Changelog

v0.59.0 (2023-03-03)

Full Changelog

Added Features

• Add the total types of vulnerabilities in Grype output [Issue #877] [PR #946] [zhiburt]

Additional Changes

• chore: bump quality gate labels and syft version [PR #1156] [westonsteimel]

Changelog

v0.58.0 (2023-03-02)

Full Changelog

Security Fixes

• chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 [PR #1134] [dependabot]

Added Features

• add grype image to ArtifactHub [Issue #613] [PR #639] [developer-guy]

Bug Fixes

• Grype with version v.0.55 take 3 hour to scan the image [Issue #1063]
• Unable to install Grype [Issue #1102]

Additional Changes

• chore: update progress monitor handling [PR #1149] [kzantow]
• distro: Disable support for Arch Linux [PR #1152] [Foxboron]

Changelog

v0.57.1 (2023-02-16)

Full Changelog

Changelog

Updates

• Update to latest syft for faster indexing and SBOM generation when consuming source and not using the SBOM as an input

Full Changelog

Bug Fixes

• regression: Grype 0.54.0 does not find vulnerabilities in Nodejs runtime itself anymore [Issue #1043]

Additional Changes

• bump yardstick to 2d30ea7429d0a59020e0176bba1b3b6b8b01b08a [PR #1095] [wagoodman]
• chore: prune cosign dependency for grype builds [PR #1100] [spiffcs]
• chore: bump yardstick for better quality gate filtering [PR #1101] [westonsteimel]
• chore: add new images to quality gate [PR #1106] [westonsteimel]
• fix: exclude OS packages from CPE target filtering [PR #1130] [westonsteimel]
• fix: ignore some false-positives for ruby gems [PR #1132] [westonsteimel]

Changelog

v0.56.0 (2023-01-26)

Full Changelog

Added Features

• Allow db diff to specify local files [Issue #1059] [PR #1058] [kzantow]

Bug Fixes

• False positive CVE-2015-5237 for protobuf-go [Issue #558] [PR #1062] [luhring]
• Missing severities in embedded-cyclonedx-vex-json format since v0.55.0 [Issue #1066] [PR #1067] [kzantow]

Changelog

v0.55.0 (2023-01-04)

Full Changelog

Added Features

• add documentation about air gap installation support [Issue #509]
• Include Syft's cyclonedx component properties in Grype output [Issue #951]

Bug Fixes

• OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype , syft is working however [Issue #796]
• Failure scanning images with arch variant (e.g. arm/v7) [Issue #831]
• Unnecessarily escaped output in CycloneDX [Issue #959]
• SBOM cataloger and ownership-by-file-overlap relationships for packages [Issue #1044]

Changelog

v0.54.0 (2022-12-13)

Full Changelog

Added Features

• reporting the relevant CVE number when GHSA is reported [Issue #204]
• Add official support for ppc64le [Issue #404]

Bug Fixes

• False positive: redis vuln associated to somewhat unrelated python dependency [Issue #491]
• False flagging [Issue #800]
• grype db update error [Issue #846]
• Grype debug image no longer contains busybox [Issue #1010]

Changelog

v0.53.1 (2022-11-21)

Full Changelog

Changelog

v0.53.0 (2022-11-18)

Full Changelog

Added Features

• Enable the Scorecard Github Action and badge [Issue #926]
• Update Grype to use use syft v0.62.0

Changelog

v0.52.0 (2022-11-03)

Full Changelog

Added Features

• Show all vulnerabilities, even suppressed [Issue #887]
• Ubuntu: Add as a Vulnerability Specification Source [Issue #958]

Bug Fixes

• Grype inconsistence output squashed and all-layers representation [Issue #894]
• Grype doesn't find CVE-2022-3358 [Issue #954]
• Not applying Alpine secdb data correctly for "edge" [Issue #964]
• Incorrect artifact entry in json report for grype v0.51.0 [Issue #967]

Changelog

v0.51.0 (2022-10-17)

Full Changelog

Features

• Upgrade to a new vulnerability database schema v5 [PR #944]

Bug Fixes

• Grype is not reporting CVE-2018-1270 [Issue #237]
• Grype does not recognize Debian fix for CVE-2022-37434 [Issue #900]
• grype cannot be used, because modify syft CycloneDX format json result file. [Issue #953]

Changelog

(Unreleased) (2022-09-20)

Full Changelog

Added Features

• Add distro information into the CPE generation process [Issue #141]
• allow development installations via install.sh [Issue #253]

Changelog

Full Changelog

Bug Fix

• Pin syft version to latest release to resolve pseudo version conflict

Changelog

Full Changelog

Added Features

• 0.49.0 docker image does not support arm64 [Issue #916]
• review rpm packages [[Issue #570](https://github.com/anchore/grype/issues/570

Changelog

(Unreleased) (2022-09-01)

Full Changelog

Added Features

• add basic instructions for compiling binaries to install readme [Issue #581]
• How can grype scan manually installed dependencies? [Issue #651]
• Flag to disable db check and update [Issue #878]

Bug Fixes

• Java CVEs not detected from sparse CycloneDX SBOM [Issue #723]
• Add support to bci images [Issue #740]
• failed to catalog: could not fetch image (only on v0.47.0) [Issue #882]

Changelog

v0.48.0 (2022-08-24)

Full Changelog

Added Features

• enhancement: add support for s390x arch [Issue #719]
• More accurate "no OS distribution" messaging [Issue #748]

Fixed Bugs

• disable CPE match filtering based on target software component for java packages [PR #889]

Changelog

v0.47.0 (2022-08-17)

Full Changelog

Security

• Grype v0.46.0 reports a Critical vulnerability CVE-2022-35929 on itself [Issue #880]

Bug Fixes

• GRYPE_DB_AUTO_UPDATE=false no longer works [Issue #870]

Changelog

v0.46.0 (2022-08-04)

Full Changelog

Added Features

• ux: db: update: append more information about the next update [Issue #754]
• update syft to use latest version [v0.53.4]

Changelog

v0.45.0 (2022-08-03)

Full Changelog

Added Features

• Accept simple package list as input [Issue #516]
• Request vulnerability data by a single cpe string [Issue #757]

Bug Fixes

• grype db diff default case inverted [Issue #844]
• Grype slow on parallel execution [Issue #855]
• Concurrent gyrpe runs result in SQLITE_BUSY error [Issue #859]

Changelog

v0.44.0 (2022-07-25)

Full Changelog

Added Features

• Filter CPE matches by target SW to reduce FPs [Issue #390]
• Support ARM32 (linux/armv7) architecture [Issue #595]