v0.88.0

Release notes for grype v0.88.0
Categories:
Tags:

Release Notes

Version v0.88.0

[!IMPORTANT] With #2126 the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.

Added Features

Bug Fixes

  • fix golang 1.24 versions when not semver compliant [#2486 @xnox]
  • error out on maven search rate limiting [#2460 @luhring]
  • CPE search failed when considering target software for unknown package type [#2434 #2438 @westonsteimel]
  • Grype Does Not Clean TMPDIR When Running in a Docker Container [#2500]
  • GetMavenPackageBySha can be rate limited by maven central, grype will silently fail which results in inconsistent scan results [#2383]
  • Grype exits with error on JSON output with PURL input [#2360]
  • Removal of temporary files not working on Windows [#2233 #2439 @kzantow]
  • grype db status reports “valid” when the DB is missing [#2077 #2439 @kzantow]
  • grype db status doesn’t always check the db’s checksum and validity [#1648 #2439 @kzantow]
  • False positive of CVE-2023-45853 on apt zlib1g/now 1:1.2.13.dfsg-1 package [#2412 #2474 @westonsteimel]
  • GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version [#2408]
  • “grype config” output swaps comments for search-indexed-archives / search-unindexed-archives [#2409 #2414 @spiffcs]

Breaking Changes

Additional Changes

(Full Changelog)

Last modified October 10, 2025: fix reference links (1594d93)