syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

APACHE-2.0 License

Downloads: 1.4K | Stars: 5.4K | Committers: 141

syft - v1.7.0 Latest Release

Published by github-actions[bot] 4 months ago

Added Features

  • index known CPEs for wordpress plugins and themes [#2963 @westonsteimel]
  • Consider Author field for wordpress plugins when generating CPEs [#2946 @wagoodman]

Bug Fixes

  • improve version extraction from ldflags for pingcap TiDB [#2962 @westonsteimel]
  • Trim whitespace from wordpress values [#2945 @wagoodman]
  • Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger [#2954 #2965 @spiffcs]
  • Poetry's multiple constraints seem to break the parser [#2947 #2965 @spiffcs]
  • Golang: Search remote licenses not working in a CI pipeline when scanning Docker image [#2798 #2852 @kzantow]

(Full Changelog)

syft - v1.6.0

Published by github-actions[bot] 4 months ago

Added Features

  • Add relationships for go binary packages [#2912 @wagoodman]
  • Add classifier for util-linux [#2933 @LaurentGoderre]
  • Lua: Add support for more advanced syntax [#2908 @LaurentGoderre]
  • add license field to ELF binary package metadata [#2890 @brian-ebarb]
  • install.sh: check checksums file's signature [#2884 #2941 @wagoodman]
  • Detect ELF package notes from fedora binaries [#2713 #2939 @wagoodman]

Bug Fixes

  • Use redhat as namespace for redhat rpms [#2914 @ralphbean]
  • Close sqlite driver after testing sqlite availability [#2922 @ttc0419]
  • syft does not find anything in archives if /tmp is a tmpfs [#2894 #2918 @willmurphyscode]
  • Scanning a git repository folder present in /tmp produces an empty SBOM [#2847 #2918 @willmurphyscode]

Additional Changes

  • update unit tests to use pinned patch version [#2932 @spiffcs]
  • fix comments and spelling [#2920 @dufucun]


syft - v1.5.0

Published by github-actions[bot] 5 months ago

Added Features

  • Add abstraction for adding relationships from package cataloger results [#2853 @wagoodman]
  • Capture dependencies when parsing SPDX SBOMs [#2869 @russellhaering]
  • Add python wheel egg relationships [#2903 @wagoodman]
  • Added functionality to convert major, minor, patch to version [#2864 @LaurentGoderre]
  • Add support for RPM DB package relationships [#2872 @wagoodman]
  • Detect fluent-bit binaries [#2904 #2905 @kzantow]
  • Add syft config command [#2598 #2892 @kzantow]

Bug Fixes

  • Fix DecoderCollection discarding input from non-seekable Readers [#2878 @russellhaering]
  • Handle GOEXPERIMENTs in go version [#2893 @jonjohnsonjr]
  • Go Mod Cataloger: Remove Replaced Packages [#2891 @russellhaering]
  • Use values in relationship To/From fields [#2871 @wagoodman]
  • Java package names showing up namespaced packages [#2230]

Additional Changes

  • Reduce length of readme, moving lengthy content to the wiki [#2882 @popey]
  • update spdx license list to 3.24.0 [#2895 @spiffcs]


syft - v1.4.1

Published by github-actions[bot] 5 months ago

Bug Fixes

  • Fix redundant package deletions when considering ELF packages [#2862 @wagoodman]


syft - v1.4.0

Published by github-actions[bot] 5 months ago

Added Features

  • Add detection for newer version of Erlang/OTP [#2829 @LaurentGoderre]
  • Add missing CPE for traefik, memcached, and postgres binaries [#2845 @LaurentGoderre]
  • Add binary classifier for ArangoDB [#2830 @LaurentGoderre]
  • Add relationships to ELF packages [#2715 @brian-ebarb @cdivers18]
  • Add relationships for ALPM packages (arch linux) [#2851 @wagoodman]

Bug Fixes

  • close temp rpmdb file [#2792 @testwill]
  • fix Windows file paths in local go mod cache [#2654 @willmurphyscode]
  • Package Count doesn't match list of packages [#2304 #2839 @wagoodman]
  • New version 1.3.0 leads to "too many open files" while scanning bigger images [#2819 #2823 @willmurphyscode]
  • license_info_in_file is mandatory in SPDX-2.2 [#2163 #2168 @kzantow]
  • Wrong CPE for dnsmasq [#2636 #2659 @kzantow]
  • SPDX originator is not always populated [#2632 #2822 @wagoodman]

Additional Changes

  • Improve linting for defer Close type issues [#2826]
  • use ruleguard to test for missing defer statements [#2837 @willmurphyscode]
  • Publish security policy [#2835 @wagoodman]
  • fix function name in comment [#2771 @camcui]
  • enable go-critic deferInLoop lint [#2825 @willmurphyscode]


syft - v1.3.0

Published by github-actions[bot] 6 months ago

Added Features

  • index known CPEs for go modules [#2816 @westonsteimel]
  • support multiple known CPEs in index [#2813 @westonsteimel]
  • index known CPEs for PHP Composer packagist.org packages [#2804 @westonsteimel]
  • index known cpes for PHP extensions [#2777 @westonsteimel]

Bug Fixes

  • re-use embedded union reader if possible [#2814 @willmurphyscode]
  • prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io [#2806 @westonsteimel]
  • improvements to known CPE index construction [#2801 @westonsteimel]
  • Syft panics when scanning OCI image that contains packaged helm chart [#2745 #2757 @willmurphyscode]
  • Pom parser not resolving all dependency versions [#2776 #2781 @willmurphyscode]
  • exclude known instrumentation jars from being erroneously identified [#2796 @kzantow]
  • return empty string if dereferencing pom var fails [#2797 @willmurphyscode]


syft - v1.2.0

Published by github-actions[bot] 6 months ago

Added Features

  • Differentiate between JRE and JDK [#2748 @LaurentGoderre]
  • Add support for dnf packages [#2758]

Bug Fixes

  • more robust go main version extraction [#2767 @kzantow]
  • Regression in 1.1 cataloging openjdk: generates version containing a null byte [#2750 #2766 @LaurentGoderre]


syft - v1.1.1

Published by github-actions[bot] 7 months ago

Bug Fixes

  • update anchore/packageurl-go to use latest commits [#2746 @spiffcs]
  • fix panic scanning binaries without symtab [#2736 #2739 @kzantow]


syft - v1.1.0

Published by github-actions[bot] 7 months ago

Added Features

  • Adding the ability to retrieve remote licenses from package-lock.json [#2708 @coheigea]
  • Show binary exports, entrypoint, and imports [#2626 @wagoodman]
  • Add detection for Oracle GraalVM [#2705 @LaurentGoderre]

Bug Fixes

  • reduce duplicate case SwiftPkg [#2696 @testwill]


syft - v1.0.1

Published by github-actions[bot] 8 months ago

Bug Fixes

  • Unable to scan OCI images with syft v0.105.1 [#2678 #2683 @spiffcs]


syft - v1.0.0

Published by github-actions[bot] 8 months ago

Added Features

  • Allow source type input via CLI flag (not scheme) [#1783 #2610 @kzantow]

Bug Fixes

  • OpenSSL binary matcher fails to properly detect letter releases [#2681 #2682 @harmw]
  • TUI package count does not match package count in default table output [#2672 #2679 @wagoodman]
  • .NET NuGet - dotnet-deps cataloger not working with syft v0.94.0 [#2264 #2674 @willmurphyscode]
  • New path filtering logic excluding large number of unintended paths [#2667 #2675 @wagoodman]
  • Syft TUI can hang when using license fetching from go modules [#2653 #2673 @willmurphyscode]


syft - v0.105.1

Published by github-actions[bot] 8 months ago

Bug Fixes

  • return error codes from install script [#2664 @hacst]
  • SPDX tag value version selector [#2665 @kzantow]

Additional Changes

  • Add syft version used to SBOM tool info by default [#2647 @wagoodman]


syft - v0.105.0

Published by github-actions[bot] 8 months ago

Added Features

  • Guess go main module version based on binary contents [#2608 @wagoodman]
  • Catalog wordpress plugins [#1911 #2218 @disc]

Bug Fixes

  • ensure version output to stdout [#2621 @kzantow]
  • Survive indexing dead symlinks [#2645 @wagoodman]
  • unable to index filesystem for amazonlinux images [#2627 #2644 @wagoodman]
  • CycloneDX OS component does not have a bom-ref [#2101 #2634 @kzantow]
  • v0.104.0 interface conversion error when creating bom from singularity image [#2628 #2631 @wagoodman]

Additional Changes

  • Rename binary cataloger to be more unique [#2633 @wagoodman]
  • Suppress executable parsing issues [#2614 @wagoodman]
  • update license list, cpe dictionary [#2620 @spiffcs]


syft - v0.104.0

Published by github-actions[bot] 8 months ago

Added Features

  • Adding metadata fields when parsing yarn.lock and poetry.lock [#2350 @asi-cider]
  • Add Erlang OTP Application cataloger [#2403 @LaurentGoderre]
  • Support Conan lockfiles v0.5 [#2050]
  • Identify security-features-of-interest within binaries [#2434 #2443 @wagoodman]
  • Top-level API should be more composable [#558 #2517 @wagoodman]
  • Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]

Bug Fixes

  • unmarshal key values in Java, Go, and Conan metadata [#2603 @willmurphyscode]
  • incorrect conversion between integer types [#2605 @spiffcs]
  • prefer portable executable product version when semantically greater than file version [#2600 @westonsteimel]
  • Stop iterating maps in catalogers [#2405 #2553 @wagoodman]
  • unknown flag: --key when using syft attest --key [KEY] [#2544 #2551 @willmurphyscode]
  • purl generation broken for kafka jars [#2385 #2573 @westonsteimel]

Breaking Changes

  • Top-level API should be more composable [#558 #2517 @wagoodman]
  • Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]


syft - v0.103.1

Published by github-actions[bot] 9 months ago

Security Fixes

  • Bump archiver and stereoscope to address path traversal issues [#2570 @wagoodman]

Bug Fixes

  • Revert cosign signing of release checksums file [#2571 @wagoodman]
  • java archive parser incorrectly splitting filenames [#2563 #2565 @willmurphyscode]

Breaking Changes

  • Internalize format helpers [#2543 @wagoodman]
  • Internalize CPE generation logic [#2541 @wagoodman]


syft - v0.102.0

Published by github-actions[bot] 9 months ago

Added Features

  • Swap format uses of io.ReadSeeker for io.Reader [#2515 @wagoodman]
  • Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]

Bug Fixes

  • Implement golang Purl subpath [#2547 @LaurentGoderre]
  • CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
  • Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]
  • Syft missing linux kernel archives from SBOM results [#2524 #2526 @wagoodman]
  • LocationResolver can leak goroutines [#2487 #2518 @willmurphyscode]
  • Duplicates in Syft JSON "artifactRelationships" [#2251]

Breaking Changes

  • Use the json schema as input for templating [#2542 @wagoodman]
  • Unexport types and functions cataloger packages [#2530 @wagoodman]
  • Internalize majority of cmd package [#2533 @wagoodman]
  • Allow for RPM modularity to be optional [#2540 @wagoodman]
  • CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
  • Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]
  • Remove deprecated API features [#2257 #2508 @wagoodman]
  • Remove deprecated configuration [#1864 #2508 @wagoodman]
  • Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]

Additional Changes

  • Fix migration of integration test [#2546 @wagoodman]
  • minor cataloger and docs nits [#2519 @luhring]


syft - v0.101.1

Published by github-actions[bot] 9 months ago

Bug Fixes

  • Deduplicate digests from user configuration [#2522 @wagoodman]
  • Duplicate relationships in final SBOM [#2509 #2516 @spiffcs]


syft - v0.101.0

Published by github-actions[bot] 9 months ago

Security Fixes

  • bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#2501 @dependabot]

Added Features

  • Added binary classifier for GCC [#2479 @LaurentGoderre]
  • Add binary classifier for pypy [#2474 @LaurentGoderre]
  • Add binary classifiers for Percona Software for MySQL [#2478 @abg]
  • Added classifier for wordpress cli binary [#2473 @LaurentGoderre]
  • Add cataloger list command [#2366 @wagoodman]
  • Add ability to enable or disable individual catalogers [#1731 #1383 @wagoodman]
  • Improve cataloger selection capabilities [#1039 #1383 @wagoodman]

Bug Fixes

  • Include binary cataloger configuration defaults [#2504 @wagoodman]
  • Condense binary cataloger config in JSON output [#2499 @wagoodman]
  • Add support for the traefik binary from the official Docker image [#2484 @LaurentGoderre]
  • When specifying java-cataloger, java-pom-cataloger will also be selected [#2136 #1383 @wagoodman]


syft - v0.100.0

Published by github-actions[bot] 10 months ago

Added Features

  • Add more functionality to the Erlang parser [#2390 @LaurentGoderre]
  • Added OpenSSL binary matcher [#2416 @LaurentGoderre]
  • Add ability to extend the binaries cataloguers [#2469 @LaurentGoderre]

Bug Fixes

  • Added missing Purl for busybox [#2457 @LaurentGoderre]
  • Fix diff error obfuscating binary test failures message [#2468 @LaurentGoderre]
  • v0.99.0: CycloneDX json output breaks osv-scanner [#2467]

Additional Changes

  • update openssl binary to -x [#2456 @spiffcs]


syft - v0.99.0

Published by github-actions[bot] 10 months ago

Added Features

  • Look for a maven version in a pom from a parent dependency management… [#2423 @coheigea]
  • Adding the ability to retrieve remote licenses for yarn.lock [#2338 @coheigea]
  • Retrieve remote licenses using pom.properties when there is no pom.xml [#2315 @coheigea]
  • Add the option to retrieve remote licenses for projects defined in a … [#2409 @coheigea]
  • Parse Python licenses from LicenseFile entry in the Wheel Metadata [#2331 @coheigea]
  • Add binary classifier for the Erlang interpreter [#2417 @LaurentGoderre]
  • Parse Python licenses from LicenseExpression entry in the Wheel Metadata [#2431 @coheigea]
  • Add binary classifier for Julia lang [#2427 @LaurentGoderre]
  • Add binary detection for PHP composer [#2432 @LaurentGoderre]

Bug Fixes

  • bump fangs for ptr summarize fix [#2387 @willmurphyscode]
  • improve identification for org.codehaus.groovy artifacts [#2404 @westonsteimel]
  • improve identification for commons-jelly artifacts [#2399 @westonsteimel]
  • improve identification for io.minio artifacts [#2398 @westonsteimel]
  • improve identification for com.graphql-java artifacts [#2397 @westonsteimel]
  • improve identification for org.apache.tapestry artifacts [#2384 @westonsteimel]
  • improve identification for io.ratpack artifacts [#2379 @westonsteimel]
  • improve identification for org.apache.cassandra artifacts [#2386 @westonsteimel]
  • improve identification for org.neo4j.procedure artifacts [#2388 @westonsteimel]
  • improve identification for org.elasticsearch artifacts [#2383 @westonsteimel]
  • improve identification for org.apache.geode artifacts [#2382 @westonsteimel]
  • improve identification for org.apache.tomcat artifacts [#2381 @westonsteimel]
  • improve identification for io.projectreactor.netty artifacts [#2378 @westonsteimel]
  • stop panic when parsing Haskell stack.yaml.lock with missing hackage field [#2421 #2419 @houdini91]
  • fix detecting the name of the eclipse OSGi artifact [#2314 #2349 @westonsteimel]
  • File Sources incorrectly exclude files on Windows [#2410 #2411 @Racer159]
  • Parser for dotnet_portable_executable using wrong attribute name [#2029 #2133 @kzantow]

Breaking Changes

  • Generalize UI events for cataloging tasks [#2369 @wagoodman]

Additional Changes

  • refactor pkg.Collection to remove "catalog" references [#2439 @wagoodman]
  • Expose javascript fields in cataloger configuration [#2438 @wagoodman]
  • Use common archive catalog configuration [#2437 @wagoodman]
  • Fix file digest cataloger when passed explicit coordinates [#2436 @wagoodman]
