Releases: anchore/syft
Releases · anchore/syft
v0.96.0
Added Features
- Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
- store image annotations inside the SBOM [#2267 #2294 @noqcks]
- Support parsing license information in Maven projects via parent poms [#2103]
Bug Fixes
v0.95.0
Added Features
- Use case-insensitive matching for Go license files [#2286 @miquella]
- Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
- Perform case insensitive matching on Java License files [#2235 @coheigea]
- Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
- Add PURLs when scanning Gradle lock files [#2278 @robbiev]
Bug Fixes
- Fix CPE index workflow [#2252 @wagoodman]
- Fix cpe generation task [#2270 @willmurphyscode]
- Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
- .NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
- Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
- SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
- Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
- Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
- Fix directory resolver to always return virtual path [#2259 @wagoodman]
- Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]
Breaking Changes
- Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
- Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
- Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
- Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]
Additional Changes
- Upgrade tool management [#2188 @wagoodman]
- Fix homebrew post-release workflow [#2242 @wagoodman]
v0.94.0
Added Features
- Add additional license filenames [#2227 @coheigea]
- Parse donet dependency trees [#2143 @noqcks]
- Find license by embedded license text [#2147 #2213 @coheigea]
- Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]
Bug Fixes
- Report errors to stderr not stdout [#2232 @wagoodman]
- Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
- Java archive is listed twice [#2130 #2220 @wagoodman]
- Java archives not from Maven [#2217 #2220 @wagoodman]
- Remove internal.StringSet [#2209 #2219 @wagoodman]
- Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]
v0.93.0
Added Features
- Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
- Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
- Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]
Bug Fixes
- Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]
Additional Changes
v0.92.0
Added Features
- Support for multiple image refs of same sha in OCI layout [#1544]
Bug Fixes
- Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]
Additional Changes
- bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]
v0.91.0
Added Features
- Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
- Add support for containerd as an image source [#201 #1793 @shanedell]
- Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]
Bug Fixes
- Allow CycloneDX json input with no components [#2127 @ahoz]
- Prevent errors from clobbering terminal [#2161 @kzantow]
- Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
- SBOMs are not the same on multiple runs of syft [#1944]
Additional Changes
- Switch to stdlib's slices pkg [#2148 @hainenber]
- Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
- Update chronicle to v0.8.0 [#2154 @wagoodman]
- Update to latest stereoscope [#2151 @spiffcs]
- Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
- Add dependency information to conan lockfile parser [#2131 @Pro]
- Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
- Enforce race detector [#2122 @willmurphyscode]
v0.90.0
v0.90.0 (2023-09-11)
Added Features
- Expose cobra command in cli package [PR #2097] [wagoodman]
- Explicitly test PURL generation against key packages [Issue #2071]
- Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]
Bug Fixes
- fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
- Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]
Additional Changes
v0.89.0
v0.89.0 (2023-08-31)
Added Features
- Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
- Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]
Bug Fixes
- Fix quiet flag [PR #2081] [wagoodman]
- Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
- Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
- Config parsing includes
config.yaml
in working dir [Issue #1634] [PR #2001] [kzantow] - Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
- Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
- Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]
v0.88.0
v0.88.0 (2023-08-25)
Added Features
- Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
- feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
- Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]
Bug Fixes
- fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
- New version notice only showing the version and no text [PR #2042] [wagoodman]
- Fix: don't validate pom declared group [PR #2054] [willmurphyscode]
- Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
- Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
- Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
- Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]
v0.87.1
v0.87.1 (2023-08-17)
Bug Fixes
- Use Java package names to determine known groupIDs [PR #2032] [kzantow]
- Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
- SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
- Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]