chore(deps): update dependency anchore/syft to v0.105.1 (#38)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [anchore/syft](https://togithub.com/anchore/syft) | minor | `v0.74.0` -> `v0.105.1` |

---

### Release Notes

<details>
<summary>anchore/syft (anchore/syft)</summary>

### [`v0.105.1`](https://togithub.com/anchore/syft/releases/tag/v0.105.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.105.0...v0.105.1)

##### Bug Fixes

- return error codes from install script \[[#2664](https://togithub.com/anchore/syft/pull/2664) [@hacst](https://togithub.com/hacst)]
- SPDX tag value version selector \[[#2665](https://togithub.com/anchore/syft/pull/2665) [@kzantow](https://togithub.com/kzantow)]

##### Additional Changes

- Add syft version used to SBOM tool info by default \[[#2647](https://togithub.com/anchore/syft/pull/2647) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.105.0...v0.105.1)**

### [`v0.105.0`](https://togithub.com/anchore/syft/releases/tag/v0.105.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.104.0...v0.105.0)

##### Added Features

- Guess go main module version based on binary contents \[[#2608](https://togithub.com/anchore/syft/pull/2608) [@wagoodman](https://togithub.com/wagoodman)]
- Catalog wordpress plugins \[[#1911](https://togithub.com/anchore/syft/issues/1911) [#2218](https://togithub.com/anchore/syft/pull/2218) [@disc](https://togithub.com/disc)]

##### Bug Fixes

- ensure version output to stdout \[[#2621](https://togithub.com/anchore/syft/pull/2621) [@kzantow](https://togithub.com/kzantow)]
- Survive indexing dead symlinks \[[#2645](https://togithub.com/anchore/syft/pull/2645) [@wagoodman](https://togithub.com/wagoodman)]
- unable to index filesystem for amazonlinux images \[[#2627](https://togithub.com/anchore/syft/issues/2627) [#2644](https://togithub.com/anchore/syft/pull/2644) [@wagoodman](https://togithub.com/wagoodman)]
- CycloneDX OS component does not have a bom-ref \[[#2101](https://togithub.com/anchore/syft/issues/2101) [#2634](https://togithub.com/anchore/syft/pull/2634) [@kzantow](https://togithub.com/kzantow)]
- v0.104.0 interface conversion error when creating bom from singularity image \[[#2628](https://togithub.com/anchore/syft/issues/2628) [#2631](https://togithub.com/anchore/syft/pull/2631) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Rename binary cataloger to be more unique \[[#2633](https://togithub.com/anchore/syft/pull/2633) [@wagoodman](https://togithub.com/wagoodman)]
- Suppress executable parsing issues \[[#2614](https://togithub.com/anchore/syft/pull/2614) [@wagoodman](https://togithub.com/wagoodman)]
- update license list, cpe dictionary \[[#2620](https://togithub.com/anchore/syft/pull/2620) [@spiffcs](https://togithub.com/spiffcs)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.104.0...v0.105.0)**

### [`v0.104.0`](https://togithub.com/anchore/syft/releases/tag/v0.104.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.103.1...v0.104.0)

##### Added Features

- Adding metadata fields when parsing yarn.lock and poetry.lock \[[#2350](https://togithub.com/anchore/syft/pull/2350) [@asi-cider](https://togithub.com/asi-cider)]
- Add Erlang OTP Application cataloger \[[#2403](https://togithub.com/anchore/syft/pull/2403) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Support Conan lockfiles v0.5 \[[#2050](https://togithub.com/anchore/syft/issues/2050)]
- Identify security-features-of-interest within binaries \[[#2434](https://togithub.com/anchore/syft/issues/2434) [#2443](https://togithub.com/anchore/syft/pull/2443) [@wagoodman](https://togithub.com/wagoodman)]
- Top-level API should be more composable \[[#558](https://togithub.com/anchore/syft/issues/558) [#2517](https://togithub.com/anchore/syft/pull/2517) [@wagoodman](https://togithub.com/wagoodman)]
- Annotate where each CPE on a package is sourced from \[[#2282](https://togithub.com/anchore/syft/issues/2282) [#2552](https://togithub.com/anchore/syft/pull/2552) [@willmurphyscode](https://togithub.com/willmurphyscode)]

##### Bug Fixes

- unmarshal key values in Java, Go, and Conan metadata \[[#2603](https://togithub.com/anchore/syft/pull/2603) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- incorrect conversion between integer types \[[#2605](https://togithub.com/anchore/syft/pull/2605) [@spiffcs](https://togithub.com/spiffcs)]
- prefer portable executable product version when semantically greater than file version \[[#2600](https://togithub.com/anchore/syft/pull/2600) [@westonsteimel](https://togithub.com/westonsteimel)]
- Stop iterating maps in catalogers \[[#2405](https://togithub.com/anchore/syft/issues/2405) [#2553](https://togithub.com/anchore/syft/pull/2553) [@wagoodman](https://togithub.com/wagoodman)]
- unknown flag: --key when use syft attest --key \[KEY] \[[#2544](https://togithub.com/anchore/syft/issues/2544) [#2551](https://togithub.com/anchore/syft/pull/2551) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- purl generation broken for kafka jars \[[#2385](https://togithub.com/anchore/syft/issues/2385) [#2573](https://togithub.com/anchore/syft/pull/2573) [@westonsteimel](https://togithub.com/westonsteimel)]

##### Breaking Changes

- Top-level API should be more composable \[[#558](https://togithub.com/anchore/syft/issues/558) [#2517](https://togithub.com/anchore/syft/pull/2517) [@wagoodman](https://togithub.com/wagoodman)]
- Annotate where each CPE on a package is sourced from \[[#2282](https://togithub.com/anchore/syft/issues/2282) [#2552](https://togithub.com/anchore/syft/pull/2552) [@willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.103.1...v0.104.0)**

### [`v0.103.1`](https://togithub.com/anchore/syft/releases/tag/v0.103.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.103.0...v0.103.1)

##### Security Fixes

- Bump archiver and stereoscope to address path traversal issues \[[#2570](https://togithub.com/anchore/syft/pull/2570) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Revert cosign signing of release checksums file \[[#2571](https://togithub.com/anchore/syft/pull/2571) [@wagoodman](https://togithub.com/wagoodman)]
- java archive parser incorrectly splitting filenames \[[#2563](https://togithub.com/anchore/syft/issues/2563) [#2565](https://togithub.com/anchore/syft/pull/2565) [@willmurphyscode](https://togithub.com/willmurphyscode)]

##### Breaking Changes

- Internalize format helpers \[[#2543](https://togithub.com/anchore/syft/pull/2543) [@wagoodman](https://togithub.com/wagoodman)]
- Internalize CPE generation logic \[[#2541](https://togithub.com/anchore/syft/pull/2541) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.102.0...v0.103.1)**

### [`v0.103.0`](https://togithub.com/anchore/syft/compare/v0.102.0...v0.103.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.102.0...v0.103.0)

### [`v0.102.0`](https://togithub.com/anchore/syft/releases/tag/v0.102.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.101.1...v0.102.0)

##### Added Features

- Swap format uses of io.ReadSeeker for io.Reader \[[#2515](https://togithub.com/anchore/syft/pull/2515) [@wagoodman](https://togithub.com/wagoodman)]
- Cataloger interface should accept context.Context \[[#2521](https://togithub.com/anchore/syft/issues/2521) [#2528](https://togithub.com/anchore/syft/pull/2528) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Implement golang Purl subpath \[[#2547](https://togithub.com/anchore/syft/pull/2547) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- CPE definition on `pkg.Package` is coupled to an external package as a type alias \[[#2529](https://togithub.com/anchore/syft/issues/2529) [#2534](https://togithub.com/anchore/syft/pull/2534) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Turn off SBOM cataloger by default \[[#1555](https://togithub.com/anchore/syft/issues/1555) [#2527](https://togithub.com/anchore/syft/pull/2527) [@wagoodman](https://togithub.com/wagoodman)]
- Syft missing linux kernel archives from SBOM results \[[#2524](https://togithub.com/anchore/syft/issues/2524) [#2526](https://togithub.com/anchore/syft/pull/2526) [@wagoodman](https://togithub.com/wagoodman)]
- LocationResolver can leak goroutines \[[#2487](https://togithub.com/anchore/syft/issues/2487) [#2518](https://togithub.com/anchore/syft/pull/2518) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Duplicates in Syft JSON "artifactRelationships" \[[#2251](https://togithub.com/anchore/syft/issues/2251)]

##### Breaking Changes

- Use the json schema as input for templating \[[#2542](https://togithub.com/anchore/syft/pull/2542) [@wagoodman](https://togithub.com/wagoodman)]
- Unexport types and functions cataloger packages \[[#2530](https://togithub.com/anchore/syft/pull/2530) [@wagoodman](https://togithub.com/wagoodman)]
- Internalize majority of cmd package \[[#2533](https://togithub.com/anchore/syft/pull/2533) [@wagoodman](https://togithub.com/wagoodman)]
- Allow for RPM modularity to be optional \[[#2540](https://togithub.com/anchore/syft/pull/2540) [@wagoodman](https://togithub.com/wagoodman)]
- CPE definition on `pkg.Package` is coupled to an external package as a type alias \[[#2529](https://togithub.com/anchore/syft/issues/2529) [#2534](https://togithub.com/anchore/syft/pull/2534) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Cataloger interface should accept context.Context \[[#2521](https://togithub.com/anchore/syft/issues/2521) [#2528](https://togithub.com/anchore/syft/pull/2528) [@wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated API features \[[#2257](https://togithub.com/anchore/syft/issues/2257) [#2508](https://togithub.com/anchore/syft/pull/2508) [@wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated configuration \[[#1864](https://togithub.com/anchore/syft/issues/1864) [#2508](https://togithub.com/anchore/syft/pull/2508) [@wagoodman](https://togithub.com/wagoodman)]
- Turn off SBOM cataloger by default \[[#1555](https://togithub.com/anchore/syft/issues/1555) [#2527](https://togithub.com/anchore/syft/pull/2527) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Fix migration of integration test \[[#2546](https://togithub.com/anchore/syft/pull/2546) [@wagoodman](https://togithub.com/wagoodman)]
- minor cataloger and docs nits \[[#2519](https://togithub.com/anchore/syft/pull/2519) [@luhring](https://togithub.com/luhring)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.101.1...v0.102.0)**

### [`v0.101.1`](https://togithub.com/anchore/syft/releases/tag/v0.101.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.101.0...v0.101.1)

##### Bug Fixes

- Deduplicate digests from user configuration \[[#2522](https://togithub.com/anchore/syft/pull/2522) [@wagoodman](https://togithub.com/wagoodman)]
- Duplicate relationships in final SBOM \[[#2509](https://togithub.com/anchore/syft/issues/2509) [#2516](https://togithub.com/anchore/syft/pull/2516) [@spiffcs](https://togithub.com/spiffcs)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.101.0...v0.101.1)**

### [`v0.101.0`](https://togithub.com/anchore/syft/releases/tag/v0.101.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.100.0...v0.101.0)

##### Security Fixes

- bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 \[[#2501](https://togithub.com/anchore/syft/pull/2501) [@dependabot](https://togithub.com/dependabot)]

##### Added Features

- Added binary classifier for GCC \[[#2479](https://togithub.com/anchore/syft/pull/2479) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary classifier for pypy \[[#2474](https://togithub.com/anchore/syft/pull/2474) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary classifiers for Percona Software for MySQL \[[#2478](https://togithub.com/anchore/syft/pull/2478) [@abg](https://togithub.com/abg)]
- Added classifier for wordpress cli binary \[[#2473](https://togithub.com/anchore/syft/pull/2473) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add cataloger list command \[[#2366](https://togithub.com/anchore/syft/pull/2366) [@wagoodman](https://togithub.com/wagoodman)]
- Add ability to enable or disable individual catalogers \[[#1731](https://togithub.com/anchore/syft/issues/1731) [#1383](https://togithub.com/anchore/syft/pull/1383) [@wagoodman](https://togithub.com/wagoodman)]
- Improve cataloger selection capabilities \[[#1039](https://togithub.com/anchore/syft/issues/1039) [#1383](https://togithub.com/anchore/syft/pull/1383) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Include binary cataloger configuration defaults \[[#2504](https://togithub.com/anchore/syft/pull/2504) [@wagoodman](https://togithub.com/wagoodman)]
- Condense binary cataloger config in JSON output \[[#2499](https://togithub.com/anchore/syft/pull/2499) [@wagoodman](https://togithub.com/wagoodman)]
- Add support for the traefik binary from the official Docker image \[[#2484](https://togithub.com/anchore/syft/pull/2484) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- When specify java-cataloger, java-pom-cataloger will also be selected \[[#2136](https://togithub.com/anchore/syft/issues/2136) [#1383](https://togithub.com/anchore/syft/pull/1383) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.100.0...v0.101.0)**

### [`v0.100.0`](https://togithub.com/anchore/syft/releases/tag/v0.100.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.99.0...v0.100.0)

##### Added Features

- Add more functionality to the ErLang parser \[[#2390](https://togithub.com/anchore/syft/pull/2390) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Added OpenSSL binary matcher \[[#2416](https://togithub.com/anchore/syft/pull/2416) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add ability to extend the binaries cataloguers \[[#2469](https://togithub.com/anchore/syft/pull/2469) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]

##### Bug Fixes

- Added missing Purl for busybox \[[#2457](https://togithub.com/anchore/syft/pull/2457) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Fix diff error obfuscating binary test failures message \[[#2468](https://togithub.com/anchore/syft/pull/2468) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- v0.99.0: CycloneDX json output breaks osv-scanner \[[#2467](https://togithub.com/anchore/syft/issues/2467)]

##### Additional Changes

- update openssl binary to -x \[[#2456](https://togithub.com/anchore/syft/pull/2456) [@spiffcs](https://togithub.com/spiffcs)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.99.0...v0.100.0)**

### [`v0.99.0`](https://togithub.com/anchore/syft/releases/tag/v0.99.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)

##### Added Features

- Look for a maven version in a pom from a parent dependency management… \[[#2423](https://togithub.com/anchore/syft/pull/2423) [@coheigea](https://togithub.com/coheigea)]
- Adding the ability to retrieve remote licenses for yarn.lock \[[#2338](https://togithub.com/anchore/syft/pull/2338) [@coheigea](https://togithub.com/coheigea)]
- Retrieve remote licenses using pom.properties when there is no pom.xml \[[#2315](https://togithub.com/anchore/syft/pull/2315) [@coheigea](https://togithub.com/coheigea)]
- Add the option to retrieve remote licenses for projects defined in a … \[[#2409](https://togithub.com/anchore/syft/pull/2409) [@coheigea](https://togithub.com/coheigea)]
- Parse Python licenses from LicenseFile entry in the Wheel Metadata \[[#2331](https://togithub.com/anchore/syft/pull/2331) [@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for the ERLang interpreter \[[#2417](https://togithub.com/anchore/syft/pull/2417) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Parse Python licenses from LicenseExpression entry in the Wheel Metadata \[[#2431](https://togithub.com/anchore/syft/pull/2431) [@coheigea](https://togithub.com/coheigea)]
- Add binary classifier for Julia lang \[[#2427](https://togithub.com/anchore/syft/pull/2427) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]
- Add binary detection for PHP composer \[[#2432](https://togithub.com/anchore/syft/pull/2432) [@LaurentGoderre](https://togithub.com/LaurentGoderre)]

##### Bug Fixes

- bump fangs for ptr summarize fix \[[#2387](https://togithub.com/anchore/syft/pull/2387) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- improve identification for org.codehaus.groovy artifacts \[[#2404](https://togithub.com/anchore/syft/pull/2404) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for commons-jelly artifacts \[[#2399](https://togithub.com/anchore/syft/pull/2399) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.minio artifacts \[[#2398](https://togithub.com/anchore/syft/pull/2398) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for com.graphql-java artifacts \[[#2397](https://togithub.com/anchore/syft/pull/2397) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tapestry artifacts \[[#2384](https://togithub.com/anchore/syft/pull/2384) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.ratpack artifacts \[[#2379](https://togithub.com/anchore/syft/pull/2379) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.cassandra artifacts \[[#2386](https://togithub.com/anchore/syft/pull/2386) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.neo4j.procedure artifacts \[[#2388](https://togithub.com/anchore/syft/pull/2388) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.elasticsearch artifacts \[[#2383](https://togithub.com/anchore/syft/pull/2383) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.geode artifacts \[[#2382](https://togithub.com/anchore/syft/pull/2382) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for org.apache.tomcat artifacts \[[#2381](https://togithub.com/anchore/syft/pull/2381) [@westonsteimel](https://togithub.com/westonsteimel)]
- improve identification for io.projectreactor.netty artifacts \[[#2378](https://togithub.com/anchore/syft/pull/2378) [@westonsteimel](https://togithub.com/westonsteimel)]
- stop panic when parsing Haskell stack.yaml.lock with missing `hackage` field \[[#2421](https://togithub.com/anchore/syft/issues/2421) [#2419](https://togithub.com/anchore/syft/pull/2419) [@houdini91](https://togithub.com/houdini91)]
- fix detecting the name of the eclipse OSGi artifact \[[#2314](https://togithub.com/anchore/syft/issues/2314) [#2349](https://togithub.com/anchore/syft/pull/2349) [@westonsteimel](https://togithub.com/westonsteimel)]
- File Sources incorrectly exclude files on Windows \[[#2410](https://togithub.com/anchore/syft/issues/2410) [#2411](https://togithub.com/anchore/syft/pull/2411) [@Racer159](https://togithub.com/Racer159)]
- Parser for dotnet_portable_executable using wrong attribute name \[[#2029](https://togithub.com/anchore/syft/issues/2029) [#2133](https://togithub.com/anchore/syft/pull/2133) [@kzantow](https://togithub.com/kzantow)]

##### Breaking Changes

- Generalize UI events for cataloging tasks \[[#2369](https://togithub.com/anchore/syft/pull/2369) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- refactor pkg.Collection to remove "catalog" references \[[#2439](https://togithub.com/anchore/syft/pull/2439) [@wagoodman](https://togithub.com/wagoodman)]
- Expose javascript fields in cataloger configuration \[[#2438](https://togithub.com/anchore/syft/pull/2438) [@wagoodman](https://togithub.com/wagoodman)]
- Use common archive catalog configuration \[[#2437](https://togithub.com/anchore/syft/pull/2437) [@wagoodman](https://togithub.com/wagoodman)]
- Fix file digest cataloger when passed explicit coordinates \[[#2436](https://togithub.com/anchore/syft/pull/2436) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.98.0...v0.99.0)**

### [`v0.98.0`](https://togithub.com/anchore/syft/releases/tag/v0.98.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)

##### Added Features

- Add binary classifiers for MySQL and MariaDB \[[#2316](https://togithub.com/anchore/syft/pull/2316) [@duanemay](https://togithub.com/duanemay)]
- Enhance redis binary classifier to support additional versions \[[#2329](https://togithub.com/anchore/syft/pull/2329) [@whalelines](https://togithub.com/whalelines)]
- Expose compact JSON and XML format configuration \[[#561](https://togithub.com/anchore/syft/issues/561) [#2275](https://togithub.com/anchore/syft/pull/2275) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Fix file metadata cataloger when passed explicit coordinates \[[#2370](https://togithub.com/anchore/syft/pull/2370) [@wagoodman](https://togithub.com/wagoodman)]
- hardcode xalan group ID \[[#2368](https://togithub.com/anchore/syft/pull/2368) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- logging level for parsing potential PE files \[[#2367](https://togithub.com/anchore/syft/pull/2367) [@kzantow](https://togithub.com/kzantow)]
- Use read lock in `pkg.Collection` \[[#2341](https://togithub.com/anchore/syft/pull/2341) [@wagoodman](https://togithub.com/wagoodman)]
- add manual namespace mapping for org.springframework jars \[[#2345](https://togithub.com/anchore/syft/pull/2345) [@westonsteimel](https://togithub.com/westonsteimel)]
- add manual namespace mapping for org.springframework.security jars \[[#2343](https://togithub.com/anchore/syft/pull/2343) [@westonsteimel](https://togithub.com/westonsteimel)]
- errors are printed into the stdout in syft 0.97.1 \[[#2356](https://togithub.com/anchore/syft/issues/2356) [#2364](https://togithub.com/anchore/syft/pull/2364) [@kzantow](https://togithub.com/kzantow)]
- `syft some-jar.jar` fails to find packages if PWD is a symlink \[[#2355](https://togithub.com/anchore/syft/issues/2355) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Default for recently added base path, `""`, disables detection of symlinked `*.jar` files \[[#1962](https://togithub.com/anchore/syft/issues/1962) [#2359](https://togithub.com/anchore/syft/pull/2359) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- `syft attest` broken since 0.85.0 \[[#2333](https://togithub.com/anchore/syft/issues/2333) [#2337](https://togithub.com/anchore/syft/pull/2337) [@wagoodman](https://togithub.com/wagoodman)]
- Incorrect Java PURL for org.bouncycastle jars \[[#2339](https://togithub.com/anchore/syft/issues/2339) [#2342](https://togithub.com/anchore/syft/pull/2342) [@westonsteimel](https://togithub.com/westonsteimel)]

##### Breaking Changes

- Remove power-user command and related catalogers \[[#1419](https://togithub.com/anchore/syft/issues/1419) [#2306](https://togithub.com/anchore/syft/pull/2306) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Normalize cataloger configuration patterns \[[#2365](https://togithub.com/anchore/syft/pull/2365) [@wagoodman](https://togithub.com/wagoodman)]
- Normalize enums to lowercase with hyphens \[[#2363](https://togithub.com/anchore/syft/pull/2363) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.1...v0.98.0)**

##### Special Thanks

Thanks [@duanemay](https://togithub.com/duanemay) and [@whalelines](https://togithub.com/whalelines) for the enhanced binary classifier support 👍

### [`v0.97.1`](https://togithub.com/anchore/syft/releases/tag/v0.97.1)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)

##### Bug Fixes

- Syft does not use HTTP proxy when downloading the Docker image itself \[[#2203](https://togithub.com/anchore/syft/issues/2203) [#2336](https://togithub.com/anchore/syft/pull/2336) [@anchore-actions-token-generator](https://togithub.com/anchore-actions-token-generator)]

##### Additional Changes

- `syft version` report is broken with 0.97.0 release \[[#2334](https://togithub.com/anchore/syft/issues/2334) [#2335](https://togithub.com/anchore/syft/pull/2335) [@spiffcs](https://togithub.com/spiffcs)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.97.0...v0.97.1)**

### [`v0.97.0`](https://togithub.com/anchore/syft/releases/tag/v0.97.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)

##### Added Features

- Add license for golang stdlib package \[[#2317](https://togithub.com/anchore/syft/pull/2317) [@coheigea](https://togithub.com/coheigea)]
- Fall back to searching maven central using groupIDFromJavaMetadata \[[#2295](https://togithub.com/anchore/syft/pull/2295) [@coheigea](https://togithub.com/coheigea)]

##### Bug Fixes

- Refine license search from groupIDFromJavaMetadata to account for artfactId in the groupId \[[#2313](https://togithub.com/anchore/syft/pull/2313) [@coheigea](https://togithub.com/coheigea)]
- capture content written to stdout outside of report \[[#2324](https://togithub.com/anchore/syft/pull/2324) [@kzantow](https://togithub.com/kzantow)]
- add manual groupid mappings for org.apache.velocity jars \[[#2327](https://togithub.com/anchore/syft/pull/2327) [@westonsteimel](https://togithub.com/westonsteimel)]
- skip maven bundle plugin logic if vendor id and symbolic name match \[[#2326](https://togithub.com/anchore/syft/pull/2326) [@westonsteimel](https://togithub.com/westonsteimel)]
- cataloger `dpkg-db-cataloger` not working \[[#2323](https://togithub.com/anchore/syft/issues/2323)]

##### Breaking Changes

- Rename Location virtualPath to accessPath \[[#1835](https://togithub.com/anchore/syft/issues/1835) [#2288](https://togithub.com/anchore/syft/pull/2288) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Export syft-json format package metadata type helper \[[#2328](https://togithub.com/anchore/syft/pull/2328) [@wagoodman](https://togithub.com/wagoodman)]
- Add dotnet-portable-executable-cataloger to README \[[#2322](https://togithub.com/anchore/syft/pull/2322) [@noqcks](https://togithub.com/noqcks)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.96.0...v0.97.0)**

### [`v0.96.0`](https://togithub.com/anchore/syft/releases/tag/v0.96.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)

##### Added Features

- Check maven central as well for licenses in parents poms for nested jars \[[#2302](https://togithub.com/anchore/syft/pull/2302) [@coheigea](https://togithub.com/coheigea)]
- store image annotations inside the SBOM \[[#2267](https://togithub.com/anchore/syft/issues/2267) [#2294](https://togithub.com/anchore/syft/pull/2294) [@noqcks](https://togithub.com/noqcks)]
- Support parsing license information in Maven projects via parent poms \[[#2103](https://togithub.com/anchore/syft/issues/2103)]

##### Bug Fixes

- SPDX file has duplicate sha256 tag in versionInfo \[[#2300](https://togithub.com/anchore/syft/pull/2300) [@coheigea](https://togithub.com/coheigea)]
- Report virtual path consistently between file.Resolvers \[[#1836](https://togithub.com/anchore/syft/issues/1836) [#2287](https://togithub.com/anchore/syft/pull/2287) [@wagoodman](https://togithub.com/wagoodman)]
- Unable to identify CycloneDX JSON documents without $schema property \[[#2299](https://togithub.com/anchore/syft/issues/2299) [#2303](https://togithub.com/anchore/syft/pull/2303) [@kzantow](https://togithub.com/kzantow)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.95.0...v0.96.0)**

### [`v0.95.0`](https://togithub.com/anchore/syft/releases/tag/v0.95.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)

##### Added Features

- Use case-insensitive matching for Go license files \[[#2286](https://togithub.com/anchore/syft/pull/2286) [@miquella](https://togithub.com/miquella)]
- Add conaninfo.txt parser to detect conan packages in docker images \[[#2234](https://togithub.com/anchore/syft/pull/2234) [@Pro](https://togithub.com/Pro)]
- Perform case insensitive matching on Java License files \[[#2235](https://togithub.com/anchore/syft/pull/2235) [@coheigea](https://togithub.com/coheigea)]
- Read a license from a parent pom stored in Maven Central \[[#2228](https://togithub.com/anchore/syft/pull/2228) [@coheigea](https://togithub.com/coheigea)]
- Add PURLs when scanning Gradle lock files \[[#2278](https://togithub.com/anchore/syft/pull/2278) [@robbiev](https://togithub.com/robbiev)]

##### Bug Fixes

- Fix CPE index workflow \[[#2252](https://togithub.com/anchore/syft/pull/2252) [@wagoodman](https://togithub.com/wagoodman)]
- Fix cpe generation task \[[#2270](https://togithub.com/anchore/syft/pull/2270) [@willmurphyscode](https://togithub.com/willmurphyscode)]
- Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)]
- .NET / nuget - invalid SBOM generated after parsing \[[#2255](https://togithub.com/anchore/syft/issues/2255) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)]
- Wrong parsing after v0.85.0 syft for some components \[[#2241](https://togithub.com/anchore/syft/issues/2241) [#2273](https://togithub.com/anchore/syft/pull/2273) [@spiffcs](https://togithub.com/spiffcs)]
- SPDX-2.3 is misidentified as SPDX-2.2 \[[#2112](https://togithub.com/anchore/syft/issues/2112) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)]
- Jar parser chokes on empty lines \[[#2179](https://togithub.com/anchore/syft/issues/2179) [#2254](https://togithub.com/anchore/syft/pull/2254) [@spiffcs](https://togithub.com/spiffcs)]
- Add a new Java configuration option to recursively search parent poms… \[[#2274](https://togithub.com/anchore/syft/pull/2274) [@coheigea](https://togithub.com/coheigea)]
- Fix directory resolver to always return virtual path \[[#2259](https://togithub.com/anchore/syft/pull/2259) [@wagoodman](https://togithub.com/wagoodman)]
- Syft can now handle the case of parsing a jar with multiple poms \[[#2231](https://togithub.com/anchore/syft/pull/2231) [@coheigea](https://togithub.com/coheigea)]
- Add ruby.NewGemSpecCataloger to DirectoryCatalogers \[[#1971](https://togithub.com/anchore/syft/pull/1971) [@evanchaoli](https://togithub.com/evanchaoli)]

##### Breaking Changes

- Introduce cataloger naming conventions \[[#1578](https://togithub.com/anchore/syft/issues/1578) [#2277](https://togithub.com/anchore/syft/pull/2277) [@wagoodman](https://togithub.com/wagoodman)]
- Remove MetadataType from the core package struct \[[#1735](https://togithub.com/anchore/syft/issues/1735) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)]
- Add convention for JSON metadata type names and port existing values to the new convention \[[#1844](https://togithub.com/anchore/syft/issues/1844) [#1983](https://togithub.com/anchore/syft/pull/1983) [@wagoodman](https://togithub.com/wagoodman)]
- Remove deprecated syft.Format functions \[[#1344](https://togithub.com/anchore/syft/issues/1344) [#2186](https://togithub.com/anchore/syft/pull/2186) [@wagoodman](https://togithub.com/wagoodman)]

##### Additional Changes

- Upgrade tool management \[[#2188](https://togithub.com/anchore/syft/pull/2188) [@wagoodman](https://togithub.com/wagoodman)]
- Fix homebrew post-release workflow \[[#2242](https://togithub.com/anchore/syft/pull/2242) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.94.0...v0.95.0)**

### [`v0.94.0`](https://togithub.com/anchore/syft/releases/tag/v0.94.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)

##### Added Features

- Add additional license filenames \[[#2227](https://togithub.com/anchore/syft/pull/2227) [@coheigea](https://togithub.com/coheigea)]
- Parse donet dependency trees \[[#2143](https://togithub.com/anchore/syft/pull/2143) [@noqcks](https://togithub.com/noqcks)]
- Find license by embedded license text \[[#2147](https://togithub.com/anchore/syft/issues/2147) [#2213](https://togithub.com/anchore/syft/pull/2213) [@coheigea](https://togithub.com/coheigea)]
- Add support for dpkg dependency relationships \[[#2040](https://togithub.com/anchore/syft/issues/2040) [#2212](https://togithub.com/anchore/syft/pull/2212) [@wagoodman](https://togithub.com/wagoodman)]

##### Bug Fixes

- Report errors to stderr not stdout \[[#2232](https://togithub.com/anchore/syft/pull/2232) [@wagoodman](https://togithub.com/wagoodman)]
- Python egg packages are not parsed for SBOM \[[#1761](https://togithub.com/anchore/syft/issues/1761) [#2239](https://togithub.com/anchore/syft/pull/2239) [@spiffcs](https://togithub.com/spiffcs)]
- Java archive is listed twice \[[#2130](https://togithub.com/anchore/syft/issues/2130) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)]
- Java archives not from Maven \[[#2217](https://togithub.com/anchore/syft/issues/2217) [#2220](https://togithub.com/anchore/syft/pull/2220) [@wagoodman](https://togithub.com/wagoodman)]
- Remove internal.StringSet \[[#2209](https://togithub.com/anchore/syft/issues/2209) [#2219](https://togithub.com/anchore/syft/pull/2219) [@wagoodman](https://togithub.com/wagoodman)]
- Invalid interface conversion in Swift cataloger \[[#2225](https://togithub.com/anchore/syft/issues/2225) [#2226](https://togithub.com/anchore/syft/pull/2226) [@wagoodman](https://togithub.com/wagoodman)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.93.0...v0.94.0)**

### [`v0.93.0`](https://togithub.com/anchore/syft/releases/tag/v0.93.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)

##### Added Features

- Parse license from the pom.xml if not contained in the manifest \[[#2115](https://togithub.com/anchore/syft/pull/2115) [@coheigea](https://togithub.com/coheigea)]
- Add Golang STD library package given a Golang binary has been discovered compiled with that go binary \[[#1853](https://togithub.com/anchore/syft/issues/1853) [#2195](https://togithub.com/anchore/syft/pull/2195) [@spiffcs](https://togithub.com/spiffcs)]
- Improve --output CLI help and deprecate --file \[[#2165](https://togithub.com/anchore/syft/issues/2165) [#2187](https://togithub.com/anchore/syft/pull/2187) [@sharief007](https://togithub.com/sharief007)]

##### Bug Fixes

- Converting a SBOM looses the algorithm type for added checksums \[[#2183](https://togithub.com/anchore/syft/issues/2183) [#2207](https://togithub.com/anchore/syft/pull/2207) [@sharief007](https://togithub.com/sharief007)]

##### Additional Changes

- Refine the docs for building a cataloger \[[#2175](https://togithub.com/anchore/syft/pull/2175) [@wagoodman](https://togithub.com/wagoodman)]
- update license list to 3.22 \[[#2201](https://togithub.com/anchore/syft/pull/2201) [@spiffcs](https://togithub.com/spiffcs)]
- Add exact syntax of the conversion formats \[[#2196](https://togithub.com/anchore/syft/pull/2196) [@vargenau](https://togithub.com/vargenau)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.92.0...v0.93.0)**

### [`v0.92.0`](https://togithub.com/anchore/syft/releases/tag/v0.92.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)

##### Added Features

- Support for multiple image refs of same sha in OCI layout \[[#1544](https://togithub.com/anchore/syft/issues/1544)]

##### Bug Fixes

- Generated purls are different between runs of syft against the same image and artifact \[[#2169](https://togithub.com/anchore/syft/issues/2169) [#2170](https://togithub.com/anchore/syft/pull/2170) [@willmurphyscode](https://togithub.com/willmurphyscode)]

##### Additional Changes

- bump stereoscope to fix data race in UI code \[[#2173](https://togithub.com/anchore/syft/pull/2173) [@willmurphyscode](https://togithub.com/willmurphyscode)]

**[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.91.0...v0.92.0)**

### [`v0.91.0`](https://togithub.com/anchore/syft/releases/tag/v0.91.0)

[Compare Source](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)

##### Added Features

- Add support for CycloneDX 1.5 \[[#2120](https://togithub.com/anchore/syft/issues/2120) [#2123](https://togithub.com/anchore/syft/pull/2123) [@spiffcs](https://togithub.com/spiffcs)]
- Add support for containerd as an image source \[[#201](https://togithub.com/anchore/syft/issues/201) [#1793](https://togithub.com/anchore/syft/pull/1793)
[@​shanedell](https://togithub.com/shanedell)] - Support cataloging github workflow & github action usages \[[#​1896](https://togithub.com/anchore/syft/issues/1896) [#​2140](https://togithub.com/anchore/syft/pull/2140) [@​wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Allow CycloneDX json input with no components \[[#​2127](https://togithub.com/anchore/syft/pull/2127) [@​ahoz](https://togithub.com/ahoz)] - Prevent errors from clobbering terminal \[[#​2161](https://togithub.com/anchore/syft/pull/2161) [@​kzantow](https://togithub.com/kzantow)] - Using syft as a go library to decode a syft json has incomplete data \[[#​2069](https://togithub.com/anchore/syft/issues/2069) [#​2083](https://togithub.com/anchore/syft/pull/2083) [@​kzantow](https://togithub.com/kzantow)] - SBOMs are not the same on multiple runs of syft \[[#​1944](https://togithub.com/anchore/syft/issues/1944)] ##### Additional Changes - Switch to stdlib's slices pkg \[[#​2148](https://togithub.com/anchore/syft/pull/2148) [@​hainenber](https://togithub.com/hainenber)] - Remove unneeded arch switch in unit test \[[#​2156](https://togithub.com/anchore/syft/pull/2156) [@​willmurphyscode](https://togithub.com/willmurphyscode)] - Update chronicle to v0.8.0 \[[#​2154](https://togithub.com/anchore/syft/pull/2154) [@​wagoodman](https://togithub.com/wagoodman)] - Update to latest stereoscope \[[#​2151](https://togithub.com/anchore/syft/pull/2151) [@​spiffcs](https://togithub.com/spiffcs)] - Pin workflow checkout for cpe update-cpe-dictionary-index \[[#​2141](https://togithub.com/anchore/syft/pull/2141) [@​spiffcs](https://togithub.com/spiffcs)] - Add dependency information to conan lockfile parser \[[#​2131](https://togithub.com/anchore/syft/pull/2131) [@​Pro](https://togithub.com/Pro)] - Pin and update all workflow dependencies; add permission scopes \[[#​2138](https://togithub.com/anchore/syft/pull/2138) [@​spiffcs](https://togithub.com/spiffcs)] - Enforce race detector 
\[[#​2122](https://togithub.com/anchore/syft/pull/2122) [@​willmurphyscode](https://togithub.com/willmurphyscode)] **[(Full Changelog)](https://togithub.com/anchore/syft/compare/v0.90.0...v0.91.0)** ### [`v0.90.0`](https://togithub.com/anchore/syft/releases/tag/v0.90.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ### #### [v0.90.0](https://togithub.com/anchore/syft/tree/v0.90.0) (2023-09-11) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.89.0...v0.90.0) ##### Added Features - Expose cobra command in cli package \[[PR #​2097](https://togithub.com/anchore/syft/pull/2097)] \[[wagoodman](https://togithub.com/wagoodman)] - Explicitly test PURL generation against key packages \[[Issue #​2071](https://togithub.com/anchore/syft/issues/2071)] - Add User-Agent with Syft version during update check \[[Issue #​2072](https://togithub.com/anchore/syft/issues/2072)] \[[PR #​2100](https://togithub.com/anchore/syft/pull/2100)] \[[hainenber](https://togithub.com/hainenber)] ##### Bug Fixes - fix: correct group IDs for commons-codec, okhttp, okio, and add integration tests for Java PURL generation \[[PR #​2075](https://togithub.com/anchore/syft/pull/2075)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Cyclonedx external reference URLs are not validated when encoding \[[Issue #​2079](https://togithub.com/anchore/syft/issues/2079)] \[[PR #​2091](https://togithub.com/anchore/syft/pull/2091)] \[[hainenber](https://togithub.com/hainenber)] ##### Additional Changes - Bump the golang.org/x/exp dependency and fix a build breakage. 
\[[PR #​2088](https://togithub.com/anchore/syft/pull/2088)] \[[dlorenc](https://togithub.com/dlorenc)] - fix: update codeql-analysis for go 1.21 \[[PR #​2108](https://togithub.com/anchore/syft/pull/2108)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.89.0`](https://togithub.com/anchore/syft/releases/tag/v0.89.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ### #### [v0.89.0](https://togithub.com/anchore/syft/tree/v0.89.0) (2023-08-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.88.0...v0.89.0) ##### Added Features - Add registry certificate verification support \[[PR #​1734](https://togithub.com/anchore/syft/pull/1734)] \[[5p2O5pe25ouT](https://togithub.com/5p2O5pe25ouT)] - Add SYFT_CONFIG environment variable for configuration file path \[[Issue #​1986](https://togithub.com/anchore/syft/issues/1986)] \[[PR #​2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix quiet flag \[[PR #​2081](https://togithub.com/anchore/syft/pull/2081)] \[[wagoodman](https://togithub.com/wagoodman)] - Command line flags not overriding configuration file values \[[Issue #​1143](https://togithub.com/anchore/syft/issues/1143)] \[[PR #​2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Django package CPE is not correct \[[Issue #​1298](https://togithub.com/anchore/syft/issues/1298)] \[[PR #​2068](https://togithub.com/anchore/syft/pull/2068)] \[[witchcraze](https://togithub.com/witchcraze)] - Config parsing includes `config.yaml` in working dir \[[Issue #​1634](https://togithub.com/anchore/syft/issues/1634)] \[[PR #​2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Fix a possible panic on universal go binaries \[[Issue #​2073](https://togithub.com/anchore/syft/issues/2073)] \[[PR #​2078](https://togithub.com/anchore/syft/pull/2078)] 
\[[willmurphyscode](https://togithub.com/willmurphyscode)] - Disabling catalogers is not working in power user command \[[Issue #​2074](https://togithub.com/anchore/syft/issues/2074)] \[[PR #​2001](https://togithub.com/anchore/syft/pull/2001)] \[[kzantow](https://togithub.com/kzantow)] - Virtual path changes to java cataloger causing creation of extra incorrect packages when jars are renamed \[[Issue #​2077](https://togithub.com/anchore/syft/issues/2077)] \[[PR #​2080](https://togithub.com/anchore/syft/pull/2080)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] ### [`v0.88.0`](https://togithub.com/anchore/syft/releases/tag/v0.88.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ### #### [v0.88.0](https://togithub.com/anchore/syft/tree/v0.88.0) (2023-08-25) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.1...v0.88.0) ##### Added Features - Detect golang boring crypto and fipsonly modules \[[PR #​2021](https://togithub.com/anchore/syft/pull/2021)] \[[bathina2](https://togithub.com/bathina2)] - feat: 1944 - update purl generation to use a consistent groupID \[[PR #​2033](https://togithub.com/anchore/syft/pull/2033)] \[[spiffcs](https://togithub.com/spiffcs)] - Add support to detect bash binaries \[[Issue #​1963](https://togithub.com/anchore/syft/issues/1963)] \[[PR #​2055](https://togithub.com/anchore/syft/pull/2055)] \[[witchcraze](https://togithub.com/witchcraze)] ##### Bug Fixes - fix: properly parse conan ref and include user and channel \[[PR #​2034](https://togithub.com/anchore/syft/pull/2034)] \[[Pro](https://togithub.com/Pro)] - New version notice only showing the version and no text \[[PR #​2042](https://togithub.com/anchore/syft/pull/2042)] \[[wagoodman](https://togithub.com/wagoodman)] - Fix: don't validate pom declared group \[[PR #​2054](https://togithub.com/anchore/syft/pull/2054)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Errors when handling symlinks on Windows with syft 
v0.85.0 \[[Issue #​1950](https://togithub.com/anchore/syft/issues/1950)] \[[PR #​2051](https://togithub.com/anchore/syft/pull/2051)] \[[selzoc](https://togithub.com/selzoc)] - Syft seems unable to parse non UTF-8 pom.xml files \[[Issue #​2044](https://togithub.com/anchore/syft/issues/2044)] \[[PR #​2047](https://togithub.com/anchore/syft/pull/2047)] \[[wagoodman](https://togithub.com/wagoodman)] - Error parsing pom.xml with v0.87.1 \[[Issue #​2060](https://togithub.com/anchore/syft/issues/2060)] \[[PR #​2064](https://togithub.com/anchore/syft/pull/2064)] \[[willmurphyscode](https://togithub.com/willmurphyscode)] - Invalid CycloneDX: duplicates in relationships section \[[Issue #​2062](https://togithub.com/anchore/syft/issues/2062)] \[[PR #​2063](https://togithub.com/anchore/syft/pull/2063)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.1`](https://togithub.com/anchore/syft/releases/tag/v0.87.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ### #### [v0.87.1](https://togithub.com/anchore/syft/tree/v0.87.1) (2023-08-17) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.87.0...v0.87.1) ##### Bug Fixes - Use Java package names to determine known groupIDs \[[PR #​2032](https://togithub.com/anchore/syft/pull/2032)] \[[kzantow](https://togithub.com/kzantow)] - Relationships section of CycloneDX is not outputting even when the data is present \[[Issue #​1972](https://togithub.com/anchore/syft/issues/1972)] \[[PR #​1974](https://togithub.com/anchore/syft/pull/1974)] \[[markgalpin](https://togithub.com/markgalpin)] \[[kzantow](https://togithub.com/kzantow)] - SPDX Tag-Value conversion not handling files directly set on packages \[[Issue #​2013](https://togithub.com/anchore/syft/issues/2013)] \[[PR #​2014](https://togithub.com/anchore/syft/pull/2014)] \[[kzantow](https://togithub.com/kzantow)] - Intermittent binary listings, different results every time \[[Issue #​2035](https://togithub.com/anchore/syft/issues/2035)] \[[PR 
#​2036](https://togithub.com/anchore/syft/pull/2036)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.87.0`](https://togithub.com/anchore/syft/releases/tag/v0.87.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### ##### [v0.87.0](https://togithub.com/anchore/syft/tree/v0.87.0) (2023-08-14) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.1...v0.87.0) ##### Added Features - feat: use originator logic to fill supplier \[[PR #​1980](https://togithub.com/anchore/syft/pull/1980)] \[[spiffcs](https://togithub.com/spiffcs)] - Expand deb cataloger to include opkg \[[PR #​1985](https://togithub.com/anchore/syft/pull/1985)] \[[johnDeSilencio](https://togithub.com/johnDeSilencio)] - Package duplicated by different cataloger \[[Issue #​931](https://togithub.com/anchore/syft/issues/931)] \[[PR #​1948](https://togithub.com/anchore/syft/pull/1948)] \[[spiffcs](https://togithub.com/spiffcs)] - Add binary cataloger for Nginx built from source \[[Issue #​1945](https://togithub.com/anchore/syft/issues/1945)] \[[PR #​1988](https://togithub.com/anchore/syft/pull/1988)] \[[SemProvoost](https://togithub.com/SemProvoost)] ##### Bug Fixes - chore: update bubbly to fix hanging \[[PR #​1990](https://togithub.com/anchore/syft/pull/1990)] \[[kzantow](https://togithub.com/kzantow)] - fix: update glob to use newer usr/lib/sysimage path \[[PR #​1997](https://togithub.com/anchore/syft/pull/1997)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: SPDX license values and download location \[[PR #​2007](https://togithub.com/anchore/syft/pull/2007)] \[[kzantow](https://togithub.com/kzantow)] - Different CPEs between java-cataloger and java-gradle-lockfile-cataloger \[[Issue #​1957](https://togithub.com/anchore/syft/issues/1957)] \[[PR #​1995](https://togithub.com/anchore/syft/pull/1995)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.1`](https://togithub.com/anchore/syft/releases/tag/v0.86.1) [Compare 
Source](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ### Changelog #### [v0.86.1](https://togithub.com/anchore/syft/tree/v0.86.1) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.86.0...v0.86.1) ##### Bug Fixes - Source requires default image name as user input for unparsable reference \[[PR #​1979](https://togithub.com/anchore/syft/pull/1979)] \[[kzantow](https://togithub.com/kzantow)] ### [`v0.86.0`](https://togithub.com/anchore/syft/releases/tag/v0.86.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ### Changelog #### [v0.86.0](https://togithub.com/anchore/syft/tree/v0.86.0) (2023-07-31) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.85.0...v0.86.0) ##### Added Features - Introduce indexed embedded CPE dictionary \[[PR #​1897](https://togithub.com/anchore/syft/pull/1897)] \[[luhring](https://togithub.com/luhring)] - Add cataloger for Swift Package Manager. \[[PR #​1919](https://togithub.com/anchore/syft/pull/1919)] \[[trilleplay](https://togithub.com/trilleplay)] - Guess unpinned versions in python requirements.txt \[[PR #​1597](https://togithub.com/anchore/syft/pull/1597)] \[[PR #​1966](https://togithub.com/anchore/syft/pull/1966)] \[[manifestori](https://togithub.com/manifestori)] \[[wagoodman](https://togithub.com/wagoodman)] - Create a package record for the artifact an SBOM described when creating a SPDX SBOM \[[Issue #​1661](https://togithub.com/anchore/syft/issues/1661)] \[[Issue #​1241](https://togithub.com/anchore/syft/issues/1241)] \[[PR #​1934](https://togithub.com/anchore/syft/pull/1934)] \[[kzantow](https://togithub.com/kzantow)] ##### Bug Fixes - Fix panic condition on docker pull failure \[[PR #​1968](https://togithub.com/anchore/syft/pull/1968)] \[[wagoodman](https://togithub.com/wagoodman)] - Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" \[[Issue #​1799](https://togithub.com/anchore/syft/issues/1799)] \[[PR 
#​1943](https://togithub.com/anchore/syft/pull/1943)] \[[luhring](https://togithub.com/luhring)] - Grype cannot read SPDX documents generated by SPDX-maven-plugin \[[PR #​1969](https://togithub.com/anchore/syft/pull/1969)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Remove jotframe UI \[[PR #​1932](https://togithub.com/anchore/syft/pull/1932)] \[[wagoodman](https://togithub.com/wagoodman)] - Simplify python env markers \[[PR #​1967](https://togithub.com/anchore/syft/pull/1967)] \[[wagoodman](https://togithub.com/wagoodman)] ### [`v0.85.0`](https://togithub.com/anchore/syft/releases/tag/v0.85.0) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ### Changelog #### [v0.85.0](https://togithub.com/anchore/syft/tree/v0.85.0) (2023-07-12) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.1...v0.85.0) ##### Added Features - Add a --base-path command line flag to set the directory base for scans (this option was previously exposed via API only) \[[PR #​1867](https://togithub.com/anchore/syft/pull/1867)] \[[deitch](https://togithub.com/deitch)] - Add file source digest support \[[PR #​1914](https://togithub.com/anchore/syft/pull/1914)] \[[wagoodman](https://togithub.com/wagoodman)] - Remove erroneous Java CPEs from generation \[[PR #​1918](https://togithub.com/anchore/syft/pull/1918)] \[[luhring](https://togithub.com/luhring)] - Fix CPE generation for k8s python client \[[PR #​1921](https://togithub.com/anchore/syft/pull/1921)] \[[luhring](https://togithub.com/luhring)] - Don't use the actual redis or grpc CPEs for gems \[[PR #​1926](https://togithub.com/anchore/syft/pull/1926)] \[[luhring](https://togithub.com/luhring)] - The text user interface is now provided by the bubbletea library \[[Issue #​1441](https://togithub.com/anchore/syft/issues/1441)] \[[PR #​1888](https://togithub.com/anchore/syft/pull/1888)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Bug Fixes - Install script returns exit code 0 
even if install fails \[[Issue #​1566](https://togithub.com/anchore/syft/issues/1566)] \[[PR #​1915](https://togithub.com/anchore/syft/pull/1915)] \[[lorsatti](https://togithub.com/lorsatti)] - \[Windows] Not able to scan volume mounted to folder \[[Issue #​1828](https://togithub.com/anchore/syft/issues/1828)] \[[PR #​1884](https://togithub.com/anchore/syft/pull/1884)] \[[dd-cws](https://togithub.com/dd-cws)] - Deprecated license: GFDL-1.2+ \[[Issue #​1899](https://togithub.com/anchore/syft/issues/1899)] \[[PR #​1907](https://togithub.com/anchore/syft/pull/1907)] \[[spiffcs](https://togithub.com/spiffcs)] ##### Breaking Changes - Refactor the `source` API and syft-json `source` block data shape \[[Issue #​1866](https://togithub.com/anchore/syft/issues/1866)] \[[PR #​1846](https://togithub.com/anchore/syft/pull/1846)] \[[wagoodman](https://togithub.com/wagoodman)] ##### Additional Changes - chore: update iterations to protect against race \[[PR #​1927](https://togithub.com/anchore/syft/pull/1927)] \[[spiffcs](https://togithub.com/spiffcs)] - fix: background reader apart from global handler for testing \[[PR #​1929](https://togithub.com/anchore/syft/pull/1929)] \[[spiffcs](https://togithub.com/spiffcs)] ### [`v0.84.1`](https://togithub.com/anchore/syft/releases/tag/v0.84.1) [Compare Source](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ### Changelog #### [v0.84.1](https://togithub.com/anchore/syft/tree/v0.84.1) (2023-06-29) [Full Changelog](https://togithub.com/anchore/syft/compare/v0.84.0...v0.84.1) ##### Bug Fixes - Fix version detection in Java archive name parsing \[[PR #​1889](https://togithub.com/anchore/syft/pull/1889)] \[[luhring](https://togithub.com/luhring)] - Improve support for Dart SDK package dependency lockfiles \[[PR #​1891](https://togithub.com/anchore/syft/pull/1891)] \[[rufman](https://togithub.com/rufman)] - Fix license output for some CycloneDX JSON SBOMs \[[Issue #​1877](https://togithub.com/anchore/syft/issues/1877)] \[[PR 
#​1879](https://togithub.com/anchore/syft/pull/1879)] \[[kzantow](https://togithub.com/kzantow)] </details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/DelineaXPM/github-workflows).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>