Added Features

• Add binary classifiers for MySQL and MariaDB [#2316 @duanemay]
• Enhance redis binary classifier to support additional versions [#2329 @whalelines]
• Expose compact JSON and XML format configuration [#561 #2275 @wagoodman]

Bug Fixes

• Fix file metadata cataloger when passed explicit coordinates [#2370 @wagoodman]
• hardcode xalan group ID [#2368 @willmurphyscode]
• logging level for parsing potential PE files [#2367 @kzantow]
• Use read lock in pkg.Collection [#2341 @wagoodman]
• add manual namespace mapping for org.springframework jars [#2345 @westonsteimel]
• add manual namespace mapping for org.springframework.security jars [#2343 @westonsteimel]
• errors are printed into the stdout in syft 0.97.1 [#2356 #2364 @kzantow]
• syft some-jar.jar fails to find packages if PWD is a symlink [#2355 #2359 @willmurphyscode]
• Default for recently added base path, "", disables detection of symlinked *.jar files [#1962 #2359 @willmurphyscode]
• syft attest broken since 0.85.0 [#2333 #2337 @wagoodman]
• Incorrect Java PURL for org.bouncycastle jars [#2339 #2342 @westonsteimel]

Breaking Changes

• Remove power-user command and related catalogers [#1419 #2306 @wagoodman]

Additional Changes

• Normalize cataloger configuration patterns [#2365 @wagoodman]
• Normalize enums to lowercase with hyphens [#2363 @wagoodman]

(Full Changelog)

Special Thanks

Thanks @duanemay and @whalelines for the enhanced binary classifier support 👍

Bug Fixes

• Syft does not use HTTP proxy when downloading the Docker image itself [#2203 #2336 @anchore-actions-token-generator]

Additional Changes

• syft version report is broken with 0.97.0 release [#2334 #2335 @spiffcs]

(Full Changelog)

Added Features

• Add license for golang stdlib package [#2317 @coheigea]
• Fall back to searching maven central using groupIDFromJavaMetadata [#2295 @coheigea]

Bug Fixes

• Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId [#2313 @coheigea]
• capture content written to stdout outside of report [#2324 @kzantow]
• add manual groupid mappings for org.apache.velocity jars [#2327 @westonsteimel]
• skip maven bundle plugin logic if vendor id and symbolic name match [#2326 @westonsteimel]
• cataloger dpkg-db-cataloger not working [#2323]

Breaking Changes

• Rename Location virtualPath to accessPath [#1835 #2288 @wagoodman]

Additional Changes

• Export syft-json format package metadata type helper [#2328 @wagoodman]
• Add dotnet-portable-executable-cataloger to README [#2322 @noqcks]

(Full Changelog)

Added Features

• Check maven central as well for licenses in parents poms for nested jars [#2302 @coheigea]
• store image annotations inside the SBOM [#2267 #2294 @noqcks]
• Support parsing license information in Maven projects via parent poms [#2103]

Bug Fixes

• SPDX file has duplicate sha256 tag in versionInfo [#2300 @coheigea]
• Report virtual path consistently between file.Resolvers [#1836 #2287 @wagoodman]
• Unable to identify CycloneDX JSON documents without $schema property [#2299 #2303 @kzantow]

(Full Changelog)

Added Features

• Use case-insensitive matching for Go license files [#2286 @miquella]
• Add conaninfo.txt parser to detect conan packages in docker images [#2234 @Pro]
• Perform case insensitive matching on Java License files [#2235 @coheigea]
• Read a license from a parent pom stored in Maven Central [#2228 @coheigea]
• Add PURLs when scanning Gradle lock files [#2278 @robbiev]

Bug Fixes

• Fix CPE index workflow [#2252 @wagoodman]
• Fix cpe generation task [#2270 @willmurphyscode]
• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• .NET / nuget - invalid SBOM generated after parsing [#2255 #2273 @spiffcs]
• Wrong parsing after v0.85.0 syft for some components [#2241 #2273 @spiffcs]
• SPDX-2.3 is misidentified as SPDX-2.2 [#2112 #2186 @wagoodman]
• Jar parser chokes on empty lines [#2179 #2254 @spiffcs]
• Add a new Java configuration option to recursively search parent poms… [#2274 @coheigea]
• Fix directory resolver to always return virtual path [#2259 @wagoodman]
• Syft can now handle the case of parsing a jar with multiple poms [#2231 @coheigea]
• Add ruby.NewGemSpecCataloger to DirectoryCatalogers [#1971 @evanchaoli]

Breaking Changes

• Introduce cataloger naming conventions [#1578 #2277 @wagoodman]
• Remove MetadataType from the core package struct [#1735 #1983 @wagoodman]
• Add convention for JSON metadata type names and port existing values to the new convention [#1844 #1983 @wagoodman]
• Remove deprecated syft.Format functions [#1344 #2186 @wagoodman]

Additional Changes

• Upgrade tool management [#2188 @wagoodman]
• Fix homebrew post-release workflow [#2242 @wagoodman]

(Full Changelog)

Added Features

• Add additional license filenames [#2227 @coheigea]
• Parse donet dependency trees [#2143 @noqcks]
• Find license by embedded license text [#2147 #2213 @coheigea]
• Add support for dpkg dependency relationships [#2040 #2212 @wagoodman]

Bug Fixes

• Report errors to stderr not stdout [#2232 @wagoodman]
• Python egg packages are not parsed for SBOM [#1761 #2239 @spiffcs]
• Java archive is listed twice [#2130 #2220 @wagoodman]
• Java archives not from Maven [#2217 #2220 @wagoodman]
• Remove internal.StringSet [#2209 #2219 @wagoodman]
• Invalid interface conversion in Swift cataloger [#2225 #2226 @wagoodman]

(Full Changelog)

Added Features

• Parse license from the pom.xml if not contained in the manifest [#2115 @coheigea]
• Add Golang STD library package given a Golang binary has been discovered compiled with that go binary [#1853 #2195 @spiffcs]
• Improve --output CLI help and deprecate --file [#2165 #2187 @sharief007]

Bug Fixes

• Converting a SBOM looses the algorithm type for added checksums [#2183 #2207 @sharief007]

Additional Changes

• Refine the docs for building a cataloger [#2175 @wagoodman]
• update license list to 3.22 [#2201 @spiffcs]
• Add exact syntax of the conversion formats [#2196 @vargenau]

(Full Changelog)

Added Features

• Support for multiple image refs of same sha in OCI layout [#1544]

Bug Fixes

• Generated purls are different between runs of syft against the same image and artifact [#2169 #2170 @willmurphyscode]

Additional Changes

• bump stereoscope to fix data race in UI code [#2173 @willmurphyscode]

(Full Changelog)

Added Features

• Add support for CycloneDX 1.5 [#2120 #2123 @spiffcs]
• Add support for containerd as an image source [#201 #1793 @shanedell]
• Support cataloging github workflow & github action usages [#1896 #2140 @wagoodman]

Bug Fixes

• Allow CycloneDX json input with no components [#2127 @ahoz]
• Prevent errors from clobbering terminal [#2161 @kzantow]
• Using syft as a go library to decode a syft json has incomplete data [#2069 #2083 @kzantow]
• SBOMs are not the same on multiple runs of syft [#1944]

Additional Changes

• Switch to stdlib's slices pkg [#2148 @hainenber]
• Remove unneeded arch switch in unit test [#2156 @willmurphyscode]
• Update chronicle to v0.8.0 [#2154 @wagoodman]
• Update to latest stereoscope [#2151 @spiffcs]
• Pin workflow checkout for cpe update-cpe-dictionary-index [#2141 @spiffcs]
• Add dependency information to conan lockfile parser [#2131 @Pro]
• Pin and update all workflow dependencies; add permission scopes [#2138 @spiffcs]
• Enforce race detector [#2122 @willmurphyscode]

(Full Changelog)

v0.90.0 (2023-09-11)

Full Changelog

Added Features

• Expose cobra command in cli package [PR #2097] [wagoodman]
• Explicitly test PURL generation against key packages [Issue #2071]
• Add User-Agent with Syft version during update check [Issue #2072] [PR #2100] [hainenber]

Bug Fixes

• fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation [PR #2075] [willmurphyscode]
• Cyclonedx external reference URLs are not validated when encoding [Issue #2079] [PR #2091] [hainenber]

Additional Changes

• Bump the golang.org/x/exp dependency and fix a build breakage. [PR #2088] [dlorenc]
• fix: update codeql-analysis for go 1.21 [PR #2108] [spiffcs]

v0.89.0 (2023-08-31)

Full Changelog

Added Features

• Add registry certificate verification support [PR #1734] [5p2O5pe25ouT]
• Add SYFT_CONFIG environment variable for configuration file path [Issue #1986] [PR #2001] [kzantow]

Bug Fixes

• Fix quiet flag [PR #2081] [wagoodman]
• Command line flags not overriding configuration file values [Issue #1143] [PR #2001] [kzantow]
• Django package CPE is not correct [Issue #1298] [PR #2068] [witchcraze]
• Config parsing includes config.yaml in working dir [Issue #1634] [PR #2001] [kzantow]
• Fix a possible panic on universal go binaries [Issue #2073] [PR #2078] [willmurphyscode]
• Disabling catalogers is not working in power user command [Issue #2074] [PR #2001] [kzantow]
• Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed [Issue #2077] [PR #2080] [willmurphyscode]

v0.88.0 (2023-08-25)

Full Changelog

Added Features

• Detect golang boring crypto and fipsonly modules [PR #2021] [bathina2]
• feat: 1944 - update purl generation to use a consistent groupID [PR #2033] [spiffcs]
• Add support to detect bash binaries [Issue #1963] [PR #2055] [witchcraze]

Bug Fixes

• fix: properly parse conan ref and include user and channel [PR #2034] [Pro]
• New version notice only showing the version and no text [PR #2042] [wagoodman]
• Fix: don't validate pom declared group [PR #2054] [willmurphyscode]
• Errors when handling symlinks on Windows with syft v0.85.0 [Issue #1950] [PR #2051] [selzoc]
• Syft seems unable to parse non UTF-8 pom.xml files [Issue #2044] [PR #2047] [wagoodman]
• Error parsing pom.xml with v0.87.1 [Issue #2060] [PR #2064] [willmurphyscode]
• Invalid CycloneDX: duplicates in relationships section [Issue #2062] [PR #2063] [kzantow]

v0.87.1 (2023-08-17)

Full Changelog

Bug Fixes

• Use Java package names to determine known groupIDs [PR #2032] [kzantow]
• Relationships section of CycloneDX is not outputting even when the data is present [Issue #1972] [PR #1974] [markgalpin] [kzantow]
• SPDX Tag-Value conversion not handling files directly set on packages [Issue #2013] [PR #2014] [kzantow]
• Intermittent binary listings, different results every time [Issue #2035] [PR #2036] [kzantow]

v0.87.0 (2023-08-14)

Full Changelog

Added Features

• feat: use originator logic to fill supplier [PR #1980] [spiffcs]
• Expand deb cataloger to include opkg [PR #1985] [johnDeSilencio]
• Package duplicated by different cataloger [Issue #931] [PR #1948] [spiffcs]
• Add binary cataloger for Nginx built from source [Issue #1945] [PR #1988] [SemProvoost]

Bug Fixes

• chore: update bubbly to fix hanging [PR #1990] [kzantow]
• fix: update glob to use newer usr/lib/sysimage path [PR #1997] [spiffcs]
• fix: SPDX license values and download location [PR #2007] [kzantow]
• Different CPEs between java-cataloger and java-gradle-lockfile-cataloger [Issue #1957] [PR #1995] [kzantow]

Changelog

v0.86.1 (2023-07-31)

Full Changelog

Bug Fixes

• Source requires default image name as user input for unparsable reference [PR #1979] [kzantow]

Changelog

v0.86.0 (2023-07-31)

Full Changelog

Added Features

• Introduce indexed embedded CPE dictionary [PR #1897] [luhring]
• Add cataloger for Swift Package Manager. [PR #1919] [trilleplay]
• Guess unpinned versions in python requirements.txt [PR #1597] [PR #1966] [manifestori] [wagoodman]
• Create a package record for the artifact an SBOM described when creating a SPDX SBOM [Issue #1661] [Issue #1241] [PR #1934] [kzantow]

Bug Fixes

• Fix panic condition on docker pull failure [PR #1968] [wagoodman]
• Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" [Issue #1799] [PR #1943] [luhring]
• Grype cannot read SPDX documents generated by SPDX-maven-plugin [PR #1969] [spiffcs]

Breaking Changes

• Remove jotframe UI [PR #1932] [wagoodman]
• Simplify python env markers [PR #1967] [wagoodman]

Changelog

v0.85.0 (2023-07-12)

Full Changelog

Added Features

• Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) [PR #1867] [deitch]
• Add file source digest support [PR #1914] [wagoodman]
• Remove erroneous Java CPEs from generation [PR #1918] [luhring]
• Fix CPE generation for k8s python client [PR #1921] [luhring]
• Don't use the actual redis or grpc CPEs for gems [PR #1926] [luhring]
• The text user interface is now provided by the bubbletea library [Issue #1441] [PR #1888] [wagoodman]

Bug Fixes

• Install script returns exit code 0 even if install fails [Issue #1566] [PR #1915] [lorsatti]
• [Windows] Not able to scan volume mounted to folder [Issue #1828] [PR #1884] [dd-cws]
• Deprecated license: GFDL-1.2+ [Issue #1899] [PR #1907] [spiffcs]

Breaking Changes

• Refactor the source API and syft-json source block data shape [Issue #1866] [PR #1846] [wagoodman]

Additional Changes

• chore: update iterations to protect against race [PR #1927] [spiffcs]
• fix: background reader apart from global handler for testing [PR #1929] [spiffcs]

Changelog

v0.84.1 (2023-06-29)

Full Changelog

Bug Fixes

• Fix version detection in Java archive name parsing [PR #1889] [luhring]
• Improve support for Dart SDK package dependency lockfiles [PR #1891] [rufman]
• Fix license output for some CycloneDX JSON SBOMs [Issue #1877] [PR #1879] [kzantow]
• Correctly discover Debian file relationships in distroless images [Issue #1900] [PR #1901] [westonsteimel]

Additional Changes

• Simplify the SBOM writer interface [PR #1892] [wagoodman]

Changelog

v0.84.0 (2023-06-20)

Full Changelog

Breaking Changes

• Pad artifact IDs [PR #1882] [willmurphyscode]

Additional Changes

• chore: update SPDX license list to 3.21 [PR #1885] [kzantow]

Changelog

v0.83.1 (2023-06-14)

Full Changelog

Bug Fixes

• fix: pom properties not setting artifact id [PR #1870] [jneate]
• fix(deps): pull in platform selection fix from stereoscope [PR #1871] [anchore-actions-token-generator] - pulling in an image with a digest that does not match the platform and architecture of the host no longer fails with an error, see https://github.com/anchore/stereoscope/issues/188
• symlinks within a scanned directory tree are parsed outside the tree, failing if target does not exist [Issue #1860] [PR #1861] [deitch]