Releases: anchore/syft
v0.86.0
Changelog
v0.86.0 (2023-07-31)
Added Features
- Introduce indexed embedded CPE dictionary [PR #1897] [luhring]
- Add cataloger for Swift Package Manager. [PR #1919] [trilleplay]
- Guess unpinned versions in python requirements.txt [PR #1597] [PR #1966] [manifestori] [wagoodman]
- Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #1661] [Issue #1241] [PR #1934] [kzantow]
Bug Fixes
- Fix panic condition on docker pull failure [PR #1968] [wagoodman]
- Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" [Issue #1799] [PR #1943] [luhring]
- Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #1969] [spiffcs]
Breaking Changes
v0.85.0
Changelog
v0.85.0 (2023-07-12)
Added Features
- Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #1867] [deitch]
- Add file source digest support [PR #1914] [wagoodman]
- Remove erroneous Java CPEs from generation [PR #1918] [luhring]
- Fix CPE generation for k8s python client [PR #1921] [luhring]
- Don't use the actual redis or grpc CPEs for gems [PR #1926] [luhring]
- The text user interface is now provided by the bubbletea library [Issue #1441] [PR #1888] [wagoodman]
Bug Fixes
- Install script returns exit code 0 even if install fails [Issue #1566] [PR #1915] [lorsatti]
- [Windows] Not able to scan volume mounted to folder [Issue #1828] [PR #1884] [dd-cws]
- Deprecated license: GFDL-1.2+ [Issue #1899] [PR #1907] [spiffcs]
Breaking Changes
- Refactor the source API and syft-json source block data shape [Issue #1866] [PR #1846] [wagoodman]
Additional Changes
v0.84.1
Changelog
v0.84.1 (2023-06-29)
Bug Fixes
- Fix version detection in Java archive name parsing [PR #1889] [luhring]
- Improve support for Dart SDK package dependency lockfiles [PR #1891] [rufman]
- Fix license output for some CycloneDX JSON SBOMs [Issue #1877] [PR #1879] [kzantow]
- Correctly discover Debian file relationships in distroless images [Issue #1900] [PR #1901] [westonsteimel]
Additional Changes
v0.84.0
Changelog
v0.84.0 (2023-06-20)
Breaking Changes
- Pad artifact IDs [PR #1882] [willmurphyscode]
Additional Changes
v0.83.1
Changelog
v0.83.1 (2023-06-14)
Bug Fixes
- fix: pom properties not setting artifact id [PR #1870] [jneate]
- fix(deps): pull in platform selection fix from stereoscope [PR #1871] [anchore-actions-token-generator] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see anchore/stereoscope#188
- symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #1860] [PR #1861] [deitch]
v0.83.0
Changelog
v0.83.0 (2023-06-05)
Added Features
- Add new '--source-version' and '--source-name' options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). [Issue #1399] [PR #1859] [kzantow]
- Add scope to POM properties [PR #1779] [jneate]
- Accept main.version ldflags even without vcs [PR #1855] [deitch]
Bug Fixes
- Fix directory resolver to consider CWD and root path input correctly [PR #1840] [wagoodman]
- Show all error messages if there is a failure retrieving an image with a specified scheme [Issue #1569] [PR #1801] [FrimIdan]
- v0.81.0 crashing parsing some images [Issue #1837] [PR #1839] [spiffcs]
Deprecated Features
Additional Changes
v0.82.0
Changelog
v0.82.0 (2023-05-23)
Added Features
- Improve Go main module version detection by attempting to parse available ldflags [Issue #1785] [PR #1832] [wagoodman]
Bug Fixes
- Fix a problem in the license parsing logic that may result in a panic [PR #1839]
- Return all relevant error messages if an image retrieval fails when a scheme is specified [PR #1801] [FrimIdan]
- Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages [Issue #1762] [PR #1778] [kzantow]
v0.81.0
Changelog
v0.81.0 (2023-05-22)
Added Features
- Support cataloging R packages [Issue #730] [PR #1790] [willmurphyscode]
- Support describing license properties and SPDX expression assertions [Issue #1577] [PR #1743] [spiffcs]
- Warn if parsing a newer SBOM [PR #1810] [willmurphyscode]
Bug Fixes
- Retain cataloged SBOM relationships [PR #1509] [houdini91]
- fix: update field plurality of 8.0.0 schema before release [PR #1820] [spiffcs]
- fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft [Issue #1812] [PR #1797] [willmurphyscode]
- CycloneDX Dependencies Relationships Inverted [Issue #1815] [PR #1816] [shanealv]
- Alpine: license expression should be complete and not parsed out [Issue #1817] [PR #1819] [spiffcs]
Additional Changes
- Print package list when extra packages found [PR #1791] [willmurphyscode]
- update cosign to v2 release (different go module) [PR #1805] [bobcallaway]
v0.80.0
Changelog
v0.80.0 (2023-05-05)
Added Features
- Improve pnpm support [Issue #1535] [PR #1752] [Shanedell]
Bug Fixes
- chore: add more detail on SPDX file IDs [PR #1769] [kzantow]
- chore: do not HTML escape PackageURLs [PR #1782] [kzantow]
- RPM database not found on ostree-managed systems [Issue #1755] [PR #1756] [fpytloun]
- Unable to use syft for private azure container registry [Issue #1777]
- linux-kernel-cataloger produces thousands of version-less components. [Issue #1781] [PR #1784] [kzantow]
Deprecated Features
v0.79.0
Changelog
v0.79.0 (2023-04-21)
Added Features
- Add ALPM Metadata to CYCLONEDX and SPDX output formats [Issue #1037] [PR #1747] [Shanedell]
- consul binary classifier [Issue #1590] [PR #1738] [Shanedell]
Bug Fixes
- Syft missing direct dependencies from the gemfile.lock [Issue #1660] [PR #1749] [Shanedell]
Additional Changes
- chore: bump stereoscope to latest version [PR #1741] [westonsteimel]