v0.62.1

Changelog

v0.62.1 (2023-05-24)

Full Changelog

Bug Fixes

• Updated syft to v0.82.0 to address license parsing logic that may result in a panic [PR #1313]

v0.62.0

Changelog

v0.62.0 (2023-05-22)

Full Changelog

Added Features

• Add package qualifier for platform CPE [PR #1291] [westonsteimel]
• Include timestamp and image name in reports [Issue #1170] [PR #1249] [jneate]
• Document command line flag for config file location [Issue #1271] [PR #1274] [jneate]
• Add support for Mariner distribution [Issue #1220]
• Add support for Syft IDs in JSON output [PR #1266] [luhring]

Bug Fixes

• False positive with pkg:rpm PURLs [Issue #1031] [PR #1237] [Shanedell]
• Specifying "extras" in pip / requirements.txt results in false negative [Issue #1246]
• CycloneDX dependencies relationships inverted [Issue #1294]

Additional Changes

• docs: add "cyclonedx-json" to output formats [PR #1252] [HNKNTA]
• chore: update quality gate labels and add keycloak [PR #1255] [westonsteimel]
• Install skopeo during bootstrap [PR #1260] [willmurphyscode]
• Replace deprecated io/ioutil calls [PR #1296] [testwill]
• Fix reading syft json from stdin by redirect [PR #1299] [devfbe]
• Add gitignore for default build target [PR #1305] [testwill]

v0.61.1

Changelog

v0.61.1 (2023-04-21)

Full Changelog

Bug Fixes

• ❔ Parsing dpkg status: extracting key-value from line: usr/lib/os-release err: cannot parse field [Issue #1195]
• Grype suggesting to upgrade to a version already used. [Issue #1209]

Additional Changes

• feat: add timestamp to json output (#1170) [PR #1249] [jneate]

v0.61.0

Changelog

v0.61.0 (2023-04-04)

Full Changelog

Added Features

• feat: Add config option to prefer registry over local Docker when scanning an image [Issue #1204] [PR #1215] [spiffcs]

Additional Changes

• chore: update quality gate dataset [PR #1206] [westonsteimel]
• chore: update deprecated set-output calls [PR #1210] [kzantow]
• chore: update syft [PR #1211] [kzantow]

v0.60.0

Changelog

v0.60.0 (2023-03-28)

Full Changelog

Added Features

• feat: disable CPE-based matching by default for javascript [PR #1180] [westonsteimel]

Additional Changes

• Improve --by-cve report performance [Issue #1185] [PR #1188] [westonsteimel]

v0.59.1

Changelog

v0.59.1 (2023-03-09)

Full Changelog

Bug Fixes

• fix: correct APK CPE version comparison logic [PR #1165] [westonsteimel]

v0.59.0

Changelog

v0.59.0 (2023-03-03)

Full Changelog

Added Features

• Add the total types of vulnerabilities in Grype output [Issue #877] [PR #946] [zhiburt]

Additional Changes

• chore: bump quality gate labels and syft version [PR #1156] [westonsteimel]

v0.58.0

Changelog

v0.58.0 (2023-03-02)

Full Changelog

Security Fixes

• chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 [PR #1134] [dependabot]

Added Features

• add grype image to ArtifactHub [Issue #613] [PR #639] [developer-guy]

Bug Fixes

• Grype with version v.0.55 take 3 hour to scan the image [Issue #1063]
• Unable to install Grype [Issue #1102]

Additional Changes

• chore: update progress monitor handling [PR #1149] [kzantow]
• distro: Disable support for Arch Linux [PR #1152] [Foxboron]

v0.57.1

Changelog

v0.57.1 (2023-02-16)

Full Changelog

v0.57.0

Changelog

Updates

• Update to latest syft for faster indexing and SBOM generation when consuming source and not using the SBOM as an input

Full Changelog

Bug Fixes

• regression: Grype 0.54.0 does not find vulnerabilities in Nodejs runtime itself anymore [Issue #1043]

Additional Changes

• bump yardstick to 2d30ea7429d0a59020e0176bba1b3b6b8b01b08a [PR #1095] [wagoodman]
• chore: prune cosign dependency for grype builds [PR #1100] [spiffcs]
• chore: bump yardstick for better quality gate filtering [PR #1101] [westonsteimel]
• chore: add new images to quality gate [PR #1106] [westonsteimel]
• fix: exclude OS packages from CPE target filtering [PR #1130] [westonsteimel]
• fix: ignore some false-positives for ruby gems [PR #1132] [westonsteimel]