Releases: anchore/syft
v0.104.0
Added Features
- Adding metadata fields when parsing yarn.lock and poetry.lock [#2350 @asi-cider]
- Add Erlang OTP Application cataloger [#2403 @LaurentGoderre]
- Support Conan lockfiles v0.5 [#2050]
- Identify security-features-of-interest within binaries [#2434 #2443 @wagoodman]
- Top-level API should be more composable [#558 #2517 @wagoodman]
- Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]
Bug Fixes
- unmarshal key values in Java, Go, and Conan metadata [#2603 @willmurphyscode]
- incorrect conversion between integer types [#2605 @spiffcs]
- prefer portable executable product version when semantically greater than file version [#2600 @westonsteimel]
- Stop iterating maps in catalogers [#2405 #2553 @wagoodman]
- unknown flag: --key when using `syft attest --key [KEY]` [#2544 #2551 @willmurphyscode]
- purl generation broken for kafka jars [#2385 #2573 @westonsteimel]
Breaking Changes
- Top-level API should be more composable [#558 #2517 @wagoodman]
- Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]
v0.103.1
Security Fixes
- Bump archiver and stereoscope to address path traversal issues [#2570 @wagoodman]
Bug Fixes
- Revert cosign signing of release checksums file [#2571 @wagoodman]
- java archive parser incorrectly splitting filenames [#2563 #2565 @willmurphyscode]
Breaking Changes
- Internalize format helpers [#2543 @wagoodman]
- Internalize CPE generation logic [#2541 @wagoodman]
v0.102.0
Added Features
- Swap format uses of io.ReadSeeker for io.Reader [#2515 @wagoodman]
- Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]
Bug Fixes
- Implement golang Purl subpath [#2547 @LaurentGoderre]
- CPE definition on `pkg.Package` is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
- Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]
- Syft missing linux kernel archives from SBOM results [#2524 #2526 @wagoodman]
- LocationResolver can leak goroutines [#2487 #2518 @willmurphyscode]
- Duplicates in Syft JSON "artifactRelationships" [#2251]
Breaking Changes
- Use the json schema as input for templating [#2542 @wagoodman]
- Unexport types and functions cataloger packages [#2530 @wagoodman]
- Internalize majority of cmd package [#2533 @wagoodman]
- Allow for RPM modularity to be optional [#2540 @wagoodman]
- CPE definition on `pkg.Package` is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
- Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]
- Remove deprecated API features [#2257 #2508 @wagoodman]
- Remove deprecated configuration [#1864 #2508 @wagoodman]
- Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]
Additional Changes
- Fix migration of integration test [#2546 @wagoodman]
- minor cataloger and docs nits [#2519 @luhring]
v0.101.1
Bug Fixes
- Deduplicate digests from user configuration [#2522 @wagoodman]
- Duplicate relationships in final SBOM [#2509 #2516 @spiffcs]
v0.101.0
Security Fixes
- bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#2501 @dependabot]
Added Features
- Added binary classifier for GCC [#2479 @LaurentGoderre]
- Add binary classifier for pypy [#2474 @LaurentGoderre]
- Add binary classifiers for Percona Software for MySQL [#2478 @abg]
- Added classifier for wordpress cli binary [#2473 @LaurentGoderre]
- Add cataloger list command [#2366 @wagoodman]
- Add ability to enable or disable individual catalogers [#1731 #1383 @wagoodman]
- Improve cataloger selection capabilities [#1039 #1383 @wagoodman]
Bug Fixes
- Include binary cataloger configuration defaults [#2504 @wagoodman]
- Condense binary cataloger config in JSON output [#2499 @wagoodman]
- Add support for the traefik binary from the official Docker image [#2484 @LaurentGoderre]
- When specifying java-cataloger, java-pom-cataloger will also be selected [#2136 #1383 @wagoodman]
v0.100.0
Added Features
- Add more functionality to the ErLang parser [#2390 @LaurentGoderre]
- Added OpenSSL binary matcher [#2416 @LaurentGoderre]
- Add ability to extend the binaries cataloguers [#2469 @LaurentGoderre]
Bug Fixes
- Added missing Purl for busybox [#2457 @LaurentGoderre]
- Fix diff error obfuscating binary test failures message [#2468 @LaurentGoderre]
- v0.99.0: CycloneDX json output breaks osv-scanner [#2467]
Additional Changes
v0.99.0
Added Features
- Look for a maven version in a pom from a parent dependency management… [#2423 @coheigea]
- Adding the ability to retrieve remote licenses for yarn.lock [#2338 @coheigea]
- Retrieve remote licenses using pom.properties when there is no pom.xml [#2315 @coheigea]
- Add the option to retrieve remote licenses for projects defined in a … [#2409 @coheigea]
- Parse Python licenses from LicenseFile entry in the Wheel Metadata [#2331 @coheigea]
- Add binary classifier for the ERLang interpreter [#2417 @LaurentGoderre]
- Parse Python licenses from LicenseExpression entry in the Wheel Metadata [#2431 @coheigea]
- Add binary classifier for Julia lang [#2427 @LaurentGoderre]
- Add binary detection for PHP composer [#2432 @LaurentGoderre]
Bug Fixes
- bump fangs for ptr summarize fix [#2387 @willmurphyscode]
- improve identification for org.codehaus.groovy artifacts [#2404 @westonsteimel]
- improve identification for commons-jelly artifacts [#2399 @westonsteimel]
- improve identification for io.minio artifacts [#2398 @westonsteimel]
- improve identification for com.graphql-java artifacts [#2397 @westonsteimel]
- improve identification for org.apache.tapestry artifacts [#2384 @westonsteimel]
- improve identification for io.ratpack artifacts [#2379 @westonsteimel]
- improve identification for org.apache.cassandra artifacts [#2386 @westonsteimel]
- improve identification for org.neo4j.procedure artifacts [#2388 @westonsteimel]
- improve identification for org.elasticsearch artifacts [#2383 @westonsteimel]
- improve identification for org.apache.geode artifacts [#2382 @westonsteimel]
- improve identification for org.apache.tomcat artifacts [#2381 @westonsteimel]
- improve identification for io.projectreactor.netty artifacts [#2378 @westonsteimel]
- stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field [#2421 #2419 @houdini91]
- fix detecting the name of the eclipse OSGi artifact [#2314 #2349 @westonsteimel]
- File Sources incorrectly exclude files on Windows [#2410 #2411 @Racer159]
- Parser for dotnet_portable_executable using wrong attribute name [#2029 #2133 @kzantow]
Breaking Changes
- Generalize UI events for cataloging tasks [#2369 @wagoodman]
Additional Changes
- refactor pkg.Collection to remove "catalog" references [#2439 @wagoodman]
- Expose javascript fields in cataloger configuration [#2438 @wagoodman]
- Use common archive catalog configuration [#2437 @wagoodman]
- Fix file digest cataloger when passed explicit coordinates [#2436 @wagoodman]
v0.98.0
Added Features
- Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
- Enhance redis binary classifier to support additional versions [#2329 @whalelines]
- Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]
Bug Fixes
- Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
- hardcode xalan group ID [#2368 @willmurphyscode]
- logging level for parsing potential PE files [#2367 @kzantow]
- Use read lock in `pkg.Collection` [#2341 @wagoodman]
- add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
- add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
- errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
- `syft some-jar.jar` fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]
- Default for recently added base path, `""`, disables detection of symlinked `*.jar` files [#1962 #2359 @willmurphyscode]
- `syft attest` broken since 0.85.0 [#2333 #2337 @wagoodman]
- Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]
Breaking Changes
- Remove power-user command and related catalogers [#1419 #2306 @wagoodman]
Additional Changes
- Normalize cataloger configuration patterns [#2365 @wagoodman]
- Normalize enums to lowercase with hyphens [#2363 @wagoodman]
Special Thanks
Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍
v0.97.1
v0.97.0
Added Features
- Add license for golang stdlib package [#2317 @coheigea]
- Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]
Bug Fixes
- Refine license search from groupIDFromJavaMetadata to account for artifactId in the groupId [#2313 @coheigea]
- capture content written to stdout outside of report [#2324 @kzantow]
- add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
- skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
- cataloger `dpkg-db-cataloger` not working [#2323]
Breaking Changes
- Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]
Additional Changes
- Export syft-json format package metadata type helper [#2328 @wagoodman]
- Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]