v1.1.0

Added Features

• Adding the ability to retrieve remote licenses from package-lock.json [#2708 @coheigea]
• Show binary exports, entrypoint, and imports [#2626 @wagoodman]
• Add detection for Oracle GraalVM [#2705 @LaurentGoderre]

Bug Fixes

• reduce duplicate case SwiftPkg [#2696 @testwill]

(Full Changelog)

v1.0.1

Bug Fixes

• Unable to scan OCI images with syft v0.105.1 [#2678 #2683 @spiffcs]

(Full Changelog)

v1.0.0

🎉 Checkout the blog post about v1!

Added Features

• Allow source type input via CLI flag (not scheme) [#1783 #2610 @kzantow]

Bug Fixes

• OpenSSL binary matcher fails to properly detect letter releases [#2681 #2682 @harmw]
• TUI package count does not match package count in default table output [#2672 #2679 @wagoodman]
• .NET NuGet - dotnet-deps cataloger not working with syft v0.94.0 [#2264 #2674 @willmurphyscode]
• New path filtering logic excluding large number of unintended paths [#2667 #2675 @wagoodman]
• Syft TUI can hang when using license fetching from go modules [#2653 #2673 @willmurphyscode]

(Full Changelog)

v0.105.1

Bug Fixes

• return error codes from install script [#2664 @hacst]
• SPDX tag value version selector [#2665 @kzantow]

Additional Changes

• Add syft version used to SBOM tool info by default [#2647 @wagoodman]

(Full Changelog)

v0.105.0

Added Features

• Guess go main module version based on binary contents [#2608 @wagoodman]
• Catalog wordpress plugins [#1911 #2218 @disc]

Bug Fixes

• ensure version output to stdout [#2621 @kzantow]
• Survive indexing dead symlinks [#2645 @wagoodman]
• unable to index filesystem for amazonlinux images [#2627 #2644 @wagoodman]
• CycloneDX OS component does not have a bom-ref [#2101 #2634 @kzantow]
• v0.104.0 interface conversion error when creating bom from singularity image [#2628 #2631 @wagoodman]

Additional Changes

• Rename binary cataloger to be more unique [#2633 @wagoodman]
• Suppress executable parsing issues [#2614 @wagoodman]
• update license list, cpe dictionary [#2620 @spiffcs]

(Full Changelog)

v0.104.0

Added Features

• Adding metadata fields when parsing yarn.lock and poetry.lock [#2350 @asi-cider]
• Add Erlang OTP Application cataloger [#2403 @LaurentGoderre]
• Support Conan lockfiles v0.5 [#2050]
• Identify security-features-of-interest within binaries [#2434 #2443 @wagoodman]
• Top-level API should be more composable [#558 #2517 @wagoodman]
• Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]

Bug Fixes

• unmarshal key values in Java, Go, and Conan metadata [#2603 @willmurphyscode]
• incorrect conversion between integer types [#2605 @spiffcs]
• prefer portable executable product version when semantically greater than file version [#2600 @westonsteimel]
• Stop iterating maps in catalogers [#2405 #2553 @wagoodman]
• unknown flag: --key when use syft attest --key [KEY] [#2544 #2551 @willmurphyscode]
• purl generation broken for kafka jars [#2385 #2573 @westonsteimel]

Breaking Changes

• Top-level API should be more composable [#558 #2517 @wagoodman]
• Annotate where each CPE on a package is sourced from [#2282 #2552 @willmurphyscode]

(Full Changelog)

v0.103.1

Security Fixes

• Bump archiver and stereoscope to address path traversal issues [#2570 @wagoodman]

Bug Fixes

• Revert cosign signing of release checksums file [#2571 @wagoodman]
• java archive parser incorrectly splitting filenames [#2563 #2565 @willmurphyscode]

Breaking Changes

• Internalize format helpers [#2543 @wagoodman]
• Internalize CPE generation logic [#2541 @wagoodman]

(Full Changelog)

v0.102.0

Added Features

• Swap format uses of io.ReadSeeker for io.Reader [#2515 @wagoodman]
• Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]

Bug Fixes

• Implement golang Purl subpath [#2547 @LaurentGoderre]
• CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
• Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]
• Syft missing linux kernel archives from SBOM results [#2524 #2526 @wagoodman]
• LocationResolver can leak goroutines [#2487 #2518 @willmurphyscode]
• Duplicates in Syft JSON "artifactRelationships" [#2251]

Breaking Changes

• Use the json schema as input for templating [#2542 @wagoodman]
• Unexport types and functions cataloger packages [#2530 @wagoodman]
• Internalize majority of cmd package [#2533 @wagoodman]
• Allow for RPM modularity to be optional [#2540 @wagoodman]
• CPE definition on pkg.Package is coupled to an external package as a type alias [#2529 #2534 @willmurphyscode]
• Cataloger interface should accept context.Context [#2521 #2528 @wagoodman]
• Remove deprecated API features [#2257 #2508 @wagoodman]
• Remove deprecated configuration [#1864 #2508 @wagoodman]
• Turn off SBOM cataloger by default [#1555 #2527 @wagoodman]

Additional Changes

• Fix migration of integration test [#2546 @wagoodman]
• minor cataloger and docs nits [#2519 @luhring]

(Full Changelog)

v0.101.1

Bug Fixes

• Deduplicate digests from user configuration [#2522 @wagoodman]
• Duplicate relationships in final SBOM [#2509 #2516 @spiffcs]

(Full Changelog)

v0.101.0

Security Fixes

• bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 [#2501 @dependabot]

Added Features

• Added binary classifier for GCC [#2479 @LaurentGoderre]
• Add binary classifier for pypy [#2474 @LaurentGoderre]
• Add binary classifiers for Percona Software for MySQL [#2478 @abg]
• Added classifier for wordpress cli binary [#2473 @LaurentGoderre]
• Add cataloger list command [#2366 @wagoodman]
• Add ability to enable or disable individual catalogers [#1731 #1383 @wagoodman]
• Improve cataloger selection capabilities [#1039 #1383 @wagoodman]

Bug Fixes

• Include binary cataloger configuration defaults [#2504 @wagoodman]
• Condense binary cataloger config in JSON output [#2499 @wagoodman]
• Add support for the traefik binary from the official Docker image [#2484 @LaurentGoderre]
• When specify java-cataloger, java-pom-cataloger will also be selected [#2136 #1383 @wagoodman]

(Full Changelog)