Releases: anchore/syft
v0.89.0
v0.89.0 (2023-08-31)
Added Features
- Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
- Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]
Bug Fixes
- Fix quiet flag [PR #2081] [wagoodman]
- Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
- Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
- Config parsing includes config.yaml in working dir [Issue #1634] [PR #2001] [kzantow]
- Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
- Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
- Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]
v0.88.0
v0.88.0 (2023-08-25)
Added Features
- Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
- feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
- Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]
Bug Fixes
- fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
- New version notice only showing the version and no text [PR #2042] [wagoodman]
- Fix: don't validate pom declared group [PR #2054] [willmurphyscode]
- Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
- Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
- Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
- Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]
v0.87.1
v0.87.1 (2023-08-17)
Bug Fixes
- Use Java package names to determine known groupIDs [PR #2032] [kzantow]
- Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
- SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
- Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]
v0.87.0
v0.87.0 (2023-08-14)
Added Features
- feat: use originator logic to fill supplier [PR #1980] [spiffcs]
- Expand deb cataloger to include opkg [PR #1985] [johnDeSilencio]
- Package duplicated by different cataloger [Issue #931] [PR #1948] [spiffcs]
- Add binary cataloger for Nginx built from source [Issue #1945] [PR #1988] [SemProvoost]
Bug Fixes
- chore: update bubbly to fix hanging [PR #1990] [kzantow]
- fix: update glob to use newer usr/lib/sysimage path [PR #1997] [spiffcs]
- fix: SPDX license values and download location [PR #2007] [kzantow]
- Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #1957] [PR #1995] [kzantow]
v0.86.1
v0.86.0
Changelog
v0.86.0 (2023-07-31)
Added Features
- Introduce indexed embedded CPE dictionary [PR #1897] [luhring]
- Add cataloger for Swift Package Manager. [PR #1919] [trilleplay]
- Guess unpinned versions in python requirements.txt [PR #1597] [PR #1966] [manifestori] [wagoodman]
- Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #1661] [Issue #1241] [PR #1934] [kzantow]
Bug Fixes
- Fix panic condition on docker pull failure [PR #1968] [wagoodman]
- Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" [Issue #1799] [PR #1943] [luhring]
- Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #1969] [spiffcs]
Breaking Changes
v0.85.0
Changelog
v0.85.0 (2023-07-12)
Added Features
- Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #1867] [deitch]
- Add file source digest support [PR #1914] [wagoodman]
- Remove erroneous Java CPEs from generation [PR #1918] [luhring]
- Fix CPE generation for k8s python client [PR #1921] [luhring]
- Don't use the actual redis or grpc CPEs for gems [PR #1926] [luhring]
- The text user interface is now provided by the bubbletea library [Issue #1441] [PR #1888] [wagoodman]
Bug Fixes
- Install script returns exit code 0 even if install fails [Issue #1566] [PR #1915] [lorsatti]
- [Windows] Not able to scan volume mounted to folder [Issue #1828] [PR #1884] [dd-cws]
- Deprecated license: GFDL-1.2+ [Issue #1899] [PR #1907] [spiffcs]
Breaking Changes
- Refactor the source API and syft-json source block data shape [Issue #1866] [PR #1846] [wagoodman]
Additional Changes
v0.84.1
Changelog
v0.84.1 (2023-06-29)
Bug Fixes
- Fix version detection in Java archive name parsing [PR #1889] [luhring]
- Improve support for Dart SDK package dependency lockfiles [PR #1891] [rufman]
- Fix license output for some CycloneDX JSON SBOMs [Issue #1877] [PR #1879] [kzantow]
- Correctly discover Debian file relationships in distroless images [Issue #1900] [PR #1901] [westonsteimel]
Additional Changes
v0.84.0
Changelog
v0.84.0 (2023-06-20)
Breaking Changes
- Pad artifact IDs [PR #1882] [willmurphyscode]
Additional Changes
v0.83.1
Changelog
v0.83.1 (2023-06-14)
Bug Fixes
- fix: pom properties not setting artifact id [PR #1870] [jneate]
- fix(deps): pull in platform selection fix from stereoscope [PR #1871] [anchore-actions-token-generator]
  - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see anchore/stereoscope#188
- symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #1860] [PR #1861] [deitch]