purple-blue;
+    border-top: 1px solid rgba(0, 0, 0, 0.08);
+  }
+  [data-bs-theme='dark'] & {
+    color: $syft-purple-blue;
+    border-top: 1px solid rgba(255, 255, 255, 0.12);
+  }
+
+  &:first-child {
+    margin-top: 0;
+    border-top: none;
+  }
+}
+
 // improved sidebar spacing and typography
 .td-sidebar {
   .td-sidebar-nav {

assets/scss/_styles_project.scss

@@ -18,6 +18,7 @@
 @import 'navbar';
 @import 'sidebar';
 @import 'page-actions';
+@import 'page-meta';
 
 // Feature-specific styles
 @import 'landing/landing';

content/_index.html

@@ -45,7 +45,7 @@ <h3>Syft</h3>
                 Get Started
                 <i class="fas fa-arrow-right"></i>
               </a>
-              <a class="btn btn-secondary" href="/docs/releases/syft/"> Releases </a>
+              <a class="btn btn-secondary" href="https://github.com/anchore/syft/releases"> Releases </a>
             </div>
           </div>
         </div>
@@ -66,7 +66,7 @@ <h3>Grype</h3>
                 Get Started
                 <i class="fas fa-arrow-right"></i>
               </a>
-              <a class="btn btn-secondary" href="/docs/releases/grype/"> Releases </a>
+              <a class="btn btn-secondary" href="https://github.com/anchore/grype/releases"> Releases </a>
             </div>
           </div>
         </div>
@@ -90,7 +90,7 @@ <h3>Grant</h3>
                 Get Started
                 <i class="fas fa-arrow-right"></i>
               </a>
-              <a class="btn btn-secondary" href="/docs/releases/grant/"> Releases </a>
+              <a class="btn btn-secondary" href="https://github.com/anchore/grant/releases"> Releases </a>
             </div>
           </div>
         </div>

content/docs/capabilities/alpm.md

@@ -3,6 +3,7 @@ title = "ALPM"
 description = "ALPM package format used by Arch-based Linux distributions"
 weight = 10
 type = "docs"
+menu_group = "os"
 [params]
 sidebar_badge = "arch"
 +++

content/docs/capabilities/apk.md

@@ -3,6 +3,7 @@ title = "APK"
 description = "APK package format analysis and vulnerability scanning capabilities"
 weight = 20
 type = "docs"
+menu_group = "os"
 [params]
 sidebar_badge = "alpine+"
 +++
@@ -19,7 +20,7 @@ sidebar_badge = "alpine+"
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/apk/os.md" >}}
 
-The APK vulnerability database (a.k.a. "SecDB") includes data from the Alpine Security Tracker, which provides detailed information on vulnerabilities affecting Alpine Linux packages.
+The APK vulnerability database (a.k.a. "SecDB") includes data from the Alpine Security Tracker, which provides fix information for known vulnerabilities that affect Alpine Linux packages.
 This database only includes vulnerabilities that have fixes available and does not track unfixed vulnerabilities.
 The maintainers of the SecDB intend for the primary source of truth for disclosures to be the [National Vulnerability Database](https://nvd.nist.gov/developers/vulnerabilities) (NVD).
 

content/docs/capabilities/binary.md

@@ -3,12 +3,71 @@ title = "Binary"
 description = "Binary package analysis and vulnerability scanning capabilities"
 weight = 30
 type = "docs"
+menu_group = "other"
 +++
 
+## File analysis
+
+Within the `.files[].executable` sections of the Syft JSON there is an analysis of what features and claims were found within a binary file.
+
+This includes:
+
+- Imported libraries (shared libraries)
+- Exported symbols
+- Security features (like NX, PIE, RELRO, etc)
+
+Security features that can be detected include:
+
+- if debugging symbols have been stripped
+- presence of _Stack Canaries_ to protect against stack smashing (which lead to buffer overflows)
+- _NoExecute_ (NX) bit support to prevent execution of code on the stack or heap
+- _Relocation Read-Only_ (RelRO) to protect the Global Offset Table (GOT) from being overwritten (can be "partial" or "full")
+- _Position Independent Executable_ (PIE) support such that offsets are used instead of absolute addresses
+- if it is a _Dynamic Shared Object_ (DSO) (not a security feature, but important for analysis)
+- [LLVM SafeStack](https://clang.llvm.org/docs/SafeStack.html) partitioning is in use, which separates unsafe stack objects from safe stack objects to mitigate stack-based memory corruption vulnerabilities
+- [LLVM Control Flow Integrity](https://clang.llvm.org/docs/ControlFlowIntegrity.html) (CFI) is in use, which adds runtime checks to ensure that indirect function calls only target valid functions, helping to prevent control-flow hijacking attacks
+- [Clang Fortified Builds](https://clang.llvm.org/docs/ClangFortifyBuild.html) is enabled, which adds additional runtime checks for certain standard library functions to detect buffer overflows and other memory errors
+
+When it comes to shared library requirement claims and exported symbol claims, these are used by Syft to:
+
+- associate file-to-file relationships (in the case of executables/shared libraries being distributed without a package manager)
+- associate file-to-package relationships (when an executable imports a shared library that is managed by a package manager)
+
+Say that all package manager information has been stripped from a container image, leaving behind a collection of binary files (some of which may be executables or shared libraries).
+In this case Syft can still synthesize a dependency graph from the imported libraries and exported symbols found within the binaries, allowing for a more complete SBOM to be generated.
+In a mixed case, where there are some packages managed by package managers and some binaries without package manager metadata, Syft can still use the binary analysis to fill in the gaps.
+Package-level relationships are preferred over file-level relationships when both are available, which simplifies the dependency graph.
+
 ## Package analysis
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/binary/package.md" >}}
 
+{{< readfile file="/content/docs/capabilities/snippets/ecosystem/binary/binary-package-details.md" >}}
+
+### ELF package notes
+
+Syft is capable of looking at ELF formatted binaries, specifically the `.note.package` note, that are formatted using the [convention established by the systemd project](https://systemd.io/PACKAGE_METADATA_FOR_EXECUTABLE_FILES/).
+This spec requires a PE/COFF section that wraps a json payload describing the package metadata for the binary, however, syft does not require the PE/COFF wrapping and can extract the json payload directly from the ELF note.
+
+Here's an example of what the json payload looks like:
+
+```json
+{
+  "name": "my-application",
+  "version": "1.2.3",
+  "purl": "pkg:deb/debian/my-application@1.2.3?arch=amd64&distro=debian-12",
+  "cpe": "cpe:2.3:a:vendor:my-application:1.2.3:*:*:*:*:*:*:*",
+  "license": "Apache-2.0",
+  "type": "deb"
+}
+```
+
+Which, if stored in `payload.json`, can be injected into an existing ELF binary using the following command:
+
+```bash
+objcopy --add-section .note.package=payload.json --set-section-flags .note.package=noload,readonly
+```
+
 ## Vulnerability scanning
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/binary/vulnerability.md" >}}

content/docs/capabilities/bitnami.md

@@ -3,12 +3,19 @@ title = "Bitnami"
 description = "Bitnami package analysis and vulnerability scanning capabilities"
 weight = 40
 type = "docs"
+menu_group = "other"
 +++
 
 ## Package analysis
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/bitnami/package.md" >}}
 
+Since all package data is gathered from SPDX SBOMs, the quality of the package analysis is dependent on the quality of the provided SBOMs.
+
+## Vulnerability scanning
+
+{{< readfile file="/content/docs/capabilities/snippets/ecosystem/bitnami/vulnerability.md" >}}
+
 ## Next steps
 
 - [Syft package analysis]({{< ref "docs/guides/sbom" >}})

content/docs/capabilities/conda.md

@@ -3,6 +3,7 @@ title = "Conda"
 description = "Conda package analysis and vulnerability scanning capabilities"
 weight = 50
 type = "docs"
+menu_group = "language"
 +++
 
 ## Package analysis

content/docs/capabilities/cpp.md

@@ -3,12 +3,15 @@ title = "C/C++"
 description = "C/C++ package analysis and vulnerability scanning capabilities"
 weight = 60
 type = "docs"
+menu_group = "language"
 +++
 
 ## Package analysis
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/c++/package.md" >}}
 
+We support package detection for [v1](https://docs.conan.io/1/versioning/lockfiles.html#lockfiles) and [v2](https://docs.conan.io/2/tutorial/versioning/lockfiles.html) formatted `conan.lock` files.
+
 ## Vulnerability scanning
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/c++/vulnerability.md" >}}

content/docs/capabilities/dart.md

@@ -3,6 +3,7 @@ title = "Dart"
 description = "Dart package analysis and vulnerability scanning capabilities"
 weight = 70
 type = "docs"
+menu_group = "language"
 +++
 
 ## Package analysis

content/docs/capabilities/dotnet.md

@@ -3,6 +3,7 @@ title = ".NET"
 description = ".NET package analysis and vulnerability scanning capabilities"
 weight = 90
 type = "docs"
+menu_group = "language"
 +++
 
 ## Package analysis
@@ -11,6 +12,9 @@ type = "docs"
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/dotnet/syft-app-config.md" >}}
 
+When scanning a .NET application evidence from deps.json (compiler output) as well as any built binaries are used together to identify packages.
+This way we can enrich missing data from any one source and synthesize a more complete and accurate package graph.
+
 ## Vulnerability scanning
 
 {{< readfile file="/content/docs/capabilities/snippets/ecosystem/dotnet/vulnerability.md" >}}