Changelog

v0.43.0 (2022-07-18)

Full Changelog

Added Features

• Remove matching for main go module matcher [PR #829]
• Add --only-notfixed to complete the existing and useful --only-fixed [Issue #824]

Bug Fixes

• Cannot concurrently access sqlite DB within a single process [Issue #155]
• False positive of CVE-2020-16250 and CVE-2020-16251 [Issue #712]

Changelog

v0.42.0 (2022-07-11)

Full Changelog

Added Features

• Templates for grype output. HTML template [Issue #724]
• grype db diff command [Issue #764]

Bug Fixes

• panic: runtime error: index out of range [0] with length 0 [Issue #821]

Changelog

v0.41.0 (2022-07-06)

Full Changelog

Features

• Upgrade to a new vulnerability database schema v4 [PR #803]

Bug Fixes

• Grype Busy Box Vulnerabilities resolved [Issue #510]
• Vulnerabilities now reported under php (composer) [Issue #797]
• Grype outputs listed properly [Issue #801]
• Grype db update command now shows spinner [Issue #805]

Changelog

v0.40.1 (2022-06-24)

Full Changelog

Features

• update syft to v0.49.0 release

Bug Fixes

• grype fixed version cyclonedxjson [Issue #762]
• Include php in Grype supported languages [Issue #792]

Changelog

v0.40.0 (2022-06-17)

Full Changelog

Added Features

• Be clear about version and data staleness [Issue #240]
• Add a dockerized workflow for local dev [Issue #782]
• Update grype documentation to include golang [Issue #787]

Bug Fixes

• "Matcher failed to parse version" when scanning a Ruby project using bundler 2.2.0 or newer [Issue #767]
• GHSA-x24g-9w7v-vprh included in grype 0.38.0 [Issue #779]
• Template pipelines don't seem to work in 0.39.0 [Issue #784]

Changelog

v0.39.0 (2022-06-09)

Full Changelog

Features

• Support newer versions of 'rpm' that use Sqlite for the db instead of BerkeleyDB [Issue #469]

Bug Fixes

• Template errors don't lead to non-zero exit status [Issue #623]
• Issues with Grype's handling of template output for invalid templates [Issue #625]
• Grype reports some critical Vault CVE on itself [Issue #676]

Changelog

v0.38.0 (2022-05-23)

Full Changelog

Added Features

• Dotnet-Support [Issue #736]

Changelog

v0.37.0 (2022-05-13)

Full Changelog

Added Features

• Add Dotnet support [PR #747] [ckotzbauer]

Security Fixes

• Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 [PR #742] [dependabot]

Bug Fixes

• Unable to determine the OS distribution (Ubuntu 20.04.4 LTS) [Issue #684]

Changelog

v0.36.1 (2022-05-03)

Update grype to use syft v0.45.1 and reduce info level logging overload

Full Changelog

Changelog

v0.36.0 (2022-04-29)

Full Changelog

Added Features

• Add support for cyclonedx 1.4 and VEX [Issue #591]
• Read attestation file, validate attestation, produce vulnerability report [Issue #644]

Bug Fixes

• Panic while running scan on directory [Issue #715]

Changelog

v0.35.0 (2022-04-13)

Full Changelog

Added Features

• Indicate location of vulnerability [Issue #561]
• Optional External Data Source Reference for Maven Packages [Issue #711]

Bug Fixes

• False positive (critical) on GHSA-8v27-2fg9-7h62 [Issue #632]
• False Positive on CVE-2020-36518 [Issue #692]
• Matches should be sorted by package name for template output [Issue #696]
• panic: runtime error: invalid memory address or nil pointer dereference [Issue #702]

Changelog

v0.34.7 (2022-03-24)

Full Changelog

Bug Fixes

• Bump strset version to fix 386 builds [PR #689] [wagoodman]
• Grype cannot handle empty SBOMs, results in SIGSEGV [Issue #693] [luhring]

Changelog

v0.34.5 (2022-03-23)

Full Changelog

Bug Fixes

• Improve SARIF path handling and severity [PR #686] [kzantow]

Changelog

v0.34.4 (2022-03-21)

Full Changelog

Bug Fixes

• Correct issue with SARIF dir scan relative paths [Issue #682] [kzantow]
• Update Syft lib to 0.42.1 [Issue #683]
  • Fix CycloneDX license decoding [PR #898] [kzantow]
  • Fix image cleanup when there is an error [PR #905] [wagoodman]
  • Omit H1Digest when empty [PR #902] [jonasagx]

Changelog

v0.34.3 (2022-03-16)

Full Changelog

Bug Fixes

• Panic: runtime error - when utilizing the vulnerability scanner on an cyclonedx sbom file input [Issue #669] [kzantow]

Changelog

v0.34.1 (2022-03-15)

Full Changelog

Added Features

• Add platform selection [PR #666] [wagoodman]
• Add SARIF report output [Issue #304] [kzantow]
• Support CycloneDX as SBOM input to grype [Issue #481] [kzantow]

Bug Fixes

• Issue in Installation. err: anchore/grype err hash_sha256_verify unable to find checksum [Issue #577] [spiffcs]

Changelog

v0.33.1 (2022-02-27)

Full Changelog

Bug Fixes

• Restore behavior of JSON distro block [PR #643] [wagoodman]

Changelog

v0.33.0 (2022-02-15)

Full Changelog

Added Features

• Add ability to merge matches [PR #602] [wagoodman]
• Allow for ingestion of SPDX SBOM documents as input [Issue #395]

Bug Fixes

• Grype stuck on some images [Issue #549]

Changelog

v0.32.0 (2022-01-20)

Full Changelog

Features

• Upgrade Grype to latest version of syft. See full release for details.

Bug Fixes

• Error scanning SBOM from file: unsupported package metadata type: file [Issue #592]

Docker images

• docker pull anchore/grype:v0.32.0

Changelog

v0.31.1 (2022-01-11)

Full Changelog

Added Features

• Update Containerd dependency to fix GHSA-mvff-h3cj-wj9c

Bug Fixes

• Grype installation contains vulnerability GHSA-mvff-h3cj-wj9c [Issue #583]

Docker images

• docker pull anchore/grype:v0.31.1