Releases: anchore/syft
Releases · anchore/syft
v1.23.1
Additional Changes
- Resolve owned file paths when searching for overlaps [#3828 @wagoodman]
Contributors
wagoodman
Assets 27
- 2.06 KB
2025-04-25T15:02:00Z - 3.07 KB
2025-04-25T15:02:00Z - 96 Bytes
2025-04-25T15:02:00Z - 204 KB
2025-04-25T15:01:59Z - 18.1 MB
2025-04-25T15:01:55Z - 204 KB
2025-04-25T15:01:59Z - 16.9 MB
2025-04-25T15:01:54Z - 17.5 MB
2025-04-25T15:01:58Z - 18.1 MB
2025-04-25T15:01:56Z - 203 KB
2025-04-25T15:01:59Z -
2025-04-25T14:52:09Z -
2025-04-25T14:52:09Z - Loading
v1.23.0
Added Features
- Support skipping archive extraction with file source [#3795 @adammcclenaghan]
- Use the R cataloger in directory scans [#3774 @spiffcs]
- Add support for detecting javascript assets in .NET projects using libman [#3825 @wagoodman]
- Parse GitHub actions comments [#3776 @wagoodman]
- Support chrome binary detection [#3174 #3136 @lem-onade]
- Add support for detecting undeclared license files scanning from python installations [#2624 #3779 @wagoodman]
Bug Fixes
- .NET cataloger should consider compile target paths from deps.json [#3821 @wagoodman]
- Skip license scanner injection [#3796 @adammcclenaghan]
- Delete collection name/type key entries when empty [#3797 @adammcclenaghan]
- Use module name over relative paths in
go.modreplace directives [#3812 @VictorHuu] - Correct variable names for Conan lock parsing version handling [#3802 @musangk]
- Consider DLL claims for dependencies of .NET packages from deps.json [#3822 @wagoodman]
- Empty source during decoding an SBOM document should not be fatal [#3791 @wagoodman]
- Dpkg are not detected when scanning a directory [#3726 #3820 @VictorHuu]
- Support golang tip image [#3681 #3757 @VictorHuu]
- syft cataloger list should flatten options [#3801 #3804 @kzantow]
- Unable to generate a correct SBOM for C++ project [#3755]
Contributors
wagoodman, kzantow, and 5 other contributors
Assets 27
v1.22.0
Added Features
- Improve .NET package CPE generation [#3764 @wagoodman]
- Catalog deb archives directly [#3315 #3704 @popey]
Bug Fixes
- Dotnet-Portable-Executable-Cataloger uses wrong component version for dotnet runtime libraries [#3282 #3768 @wagoodman]
- Dotnet deps cataloger returns "wrong" dotnet-framework dependencies and misses out on the runtime (for applications) [#2347 #3768 @wagoodman]
- .NET deps.json should be considered as installation evidence [#3570 #3563 @wagoodman]
- Dotnet PE binary cataloger is detecting false positives [#3469 #3563 @wagoodman]
- Long Processing Time in dpkg-db-cataloger with all-layers Option (Syft 1.20.0) [#3683 #3636 @kzantow]
Contributors
wagoodman, popey, and kzantow
Assets 27
v1.21.0
Added Features
- Support extracting symbols in .dynsym section for GraalVM Native Images [#3647 @rudsberg]
- Support fluent-bit 1.7.0 dev, rc [#3133 #3701 @popey]
Bug Fixes
- Suppress "file already closed" errors [#3695 @wagoodman]
- Add set ID to dotnet (lock) packages [#3719 @houdini91]
- Location order on packages should consider evidence annotations when sorting [#3720 @wagoodman]
- Fix /etc/redhat-release file parsing when resolving distro details [#3688 @wagoodman]
- Syft
fileresolver.containsPathallocates unnecessarily [#3729 #3730 @yoav-orca] - Dart: Syft incorrectly generates SBOM with version 0.0.0 for SDK dependencies [#3158 #3572 @sgreg]
- Download location is not a valid URI [#3696 #3697 @stgrace]
Additional Changes
- Update rustaudit module name [#3689 @tofay]
- bump golang.org/x/net from 0.35.0 to 0.36.0 [#3709 @dependabot]
Contributors
wagoodman, popey, and 7 other contributors
Assets 27
v1.20.0
Added Features
- Add file catalogers to selection configuration [#3505 @wagoodman]
- Configuration for including license contents in SBOM [#3626 #3631 @spiffcs]
- Support Bitnami embedded SBOMs [#3065 #3341 @juan131] [#3676 @willmurphyscode]
Bug Fixes
- Version parse caused by line breaks on different platforms [#3672 @idhyt]
- License files which do not match an SPDX expression are erroneously handled as 'unlicensed' [#3412 #3366 @HeyeOpenSource]
- Incorrect URL encoding of package url (purl) [#3533 #3678 @kzantow]
- syft should not warn on known bad package.json [#3470 #3645 @kzantow]
- Scanning a project with many DLLs is slow [#3455 #3677 @rogueai]
- cyclone-dx presenter drops files, includes only packages [#3435 #3539 @spiffcs]
- "syft config" output swaps comments for search-indexed-archives / search-unindexed-archives [#3624 #3630 @spiffcs]
- dpkg license improvement for non SPDX licenses [#3090 #3366 @HeyeOpenSource]
- RPM-based PURLs sometimes have incorrect namespace (specifically OpenSUSE) [#3534 #3615 @mprpic]
Additional Changes
- update to go 1.24.x [#3660 @westonsteimel]
- replace all shorthand tags of mapstruct -> mapstructure [#3633 @spiffcs]
Contributors
mprpic, wagoodman, and 8 other contributors
Assets 27
v1.19.0
Added Features
- add license parsing from vendor dirs [#3522 @dschmidt]
- Support cataloging NuGet packages [#373 #3484 @Kemosabert]
Bug Fixes
- Syft generates invalid PURLs when name contains
:[#3577 #3596 @spiffcs @jkugler] - warn instead of error if zero package catalogers are select - user might still run file metadata cataloger, for example [#3128 #3468 @tomersein]
- sbom report: missing licenses [#3527 #3549 @kzantow]
Additional Changes
Contributors
jkugler, dschmidt, and 4 other contributors
Assets 27
v1.18.1
Bug Fixes
- Runtime Error with Syft on Singularity .sif file (panic: index out of range) [#3390]
- SPDX expressions are lost from CycloneDX if they contain extra parenthesis [#3441 #3517 @willmurphyscode]
Additional Changes
Contributors
willmurphyscode and spiffcs
Assets 27
v1.18.0
Added Features
- convert spdx absolute to relative [#3509 @spiffcs]
- Add relationships for rust audit binary packages [#3500 @wagoodman]
- support configuration of layer size in Syft [#3428 #3464 @tomersein]
- Support Dart arm/v7 in 3.x and 2.x [#3278 #3475 @witchcraze]
Bug Fixes
- fix order of rust dependencies and support git sources in Cargo.lock dependencies [#3502 @willmurphyscode]
- Use file indexer directly when scanning with file source [#3333 @adammcclenaghan]
- Remove incorrect power-user help text that only image sources are supported [#2046]
- Invalid SPDX: missing copyright text [#3346 #3495 @spiffcs]
- Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components [#3403]
Contributors
wagoodman, willmurphyscode, and 4 other contributors
Assets 27
v1.17.0
Added Features
- Surface Rust dependency relationships [#2353 #3443 @willmurphyscode]
- Support node 6.x versions [#3404 #3419 @witchcraze]
Bug Fixes
- Restore log on UI teardown [#3427 @wagoodman]
- Syft should log warnings even when no TTY is present [#3081 #3466 @willmurphyscode]
- Special characters (tab, newline) in license URL [#3122 #3449 @spiffcs]
- LicenseDeclared not as per SPDX License List [#3030 #3461 @spiffcs]
Additional Changes
Contributors
wagoodman, popey, and 3 other contributors
Assets 27
v1.16.0
Added Features
Bug Fixes
- add support for dependencies and purl for Native Image SBOMs [#3399 @rudsberg]
- stop bubbling fileResolver errors from binary cataloger [#3410 @spiffcs]
- malformed pom.xml may cause recursive loop [#3391 @kzantow]
- syft convert: broken link in help - documentation no longer existing [#3143 #3407 @Makefolder]
Contributors
njv299, kzantow, and 3 other contributors