v0.100.0

Added Features

• Add more functionality to the ErLang parser [#2390 @LaurentGoderre]
• Added OpenSSL binary matcher [#2416 @LaurentGoderre]
• Add ability to extend the binaries cataloguers [#2469 @LaurentGoderre]

Bug Fixes

• Added missing Purl for busybox [#2457 @LaurentGoderre]
• Fix diff error obfuscating binary test failures message [#2468 @LaurentGoderre]
• v0.99.0: CycloneDX json output breaks osv-scanner [#2467]

Additional Changes

• update openssl binary to -x [#2456 @spiffcs]

(Full Changelog)

v0.99.0

Added Features

• Look for a maven version in a pom from a parent dependency management… [#2423 @coheigea]
• Adding the ability to retrieve remote licenses for yarn.lock [#2338 @coheigea]
• Retrieve remote licenses using pom.properties when there is no pom.xml [#2315 @coheigea]
• Add the option to retrieve remote licenses for projects defined in a … [#2409 @coheigea]
• Parse Python licenses from LicenseFile entry in the Wheel Metadata [#2331 @coheigea]
• Add binary classifier for the ERLang interpreter [#2417 @LaurentGoderre]
• Parse Python licenses from LicenseExpression entry in the Wheel Metadata [#2431 @coheigea]
• Add binary classifier for Julia lang [#2427 @LaurentGoderre]
• Add binary detection for PHP composer [#2432 @LaurentGoderre]

Bug Fixes

• bump fangs for ptr summarize fix [#2387 @willmurphyscode]
• improve identification for org.codehaus.groovy artifacts [#2404 @westonsteimel]
• improve identification for commons-jelly artifacts [#2399 @westonsteimel]
• improve identification for io.minio artifacts [#2398 @westonsteimel]
• improve identification for com.graphql-java artifacts [#2397 @westonsteimel]
• improve identification for org.apache.tapestry artifacts [#2384 @westonsteimel]
• improve identification for io.ratpack artifacts [#2379 @westonsteimel]
• improve identification for org.apache.cassandra artifacts [#2386 @westonsteimel]
• improve identification for org.neo4j.procedure artifacts [#2388 @westonsteimel]
• improve identification for org.elasticsearch artifacts [#2383 @westonsteimel]
• improve identification for org.apache.geode artifacts [#2382 @westonsteimel]
• improve identification for org.apache.tomcat artifacts [#2381 @westonsteimel]
• improve identification for io.projectreactor.netty artifacts [#2378 @westonsteimel]
• stop panic when parsing Haskell stack.yaml.lock with missing hackage field [#2421 #2419 @houdini91]
• fix detecting the name of the eclipse OSGi artifact [#2314 #2349 @westonsteimel]
• File Sources incorrectly exclude files on Windows [#2410 #2411 @Racer159]
• Parser for dotnet_portable_executable using wrong attribute name [#2029 #2133 @kzantow]

Breaking Changes

• Generalize UI events for cataloging tasks [#2369 @wagoodman]

Additional Changes

• refactor pkg.Collection to remove "catalog" references [#2439 @wagoodman]
• Expose javascript fields in cataloger configuration [#2438 @wagoodman]
• Use common archive catalog configuration [#2437 @wagoodman]
• Fix file digest cataloger when passed explicit coordinates [#2436 @wagoodman]

(Full Changelog)

v0.98.0

Added Features

• Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
• Enhance redis binary classifier to support additional versions [#2329 @whalelines]
• Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]

Bug Fixes

• Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
• hardcode xalan group ID [#2368 @willmurphyscode]
• logging level for parsing potential PE files [#2367 @kzantow]
• Use read lock in pkg.Collection [#2341 @wagoodman]
• add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
• add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
• errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
• syft some-jar.jar fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]
• Default for recently added base path, "", disables detection of symlinked *.jar files [#1962 #2359 @willmurphyscode]
• syft attest broken since 0.85.0 [#2333 #2337 @wagoodman]
• Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]

Breaking Changes

• Remove power-user command and related catalogers [#1419 #2306 @wagoodman]

Additional Changes

• Normalize cataloger configuration patterns [#2365 @wagoodman]
• Normalize enums to lowercase with hyphens [#2363 @wagoodman]

(Full Changelog)

Special Thanks

Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍

v0.97.1

Bug Fixes

• Syft does not use HTTP proxy when downloading the Docker image itself [#2203 #2336 @anchore-actions-token-generator]

Additional Changes

• syft version report is broken with 0.97.0 release [#2334 #2335 @spiffcs]

(Full Changelog)

v0.97.0

Added Features

• Add license for golang stdlib package [#2317 @coheigea]
• Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]

Bug Fixes

• Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#2313 @coheigea]
• capture content written to stdout outside of report [#2324 @kzantow]
• add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
• skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
• cataloger dpkg-db-cataloger not working [#2323]

Breaking Changes

• Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]

Additional Changes

• Export syft-json format package metadata type helper [#2328 @wagoodman]
• Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]

(Full Changelog)

v0.96.0

Added Features

• Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
• store image annotations inside the SBOM [#2267 #2294 @noqcks]
• Support parsing license information in Maven projects via parent poms [#2103]

Bug Fixes

• SPDX file has duplicate sha256 tag in versionInfo [#2300 @coheigea]
• Report virtual path consistently between file.Resolvers [#1836 #2287 @wagoodman]
• Unable to identify CycloneDX JSON documents without $schema property [#2299 #2303 @kzantow]

(Full Changelog)

v0.95.0

Added Features

• Use case-insensitive matching for Go license files [#2286 @miquella]
• Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
• Perform case insensitive matching on Java License files [#2235 @coheigea]
• Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
• Add PURLs when scanning Gradle lock files [#2278 @robbiev]

Bug Fixes

• Fix CPE index workflow [#2252 @wagoodman]
• Fix cpe generation task [#2270 @willmurphyscode]
• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• .NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
• Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
• SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
• Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
• Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
• Fix directory resolver to always return virtual path [#2259 @wagoodman]
• Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
• Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]

Breaking Changes

• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
• Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
• Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]

Additional Changes

• Upgrade tool management [#2188 @wagoodman]
• Fix homebrew post-release workflow [#2242 @wagoodman]

(Full Changelog)

v0.94.0

Added Features

• Add additional license filenames [#2227 @coheigea]
• Parse donet dependency trees [#2143 @noqcks]
• Find license by embedded license text [#2147 #2213 @coheigea]
• Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]

Bug Fixes

• Report errors to stderr not stdout [#2232 @wagoodman]
• Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
• Java archive is listed twice [#2130 #2220 @wagoodman]
• Java archives not from Maven [#2217 #2220 @wagoodman]
• Remove internal.StringSet [#2209 #2219 @wagoodman]
• Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]

(Full Changelog)

v0.93.0

Added Features

• Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
• Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
• Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]

Bug Fixes

• Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]

Additional Changes

• Refine the docs for building a cataloger [#2175 @wagoodman]
• update license list to 3.22 [#2201 @spiffcs]
• Add exact syntax of the conversion formats [#2196 @vargenau]

(Full Changelog)

v0.92.0

Added Features

• Support for multiple image refs of same sha in OCI layout [#1544]

Bug Fixes

• Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]

Additional Changes

• bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]

(Full Changelog)