syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

APACHE-2.0 License

Downloads
1.4K
Stars
5.4K
Committers
141

syft - v0.54.0

Published by anchoreops about 2 years ago

Changelog

v0.54.0 (2022-08-17)

Full Changelog

Added Features

  • Assume :latest tag implicitly [Issue #411]
  • Add 'rpm modularity' to rpm records generated by syft [Issue #1145]

Bug Fixes

  • Empty metadata while decoding should be allowed [PR #1154] [wagoodman]
  • Add PHP Composer dev dependencies [Issue #773]
  • opaque error when scanning an image in github registry [Issue #790]
  • javascript-lock-cataloger not detect and parse yarn.lock file [Issue #798]
  • Distro identification fails for dir: scheme when identityFiles not in scope. [Issue #814]
  • podman report not working [Issue #893]
  • Parsing yarn.lock fails to identify the correct package and version combinations [Issue #925]
  • gemspecs going unreported [Issue #960]
  • json SPDX invalid format [Issue #992]
  • Docker configuration issue on release [Issue #1126]
  • Can't configure off-by-default cataloger without using --all [Issue #1141]

syft - v0.53.4

Published by anchoreops about 2 years ago

Changelog

v0.53.4 (2022-08-03)

Full Changelog

syft - v0.53.3

Published by anchoreops about 2 years ago

Changelog

v0.53.3 (2022-08-03)

Full Changelog

Bug Fixes

syft - v0.53.2

Published by anchoreops about 2 years ago

Changelog

v0.53.2 (2022-08-02)

Full Changelog

Bug Fixes

syft - v0.53.1

Published by anchoreops about 2 years ago

Changelog

v0.53.1 (2022-08-02)

Full Changelog

Added Features

  • Singularity Image Format (SIF) support [Issue #937]

syft - v0.53.0

Published by anchoreops about 2 years ago

Changelog

v0.53.0 (2022-08-02)

Full Changelog

Added Features

  • Add support for auditable Rust binaries [Issue #1108]

Bug Fixes

  • WARN unable to convert relationship from CycloneDX 1.3 JSON [Issue #980]
  • purls not generated for unknown types [Issue #1118]

syft - v0.52.0

Published by anchoreops about 2 years ago

Changelog

v0.52.0 (2022-07-21)

Full Changelog

Added Features

Bug Fixes

  • Unable to build binary on ppc64le architecture [Issue #1097]

syft - v0.51.0

Published by anchoreops over 2 years ago

Changelog

v0.51.0 (2022-07-11)

Full Changelog

Added Features

  • Syft ignore docker images [Issue #670]
  • feat: add support for cocoapods (Swift/Objective-C) [Issue #815]
  • An option to limit to a single filesystem (like -xdev) [Issue #674]
  • Add Gentoo Linux support [Issue #998]
  • Update README.md with information about syft choco package [Issue #1028]

Bug Fixes

  • syft attest cmd is not exporting output to file [Issue #1061]
  • Name is duplicated into Package URL Namespace when Go module path has one element [Issue #1091]
  • fix: unintended artifactRelationship records of type ownership-by-file-overlap are being reported [Issue #1077]

syft - v0.50.0

Published by anchoreops over 2 years ago

Changelog

v0.50.0 (2022-07-06)

Full Changelog

Added Features

  • Add a dockerized workflow for local dev [Issue #1042]
  • add flag for image scanning to use all catalogers rather than just some [Issue #1049]
  • feat: add Conan (C/C++) support [Issue #1082]

Bug Fixes

  • composer.json isn't parsed for packages [Issue #1064]
  • Source pom.xml cataloger Namespace error [Issue #1075]
  • unintended artifactRelationship records of type ownership-by-file-overlap are being reported in SBOMs generated against current fedora container images [Issue #1077]

syft - v0.49.0

Published by anchoreops over 2 years ago

Changelog

v0.49.0 (2022-06-24)

Full Changelog

Added Features

  • Allow user-defined output formats [Issue #152]
  • Add ability to enable/disable package catalogers [Issue #465]
  • Catalog packages from source pom.xml during directory scans [Issue #676]
  • Enable/disable SBOM generation for specific language types [Issue #840]
  • Add support for Mariner distroless images [Issue #1044]

Bug Fixes

  • No results for rpm packages when run against version 9.x of redhat/almalinux [Issue #1030]
  • Updates parsing of yarn.lock to use resolved URLs [PR #926]

syft - v0.48.1

Published by anchoreops over 2 years ago

Changelog

v0.48.1 (2022-06-16)

Full Changelog

Bug Fixes

syft - v0.48.0

Published by anchoreops over 2 years ago

Changelog

v0.48.0 (2022-06-16)

Full Changelog

Added Features

  • Add Pacman (Arch linux package manager) support [Issue #241]

Bug Fixes

syft - v0.47.0

Published by anchoreops over 2 years ago

Changelog

v0.47.0 (2022-06-09)

Full Changelog

Added Features

  • Support newer versions of 'rpm' that use Sqlite for the db instead of BerkeleyDB [Issue #469]
  • Support 'ndb' rpm database format used in rpmdb 4.15+ [Issue #504]
  • Amazon Linux 2022 [Issue #838]
  • Specify the "main module" in Go binary metadata for packages [Issue #908]
  • Make Syft available in the Nix Package Store (nixpkgs) [Issue #1019]

Bug Fixes

  • Version is [not provided] when encoding to most formats [Issue #1010]
  • Panic from Syft cyclonedx format method [Issue #1014]

syft - v0.46.3

Published by anchoreops over 2 years ago

Changelog

v0.46.3 (2022-05-26)

Full Changelog

Bug Fixes

  • Longer CPEs for golang modules to avoid false positives [PR #1006] [jonasagx]
  • Package.json cataloger malformed licences dropping package [Issue #1008]

syft - v0.46.2

Published by anchoreops over 2 years ago

Changelog

v0.46.2 (2022-05-23)

Full Changelog

Bug Fixes

syft - v0.46.1

Published by anchoreops over 2 years ago

Changelog

v0.46.1 (2022-05-16)

Bug Fixes

  • Fix Cyclone-DX output so only valid enum values are produced. Add integration tests to cover validation. [PR #967] [Christopher Phillips]

Full Changelog

syft - v0.46.0

Published by anchoreops over 2 years ago

Changelog

v0.46.0 (2022-05-12)

Full Changelog

Added Features

Bug Fixes

  • Fix github-json output option [PR #967] [StevenMaude]
  • Clearing Go main module version makes creating a CycloneDX 1.3 JSON document difficult [Issue #959]
  • WARN golang cataloger: failed to read buildinfo [Issue #978]

syft - v0.45.1

Published by anchoreops over 2 years ago

Changelog

v0.45.1 (2022-05-03)

Full Changelog

Bug Fixes

  • reduce noise of log output at the info level [PR #976] [luhring]
  • fix Illegal character encoding in CycloneDX-XML. [Issue #918]
  • update golang crypto library dependency [Issue #972]

syft - v0.45.0

Published by anchoreops over 2 years ago

Changelog

v0.45.0 (2022-04-29)

Full Changelog

Added Features

  • Preserve package IDs on Syft JSON SBOM decode [PR #963] [wagoodman]
  • refactor command package to remove globals and add dependency injection [PR #965] [spiffcs]

Bug Fixes

  • Decoding of sparse CycloneDX does not set language [Issue #953]

syft - v0.44.1

Published by anchoreops over 2 years ago

Changelog

v0.44.1 (2022-04-15)

Full Changelog

Bug Fixes

  • Invalid SPDXID (contains an underscore) [Issue #949]
  • Invalid SPDXID (contains a slash) [Issue #952]