anchore/syft (anchore/syft)
### [`v1.17.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.17.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.16.0...v1.17.0)
##### Added Features
- Surface Rust dependency relationships \[[#2353](https://redirect.github.com/anchore/syft/issues/2353) [#3443](https://redirect.github.com/anchore/syft/pull/3443) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Support node 6.x versions \[[#3404](https://redirect.github.com/anchore/syft/issues/3404) [#3419](https://redirect.github.com/anchore/syft/pull/3419) [@witchcraze](https://redirect.github.com/witchcraze)]
##### Bug Fixes
- Restore log on UI teardown \[[#3427](https://redirect.github.com/anchore/syft/pull/3427) [@wagoodman](https://redirect.github.com/wagoodman)]
- Syft should log warnings even when no TTY is present \[[#3081](https://redirect.github.com/anchore/syft/issues/3081) [#3466](https://redirect.github.com/anchore/syft/pull/3466) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Special characters (tab, newline) in license URL \[[#3122](https://redirect.github.com/anchore/syft/issues/3122) [#3449](https://redirect.github.com/anchore/syft/pull/3449) [@spiffcs](https://redirect.github.com/spiffcs)]
- LicenseDeclared not as per SPDX License List \[[#3030](https://redirect.github.com/anchore/syft/issues/3030) [#3461](https://redirect.github.com/anchore/syft/pull/3461) [@spiffcs](https://redirect.github.com/spiffcs)]
##### Additional Changes
- doc: Add official Syft logo license information \[[#3421](https://redirect.github.com/anchore/syft/pull/3421) [@popey](https://redirect.github.com/popey)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.16.0...v1.17.0)**
### [`v1.16.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.16.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.15.0...v1.16.0)
##### Added Features
- omit devDependencies for package-lock.json files by default \[[#2348](https://redirect.github.com/anchore/syft/issues/2348) [#3371](https://redirect.github.com/anchore/syft/pull/3371) [@njv299](https://redirect.github.com/njv299)]
##### Bug Fixes
- add support for dependencies and purl for Native Image SBOMs \[[#3399](https://redirect.github.com/anchore/syft/pull/3399) [@rudsberg](https://redirect.github.com/rudsberg)]
- stop bubbling fileResolver errors from binary cataloger \[[#3410](https://redirect.github.com/anchore/syft/pull/3410) [@spiffcs](https://redirect.github.com/spiffcs)]
- malformed pom.xml may cause recursive loop \[[#3391](https://redirect.github.com/anchore/syft/pull/3391) [@kzantow](https://redirect.github.com/kzantow)]
- syft convert: broken link in help - documentation no longer existing \[[#3143](https://redirect.github.com/anchore/syft/issues/3143) [#3407](https://redirect.github.com/anchore/syft/pull/3407) [@Makefolder](https://redirect.github.com/Makefolder)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.15.0...v1.16.0)**
### [`v1.15.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.15.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.14.2...v1.15.0)
##### Added Features
- Merge config files hierarchically and add support for config profiles \[[#3337](https://redirect.github.com/anchore/syft/pull/3337) [@kzantow](https://redirect.github.com/kzantow)]
- Enable cargo-auditable-binary-cataloger for files/directories \[[#3376](https://redirect.github.com/anchore/syft/pull/3376) [@ariel-miculas](https://redirect.github.com/ariel-miculas)]
- Improve mariadb binary classifier to detect older versions \[[#3052](https://redirect.github.com/anchore/syft/issues/3052)]
- Look for dpkg status file at additional globs \[[#2692](https://redirect.github.com/anchore/syft/issues/2692) [#3373](https://redirect.github.com/anchore/syft/pull/3373) [@njv299](https://redirect.github.com/njv299)]
- Emit relationships for Java dependencies \[[#3189](https://redirect.github.com/anchore/syft/issues/3189) [#3363](https://redirect.github.com/anchore/syft/pull/3363) [@kzantow](https://redirect.github.com/kzantow)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.14.2...v1.15.0)**
### [`v1.14.2`](https://redirect.github.com/anchore/syft/releases/tag/v1.14.2)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.14.1...v1.14.2)
##### Bug Fixes
- Use single license scanner for all catalogers \[[#3348](https://redirect.github.com/anchore/syft/pull/3348) [@wagoodman](https://redirect.github.com/wagoodman)]
- use official CPE for linux kernel \[[#3343](https://redirect.github.com/anchore/syft/pull/3343) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- improve mariadb binary classifier to detect older versions \[[#3339](https://redirect.github.com/anchore/syft/pull/3339) [@westonsteimel](https://redirect.github.com/westonsteimel)]
##### Additional Changes
- Update to latest packageurl-go \[[#3347](https://redirect.github.com/anchore/syft/pull/3347) [@wagoodman](https://redirect.github.com/wagoodman)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.14.1...v1.14.2)**
### [`v1.14.1`](https://redirect.github.com/anchore/syft/releases/tag/v1.14.1)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.14.0...v1.14.1)
##### Bug Fixes
- stop some log.Warn spam due to parsing an empty string as a CPE \[[#3330](https://redirect.github.com/anchore/syft/pull/3330) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- improve go binary semver extraction for traefik \[[#3325](https://redirect.github.com/anchore/syft/pull/3325) [@westonsteimel](https://redirect.github.com/westonsteimel)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.14.0...v1.14.1)**
### [`v1.14.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.14.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.13.0...v1.14.0)
##### Added Features
- Report known unknowns directly in the output SBOM \[[#518](https://redirect.github.com/anchore/syft/issues/518) [#2998](https://redirect.github.com/anchore/syft/pull/2998) [@kzantow](https://redirect.github.com/kzantow)]
- Identify `bash.preinst` \[[#3191](https://redirect.github.com/anchore/syft/issues/3191) [#3228](https://redirect.github.com/anchore/syft/pull/3228) [@wagoodman](https://redirect.github.com/wagoodman)]
- Support HAProxy rc and some old versions \[[#3233](https://redirect.github.com/anchore/syft/issues/3233) [#3277](https://redirect.github.com/anchore/syft/pull/3277) [@witchcraze](https://redirect.github.com/witchcraze)]
- Support Redis arm/v5, arm/v7, 386 in 7.2, 7.4, 8.0 \[[#3279](https://redirect.github.com/anchore/syft/issues/3279) [#3281](https://redirect.github.com/anchore/syft/pull/3281) [@witchcraze](https://redirect.github.com/witchcraze)]
- Support node old versions \[[#3236](https://redirect.github.com/anchore/syft/issues/3236) [#3284](https://redirect.github.com/anchore/syft/pull/3284) [@witchcraze](https://redirect.github.com/witchcraze)]
- Support rubylang/ruby dev versions \[[#3239](https://redirect.github.com/anchore/syft/issues/3239) [#3285](https://redirect.github.com/anchore/syft/pull/3285) [@witchcraze](https://redirect.github.com/witchcraze)]
- Support ruby rc, preview \[[#3238](https://redirect.github.com/anchore/syft/issues/3238) [#3285](https://redirect.github.com/anchore/syft/pull/3285) [@witchcraze](https://redirect.github.com/witchcraze)]
##### Bug Fixes
- performance: instantiate license check scanner to prevent memory leak \[[#3290](https://redirect.github.com/anchore/syft/pull/3290) [@govrin](https://redirect.github.com/govrin)]
- Parse package.json with non-standard fields in 'author' section \[[#3300](https://redirect.github.com/anchore/syft/pull/3300) [@nuada](https://redirect.github.com/nuada)]
- make failed CPE validation correctly return error \[[#2762](https://redirect.github.com/anchore/syft/pull/2762) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Improve subpath to mount matching \[[#3269](https://redirect.github.com/anchore/syft/pull/3269) [@cdupuis](https://redirect.github.com/cdupuis)]
##### Additional Changes
- add pull request template \[[#3294](https://redirect.github.com/anchore/syft/pull/3294) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.13.0...v1.14.0)**
### [`v1.13.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.13.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.12.2...v1.13.0)
##### Added Features
- `--enrich` flag for data enrichment feature enablement \[[#3182](https://redirect.github.com/anchore/syft/pull/3182) [@kzantow](https://redirect.github.com/kzantow)]
- Add classifier for Dart lang \[[#3265](https://redirect.github.com/anchore/syft/pull/3265) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher \[[#3252](https://redirect.github.com/anchore/syft/pull/3252) [@krysgor](https://redirect.github.com/krysgor)]
- Catalog JDKs more completely \[[#3188](https://redirect.github.com/anchore/syft/issues/3188) [#3217](https://redirect.github.com/anchore/syft/pull/3217) [@wagoodman](https://redirect.github.com/wagoodman)]
- Show richer information for JVM installations \[[#1426](https://redirect.github.com/anchore/syft/issues/1426) [#3217](https://redirect.github.com/anchore/syft/pull/3217) [@wagoodman](https://redirect.github.com/wagoodman)]
- Allow for stubbing unknown versions over dropping packages \[[#2652](https://redirect.github.com/anchore/syft/issues/2652) [#3257](https://redirect.github.com/anchore/syft/pull/3257) [@wagoodman](https://redirect.github.com/wagoodman)]
- Name and Version empty for Java package when scanning provided image \[[#2132](https://redirect.github.com/anchore/syft/issues/2132) [#3257](https://redirect.github.com/anchore/syft/pull/3257) [@wagoodman](https://redirect.github.com/wagoodman)]
- Support bitnami/mysql:8.x \[[#3025](https://redirect.github.com/anchore/syft/issues/3025)]
##### Bug Fixes
- OpenJDK CPEs \[[#2422](https://redirect.github.com/anchore/syft/issues/2422) [#3217](https://redirect.github.com/anchore/syft/pull/3217) [@wagoodman](https://redirect.github.com/wagoodman)]
- SBOM generated from poetry lock file contains no license information on any dependencies \[[#3204](https://redirect.github.com/anchore/syft/issues/3204)]
- Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) \[[#2039](https://redirect.github.com/anchore/syft/issues/2039) [#3257](https://redirect.github.com/anchore/syft/pull/3257) [@wagoodman](https://redirect.github.com/wagoodman)]
- Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) \[[#2038](https://redirect.github.com/anchore/syft/issues/2038) [#3257](https://redirect.github.com/anchore/syft/pull/3257) [@wagoodman](https://redirect.github.com/wagoodman)]
- Command `make add-snippet` can fail in some cases \[[#3249](https://redirect.github.com/anchore/syft/issues/3249)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.12.2...v1.13.0)**
### [`v1.12.2`](https://redirect.github.com/anchore/syft/releases/tag/v1.12.2)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.11.1...v1.12.2)
##### Added Features
- Detect curl binaries \[[#3146](https://redirect.github.com/anchore/syft/pull/3146) [@krysgor](https://redirect.github.com/krysgor)]
- Add haskell binaries cataloger \[[#3078](https://redirect.github.com/anchore/syft/pull/3078) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- add the Ocaml ecosystem \[[#3112](https://redirect.github.com/anchore/syft/pull/3112) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Support HAProxy dev \[[#3134](https://redirect.github.com/anchore/syft/issues/3134) [#3180](https://redirect.github.com/anchore/syft/pull/3180) [@witchcraze](https://redirect.github.com/witchcraze)]
##### Bug Fixes
- Fix improper decoding of SPDX license expressions in the CycloneDX format \[[#3175](https://redirect.github.com/anchore/syft/pull/3175) [@NyanKiyoshi](https://redirect.github.com/NyanKiyoshi)]
- improve generated cpes for binaries with existing classifiers \[[#3169](https://redirect.github.com/anchore/syft/pull/3169) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- improve known CPEs and set NVD as source for all current binary classifiers \[[#3167](https://redirect.github.com/anchore/syft/pull/3167) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Respond to authoritative CPEs from catalogers \[[#3166](https://redirect.github.com/anchore/syft/pull/3166) [@wagoodman](https://redirect.github.com/wagoodman)]
- Set cataloger names within package cataloger task \[[#3165](https://redirect.github.com/anchore/syft/pull/3165) [@wagoodman](https://redirect.github.com/wagoodman)]
- use official CPE for curl binary cataloger \[[#3164](https://redirect.github.com/anchore/syft/pull/3164) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Fix ELF package correlations \[[#3151](https://redirect.github.com/anchore/syft/pull/3151) [@wagoodman](https://redirect.github.com/wagoodman)]
- no space left and Could not retrieve mirrorlist in test \[[#3181](https://redirect.github.com/anchore/syft/issues/3181) [#3190](https://redirect.github.com/anchore/syft/pull/3190) [@wagoodman](https://redirect.github.com/wagoodman)]
- Multiple versions of libssl3 and libcrypto3 present in SBOM while only one version is installed \[[#3195](https://redirect.github.com/anchore/syft/issues/3195)]
- CycloneDX conversion into Syft improperly handles SPDX licenses \[[#3172](https://redirect.github.com/anchore/syft/issues/3172)]
- Syft Cause stack overflow \[goroutine stack exceeds 1000000000-byte limit] \[[#3163](https://redirect.github.com/anchore/syft/issues/3163) [#3170](https://redirect.github.com/anchore/syft/pull/3170) [@kzantow](https://redirect.github.com/kzantow)]
- Mysql binary detection version incorrect for 8.0.x \[[#3141](https://redirect.github.com/anchore/syft/issues/3141) [#3142](https://redirect.github.com/anchore/syft/pull/3142) [@kzantow](https://redirect.github.com/kzantow)]
##### Additional Changes
- Less verbose java logging when non-fatal issues arise \[[#3208](https://redirect.github.com/anchore/syft/pull/3208) [@wagoodman](https://redirect.github.com/wagoodman)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.11.1...v1.12.2)**
### [`v1.11.1`](https://redirect.github.com/anchore/syft/releases/tag/v1.11.1)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.11.0...v1.11.1)
##### Bug Fixes
- support .kar files \[[#3113](https://redirect.github.com/anchore/syft/pull/3113) [@tomersein](https://redirect.github.com/tomersein)]
- logging for remote network calls \[[#3140](https://redirect.github.com/anchore/syft/pull/3140) [@kzantow](https://redirect.github.com/kzantow)]
- Pick up CycloneDX BOM components from metadata as well \[[#3092](https://redirect.github.com/anchore/syft/pull/3092) [@dervoeti](https://redirect.github.com/dervoeti)]
- improve groupid extraction for Jenkins plugins \[[#2815](https://redirect.github.com/anchore/syft/pull/2815) [@westonsteimel](https://redirect.github.com/westonsteimel)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.11.0...v1.11.1)**
### [`v1.11.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.11.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.10.0...v1.11.0)
##### Added Features
- Added the SWI Prolog (swipl) ecosystem \[[#3076](https://redirect.github.com/anchore/syft/pull/3076) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Improved java cataloging \[[#2769](https://redirect.github.com/anchore/syft/pull/2769) [@GijsCalis](https://redirect.github.com/GijsCalis)]
##### Bug Fixes
- Empty version field on some dependencies when reading pom.xml \[[#1129](https://redirect.github.com/anchore/syft/issues/1129) [#2769](https://redirect.github.com/anchore/syft/pull/2769) [@GijsCalis](https://redirect.github.com/GijsCalis)]
- Support Maven multi-level configuration file / parent POM \[[#2017](https://redirect.github.com/anchore/syft/issues/2017) [#2769](https://redirect.github.com/anchore/syft/pull/2769) [@GijsCalis](https://redirect.github.com/GijsCalis)]
- DependencyManagement ignored in pom.xml \[[#1813](https://redirect.github.com/anchore/syft/issues/1813) [#2769](https://redirect.github.com/anchore/syft/pull/2769) [@GijsCalis](https://redirect.github.com/GijsCalis)]
- Version parsing regression for Go binaries \[[#3086](https://redirect.github.com/anchore/syft/issues/3086) [#3087](https://redirect.github.com/anchore/syft/pull/3087) [@spiffcs](https://redirect.github.com/spiffcs)]
##### Additional Changes
- rather than have a hard max recursive depth - syft should detect parent pom cycles \[[#2284](https://redirect.github.com/anchore/syft/issues/2284) [#2769](https://redirect.github.com/anchore/syft/pull/2769) [@GijsCalis](https://redirect.github.com/GijsCalis)]
- increase java purl generation test coverage \[[#3110](https://redirect.github.com/anchore/syft/pull/3110) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Updated PackageSupplier to type Organization for JAR files \[[#3093](https://redirect.github.com/anchore/syft/pull/3093) [@harippriyas](https://redirect.github.com/harippriyas)]
- Ensure accurate java main artifact name retrieval for multi-JARs and refine fallback approach \[[#3054](https://redirect.github.com/anchore/syft/pull/3054) [@dor-hayun](https://redirect.github.com/dor-hayun)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.10.0...v1.11.0)**
### [`v1.10.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.10.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.9.0...v1.10.0)
##### Added Features
- Detect go main module from partial package builds \[[#3060](https://redirect.github.com/anchore/syft/pull/3060) [@wagoodman](https://redirect.github.com/wagoodman)]
- Support traefik in linux/arm/v6, linux/riscv64 \[[#3038](https://redirect.github.com/anchore/syft/issues/3038) [#3077](https://redirect.github.com/anchore/syft/pull/3077) [@witchcraze](https://redirect.github.com/witchcraze)]
- Catalog TiDB binary \[[#2763](https://redirect.github.com/anchore/syft/issues/2763)]
- Generate a Maven friendly CPE \[[#3042](https://redirect.github.com/anchore/syft/issues/3042) [#3045](https://redirect.github.com/anchore/syft/pull/3045) [@kzantow](https://redirect.github.com/kzantow)]
##### Bug Fixes
- Only match ldflag version if it matches the main module or targets main.version \[[#3062](https://redirect.github.com/anchore/syft/pull/3062) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- python requirements.txt cataloger: allow dots in python package names \[[#3070](https://redirect.github.com/anchore/syft/pull/3070) [@Mikcl](https://redirect.github.com/Mikcl)]
- SPDX output performance with many relationships \[[#3053](https://redirect.github.com/anchore/syft/pull/3053) [@kzantow](https://redirect.github.com/kzantow)]
- Order CPEs deterministically for SBOM reproducibility \[[#2967](https://redirect.github.com/anchore/syft/issues/2967) [#3085](https://redirect.github.com/anchore/syft/pull/3085) [@kzantow](https://redirect.github.com/kzantow)]
- Python packages: name normalization \[[#3064](https://redirect.github.com/anchore/syft/issues/3064) [#3069](https://redirect.github.com/anchore/syft/pull/3069) [@Mikcl](https://redirect.github.com/Mikcl)]
- Syft report panics with the golang cataloger \[[#3037](https://redirect.github.com/anchore/syft/issues/3037) [#3043](https://redirect.github.com/anchore/syft/pull/3043) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
##### Additional Changes
- add debug logging for errors reading RPM files \[[#3051](https://redirect.github.com/anchore/syft/pull/3051) [@kzantow](https://redirect.github.com/kzantow)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.9.0...v1.10.0)**
### [`v1.9.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.9.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.8.0...v1.9.0)
##### Added Features
- Add detection of Erlang in Alpine linux \[[#2996](https://redirect.github.com/anchore/syft/pull/2996) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add version 3 support for swift package manager of the resolved files \[[#3001](https://redirect.github.com/anchore/syft/pull/3001) [@4ell0](https://redirect.github.com/4ell0)]
- Map the downloadLocation field for PHP Composer packages \[[#3011](https://redirect.github.com/anchore/syft/pull/3011) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
##### Bug Fixes
- Infer the package type from ELF package notes \[[#3008](https://redirect.github.com/anchore/syft/pull/3008) [@wagoodman](https://redirect.github.com/wagoodman)]
- Order CPEs deterministically for SBOM reproducibility \[[#2967](https://redirect.github.com/anchore/syft/issues/2967) [#3009](https://redirect.github.com/anchore/syft/pull/3009) [@spiffcs](https://redirect.github.com/spiffcs)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.8.0...v1.9.0)**
### [`v1.8.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.8.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.7.0...v1.8.0)
##### Added Features
- Add CycloneDX 1.6 Support \[[#2974](https://redirect.github.com/anchore/syft/issues/2974) [#2978](https://redirect.github.com/anchore/syft/pull/2978) [@ragaskar](https://redirect.github.com/ragaskar)]
##### Bug Fixes
- Fixed the detection of arangodb 3.12 \[[#2979](https://redirect.github.com/anchore/syft/pull/2979) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Syft tries to create the cache directory at a location that has no permission \[[#2984](https://redirect.github.com/anchore/syft/issues/2984) [#2985](https://redirect.github.com/anchore/syft/pull/2985) [@kzantow](https://redirect.github.com/kzantow)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.7.0...v1.8.0)**
### [`v1.7.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.7.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.6.0...v1.7.0)
##### Added Features
- index known CPEs for wordpress plugins and themes \[[#2963](https://redirect.github.com/anchore/syft/pull/2963) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Consider `Author` field for wordpress plugins when generating CPEs \[[#2946](https://redirect.github.com/anchore/syft/pull/2946) [@wagoodman](https://redirect.github.com/wagoodman)]
##### Bug Fixes
- improve version extraction from ldflags for pingcap TiDB \[[#2962](https://redirect.github.com/anchore/syft/pull/2962) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Trim whitespace from wordpress values \[[#2945](https://redirect.github.com/anchore/syft/pull/2945) [@wagoodman](https://redirect.github.com/wagoodman)]
- Issue scanning Poetry Project with Syft 1.6 and cataloger=python-package-cataloger \[[#2954](https://redirect.github.com/anchore/syft/issues/2954) [#2965](https://redirect.github.com/anchore/syft/pull/2965) [@spiffcs](https://redirect.github.com/spiffcs)]
- Poetry's multiple constraints seems to break the parser \[[#2947](https://redirect.github.com/anchore/syft/issues/2947) [#2965](https://redirect.github.com/anchore/syft/pull/2965) [@spiffcs](https://redirect.github.com/spiffcs)]
- Golang: Search remote licenses not working in a CI pipeline when scanning Docker image \[[#2798](https://redirect.github.com/anchore/syft/issues/2798) [#2852](https://redirect.github.com/anchore/syft/pull/2852) [@kzantow](https://redirect.github.com/kzantow)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.6.0...v1.7.0)**
### [`v1.6.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.6.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.5.0...v1.6.0)
##### Added Features
- Add relationships for go binary packages \[[#2912](https://redirect.github.com/anchore/syft/pull/2912) [@wagoodman](https://redirect.github.com/wagoodman)]
- Add classifier for util-linux \[[#2933](https://redirect.github.com/anchore/syft/pull/2933) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Lua: Add support for more advanced syntax \[[#2908](https://redirect.github.com/anchore/syft/pull/2908) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- add license field to ELF binary package metadata \[[#2890](https://redirect.github.com/anchore/syft/pull/2890) [@brian-ebarb](https://redirect.github.com/brian-ebarb)]
- install.sh: check checksums file's signature \[[#2884](https://redirect.github.com/anchore/syft/issues/2884) [#2941](https://redirect.github.com/anchore/syft/pull/2941) [@wagoodman](https://redirect.github.com/wagoodman)]
- Detect ELF package notes from fedora binaries \[[#2713](https://redirect.github.com/anchore/syft/issues/2713) [#2939](https://redirect.github.com/anchore/syft/pull/2939) [@wagoodman](https://redirect.github.com/wagoodman)]
##### Bug Fixes
- Use redhat as namespace for redhat rpms \[[#2914](https://redirect.github.com/anchore/syft/pull/2914) [@ralphbean](https://redirect.github.com/ralphbean)]
- Close sqlite driver after testing sqlite availability \[[#2922](https://redirect.github.com/anchore/syft/pull/2922) [@ttc0419](https://redirect.github.com/ttc0419)]
- syft does not find anything in archives if /tmp is a tmpfs \[[#2894](https://redirect.github.com/anchore/syft/issues/2894) [#2918](https://redirect.github.com/anchore/syft/pull/2918) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Scanning a git repository folder present in /tmp produce an empty sbom \[[#2847](https://redirect.github.com/anchore/syft/issues/2847) [#2918](https://redirect.github.com/anchore/syft/pull/2918) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
##### Additional Changes
- update unit tests to use pinned patch version \[[#2932](https://redirect.github.com/anchore/syft/pull/2932) [@spiffcs](https://redirect.github.com/spiffcs)]
- fix comments and spelling \[[#2920](https://redirect.github.com/anchore/syft/pull/2920) [@dufucun](https://redirect.github.com/dufucun)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.5.0...v1.6.0)**
### [`v1.5.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.5.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.4.1...v1.5.0)
##### Added Features
- Add abstraction for adding relationships from package cataloger results \[[#2853](https://redirect.github.com/anchore/syft/pull/2853) [@wagoodman](https://redirect.github.com/wagoodman)]
- Capture dependencies when parsing SPDX SBOMs \[[#2869](https://redirect.github.com/anchore/syft/pull/2869) [@russellhaering](https://redirect.github.com/russellhaering)]
- Add python wheel egg relationships \[[#2903](https://redirect.github.com/anchore/syft/pull/2903) [@wagoodman](https://redirect.github.com/wagoodman)]
- Added functionality to convert major, minor, patch to version \[[#2864](https://redirect.github.com/anchore/syft/pull/2864) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add support for RPM DB package relationships \[[#2872](https://redirect.github.com/anchore/syft/pull/2872) [@wagoodman](https://redirect.github.com/wagoodman)]
- Detect fluent-bit binaries \[[#2904](https://redirect.github.com/anchore/syft/issues/2904) [#2905](https://redirect.github.com/anchore/syft/pull/2905) [@kzantow](https://redirect.github.com/kzantow)]
- Add syft `config` command \[[#2598](https://redirect.github.com/anchore/syft/issues/2598) [#2892](https://redirect.github.com/anchore/syft/pull/2892) [@kzantow](https://redirect.github.com/kzantow)]
##### Bug Fixes
- Fix DecoderCollection discarding input from non-seekable Readers \[[#2878](https://redirect.github.com/anchore/syft/pull/2878) [@russellhaering](https://redirect.github.com/russellhaering)]
- Handle GOEXPERIMENTs in go version \[[#2893](https://redirect.github.com/anchore/syft/pull/2893) [@jonjohnsonjr](https://redirect.github.com/jonjohnsonjr)]
- Go Mod Cataloger: Remove Replaced Packages \[[#2891](https://redirect.github.com/anchore/syft/pull/2891) [@russellhaering](https://redirect.github.com/russellhaering)]
- Use values in relationship To/From fields \[[#2871](https://redirect.github.com/anchore/syft/pull/2871) [@wagoodman](https://redirect.github.com/wagoodman)]
- Java package names showing up namespaced packages \[[#2230](https://redirect.github.com/anchore/syft/issues/2230)]
##### Additional Changes
- update spdx license list to 3.24.0 \[[#2895](https://redirect.github.com/anchore/syft/pull/2895) [@spiffcs](https://redirect.github.com/spiffcs)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.4.1...v1.5.0)**
### [`v1.4.1`](https://redirect.github.com/anchore/syft/releases/tag/v1.4.1)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.4.0...v1.4.1)
##### Bug Fixes
- Fix redundant package deletions when considering ELF packages \[[#2862](https://redirect.github.com/anchore/syft/pull/2862) [@wagoodman](https://redirect.github.com/wagoodman)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.4.0...v1.4.1)**
### [`v1.4.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.4.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.3.0...v1.4.0)
##### Added Features
- Add detection for newer version of ErLang/OTP \[[#2829](https://redirect.github.com/anchore/syft/pull/2829) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add missing CPE for traefik, memcached, and postgres binaries \[[#2845](https://redirect.github.com/anchore/syft/pull/2845) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add binary classifier for ArangoDB \[[#2830](https://redirect.github.com/anchore/syft/pull/2830) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add relationships to ELF packages \[[#2715](https://redirect.github.com/anchore/syft/pull/2715) [@brian-ebarb](https://redirect.github.com/brian-ebarb) [@cdivers18](https://redirect.github.com/cdivers18)]
- Add relationships for ALPM packages (arch linux) \[[#2851](https://redirect.github.com/anchore/syft/pull/2851) [@wagoodman](https://redirect.github.com/wagoodman)]
##### Bug Fixes
- close temp rpmdb file \[[#2792](https://redirect.github.com/anchore/syft/pull/2792) [@testwill](https://redirect.github.com/testwill)]
- fix Windows file paths in local go mod cache \[[#2654](https://redirect.github.com/anchore/syft/pull/2654) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Package Count doesn't match list of packages \[[#2304](https://redirect.github.com/anchore/syft/issues/2304) [#2839](https://redirect.github.com/anchore/syft/pull/2839) [@wagoodman](https://redirect.github.com/wagoodman)]
- New version 1.3.0 leads to "too many open files" while scanning bigger images \[[#2819](https://redirect.github.com/anchore/syft/issues/2819) [#2823](https://redirect.github.com/anchore/syft/pull/2823) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- `license_info_in_file` is mandatory in SPDX-2.2 \[[#2163](https://redirect.github.com/anchore/syft/issues/2163) [#2168](https://redirect.github.com/anchore/syft/pull/2168) [@kzantow](https://redirect.github.com/kzantow)]
- Wrong CPE for dnsmasq \[[#2636](https://redirect.github.com/anchore/syft/issues/2636) [#2659](https://redirect.github.com/anchore/syft/pull/2659) [@kzantow](https://redirect.github.com/kzantow)]
- SPDX originator is not always populated \[[#2632](https://redirect.github.com/anchore/syft/issues/2632) [#2822](https://redirect.github.com/anchore/syft/pull/2822) [@wagoodman](https://redirect.github.com/wagoodman)]
##### Additional Changes
- Improve linting for `defer Close` type issues \[[#2826](https://redirect.github.com/anchore/syft/issues/2826)]
- use ruleguard to test for missing defer statements \[[#2837](https://redirect.github.com/anchore/syft/pull/2837) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Publish security policy \[[#2835](https://redirect.github.com/anchore/syft/pull/2835) [@wagoodman](https://redirect.github.com/wagoodman)]
- fix function name in comment \[[#2771](https://redirect.github.com/anchore/syft/pull/2771) [@camcui](https://redirect.github.com/camcui)]
- enable go-critic deferInLoop lint \[[#2825](https://redirect.github.com/anchore/syft/pull/2825) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.3.0...v1.4.0)**
### [`v1.3.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.3.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.2.0...v1.3.0)
##### Added Features
- index known CPEs for go modules \[[#2816](https://redirect.github.com/anchore/syft/pull/2816) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- support multiple known CPEs in index \[[#2813](https://redirect.github.com/anchore/syft/pull/2813) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- index known CPEs for PHP Composer packagist.org packages \[[#2804](https://redirect.github.com/anchore/syft/pull/2804) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- index known cpes for PHP extensions \[[#2777](https://redirect.github.com/anchore/syft/pull/2777) [@westonsteimel](https://redirect.github.com/westonsteimel)]
##### Bug Fixes
- re-use embedded union reader if possible \[[#2814](https://redirect.github.com/anchore/syft/pull/2814) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io \[[#2806](https://redirect.github.com/anchore/syft/pull/2806) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- improvements to known CPE index construction \[[#2801](https://redirect.github.com/anchore/syft/pull/2801) [@westonsteimel](https://redirect.github.com/westonsteimel)]
- Syft panics when scanning OCI image that contains packaged helm chart \[[#2745](https://redirect.github.com/anchore/syft/issues/2745) [#2757](https://redirect.github.com/anchore/syft/pull/2757) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- Pom parser not resolving all dependency versions \[[#2776](https://redirect.github.com/anchore/syft/issues/2776) [#2781](https://redirect.github.com/anchore/syft/pull/2781) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
- exclude known instrumentation jars from being erroneously identified \[[#2796](https://redirect.github.com/anchore/syft/pull/2796) [@kzantow](https://redirect.github.com/kzantow)]
- return empty string if dereferencing pom var fails \[[#2797](https://redirect.github.com/anchore/syft/pull/2797) [@willmurphyscode](https://redirect.github.com/willmurphyscode)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.2.0...v1.3.0)**
### [`v1.2.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.2.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.1.1...v1.2.0)
##### Added Features
- Differentiate between JRE and JDK \[[#2748](https://redirect.github.com/anchore/syft/pull/2748) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
- Add support for dnf packages \[[#2758](https://redirect.github.com/anchore/syft/issues/2758)]
##### Bug Fixes
- more robust go main version extraction \[[#2767](https://redirect.github.com/anchore/syft/pull/2767) [@kzantow](https://redirect.github.com/kzantow)]
- Regression in 1.1 cataloging openjdk: generates version containing a null byte \[[#2750](https://redirect.github.com/anchore/syft/issues/2750) [#2766](https://redirect.github.com/anchore/syft/pull/2766) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.1.1...v1.2.0)**
### [`v1.1.1`](https://redirect.github.com/anchore/syft/releases/tag/v1.1.1)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.1.0...v1.1.1)
##### Bug Fixes
- update anchore/packageurl-go to use latest commits \[[#2746](https://redirect.github.com/anchore/syft/pull/2746) [@spiffcs](https://redirect.github.com/spiffcs)]
- fix panic scanning binaries without symtab \[[#2736](https://redirect.github.com/anchore/syft/issues/2736) [#2739](https://redirect.github.com/anchore/syft/pull/2739) [@kzantow](https://redirect.github.com/kzantow)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.1.0...v1.1.1)**
### [`v1.1.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.1.0)
[Compare Source](https://redirect.github.com/anchore/syft/compare/v1.0.1...v1.1.0)
##### Added Features
- Adding the ability to retrieve remote licenses from package-lock.json \[[#2708](https://redirect.github.com/anchore/syft/pull/2708) [@coheigea](https://redirect.github.com/coheigea)]
- Show binary exports, entrypoint, and imports \[[#2626](https://redirect.github.com/anchore/syft/pull/2626) [@wagoodman](https://redirect.github.com/wagoodman)]
- Add detection for Oracle GraalVM \[[#2705](https://redirect.github.com/anchore/syft/pull/2705) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)]
##### Bug Fixes
- reduce duplicate case SwiftPkg \[[#2696](https://redirect.github.com/anchore/syft/pull/2696) [@testwill](https://redirect.github.com/testwill)]
**[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.0.1...v1.1.0)**
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR contains the following updates: v1.0.1 -> v1.17.0
Changelog)](https://redirect.github.com/anchore/syft/compare/v1.4.0...v1.4.1)** ### [`v1.4.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.4.0) [Compare Source](https://redirect.github.com/anchore/syft/compare/v1.3.0...v1.4.0) ##### Added Features - Add detection for newer version of ErLang/OTP \[[#2829](https://redirect.github.com/anchore/syft/pull/2829) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] - Add missing CPE for traefik, memcached, and postgres binaries \[[#2845](https://redirect.github.com/anchore/syft/pull/2845) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] - Add binary classifier for ArangoDB \[[#2830](https://redirect.github.com/anchore/syft/pull/2830) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] - Add relationships to ELF packages \[[#2715](https://redirect.github.com/anchore/syft/pull/2715) [@brian-ebarb](https://redirect.github.com/brian-ebarb) [@cdivers18](https://redirect.github.com/cdivers18) ] - Add relationships for ALPM packages (arch linux) \[[#2851](https://redirect.github.com/anchore/syft/pull/2851) [@wagoodman](https://redirect.github.com/wagoodman)] ##### Bug Fixes - close temp rpmdb file \[[#2792](https://redirect.github.com/anchore/syft/pull/2792) [@testwill](https://redirect.github.com/testwill)] - fix Windows file paths in local go mod cache \[[#2654](https://redirect.github.com/anchore/syft/pull/2654) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - Package Count doesn't match list of packages \[[#2304](https://redirect.github.com/anchore/syft/issues/2304) [#2839](https://redirect.github.com/anchore/syft/pull/2839) [@wagoodman](https://redirect.github.com/wagoodman)] - New version 1.3.0 leads to "too many open files" while scanning bigger images \[[#2819](https://redirect.github.com/anchore/syft/issues/2819) [#2823](https://redirect.github.com/anchore/syft/pull/2823) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - 
`license_info_in_file` is mandatory in SPDX-2.2 \[[#2163](https://redirect.github.com/anchore/syft/issues/2163) [#2168](https://redirect.github.com/anchore/syft/pull/2168) [@kzantow](https://redirect.github.com/kzantow)] - Wrong CPE for dnsmasq \[[#2636](https://redirect.github.com/anchore/syft/issues/2636) [#2659](https://redirect.github.com/anchore/syft/pull/2659) [@kzantow](https://redirect.github.com/kzantow)] - SPDX originator is not always populated \[[#2632](https://redirect.github.com/anchore/syft/issues/2632) [#2822](https://redirect.github.com/anchore/syft/pull/2822) [@wagoodman](https://redirect.github.com/wagoodman)] ##### Additional Changes - Improve linting for `defer Close` type issues \[[#2826](https://redirect.github.com/anchore/syft/issues/2826)] - use ruleguard to test for missing defer statements \[[#2837](https://redirect.github.com/anchore/syft/pull/2837) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - Publish security policy \[[#2835](https://redirect.github.com/anchore/syft/pull/2835) [@wagoodman](https://redirect.github.com/wagoodman)] - fix function name in comment \[[#2771](https://redirect.github.com/anchore/syft/pull/2771) [@camcui](https://redirect.github.com/camcui)] - enable go-critic deferInLoop lint \[[#2825](https://redirect.github.com/anchore/syft/pull/2825) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] **[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.3.0...v1.4.0)** ### [`v1.3.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.3.0) [Compare Source](https://redirect.github.com/anchore/syft/compare/v1.2.0...v1.3.0) ##### Added Features - index known CPEs for go modules \[[#2816](https://redirect.github.com/anchore/syft/pull/2816) [@westonsteimel](https://redirect.github.com/westonsteimel)] - support multiple known CPEs in index \[[#2813](https://redirect.github.com/anchore/syft/pull/2813) [@westonsteimel](https://redirect.github.com/westonsteimel)] - index 
known CPEs for PHP Composer packagist.org packages \[[#2804](https://redirect.github.com/anchore/syft/pull/2804) [@westonsteimel](https://redirect.github.com/westonsteimel)] - index known cpes for PHP extensions \[[#2777](https://redirect.github.com/anchore/syft/pull/2777) [@westonsteimel](https://redirect.github.com/westonsteimel)] ##### Bug Fixes - re-use embedded union reader if possible \[[#2814](https://redirect.github.com/anchore/syft/pull/2814) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - prefer non-deprecated CPEs and include jenkins plugins from plugins.jenkins.io \[[#2806](https://redirect.github.com/anchore/syft/pull/2806) [@westonsteimel](https://redirect.github.com/westonsteimel)] - improvements to known CPE index construction \[[#2801](https://redirect.github.com/anchore/syft/pull/2801) [@westonsteimel](https://redirect.github.com/westonsteimel)] - Syft panics when scanning OCI image that contains packaged helm chart \[[#2745](https://redirect.github.com/anchore/syft/issues/2745) [#2757](https://redirect.github.com/anchore/syft/pull/2757) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - Pom parser not resolving all dependency versions \[[#2776](https://redirect.github.com/anchore/syft/issues/2776) [#2781](https://redirect.github.com/anchore/syft/pull/2781) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] - exclude known instrumentation jars from being erroneously identified \[[#2796](https://redirect.github.com/anchore/syft/pull/2796) [@kzantow](https://redirect.github.com/kzantow)] - return empty string if dereferncing pom var fails \[[#2797](https://redirect.github.com/anchore/syft/pull/2797) [@willmurphyscode](https://redirect.github.com/willmurphyscode)] **[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.2.0...v1.3.0)** ### [`v1.2.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.2.0) [Compare 
Source](https://redirect.github.com/anchore/syft/compare/v1.1.1...v1.2.0) ##### Added Features - Differentiate between JRE and JDK \[[#2748](https://redirect.github.com/anchore/syft/pull/2748) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] - Add support for dnf packages \[[#2758](https://redirect.github.com/anchore/syft/issues/2758)] ##### Bug Fixes - more robust go main version extraction \[[#2767](https://redirect.github.com/anchore/syft/pull/2767) [@kzantow](https://redirect.github.com/kzantow)] - Regression in 1.1 cataloging openjdk: generates version containing a null byte \[[#2750](https://redirect.github.com/anchore/syft/issues/2750) [#2766](https://redirect.github.com/anchore/syft/pull/2766) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] **[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.1.1...v1.2.0)** ### [`v1.1.1`](https://redirect.github.com/anchore/syft/releases/tag/v1.1.1) [Compare Source](https://redirect.github.com/anchore/syft/compare/v1.1.0...v1.1.1) ##### Bug Fixes - update anchore/packageurl-go to use latest commits \[[#2746](https://redirect.github.com/anchore/syft/pull/2746) [@spiffcs](https://redirect.github.com/spiffcs)] - fix panic scanning binaries without symtab \[[#2736](https://redirect.github.com/anchore/syft/issues/2736) [#2739](https://redirect.github.com/anchore/syft/pull/2739) [@kzantow](https://redirect.github.com/kzantow)] **[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.1.0...v1.1.1)** ### [`v1.1.0`](https://redirect.github.com/anchore/syft/releases/tag/v1.1.0) [Compare Source](https://redirect.github.com/anchore/syft/compare/v1.0.1...v1.1.0) ##### Added Features - Adding the ability to retrieve remote licenses from package-lock.json \[[#2708](https://redirect.github.com/anchore/syft/pull/2708) [@coheigea](https://redirect.github.com/coheigea)] - Show binary exports, entrypoint, and imports \[[#2626](https://redirect.github.com/anchore/syft/pull/2626) 
[@wagoodman](https://redirect.github.com/wagoodman)] - Add detection for Oracle GraalVM \[[#2705](https://redirect.github.com/anchore/syft/pull/2705) [@LaurentGoderre](https://redirect.github.com/LaurentGoderre)] ##### Bug Fixes - reduce duplicate case SwiftPkg \[[#2696](https://redirect.github.com/anchore/syft/pull/2696) [@testwill](https://redirect.github.com/testwill)] **[(Full Changelog)](https://redirect.github.com/anchore/syft/compare/v1.0.1...v1.1.0)**Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.