Releases: anchore/syft
v1.9.0
Added Features
- Add detection of Erlang in Alpine linux [#2996 @LaurentGoderre]
- Add version 3 support for swift package manager of the resolved files [#3001 @4ell0]
- Map the downloadLocation field for PHP Composer packages [#3011 @LaurentGoderre]
Bug Fixes
- Infer the package type from ELF package notes [#3008 @wagoodman]
- Order CPEs deterministically for SBOM reproducibility [#2967 #3009 @spiffcs]
v1.8.0
Bug Fixes
- Fixed the detection of arangodb 3.12 [#2979 @LaurentGoderre]
- Syft tries to create the cache directory at a location that has no permission [#2984 #2985 @kzantow]
v1.7.0
Added Features
- index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]
- Consider the Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]
Bug Fixes
- improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]
- Trim whitespace from wordpress values [#2945 @wagoodman]
- Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
- Poetry's multiple constraints seem to break the parser [#2947 #2965 @spiffcs]
- Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]
v1.6.0
Added Features
- Add relationships for go binary packages [#2912 @wagoodman]
- Add classifier for util-linux [#2933 @LaurentGoderre]
- Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]
- add license field to ELF binary package metadata [#2890 @brian-ebarb]
- install.sh: check checksums file's signature [#2884 #2941 @wagoodman]
- Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]
Bug Fixes
- Use redhat as namespace for redhat rpms [#2914 @ralphbean]
- Close sqlite driver after testing sqlite availability [#2922 @ttc0419]
- syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]
- Scanning a git repository folder present in /tmp produces an empty sbom [#2847 #2918 @willmurphyscode]
v1.5.0
Added Features
- Add abstraction for adding relationships from package cataloger results [#2853 @wagoodman]
- Capture dependencies when parsing SPDX SBOMs [#2869 @russellhaering]
- Add python wheel egg relationships [#2903 @wagoodman]
- Added functionality to convert major, minor, patch to version [#2864 @LaurentGoderre]
- Add support for RPM DB package relationships [#2872 @wagoodman]
- Detect fluent-bit binaries [#2904 #2905 @kzantow]
- Add syft config command [#2598 #2892 @kzantow]
Bug Fixes
- Fix DecoderCollection discarding input from non-seekable Readers [#2878 @russellhaering]
- Handle GOEXPERIMENTs in go version [#2893 @jonjohnsonjr]
- Go Mod Cataloger: Remove Replaced Packages [#2891 @russellhaering]
- Use values in relationship To/From fields [#2871 @wagoodman]
- Java package names showing up namespaced packages [#2230]
v1.4.1
Bug Fixes
- Fix redundant package deletions when considering ELF packages [#2862 @wagoodman]
v1.4.0
Added Features
- Add detection for newer versions of Erlang/OTP [#2829 @LaurentGoderre]
- Add missing CPE for traefik, memcached, and postgres binaries [#2845 @LaurentGoderre]
- Add binary classifier for ArangoDB [#2830 @LaurentGoderre]
- Add relationships to ELF packages [#2715 @brian-ebarb @cdivers18]
- Add relationships for ALPM packages (arch linux) [#2851 @wagoodman]
Bug Fixes
- close temp rpmdb file [#2792 @testwill]
- fix Windows file paths in local go mod cache [#2654 @willmurphyscode]
- Package Count doesn't match list of packages [#2304 #2839 @wagoodman]
- New version 1.3.0 leads to "too many open files" while scanning bigger images [#2819 #2823 @willmurphyscode]
- license_info_in_file is mandatory in SPDX-2.2 [#2163 #2168 @kzantow]
- Wrong CPE for dnsmasq [#2636 #2659 @kzantow]
- SPDX originator is not always populated [#2632 #2822 @wagoodman]
Additional Changes
- Improve linting for defer Close type issues [#2826]
- use ruleguard to test for missing defer statements [#2837 @willmurphyscode]
- Publish security policy [#2835 @wagoodman]
- fix function name in comment [#2771 @camcui]
- enable go-critic deferInLoop lint [#2825 @willmurphyscode]
v1.3.0
Added Features
- index known CPEs for go modules [#2816 @westonsteimel]
- support multiple known CPEs in index [#2813 @westonsteimel]
- index known CPEs for PHP Composer packagist.org packages [#2804 @westonsteimel]
- index known cpes for PHP extensions [#2777 @westonsteimel]
Bug Fixes
- re-use embedded union reader if possible [#2814 @willmurphyscode]
- prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io [#2806 @westonsteimel]
- improvements to known CPE index construction [#2801 @westonsteimel]
- Syft panics when scanning OCI image that contains packaged helm chart [#2745 #2757 @willmurphyscode]
- Pom parser not resolving all dependency versions [#2776 #2781 @willmurphyscode]
- exclude known instrumentation jars from being erroneously identified [#2796 @kzantow]
- return empty string if dereferencing pom var fails [#2797 @willmurphyscode]
v1.2.0
Added Features
- Differentiate between JRE and JDK [#2748 @LaurentGoderre]
- Add support for dnf packages [#2758]
Bug Fixes
- more robust go main version extraction [#2767 @kzantow]
- Regression in 1.1 cataloging openjdk: generates version containing a null byte [#2750 #2766 @LaurentGoderre]