scout-cli
-
v1.4.1
Published by eunomie 9 months ago
These notes include changes part of v1.4.0
Highlights
- Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
- Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
- Support cosign SBOM attestations
- Support for VEX in-toto attestations
Bug fixes / Improvements
- Fix order and case of details column headers in the policy deviation details tables
- Fix platform detection when an image index contains
linux/arm64/v8
but the local platform is only linux/arm64
- Fix display of the base image in case the base image is not indexed by docker scout but defined in the provenance attestation (for private or non Docker Trusted Content base images)
Affects quickview
and recommendations
commands
- Fix panic when an SBOM contains no packages
Especially when using docker scout
to analyse local file system, for instance using docker scout cves fs://.
- Bump Syft to 0.103.1 to fix golang Purl with subpath
- Add support for subpaths in PURLs
For instance an image containing both packages github.com/gofiber/template
and github.com/gofiber/template/django/v3
, previously the two packages were visible under the same github.com/gofiber/template
name. Now both of them are correctly identified
- Remove query strings from title in rendered hyperlinks