This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Grype Release Notes

Anchore Grype Release Notes

1 - v0.99.1

Release notes for grype v0.99.1

Release Notes

Version v0.99.1

Bug Fixes

Present fix available version in grype JSON output [#2905 @wagoodman]
detect patch numbers in fuzzy version comparison [#2844 @willmurphyscode]
Make timestamp in output configurable (so that results are more reproducible) [#522 #2724 @gabetrau]
Grype .98 misidentifies the container package version [#2884]

(Full Changelog)

2 - v0.99.0

Release notes for grype v0.99.0

Release Notes

Version v0.99.0

Added Features

Add fix availability information to DB schema [#2862 @wagoodman]
Add support vulnerability matching for raspbian [#2893 @westonsteimel]
Add Vex CSAF support [#1826 @juan131]

Bug Fixes

include channel in grype db search output [#2873 @willmurphyscode]
add UnmarshalJSON to fix availability blob [#2889 @willmurphyscode]
Grype misdetect Grafana version [#2783]

Breaking Changes

CSAF support [#1826 @juan131]

(Full Changelog)

3 - v0.98.0

Release notes for grype v0.98.0

Release Notes

Version v0.98.0

Added Features

move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [#2861 @westonsteimel]

(Full Changelog)

4 - v0.97.2

Release notes for grype v0.97.2

Release Notes

Version v0.97.2

Grype v0.97.2

Added Features

new syft version adds binary classifier for hashicorp vault [#4121 @willmurphyscode]

Bug Fixes

fix: update syft’s nondeterministic Java archive purl and improve groupID for better matching [#3521 #4118 @kzantow]

(Full Changelog)

5 - v0.97.1

Release notes for grype v0.97.1

Release Notes

Version v0.97.1

Bug Fixes

Multiple EUS advisories where only some are fixed result in unexpected vulnerabilities [#2840 #2841 @kzantow]

(Full Changelog)

6 - v0.97.0

Release notes for grype v0.97.0

Release Notes

Version v0.97.0

Added Features

Add support for RHEL EUS [#2446 #2787 @wagoodman]

Bug Fixes

Error scanning snap “unsupported source: source.SnapMetadata” [#2819 #2821 @kzantow]

Additional Changes

add channel to os / distro [#2782 @wagoodman]

(Full Changelog)

7 - v0.96.1

Release notes for grype v0.96.1

Release Notes

Version v0.96.1

Syft Improvments

Update to latest version of syft v1.29.0

Performance Improvements

Create ignore regex objects conditionally[#2805 @wagoodman ]

(Full Changelog)

8 - v0.96.0

Release notes for grype v0.96.0

Release Notes

Version v0.96.0

Added Features

Added the EPSS score and KEV indications as CycloneDX vulnerabilities.ratings entries [#2695 #2765 @AlinaPodoba]

Bug Fixes

The go run and go install broken due to useless redirect directive in go.mod [#2777 #2780 @stefanb]
EPSS implementation using percentile instead of percent probability [#2778 #2785 @wagoodman]
Latest version of grype with V6 schema lists incorrect URL for v6 database [#2513]

Additional Changes

Add more detail around cataloging and DB load log statements [#2779 @wagoodman]
add version set and combined constraint [#2763 @wagoodman]
add v6 OS store [#2766 @wagoodman]

(Full Changelog)

9 - v0.95.0

Release notes for grype v0.95.0

Release Notes

Version v0.95.0

Added Features

Add string severity to db search json results [#2730 @wagoodman]
Add package specifier overrides for kb, dpkg, and apkg [#2742 @westonsteimel]

Bug Fixes

show related NVD records for non-NVD matches [#2755 @kzantow]
assume that a vulnerability with no ranges is always vulnerable [#2759 @wagoodman]
DB should hydrate for when the client has new features [#2758 @wagoodman]
show relationship back to NVD for all CVE ids [#2756 @westonsteimel]
properly escape CPE segments [#2731 @kzantow]
msrc matcher should search by package ecosystem, not by distro [#2748 @westonsteimel]
Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [#2768 #2772 @willmurphyscode]
malformed CPE in grype db search output [#2767 #2769 @westonsteimel]
vex documents from the –vex flag do get processed or applied to the output correctly [#1836 #2741 @willmurphyscode]

Additional Changes

replace deprecated GoReleaser configurations [#2729 @emmanuel-ferdman]
specify types for all match details [#2762 @wagoodman]
Refactor the version package [#2735 @wagoodman]

(Full Changelog)

10 - v0.94.0

Release notes for grype v0.94.0

Release Notes

Version v0.94.0

Added Features

Add echo os to grype [#2647 @orizerah]

Bug Fixes

Nonroot can’t load local docker image with docker socket bind [#2721 #2723 @kzantow]
“Harden Container Runtime with Non-Root User” breaks –output usage [#2720 #2723 @kzantow]

(Full Changelog)

11 - v0.93.0

Release notes for grype v0.93.0

Release Notes

Version v0.93.0

Added Features

Add support for MinimOS [#2627 @Daniel-Wachter]
Use the upstream Bitmani vulndb data for matching [#1609 #2538 @juan131]
Support rubygems specific version comparision [#2646 #2712 @willmurphyscode]

Bug Fixes

Harden Container Runtime with Non-Root User [#2716 @wagoodman]
valid cpes in db search output [#2706 @westonsteimel]
Always show results with json output for db search commands [#2692 @wagoodman]
False positive: CVE-2025-5702 reported with High severity on glibc 2.34 (wrong severity and affected version) [#2718]

(Full Changelog)

12 - v0.92.2

Release notes for grype v0.92.2

Release Notes

Version v0.92.2

Bug Fixes

unpin dockerfile base images to prevent wget TLS errors [#2671 @spiffcs]
Parse java group ID and artifact ID from PURL when missing [#2675 @wagoodman]
Grype can’t update DB in docker volume (regression) [#2517 #2672 @willmurphyscode]

Additional Changes

Remove getDB() from the v6 DB reader [#2669 @wagoodman]

(Full Changelog)

13 - v0.92.1

Release notes for grype v0.92.1

Release Notes

Version v0.92.1

(Full Changelog)

14 - v0.92.0

Release notes for grype v0.92.0

Release Notes

Version v0.92.0

Added Features

improve html template [#2635 @OnceUponALoop]
Add EPSS metrics to grype results [#1973 #2587 @wagoodman]
Show indication of known exploited vulnerabilities (from CISA) [#1511 #2587 @wagoodman]

Bug Fixes

adjust namespace translation logic to be v5 compatible [#2634 @westonsteimel]
fall back to fuzzy constraint units [#2651 @willmurphyscode]
adjust version prefix check when excluding overlapping packages [#2653 @westonsteimel]
Dropping group from npm package names leads to false positives [#2554 #2645 @kzantow]
Potential regression in CVE detection from 0.87.0 (v5 schema) to 0.88.0 (v6 schema) for go-module detection [#2642]
Removal of temporary files not working on Windows [#2233 #2657 @popey]
@jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 [#1886 #2645 @kzantow]
Vulnerability reported on @group/name dependency when actual vulnerability exists on name dependency [#1701 #2645 @kzantow]
Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities [#2628 #2645 @kzantow]
PHP pecl redis mixes with redis project itself and creates false positive cve [#1804]
False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 [#1729]
Grype does not handle purl file input with packages from different distributions [#2630 #2639 @chovanecadam]
grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve [#2580 #2586 @goatwu1993]

(Full Changelog)

15 - v0.91.2

Release notes for grype v0.91.2

Release Notes

Version v0.91.2

Bug Fixes

Various false positives starting with 0.91.1 [#2618 #2621 @willmurphyscode]

(Full Changelog)

16 - v0.91.1

Release notes for grype v0.91.1

Release Notes

Version v0.91.1

Bug Fixes

Assume that empty versions should match on all possible versions [#2591 @wagoodman]
Fix severity field in db search vuln [#2589 @wagoodman]
Recover from panic within a matcher [#2590 @wagoodman]
Should only check maven central if pom info is missing [#2216 #2547 @tdunlap607]
grype db search GHSA-mrrh-fwg8-r2c3 doesn’t return results [#2530]
Grype stopped reporting vulnerabilities after upgrade [#2608 #2610 @willmurphyscode]
Grype does not handle cache-dir containing ~ correctly [#2599 #2600 @kzantow]
Grype should expand ~ in paths in config file [#2024 #2600 @kzantow]
False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#2581]
Missing grype DB update from 20250411 [#2593]
Does not fill in the Level field of the SARIF result object [#2511 #2571 @bdovaz]

Additional Changes

add timing info to log output [#2597 @kzantow]
Replace os.ReadDir with afero.ReadDir for consistency [#2579 @joe-ton]

(Full Changelog)

17 - v0.91.0

Release notes for grype v0.91.0

Release Notes

Version v0.91.0

Added Features

Add v5 namespace emulation to db search output [#2539 @wagoodman]
Add CVSS metrics in search JSON output [#2568 @wagoodman]
Exit with a different return code for a failed scan [#1922]

Bug Fixes

Use data driven approach when detecting Alpine:edge and Debian:sid [#2556 @wagoodman]
db list should render out full URLs for text format [#2553 @wagoodman]
grype db import fails since v0.88 and above [#2542 #2546 @kzantow]

(Full Changelog)

18 - v0.90.0

Release notes for grype v0.90.0

Release Notes

Version v0.90.0

Added Features

Match vulnerabilities by distro name when no version specified [#2521 #2534 @kzantow]
Allow DB import from a URL [#2134 #2532 @wagoodman]
Add the DB url to the JSON descriptor block [#356 #2529 @wagoodman]

(Full Changelog)

19 - v0.89.1

Release notes for grype v0.89.1

Release Notes

Version v0.89.1

Bug Fixes

Ensure fatal error from maven search bubbles up [#2518 @luhring]
Source URLs missing/broken in output with latest release [#2520 #2523 @kzantow]
Grype results set a vulnerability as its own related vulnerability [#2514 #2515 @kzantow]

(Full Changelog)

20 - v0.89.0

Release notes for grype v0.89.0

Release Notes

Version v0.89.0

[!IMPORTANT] As of Grype v0.88.0, the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.

Added Features

Show suggested fixed version when there are multiple listed [#2264 #2271 @tomersein]

Bug Fixes

Check for vulnerability database update failed with unsupported protocol scheme when referencing local file [#2507 #2508 @wagoodman]

(Full Changelog)

21 - v0.88.0

Release notes for grype v0.88.0

Release Notes

Version v0.88.0

[!IMPORTANT] With #2126 the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.

Added Features

Add KEV information to v6 DB [#2464 @wagoodman]
Add pretty format option [#2406 @tomersein]
Add configuration for maven rate limit functionality [#2397 @rawlingsj]
Allow specifying literal CPEs via the CLI [#2463 @wagoodman]
Add KEV & EPSS to db search schema [#2481 @wagoodman]
Update vulnerability matchers to use v6 DB schema [#2132 #2311 @kzantow]
Configure and use new V6 DB distribution URLs [#2126 #2439 @kzantow]

Bug Fixes

fix golang 1.24 versions when not semver compliant [#2486 @xnox]
error out on maven search rate limiting [#2460 @luhring]
CPE search failed when considering target software for unknown package type [#2434 #2438 @westonsteimel]
Grype Does Not Clean TMPDIR When Running in a Docker Container [#2500]
GetMavenPackageBySha can be rate limited by maven central, grype will silently fail which results in inconsistent scan results [#2383]
Grype exits with error on JSON output with PURL input [#2360]
Removal of temporary files not working on Windows [#2233 #2439 @kzantow]
grype db status reports “valid” when the DB is missing [#2077 #2439 @kzantow]
grype db status doesn’t always check the db’s checksum and validity [#1648 #2439 @kzantow]
False positive of CVE-2023-45853 on apt zlib1g/now 1:1.2.13.dfsg-1 package [#2412 #2474 @westonsteimel]
GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version [#2408]
“grype config” output swaps comments for search-indexed-archives / search-unindexed-archives [#2409 #2414 @spiffcs]

Breaking Changes

Remove DB schema v3 and v4 code [#2435 @wagoodman]
Replace grype db diff with grype db search --modified-after and --published-after flags [#2129 #2439 @kzantow]

Additional Changes

Refactor presenters to use static model over dynamic lookups [#2492 @wagoodman]
update syft to 1.20 [#2473 @kzantow]

(Full Changelog)

22 - v0.87.0

Release notes for grype v0.87.0

Release Notes

Version v0.87.0

Added Features

Question: Custom Vulnerability Sources CSAF [#2337]
vex: Add package name to VEX product identifiers [#1905 #2355 @ferozsalam]

Bug Fixes

fix upstream match for linux-.-headers-. [#2320 @barnuri]
external-sources: throttle requests to maven central to avoid being rate limited for large sets of java dependencies [#2384 @rawlingsj]
Clean up config help text [#2347 @wagoodman]

(Full Changelog)

23 - v0.86.1

Release notes for grype v0.86.1

Release Notes

Version v0.86.1

Security Fixes

archiver has been archived - replace with archives fork [#2304 #2313 @spiffcs]

Bug Fixes

archiver has been archived - replace with archives fork [#2304 #2313 @spiffcs]
Grype panics on certain output formats for PURL inputs [#2324 #2328 @willmurphyscode]
FP of upstream linux [#2326]

Additional Changes

move v5-specific interfaces and implementations to the v5 package [#2322 @kzantow]
Fix broken link to cosign documentation [#2321 @uaqben]

(Full Changelog)

24 - v0.86.0

Release notes for grype v0.86.0

Release Notes

Version v0.86.0

Added Features

Add missing package information for Sarif report [#2267 #2254 @GeorgeLS]

Bug Fixes

ignore linux-aws-headers-._ as well like linux-headers-._ [#2295 @barnuri]

Breaking Changes

Remove DB v1 & v2 schemas [#2278 @wagoodman]

Additional Changes

refactor v5-specific code out of core packages [#2299 @kzantow]

(Full Changelog)

25 - v0.85.0

Release notes for grype v0.85.0

Release Notes

Version v0.85.0

Added Features

Add support for gradle in Java [#2236]
Prefer direct match information over indirect matches [#1931 #2241 @wagoodman]

Bug Fixes

Restore log on UI teardown [#2248 @wagoodman]
Display warnings even when -v is not passed and no tty is present [#2180 #2268 @willmurphyscode]

Additional Changes

core dependencies: latest syft v1.17.0 and latest stereoscope v0.0.9 [#2275 @willmurphyscode]

(Full Changelog)

26 - v0.84.0

Release notes for grype v0.84.0

Release Notes

Version v0.84.0

Added Features

Add support for scanning single purl from the CLI [#2225 #2223 @wagoodman]

Bug Fixes

Flaky checks on STDIN for purl provider [#2192 #2223 @wagoodman]
Missing alpine patch version yields inaccurate results [#2222 #2226 @wagoodman]

Additional Changes

update Syft to v1.16.0 [#2237 @anchore-actions-token-generator]

(Full Changelog)

27 - v0.83.0

Release notes for grype v0.83.0

Release Notes

Version v0.83.0

Added Features

Merge config files hierarchically and add support for config profiles [#2009 #2194 @kzantow]
Add DB providers command [#2131 #2174 @ADorigi]

(Full Changelog)

28 - v0.82.2

Release notes for grype v0.82.2

Release Notes

Version v0.82.2

Bug Fixes

azurelinux considered as comprehensive distro [#2197 @westonsteimel]
Java archive cataloger performance in 0.82.x much slower than 0.81.0 [#2200]

Additional Changes

Update to Syft v1.14.2 [#2203 @wagoodman]

(Full Changelog)

29 - v0.82.1

Release notes for grype v0.82.1

Release Notes

Version v0.82.1

Bug Fixes

Skip matching on packages with missing version info [#2182 @wagoodman]
correctly identify version of traefik binaries [#2178 #2179 @westonsteimel]
RPM version comparison oddity with release field [#398 #2188 @wagoodman]
purl with epoch should be used even if version is missing epoch [#2170 #2186 @wagoodman]

Additional Changes

bump syft in quality gate to v1.14.0 [#2187 @westonsteimel]

(Full Changelog)

30 - v0.82.0

Release notes for grype v0.82.0

Release Notes

Version v0.82.0

Added Features

performance: only check for a new DB once every 2 hours (configurable) [#2148 @wagoodman]
wordpress-plugin support [#1553 @disc]

Bug Fixes

use fix info from secDB in APK matcher even if NVD fix info present [#2162 @willmurphyscode]

Breaking Changes

Split v1-5 DB distribution concerns to a new legacy package [#2124 #2144 @wagoodman]

Additional Changes

Add a space following the “Name:” label in html.tmpl [#2155 @deftdawg]

(Full Changelog)

31 - v0.81.0

Release notes for grype v0.81.0

Release Notes

Version v0.81.0

Added Features

add distro mapping for azure linux 3 [#1848 @willmurphyscode]
Support for Azure Linux 3.0 [#1829]

(Full Changelog)

32 - v0.80.2

Release notes for grype v0.80.2

Release Notes

Version v0.80.2

Bug Fixes

find secdb entries for origin packages [#1602 @luhring]
Matching java binary packages with NVD records is problematic [#1718 #2114 @wagoodman]
LoadVulnerabilityDB could be faster with ValidateByHashOnGet [#1502 #2054 @lucasrod16]

Additional Changes

update Syft to v1.13.0 [#2140 @anchore-actions-token-generator]
include file specifier in help [#2121 @willmurphyscode]

(Full Changelog)

33 - v0.80.1

Release notes for grype v0.80.1

Release Notes

Version v0.80.1

Bug Fixes

CVE-2024-3154 found with latest version [#1834 #2091 @spiffcs]

Additional Changes

Update Syft to 1.12.2 [#2108]

(Full Changelog)

34 - v0.80.0

Release notes for grype v0.80.0

Release Notes

Version v0.80.0

Added Features

Add info subcommand in order to query grype db vulnerabilities [#1629 #2031 @tomersein]

Bug Fixes

correctly close the db file in v4/v5 stores [#2066 @AndreiStefanie]
Grype panics with a nil pointer dereference error when given an empty string argument [#2063 #2064 @lucasrod16]
Ignoring search results when CPE is not set in the SBOM [#2039 #2040 @aeg]
“No vulnerability database update available” when actually the check for an update was unsuccessful [#310 #1247 @shanedell]
CycloneDX output metadata.properties set to null instead of empty array or omitted [#1759]

Additional Changes

update Syft to v1.11.1 [#2071 @anchore-actions-token-generator]
add grype version to db network operations [#2062 @kzantow]

(Full Changelog)

35 - v0.79.6

Release notes for grype v0.79.6

Release Notes

Version v0.79.6

Bug Fixes

Failed to parse constraint of CVE-2024-6345 which fails the scan [#2048 #2049 @wagoodman]

(Full Changelog)

36 - v0.79.5

Release notes for grype v0.79.5

Release Notes

Version v0.79.5

Bug Fixes

Grype failed to load vulnerability database: database metadata not found [#1885 #2033 @willmurphyscode]

Additional Changes

update to Syft 1.11.0 [#2047 @kzantow]
add grype version to application update check headers [#2021 @kzantow]

(Full Changelog)

37 - v0.79.4

Release notes for grype v0.79.4

Release Notes

Version v0.79.4

Bug Fixes

Disable ui before run function on db status [#2008 @wagoodman]

Additional Changes

update Syft to v1.10.0 [#2019 @anchore-actions-token-generator]

(Full Changelog)

38 - v0.79.3

Release notes for grype v0.79.3

Release Notes

Version v0.79.3

Bug Fixes

correct logic checking cpe target software component against package type [#1658 @westonsteimel]

Additional Changes

update Syft to v1.9.0 [#1986 @anchore-actions-token-generator]

(Full Changelog)

39 - v0.79.2

Release notes for grype v0.79.2

Release Notes

Version v0.79.2

Bug Fixes

use location RealPath not String() for match sorting [#1950 @luhring]

(Full Changelog)

40 - v0.79.1

Release notes for grype v0.79.1

Release Notes

Version v0.79.1

Updates

update CI to install golang at the latest version [#1949 @spiffcs]
Grype is now built with the latest version of Golang at v1.22.x. This resolves a few security findings that would have been flagged against the v0.79.0 binary for using an older version of the Golang standard library.

(Full Changelog)

41 - v0.79.0

Release notes for grype v0.79.0

Release Notes

Version v0.79.0

Added Features

Installation script: Support checksum signature verification [#1627 #1670 @hibare]

Bug Fixes

fix match sort ordering for different locations [#1944 @luhring]
Sort order for matches should consider fix info [#1933 @wagoodman]
Go main module pseudo version matching: turn off by default [#1894 @luhring]
Inconsistent naming of matchDetails.searchedBy.package field [#1877 #1900 @kzantow]

(Full Changelog)

42 - v0.78.0

Release notes for grype v0.78.0

Release Notes

Version v0.78.0

Added Features

add config command [#1876 @kzantow]

Bug Fixes

ask catalog for package, rather than type asserting [#1857 @willmurphyscode]
Disable TUI for simple commands [#1872 @wagoodman]
False Positive: CVE-2023-42282 not affected in SUSE ecosystem [#1813]
False positive GHSA-jr9c-h74f-2v28/CVE-2022-0905 reported for Non-vulnerable Gitea version [#1416]

Additional Changes

Update syft to v1.5.0 [#1897 @wagoodman]

(Full Changelog)

43 - v0.77.4

Release notes for grype v0.77.4

Release Notes

Version v0.77.4

Additional Changes

update Syft to v1.4.1 [#1855 @anchore-actions-token-generator]

(Full Changelog)

44 - v0.77.3

Release notes for grype v0.77.3

Release Notes

Version v0.77.3

Additional Changes

Remove providers’ pull information from DB metadata file [#1846 @asomya]

(Full Changelog)

45 - v0.77.2

Release notes for grype v0.77.2

Release Notes

Version v0.77.2

Bug Fixes

update ignored vulnerability count in tui [#1837 @kzantow]
SARIF output not compatible with GitHub [#1518 #1838 @kzantow]

(Full Changelog)

46 - v0.77.1

Release notes for grype v0.77.1

Release Notes

Version v0.77.1

Additional Changes

update Syft to v1.3.0 [#1832 @anchore-actions-token-generator]

(Full Changelog)

47 - v0.77.0

Release notes for grype v0.77.0

Release Notes

Version v0.77.0

Added Features

add linux and libc-dev headers ignore rules for debian packages [#1809 @zhill]
use Go main module version when possible [#1797 @luhring]

Additional Changes

Add providers’ pull date to DB metadata structure [#1795 @asomya]
config: add config opt in golang pseudo version main module comparison [#1816 @spiffcs]

(Full Changelog)

48 - v0.76.0

Release notes for grype v0.76.0

Release Notes

Version v0.76.0

Added Features

Database download timeouts [#1731 #1777 @willmurphyscode]

Bug Fixes

Disable matching kernel vulnerabilities by default for indirect matches against the ‘kernel-headers’ packages [#1762 #1787 @zhill]

Additional Changes

Update Syft to v1.2.0 [#1803], which fixes https://github.com/anchore/grype/issues/1792

(Full Changelog)

49 - v0.75.0

Release notes for grype v0.75.0

Release Notes

Version v0.75.0

Added Features

update syft source providers [#1727 @kzantow]
enable http timeout [#1777 @willmurphyscode]

Bug Fixes

use “path/filepath” to build file path [#1767 @seiyab]
Suppress warnings when matching go packages with devel version [#1752 @wagoodman]
not showing poco CVEs from syft generated sbom [#1737]

(Full Changelog)

50 - v0.74.7

Release notes for grype v0.74.7

Release Notes

Version v0.74.7

Bug Fixes

return exit codes from install script [#1725 @hacst]
GitHub code scanning alerts missing information [#1715 #1720 @kzantow]

Additional Changes

update Syft to v0.105.1 [#1728]

(Full Changelog)

51 - v0.74.6

Release notes for grype v0.74.6

Release Notes

Version v0.74.6

Bug Fixes

ensure version output to stdout [#1709 @kzantow]
Seeing “WARN some package(s) are missing CPEs” but it’s not clear why [#1634 #1710 @willmurphyscode]

(Full Changelog)

52 - v0.74.5

Release notes for grype v0.74.5

Release Notes

Version v0.74.5

Additional Changes

Bump Syft in Grype to pull in unmarshaling fix [#1703 @willmurphyscode]

(Full Changelog)

53 - v0.74.4

Release notes for grype v0.74.4

Release Notes

Version v0.74.4

Security Fixes

Upgrade syft to v0.103.1 [#1688 @wagoodman]

(Full Changelog)

54 - v0.74.3

Release notes for grype v0.74.3

Release Notes

Version v0.74.3

Bug Fixes

Fix matching when RPM modularity is a factor [#1679 @wagoodman]
VEX documents not taken into account when --fail-on is set [#1639 #1657 @ferozsalam]

Additional Changes

break assumption that syft cpe.CPE is wfn.Attributes [#1675 @willmurphyscode]

(Full Changelog)

55 - v0.74.2

Release notes for grype v0.74.2

Release Notes

Version v0.74.2

Additional Changes

update Syft to v0.101.1 [#1669 @anchore-actions-token-generator]

(Full Changelog)

56 - v0.74.1

Release notes for grype v0.74.1

Release Notes

Version v0.74.1

Security Fixes

bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#1651 @dependabot]

Additional Changes

fix logging configuration in tests [#1655 @plavy]
Update Syft to 0.101.0 [#1663]

(Full Changelog)

57 - v0.74.0

Release notes for grype v0.74.0

Release Notes

Version v0.74.0

Added Features

Vulnerabilities marked as fixed in distro packages should be reported as fixed for all contained packages too [#1236 #1603 @luhring]

Bug Fixes

Parameter quiet is ignored in configuration file [#1645 #1646 @plavy]
401 unauthorized pulling from public registry [#1637]

Additional Changes

Update Syft to 0.100.0 [#1649]

(Full Changelog)

58 - v0.73.5

Release notes for grype v0.73.5

Release Notes

Version v0.73.5

Additional Changes

Update Syft to v0.99.0 [#1633 @dependabot]

(Full Changelog)

59 - v0.73.4

Release notes for grype v0.73.4

Release Notes

Version v0.73.4

Additional Changes

bump to syft v0.98.0 in quality gate tests [#1623 @westonsteimel]
update syft to v0.98.0; go mod tidy [#1621 @spiffcs]

(Full Changelog)

60 - v0.73.3

Release notes for grype v0.73.3

Release Notes

Version v0.73.3

Additional Changes

update Syft to v0.97.1 [#1610 @anchore-actions-token-generator]

(Full Changelog)

61 - v0.73.2

Release notes for grype v0.73.2

Release Notes

Version v0.73.2

Bug Fixes

Vulnerabilities in go packages without go modules are not detected [#1581 #1599 @willmurphyscode]

(Full Changelog)

62 - v0.73.1

Release notes for grype v0.73.1

Release Notes

Version v0.73.1

Bug Fixes

CycloneDX based analysis failing [#1594 #1596 @anchore-actions-token-generator]
False negatives when scanning debian trixie/sid images from Dockerhub [#1446 #1593 @willmurphyscode]

Additional Changes

avoid allocations with (*regexp.Regexp).MatchString [#1592 @Juneezee]

(Full Changelog)

63 - v0.73.0

Release notes for grype v0.73.0

Release Notes

Version v0.73.0

Added Features

Add a reason field to ignore config [#1337 #1532 @shanduur]
Colorize severity in table output [#225 #1284 @shanedell]

Bug Fixes

Enable setting golang CPE config using env var [#1585 @willmurphyscode]
Incorrect version comparisons for maven packages [#1526 #1571 @spiffcs]
Grype fails to detect postgresql jdbc driver CVEs when scanning .jar [#1482]

Additional Changes

Incorporate format API changes from syft [#1582 @wagoodman]

(Full Changelog)

64 - v0.72.0

Release notes for grype v0.72.0

Release Notes

Version v0.72.0

Added Features

Add –ignore-states flag for ignoring findings with specific fix states [#1473 @jhebden-gl]
Implement checksum & artifact signing [#1513 #1535 @hibare]

Bug Fixes

Report errors to stderr not stdout [#1561 @wagoodman]
grype v0.71.0 stopped showing vulnerabilities for Go stdlib [#1562 #1565 @wagoodman]
SARIF output not compatible with GitHub [#1518 #1563 @spiffcs]

(Full Changelog)

65 - v0.71.0

Release notes for grype v0.71.0

Release Notes

Version v0.71.0

Added Features

use ghsa to improve matching for cpes [#811 #1412 @westonsteimel]

(Full Changelog)

66 - v0.70.0

Release notes for grype v0.70.0

Release Notes

Version v0.70.0

Added Features

Update Syft to v0.93.0 + enable golang stdlib matching [#1550 @spiffcs ]

Bug Fixes

JSON output: descriptor name is missing “grype” value [#1538 #1542 @kzantow]

(Full Changelog)

67 - v0.69.1

Release notes for grype v0.69.1

Release Notes

Version v0.69.1

Bug Fixes

Incorrect python version comparisons for rc releases [#986 #1510 @willmurphyscode]
False Positive: CVE-2023-37920 reported for certifi library in python [#1417 #1510 @willmurphyscode]
Grype is not recognizing python-certifi is patched for GHSA-43fp-rhv2-5gv8 [#1172 #1510 @willmurphyscode]
False positive on certifi 2022.12.07 [#1034 #1510 @willmurphyscode]
Leading zeros seen as difference in version numbers [#1430 #1510 @willmurphyscode]

Additional Changes

add OpenSSF Best Practices badge [#1523 @spiffcs]
Bump vulnerability match labels [#1525 @wagoodman]
bump stereoscope to fix data race in UI [#1517 @willmurphyscode]

(Full Changelog)

68 - v0.69.0

Release notes for grype v0.69.0

Release Notes

Version v0.69.0

Added Features

Upgrade syft to v0.91.0 (and CycloneDX to v1.5) [#1508 @wagoodman]

Bug Fixes

Grype doesn’t exit cleanly on error [#1492 #1505 @kzantow]

Additional Changes

Fix typo in flag on Readme [#1501 @robszumski]
pin cache versions [#1495 @spiffcs]

(Full Changelog)

69 - v0.68.1

Release notes for grype v0.68.1

Release Notes

Version v0.68.1

v0.68.1 (2023-09-15)

Full Changelog

Bug Fixes

Version output was not including supported db schema [PR #1494] [kzantow]

70 - v0.68.0

Release notes for grype v0.68.0

Release Notes

Version v0.68.0

v0.68.0 (2023-09-14)

Full Changelog

Added Features

Ignore/add match results based on OpenVEX documents [PR #1397] [puerco]
Introduce exit code failure option for db update check [PR #1463] [devfbe]

Bug Fixes

Fix race conditions around stager, enable detector [PR #1489] [willmurphyscode]
Grype hangs forever if gets interrupted during work (in rare cases) [Issue #1427] [PR #1437] [kzantow]

71 - v0.67.0

Release notes for grype v0.67.0

Release Notes

Version v0.67.0

v0.67.0 (2023-09-11)

Full Changelog

Additional Changes

chore: bump quality gate to use syft v0.89.0 [PR #1479] [westonsteimel]
chore: update grype to use Go v1.21 [PR #1480] [spiffcs]

72 - v0.66.0

Release notes for grype v0.66.0

Release Notes

Version v0.66.0

v0.66.0 (2023-08-31)

Full Changelog

Added Features

Allow for access to private CAs securely [Issue #1226] [PR #1232] [5p2O5pe25ouT]
Filter out packages that are owned by OS packages (ownership overlap) [Issue #1373] [PR #1387] [willmurphyscode]

Bug Fixes

fix: Only remove packages by binary overlap [PR #1444] [willmurphyscode]
New version notice only showing the version and no text [PR #1445] [wagoodman]
fix: set correct default to exclude overlapping binaries [PR #1452] [kzantow]
Portage version comparison is not working [Issue #1459] [PR #1468] [barnuri]

Additional Changes

Update Syft to 0.89.0

73 - v0.65.2

Release notes for grype v0.65.2

Release Notes

Version v0.65.2

v0.65.2 (2023-08-17)

Full Changelog

Additional Changes

Update Syft to v0.87.1
Add a simple JUnit XML template [PR #1422] [YevheniiPokhvalii]
Update semver regular expression constraint to allow for 1.20rc1 cases no ‘-’ [PR #1434] [spiffcs]

74 - v0.65.1

Release notes for grype v0.65.1

Release Notes

Version v0.65.1

v0.65.1 (2023-08-04)

Full Changelog

Bug Fixes

Grype cannot read SPDX documents generated by SPDX-maven-plugin [Issue #1306]

75 - v0.65.0

Release notes for grype v0.65.0

Release Notes

Version v0.65.0

v0.65.0 (2023-07-31)

Full Changelog

Added Features

feat: implement secondary sorting for default json output [PR #1403] [spiffcs]
Consistent sort order for grype output [Issue #709] [PR #1400] [spiffcs]

Bug Fixes

Grype reading SPDX file with json output gets UnknownScheme error [Issue #948]
grype 0.64.0 doesn’t list vulnerabilties if --fail-on fails [Issue #1392] [PR #1395] [willmurphyscode]

Additional Changes

chore: bump quality gate label dataset [PR #1404] [westonsteimel]

76 - v0.64.2

Release notes for grype v0.64.2

Release Notes

Version v0.64.2

v0.64.2 (2023-07-20)

Full Changelog

Bug Fixes

grype 0.64.0 doesn’t list vulnerabilties if --fail-on fails [Issue #1392] [PR #1395] [willmurphyscode]

77 - v0.64.1

Release notes for grype v0.64.1

Release Notes

Version v0.64.1

v0.64.1 (2023-07-17)

Full Changelog

Bug Fixes

stop truncating template files Issue #1388 PR #1391 willmurphyscode

Additional Changes

Port UI to bubbletea [PR #1385] [wagoodman]

78 - v0.64.0

Release notes for grype v0.64.0

Release Notes

Version v0.64.0

v0.64.0 (2023-07-13)

Full Changelog

Added Features

You can now list multiple output formats and files to write to disk with one command, like Syft: “-o format1=file1 -o format1=file2” [Issue #648] [PR #1346] [olivierboudet]

Bug Fixes

Correctly detect format of CycloneDX XML SBOM with no components [Issue #1005]
Fix vulnerability summary counts to be less confusing. [Issue #1360]

Additional Changes

Port to new Syft source API [PR #1376] [wagoodman]
Include Syft 0.85.0

79 - v0.63.1

Release notes for grype v0.63.1

Release Notes

Version v0.63.1

v0.63.1 (2023-06-30)

Full Changelog

Bug Fixes

Add more log4j-adjacent package ignore rules [PR #1358] [luhring]
The summary by severity is confusing [Issue #1312] [PR #1359] [kzantow]

80 - v0.63.0

Release notes for grype v0.63.0

Release Notes

Version v0.63.0

v0.63.0 (2023-06-21)

Full Changelog

Added Features

Always include the specific package name and version used in the vulnerability search in the matchDetails section of the output [PR #1339] [westonsteimel]
Expose Go template file that produces the table report [Issue #629] [PR #1343] [jneate]
Add a folder for community Go templates (see templates/README.md for more details) [Issue #1316]

Breaking Changes

update Syft to v0.84.0: stereoscope platform fix and artifact ID padding [PR #1354] [anchore-actions-token-generator]

81 - v0.62.3

Release notes for grype v0.62.3

Release Notes

Version v0.62.3

v0.62.3 (2023-06-05)

Full Changelog

Bug Fixes

Suppressed vulnerabilties are now correctly hidden, unless the –show-suppressed option is provided. [Issue #1053] [Issue #1278] [PR #1322] [jamestran201]

82 - v0.62.2

Release notes for grype v0.62.2

Release Notes

Version v0.62.2

v0.62.2 (2023-05-26)

Full Changelog

83 - v0.62.1

Release notes for grype v0.62.1

Release Notes

Version v0.62.1

v0.62.1 (2023-05-24)

Full Changelog

Bug Fixes

Updated syft to v0.82.0 to address license parsing logic that may result in a panic [PR #1313]

84 - v0.62.0

Release notes for grype v0.62.0

Release Notes

Version v0.62.0

v0.62.0 (2023-05-22)

Full Changelog

Added Features

Add package qualifier for platform CPE [PR #1291] [westonsteimel]
Include timestamp and image name in reports [Issue #1170] [PR #1249] [jneate]
Document command line flag for config file location [Issue #1271] [PR #1274] [jneate]
Add support for Mariner distribution [Issue #1220]
Add support for Syft IDs in JSON output [PR #1266] [luhring]

Bug Fixes

False positive with pkg:rpm PURLs [Issue #1031] [PR #1237] [Shanedell]
Specifying “extras” in pip / requirements.txt results in false negative [Issue #1246]
CycloneDX dependencies relationships inverted [Issue #1294]

Additional Changes

docs: add “cyclonedx-json” to output formats [PR #1252] [HNKNTA]
chore: update quality gate labels and add keycloak [PR #1255] [westonsteimel]
Install skopeo during bootstrap [PR #1260] [willmurphyscode]
Replace deprecated io/ioutil calls [PR #1296] [testwill]
Fix reading syft json from stdin by redirect [PR #1299] [devfbe]
Add gitignore for default build target [PR #1305] [testwill]

85 - v0.61.1

Release notes for grype v0.61.1

Release Notes

Version v0.61.1

v0.61.1 (2023-04-21)

Full Changelog

Bug Fixes

:grey_question: Parsing dpkg status: extracting key-value from line: usr/lib/os-release err: cannot parse field [Issue #1195]
Grype suggesting to upgrade to a version already used. [Issue #1209]

Additional Changes

feat: add timestamp to json output (#1170) [PR #1249] [jneate]

86 - v0.61.0

Release notes for grype v0.61.0

Release Notes

Version v0.61.0

v0.61.0 (2023-04-04)

Full Changelog

Added Features

feat: Add config option to prefer registry over local Docker when scanning an image [Issue #1204] [PR #1215] [spiffcs]

Additional Changes

chore: update quality gate dataset [PR #1206] [westonsteimel]
chore: update deprecated set-output calls [PR #1210] [kzantow]
chore: update syft [PR #1211] [kzantow]

87 - v0.60.0

Release notes for grype v0.60.0

Release Notes

Version v0.60.0

v0.60.0 (2023-03-28)

Full Changelog

Added Features

feat: disable CPE-based matching by default for javascript [PR #1180] [westonsteimel]

Additional Changes

Improve –by-cve report performance [Issue #1185] [PR #1188] [westonsteimel]

88 - v0.59.1

Release notes for grype v0.59.1

Release Notes

Version v0.59.1

v0.59.1 (2023-03-09)

Full Changelog

Bug Fixes

fix: correct APK CPE version comparison logic [PR #1165] [westonsteimel]

89 - v0.59.0

Release notes for grype v0.59.0

Release Notes

Version v0.59.0

v0.59.0 (2023-03-03)

Full Changelog

Added Features

Add the total types of vulnerabilities in Grype output [Issue #877] [PR #946] [zhiburt]

Additional Changes

chore: bump quality gate labels and syft version [PR #1156] [westonsteimel]

90 - v0.58.0

Release notes for grype v0.58.0

Release Notes

Version v0.58.0

v0.58.0 (2023-03-02)

Full Changelog

Security Fixes

chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 [PR #1134] [dependabot]

Added Features

add grype image to ArtifactHub [Issue #613] [PR #639] [developer-guy]

Bug Fixes

Grype with version v.0.55 take 3 hour to scan the image [Issue #1063]
Unable to install Grype [Issue #1102]

Additional Changes

chore: update progress monitor handling [PR #1149] [kzantow]
distro: Disable support for Arch Linux [PR #1152] [Foxboron]

91 - v0.57.1

Release notes for grype v0.57.1

Release Notes

Version v0.57.1

v0.57.1 (2023-02-16)

Full Changelog

92 - v0.57.0

Release notes for grype v0.57.0

Release Notes

Version v0.57.0

Updates

Update to latest syft for faster indexing and SBOM generation when consuming source and not using the SBOM as an input

Full Changelog

Bug Fixes

regression: Grype 0.54.0 does not find vulnerabilities in Nodejs runtime itself anymore [Issue #1043]

Additional Changes

bump yardstick to 2d30ea7429d0a59020e0176bba1b3b6b8b01b08a [PR #1095] [wagoodman]
chore: prune cosign dependency for grype builds [PR #1100] [spiffcs]
chore: bump yardstick for better quality gate filtering [PR #1101] [westonsteimel]
chore: add new images to quality gate [PR #1106] [westonsteimel]
fix: exclude OS packages from CPE target filtering [PR #1130] [westonsteimel]
fix: ignore some false-positives for ruby gems [PR #1132] [westonsteimel]

93 - v0.56.0

Release notes for grype v0.56.0

Release Notes

Version v0.56.0

v0.56.0 (2023-01-26)

Full Changelog

Added Features

Allow db diff to specify local files [Issue #1059] [PR #1058] [kzantow]

Bug Fixes

False positive CVE-2015-5237 for protobuf-go [Issue #558] [PR #1062] [luhring]
Missing severities in embedded-cyclonedx-vex-json format since v0.55.0 [Issue #1066] [PR #1067] [kzantow]

94 - v0.55.0

Release notes for grype v0.55.0

Release Notes

Version v0.55.0

v0.55.0 (2023-01-04)

Full Changelog

Added Features

add documentation about air gap installation support [Issue #509]
Include Syft’s cyclonedx component properties in Grype output [Issue #951]

Bug Fixes

OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype , syft is working however [Issue #796]
Failure scanning images with arch variant (e.g. arm/v7) [Issue #831]
Unnecessarily escaped output in CycloneDX [Issue #959]
SBOM cataloger and ownership-by-file-overlap relationships for packages [Issue #1044]

95 - v0.54.0

Release notes for grype v0.54.0

Release Notes

Version v0.54.0

v0.54.0 (2022-12-13)

Full Changelog

Added Features

reporting the relevant CVE number when GHSA is reported [Issue #204]
Add official support for ppc64le [Issue #404]

Bug Fixes

False positive: redis vuln associated to somewhat unrelated python dependency [Issue #491]
False flagging [Issue #800]
grype db update error [Issue #846]
Grype debug image no longer contains busybox [Issue #1010]

96 - v0.53.1

Release notes for grype v0.53.1

Release Notes

Version v0.53.1

v0.53.1 (2022-11-21)

Full Changelog

97 - v0.53.0

Release notes for grype v0.53.0

Release Notes

Version v0.53.0

v0.53.0 (2022-11-18)

Full Changelog

Added Features

Enable the Scorecard Github Action and badge [Issue #926]
Update Grype to use use syft v0.62.0

98 - v0.52.0

Release notes for grype v0.52.0

Release Notes

Version v0.52.0

v0.52.0 (2022-11-03)

Full Changelog

Added Features

Show all vulnerabilities, even suppressed [Issue #887]
Ubuntu: Add as a Vulnerability Specification Source [Issue #958]

Bug Fixes

Grype inconsistence output squashed and all-layers representation [Issue #894]
Grype doesn’t find CVE-2022-3358 [Issue #954]
Not applying Alpine secdb data correctly for “edge” [Issue #964]
Incorrect artifact entry in json report for grype v0.51.0 [Issue #967]

99 - v0.51.0

Release notes for grype v0.51.0

Release Notes

Version v0.51.0

v0.51.0 (2022-10-17)

Full Changelog

Features

Upgrade to a new vulnerability database schema v5 [PR #944]

Bug Fixes

Grype is not reporting CVE-2018-1270 [Issue #237]
Grype does not recognize Debian fix for CVE-2022-37434 [Issue #900]
grype cannot be used, because modify syft CycloneDX format json result file. [Issue #953]

100 - v0.50.2

Release notes for grype v0.50.2

Release Notes

Version v0.50.2

(Unreleased) (2022-09-20)

Full Changelog

Added Features

Add distro information into the CPE generation process [Issue #141]
allow development installations via install.sh [Issue #253]

101 - v0.50.1

Release notes for grype v0.50.1

Release Notes

Version v0.50.1

Full Changelog

Bug Fix

Pin syft version to latest release to resolve pseudo version conflict

102 - v0.50.0

Release notes for grype v0.50.0

Release Notes

Version v0.50.0

Full Changelog

Added Features

0.49.0 docker image does not support arm64 [Issue #916]
review rpm packages [[Issue #570](https://github.com/anchore/grype/issues/570

103 - v0.49.0

Release notes for grype v0.49.0

Release Notes

Version v0.49.0

(Unreleased) (2022-09-01)

Full Changelog

Added Features

add basic instructions for compiling binaries to install readme [Issue #581]
How can grype scan manually installed dependencies? [Issue #651]
Flag to disable db check and update [Issue #878]

Bug Fixes

Java CVEs not detected from sparse CycloneDX SBOM [Issue #723]
Add support to bci images [Issue #740]
failed to catalog: could not fetch image (only on v0.47.0) [Issue #882]

104 - v0.48.0

Release notes for grype v0.48.0

Release Notes

Version v0.48.0

v0.48.0 (2022-08-24)

Full Changelog

Added Features

enhancement: add support for s390x arch [Issue #719]
More accurate “no OS distribution” messaging [Issue #748]

Fixed Bugs

disable CPE match filtering based on target software component for java packages [PR #889]

105 - v0.47.0

Release notes for grype v0.47.0

Release Notes

Version v0.47.0

v0.47.0 (2022-08-17)

Full Changelog

Security

Grype v0.46.0 reports a Critical vulnerability CVE-2022-35929 on itself [Issue #880]

Bug Fixes

GRYPE_DB_AUTO_UPDATE=false no longer works [Issue #870]

106 - v0.46.0

Release notes for grype v0.46.0

Release Notes

Version v0.46.0

v0.46.0 (2022-08-04)

Full Changelog

Added Features

ux: db: update: append more information about the next update [Issue #754]
update syft to use latest version [v0.53.4]

107 - v0.45.0

Release notes for grype v0.45.0

Release Notes

Version v0.45.0

v0.45.0 (2022-08-03)

Full Changelog

Added Features

Accept simple package list as input [Issue #516]
Request vulnerability data by a single cpe string [Issue #757]

Bug Fixes

grype db diff default case inverted [Issue #844]
Grype slow on parallel execution [Issue #855]
Concurrent gyrpe runs result in SQLITE_BUSY error [Issue #859]

108 - v0.44.0

Release notes for grype v0.44.0

Release Notes

Version v0.44.0

v0.44.0 (2022-07-25)

Full Changelog

Added Features

Filter CPE matches by target SW to reduce FPs [Issue #390]
Support ARM32 (linux/armv7) architecture [Issue #595]

109 - v0.43.0

Release notes for grype v0.43.0

Release Notes

Version v0.43.0

v0.43.0 (2022-07-18)

Full Changelog

Added Features

Remove matching for main go module matcher [PR #829]
Add –only-notfixed to complete the existing and useful –only-fixed [Issue #824]

Bug Fixes

Cannot concurrently access sqlite DB within a single process [Issue #155]
False positive of CVE-2020-16250 and CVE-2020-16251 [Issue #712]

110 - v0.42.0

Release notes for grype v0.42.0

Release Notes

Version v0.42.0

v0.42.0 (2022-07-11)

Full Changelog

Added Features

Templates for grype output. HTML template [Issue #724]
grype db diff command [Issue #764]

Bug Fixes

panic: runtime error: index out of range [0] with length 0 [Issue #821]

111 - v0.41.0

Release notes for grype v0.41.0

Release Notes

Version v0.41.0

v0.41.0 (2022-07-06)

Full Changelog

Features

Upgrade to a new vulnerability database schema v4 [PR #803]

Bug Fixes

Grype Busy Box Vulnerabilities resolved [Issue #510]
Vulnerabilities now reported under php (composer) [Issue #797]
Grype outputs listed properly [Issue #801]
Grype db update command now shows spinner [Issue #805]

112 - v0.40.1

Release notes for grype v0.40.1

Release Notes

Version v0.40.1

v0.40.1 (2022-06-24)

Full Changelog

Features

update syft to v0.49.0 release

Bug Fixes

grype fixed version cyclonedxjson [Issue #762]
Include php in Grype supported languages [Issue #792]

113 - v0.40.0

Release notes for grype v0.40.0

Release Notes

Version v0.40.0

v0.40.0 (2022-06-17)

Full Changelog

Added Features

Be clear about version and data staleness [Issue #240]
Add a dockerized workflow for local dev [Issue #782]
Update grype documentation to include golang [Issue #787]

Bug Fixes

“Matcher failed to parse version” when scanning a Ruby project using bundler 2.2.0 or newer [Issue #767]
GHSA-x24g-9w7v-vprh included in grype 0.38.0 [Issue #779]
Template pipelines don’t seem to work in 0.39.0 [Issue #784]

114 - v0.39.0

Release notes for grype v0.39.0

Release Notes

Version v0.39.0

v0.39.0 (2022-06-09)

Full Changelog

Features

Support newer versions of ‘rpm’ that use Sqlite for the db instead of BerkeleyDB [Issue #469]

Bug Fixes

Template errors don’t lead to non-zero exit status [Issue #623]
Issues with Grype’s handling of template output for invalid templates [Issue #625]
Grype reports some critical Vault CVE on itself [Issue #676]

115 - v0.38.0

Release notes for grype v0.38.0

Release Notes

Version v0.38.0

v0.38.0 (2022-05-23)

Full Changelog

Added Features

Dotnet-Support [Issue #736]

116 - v0.37.0

Release notes for grype v0.37.0

Release Notes

Version v0.37.0

v0.37.0 (2022-05-13)

Full Changelog

Added Features

Add Dotnet support [PR #747] [ckotzbauer]

Security Fixes

Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 [PR #742] [dependabot]

Bug Fixes

Unable to determine the OS distribution (Ubuntu 20.04.4 LTS) [Issue #684]

117 - v0.36.1

Release notes for grype v0.36.1

Release Notes

Version v0.36.1

v0.36.1 (2022-05-03)

Update grype to use syft v0.45.1 and reduce info level logging overload

Full Changelog

118 - v0.36.0

Release notes for grype v0.36.0

Release Notes

Version v0.36.0

v0.36.0 (2022-04-29)

Full Changelog

Added Features

Add support for cyclonedx 1.4 and VEX [Issue #591]
Read attestation file, validate attestation, produce vulnerability report [Issue #644]

Bug Fixes

Panic while running scan on directory [Issue #715]

119 - v0.35.0

Release notes for grype v0.35.0

Release Notes

Version v0.35.0

v0.35.0 (2022-04-13)

Full Changelog

Added Features

Indicate location of vulnerability [Issue #561]
Optional External Data Source Reference for Maven Packages [Issue #711]

Bug Fixes

False positive (critical) on GHSA-8v27-2fg9-7h62 [Issue #632]
False Positive on CVE-2020-36518 [Issue #692]
Matches should be sorted by package name for template output [Issue #696]
panic: runtime error: invalid memory address or nil pointer dereference [Issue #702]

120 - v0.34.7

Release notes for grype v0.34.7

Release Notes

Version v0.34.7

v0.34.7 (2022-03-24)

Full Changelog

Bug Fixes

Bump strset version to fix 386 builds [PR #689] [wagoodman]
Grype cannot handle empty SBOMs, results in SIGSEGV [Issue #693] [luhring]

121 - v0.34.6

Release notes for grype v0.34.6

Release Notes

Version v0.34.6

v0.34.5 (2022-03-23)

Full Changelog

Bug Fixes

Improve SARIF path handling and severity [PR #686] [kzantow]

122 - v0.34.4

Release notes for grype v0.34.4

Release Notes

Version v0.34.4

v0.34.4 (2022-03-21)

Full Changelog

Bug Fixes

Correct issue with SARIF dir scan relative paths [Issue #682] [kzantow]
Update Syft lib to 0.42.1 [Issue #683]
- Fix CycloneDX license decoding [PR #898] [kzantow]
- Fix image cleanup when there is an error [PR #905] [wagoodman]
- Omit H1Digest when empty [PR #902] [jonasagx]

123 - v0.34.3

Release notes for grype v0.34.3

Release Notes

Version v0.34.3

v0.34.3 (2022-03-16)

Full Changelog

Bug Fixes

Panic: runtime error - when utilizing the vulnerability scanner on an cyclonedx sbom file input [Issue #669] [kzantow]

124 - v0.34.1

Release notes for grype v0.34.1

Release Notes

Version v0.34.1

v0.34.1 (2022-03-15)

Full Changelog

Added Features

Add platform selection [PR #666] [wagoodman]
Add SARIF report output [Issue #304] [kzantow]
Support CycloneDX as SBOM input to grype [Issue #481] [kzantow]

Bug Fixes

Issue in Installation. err: anchore/grype err hash_sha256_verify unable to find checksum [Issue #577] [spiffcs]

125 - v0.33.1

Release notes for grype v0.33.1

Release Notes

Version v0.33.1

v0.33.1 (2022-02-27)

Full Changelog

Bug Fixes

Restore behavior of JSON distro block [PR #643] [wagoodman]

126 - v0.33.0

Release notes for grype v0.33.0

Release Notes

Version v0.33.0

v0.33.0 (2022-02-15)

Full Changelog

Added Features

Add ability to merge matches [PR #602] [wagoodman]
Allow for ingestion of SPDX SBOM documents as input [Issue #395]

Bug Fixes

Grype stuck on some images [Issue #549]

127 - v0.32.0

Release notes for grype v0.32.0

Release Notes

Version v0.32.0

v0.32.0 (2022-01-20)

Full Changelog

Features

Upgrade Grype to latest version of syft. See full release for details.

Bug Fixes

Error scanning SBOM from file: unsupported package metadata type: file [Issue #592]

Docker images

docker pull anchore/grype:v0.32.0

128 - v0.31.1

Release notes for grype v0.31.1

Release Notes

Version v0.31.1

v0.31.1 (2022-01-11)

Full Changelog

Added Features

Update Containerd dependency to fix GHSA-mvff-h3cj-wj9c

Bug Fixes

Grype installation contains vulnerability GHSA-mvff-h3cj-wj9c [Issue #583]

Docker images

docker pull anchore/grype:v0.31.1

129 - v0.30.0

Release notes for grype v0.30.0

Release Notes

Version v0.30.0

v0.30.0 (2022-01-09)

Full Changelog

Added Features

Add search configuration [PR #579] [wagoodman]

Docker images

docker pull anchore/grype:v0.30.0

130 - v0.29.0

Release notes for grype v0.29.0

Release Notes

Version v0.29.0

v0.29.0 (2022-01-07)

Full Changelog

Added Features

update syft to version v0.35.0

Bug Fixes

ability to go install “github.com/anchore/grype” [Issue #568]

Docker images

docker pull anchore/grype:v0.29.0

131 - v0.28.0

Release notes for grype v0.28.0

Release Notes

Version v0.28.0

v0.28.0 (2021-12-22)

Full Changelog

Added Features

Path filtering for file system scanning [Issue #389]
Grype verbose log version [Issue #555]

Bug Fixes

Java packages sometimes missing version information [Issue #504]
False positives cases for CVE-2021-44228 [Issue #552]
Error when scanning a single file (e.g. zip, war, etc.) and using JSON output format [Issue #554]
MacOS install fails using GNU coreutils version of cp [Issue #560]

Docker images

docker pull anchore/grype:v0.28.0

132 - v0.27.3

Release notes for grype v0.27.3

Release Notes

Version v0.27.3

v0.27.3 (2021-12-16)

Full Changelog

Bug Fixes

Panic when a package has been added to a catalog multiple times [Issue #548]

Docker images

docker pull anchore/grype:v0.27.3

133 - v0.27.2

Release notes for grype v0.27.2

Release Notes

Version v0.27.2

v0.27.2 (2021-12-14)

Full Changelog

Bug Fixes

Index out of range while scanning Java webapps [Issue #538]

Docker images

docker pull anchore/grype:v0.27.2

134 - v0.27.1

Release notes for grype v0.27.1

Release Notes

Version v0.27.1

v0.27.1 (2021-12-14)

Full Changelog

Bug Fixes

panic: runtime error: invalid memory address or nil pointer dereference (deb package parsing) [Issue #523]
panic: runtime error: invalid memory address or nil pointer dereference (go binary parsing) [Issue #526]

Docker images

docker pull anchore/grype:v0.27.1

135 - v0.27.0

Release notes for grype v0.27.0

Release Notes

Version v0.27.0

v0.27.0 (2021-12-08)

Full Changelog

Added Features

Adding AlmaLinux OS Support [PR #514] [srbala]

Docker images

docker pull anchore/grype:v0.27.0

136 - v0.26.1

Release notes for grype v0.26.1

Release Notes

Version v0.26.1

v0.26.1 (2021-12-03)

Full Changelog

Added Features

Add db list command [PR #506] [wagoodman]
Custom CA support for db.update-url [Issue #493]

Docker images

docker pull anchore/grype:v0.26.1

137 - v0.25.1

Release notes for grype v0.25.1

Release Notes

Version v0.25.1

Full Changelog

Update grype to use the latest grype-db so correct namespace for rocky linux distributions is used in vulnerability matching [PR #501]

Docker images

docker pull anchore/grype:0.25.1

138 - v0.25.0

Release notes for grype v0.25.0

Release Notes

Version v0.25.0

Full Changelog

Added Features

Use existing registry authentication such as Docker config [Issue #478]
Add Rocky Linux Support[PR #500]

Docker images

docker pull anchore/grype:0.25.0

139 - v0.24.1

Release notes for grype v0.24.1

Release Notes

Version v0.24.1

v0.24.1 (2021-11-05)

Full Changelog

Bug Fixes

Unable to invoke grype as an external process since 0.8.0 [Issue #267]
Homebrew - Tapping fails: Formulae require at least a URL on Apple M1 [Issue #401]

Docker images

docker pull anchore/grype:0.24.1

140 - v0.24.0

Release notes for grype v0.24.0

Release Notes

Version v0.24.0

v0.24.0 (2021-10-25)

Full Changelog

Added Features

Filter vulnerabilities without fixes [Issue #175]
Add a release for linux/arm64 [Issue #362]
Add windows support [Issue #447]

Bug Fixes

Cannot handle Syft SBOM for directory scans [Issue #298]
False positive for package version appended with a release number (e.g. 1.5.1-r1) [Issue #427]
Image parsing hang if finds a directory with name ending in space [Issue #460]
Scan against container generating error and usage prompt on finding vulnerability [Issue #461]

Docker images

docker pull anchore/grype:v0.24.0-amd64
docker pull anchore/grype:v0-amd64
docker pull anchore/grype:v0.24-amd64
docker pull anchore/grype:v0.24.0-arm64v8
docker pull anchore/grype:v0-arm64v8
docker pull anchore/grype:v0.24-arm64v8

141 - v0.23.0

Release notes for grype v0.23.0

Release Notes

Version v0.23.0

v0.23.0 (2021-10-06)

Full Changelog

Implemented enhancements:

add an option to output the report into a file rather than redirecting the output #207

Fixed bugs:

Cannot handle Syft SBOM for directory scans #298

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:v0.23.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.23

142 - v0.22.0

Release notes for grype v0.22.0

Release Notes

Version v0.22.0

v0.22.0 (2021-09-30)

Full Changelog

Implemented enhancements:

Ability to ignore vulnerability matches (to help manage false positives) #198

Fixed bugs:

False positives for perl-* packages in centos:8 images #437

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.22.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.22

143 - v0.21.0

Release notes for grype v0.21.0

Release Notes

Version v0.21.0

v0.21.0 (2021-09-28)

Full Changelog

Implemented enhancements:

Add data-driven language matching #434 (wagoodman)
Add default matcher (language + CPE matching) #432 (wagoodman)

Fixed bugs:

Grype raise error: “failed to catalog: failed to parse CPE” #417

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.21.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.21

144 - v0.20.0

Release notes for grype v0.20.0

Release Notes

Version v0.20.0

v0.20.0 (2021-09-23)

Full Changelog

Implemented enhancements:

Allow CPE parsing failures #425 (luhring)
Add syft version to version command output #420 (spiffcs)

Fixed bugs:

False positive on Centos/Rhel openjdk package #419
Java group ID not found resulting in missed results #378
False positive on sentry and other libs #280
update log file permissions to 0644 #422 (spiffcs)
Update KB constraint to not satisfy if raw constraint is empty. #421 (Vijay-P)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.20.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.20

145 - v0.19.0

Release notes for grype v0.19.0

Release Notes

Version v0.19.0

v0.19.0 (2021-09-14)

Full Changelog

Implemented enhancements:

Update grype-db dependency, add some SLES tests #413 (dspalmer99)

Fixed bugs:

False positive core.jar (CVE-2020-15235, CVE-2020-15505, CVE-2020-15506, CVE-2020-15507) #342
False positives for javax.mail #341
False positives in Python package “redis” confused with Redis server #307
False positive - Python Libraries mistaken for other Software #212

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.19.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.19

146 - v0.18.0

Release notes for grype v0.18.0

Release Notes

Version v0.18.0

v0.18.0 (2021-09-13)

Full Changelog

Implemented enhancements:

bump syft to the newest 0.23.0 version #414 (spiffcs)

Fixed bugs:

Alpine matching should include source indirection matching #343
Ensure that virtual path is reported for java archives. #393 (dakaneye)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.18.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.18

147 - v0.17.0

Release notes for grype v0.17.0

Release Notes

Version v0.17.0

v0.17.0 (2021-08-25)

Full Changelog

Implemented enhancements:

(via Syft) Added parser for Pipfile.lock to cataloger anchore/syft#242

Fixed bugs:

Reporting vulnerabilities for NPM dependencies from lock files that should be excluded #385
False positive perl-Pod-Escapes vulns, RHEL7 #376
RPM matcher not always properly detecting package name from source RPM #374

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.17.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.17

148 - v0.16.0

Release notes for grype v0.16.0

Release Notes

Version v0.16.0

v0.16.0 (2021-08-18)

Full Changelog

Implemented enhancements:

Grype is not consistent when scaning dir on disk #338
Add option for accessing registries without HTTPS #334
Incorporate CPE generation enhancements #375 (wagoodman)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.16.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.16

149 - v0.15.0

Release notes for grype v0.15.0

Release Notes

Version v0.15.0

v0.15.0 (2021-07-14)

Full Changelog

Implemented enhancements:

Add NVD CVSS scores to grype json output for matches on the vendor record #314
Vendor metadata for vulnerability fixes is missing #276

Fixed bugs:

cyclonedx reports a score of 0 if CVE has no CVSS #366
cyclonedx doesn’t report severity if feed has no CVSS #364
Pipelines allow unclean go.sum files that block our release pipeline #358
Panic during directory scan #353
CycloneDX Document struct returns empty Components list when parsing CycloneDX XML output #345
Add vendor-provided CVSS scores to vulnerability match records where available #287
There should always be links associated with a vulnerability #189
Show no value in table output for unknown fixes #350 (luhring)
Fix RPM epoch comparison logic #331 (wagoodman)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.15.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.15

150 - v0.13.0

Release notes for grype v0.13.0

Release Notes

Version v0.13.0

v0.13.0 (2021-06-02)

Full Changelog

Implemented enhancements:

Add NVD CVSS scores to grype json output for matches on the vendor record #314
Add Vendor metadata for vulnerability fixes #276

Fixed bugs:

Replace links to Slack channels with public signup link #325 (luhring)
There should always be links associated with a vulnerability #189
Add vendor-provided CVSS scores to vulnerability match records where available #287

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.13.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.13

151 - v0.12.1

Release notes for grype v0.12.1

Release Notes

Version v0.12.1

v0.12.1 (2021-05-25)

Full Changelog

Implemented enhancements:

Allow registry auth config without authority value #322 (luhring)
Add java virtual path to package metadata #320 (wagoodman)
Show limited package metadata in json presenter #319 (wagoodman)
json output should be sorted #245
Expose the explicit record source for each match #283
Add database information to the JSON output #270
Add DB information to json descriptor block #302 (wagoodman)
Add grype db namespace indication in match details #299 (wagoodman)

Fixed bugs:

Alpine matching should use NVD as primary source #281
Vulnerability check should be more “greedy” #252
Allow registry auth config without authority value #322 (luhring)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.12.1
docker pull anchore/grype:v0
docker pull anchore/grype:v0.12

152 - v0.11.0

Release notes for grype v0.11.0

Release Notes

Version v0.11.0

v0.11.0 (2021-04-22)

Full Changelog

Implemented enhancements:

Update Syft to v0.15.1 #306 (wagoodman)
Refactor constraint expression parser to allow for quoted versions #234 (wagoodman)

Fixed bugs:

CycloneDX format is broken in 0.7.0 #288
Safely join paths derived from tar headers #294 (wagoodman)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.11.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.11

153 - v0.10.2

Release notes for grype v0.10.2

Release Notes

Version v0.10.2

v0.10.2 (2021-04-14)

Full Changelog

Implemented enhancements:

Report the repo digests in the JSON output source section #269
Ability to pull image directly from a registry (without the Docker daemon) #264
Allow user-defined output formats #251
Pull in syft v0.14.0 and further decouple presenters from Syft #263 (wagoodman)
Upgrade grype-db to schema v2 #255

Fixed bugs:

Status text column not consistently aligned #289
Cannot handle downgrading grype versions with different DB schemas #271
CPEs in JSON output should be a formatted string #268
Private registry and password not working with special chars #254
Align status text column with that of Syft handlers #292 (luhring)
Stage DB file within directory named by schema version #272 (wagoodman)

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.10.2
docker pull anchore/grype:v0
docker pull anchore/grype:v0.10

154 - v0.9.0

Release notes for grype v0.9.0

Release Notes

Version v0.9.0

v0.9.0 (2021-03-25)

Full Changelog

Implemented enhancements:

Grype Docker Image #227

Fixed bugs:

Dockerfile for Grype #249
Reporting “exponent has no digits” on go case #246

* This Changelog was automatically generated by github_changelog_generator

Docker images

docker pull anchore/grype:latest
docker pull anchore/grype:v0.9.0
docker pull anchore/grype:v0
docker pull anchore/grype:v0.9

155 - v0.8.0

Release notes for grype v0.8.0

Release Notes

Version v0.8.0

v0.8.0 (2021-03-15)

Full Changelog

Implemented enhancements:

Refactor constraint expression parser to allow for quoted versions #234 (wagoodman)

Fixed bugs:

Can’t use syft JSON output as input #235
Reporting “exponent has no digits” on go case #246

* This Changelog was automatically generated by github_changelog_generator

156 - v0.7.0

Release notes for grype v0.7.0

Release Notes

Version v0.7.0

v0.7.0 (2021-01-27)

Full Changelog

Implemented enhancements:

Decouple grype from syft-specific data structures #220
Update to syft v0.12.4 #233 (luhring)

* This Changelog was automatically generated by github_changelog_generator

157 - v0.6.1

Release notes for grype v0.6.1

Release Notes

Version v0.6.1

v0.6.1 (2020-12-08)

Full Changelog

Fixed bugs:

UBI-based images do not generate any vulnerabilities #221

* This Changelog was automatically generated by github_changelog_generator

158 - v0.6.0

Release notes for grype v0.6.0

Release Notes

Version v0.6.0

v0.6.0 (2020-12-03)

Full Changelog

Implemented enhancements:

Update syft from 0.8.1 to 0.9.2 #217 (luhring)

Fixed bugs:

False negatives in finding CVEs in jar files #209

* This Changelog was automatically generated by github_changelog_generator

159 - v0.5.0

Release notes for grype v0.5.0

Release Notes

Version v0.5.0

v0.5.0 (2020-11-20)

Full Changelog

Implemented enhancements:

Option to use an SBOM input document instead of invoking syft’s cataloging functionality #196
Remove CPE generation (rely on static CPEa from syft instead) #213 (wagoodman)

Fixed bugs:

can’t brew install 0.3.0 on mac #203
“failed to catalog” error when scanning Python apps #200
Remove powershell description from completion command #211 (KeisukeYamashita)

* This Changelog was automatically generated by github_changelog_generator

160 - v0.4.0

Release notes for grype v0.4.0

Release Notes

Version v0.4.0

v0.4.0 (2020-11-12)

Full Changelog

Implemented enhancements:

Bump syft from v0.5.1 to v0.7.1 #206 (wagoodman)
Add signed and notarized ZIP release asset #205 (luhring)

Fixed bugs:

Updates for macOS release process #201 (luhring)
Remove darwin target from primary build entry #199 (luhring)

* This Changelog was automatically generated by github_changelog_generator

161 - v0.3.0

Release notes for grype v0.3.0

Release Notes

Version v0.3.0

v0.3.0 (2020-11-05)

Full Changelog

Implemented enhancements:

Update Syft from v0.4.0 to v0.5.1 #195 (luhring)

Fixed bugs:

Resolve security warning for macOS users #194 (luhring)
Fixes to acceptance workflows #195 (luhring)

* This Changelog was automatically generated by github_changelog_generator

162 - v0.2.0

Release notes for grype v0.2.0

Release Notes

Version v0.2.0

v0.2.0 (2020-10-23)

Full Changelog

Implemented enhancements:

Incorporate package.json & gemspec catalogers #187 (wagoodman)
Update install script arguments for proper argument processing #181 (wagoodman)
Run checks on PRs from forks #180 (wagoodman)
Edit typo in readme #179 (gsiener)
Incorporate gemspec cataloger #177 (wagoodman)
Migrate to GHA pipeline #176 (wagoodman)

Closed issues:

Enable auto pre-release goreleaser flag in release pipeline #119

* This Changelog was automatically generated by github_changelog_generator

163 - v0.1.0

Release notes for grype v0.1.0

Release Notes

Version v0.1.0

First Release! :tada:

164 - v0.1.0-beta.11

Release notes for grype v0.1.0-beta.11

Release Notes

Version v0.1.0-beta.11

v0.1.0-beta.11 (2020-09-26)

Full Changelog

Implemented enhancements:

Integrate the changelog generator into the release pipeline #165

Fixed bugs:

Always return a cleanup function from scope #166 (wagoodman)

* This Changelog was automatically generated by github_changelog_generator

165 - v0.1.0-beta.10

Release notes for grype v0.1.0-beta.10

Release Notes

Version v0.1.0-beta.10

f13b9a7 Use latest versions of anchore repos (#164) 326afa3 Add OCI support + use URI schemes (#160) 9f6301b Change root of JSON presenter to a mapping (instead of a sequence) (#163) b2715ff Update high level docs (#162) ed9f9bc remove duplicate rows from the summary table (#161)

166 - v0.1.0-beta.9

Release notes for grype v0.1.0-beta.9

Release Notes

Version v0.1.0-beta.9

ec493d5 Merge pull request #159 from anchore/update-testutils 578afab update go.mod and go.sum c73a337 fix replacement of results with matches (#158) f0f8f4b add –fail-on threshold support (#156) 0397206 Merge pull request #154 from anchore/issue-148 ca19b08 presenter: cyclonedx shouldn’t eat up errors 7b71401 cyclonedx tests: update BD name to use grype instead of syft 2d44839 presenter: cyclonedx document updates to pass schema validation 4f78b57 presenter: cyclonedx vulnerability schema fixes 2b8dfc2 temporary bump of go deps for testing 0fb5080 presenter: add new golden files for cyclonedx tests 46f3948 presenter: remove unneeded golden files 3de06ce presenter: join dir+img presesnter tests for cyclonedx 298a801 tests: update CycloneDX presenters with new namespaces 80d494b presenter: add xmlns for bd and v namespaces in cyclonedx output 3a57218 ci: hook the cyclonedx validation into CircleCI 57d777c tests: add cyclonedx schema check

167 - v0.1.0-beta.8

Release notes for grype v0.1.0-beta.8

Release Notes

Version v0.1.0-beta.8

2c1ddbe Merge pull request #152 from anchore/fix-json-keys cb437b6 Change kebab case to camelCase, use updated syft version ca8ac61 Rename Result object to Matches (#153) ad7d9d5 Merge pull request #151 from anchore/fix-version-json-output-casing 9fa5064 Fix json keys to be camel case instead of kebab 293368e Shell completion via Cobra utility (#149) 0f97081 add positional argument validation (#150)

168 - v0.1.0-beta.7

Release notes for grype v0.1.0-beta.7

Release Notes

Version v0.1.0-beta.7

1338850 Add fixed-in-version to the presenters (#147) bd50ffc Change search key json output to a map (#146) c0efed5 Merge pull request #143 from anchore/issue-39 c768955 presenter: cyclonedx tests 8fc7efd result: add a helper to get packages by ID 444b191 presenter: set the options to hook CycloneDX output 48c3c2a presenter: add a cyclonedx presenter 8e8ad48 dependencies: update to latest syft and include uuid b77e023 Merge pull request #137 from anchore/issue-94 d2949a2 matcher: add duplicate to demonstrate they don’t show up 89f8ac4 test: update integration to match new SearchMatches 46f614d tests: json presenter output updated 5428cc2 presenter: json to use a string for the search key, not a map 2d7af0b matchers: use strings for SearchKeys 87c267f matchers: cpe should prevent duplicates by not adding already present CPEs b8a4183 vuln matches should include search matches 651751f simplify version cmd + add json option (#139) be6a7ea Update README.md to highlight supported distros and languages (#135) 8757b47 Merge pull request #136 from anchore/issue-py-setup b0c6dc2 test: update scope.FilesByGlob, it is now part of Resolver b8e9431 dependencies: bump to latest syft that includes setup.py support 618672a matcher: use pkg.PythonSetupPkg as well 3836626 add demo gif (#134) d3987d7 Update modules (#127) 66b2512 Merge pull request #124 from anchore/issue-91 b237bf9 test: fuzzyConstraint needs a hint now, update tests 75b3537 version: use hint if provided 84684f2 test: add examples of crazy PEP440 rules 0399e08 version: use the new PythonFormat 41147df test: update integration validation for python packages with Python format 0618d1d github is picky about the issue template file extension d0b03fa add slack links to issue selection (#123) a34bf6e Merge pull request #122 from nwl/readme-fixes f2ce94b Replaced stray syft entries with grype 93e39a7 Merge pull request #120 from anchore/readme-install-fix 2caa0d2 docs: emphasize installation methods before features and getting started 89a6201 Disable prerelease version update check (#118) 12b2296 Add future ideas + beta warning to README (#114) 8052fa6 Update installation method (#117)

169 - v0.1.0-beta.6

Release notes for grype v0.1.0-beta.6

Release Notes

Version v0.1.0-beta.6

cbd6060 Add installer script + brew tap (#116) 457cd29 Add badges (#115) 219d8bc Use warn instead of error for packages with no matchers (#113) 50d7251 add issue templates (#112) 4596701 Merge pull request #110 from anchore/issue-35 9ece1f5 docs: add contributing guidelines

170 - v0.1.0-beta.5

Release notes for grype v0.1.0-beta.5

Release Notes

Version v0.1.0-beta.5

56b9576 Add inline-comparison as acceptance test (#106) f98e3cd replace search key from table with severity (#107) 37ceb17 Add shell completion script (#109) 2ccdefd Add poetry to package types (#108) 30d72dd fix spaces alignment on etui c1fdaba Adding additional detail to README (#103) f1ad989 replace master with main (#104) 6de7e40 finalize the json output (no schema yet) (#102) 76ff973 Merge pull request #99 from anchore/issue-18 5d057db cpe: update tests to match new ANY in product name d8da43b test: update integration tests for alpine e4689c6 matcher: add apk matcher unit tests 44767fc result: add a Count() helper method 4476fc9 broaden cpe matcher + modify alpine matcher a9bf268 integration tests for corner case cff46b8 add apk to controller e0db0c1 test: add integration corner cases for Alpine 905cae5 matcher: add APK support 317b383 match: add APK matcher type 5147985 add description and cvss metadata to v1 schema (#100) 4e6eb13 fix panic on top-level log (#97) 81eab4e pull all commits on checkout for release to build changelog (#98) f3756d0 change default scope to squashed (from all-layers) (#95) 0cfca60 Merge pull request #83 from anchore/initial-docs 57d73a5 docs: update README with sections and DB information 2cd127b Update pkg type (#87) e1f4c54 bump syft for docker pull + UI elements for pull status (#81) 5261e4a Merge pull request #84 from anchore/help-error c581a45 cmd: display help menu when no args are passed in - skip the error 87e6dc0 Merge pull request #82 from anchore/log-fix b214c29 cmd: fix log identifier for stereoscope fb8f3d8 restore log source after etui exit 11731fa replace zap logger with logrus (#80) 861883c pull in fix for bounds check progress formatting values in etui

171 - v0.1.0-beta.4

Release notes for grype v0.1.0-beta.4

Release Notes

Version v0.1.0-beta.4

172 - v0.1.0-beta.3

Release notes for grype v0.1.0-beta.3

Release Notes

Version v0.1.0-beta.3

173 - v0.1.0-beta.2

Release notes for grype v0.1.0-beta.2

Release Notes

Version v0.1.0-beta.2

174 - v0.1.0-beta.1

Release notes for grype v0.1.0-beta.1

Release Notes

Version v0.1.0-beta.1