Syft Release Notes

1 - v1.32.0

Release Notes

Version v1.32.0

Added Features

• Catalog entire build list for Go projects, not just packages listed in go.mod [#432 #4127 @spiffcs]
• package.json authors keyword parsing [#2250 #4003 @popey]
• Conda ecosystem support (basic) [#4002@SimeonStoykovQC]

Bug Fixes

• When scanning the FFmpeg binary with Syft a new package is now added [#3988 #3994 @popey]
• Warn loudly if SQLite driver is not present when needed [#3234 #4150 @kzantow]

Additional Changes

• Update dependencies to use go.yaml.in/yaml [#4157 @n-bes]

(Full Changelog)

2 - v1.31.0

Release Notes

Version v1.31.0

Added Features

• Option to set PackageSupplier in root of SPDX document generated by CLI [#3098 #4131 @spiffcs]

Bug Fixes

• closed reader during java binary detection [#4129 @kzantow]
• support multiple letters in openssl patch version [#4106 @honigbot]
• Can not have license ID [#1964 #4132 @spiffcs]
• Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest [#3186]

(Full Changelog)

3 - v1.30.0

Release Notes

Version v1.30.0

Added Features

• add binary classifier for hashicorp vault [#4121 @willmurphyscode]

Bug Fixes

• fix: update nondeterministic Java archive cataloging and improve groupID [#3521 #4118 @kzantow]

(Full Changelog)

4 - v1.29.1

Release Notes

Version v1.29.1

Bug Fixes

• Missing license information for tzdata [#4102]
• Improve JVM Scan Accuracy for JDK and JRE Detection [#4071 #4046 @kzantow]
• Azul JDK classified as Oracle JRE [#3893 #4046 @kzantow]

(Full Changelog)

5 - v1.29.0

Release Notes

Version v1.29.0

Added Features

• Catalog python uv.lock files [#3268 #3763 @jkugler]

Additional Changes

• Pkg Metadata type unmarshal bug [#4043 @houdini91]

(Full Changelog)

6 - v1.28.0

Release Notes

Version v1.28.0

Added Features

• add native support for snap packages [#1088 #3929 @wagoodman]

Additional Changes

• upgrade tablewriter dependency to use new API [#3990 @cpanato]

(Full Changelog)

7 - v1.27.1

Release Notes

Version v1.27.1

Bug Fixes

• Allow decoding of enterprise-modified anchorectl json files [#3997 @wagoodman]
• Allow decoding of anchorectl json files [#3973 @wagoodman]

Additional Changes

• provide separate nonroot image [#3998 @kzantow]

(Full Changelog)

8 - v1.27.0

Release Notes

Version v1.27.0

Added Features

• add syft schema version to version command [#3949 @spiffcs]

Bug Fixes

• Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#3967 @jayvdb]
• Remove CPE product candidates for opentelemetry and redis Rust crates [#3962 @jayvdb]
• Harden Container Runtime with Non-Root User [#3941 @MikeTheCyberGuy]
• terraform provider lock entries should not require constraints [#3934 @ghouscht]
• sbom cataloger returning upstream package [#3662 #3981 @kzantow]
• Syft missing md5 sums and list data for dpkg packages under status.d/ [#3912]
• Failure to detect dependency relationships between Python packages [#3958 #3965 @christoph-blessing]
• Heavy memory consumption when directory scanning deb source [#3928 #3953 @kzantow]
• In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#3942 #3944 @kzantow]
• Syft incorrectly reports multiple APKs as parents of symlinked files [#3847 #3923 @luhring]

(Full Changelog)

A HUGE thank you to @rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️

9 - v1.26.1

Release Notes

Version v1.26.1

Bug Fixes

• Dotnet deps binary cataloger hangs [#3919 #3930 @kzantow]

(Full Changelog)

10 - v1.26.0

Release Notes

Version v1.26.0

Added Features

• Read version resources from non-.NET DLLs and executables [#3842 #3911 @wagoodman]

Bug Fixes

• pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis [#3922 @wagoodman]
• syft 1.24.0 debug container - wget fails TLS [#3891 #3915 @spiffcs]

(Full Changelog)

11 - v1.25.1

Release Notes

Version v1.25.1

Additional Changes

• remove go-rpmdb replace directive [#3908 @wagoodman]

(Full Changelog)

12 - v1.25.0

Release Notes

Version v1.25.0

Added Features

• Add PHP interpreter + extensions cataloger [#2585 @LaurentGoderre]

Bug Fixes

• update license content filtering default case to be ’none’ for no content [#3903 @spiffcs]
• Distinguish openjdk vs jdk when using file source [#3895 @adammcclenaghan]
• Make it discoverable if Native Image contains no embedded SBOM [#3731 #3805 @sathiya06]

(Full Changelog)

13 - v1.24.0

Release Notes

Version v1.24.0

Added Features

• Add cataloger for Dart pubspec [#3292 @LaurentGoderre]
• Translate Portage license strings to SPDX expressions [#1763 @wagoodman]
• Use package ID from decoded SBOMs when provided [#1872 @jneate]
• Annotate visible/hidden paths when all-layers scope [#3855 @wagoodman]
• Add support for PHP Pear [#2775 @LaurentGoderre]
• Detect whether full license text or a license name has been provided [#3088 #3876 @spiffcs #3450 @spiffcs]
• Add Cataloger for Homebrew on macOS [#3632 #3724 @rezmoss]
• Provide a way to get the LayerID the package was first found in [#435 #3858 @wagoodman #3138 @tomersein]
• Go binaries that currently get (devel) as the version should instead stub UNKNOWN based on the compliance policy [#3324 #3873 @wagoodman]
• Upgrade base Docker image to gcr.io/distroless/static-debian12 [#3840 #3862 @bgoareguer]
• Return full license string instead of SHA256 hash when license string exceeds 64 characters [#3780 #3844 @spiffcs]
• Detect nix dependencies [#3814 #3837 @wagoodman]

Bug Fixes

• update license sort to be stable with contents field [#3860 @spiffcs]
• Improve detection of erlang binary in alpine Linux [#3839 @avodotiiets]
• Do not search for main module versions within binary contents by default [#3874 @wagoodman]
• dpkg license improvement for non SPDX licenses [#3090 #3888 @spiffcs]
• CycloneDX group field not symmetrically handled by encoder/decoders [#2981 #3853 @kzantow]
• Syft crash [signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x123a0da] [#3872 #3875 @wagoodman]
• Syft 1.23.1 shows version (devel) for grafana 12.0.0 [#3864]
• .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs [#3866 #3869 @wagoodman]
• Propagate error in FileSourceProvider instead of warn log [#3831 #3845 @Rupikz]
• Update github.com/Masterminds/semver package [#3829 #3836 @popey]
• go-module-file-cataloger fails if symlinks in path [#3614 #3783 @VictorHuu]
• Support fluent-bit some versions of arm/s390x images [#3793 #3817 @VictorHuu]

Additional Changes

• update rust test fixtures to latest [#3852 @spiffcs]

(Full Changelog)

14 - v1.23.1

Release Notes

Version v1.23.1

Additional Changes

• Resolve owned file paths when searching for overlaps [#3828 @wagoodman]

(Full Changelog)

15 - v1.23.0

Release Notes

Version v1.23.0

Added Features

• Support skipping archive extraction with file source [#3795 @adammcclenaghan]
• Use the R cataloger in directory scans [#3774 @spiffcs]
• Add support for detecting javascript assets in .NET projects using libman [#3825 @wagoodman]
• Parse GitHub actions comments [#3776 @wagoodman]
• Support chrome binary detection [#3174 #3136 @lem-onade]
• Add support for detecting undeclared license files scanning from python installations [#2624 #3779 @wagoodman]

Bug Fixes

• .NET cataloger should consider compile target paths from deps.json [#3821 @wagoodman]
• Skip license scanner injection [#3796 @adammcclenaghan]
• Delete collection name/type key entries when empty [#3797 @adammcclenaghan]
• Use module name over relative paths in go.mod replace directives [#3812 @VictorHuu]
• Correct variable names for Conan lock parsing version handling [#3802 @musangk]
• Consider DLL claims for dependencies of .NET packages from deps.json [#3822 @wagoodman]
• Empty source during decoding an SBOM document should not be fatal [#3791 @wagoodman]
• Dpkg are not detected when scanning a directory [#3726 #3820 @VictorHuu]
• Support golang tip image [#3681 #3757 @VictorHuu]
• syft cataloger list should flatten options [#3801 #3804 @kzantow]
• Unable to generate a correct SBOM for C++ project [#3755]

(Full Changelog)

16 - v1.22.0

Release Notes

Version v1.22.0

Added Features

• Improve .NET package CPE generation [#3764 @wagoodman]
• Catalog deb archives directly [#3315 #3704 @popey]

Bug Fixes

• Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries [#3282 #3768 @wagoodman]
• Dotnet deps cataloger returns “wrong” dotnet-framework dependencies and misses out on the runtime (for applications) [#2347 #3768 @wagoodman]
• .NET deps.json should be considered as installation evidence [#3570 #3563 @wagoodman]
• Dotnet PE binary cataloger is detecting false positives [#3469 #3563 @wagoodman]
• Long Processing Time in dpkg-db-cataloger with all-layers Option (Syft 1.20.0) [#3683 #3636 @kzantow]

(Full Changelog)

17 - v1.21.0

Release Notes

Version v1.21.0

Added Features

• Support extracting symbols in .dynsym section for GraalVM Native Images [#3647 @rudsberg]
• Support fluent-bit 1.7.0 dev, rc [#3133 #3701 @popey]

Bug Fixes

• Suppress “file already closed” errors [#3695 @wagoodman]
• Add set ID to dotnet (lock) packages [#3719 @houdini91]
• Location order on packages should consider evidence annotations when sorting [#3720 @wagoodman]
• Fix /etc/redhat-release file parsing when resolving distro details [#3688 @wagoodman]
• Syft fileresolver.containsPath allocates unnecessarily [#3729 #3730 @yoav-orca]
• Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies [#3158 #3572 @sgreg]
• Download location is not a valid URI [#3696 #3697 @stgrace]

Additional Changes

• Update rustaudit module name [#3689 @tofay]
• bump golang.org/x/net from 0.35.0 to 0.36.0 [#3709 @dependabot]

(Full Changelog)

18 - v1.20.0

Release Notes

Version v1.20.0

Added Features

• Add file catalogers to selection configuration [#3505 @wagoodman]
• Configuration for including license contents in SBOM [#3626 #3631 @spiffcs]
• Support Bitnami embedded SBOMs [#3065 #3341 @juan131] [#3676 @willmurphyscode]

Bug Fixes

• Version parse caused by line breaks on different platforms [#3672 @idhyt]
• License files which do not match an SPDX expression are erroneously handled as ‘unlicensed’ [#3412 #3366 @HeyeOpenSource]
• Incorrect URL encoding of package url (purl) [#3533 #3678 @kzantow]
• syft should not warn on known bad package.json [#3470 #3645 @kzantow]
• Scanning a project with many DLLs is slow [#3455 #3677 @rogueai]
• cyclone-dx presenter drops files, includes only packages [#3435 #3539 @spiffcs]
• “syft config” output swaps comments for search-indexed-archives / search-unindexed-archives [#3624 #3630 @spiffcs]
• dpkg license improvement for non SPDX licenses [#3090 #3366 @HeyeOpenSource]
• RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) [#3534 #3615 @mprpic]

Additional Changes

• update to go 1.24.x [#3660 @westonsteimel]
• replace all shorthand tags of mapstruct -> mapstructure [#3633 @spiffcs]

(Full Changelog)

19 - v1.19.0

Release Notes

Version v1.19.0

Added Features

• add license parsing from vendor dirs [#3522 @dschmidt]
• Support cataloging NuGet packages [#373 #3484 @Kemosabert]

Bug Fixes

• Syft generates invalid PURLs when name contains : [#3577 #3596 @spiffcs @jkugler]
• warn instead of error if zero package catalogers are select - user might still run file metadata cataloger, for example [#3128 #3468 @tomersein]
• sbom report: missing licenses [#3527 #3549 @kzantow]

Additional Changes

• bump stereoscope to v0.0.13 [#3601 @spiffcs]

(Full Changelog)

20 - v1.18.1

Release Notes

Version v1.18.1

Bug Fixes

• Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#3390]
• SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#3441 #3517 @willmurphyscode]

Additional Changes

• migrate syft to use anchore fork of archiver without replace [#3516 @spiffcs]

(Full Changelog)

21 - v1.18.0

Release Notes

Version v1.18.0

Added Features

• convert spdx absolute to relative [#3509 @spiffcs]
• Add relationships for rust audit binary packages [#3500 @wagoodman]
• support configuration of layer size in Syft [#3428 #3464 @tomersein]
• Support Dart arm/v7 in 3.x and 2.x [#3278 #3475 @witchcraze]

Bug Fixes

• fix order of rust dependencies and support git sources in Cargo.lock dependencies [#3502 @willmurphyscode]
• Use file indexer directly when scanning with file source [#3333 @adammcclenaghan]
• Remove incorrect power-user help text that only image sources are supported [#2046]
• Invalid SPDX: missing copyright text [#3346 #3495 @spiffcs]
• Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#3403]

(Full Changelog)

22 - v1.17.0

Release Notes

Version v1.17.0

Added Features

• Surface Rust dependency relationships [#2353 #3443 @willmurphyscode]
• Support node 6.x versions [#3404 #3419 @witchcraze]

Bug Fixes

• Restore log on UI teardown [#3427 @wagoodman]
• Syft should log warnings even when no TTY is present [#3081 #3466 @willmurphyscode]
• Special characters (tab, newline) in license URL [#3122 #3449 @spiffcs]
• LicenseDeclared not as per SPDX License List [#3030 #3461 @spiffcs]

Additional Changes

• doc: Add official Syft logo license information [#3421 @popey]

(Full Changelog)

23 - v1.16.0

Release Notes

Version v1.16.0

Added Features

• omit devDependencies for package-lock.json files by default [#2348 #3371 @njv299]

Bug Fixes

• add support for dependencies and purl for Native Image SBOMs [#3399 @rudsberg]
• stop bubbling fileResolver errors from binary cataloger [#3410 @spiffcs]
• malformed pom.xml may cause recursive loop [#3391 @kzantow]
• syft convert: broken link in help - documentation no longer existing [#3143 #3407 @Makefolder]

(Full Changelog)

24 - v1.15.0

Release Notes

Version v1.15.0

Added Features

• Merge config files hierarchically and add support for config profiles [#3337 @kzantow]
• Enable cargo-auditable-binary-cataloger for files/directories [#3376 @ariel-miculas]
• Improve mariadb binary classifer to detect older versions [#3052]
• Look for dpkg status file at additional globs [#2692 #3373 @njv299]
• Emit relationships for Java dependencies [#3189 #3363 @kzantow]

(Full Changelog)

25 - v1.14.2

Release Notes

Version v1.14.2

Bug Fixes

• Use single license scanner for all catalogers [#3348 @wagoodman]
• use official CPE for linux kernel [#3343 @westonsteimel]
• improve mariadb binary classifer to detect older versions [#3339 @westonsteimel]

Additional Changes

• Update to latest packageurl-go [#3347 @wagoodman]

(Full Changelog)

26 - v1.14.1

Release Notes

Version v1.14.1

Bug Fixes

• stop some log.Warn spam due parsing an empty string as a CPE [#3330 @willmurphyscode]
• improve go binary semver extraction for traefik [#3325 @westonsteimel]

(Full Changelog)

27 - v1.14.0

Release Notes

Version v1.14.0

Added Features

• Report known unknowns directly in the output SBOM [#518 #2998 @kzantow]
• Identify bash.preinst [#3191 #3228 @wagoodman]
• Support HAProxy rc and some old versions [#3233 #3277 @witchcraze]
• Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#3279 #3281 @witchcraze]
• Support node old versions [#3236 #3284 @witchcraze]
• Support rubylang/ruby dev versions [#3239 #3285 @witchcraze]
• Support ruby rc, preview [#3238 #3285 @witchcraze]

Bug Fixes

• performance: instantiate license check scanner to prevent memory leak [#3290 @govrin]
• Parse package.json with non-standard fields in ‘author’ section [#3300 @nuada]
• make failed CPE validation correctly return error [#2762 @willmurphyscode]
• Improve subpath to mount matching [#3269 @cdupuis]

Additional Changes

• add pull request template [#3294 @willmurphyscode]

(Full Changelog)

28 - v1.13.0

Release Notes

Version v1.13.0

Added Features

• –enrich flag for data enrichment feature enablement [#3182 @kzantow]
• Add classifier for Dart lang [#3265 @LaurentGoderre]
• add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#3252 @krysgor]
• Catalog JDKs more completely [#3188 #3217 @wagoodman]
• Show richer information for JVM installations [#1426 #3217 @wagoodman]
• Allow for stubbing unknown versions over dropping packages [#2652 #3257 @wagoodman]
• Name and Version empty for Java package when scanning provided image [#2132 #3257 @wagoodman]
• Support bitnami/mysql:8.x [#3025]

Bug Fixes

• OpenJDK CPEs [#2422 #3217 @wagoodman]
• SBOM generated from poetry lock file contains no license information on any dependencies [#3204]
• Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#2039 #3257 @wagoodman]
• Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#2038 #3257 @wagoodman]
• Command make add-snippet can fail in some cases [#3249]

(Full Changelog)

29 - v1.12.2

Release Notes

Version v1.12.2

Added Features

• Detect curl binaries [#3146 @krysgor]
• Add haskell binaries cataloger [#3078 @LaurentGoderre]
• add the Ocaml ecosystem [#3112 @LaurentGoderre]
• Support HAProxy dev [#3134 #3180 @witchcraze]

Bug Fixes

• Fix improper decoding of SPDX license expressions in the CycloneDX format [#3175 @NyanKiyoshi]
• improve generated cpes for binaries with existing classifiers [#3169 @westonsteimel]
• improve known CPEs and set NVD as source for all current binary classifiers [#3167 @westonsteimel]
• Respond to authoratative CPEs from catalogers [#3166 @wagoodman]
• Set cataloger names within package cataloger task [#3165 @wagoodman]
• use official CPE for curl binary cataloger [#3164 @westonsteimel]
• Fix ELF package correlations [#3151 @wagoodman]
• no space left and Could not retrieve mirrorlist in test [#3181 #3190 @wagoodman]
• Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed [#3195]
• CycloneDX convertion into Syft improperly handles SPDX licenses [#3172]
• Syft Cause stack overflow [goroutine stack exceeds 1000000000-byte limit] [#3163 #3170 @kzantow]
• Mysql binary detection version incorrect for 8.0.x [#3141 #3142 @kzantow]

Additional Changes

• Less verbose java logging when non-fatal issues arise [#3208 @wagoodman]

(Full Changelog)

30 - v1.11.1

Release Notes

Version v1.11.1

Bug Fixes

• support .kar files [#3113 @tomersein]
• logging for remote network calls [#3140 @kzantow]
• Pick up CycloneDX BOM components from metadata as well [#3092 @dervoeti]
• improve groupid extraction for Jenkins plugins [#2815 @westonsteimel]

(Full Changelog)

31 - v1.11.0

Release Notes

Version v1.11.0

Added Features

• Added the SWI Prolog (swipl) ecosystem [#3076 @LaurentGoderre]
• Improved java cataloging [#2769 @GijsCalis]

Bug Fixes

• Empty version field on some dependencies when reading pom.xml [#1129 #2769 @GijsCalis]
• Support Maven multi-level configuration file / parent POM [#2017 #2769 @GijsCalis]
• DependencyManagement ignored in pom.xml [#1813 #2769 @GijsCalis]
• Version parsing regression for Go binaries [#3086 #3087 @spiffcs]

Additional Changes

• rather than have a hard max recursive depth - syft should detect parent pom cycles [#2284 #2769 @GijsCalis]
• increase java purl generation test coverage [#3110 @westonsteimel]
• Updated PackageSupplier to type Organization for JAR files [#3093 @harippriyas]
• Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach [#3054 @dor-hayun]

(Full Changelog)

32 - v1.10.0

Release Notes

Version v1.10.0

Added Features

• Detect go main module from partial package builds [#3060 @wagoodman]
• Support traefik in linux/arm/v6, linux/riscv64 [#3038 #3077 @witchcraze]
• Catalog TiDB binary [#2763]
• Generate a Maven friendly CPE [#3042 #3045 @kzantow]

Bug Fixes

• Only match ldflag version if it matches the main module or targets main.version [#3062 @LaurentGoderre]
• python requirements.txt cataloger: allow dots in python package names [#3070 @Mikcl]
• SPDX output performance with many relationships [#3053 @kzantow]
• Order CPEs deterministically for SBOM reproducibility [#2967 #3085 @kzantow]
• Python packages: name normalization [#3064 #3069 @Mikcl]
• Syft report panics with the golang cataloger [#3037 #3043 @willmurphyscode]

Additional Changes

• add debug logging for errors reading RPM files [#3051 @kzantow]

(Full Changelog)

33 - v1.9.0

Release Notes

Version v1.9.0

Added Features

• Add detection of Erlang in Alpine linux [#2996 @LaurentGoderre]
• Add version 3 support for swift package manager of the resolved files [#3001 @4ell0]
• Map the downloadLocation field for PHP Composer packages [#3011 @LaurentGoderre]

Bug Fixes

• Infer the package type from ELF package notes [#3008 @wagoodman]
• Order CPEs deterministically for SBOM reproducibility [#2967 #3009 @spiffcs]

(Full Changelog)

34 - v1.8.0

Release Notes

Version v1.8.0

Added Features

• Add CycloneDX 1.6 Support [#2974 #2978 @ragaskar]

Bug Fixes

• Fixed the detection of arangodb 3.12 [#2979 @LaurentGoderre]
• Syft tries to create the cache directory at a location that has no permission [#2984 #2985 @kzantow]

(Full Changelog)

35 - v1.7.0

Release Notes

Version v1.7.0

Added Features

• index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]
• Consider Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]

Bug Fixes

• improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]
• Trim whitespace from wordpress values [#2945 @wagoodman]
• Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
• Poetry’s multiple constraints seems to break the parser [#2947 #2965 @spiffcs]
• Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]

(Full Changelog)

36 - v1.6.0

Release Notes

Version v1.6.0

Added Features

• Add relationships for go binary packages [#2912 @wagoodman]
• Add classifier for util-linux [#2933 @LaurentGoderre]
• Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]
• add license field to ELF binary package metadata [#2890 @brian-ebarb]
• install.sh: check checksums file’s signature [#2884 #2941 @wagoodman]
• Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]

Bug Fixes

• Use redhat as namespace for redhat rpms [#2914 @ralphbean]
• Close sqlite driver after testing sqlite availability [#2922 @ttc0419]
• syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]
• Scanning a git repository folder present in /tmp produce an empty sbom [#2847 #2918 @willmurphyscode]

Additional Changes

• update unit tests to use pinned patch version [#2932 @spiffcs]
• fix comments and spelling [#2920 @dufucun]

(Full Changelog)

37 - v1.5.0

Release Notes

Version v1.5.0

Added Features

• Add abstraction for adding relationships from package cataloger results [#2853 @wagoodman]
• Capture dependencies when parsing SPDX SBOMs [#2869 @russellhaering]
• Add python wheel egg relationships [#2903 @wagoodman]
• Added functionality to convert major, minor, patch to version [#2864 @LaurentGoderre]
• Add support for RPM DB package relationships [#2872 @wagoodman]
• Detect fluent-bit binaries [#2904 #2905 @kzantow]
• Add syft config command [#2598 #2892 @kzantow]

Bug Fixes

• Fix DecoderCollection discarding input from non-seekable Readers [#2878 @russellhaering]
• Handle GOEXPERIMENTs in go version [#2893 @jonjohnsonjr]
• Go Mod Cataloger: Remove Replaced Packages [#2891 @russellhaering]
• Use values in relationship To/From fields [#2871 @wagoodman]
• Java package names showing up namespaced packages [#2230]

Additional Changes

• update spdx license list to 3.24.0 [#2895 @spiffcs]

(Full Changelog)

38 - v1.4.1

Release Notes

Version v1.4.1

Bug Fixes

• Fix redundant package deletions when considering ELF packages [#2862 @wagoodman]

(Full Changelog)

39 - v1.4.0

Release Notes

Version v1.4.0

Added Features

• Add detection for newer version of ErLang/OTP [#2829 @LaurentGoderre]
• Add missing CPE for traefik, memcached, and postgres binaries [#2845 @LaurentGoderre]
• Add binary classifier for ArangoDB [#2830 @LaurentGoderre]
• Add relationships to ELF packages [#2715 @brian-ebarb @cdivers18 ]
• Add relationships for ALPM packages (arch linux) [#2851 @wagoodman]

Bug Fixes

• close temp rpmdb file [#2792 @testwill]
• fix Windows file paths in local go mod cache [#2654 @willmurphyscode]
• Package Count doesn’t match list of packages [#2304 #2839 @wagoodman]
• New version 1.3.0 leads to “too many open files” while scanning bigger images [#2819 #2823 @willmurphyscode]
• license_info_in_file is mandatory in SPDX-2.2 [#2163 #2168 @kzantow]
• Wrong CPE for dnsmasq [#2636 #2659 @kzantow]
• SPDX originator is not always populated [#2632 #2822 @wagoodman]

Additional Changes

• Improve linting for defer Close type issues [#2826]
• use ruleguard to test for missing defer statements [#2837 @willmurphyscode]
• Publish security policy [#2835 @wagoodman]
• fix function name in comment [#2771 @camcui]
• enable go-critic deferInLoop lint [#2825 @willmurphyscode]

(Full Changelog)

40 - v1.3.0

Release Notes

Version v1.3.0

Added Features

• index known CPEs for go modules [#2816 @westonsteimel]
• support multiple known CPEs in index [#2813 @westonsteimel]
• index known CPEs for PHP Composer packagist.org packages [#2804 @westonsteimel]
• index known cpes for PHP extensions [#2777 @westonsteimel]

Bug Fixes

• re-use embedded union reader if possible [#2814 @willmurphyscode]
• prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io [#2806 @westonsteimel]
• improvements to known CPE index construction [#2801 @westonsteimel]
• Syft panics when scanning OCI image that contains packaged helm chart [#2745 #2757 @willmurphyscode]
• Pom parser not resolving all dependency versions [#2776 #2781 @willmurphyscode]
• exclude known instrumentation jars from being erroneously identified [#2796 @kzantow]
• return empty string if dereferncing pom var fails [#2797 @willmurphyscode]

(Full Changelog)

41 - v1.2.0

Release Notes

Version v1.2.0

Added Features

• Differentiate between JRE and JDK [#2748 @LaurentGoderre]
• Add support for dnf packages [#2758]

Bug Fixes

• more robust go main version extraction [#2767 @kzantow]
• Regression in 1.1 cataloging openjdk: generates version containing a null byte [#2750 #2766 @LaurentGoderre]

(Full Changelog)

42 - v1.1.1

Release Notes

Version v1.1.1

Bug Fixes

• update anchore/packageurl-go to use latest commits [#2746 @spiffcs]
• fix panic scanning binaries without symtab [#2736 #2739 @kzantow]

(Full Changelog)

43 - v1.1.0

Release Notes

Version v1.1.0

Added Features

• Adding the ability to retrieve remote licenses from package-lock.json [#2708 @coheigea]
• Show binary exports, entrypoint, and imports [#2626 @wagoodman]
• Add detection for Oracle GraalVM [#2705 @LaurentGoderre]

Bug Fixes

• reduce duplicate case SwiftPkg [#2696 @testwill]

(Full Changelog)

44 - v1.0.1

Release Notes

Version v1.0.1

Bug Fixes

• Unable to scan OCI images with syft v0.105.1 [#2678 #2683 @spiffcs]

(Full Changelog)

45 - v1.0.0

Release Notes

Version v1.0.0

🎉 Checkout the blog post about v1!

Added Features

• Allow source type input via CLI flag (not scheme) [#1783 #2610 @kzantow]

Bug Fixes

• OpenSSL binary matcher fails to properly detect letter releases [#2681 #2682 @harmw]
• TUI package count does not match package count in default table output [#2672 #2679 @wagoodman]
• .NET NuGet - dotnet-deps cataloger not working with syft v0.94.0 [#2264 #2674 @willmurphyscode]
• New path filtering logic excluding large number of unintended paths [#2667 #2675 @wagoodman]
• Syft TUI can hang when using license fetching from go modules [#2653 #2673 @willmurphyscode]

(Full Changelog)

46 - v0.105.1

Release Notes

Version v0.105.1

Bug Fixes

• return error codes from install script [#2664 @hacst]
• SPDX tag value version selector [#2665 @kzantow]

Additional Changes

• Add syft version used to SBOM tool info by default [#2647 @wagoodman]

(Full Changelog)

47 - v0.105.0

Release Notes

Version v0.105.0

Added Features

• Guess go main module version based on binary contents [#2608 @wagoodman]
• Catalog wordpress plugins [#1911 #2218 @disc]

Bug Fixes

• ensure version output to stdout [#2621 @kzantow]
• Survive indexing dead symlinks [#2645 @wagoodman]
• unable to index filesystem for amazonlinux images [#2627 #2644 @wagoodman]
• CycloneDX OS component does not have a bom-ref [#2101 #2634 @kzantow]
• v0.104.0 interface conversion error when creating bom from singularity image [#2628 #2631 @wagoodman]

Additional Changes

• Rename binary cataloger to be more unique [#2633 @wagoodman]
• Suppress executable parsing issues [#2614 @wagoodman]
• update license list, cpe dictionary [#2620 @spiffcs]

(Full Changelog)

48 - v0.104.0

Release Notes

Version v0.104.0

Added Features

• Adding metadata fields when parsing yarn.lock and poetry.lock [#2350 @asi-cider]
• Add Erlang OTP Application cataloger [#2403 @LaurentGoderre]
• Support Conan lockfiles v0.5 [#2050]
• Identify security-features-of-interest within binaries [#2434 #2443 @wagoodman]
• Top-level API should be more composable [#558 #2517 @wagoodman]
• Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]

Bug Fixes

• unmarshal key values in Java, Go, and Conan metadata [#2603 @willmurphyscode]
• incorrect conversion between integer types [#2605 @spiffcs]
• prefer portable executable product version when semantically greater than file version [#2600 @westonsteimel]
• Stop iterating maps in catalogers [#2405 #2553 @wagoodman]
• unknown flag: –key when use syft attest –key [KEY] [#2544 #2551 @willmurphyscode]
• purl generation broken for kafka jars [#2385 #2573 @westonsteimel]

Breaking Changes

• Top-level API should be more composable [#558 #2517 @wagoodman]
• Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]

(Full Changelog)

49 - v0.103.1

Release Notes

Version v0.103.1

Security Fixes

• Bump archiver and stereoscope to address path traversal issues [#2570 @wagoodman]

Bug Fixes

• Revert cosign signing of release checksums file [#2571 @wagoodman]
• java archive parser incorrectly splitting filenames [#2563 #2565 @willmurphyscode]

Breaking Changes

• Internalize format helpers [#2543 @wagoodman]
• Internalize CPE generation logic [#2541 @wagoodman]

(Full Changelog)

50 - v0.102.0

Release Notes

Version v0.102.0

Added Features

• Swap format uses of io.ReadSeeker for io.Reader [#2515 @wagoodman]
• Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]

Bug Fixes

• Implement golang Purl subpath [#2547 @LaurentGoderre]
• CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
• Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]
• Syft missing linux kernel archives from SBOM results [#2524 #2526 @wagoodman]
• LocationResolver can leak goroutines [#2487 #2518 @willmurphyscode]
• Duplicates in Syft JSON “artifactRelationships” [#2251]

Breaking Changes

• Use the json schema as input for templating [#2542 @wagoodman]
• Unexport types and functions cataloger packages [#2530 @wagoodman]
• Internalize majority of cmd package [#2533 @wagoodman]
• Allow for RPM modularity to be optional [#2540 @wagoodman]
• CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
• Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]
• Remove deprecated API features [#2257 #2508 @wagoodman]
• Remove deprecated configuration [#1864 #2508 @wagoodman]
• Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]

Additional Changes

• Fix migration of integration test [#2546 @wagoodman]
• minor cataloger and docs nits [#2519 @luhring]

(Full Changelog)

51 - v0.101.1

Release Notes

Version v0.101.1

Bug Fixes

• Deduplicate digests from user configuration [#2522 @wagoodman]
• Duplicate relationships in final SBOM [#2509 #2516 @spiffcs]

(Full Changelog)

52 - v0.101.0

Release Notes

Version v0.101.0

Security Fixes

• bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#2501 @dependabot]

Added Features

• Added binary classifier for GCC [#2479 @LaurentGoderre]
• Add binary classifier for pypy [#2474 @LaurentGoderre]
• Add binary classifiers for Percona Software for MySQL [#2478 @abg]
• Added classifier for wordpress cli binary [#2473 @LaurentGoderre]
• Add cataloger list command [#2366 @wagoodman]
• Add ability to enable or disable individual catalogers [#1731 #1383 @wagoodman]
• Improve cataloger selection capabilities [#1039 #1383 @wagoodman]

Bug Fixes

• Include binary cataloger configuration defaults [#2504 @wagoodman]
• Condense binary cataloger config in JSON output [#2499 @wagoodman]
• Add support for the traefik binary from the official Docker image [#2484 @LaurentGoderre]
• When specify java-cataloger, java-pom-cataloger will also be selected [#2136 #1383 @wagoodman]

(Full Changelog)

53 - v0.100.0

Release Notes

Version v0.100.0

Added Features

• Add more functionality to the ErLang parser [#2390 @LaurentGoderre]
• Added OpenSSL binary matcher [#2416 @LaurentGoderre]
• Add ability to extend the binaries cataloguers [#2469 @LaurentGoderre]

Bug Fixes

• Added missing Purl for busybox [#2457 @LaurentGoderre]
• Fix diff error obfuscating binary test failures message [#2468 @LaurentGoderre]
• v0.99.0: CycloneDX json output breaks osv-scanner [#2467]

Additional Changes

• update openssl binary to -x [#2456 @spiffcs]

(Full Changelog)

54 - v0.99.0

Release Notes

Version v0.99.0

Added Features

• Look for a maven version in a pom from a parent dependency management… [#2423 @coheigea]
• Adding the ability to retrieve remote licenses for yarn.lock [#2338 @coheigea]
• Retrieve remote licenses using pom.properties when there is no pom.xml [#2315 @coheigea]
• Add the option to retrieve remote licenses for projects defined in a … [#2409 @coheigea]
• Parse Python licenses from LicenseFile entry in the Wheel Metadata [#2331 @coheigea]
• Add binary classifier for the ERLang interpreter [#2417 @LaurentGoderre]
• Parse Python licenses from LicenseExpression entry in the Wheel Metadata [#2431 @coheigea]
• Add binary classifier for Julia lang [#2427 @LaurentGoderre]
• Add binary detection for PHP composer [#2432 @LaurentGoderre]

Bug Fixes

• bump fangs for ptr summarize fix [#2387 @willmurphyscode]
• improve identification for org.codehaus.groovy artifacts [#2404 @westonsteimel]
• improve identification for commons-jelly artifacts [#2399 @westonsteimel]
• improve identification for io.minio artifacts [#2398 @westonsteimel]
• improve identification for com.graphql-java artifacts [#2397 @westonsteimel]
• improve identification for org.apache.tapestry artifacts [#2384 @westonsteimel]
• improve identification for io.ratpack artifacts [#2379 @westonsteimel]
• improve identification for org.apache.cassandra artifacts [#2386 @westonsteimel]
• improve identification for org.neo4j.procedure artifacts [#2388 @westonsteimel]
• improve identification for org.elasticsearch artifacts [#2383 @westonsteimel]
• improve identification for org.apache.geode artifacts [#2382 @westonsteimel]
• improve identification for org.apache.tomcat artifacts [#2381 @westonsteimel]
• improve identification for io.projectreactor.netty artifacts [#2378 @westonsteimel]
• stop panic when parsing Haskell stack.yaml.lock with missing hackage field [#2421 #2419 @houdini91]
• fix detecting the name of the eclipse OSGi artifact [#2314 #2349 @westonsteimel]
• File Sources incorrectly exclude files on Windows [#2410 #2411 @Racer159]
• Parser for dotnet_portable_executable using wrong attribute name [#2029 #2133 @kzantow]

Breaking Changes

• Generalize UI events for cataloging tasks [#2369 @wagoodman]

Additional Changes

• refactor pkg.Collection to remove “catalog” references [#2439 @wagoodman]
• Expose javascript fields in cataloger configuration [#2438 @wagoodman]
• Use common archive catalog configuration [#2437 @wagoodman]
• Fix file digest cataloger when passed explicit coordinates [#2436 @wagoodman]

(Full Changelog)

55 - v0.98.0

Release Notes

Version v0.98.0

Added Features

• Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
• Enhance redis binary classifier to support additional versions [#2329 @whalelines]
• Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]

Bug Fixes

• Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
• hardcode xalan group ID [#2368 @willmurphyscode]
• logging level for parsing potential PE files [#2367 @kzantow]
• Use read lock in pkg.Collection [#2341 @wagoodman]
• add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
• add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
• errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
• syft some-jar.jar fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]
• Default for recently added base path, "", disables detection of symlinked *.jar files [#1962 #2359 @willmurphyscode]
• syft attest broken since 0.85.0 [#2333 #2337 @wagoodman]
• Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]

Breaking Changes

• Remove power-user command and related catalogers [#1419 #2306 @wagoodman]

Additional Changes

• Normalize cataloger configuration patterns [#2365 @wagoodman]
• Normalize enums to lowercase with hyphens [#2363 @wagoodman]

(Full Changelog)

Special Thanks

Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍

56 - v0.97.1

Release Notes

Version v0.97.1

Bug Fixes

• Syft does not use HTTP proxy when downloading the Docker image itself [#2203 #2336 @anchore-actions-token-generator]

Additional Changes

• syft version report is broken with 0.97.0 release [#2334 #2335 @spiffcs]

(Full Changelog)

57 - v0.97.0

Release Notes

Version v0.97.0

Added Features

• Add license for golang stdlib package [#2317 @coheigea]
• Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]

Bug Fixes

• Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#2313 @coheigea]
• capture content written to stdout outside of report [#2324 @kzantow]
• add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
• skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
• cataloger dpkg-db-cataloger not working [#2323]

Breaking Changes

• Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]

Additional Changes

• Export syft-json format package metadata type helper [#2328 @wagoodman]
• Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]

(Full Changelog)

58 - v0.96.0

Release Notes

Version v0.96.0

Added Features

• Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
• store image annotations inside the SBOM [#2267 #2294 @noqcks]
• Support parsing license information in Maven projects via parent poms [#2103]

Bug Fixes

• SPDX file has duplicate sha256 tag in versionInfo [#2300 @coheigea]
• Report virtual path consistently between file.Resolvers [#1836 #2287 @wagoodman]
• Unable to identify CycloneDX JSON documents without $schema property [#2299 #2303 @kzantow]

(Full Changelog)

59 - v0.95.0

Release Notes

Version v0.95.0

Added Features

• Use case-insensitive matching for Go license files [#2286 @miquella]
• Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
• Perform case insensitive matching on Java License files [#2235 @coheigea]
• Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
• Add PURLs when scanning Gradle lock files [#2278 @robbiev]

Bug Fixes

• Fix CPE index workflow [#2252 @wagoodman]
• Fix cpe generation task [#2270 @willmurphyscode]
• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• .NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
• Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
• SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
• Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
• Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
• Fix directory resolver to always return virtual path [#2259 @wagoodman]
• Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
• Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]

Breaking Changes

• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
• Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
• Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]

Additional Changes

• Upgrade tool management [#2188 @wagoodman]
• Fix homebrew post-release workflow [#2242 @wagoodman]

(Full Changelog)

60 - v0.94.0

Release Notes

Version v0.94.0

Added Features

• Add additional license filenames [#2227 @coheigea]
• Parse donet dependency trees [#2143 @noqcks]
• Find license by embedded license text [#2147 #2213 @coheigea]
• Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]

Bug Fixes

• Report errors to stderr not stdout [#2232 @wagoodman]
• Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
• Java archive is listed twice [#2130 #2220 @wagoodman]
• Java archives not from Maven [#2217 #2220 @wagoodman]
• Remove internal.StringSet [#2209 #2219 @wagoodman]
• Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]

(Full Changelog)

61 - v0.93.0

Release Notes

Version v0.93.0

Added Features

• Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
• Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
• Improve –output CLI help and deprecate –file [#2165 #2187 @sharief007]

Bug Fixes

• Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]

Additional Changes

• Refine the docs for building a cataloger [#2175 @wagoodman]
• update license list to 3.22 [#2201 @spiffcs]
• Add exact syntax of the conversion formats [#2196 @vargenau]

(Full Changelog)

62 - v0.92.0

Release Notes

Version v0.92.0

Added Features

• Support for multiple image refs of same sha in OCI layout [#1544]

Bug Fixes

• Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]

Additional Changes

• bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]

(Full Changelog)

63 - v0.91.0

Release Notes

Version v0.91.0

Added Features

• Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
• Add support for containerd as an image source [#201 #1793 @shanedell]
• Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]

Bug Fixes

• Allow CycloneDX json input with no components [#2127 @ahoz]
• Prevent errors from clobbering terminal [#2161 @kzantow]
• Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
• SBOMs are not the same on multiple runs of syft [#1944]

Additional Changes

• Switch to stdlib’s slices pkg [#2148 @hainenber]
• Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
• Update chronicle to v0.8.0 [#2154 @wagoodman]
• Update to latest stereoscope [#2151 @spiffcs]
• Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
• Add dependency information to conan lockfile parser [#2131 @Pro]
• Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
• Enforce race detector [#2122 @willmurphyscode]

(Full Changelog)

64 - v0.90.0

Release Notes

Version v0.90.0

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [PR #2097] [wagoodman]
• Explicitly test PURL generation against key packages [Issue #2071]
• Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [PR #2088] [dlorenc]
• fix: update codeql-analysis for go 1.21 [PR #2108] [spiffcs]

65 - v0.89.0

Release Notes

Version v0.89.0

v0.89.0 (2023-08-31)

Full Changelog

Added Features

• Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
• Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]

Bug Fixes

• Fix quiet flag [PR #2081] [wagoodman]
• Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
• Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
• Config parsing includes config.yaml in working dir [Issue #1634] [PR #2001] [kzantow]
• Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
• Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
• Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]

66 - v0.88.0

Release Notes

Version v0.88.0

v0.88.0 (2023-08-25)

Full Changelog

Added Features

• Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
• feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
• Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]

Bug Fixes

• fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
• New version notice only showing the version and no text [PR #2042] [wagoodman]
• Fix: don’t validate pom declared group [PR #2054] [willmurphyscode]
• Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
• Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
• Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
• Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]

67 - v0.87.1

Release Notes

Version v0.87.1

v0.87.1 (2023-08-17)

Full Changelog

Bug Fixes

• Use Java package names to determine known groupIDs [PR #2032] [kzantow]
• Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
• SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
• Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]

68 - v0.87.0

Release Notes

Version v0.87.0

v0.87.0 (2023-08-14)

Full Changelog

Added Features

• feat: use originator logic to fill supplier [PR #1980] [spiffcs]
• Expand deb cataloger to include opkg [PR #1985] [johnDeSilencio]
• Package duplicated by different cataloger [Issue #931] [PR #1948] [spiffcs]
• Add binary cataloger for Nginx built from source [Issue #1945] [PR #1988] [SemProvoost]

Bug Fixes

• chore: update bubbly to fix hanging [PR #1990] [kzantow]
• fix: update glob to use newer usr/lib/sysimage path [PR #1997] [spiffcs]
• fix: SPDX license values and download location [PR #2007] [kzantow]
• Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #1957] [PR #1995] [kzantow]

69 - v0.86.1

Release Notes

Version v0.86.1

v0.86.1 (2023-07-31)

Full Changelog

Bug Fixes

• Source requires default image name as user input for unparsable reference [PR #1979] [kzantow]

70 - v0.86.0

Release Notes

Version v0.86.0

v0.86.0 (2023-07-31)

Full Changelog

Added Features

• Introduce indexed embedded CPE dictionary [PR #1897] [luhring]
• Add cataloger for Swift Package Manager. [PR #1919] [trilleplay]
• Guess unpinned versions in python requirements.txt [PR #1597] [PR #1966] [manifestori] [wagoodman]
• Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #1661] [Issue #1241] [PR #1934] [kzantow]

Bug Fixes

• Fix panic condition on docker pull failure [PR #1968] [wagoodman]
• Syft reports the “minimum required version” of .NET assemblies rather than the “assembly version” [Issue #1799] [PR #1943] [luhring]
• Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #1969] [spiffcs]

Breaking Changes

• Remove jotframe UI [PR #1932] [wagoodman]
• Simplify python env markers [PR #1967] [wagoodman]

71 - v0.85.0

Release Notes

Version v0.85.0

v0.85.0 (2023-07-12)

Full Changelog

Added Features

• Add a –base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #1867] [deitch]
• Add file source digest support [PR #1914] [wagoodman]
• Remove erroneous Java CPEs from generation [PR #1918] [luhring]
• Fix CPE generation for k8s python client [PR #1921] [luhring]
• Don’t use the actual redis or grpc CPEs for gems [PR #1926] [luhring]
• The text user interface is now provided by the bubbletea library [Issue #1441] [PR #1888] [wagoodman]

Bug Fixes

• Install script returns exit code 0 even if install fails [Issue #1566] [PR #1915] [lorsatti]
• [Windows] Not able to scan volume mounted to folder [Issue #1828] [PR #1884] [dd-cws]
• Deprecated license: GFDL-1.2+ [Issue #1899] [PR #1907] [spiffcs]

Breaking Changes

• Refactor the source API and syft-json source block data shape [Issue #1866] [PR #1846] [wagoodman]

Additional Changes

• chore: update iterations to protect against race [PR #1927] [spiffcs]
• fix: background reader apart from global handler for testing [PR #1929] [spiffcs]

72 - v0.84.1

Release Notes

Version v0.84.1

v0.84.1 (2023-06-29)

Full Changelog

Bug Fixes

• Fix version detection in Java archive name parsing [PR #1889] [luhring]
• Improve support for Dart SDK package dependency lockfiles [PR #1891] [rufman]
• Fix license output for some CycloneDX JSON SBOMs [Issue #1877] [PR #1879] [kzantow]
• Correctly discover Debian file relationships in distroless images [Issue #1900] [PR #1901] [westonsteimel]

Additional Changes

• Simplify the SBOM writer interface [PR #1892] [wagoodman]

73 - v0.84.0

Release Notes

Version v0.84.0

v0.84.0 (2023-06-20)

Full Changelog

Breaking Changes

• Pad artifact IDs [PR #1882] [willmurphyscode]

Additional Changes

• chore: update SPDX license list to 3.21 [PR #1885] [kzantow]

74 - v0.83.1

Release Notes

Version v0.83.1

v0.83.1 (2023-06-14)

Full Changelog

Bug Fixes

• fix: pom properties not setting artifact id [PR #1870] [jneate]
• fix(deps): pull in platform selection fix from stereoscope [PR #1871] [anchore-actions-token-generator] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see https://github.com/anchore/stereoscope/issues/188
• symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #1860] [PR #1861] [deitch]

75 - v0.83.0

Release Notes

Version v0.83.0

v0.83.0 (2023-06-05)

Full Changelog

Added Features

• Add new ‘–source-version’ and ‘–source-name’ options to set the name and version of the target being analyzed for reference in resulting syft-json format SBOMs (more formats will support these flags soon). [Issue #1399] [PR #1859] [kzantow]
• Add scope to POM properties [PR #1779] [jneate]
• Accept main.version ldflags even without vcs [PR #1855] [deitch]

Bug Fixes

• Fix directory resolver to consider CWD and root path input correctly [PR #1840] [wagoodman]
• Show all error messages if there is a failure retrieving an image with a specified scheme [Issue #1569] [PR #1801] [FrimIdan]
• v0.81.0 crashing parsing some images [Issue #1837] [PR #1839] [spiffcs]

Deprecated Features

• Migrate location-related structs to the file package [PR #1751] [wagoodman]

Additional Changes

• chore: code cleanup [PR #1865] [spiffcs]

76 - v0.82.0

Release Notes

Version v0.82.0

v0.82.0 (2023-05-23)

Full Changelog

Added Features

• Improve Go main module version detection by attempting to parse available ldflags [Issue #1785] [PR #1832] [wagoodman]

Bug Fixes

• Fix a problem in the license parsing logic that may result in a panic [PR #1839]
• Return all relevant error messages if an image retrieval fails when a scheme is specified [PR #1801] [FrimIdan]
• Fix a problem with PNPM scanning where v6 lockfiles might result in duplicated packages [Issue #1762] [PR #1778] [kzantow]

77 - v0.81.0

Release Notes

Version v0.81.0

v0.81.0 (2023-05-22)

Full Changelog

Added Features

• Support cataloging R packages [Issue #730] [PR #1790] [willmurphyscode]
• Support describing license properties and SPDX expression assertions [Issue #1577] [PR #1743] [spiffcs]
• Warn if parsing a newer SBOM [PR #1810] [willmurphyscode]

Bug Fixes

• Retain cataloged SBOM relationships [PR #1509] [houdini91]
• fix: update field plurality of 8.0.0 schema before release [PR #1820] [spiffcs]
• fix: remove spurious warnings - unknown relationship type: evident-by form-lib=syft [Issue #1812] [PR #1797] [willmurphyscode]
• CycloneDX Dependencies Relationships Inverted [Issue #1815] [PR #1816] [shanealv]
• Alpine: license expression should be complete and not parsed out [Issue #1817] [PR #1819] [spiffcs]

Additional Changes

• Print package list when extra packages found [PR #1791] [willmurphyscode]
• update cosign to v2 release (different go module) [PR #1805] [bobcallaway]

78 - v0.80.0

Release Notes

Version v0.80.0

v0.80.0 (2023-05-05)

Full Changelog

Added Features

• Improve pnpm support [Issue #1535] [PR #1752] [Shanedell]

Bug Fixes

• chore: add more detail on SPDX file IDs [PR #1769] [kzantow]
• chore: do not HTML escape PackageURLs [PR #1782] [kzantow]
• RPM database not found on ostree-managed systems [Issue #1755] [PR #1756] [fpytloun]
• Unable to use syft for private azure container registry [Issue #1777]
• linux-kernel-cataloger produces thousands of version-less components. [Issue #1781] [PR #1784] [kzantow]

Deprecated Features

• Rename pkg.Catalog to pkg.Collection [PR #1764] [wagoodman]

79 - v0.79.0

Release Notes

Version v0.79.0

v0.79.0 (2023-04-21)

Full Changelog

Added Features

• Add ALPM Metadata to CYCLONEDX and SPDX output formats [Issue #1037] [PR #1747] [Shanedell]
• consul binary classifier [Issue #1590] [PR #1738] [Shanedell]

Bug Fixes

• Syft missing direct dependencies from the gemfile.lock [Issue #1660] [PR #1749] [Shanedell]

Additional Changes

• chore: bump stereoscope to latest version [PR #1741] [westonsteimel]

80 - v0.78.0

Release Notes

Version v0.78.0

v0.78.0 (2023-04-17)

Full Changelog

Added Features

• Add Linux Kernel cataloger [PR #1694] [deitch & wagoodman]
• Support scanning license files in golang packages over the network [Issue #1056] [PR #1630] [deitch & kzantow]
• Add consul binary classifier [Issue #1590] [PR #1738] [Shanedell]
• Add annotations for evidence on package locations [PR #1723] [wagoodman]

Bug Fixes

• Decoding of the syft-json format does not handle files [Issue #1534] [PR #1698] [wagoodman]

81 - v0.77.0

Release Notes

Version v0.77.0

v0.77.0 (2023-04-11)

Full Changelog

Added Features

• feat: gradle lockfile support [PR #1719] [henrysachs]
• feat: support for java “nar” files [PR #1727] [Shanedell]

82 - v0.76.1

Release Notes

Version v0.76.1

v0.76.1 (2023-04-05)

Full Changelog

Added Features

• Capture file ownership relationships from portage ecosystem [PR #1702] [wagoodman]
• Add Nix Cataloger [Issue #462] [PR #1107] [juliosueiras] [PR #1696] [wagoodman] [flokli]

83 - v0.76.0

Release Notes

Version v0.76.0

v0.76.0 (2023-03-31)

Full Changelog

Added Features

• Scan local go mod licenses for golang packages [PR #1645] [deitch]
• update and clean license list generation to return more SPDXID for more inputs [PR #1691] [spiffcs]
• argocd binary classifier [Issue #1606] [PR #1663] [y12studio]
• Add config option to allow user to select the default image source location [Issue #1703] [spiffcs]

Bug Fixes

• Defer closing the opened file when using FileScheme [PR #1668] [Noxsios]
• fix: remove author contributing to javascript CPEs [PR #1669] [kzantow]
• fix: reduce logging for bad dpkg lines [PR #1675] [kzantow]
• Broken shell completion - Bash [Issue #962] [PR #1688] [DanHam]
• syft produces different output when run with sudo [Issue #1391] [PR #1693] [anchore-actions-token-generator]
• some binary ruby are not detected [Issue #1677] [PR #1678] [witchcraze]
• Documentation says that output is SPDX 2.2 [Issue #1679] [PR #1680] [vargenau]
• fix: move defer after error to protect panic case [PR #1670] [spiffcs]

Additional Changes

• Deprecate config.yaml as valid config source; Add unit regression for correct config paths [PR #1640] [AidanDelaney]
• Remove more side effects from application config testing [PR #1684] [wagoodman]
• chore: tweak some workflow text [PR #1685] [kzantow]
• chore: fix flaky license sorting [PR #1690] [kzantow]

84 - v0.75.0

Release Notes

Version v0.75.0

v0.75.0 (2023-03-13)

Full Changelog

Added Features

• Catalog ruby binary [Issue #1650] [PR #1665] [witchcraze]

Bug Fixes

• more python matching support [PR #1667] [kzantow]

85 - v0.74.1

Release Notes

Version v0.74.1

v0.74.1 (2023-03-09)

Full Changelog

Bug Fixes

• purl for apk packages missing when installed db file is not in root [Issue #1572] [PR #1615] [deitch]
• invalid package url type: dotnet [Issue #1622] [PR #1649] [kzantow]
• Go tests detecting race cataloging packages [Issue #1633] [PR #1639] [kzantow]
• Improve Python binary scanning [Issue #1643] [PR #1648] [kzantow]
• Update haproxy binary matcher [Issue #1646] [PR #1648] [kzantow]
• SPDX tag-value SBOM value format is incorrect for LicenseID [Issue #1651] [PR #1657] [kzantow]

86 - v0.74.0

Release Notes

Version v0.74.0

(v0.74.0) (2023-03-02)

Full Changelog

Added Features

• rust toolchain binary cataloger [PR #1601] [westonsteimel]
• Add support for SUPPORT_END in distro [PR #1612] [noqcks]
• Catalog haproxy binary [Issue #1512] [PR #1591] [noqcks]
• Handle cataloger panics [Issue #1624] [PR #1636] [kzantow]
• set cosign attest predicate type based on Syft output type [PR #1598] [Nirusu]
• retain go package info when no module declared [PR #1632] [westonsteimel]

Bug Fixes

• improve CPE generation for curl APK [PR #1608] [westonsteimel]
• determine upstream for apk version streams [PR #1610] [westonsteimel]
• decoding null apk metadata pullDependencies [PR #1614] [kzantow]
• correct apk purls for other distros [PR #1620] [westonsteimel]
• further improvements to CPE generation for apk packages [PR #1623] [westonsteimel]
• improved CPE-generation for several more APK packages [PR #1631] [westonsteimel]
• apk product/vendor generation for old metadata [PR #1635] [westonsteimel]
• Encountering “cycle during symlink resolution” with syft version 0.71.0 onwards [Issue #1586] [PR #1604] [wagoodman]
• syft erlang cataloger can segfault when analyzing an erlang project containing rebar.lock with nested deps [Issue #1621] [PR #1628] [kzantow]
• Go tests detecting race cataloging packages [Issue #1633] [PR #1639] [kzantow]

87 - v0.72.1

Release Notes

Version v0.72.1

v0.72.1 (2023-02-22)

Full Changelog

Added Features

• Update SPDX license list to 3.20 [PR #1600] [vargenau]

Bug Fixes

• Encountering “cycle during symlink resolution” with syft version 0.71.0 onwards [Issue #1586]

88 - v0.73.0

Release Notes

Version v0.73.0

v0.73.0 (2023-02-22)

Full Changelog

Added Features

• Update SPDX license list to 3.20 [PR #1600] [vargenau]
• Catalog perl binary [Issue #1587] [PR #1592] [noqcks]

Bug Fixes

• Fix issue when matching format versions [PR #1585] [kzantow]
• Cataloger filtering cross matches wrong catalogers [Issue #1573] [PR #1582] [wagoodman]
• Python binary detected multiple times when only installed once [Issue #1579] [PR #1583] [kzantow]
• Encountering “cycle during symlink resolution” with syft version 0.71.0 onwards [Issue #1586]

89 - v0.72.0

Release Notes

Version v0.72.0

v0.72.0 (2023-02-16)

Full Changelog

Added Features

• Enable SBOM conversions from STDIN [PR #1570] [wagoodman]

Bug Fixes

• fix: python CPE generation for alpine [PR #1564] [westonsteimel]
• fix: improve CPE and upstream generation logic for Alpine packages [PR #1567] [westonsteimel]

90 - v0.71.0

Release Notes

Version v0.71.0

v0.71.0 (2023-02-09)

Full Changelog

Added Features

• Catalog postgres binary [Issue #1456] [PR #1536] [witchcraze]
• Improve Syft performance [Issue #1328] [PR #1510] [wagoodman]
• Export specific format versions (SPDX) [Issue #1519] [PR #1543] [kzantow]

Bug Fixes

• source: when base is set, responsePath should be absolute [PR #1542] [jedevc]
• Licenses missing in most report format [Issue #933] [PR #1540] [deitch]
• apk packages with simplified license show NOASSERTION [Issue #1529] [PR #1540] [deitch]

91 - v0.70.0

Release Notes

Version v0.70.0

v0.70.0 (2023-02-03)

Full Changelog

Added Features

• Catalog traefik binary [Issue #1460] [PR #1504] [witchcraze]

Bug Fixes

• Syft hardcodes custom attestation type [Issue #1532] [PR #1533] [Nirusu]

Security

• Prevent leaking attestation password or key path to console or SBOM contents [PR #1538] [GHSA-jp7v-3587-2956] [CVE-2023-24827]

92 - v0.69.1

Release Notes

Version v0.69.1

v0.69.1 (2023-01-31)

Full Changelog

Changes

• update golang to 1.19 [PR #1526] [bradleyjones]
• update spdx/tools-golang to v0.5.0-rc1 [PR #1503] [kzantow]

93 - v0.69.0

Release Notes

Version v0.69.0

v0.69.0 (2023-01-30)

Full Changelog

Added Features

• Allow scanning unpacked container filesystems if using Syft as a library [Issue #1359] [PR #1485] [jedevc]

Bug Fixes

• Syft convert now works properly with template output [Issue #1409] [PR #1521] [kzantow]
• Attestation with a private key [Issue #1465] [PR #1502] [spiffcs]

94 - v0.68.1

Release Notes

Version v0.68.1

v0.68.1 (2023-01-25)

Full Changelog

Bug Fixes

• Add relevant CPEs to python and busybox classifiers [PR #1517] [westonsteimel]

Additional Changes

• Bump github.com/spdx/tools-golang to v0.4.0 [PR #1450] [lucacome]

95 - v0.68.0

Release Notes

Version v0.68.0

v0.68.0 (2023-01-20)

Full Changelog

Added Features

• Catalog memcached binary [Issue #1459] [@witchcraze]

Bug Fixes

• Relax error conditions for catalogers [PR #1492] [wagoodman]
• Always set the package ID for java packages [PR #1493] [wagoodman]
• Fix panic in APK version specifier handling [PR #1494] [luhring]
• ZERO npm dependencies discovered if any npm dependency has an array as a license [Issue #1479]
• Syft panics on APK parsing when Dependencies or Provides holds an empty string [Issue #1483]

96 - v0.66.2

Release Notes

Version v0.66.2

v0.66.2 (2023-01-17)

Full Changelog

Bug Fixes

• update dependency golang.org/x/text [Issue #1457]
• syft is now throwing panic with version 0.66.1 [Issue #1462]

97 - v0.66.1

Release Notes

Version v0.66.1

v0.66.1 (2023-01-12)

Full Changelog

Bug Fixes

• update graalvm cataloger to fix panic [PR #1454] [kzantow]

98 - v0.66.0

Release Notes

Version v0.66.0

v0.66.0 (2023-01-12)

Full Changelog

Added Features

• Catalog Erlang/Elixir artifacts using “rebar” and “mix” package managers [Issue #1071] [@cpendery]
• Catalog PHP binary runtimes [Issue #1429] [@witchcraze]
• Catalog Apache HTTP binary runtimes [Issue #1440] [@witchcraze]
• Catalog redis binary runtimes [Issue #1437] [@noqcks]
• Increase the speed of cataloger stage [Issue #1353] [@Mikcl]
• Add the origin field to the output format of syftjson [PR #1327] [@asi-cider]

Bug Fixes

• A duplicate file in tar archive causes read to fail [Issue #1400] [@kzantow]

99 - v0.65.0

Release Notes

Version v0.65.0

v0.65.0 (2023-01-04)

Full Changelog

Added Features

• refactor basic CPE functionality to its own package [PR #1436] [kzantow]
• adding purl types for binary classifiers [Issue #1435] [noqcks]

Bug Fixes

• silence additional excessive go binary warnings [Issue #1432] [jedevc]

100 - v0.64.0

Release Notes

Version v0.64.0

v0.64.0 (2022-12-23)

Full Changelog

Added Features

• License parsing for Java [PR #1385]
• Integration or association of binary and package [Issue #1411]
• Include go.sum h1 digest information in checksums [Issue #1277]

Bug Fixes

• Clean package names found in python catalogers [PR #1417] [wagoodman]
• FilesAnalyzed wrong and missing SHA1 for files [Issue #1396]
• Binary executables identified as “library” type in CycloneDX [Issue #1402]
• Excessive “unable to read golang buildinfo error=not a Go executable file” warnings in versions after v0.62.1 [Issue #1403]
• Binary java detection [Issue #1410]

101 - v0.63.0

Release Notes

Version v0.63.0

v0.63.0 (2022-12-12)

Full Changelog

Added Features

• Catalog Java binary runtimes [Issue #1388]

Bug Fixes

• Syft generates too loose of cpes for python redis [Issue #1066]
• Panic in alpm cataloger [Issue #1195]
• goroutine stack exceeds 1000000000-byte limit scanning image [Issue #1368]
• Binary go detection [Issue #1382]

102 - v0.62.3

Release Notes

Version v0.62.3

v0.62.3 (2022-11-30)

Full Changelog

Added Features

• Add a generic binary cataloger [PR #1336] [kzantow]
• Add --name option to override name in output [1269] [jedevc]

Bug Fixes

• Recover from bad parsing of golang binary [PR #1371] [wagoodman]
• panic: runtime error: index out of range [0] with length 0 [Issue #1094]
• Syft finds no apks for some images with apks [Issue #1354]

103 - v0.62.2

Release Notes

Version v0.62.2

v0.62.2 (2022-11-28)

Full Changelog

Bug Fixes

• SPDX-json output differs between cli and golang implementation [Issue #1213]
• Python cataloging fails to remove some non-version characters from version string [Issue #1360]
• Haskell Cabal packages crash syft [Issue #1362]
• Panic case for alpm on windows has a correct error case [Issue #1094]

104 - v0.62.1

Release Notes

Version v0.62.1

v0.62.1 (2022-11-21)

Full Changelog

Bug Fixes

• fix(npm): handle aliases in package-lock.json [Issue #1314] [Mikcl]
• chore: add debug logging for decode errors [PR #1352] [kzantow]
• fix: sort relationships in SPDX output [Issue #1213] [kzantow]

105 - v0.62.0

Release Notes

Version v0.62.0

v0.62.0 (2022-11-18)

Full Changelog

Added Features

• NPM package-lock.json version 3 [Issue #1203]

Bug Fixes

• Don’t replace : with - in docker SPDX namespaces [Issue #1111]

106 - v0.61.0

Release Notes

Version v0.61.0

v0.61.0 (2022-11-18)

Full Changelog

Added Features

• Add support for map fields in CycloneDX (XML and JSON) [Issue #1032]
• Dependency’s MIT license not picked up when scanning package-lock.json [Issue #1113]
• Support SPDX 2.3 [Issue #1292]
• Add support for dependency relationships for alpine (apk) [PR #1063]

Bug Fixes

• Normalize alpm md5 refs [PR #1333] [wagoodman]
• APK Metadata decoding should be backwards compatible [PR #1341] [wagoodman]
• Add spdx relationship encoding for dependencies [PR #1342] [wagoodman]
• v0.3.0 SPDX SBOM Does Not Have Unique SPDXID Package IDs [Issue #923]
• Missing licenses and “skipping encoding of unsupported property: syft:metadata:goBuildSetting” [Issue #1007]
• System independent build not possible [Issue #1084]
• Dependency’s MIT license not picked up when scanning package-lock.json [Issue #1113]
• No packages discovered in SIF when image source not specified [Issue #1189]
• syft packages panics on OCI archive creation [Issue #1318]
• Missing metadata in syft-json artifacts crashes grype [Issue #1334]
• CPE for amazoncorretto:19.0.1-al2 is incorrect [Issue #1337]

107 - v0.60.3

Release Notes

Version v0.60.3

v0.60.3 (2022-11-03)

Full Changelog

108 - v0.60.2

Release Notes

Version v0.60.2

v0.60.2 (2022-11-02)

Full Changelog

109 - v0.60.1

Release Notes

Version v0.60.1

v0.60.1 (2022-11-01)

Full Changelog

Added Features

• Remove the docker installation from the release process [Issue #577]
• Include go binary h1 digests in SPDX [Issue #1261]

Bug Fixes

• A malformed Python RECORD file stops Syft processing [Issue #1012]
• Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) [Issue #1179]
• Update SPDX license list to 3.18 [Issue #1245]
• Versions not printed out properly from maven pom.xml [Issue #1251]
• syft attest –output cyclonedx-json incompatible with cosign [Issue #1268]
• Create SBOM file will have suffix in modules name [Issue #1275]

110 - v0.59.0

Release Notes

Version v0.59.0

Full Changelog

Added Features

• Attest support for Singularity images [Issue #1193]
• Remove upload to Anchore Enterprise [Issue #1252]

Bug Fixes

• Update requires to use list; remove field [PR #1234] [spiffcs]
• Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) [Issue #1179]
• SPDX JSON has external reference category of PACKAGE_MANAGER instead of PACKAGE-MANAGER [Issue #1236]
• Follow symlinks when searching for globs in all-layers scope [PR #1221] [kzantow]

111 - v0.58.0

Release Notes

Version v0.58.0

Full Changelog

Added Features

• Add support for cpp conan.lock files [PR #1230]
• Adding file checksum field in SPDX documents [Issue #1226]

Bug Fixes

• Excluding a directory does not work on Windows [Issue #1024]
• RPM file scan failed [Issue #1231]

112 - v0.57.0

Release Notes

Version v0.57.0

Full Changelog

Added Features

• Consistent sorting for SPDX JSON output [Issue #1213]

Bug Fixes

• Attest panic on MacOS [Issue #1210]

113 - v0.56.0

Release Notes

Version v0.56.0

Full Changelog

Added Features

• Add flag to disable Syft hitting toolbox-data.anchore.io [Issue #1185]

Bug Fixes

• Warn on errors from RPM DB parsing [PR #1200] [wagoodman]
• SPDX PackageLicenseDeclared should be NOASSERTION [Issue #660]
• Syft failed to parse Singularity image [Issue #1150]

114 - v0.55.0

Release Notes

Version v0.55.0

v0.55.0 (2022-08-29)

Full Changelog

Added Features

• Capture package.json private field for npm modules [Issue #1160]
• add support for pnpm [Issue #1165]

Bug Fixes

• Java-Cataloger produces empty entries for cyclonedx output [Issue #466]
• No licenses included in scan with yarn.lock [Issue #845]
• syft convert -o option erroring out [Issue #1095]

115 - v0.54.0

Release Notes

Version v0.54.0

v0.54.0 (2022-08-17)

Full Changelog

Added Features

• Assume :latest tag implicitly [Issue #411]
• Add ‘rpm modularity’ to rpm records generated by syft [Issue #1145]

Bug Fixes

• Empty metadata while decoding should be allowed [PR #1154] [wagoodman]
• Add PHP Composer dev dependencies [Issue #773]
• opaque error when scanning an image in github registry [Issue #790]
• javascript-lock-cataloger not detect and parse yarn.lock file [Issue #798]
• Distro identification fails for dir: scheme when identityFiles not in scope. [Issue #814]
• podman report not working [Issue #893]
• Parsing yarn.lock fails to identify the currect package and version combinations [Issue #925]
• gemspecs going unreported [Issue #960]
• json SPDX invalid format [Issue #992]
• Docker configuration issue on release [Issue #1126]
• Can’t configure off-by-default cataloger without using –all [Issue #1141]

116 - v0.53.4

Release Notes

Version v0.53.4

v0.53.4 (2022-08-03)

Full Changelog

117 - v0.53.3

Release Notes

Version v0.53.3

v0.53.3 (2022-08-03)

Full Changelog

Bug Fixes

• Deprecated SPDX license (GPL-2.0+) [Issue #950]

118 - v0.53.2

Release Notes

Version v0.53.2

v0.53.2 (2022-08-02)

Full Changelog

Bug Fixes

• Phantom release 0.53.0 [Issue #1128]

119 - v0.53.1

Release Notes

Version v0.53.1

v0.53.1 (2022-08-02)

Full Changelog

Added Features

• Singularity Image Format (SIF) support [Issue #937]

120 - v0.53.0

Release Notes

Version v0.53.0

v0.53.0 (2022-08-02)

Full Changelog

Added Features

• Add support for auditable Rust binaries [Issue #1108]

Bug Fixes

• WARN unable to convert relationship from CycloneDX 1.3 JSON [Issue #980]
• purls not generated for unknown types [Issue #1118]

121 - v0.52.0

Release Notes

Version v0.52.0

v0.52.0 (2022-07-21)

Full Changelog

Added Features

• Replace scratch base image with distroless static [Issue #833]
• add Haskell support [Issue #1093]

Bug Fixes

• Unable to build binary on ppc64le architecture [Issue #1097]

122 - v0.51.0

Release Notes

Version v0.51.0

v0.51.0 (2022-07-11)

Full Changelog

Added Features

• Syft ignore docker images [Issue #670]
• feat: add support for cocoapods (Swift/Objective-C) [Issue #815]
• An option to limit to a single filesystem (like -xdev) [Issue #674]
• Add Gentoo Linux support [Issue #998]
• Update README.md with information about syft choco package [Issue #1028]

Bug Fixes

• syft attest cmd is not exporting output to file [Issue #1061]
• Name is duplicated into Package URL Namespace when Go module path has one element [Issue #1091]
• fix: unintended artifactRelationship records of type ownership-by-file-overlap are being reported [Issue 1077]

123 - v0.50.0

Release Notes

Version v0.50.0

v0.50.0 (2022-07-06)

Full Changelog

Added Features

• Add a dockerized workflow for local dev [Issue #1042]
• add flag for image scanning to use all catalogers rather than just some [Issue #1049]
• feat: add Conan (C/C++) support [Issue #1082]

Bug Fixes

• composer.json isn’t parsed for packages [Issue #1064]
• Source pom.xml cataloger Namespace error [Issue #1075]
• unintended artifactRelationship records of type ownership-by-file-overlap are being reported in SBOMs generated against current fedora container imges [Issue #1077]

124 - v0.49.0

Release Notes

Version v0.49.0

v0.49.0 (2022-06-24)

Full Changelog

Added Features

• Allow user-defined output formats [Issue #152]
• Add ability to enable/disable package catalogers [Issue #465]
• Catalog packages from source pom.xml during directory scans [Issue #676]
• Enable/disable SBOM generation for specific language types [Issue #840]
• Add support for Mariner distroless images [Issue #1044]

Bug Fixes

• No results for rpm packages when run against version 9.x of redhat/almalinux [Issue #1030]
• Updates parsing of yarn.lock to use resolved URLs [PR #926]

125 - v0.48.1

Release Notes

Version v0.48.1

v0.48.1 (2022-06-16)

Full Changelog

Bug Fixes

• syft dependency graph on stereoscope upgrade [Issue #1047]. Resolves https://github.com/advisories/GHSA-5ffw-gxpp-mxpf

126 - v0.48.0

Release Notes

Version v0.48.0

v0.48.0 (2022-06-16)

Full Changelog

Added Features

• Add Pacman (Arch linux package manager) support [Issue #241]

Bug Fixes

• syft Golang image finds no packages [Issue #1046]

127 - v0.47.0

Release Notes

Version v0.47.0

v0.47.0 (2022-06-09)

Full Changelog

Added Features

• Support newer versions of ‘rpm’ that use Sqlite for the db instead of BerkeleyDB [Issue #469]
• Support ’ndb’ rpm database format used in rpmdb 4.15+ [Issue #504]
• Amazon Linux 2022 [Issue #838]
• Specify the “main module” in Go binary metadata for packages [Issue #908]
• Make Syft available in the Nix Package Store (nixpkgs) [Issue #1019]

Bug Fixes

• Version is [not provided] when encoding to most formats [Issue #1010]
• Panic from Syft cyclonedx format method [Issue #1014

128 - v0.46.3

Release Notes

Version v0.46.3

v0.46.3 (2022-05-26)

Full Changelog

Bug Fixes

• Longer CPEs for golang modules to avoid false positives [PR #1006] [jonasagx]
• Package.json cataloger malformed licences dropping package [Issue #1008]

129 - v0.46.2

Release Notes

Version v0.46.2

v0.46.2 (2022-05-23)

Full Changelog

Bug Fixes

• Wrong source when “:” character in file name [Issue #927]
• json CycloneDX invalid format [Issue #995]
• Invalid CycloneDX SHA1 algorithm [Issue #1001]

130 - v0.46.1

Release Notes

Version v0.46.1

v0.46.1 (2022-05-16)

Bug Fixes

• Fix Cyclone-DX output so only valid enum values are produced. Add integration tests to cover validation. [PR #967] [Christopher Phillips]

Full Changelog

131 - v0.46.0

Release Notes

Version v0.46.0

v0.46.0 (2022-05-12)

Full Changelog

Added Features

• Support format SBOM conversion [Issue #563]
• .NET Core-Support [Issue #726]
• Support attaching attestation right after generate it [Issue #990]

Bug Fixes

• Fix github-json output option [PR #967] [StevenMaude]
• Clearing Go main module version makes creating a CycloneDX 1.3 JSON document difficult [Issue #959]
• WARN golang cataloger: failed to read buildinfo [Issue #978]

132 - v0.45.1

Release Notes

Version v0.45.1

v0.45.1 (2022-05-03)

Full Changelog

Bug Fixes

• reduce noise of log output at the info level [PR #976] [luhring]
• fix Illegal character encoding in CylconeDX-XML. [Issue #918]
• update golang crypto library dependency [Issue #972]

133 - v0.45.0

Release Notes

Version v0.45.0

v0.45.0 (2022-04-29)

Full Changelog

Added Features

• Preserve package IDs on Syft JSON SBOM decode [PR #963] [wagoodman]
• refactor command package to remove globals and add dependency injection [PR #965] [spiffcs]

Bug Fixes

• Decoding of sparse CycloneDX does not set language [Issue #953]

134 - v0.44.1

Release Notes

Version v0.44.1

v0.44.1 (2022-04-15)

Full Changelog

Bug Fixes

• Invalid SPDXID (contains an underscore) [Issue #949]
• Invalid SPDXID (contains a slash) [Issue #952]

135 - v0.44.0

Release Notes

Version v0.44.0

v0.44.0 (2022-04-12)

Full Changelog

Added Features

• Detect Java Namespaces/Group IDs by hash [Issue #887]
• Add additional Vendors for Springframework [PR #947 ]

136 - v0.43.2

Release Notes

Version v0.43.2

v0.43.2 (2022-04-06)

Full Changelog

Bug Fixes

• Pulls from private DockerHub repo fails with 0.43.0 when working with 0.42.4 [Issue #936]

137 - v0.43.0

Release Notes

Version v0.43.0

v0.43.0 (2022-03-31)

Full Changelog

Added Features

• Add dart support [PR #919] [ericlarssen-wf]
• Add list of supported package managers or catalogers to the README for simpler reference [Issue #913]

Bug Fixes

• Pull from DockerHub fails for public images when using SSO [PR #928] [wagoodman]
• Panic in DirectoryResolver indexPath due to null info parameter [Issue #872]

138 - v0.42.4

Release Notes

Version v0.42.4

v0.42.4 (2022-03-24)

Full Changelog

Bug Fixes

• Fix panic on empty sbom [PR #917] [luhring]
• bump strset version to fix 386 builds [PR #911] [wagoodman]

139 - v0.42.3

Release Notes

Version v0.42.3

v0.42.3 (2022-03-23)

Full Changelog

Bug Fixes

• Less verbose logging in Golang Cataloger [PR #904] [jonasagx]

140 - v0.42.2

Release Notes

Version v0.42.2

v0.42.2 (2022-03-22)

Full Changelog

Added Features

• Improve docker config support [PR #906] [wagoodman]

141 - v0.42.1

Release Notes

Version v0.42.1

v0.42.1 (2022-03-21)

Full Changelog

Bug Fixes

• Fix CycloneDX license decoding [PR #898] [kzantow]
• Fix image cleanup when there is an error [PR #905] [wagoodman]
• Omit H1Digest when empty [PR #902] [jonasagx]

142 - v0.42.0

Release Notes

Version v0.42.0

v0.42.0 (2022-03-17)

Full Changelog

Added Features

• Capture additional go 1.18 based binary information [Issue #718] [jonasagx]

Bug Fixes

• Fix panic when CycloneDX BOM missing metadata.component [#895] [kzantow]

143 - v0.41.6

Release Notes

Version v0.41.6

v0.41.6 (2022-03-16)

Full Changelog

Bug Fixes

• Fix panic parsing CycloneDX [PR #892] [kzantow]

144 - v0.41.5

Release Notes

Version v0.41.5

v0.41.5 (2022-03-15)

Full Changelog

Bug Fixes

• NPM PURLs are invalid [PR #832] [houdini91]

145 - v0.41.4

Release Notes

Version v0.41.4

v0.41.4 (2022-03-11)

Full Changelog

Added Features

• Support Yarn v3 [PR #868] [cipher-ardvark]
• Update to CycloneDX 1.4 [Issue #744] [samj1912]

Bug Fixes

• Correct CycloneDX distro decoding, test relationships [PR #745] [kzantow]
• RPM Epoch should be optional in the json schema [PR #880] [wagoodman]
• syft packages fails to catalog golang binary’s modules for binary built with vendored modules [Issue #871] [fg-j]

146 - v0.41.1

Release Notes

Version v0.41.1

v0.41.1 (2022-03-08)

Full Changelog

Bug Fixes

• Fix file creation for output options [PR #875] [wagoodman]

147 - v0.41.0

Release Notes

Version v0.41.0

v0.41.0 (2022-03-07)

Full Changelog

Added Features

• Add platform selection [PR #866] [wagoodman]

Bug Fixes

• Include root path in directory resolve index [PR #869] [wagoodman]

148 - v0.40.1

Release Notes

Version v0.40.1

v0.40.1 (2022-03-04)

Full Changelog

Bug Fixes

• Correct SPDX-JSON checksum algorithm [PR #863] [kzantow]

149 - v0.40.0

Release Notes

Version v0.40.0

v0.40.0 (2022-03-02)

Full Changelog

Added Features

• Add support for multiple CPEs in CycloneDX [Issue #818]
• Use syft property namespace in CycloneDX [Issue #842]

Bug Fixes

• Wrong digest used for in-toto statement subject when using Docker daemon source [Issue #855]