Releases: anchore/syft
v1.13.0
Added Features
- --enrich flag for data enrichment feature enablement [#3182 @kzantow]
- Add classifier for Dart lang [#3265 @LaurentGoderre]
- add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#3252 @krysgor]
- Catalog JDKs more completely [#3188 #3217 @wagoodman]
- Show richer information for JVM installations [#1426 #3217 @wagoodman]
- Allow for stubbing unknown versions over dropping packages [#2652 #3257 @wagoodman]
- Name and Version empty for Java package when scanning provided image [#2132 #3257 @wagoodman]
- Support bitnami/mysql:8.x [#3025]
Bug Fixes
- OpenJDK CPEs [#2422 #3217 @wagoodman]
- SBOM generated from poetry lock file contains no license information on any dependencies [#3204]
- Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#2039 #3257 @wagoodman]
- Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#2038 #3257 @wagoodman]
- Command make add-snippet can fail in some cases [#3249]
v1.12.2
Added Features
- Detect curl binaries [#3146 @krysgor]
- Add haskell binaries cataloger [#3078 @LaurentGoderre]
- add the Ocaml ecosystem [#3112 @LaurentGoderre]
- Support HAProxy dev [#3134 #3180 @witchcraze]
Bug Fixes
- Fix improper decoding of SPDX license expressions in the CycloneDX format [#3175 @NyanKiyoshi]
- improve generated cpes for binaries with existing classifiers [#3169 @westonsteimel]
- improve known CPEs and set NVD as source for all current binary classifiers [#3167 @westonsteimel]
- Respond to authoritative CPEs from catalogers [#3166 @wagoodman]
- Set cataloger names within package cataloger task [#3165 @wagoodman]
- use official CPE for curl binary cataloger [#3164 @westonsteimel]
- Fix ELF package correlations [#3151 @wagoodman]
- no space left and Could not retrieve mirrorlist in test [#3181 #3190 @wagoodman]
- Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed [#3195]
- CycloneDX conversion into Syft improperly handles SPDX licenses [#3172]
- Syft Cause stack overflow [goroutine stack exceeds 1000000000-byte limit] [#3163 #3170 @kzantow]
- Mysql binary detection version incorrect for 8.0.x [#3141 #3142 @kzantow]
Additional Changes
- Less verbose java logging when non-fatal issues arise [#3208 @wagoodman]
v1.11.1
Bug Fixes
- support .kar files [#3113 @tomersein]
- logging for remote network calls [#3140 @kzantow]
- Pick up CycloneDX BOM components from metadata as well [#3092 @dervoeti]
- improve groupid extraction for Jenkins plugins [#2815 @westonsteimel]
v1.11.0
Added Features
- Added the SWI Prolog (swipl) ecosystem [#3076 @LaurentGoderre]
- Improved java cataloging [#2769 @GijsCalis]
Bug Fixes
- Empty version field on some dependencies when reading pom.xml [#1129 #2769 @GijsCalis]
- Support Maven multi-level configuration file / parent POM [#2017 #2769 @GijsCalis]
- DependencyManagement ignored in pom.xml [#1813 #2769 @GijsCalis]
- Version parsing regression for Go binaries [#3086 #3087 @spiffcs]
Additional Changes
- rather than have a hard max recursive depth - syft should detect parent pom cycles [#2284 #2769 @GijsCalis]
- increase java purl generation test coverage [#3110 @westonsteimel]
- Updated PackageSupplier to type Organization for JAR files [#3093 @harippriyas]
- Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach [#3054 @dor-hayun]
v1.10.0
Added Features
- Detect go main module from partial package builds [#3060 @wagoodman]
- Support traefik in linux/arm/v6, linux/riscv64 [#3038 #3077 @witchcraze]
- Catalog TiDB binary [#2763]
- Generate a Maven friendly CPE [#3042 #3045 @kzantow]
Bug Fixes
- Only match ldflag version if it matches the main module or targets main.version [#3062 @LaurentGoderre]
- python requirements.txt cataloger: allow dots in python package names [#3070 @Mikcl]
- SPDX output performance with many relationships [#3053 @kzantow]
- Order CPEs deterministically for SBOM reproducibility [#2967 #3085 @kzantow]
- Python packages: name normalization [#3064 #3069 @Mikcl]
- Syft report panics with the golang cataloger [#3037 #3043 @willmurphyscode]
v1.9.0
Added Features
- Add detection of Erlang in Alpine linux [#2996 @LaurentGoderre]
- Add version 3 support for swift package manager of the resolved files [#3001 @4ell0]
- Map the downloadLocation field for PHP Composer packages [#3011 @LaurentGoderre]
Bug Fixes
- Infer the package type from ELF package notes [#3008 @wagoodman]
- Order CPEs deterministically for SBOM reproducibility [#2967 #3009 @spiffcs]
v1.8.0
Bug Fixes
- Fixed the detection of arangodb 3.12 [#2979 @LaurentGoderre]
- Syft tries to create the cache directory at a location that has no permission [#2984 #2985 @kzantow]
v1.7.0
Added Features
- index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]
- Consider Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]
Bug Fixes
- improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]
- Trim whitespace from wordpress values [#2945 @wagoodman]
- Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
- Poetry's multiple constraints seem to break the parser [#2947 #2965 @spiffcs]
- Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]
v1.6.0
Added Features
- Add relationships for go binary packages [#2912 @wagoodman]
- Add classifier for util-linux [#2933 @LaurentGoderre]
- Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]
- add license field to ELF binary package metadata [#2890 @brian-ebarb]
- install.sh: check checksums file's signature [#2884 #2941 @wagoodman]
- Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]
Bug Fixes
- Use redhat as namespace for redhat rpms [#2914 @ralphbean]
- Close sqlite driver after testing sqlite availability [#2922 @ttc0419]
- syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]
- Scanning a git repository folder present in /tmp produces an empty SBOM [#2847 #2918 @willmurphyscode]
v1.5.0
Added Features
- Add abstraction for adding relationships from package cataloger results [#2853 @wagoodman]
- Capture dependencies when parsing SPDX SBOMs [#2869 @russellhaering]
- Add python wheel egg relationships [#2903 @wagoodman]
- Added functionality to convert major, minor, patch to version [#2864 @LaurentGoderre]
- Add support for RPM DB package relationships [#2872 @wagoodman]
- Detect fluent-bit binaries [#2904 #2905 @kzantow]
- Add syft config command [#2598 #2892 @kzantow]
Bug Fixes
- Fix DecoderCollection discarding input from non-seekable Readers [#2878 @russellhaering]
- Handle GOEXPERIMENTs in go version [#2893 @jonjohnsonjr]
- Go Mod Cataloger: Remove Replaced Packages [#2891 @russellhaering]
- Use values in relationship To/From fields [#2871 @wagoodman]
- Java package names showing up namespaced packages [#2230]