grype

A vulnerability scanner for container images and filesystems

APACHE-2.0 License

Downloads
2.2K
Stars
7.6K
Committers
85

grype - v0.75.0 Latest Release

Published by github-actions[bot] 7 months ago

Added Features

  • update syft source providers [#1727 @kzantow]
  • enable http timeout [#1777 @willmurphyscode]

Bug Fixes

  • use "path/filepath" to build file path [#1767 @seiyab]
  • Suppress warnings when matching go packages with devel version [#1752 @wagoodman]
  • not showing poco CVEs from syft generated sbom [#1737]

grype - v0.74.7

Published by github-actions[bot] 8 months ago

Bug Fixes

  • return exit codes from install script [#1725 @hacst]
  • GitHub code scanning alerts missing information [#1715 #1720 @kzantow]

Additional Changes

  • update Syft to v0.105.1 [#1728]

grype - v0.74.6

Published by github-actions[bot] 8 months ago

Bug Fixes

  • ensure version output to stdout [#1709 @kzantow]
  • Seeing "WARN some package(s) are missing CPEs" but it's not clear why [#1634 #1710 @willmurphyscode]

grype - v0.74.5

Published by github-actions[bot] 8 months ago

Additional Changes

  • Bump Syft in Grype to pull in unmarshaling fix [#1703 @willmurphyscode]

grype - v0.74.4

Published by github-actions[bot] 9 months ago

Security Fixes

  • Upgrade syft to v0.103.1 [#1688 @wagoodman]

grype - v0.74.3

Published by github-actions[bot] 9 months ago

Bug Fixes

  • Fix matching when RPM modularity is a factor [#1679 @wagoodman]
  • VEX documents not taken into account when --fail-on is set [#1639 #1657 @ferozsalam]

Additional Changes

  • break assumption that syft cpe.CPE is wfn.Attributes [#1675 @willmurphyscode]

grype - v0.74.2

Published by github-actions[bot] 9 months ago

Additional Changes

  • update Syft to v0.101.1 [#1669 @anchore-actions-token-generator]

grype - v0.74.1

Published by github-actions[bot] 9 months ago

Security Fixes

  • bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#1651 @dependabot]

Bug Fixes

  • No vulnerabilities found for nuget package [#1065]

Additional Changes

  • fix logging configuration in tests [#1655 @plavy]
  • Update Syft to 0.101.0 [#1663]

grype - v0.74.0

Published by github-actions[bot] 10 months ago

Added Features

  • Vulnerabilities marked as fixed in distro packages should be reported as fixed for all contained packages too [#1236 #1603 @luhring]

Bug Fixes

  • Parameter quiet is ignored in configuration file [#1645 #1646 @plavy]
  • 401 unauthorized pulling from public registry [#1637]

grype - v0.73.5

Published by github-actions[bot] 10 months ago

Additional Changes

  • Update Syft to v0.99.0 [#1633 @dependabot]

grype - v0.73.4

Published by github-actions[bot] 11 months ago

Additional Changes

  • bump to syft v0.98.0 in quality gate tests [#1623 @westonsteimel]
  • update syft to v0.98.0; go mod tidy [#1621 @spiffcs]

grype - v0.73.3

Published by github-actions[bot] 11 months ago

Additional Changes

  • update Syft to v0.97.1 [#1610 @anchore-actions-token-generator]

grype - v0.73.2

Published by github-actions[bot] 11 months ago

Bug Fixes

  • Vulnerabilities in go packages without go modules are not detected [#1581 #1599 @willmurphyscode]

grype - v0.73.1

Published by github-actions[bot] 11 months ago

Bug Fixes

  • CycloneDX based analysis failing [#1594 #1596 @anchore-actions-token-generator]
  • False negatives when scanning debian trixie/sid images from Dockerhub [#1446 #1593 @willmurphyscode]

Additional Changes

  • avoid allocations with (*regexp.Regexp).MatchString [#1592 @Juneezee]

grype - v0.73.0

Published by github-actions[bot] 12 months ago

Added Features

  • Add a reason field to ignore config [#1337 #1532 @shanduur]
  • Colorize severity in table output [#225 #1284 @shanedell]

Bug Fixes

  • Enable setting golang CPE config using env var [#1585 @willmurphyscode]
  • Incorrect version comparisons for maven packages [#1526 #1571 @spiffcs]
  • Grype fails to detect postgresql jdbc driver CVEs when scanning .jar [#1482]

Additional Changes

  • Incorporate format API changes from syft [#1582 @wagoodman]

grype - v0.72.0

Published by github-actions[bot] 12 months ago

Added Features

  • Add --ignore-states flag for ignoring findings with specific fix states [#1473 @jhebden-gl]
  • Implement checksum & artifact signing [#1513 #1535 @hibare]

Bug Fixes

  • Report errors to stderr not stdout [#1561 @wagoodman]
  • grype v0.71.0 stopped showing vulnerabilities for Go stdlib [#1562 #1565 @wagoodman]
  • SARIF output not compatible with GitHub [#1518 #1563 @spiffcs]

grype - v0.71.0

Published by github-actions[bot] about 1 year ago

Added Features

  • use ghsa to improve matching for cpes [#811 #1412 @westonsteimel]

grype - v0.70.0

Published by github-actions[bot] about 1 year ago

Added Features

  • Update Syft to v0.93.0 + enable golang stdlib matching [#1550 @spiffcs]

Bug Fixes

  • JSON output: descriptor name is missing "grype" value [#1538 #1542 @kzantow]

grype - v0.69.1

Published by github-actions[bot] about 1 year ago

Bug Fixes

  • Incorrect python version comparisons for rc releases [#986 #1510 @willmurphyscode]
  • False Positive: CVE-2023-37920 reported for certifi library in python [#1417 #1510 @willmurphyscode]
  • Grype is not recognizing python-certifi is patched for GHSA-43fp-rhv2-5gv8 [#1172 #1510 @willmurphyscode]
  • False positive on certifi 2022.12.07 [#1034 #1510 @willmurphyscode]
  • Leading zeros seen as difference in version numbers [#1430 #1510 @willmurphyscode]

Additional Changes

  • add OpenSSF Best Practices badge [#1523 @spiffcs]
  • Bump vulnerability match labels [#1525 @wagoodman]
  • bump stereoscope to fix data race in UI [#1517 @willmurphyscode]

grype - v0.69.0

Published by github-actions[bot] about 1 year ago

Added Features

  • Upgrade syft to v0.91.0 (and CycloneDX to v1.5) [#1508 @wagoodman]

Bug Fixes

  • Grype doesn't exit cleanly on error [#1492 #1505 @kzantow]

Additional Changes

  • Fix typo in flag on Readme [#1501 @robszumski]
  • pin cache versions [#1495 @spiffcs]
