v1.31.0

Added Features

• Option to set PackageSupplier in root of SPDX document generated by CLI [#3098 #4131 @spiffcs]

Bug Fixes

• closed reader during java binary detection [#4129 @kzantow]
• support multiple letters in openssl patch version [#4106 @honigbot]
• Can not have license ID [#1964 #4132 @spiffcs]
• Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest [#3186]

(Full Changelog)

v1.30.0

Added Features

• add binary classifier for hashicorp vault [#4121 @willmurphyscode]

Bug Fixes

• fix: update nondeterministic Java archive cataloging and improve groupID [#3521 #4118 @kzantow]

(Full Changelog)

v1.29.1

Bug Fixes

• Missing license information for tzdata [#4102]
• Improve JVM Scan Accuracy for JDK and JRE Detection [#4071 #4046 @kzantow]
• Azul JDK classified as Oracle JRE [#3893 #4046 @kzantow]

(Full Changelog)

v1.29.0

Added Features

• Catalog python uv.lock files [#3268 #3763 @jkugler]

Additional Changes

• Pkg Metadata type unmarshal bug [#4043 @houdini91]

(Full Changelog)

v1.28.0

Added Features

• add native support for snap packages [#1088 #3929 @wagoodman]

Additional Changes

• upgrade tablewriter dependency to use new API [#3990 @cpanato]

(Full Changelog)

v1.27.1

Bug Fixes

• Allow decoding of enterprise-modified anchorectl json files [#3997 @wagoodman]
• Allow decoding of anchorectl json files [#3973 @wagoodman]

Additional Changes

• provide separate nonroot image [#3998 @kzantow]

(Full Changelog)

v1.27.0

Added Features

• add syft schema version to version command [#3949 @spiffcs]

Bug Fixes

• Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#3967 @jayvdb]
• Remove CPE product candidates for opentelemetry and redis Rust crates [#3962 @jayvdb]
• Harden Container Runtime with Non-Root User [#3941 @MikeTheCyberGuy]
• terraform provider lock entries should not require constraints [#3934 @ghouscht]
• sbom cataloger returning upstream package [#3662 #3981 @kzantow]
• Syft missing md5 sums and list data for dpkg packages under status.d/ [#3912]
• Failure to detect dependency relationships between Python packages [#3958 #3965 @christoph-blessing]
• Heavy memory consumption when directory scanning deb source [#3928 #3953 @kzantow]
• In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#3942 #3944 @kzantow]
• Syft incorrectly reports multiple APKs as parents of symlinked files [#3847 #3923 @luhring]

(Full Changelog)

A HUGE thank you to @rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️

v1.26.1

Bug Fixes

• Dotnet deps binary cataloger hangs [#3919 #3930 @kzantow]

(Full Changelog)

v1.26.0

Added Features

• Read version resources from non-.NET DLLs and executables [#3842 #3911 @wagoodman]

Bug Fixes

• pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis [#3922 @wagoodman]
• syft 1.24.0 debug container - wget fails TLS [#3891 #3915 @spiffcs]

(Full Changelog)

v1.25.1

Additional Changes

• remove go-rpmdb replace directive [#3908 @wagoodman]

(Full Changelog)