v0.63.0

Changelog

v0.63.0 (2023-06-21)

Full Changelog

Added Features

• Always include the specific package name and version used in the vulnerability search in the matchDetails section of the output [PR #1339] [westonsteimel]
• Expose Go template file that produces the table report [Issue #629] [PR #1343] [jneate]
• Add a folder for community Go templates (see templates/README.md for more details) [Issue #1316]

Breaking Changes

• update Syft to v0.84.0: stereoscope platform fix and artifact ID padding [PR #1354] [anchore-actions-token-generator]

v0.62.3

Changelog

v0.62.3 (2023-06-05)

Full Changelog

Bug Fixes

• Suppressed vulnerabilties are now correctly hidden, unless the --show-suppressed option is provided.
  [Issue #1053] [Issue #1278] [PR #1322] [jamestran201]

v0.62.2

Changelog

v0.62.2 (2023-05-26)

Full Changelog

v0.62.1

Changelog

v0.62.1 (2023-05-24)

Full Changelog

Bug Fixes

• Updated syft to v0.82.0 to address license parsing logic that may result in a panic [PR #1313]

v0.62.0

Changelog

v0.62.0 (2023-05-22)

Full Changelog

Added Features

• Add package qualifier for platform CPE [PR #1291] [westonsteimel]
• Include timestamp and image name in reports [Issue #1170] [PR #1249] [jneate]
• Document command line flag for config file location [Issue #1271] [PR #1274] [jneate]
• Add support for Mariner distribution [Issue #1220]
• Add support for Syft IDs in JSON output [PR #1266] [luhring]

Bug Fixes

• False positive with pkg:rpm PURLs [Issue #1031] [PR #1237] [Shanedell]
• Specifying "extras" in pip / requirements.txt results in false negative [Issue #1246]
• CycloneDX dependencies relationships inverted [Issue #1294]

Additional Changes

• docs: add "cyclonedx-json" to output formats [PR #1252] [HNKNTA]
• chore: update quality gate labels and add keycloak [PR #1255] [westonsteimel]
• Install skopeo during bootstrap [PR #1260] [willmurphyscode]
• Replace deprecated io/ioutil calls [PR #1296] [testwill]
• Fix reading syft json from stdin by redirect [PR #1299] [devfbe]
• Add gitignore for default build target [PR #1305] [testwill]

v0.61.1

Changelog

v0.61.1 (2023-04-21)

Full Changelog

Bug Fixes

• ❔ Parsing dpkg status: extracting key-value from line: usr/lib/os-release err: cannot parse field [Issue #1195]
• Grype suggesting to upgrade to a version already used. [Issue #1209]

Additional Changes

• feat: add timestamp to json output (#1170) [PR #1249] [jneate]

v0.61.0

Changelog

v0.61.0 (2023-04-04)

Full Changelog

Added Features

• feat: Add config option to prefer registry over local Docker when scanning an image [Issue #1204] [PR #1215] [spiffcs]

Additional Changes

• chore: update quality gate dataset [PR #1206] [westonsteimel]
• chore: update deprecated set-output calls [PR #1210] [kzantow]
• chore: update syft [PR #1211] [kzantow]

v0.60.0

Changelog

v0.60.0 (2023-03-28)

Full Changelog

Added Features

• feat: disable CPE-based matching by default for javascript [PR #1180] [westonsteimel]

Additional Changes

• Improve --by-cve report performance [Issue #1185] [PR #1188] [westonsteimel]

v0.59.1

Changelog

v0.59.1 (2023-03-09)

Full Changelog

Bug Fixes

• fix: correct APK CPE version comparison logic [PR #1165] [westonsteimel]

v0.59.0

Changelog

v0.59.0 (2023-03-03)

Full Changelog

Added Features

• Add the total types of vulnerabilities in Grype output [Issue #877] [PR #946] [zhiburt]

Additional Changes

• chore: bump quality gate labels and syft version [PR #1156] [westonsteimel]