Releases: anchore/syft
v0.94.0
Added Features
- Add additional license filenames [#2227 @coheigea]
- Parse dotnet dependency trees [#2143 @noqcks]
- Find license by embedded license text [#2147 #2213 @coheigea]
- Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]
Bug Fixes
- Report errors to stderr not stdout [#2232 @wagoodman]
- Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
- Java archive is listed twice [#2130 #2220 @wagoodman]
- Java archives not from Maven [#2217 #2220 @wagoodman]
- Remove internal.StringSet [#2209 #2219 @wagoodman]
- Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]
v0.93.0
Added Features
- Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
- Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
- Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]
Bug Fixes
- Converting an SBOM loses the algorithm type for added checksums [#2183 #2207 @sharief007]
Additional Changes
v0.92.0
Added Features
- Support for multiple image refs of same sha in OCI layout [#1544]
Bug Fixes
- Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]
Additional Changes
- bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]
v0.91.0
Added Features
- Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
- Add support for containerd as an image source [#201 #1793 @shanedell]
- Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]
Bug Fixes
- Allow CycloneDX json input with no components [#2127 @ahoz]
- Prevent errors from clobbering terminal [#2161 @kzantow]
- Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
- SBOMs are not the same on multiple runs of syft [#1944]
Additional Changes
- Switch to stdlib's slices pkg [#2148 @hainenber]
- Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
- Update chronicle to v0.8.0 [#2154 @wagoodman]
- Update to latest stereoscope [#2151 @spiffcs]
- Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
- Add dependency information to conan lockfile parser [#2131 @Pro]
- Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
- Enforce race detector [#2122 @willmurphyscode]
v0.90.0 (2023-09-11)
Added Features
- Expose cobra command in cli package [PR #2097] [wagoodman]
- Explicitly test PURL generation against key packages [Issue #2071]
- Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]
Bug Fixes
- fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
- Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]
Additional Changes
v0.89.0 (2023-08-31)
Added Features
- Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
- Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]
Bug Fixes
- Fix quiet flag [PR #2081] [wagoodman]
- Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
- Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
- Config parsing includes config.yaml in working dir [Issue #1634] [PR #2001] [kzantow]
- Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
- Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
- Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]
v0.88.0 (2023-08-25)
Added Features
- Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
- feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
- Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]
Bug Fixes
- fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
- New version notice only showing the version and no text [PR #2042] [wagoodman]
- Fix: don't validate pom declared group [PR #2054] [willmurphyscode]
- Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
- Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
- Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
- Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]
v0.87.1 (2023-08-17)
Bug Fixes
- Use Java package names to determine known groupIDs [PR #2032] [kzantow]
- Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
- SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
- Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]
v0.87.0 (2023-08-14)
Added Features
- feat: use originator logic to fill supplier [PR #1980] [spiffcs]
- Expand deb cataloger to include opkg [PR #1985] [johnDeSilencio]
- Package duplicated by different cataloger [Issue #931] [PR #1948] [spiffcs]
- Add binary cataloger for Nginx built from source [Issue #1945] [PR #1988] [SemProvoost]
Bug Fixes
- chore: update bubbly to fix hanging [PR #1990] [kzantow]
- fix: update glob to use newer usr/lib/sysimage path [PR #1997] [spiffcs]
- fix: SPDX license values and download location [PR #2007] [kzantow]
- Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #1957] [PR #1995] [kzantow]