Releases: anchore/syft
Releases · anchore/syft
v1.19.0
Added Features
- add license parsing from vendor dirs [#3522 @dschmidt]
- Support cataloging NuGet packages [#373 #3484 @Kemosabert]
Bug Fixes
- Syft generates invalid PURLs when name contains
:[#3577 #3596 @spiffcs @jkugler] - warn instead of error if zero package catalogers are select - user might still run file metadata cataloger, for example [#3128 #3468 @tomersein]
- sbom report: missing licenses [#3527 #3549 @kzantow]
Additional Changes
Contributors
jkugler, dschmidt, and 4 other contributors
Assets 27
- 2.06 KB
2025-01-22T20:04:57Z - 3.08 KB
2025-01-22T20:04:57Z - 96 Bytes
2025-01-22T20:04:57Z - 191 KB
2025-01-22T20:04:57Z - 17.5 MB
2025-01-22T20:04:53Z - 191 KB
2025-01-22T20:04:57Z - 16.4 MB
2025-01-22T20:04:53Z - 16.9 MB
2025-01-22T20:04:56Z - 17.5 MB
2025-01-22T20:04:54Z - 190 KB
2025-01-22T20:04:57Z -
2025-01-22T19:57:03Z -
2025-01-22T19:57:03Z - Loading
v1.18.1
Bug Fixes
- Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#3390]
- SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#3441 #3517 @willmurphyscode]
Additional Changes
Contributors
willmurphyscode and spiffcs
Assets 27
v1.18.0
Added Features
- convert spdx absolute to relative [#3509 @spiffcs]
- Add relationships for rust audit binary packages [#3500 @wagoodman]
- support configuration of layer size in Syft [#3428 #3464 @tomersein]
- Support Dart arm/v7 in 3.x and 2.x [#3278 #3475 @witchcraze]
Bug Fixes
- fix order of rust dependencies and support git sources in Cargo.lock dependencies [#3502 @willmurphyscode]
- Use file indexer directly when scanning with file source [#3333 @adammcclenaghan]
- Remove incorrect power-user help text that only image sources are supported [#2046]
- Invalid SPDX: missing copyright text [#3346 #3495 @spiffcs]
- Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#3403]
Contributors
wagoodman, willmurphyscode, and 4 other contributors
Assets 27
v1.17.0
Added Features
- Surface Rust dependency relationships [#2353 #3443 @willmurphyscode]
- Support node 6.x versions [#3404 #3419 @witchcraze]
Bug Fixes
- Restore log on UI teardown [#3427 @wagoodman]
- Syft should log warnings even when no TTY is present [#3081 #3466 @willmurphyscode]
- Special characters (tab, newline) in license URL [#3122 #3449 @spiffcs]
- LicenseDeclared not as per SPDX License List [#3030 #3461 @spiffcs]
Additional Changes
Contributors
wagoodman, popey, and 3 other contributors
Assets 27
v1.16.0
Added Features
Bug Fixes
- add support for dependencies and purl for Native Image SBOMs [#3399 @rudsberg]
- stop bubbling fileResolver errors from binary cataloger [#3410 @spiffcs]
- malformed pom.xml may cause recursive loop [#3391 @kzantow]
- syft convert: broken link in help - documentation no longer existing [#3143 #3407 @Makefolder]
Contributors
njv299, kzantow, and 3 other contributors
Assets 27
v1.15.0
Added Features
- Merge config files hierarchically and add support for config profiles [#3337 @kzantow]
- Enable cargo-auditable-binary-cataloger for files/directories [#3376 @ariel-miculas]
- Improve mariadb binary classifer to detect older versions [#3052]
- Look for dpkg status file at additional globs [#2692 #3373 @njv299]
- Emit relationships for Java dependencies [#3189 #3363 @kzantow]
Contributors
njv299, kzantow, and ariel-miculas
Assets 27
v1.14.2
Bug Fixes
- Use single license scanner for all catalogers [#3348 @wagoodman]
- use official CPE for linux kernel [#3343 @westonsteimel]
- improve mariadb binary classifer to detect older versions [#3339 @westonsteimel]
Additional Changes
- Update to latest packageurl-go [#3347 @wagoodman]
Contributors
wagoodman and westonsteimel
Assets 27
v1.14.1
Bug Fixes
- stop some log.Warn spam due parsing an empty string as a CPE [#3330 @willmurphyscode]
- improve go binary semver extraction for traefik [#3325 @westonsteimel]
Contributors
westonsteimel and willmurphyscode
Assets 27
v1.14.0
Added Features
- Report known unknowns directly in the output SBOM [#518 #2998 @kzantow]
- Identify
bash.preinst[#3191 #3228 @wagoodman] - Support HAProxy rc and some old versions [#3233 #3277 @witchcraze]
- Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 [#3279 #3281 @witchcraze]
- Support node old versions [#3236 #3284 @witchcraze]
- Support rubylang/ruby dev versions [#3239 #3285 @witchcraze]
- Support ruby rc, preview [#3238 #3285 @witchcraze]
Bug Fixes
- performance: instantiate license check scanner to prevent memory leak [#3290 @govrin]
- Parse package.json with non-standard fields in 'author' section [#3300 @nuada]
- make failed CPE validation correctly return error [#2762 @willmurphyscode]
- Improve subpath to mount matching [#3269 @cdupuis]
Additional Changes
- add pull request template [#3294 @willmurphyscode]
Contributors
cdupuis, wagoodman, and 5 other contributors
Assets 27
v1.13.0
Added Features
- --enrich flag for data enrichment feature enablement [#3182 @kzantow]
- Add classifier for Dart lang [#3265 @LaurentGoderre]
- add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher [#3252 @krysgor]
- Catalog JDKs more completely [#3188 #3217 @wagoodman]
- Show richer information for JVM installations [#1426 #3217 @wagoodman]
- Allow for stubbing unknown versions over dropping packages [#2652 #3257 @wagoodman]
- Name and Version empty for Java package when scanning provided image [#2132 #3257 @wagoodman]
- Support bitnami/mysql:8.x [#3025]
Bug Fixes
- OpenJDK CPEs [#2422 #3217 @wagoodman]
- SBOM generated from poetry lock file contains no license information on any dependencies [#3204]
- Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) [#2039 #3257 @wagoodman]
- Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) [#2038 #3257 @wagoodman]
- Command
make add-snippetcan fail in some cases [#3249]
Contributors
wagoodman, LaurentGoderre, and 2 other contributors