v1.4.1
These notes include changes part of v1.4.0
Highlights
- Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
- Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
- Support cosign SBOM attestations
- Support for VEX in-toto attestations
Bug fixes / Improvements
- Fix order and case of details column headers in the policy deviation details tables
- Fix platform detection when an image index contains
linux/arm64/v8
but the local platform is onlylinux/arm64
- Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
Affectsquickview
andrecommendations
commands - Fix panic when an SBOM contains no packages
Especially when usingdocker scout
to analyse local file system, for instance usingdocker scout cves fs://.
- Bump Syft to 0.103.1 to fix golang Purl with subpath
- Add support for subpaths in PURLs
For instance an image containing both packagesgithub.com/gofiber/template
andgithub.com/gofiber/template/django/v3
, previously the two packages were visible under the samegithub.com/gofiber/template
name. Now both of them are correctly identified - Remove query strings from title in rendered hyperlinks