v1.4.1

Bug Fixes

• Fix redundant package deletions when considering ELF packages [#2862 @wagoodman]

(Full Changelog)

v1.4.0

Added Features

• Add detection for newer version of ErLang/OTP [#2829 @LaurentGoderre]
• Add missing CPE for traefik, memcached, and postgres binaries [#2845 @LaurentGoderre]
• Add binary classifier for ArangoDB [#2830 @LaurentGoderre]
• Add relationships to ELF packages [#2715 @brian-ebarb @cdivers18 ]
• Add relationships for ALPM packages (arch linux) [#2851 @wagoodman]

Bug Fixes

• close temp rpmdb file [#2792 @testwill]
• fix Windows file paths in local go mod cache [#2654 @willmurphyscode]
• Package Count doesn't match list of packages [#2304 #2839 @wagoodman]
• New version 1.3.0 leads to "too many open files" while scanning bigger images [#2819 #2823 @willmurphyscode]
• license_info_in_file is mandatory in SPDX-2.2 [#2163 #2168 @kzantow]
• Wrong CPE for dnsmasq [#2636 #2659 @kzantow]
• SPDX originator is not always populated [#2632 #2822 @wagoodman]

Additional Changes

• Improve linting for defer Close type issues [#2826]
• use ruleguard to test for missing defer statements [#2837 @willmurphyscode]
• Publish security policy [#2835 @wagoodman]
• fix function name in comment [#2771 @camcui]
• enable go-critic deferInLoop lint [#2825 @willmurphyscode]

(Full Changelog)

v1.3.0

Added Features

• index known CPEs for go modules [#2816 @westonsteimel]
• support multiple known CPEs in index [#2813 @westonsteimel]
• index known CPEs for PHP Composer packagist.org packages [#2804 @westonsteimel]
• index known cpes for PHP extensions [#2777 @westonsteimel]

Bug Fixes

• re-use embedded union reader if possible [#2814 @willmurphyscode]
• prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io [#2806 @westonsteimel]
• improvements to known CPE index construction [#2801 @westonsteimel]
• Syft panics when scanning OCI image that contains packaged helm chart [#2745 #2757 @willmurphyscode]
• Pom parser not resolving all dependency versions [#2776 #2781 @willmurphyscode]
• exclude known instrumentation jars from being erroneously identified [#2796 @kzantow]
• return empty string if dereferncing pom var fails [#2797 @willmurphyscode]

(Full Changelog)

v1.2.0

Added Features

• Differentiate between JRE and JDK [#2748 @LaurentGoderre]
• Add support for dnf packages [#2758]

Bug Fixes

• more robust go main version extraction [#2767 @kzantow]
• Regression in 1.1 cataloging openjdk: generates version containing a null byte [#2750 #2766 @LaurentGoderre]

(Full Changelog)

v1.1.1

Bug Fixes

• update anchore/packageurl-go to use latest commits [#2746 @spiffcs]
• fix panic scanning binaries without symtab [#2736 #2739 @kzantow]

(Full Changelog)

v1.1.0

Added Features

• Adding the ability to retrieve remote licenses from package-lock.json [#2708 @coheigea]
• Show binary exports, entrypoint, and imports [#2626 @wagoodman]
• Add detection for Oracle GraalVM [#2705 @LaurentGoderre]

Bug Fixes

• reduce duplicate case SwiftPkg [#2696 @testwill]

(Full Changelog)

v1.0.1

Bug Fixes

• Unable to scan OCI images with syft v0.105.1 [#2678 #2683 @spiffcs]

(Full Changelog)

v1.0.0

🎉 Checkout the blog post about v1!

Added Features

• Allow source type input via CLI flag (not scheme) [#1783 #2610 @kzantow]

Bug Fixes

• OpenSSL binary matcher fails to properly detect letter releases [#2681 #2682 @harmw]
• TUI package count does not match package count in default table output [#2672 #2679 @wagoodman]
• .NET NuGet - dotnet-deps cataloger not working with syft v0.94.0 [#2264 #2674 @willmurphyscode]
• New path filtering logic excluding large number of unintended paths [#2667 #2675 @wagoodman]
• Syft TUI can hang when using license fetching from go modules [#2653 #2673 @willmurphyscode]

(Full Changelog)

v0.105.1

Bug Fixes

• return error codes from install script [#2664 @hacst]
• SPDX tag value version selector [#2665 @kzantow]

Additional Changes

• Add syft version used to SBOM tool info by default [#2647 @wagoodman]

(Full Changelog)

v0.105.0

Added Features

• Guess go main module version based on binary contents [#2608 @wagoodman]
• Catalog wordpress plugins [#1911 #2218 @disc]

Bug Fixes

• ensure version output to stdout [#2621 @kzantow]
• Survive indexing dead symlinks [#2645 @wagoodman]
• unable to index filesystem for amazonlinux images [#2627 #2644 @wagoodman]
• CycloneDX OS component does not have a bom-ref [#2101 #2634 @kzantow]
• v0.104.0 interface conversion error when creating bom from singularity image [#2628 #2631 @wagoodman]

Additional Changes

• Rename binary cataloger to be more unique [#2633 @wagoodman]
• Suppress executable parsing issues [#2614 @wagoodman]
• update license list, cpe dictionary [#2620 @spiffcs]

(Full Changelog)