syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
APACHE-2.0 License
Bot releases are visible (Hide)
syft
- v0.68.0
Published by github-actions[bot] over 1 year ago
Changelog
v0.68.0 (2023-01-20)
Added Features
- Catalog memcached binary [Issue #1459] [@witchcraze]
Bug Fixes
- Relax error conditions for catalogers [PR #1492] [wagoodman]
- Always set the package ID for java packages [PR #1493] [wagoodman]
- Fix panic in APK version specifier handling [PR #1494] [luhring]
- ZERO npm dependencies discovered if any npm dependency has an array as a license [Issue #1479]
- Syft panics on APK parsing when Dependencies or Provides holds an empty string [Issue #1483]
syft
- v0.66.2
Published by github-actions[bot] almost 2 years ago
Changelog
v0.66.2 (2023-01-17)
Bug Fixes
- update dependency golang.org/x/text [Issue #1457]
- syft is now throwing panic with version 0.66.1 [Issue #1462]
syft
- v0.66.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.66.0 (2023-01-12)
Added Features
- Catalog Erlang/Elixir artifacts using "rebar" and "mix" package managers [Issue #1071] [@cpendery]
- Catalog PHP binary runtimes [Issue #1429] [@witchcraze]
- Catalog Apache HTTP binary runtimes [Issue #1440] [@witchcraze]
- Catalog redis binary runtimes [Issue #1437] [@noqcks]
- Increase the speed of cataloger stage [Issue #1353] [@Mikcl]
- Add the origin field to the output format of syftjson [PR #1327] [@asi-cider]
Bug Fixes
- A duplicate file in tar archive causes read to fail [Issue #1400] [@kzantow]
syft
- v0.65.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.65.0 (2023-01-04)
Added Features
- refactor basic CPE functionality to its own package [PR #1436] [kzantow]
- adding purl types for binary classifiers [Issue #1435] [noqcks]
Bug Fixes
- silence additional excessive go binary warnings [Issue #1432] [jedevc]
syft
- v0.64.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.64.0 (2022-12-23)
Added Features
- License parsing for Java [PR #1385]
- Integration or association of binary and package [Issue #1411]
- Include go.sum h1 digest information in checksums [Issue #1277]
Bug Fixes
- Clean package names found in python catalogers [PR #1417] [wagoodman]
- FilesAnalyzed wrong and missing SHA1 for files [Issue #1396]
- Binary executables identified as "library" type in CycloneDX [Issue #1402]
- Excessive "unable to read golang buildinfo error=not a Go executable file" warnings in versions after v0.62.1 [Issue #1403]
- Binary java detection [Issue #1410]
syft
- v0.63.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.63.0 (2022-12-12)
Added Features
- Catalog Java binary runtimes [Issue #1388]
Bug Fixes
- Syft generates too loose of cpes for python redis [Issue #1066]
- Panic in alpm cataloger [Issue #1195]
- goroutine stack exceeds 1000000000-byte limit scanning image [Issue #1368]
- Binary go detection [Issue #1382]
syft
- v0.62.3
Published by github-actions[bot] almost 2 years ago
Changelog
v0.62.3 (2022-11-30)
Added Features
- Add a generic binary cataloger [PR #1336] [kzantow]
- Add
--nameoption to override name in output [1269] [jedevc]
Bug Fixes
- Recover from bad parsing of golang binary [PR #1371] [wagoodman]
- panic: runtime error: index out of range [0] with length 0 [Issue #1094]
- Syft finds no apks for some images with apks [Issue #1354]
syft
- v0.62.2
Published by github-actions[bot] almost 2 years ago
Changelog
v0.62.2 (2022-11-28)
Bug Fixes
- SPDX-json output differs between cli and golang implementation [Issue #1213]
- Python cataloging fails to remove some non-version characters from version string [Issue #1360]
- Haskell Cabal packages crash syft [Issue #1362]
- Panic case for alpm on windows has a correct error case [Issue #1094]
syft
- v0.62.1
Published by github-actions[bot] almost 2 years ago
Changelog
v0.62.1 (2022-11-21)
Bug Fixes
- fix(npm): handle aliases in package-lock.json [Issue #1314] [Mikcl]
- chore: add debug logging for decode errors [PR #1352] [kzantow]
- fix: sort relationships in SPDX output [Issue #1213] [kzantow]
syft
- v0.62.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.62.0 (2022-11-18)
Added Features
- NPM package-lock.json version 3 [Issue #1203]
Bug Fixes
- Don't replace : with - in docker SPDX namespaces [Issue #1111]
syft
- v0.61.0
Published by github-actions[bot] almost 2 years ago
Changelog
v0.61.0 (2022-11-18)
Added Features
- Add support for map fields in CycloneDX (XML and JSON) [Issue #1032]
- Dependency's MIT license not picked up when scanning package-lock.json [Issue #1113]
- Support SPDX 2.3 [Issue #1292]
- Add support for dependency relationships for alpine (apk) [PR #1063]
Bug Fixes
- Normalize alpm md5 refs [PR #1333] [wagoodman]
- APK Metadata decoding should be backwards compatible [PR #1341] [wagoodman]
- Add spdx relationship encoding for dependencies [PR #1342] [wagoodman]
- v0.3.0 SPDX SBOM Does Not Have Unique SPDXID Package IDs [Issue #923]
- Missing licenses and "skipping encoding of unsupported property: syft:metadata:goBuildSetting" [Issue #1007]
- System independent build not possible [Issue #1084]
- Dependency's MIT license not picked up when scanning package-lock.json [Issue #1113]
- No packages discovered in SIF when image source not specified [Issue #1189]
-
syft packagespanics on OCI archive creation [Issue #1318] - Missing metadata in syft-json artifacts crashes grype [Issue #1334]
- CPE for amazoncorretto:19.0.1-al2 is incorrect [Issue #1337]
syft
- v0.60.3
Published by github-actions[bot] almost 2 years ago
syft
- v0.60.2
Published by github-actions[bot] almost 2 years ago
syft
- v0.60.1
Published by github-actions[bot] almost 2 years ago
Changelog
v0.60.1 (2022-11-01)
Added Features
- Remove the docker installation from the release process [Issue #577]
- Include go binary h1 digests in SPDX [Issue #1261]
Bug Fixes
- A malformed Python RECORD file stops Syft processing [Issue #1012]
- Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) [Issue #1179]
- Update SPDX license list to 3.18 [Issue #1245]
- Versions not printed out properly from maven pom.xml [Issue #1251]
- syft attest --output cyclonedx-json incompatible with cosign [Issue #1268]
- Create SBOM file will have suffix in modules name [Issue #1275]
syft
- v0.59.0
Published by anchoreops about 2 years ago
Changelog
Added Features
- Attest support for Singularity images [Issue #1193]
- Remove upload to Anchore Enterprise [Issue #1252]
Bug Fixes
- Update requires to use list; remove field [PR #1234] [spiffcs]
- Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) [Issue #1179]
- SPDX JSON has external reference category of PACKAGE_MANAGER instead of PACKAGE-MANAGER [Issue #1236]
- Follow symlinks when searching for globs in all-layers scope [PR #1221] [kzantow]
syft
- v0.58.0
Published by anchoreops about 2 years ago
Changelog
Added Features
- Add support for cpp
conan.lockfiles [PR #1230] - Adding file checksum field in SPDX documents [Issue #1226]
Bug Fixes
- Excluding a directory does not work on Windows [Issue #1024]
- RPM file scan failed [Issue #1231]
syft
- v0.57.0
Published by anchoreops about 2 years ago
Changelog
Added Features
- Consistent sorting for SPDX JSON output [Issue #1213]
Bug Fixes
- Attest panic on MacOS [Issue #1210]
syft
- v0.56.0
Published by anchoreops about 2 years ago
Changelog
Added Features
- Add flag to disable Syft hitting toolbox-data.anchore.io [Issue #1185]
Bug Fixes
- Warn on errors from RPM DB parsing [PR #1200] [wagoodman]
- SPDX PackageLicenseDeclared should be NOASSERTION [Issue #660]
- Syft failed to parse Singularity image [Issue #1150]
syft
- v0.55.0
Published by anchoreops about 2 years ago
Changelog
v0.55.0 (2022-08-29)
Added Features
- Capture package.json private field for npm modules [Issue #1160]
- add support for pnpm [Issue #1165]
Bug Fixes
- Java-Cataloger produces empty entries for cyclonedx output [Issue #466]
- No licenses included in scan with yarn.lock [Issue #845]
- syft convert -o option erroring out [Issue #1095]
Package Rankings
Top 5.99% on Alpine-edge
Top 1.91% on Alpine-v3.18
Top 0.72% on Proxy.golang.org
Top 8.71% on Alpine-v3.17
Top 14.79% on Formulae.brew.sh