Grype-db Release Notes

1 - v0.42.0

Release Notes

Version v0.42.0

Added Features

• Add support for annotated openvex [#685 @wagoodman]

(Full Changelog)

2 - v0.41.0

Release Notes

Version v0.41.0

Added Features

• Add unaffected package and CPE stores [#648 @wagoodman]
• add vex as valid vulnerability format [#634 @CrosleyZack]

Bug Fixes

• Use results db explicitly in build [#683 @wagoodman]
• Validate only the results.db file [#682 @wagoodman]
• Some APK vulnerabilities are no longer reported by grype in the latest grype-db [#681]

(Full Changelog)

3 - v0.40.0

Release Notes

Version v0.40.0

Added Features

• Add fix date processing for OSV transformers [#649 @wagoodman]
• Add fix date processing to NVD transformer [#651 @wagoodman]
• Add fix available date to GHSA entries [#646 @wagoodman]

(Full Changelog)

4 - v0.39.0

Release Notes

Version v0.39.0

Added Features

• Add fix availability data for OS providers [#629 @wagoodman]

Bug Fixes

• recognize jvm versions at DB build time [#647 @willmurphyscode]

Additional Changes

• move to pyyaml-include 2.x, keep legacy CWD-relative !include [#642 @jamestexas]

(Full Changelog)

5 - v0.38.0

Release Notes

Version v0.38.0

Added Features

• Add custom compressor commands to the config [#635 @wagoodman]

(Full Changelog)

6 - v0.37.0

Release Notes

Version v0.37.0

Added Features

• Maximize compression for gzip [#632 @wagoodman]

(Full Changelog)

7 - v0.36.1

Release Notes

Version v0.36.1

Bug Fixes

• update generated mapping code for trixie [#626 @anchore-actions-token-generator]

(Full Changelog)

8 - v0.36.0

Release Notes

Version v0.36.0

Added Features

• move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [#628 @westonsteimel]

Additional Changes

• migrate golangci-lint to v2 [#614 @cpanato]
• skip main repo workflows in forks [#618 @kzantow]

(Full Changelog)

9 - v0.35.0

Release Notes

Version v0.35.0

Added Features

• Add support for RedHat EUS data [#540 @willmurphyscode]

Bug Fixes

• CVE-2004-0377 false positive [#611 #609 @westonsteimel]

(Full Changelog)

10 - v0.34.1

Release Notes

Version v0.34.1

(Full Changelog)

11 - v0.34.0

Release Notes

Version v0.34.0

Added Features

• Add support for MinimOS [#566 @Daniel-Wachter]
• enable bitnami and minimOS providers by default [#587 @willmurphyscode]

Bug Fixes

• Version 5 vulnerability database no longer getting updates [#578]

Additional Changes

• enable bitnami vuln data [#581 @willmurphyscode]

(Full Changelog)

12 - v0.33.1

Release Notes

Version v0.33.1

Bug Fixes

• emit fuzzy ranges rather than invalid ranges [#574 @willmurphyscode]

(Full Changelog)

13 - v0.33.0

Release Notes

Version v0.33.0

Added Features

• allow db hydration during build [#558 @westonsteimel]

Additional Changes

• Fix processing of github-action entries [#556 @wagoodman]

(Full Changelog)

14 - v0.32.0

Release Notes

Version v0.32.0

Added Features

• Support CVSS v4 vectors [#553 @wagoodman]

Additional Changes

• add option to always publish databases under their schema direc… [#552 @asomya]

(Full Changelog)

15 - v0.31.0

Release Notes

Version v0.31.0

Added Features

• Add hardware and operating system CPE parts [#544 @wagoodman]

Bug Fixes

• Use all CPE parts when considering duplicates [#547 @wagoodman]
• Refactor NVD node configuration parsing [#546 @wagoodman]

(Full Changelog)

16 - v0.30.1

Release Notes

Version v0.30.1

Added Features

• add support for OSV schema [#217 @juan131]
• Port msrc transformer to v6 [#531 @wagoodman]

Additional Changes

• update grype schema version reference [#533 @kzantow]

(Full Changelog)

17 - v0.29.0

Release Notes

Version v0.29.0

Added Features

• Add KEV transformer + processor [#507 @wagoodman]
• Enable EPSS and KEV vunnel providers [#515 @wagoodman]
• Add EPSS v6 transforms [#511 @wagoodman]

Bug Fixes

• Fix jenkins plugin matching for v6 DBs [#505 @wagoodman]
• Tag advisory URLs for v6 references [#491 @wagoodman]
• Remove CVSS base score being explicitly tracked in v6 blobs [#490 @wagoodman]
• Explicitly use syft pkg types for v6 github transformer [#499 @wagoodman]
• Fix RPM modularity [#506 @wagoodman]
• Explicitly consider NVD type (primary/secondary) when sorting CVSS [#516 @wagoodman]
• Account for v prefix on schema versions [#512 @wagoodman]

Additional Changes

• Switch manager package management from poetry to UV [#497 @wagoodman]
• update to go 1.24.x [#495 @westonsteimel]

(Full Changelog)

18 - v0.28.0

Release Notes

Version v0.28.0

Added Features

• Change DB publish workflow to account for V6 [#387]

Bug Fixes

• Fix listing.json validations threshold [#478 @wagoodman]
• Loosen vunnel schema version check [#463 @wagoodman]
• Installation Instructions Do Not Work as Written [#398 #468 @smythp]

Additional Changes

• Fix vulnerability gate threshold [#480 @wagoodman]
• Add DB v6 support to grype-db / grype-db-manager [#446 @wagoodman]
• fix composite GitHub action path in dependabot config [#473 @westonsteimel]
• add crane to binny [#470 @westonsteimel]
• bootstrap oras for use in ci [#469 @westonsteimel]
• Pin vunnel providers [#458 @wagoodman]

(Full Changelog)

19 - v0.27.4

Release Notes

Version v0.27.4

(Full Changelog)

20 - v0.27.3

Release Notes

Version v0.27.3

Bug Fixes

• Add request retry count for NVD [#444 @wagoodman]
• use timestamp from only provider if only one provider [#445 @willmurphyscode]

(Full Changelog)

21 - v0.27.2

Release Notes

Version v0.27.2

Additional Changes

• Consider all providers and edge cases when determining earliest data timestamp [#441 @wagoodman]
• Ignore NVD data age when crafting DB timestamp [#440 @wagoodman]

(Full Changelog)

22 - v0.27.1

Release Notes

Version v0.27.1

Additional Changes

• Add OS codename dataset [#433 @wagoodman]
• Migrate common processor code to internal [#432 @wagoodman]

(Full Changelog)

23 - v0.27.0

Release Notes

Version v0.27.0

Added Features

• Bump github.com/anchore/grype from 0.82.2 to 0.83.0 [#420 @dependabot]

(Full Changelog)

24 - v0.26.0

Release Notes

Version v0.26.0

Added Features

• Add symlink support for cache backup and restore [#415 @wagoodman]

(Full Changelog)

25 - v0.25.1

Release Notes

Version v0.25.1

(Full Changelog)

26 - v0.25.0

Release Notes

Version v0.25.0

Added Features

• Add config for inferring fixes from NVD [#411 @westonsteimel]
• Add config for CPE part filtering [#410 @wagoodman]

(Full Changelog)

27 - v0.24.1

Release Notes

Version v0.24.1

Additional Changes

• Use migrated grype DB distribution package [#397 @wagoodman]

(Full Changelog)

28 - v0.24.0

Release Notes

Version v0.24.0

Added Features

• Add JVM package version format to NVD records [#382 @wagoodman]
• azure linux 3 support [#307 @willmurphyscode]

(Full Changelog)

29 - v0.23.4

Release Notes

Version v0.23.4

Bug Fixes

• use new platform logic even for only one platform [#386 @willmurphyscode]

Additional Changes

• deterministically sort listing file [#369 @willmurphyscode]
• query for ID before close but compute checksum after [#368 @willmurphyscode]
• enable R2 publishing schedule [#363 @kzantow]
• Sync listing.json from R2 to S3 [#361 @wagoodman]
• Update python requirements [#360 @wagoodman]
• publish database to secondary CloudFlare R2 bucket [#359 @kzantow]
• doc: Updates for the Slack to Discourse migration [#352 @popey]

(Full Changelog)

30 - v0.23.3

Release Notes

Version v0.23.3

Additional Changes

• Bumps go module dependency github.com/docker/docker to suppress reporting of a false positive CVE. grype-db does not make use of the affected components from github.com/docker/docker/pkg/authorization per GO-2024-3005
• CODE_OF_CONDUCT.md [#343 @popey]

(Full Changelog)

31 - v0.23.2

Release Notes

Version v0.23.2

(Full Changelog)

32 - v0.23.1

Release Notes

Version v0.23.1

Bug Fixes

• All DB updates from Daily DB publisher uses the same built date since job #467 [#315]

Additional Changes

• enable os vulns to have version range [#317 @willmurphyscode]
• assert namespaces for ubuntu 24.04 [#312 @westonsteimel]

(Full Changelog)

33 - v0.23.0

Release Notes

Version v0.23.0

Added Features

• Capture the dates for the last successful pull of each vunnel provider in the grype-db metadata.json file [#255 #306 @asomya]

(Full Changelog)

34 - v0.22.1

Release Notes

Version v0.22.1

Additional Changes

• Remove providers’ pull information from DB metadata file [#303 @asomya]
• bumping grype version [#304 @asomya]
• remove vunnel and update yardstick in grype-db [#299 @spiffcs]

(Full Changelog)

35 - v0.22.0

Release Notes

Version v0.22.0

Added Features

• Capture the dates for the last successful pull of each vunnel provider in the grype-db metadata.json file [#255 #292 @asomya]

(Full Changelog)

36 - v0.21.1

Release Notes

Version v0.21.1

Additional Changes

• pass max time to download canary [#281 @willmurphyscode]

(Full Changelog)

37 - v0.21.0

Release Notes

Version v0.21.0

v0.21.0 (2024-03-27)

Full Changelog

Added Features

• feat: add –results-only switch to grype-db cache backup [PR #268] [asomya]

Additional Changes

• Remove trailing / in listing create [PR #262] [willmurphyscode]

38 - v0.20.1

Release Notes

Version v0.20.1

v0.20.1 (2024-03-12)

Full Changelog

39 - v0.20.0

Release Notes

Version v0.20.0

v0.20.0 (2024-03-11)

Full Changelog

Added Features

• Allow for using grype-db from path [PR #250] [wagoodman]

Additional Changes

• Make schema mapping configurable [PR #249] [wagoodman]
• Add listing replicas [PR #252] [wagoodman]
• Ensure that archived packages are well ordered [PR #253] [wagoodman]
• Enable NVD overrides for OSS workflow [PR #258] [wagoodman]

40 - v0.19.6

Release Notes

Version v0.19.6

v0.19.6 (2024-02-16)

Full Changelog

Security Fixes

• Upgrade syft and grype for path traversal fix [PR #235] [wagoodman]

41 - v0.19.5

Release Notes

Version v0.19.5

v0.19.5 (2024-01-26)

Full Changelog

Bug Fixes

• fix: emit rpm-modularity qualifier for rpm rows [PR #230] [westonsteimel]

42 - v0.19.4

Release Notes

Version v0.19.4

v0.19.4 (2024-01-18)

Full Changelog

Additional Changes

• chore: automatically merge dependabot PRs [PR #212] [willmurphyscode]
• Add dependabot automation [PR #222] [wagoodman]
• Update to v0.74.1 grype [PR #223] [wagoodman]

43 - v0.19.3

Release Notes

Version v0.19.3

v0.19.3 (2023-12-07)

Full Changelog

Additional Changes

• Feat/multiple platform cpes [PR #203] [willmurphyscode]

44 - v0.19.2

Release Notes

Version v0.19.2

v0.19.2 (2023-11-09)

Full Changelog

Bug Fixes

• Upload DBs to s3 with ContentType header [PR #161] [wagoodman]

Additional Changes

• Workaround v1 and v2 schema differences [PR #152] [wagoodman]
• chore: update to go 1.21.0 [PR #156] [spiffcs]
• chore: bump crane [PR #159] [willmurphyscode]
• chore: pin workflow actions to git sha [PR #164] [spiffcs]
• Bump vulnerability match labels [PR #175] [wagoodman]
• chore: pin vunnel to v0.16.0 [PR #177] [westonsteimel]
• Revert “chore: pin vunnel to v0.16.0” [PR #189] [wagoodman]
• Add basic namespace check on publishing DBs [PR #192] [wagoodman]

45 - v0.19.1

Release Notes

Version v0.19.1

v0.19.1 (2023-08-25)

Full Changelog

Bug Fixes

• fix: include cpe version update component when building constraint [PR #145] [westonsteimel]
• fix: interpret constraints correctly for Amazon Linux Kernel advisories [PR #149] [westonsteimel]

46 - v0.19.0

Release Notes

Version v0.19.0

v0.19.0 (2023-07-11)

Full Changelog

47 - v0.18.0

Release Notes

Version v0.18.0

v0.18.0 (2023-05-26)

Full Changelog

48 - v0.17.0

Release Notes

Version v0.17.0

v0.17.0 (2023-05-24)

Full Changelog

Added Features

• feat: consume CVSS from GitHub provider data [PR #106] [westonsteimel]

49 - v0.16.0

Release Notes

Version v0.16.0

v0.16.0 (2023-05-22)

Full Changelog

Added Features

• capture platform CPE package qualifier [PR #103] [westonsteimel]

50 - v0.15.4

Release Notes

Version v0.15.4

v0.15.4 (2023-04-27)

Full Changelog

Bug Fixes

• fix: surface vunnel logs with provider log level if possible [PR #97] [westonsteimel]

51 - v0.15.3

Release Notes

Version v0.15.3

v0.15.3 (2023-04-21)

Full Changelog

Additional Changes

• chore: bump yardstick in acceptance tests to latest commit [PR #93] [westonsteimel]

52 - v0.15.2

Release Notes

Version v0.15.2

v0.15.2 (2023-03-28)

Full Changelog

Additional Changes

• Bump version of grype to include Chainguard support [PR #85] [luhring]
• Validations must use PR events [PR #86] [wagoodman]

53 - v0.15.1

Release Notes

Version v0.15.1

v0.15.1 (2023-03-22)

Full Changelog

54 - v0.15.0

Release Notes

Version v0.15.0

v0.15.0 (2023-03-22)

Full Changelog

Added Features

• Add list-providers command [PR #80] [wagoodman]

Bug Fixes

• Add list-providers command [PR #80] [wagoodman]

Additional Changes

• Add installation section to the README [PR #75] [wagoodman]
• Add root command [PR #76] [wagoodman]
• Add slack notification for aggregation failures [PR #77] [wagoodman]
• Update listing file CDN TTL to 5 minutes [PR #81] [wagoodman]

55 - v0.14.2

Release Notes

Version v0.14.2

v0.14.2 (2023-03-10)

Full Changelog

Bug Fixes

• Remove depending on package types for version constraint enforcement [PR #67] [wagoodman]

Additional Changes

• chore: regenerate test fixtures [PR #69] [westonsteimel]
• Use the latest vunnel release for building the nightly DB [PR #70] [wagoodman]
• Include LFS in staging builds [PR #72] [wagoodman]
• Remove use of deprecated github actions funcion “set-output” [PR #73] [wagoodman]

56 - v0.14.1

Release Notes

Version v0.14.1

v0.14.1 (2023-03-07)

Full Changelog

Additional Changes

• chore: update install script [PR #57] [westonsteimel]
• Upgrade CI workflows [PR #61] [wagoodman]
• bump grype to v0.59.0 [PR #64] [westonsteimel]

57 - v0.14.0

Release Notes

Version v0.14.0

v0.14.0 (2023-02-16)

Full Changelog

Added Features

• Port Grype-DB builder [PR #43] [wagoodman]

Additional Changes

• Add release workflow trigger [PR #44] [wagoodman]