Releases: anchore/syft
Releases · anchore/syft
v0.98.0
Added Features
- Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
- Enhance redis binary classifier to support additional versions [#2329 @whalelines]
- Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]
Bug Fixes
- Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
- hardcode xalan group ID [#2368 @willmurphyscode]
- logging level for parsing potential PE files [#2367 @kzantow]
- Use read lock in
pkg.Collection
[#2341 @wagoodman] - add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
- add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
- errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
syft some-jar.jar
fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]- Default for recently added base path,
""
, disables detection of symlinked*.jar
files [#1962 #2359 @willmurphyscode] syft attest
broken since 0.85.0 [#2333 #2337 @wagoodman]- Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]
Breaking Changes
- Remove power-user command and related catalogers [#1419 #2306 @wagoodman]
Additional Changes
- Normalize cataloger configuration patterns [#2365 @wagoodman]
- Normalize enums to lowercase with hyphens [#2363 @wagoodman]
Special Thanks
Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍
v0.97.1
v0.97.0
Added Features
- Add license for golang stdlib package [#2317 @coheigea]
- Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]
Bug Fixes
- Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#2313 @coheigea]
- capture content written to stdout outside of report [#2324 @kzantow]
- add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
- skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
- cataloger
dpkg-db-cataloger
not working [#2323]
Breaking Changes
- Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]
Additional Changes
- Export syft-json format package metadata type helper [#2328 @wagoodman]
- Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]
v0.96.0
Added Features
- Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
- store image annotations inside the SBOM [#2267 #2294 @noqcks]
- Support parsing license information in Maven projects via parent poms [#2103]
Bug Fixes
v0.95.0
Added Features
- Use case-insensitive matching for Go license files [#2286 @miquella]
- Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
- Perform case insensitive matching on Java License files [#2235 @coheigea]
- Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
- Add PURLs when scanning Gradle lock files [#2278 @robbiev]
Bug Fixes
- Fix CPE index workflow [#2252 @wagoodman]
- Fix cpe generation task [#2270 @willmurphyscode]
- Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
- .NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
- Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
- SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
- Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
- Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
- Fix directory resolver to always return virtual path [#2259 @wagoodman]
- Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]
Breaking Changes
- Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
- Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
- Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
- Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]
Additional Changes
- Upgrade tool management [#2188 @wagoodman]
- Fix homebrew post-release workflow [#2242 @wagoodman]
v0.94.0
Added Features
- Add additional license filenames [#2227 @coheigea]
- Parse donet dependency trees [#2143 @noqcks]
- Find license by embedded license text [#2147 #2213 @coheigea]
- Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]
Bug Fixes
- Report errors to stderr not stdout [#2232 @wagoodman]
- Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
- Java archive is listed twice [#2130 #2220 @wagoodman]
- Java archives not from Maven [#2217 #2220 @wagoodman]
- Remove internal.StringSet [#2209 #2219 @wagoodman]
- Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]
v0.93.0
Added Features
- Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
- Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
- Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]
Bug Fixes
- Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]
Additional Changes
v0.92.0
Added Features
- Support for multiple image refs of same sha in OCI layout [#1544]
Bug Fixes
- Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]
Additional Changes
- bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]
v0.91.0
Added Features
- Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
- Add support for containerd as an image source [#201 #1793 @shanedell]
- Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]
Bug Fixes
- Allow CycloneDX json input with no components [#2127 @ahoz]
- Prevent errors from clobbering terminal [#2161 @kzantow]
- Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
- SBOMs are not the same on multiple runs of syft [#1944]
Additional Changes
- Switch to stdlib's slices pkg [#2148 @hainenber]
- Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
- Update chronicle to v0.8.0 [#2154 @wagoodman]
- Update to latest stereoscope [#2151 @spiffcs]
- Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
- Add dependency information to conan lockfile parser [#2131 @Pro]
- Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
- Enforce race detector [#2122 @willmurphyscode]
v0.90.0
v0.90.0 (2023-09-11)
Added Features
- Expose cobra command in cli package [PR #2097] [wagoodman]
- Explicitly test PURL generation against key packages [Issue #2071]
- Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]
Bug Fixes
- fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
- Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]