syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems
APACHE-2.0 License
Bot releases are hidden (Show)
Published by anchoreops about 2 years ago
Changelog
Added Features
- Attest support for Singularity images [Issue #1193]
- Remove upload to Anchore Enterprise [Issue #1252]
Bug Fixes
- Update requires to use list; remove field [PR #1234] [spiffcs]
- Deprecated SPDX license (GFDL* and BSD-2-Clause-NetBSD) [Issue #1179]
- SPDX JSON has external reference category of PACKAGE_MANAGER instead of PACKAGE-MANAGER [Issue #1236]
- Follow symlinks when searching for globs in all-layers scope [PR #1221] [kzantow]
Published by anchoreops about 2 years ago
Changelog
Added Features
- Add support for cpp
conan.lockfiles [PR #1230] - Adding file checksum field in SPDX documents [Issue #1226]
Bug Fixes
- Excluding a directory does not work on Windows [Issue #1024]
- RPM file scan failed [Issue #1231]
Published by anchoreops about 2 years ago
Changelog
Added Features
- Consistent sorting for SPDX JSON output [Issue #1213]
Bug Fixes
- Attest panic on MacOS [Issue #1210]
Published by anchoreops about 2 years ago
Changelog
Added Features
- Add flag to disable Syft hitting toolbox-data.anchore.io [Issue #1185]
Bug Fixes
- Warn on errors from RPM DB parsing [PR #1200] [wagoodman]
- SPDX PackageLicenseDeclared should be NOASSERTION [Issue #660]
- Syft failed to parse Singularity image [Issue #1150]
Published by anchoreops about 2 years ago
Changelog
v0.55.0 (2022-08-29)
Added Features
- Capture package.json private field for npm modules [Issue #1160]
- add support for pnpm [Issue #1165]
Bug Fixes
- Java-Cataloger produces empty entries for cyclonedx output [Issue #466]
- No licenses included in scan with yarn.lock [Issue #845]
- syft convert -o option erroring out [Issue #1095]
Published by anchoreops about 2 years ago
Changelog
v0.54.0 (2022-08-17)
Added Features
- Assume
:latesttag implicitly [Issue #411] - Add 'rpm modularity' to rpm records generated by syft [Issue #1145]
Bug Fixes
- Empty metadata while decoding should be allowed [PR #1154] [wagoodman]
- Add PHP Composer dev dependencies [Issue #773]
- opaque error when scanning an image in github registry [Issue #790]
- javascript-lock-cataloger not detect and parse yarn.lock file [Issue #798]
- Distro identification fails for dir: scheme when identityFiles not in scope. [Issue #814]
- podman report not working [Issue #893]
- Parsing yarn.lock fails to identify the currect package and version combinations [Issue #925]
- gemspecs going unreported [Issue #960]
- json SPDX invalid format [Issue #992]
- Docker configuration issue on release [Issue #1126]
- Can't configure off-by-default cataloger without using --all [Issue #1141]
Published by anchoreops about 2 years ago
Published by anchoreops about 2 years ago
Published by anchoreops about 2 years ago
Published by anchoreops about 2 years ago
Published by anchoreops about 2 years ago
Changelog
v0.53.0 (2022-08-02)
Added Features
- Add support for auditable Rust binaries [Issue #1108]
Bug Fixes
- WARN unable to convert relationship from CycloneDX 1.3 JSON [Issue #980]
- purls not generated for unknown types [Issue #1118]
Published by anchoreops about 2 years ago
Changelog
v0.52.0 (2022-07-21)
Added Features
- Replace scratch base image with distroless static [Issue #833]
- add Haskell support [Issue #1093]
Bug Fixes
- Unable to build binary on ppc64le architecture [Issue #1097]
Published by anchoreops over 2 years ago
Changelog
v0.51.0 (2022-07-11)
Added Features
- Syft ignore docker images [Issue #670]
- feat: add support for cocoapods (Swift/Objective-C) [Issue #815]
- An option to limit to a single filesystem (like -xdev) [Issue #674]
- Add Gentoo Linux support [Issue #998]
- Update README.md with information about syft choco package [Issue #1028]
Bug Fixes
- syft attest cmd is not exporting output to file [Issue #1061]
- Name is duplicated into Package URL Namespace when Go module path has one element [Issue #1091]
- fix: unintended artifactRelationship records of type ownership-by-file-overlap are being reported [Issue 1077]
Published by anchoreops over 2 years ago
Changelog
v0.50.0 (2022-07-06)
Added Features
- Add a dockerized workflow for local dev [Issue #1042]
- add flag for image scanning to use all catalogers rather than just some [Issue #1049]
- feat: add Conan (C/C++) support [Issue #1082]
Bug Fixes
- composer.json isn't parsed for packages [Issue #1064]
- Source pom.xml cataloger Namespace error [Issue #1075]
- unintended artifactRelationship records of type ownership-by-file-overlap are being reported in SBOMs generated against current fedora container imges [Issue #1077]
Published by anchoreops over 2 years ago
Changelog
v0.49.0 (2022-06-24)
Added Features
- Allow user-defined output formats [Issue #152]
- Add ability to enable/disable package catalogers [Issue #465]
- Catalog packages from source pom.xml during directory scans [Issue #676]
- Enable/disable SBOM generation for specific language types [Issue #840]
- Add support for Mariner distroless images [Issue #1044]
Bug Fixes
- No results for rpm packages when run against version 9.x of redhat/almalinux [Issue #1030]
- Updates parsing of yarn.lock to use resolved URLs [PR #926]
Published by anchoreops over 2 years ago
Changelog
v0.48.1 (2022-06-16)
Bug Fixes
- syft dependency graph on stereoscope upgrade [Issue #1047]. Resolves https://github.com/advisories/GHSA-5ffw-gxpp-mxpf
Published by anchoreops over 2 years ago
Changelog
v0.48.0 (2022-06-16)
Added Features
- Add Pacman (Arch linux package manager) support [Issue #241]
Bug Fixes
- syft Golang image finds no packages [Issue #1046]
Published by anchoreops over 2 years ago
Changelog
v0.47.0 (2022-06-09)
Added Features
- Support newer versions of 'rpm' that use Sqlite for the db instead of BerkeleyDB [Issue #469]
- Support 'ndb' rpm database format used in rpmdb 4.15+ [Issue #504]
- Amazon Linux 2022 [Issue #838]
- Specify the "main module" in Go binary metadata for packages [Issue #908]
- Make Syft available in the Nix Package Store (nixpkgs) [Issue #1019]
Bug Fixes
- Version is
[not provided]when encoding to most formats [Issue #1010] - Panic from Syft cyclonedx format method [Issue #1014
Published by anchoreops over 2 years ago
Changelog
v0.46.3 (2022-05-26)
Bug Fixes
- Longer CPEs for golang modules to avoid false positives [PR #1006] [jonasagx]
- Package.json cataloger malformed licences dropping package [Issue #1008]
Published by anchoreops over 2 years ago
Changelog
v0.46.2 (2022-05-23)
Bug Fixes
- Wrong source when ":" character in file name [Issue #927]
- json CycloneDX invalid format [Issue #995]
- Invalid CycloneDX SHA1 algorithm [Issue #1001]