v1.42.0

Added Features

• Add support for scanning GGUF models from OCI registries [#4335 @spiffcs]
• yarn lockfile scan doesnt catch dev dependencies [#4548 #4549 @rezmoss]

Additional Changes

• CPE detection for APK libavif to use aomedia vendor [#4597 @naag]

(Full Changelog)

v1.41.2

Bug Fixes

• further improve go binary classifier, including windows [#4593 @kzantow]
• Wrong format in license [#4233 #4588 @spiffcs]
• Cannot detect installation of Qt6 [#4467 #4550 @rezmoss]
• bug: Syft mis-identifies binary as deb inside a snap [#4486 #4500 @popey]

(Full Changelog)

v1.41.1

Bug Fixes

• [Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft [#4562 #4573 @spiffcs]

(Full Changelog)

v1.41.0

Added Features

• detect Debian version from /etc/debian_version [#4569 @kzantow]

Bug Fixes

• correctly report supporting evidence for binary packages [#4558 @kzantow]

(Full Changelog)

v1.40.1

Important

This release bumps github.com/containerd/containerd to v2, which will cause compiler errors if used alongside other dependencies that use v1 of containerd. See anchore/stereoscope#495 for a detailed discussion.

Bug Fixes

• mongodb binary not detected manual/source install [#4540 #4541 @rezmoss]

(Full Changelog)

v1.40.0

Added Features

• Exclude development or test dependencies for PNPM Package type [#4430 #4487 @rezmoss]
• Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @witchcraze]
• Catalog envoy binary [#4506 #4530 @witchcraze]
• Catalog grafana binary [#4505 #4516 @witchcraze]
• Add a binary classifier for valkey [#3400 #4509 @witchcraze]

Bug Fixes

• old bitnami images without spdx files arent getting picked up correctly in the catalog [#4529 #4532 @rezmoss]
• wrong traefik rc versions at binary detection [#3535 #4499 @rezmoss]
• FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#4070 #4075 @luissantosHCIT]
• binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#4498 #4499 @rezmoss]

(Full Changelog)

v1.39.0

Added Features

• add support for Gemfile.next.lock [#4457 @HatiCode]
• Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @wagoodman]
• Support reading lzma compressed .go.buildinfo sections with upx [#4411 #4480 @wagoodman]
• Specify specific snap revision to pull [#4389 #4439 @VictorHuu]
• Cannot detect embedded deps.json metadata in single-file .NET binaries [#4344 #4375 @rezmoss]
• ELF note cataloger does not pick up OS field, but should [#4384 #4438 @VictorHuu]

Bug Fixes

• remove debug print statement in dependency parser [#4412 @cgreeno]
• dotnet-deps cataloger should skip project references with type "project" when building the sbom [#4423 #4436 @rezmoss]
• File digests not computed when using --base-path [#4410 #4478 @wagoodman]
• Syft should not define subpaths by default in PURLs [#4394 #4395 @rezmoss]
• go: valid purl but incorrect name [#1737 #4395 @rezmoss]
• Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#4316 #4395 @rezmoss]
• Failing to convert npm repository information correctly to SPDX [#4362 #4390 @kendrickm]

(Full Changelog)

v1.38.2

Bug Fixes

• drop cpe from gguf [#4383 @spiffcs]
• emit lua rockspec dependencies in metadata [#4376 @willmurphyscode]
• Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @VictorHuu]
• Incorrect CPE for Vercel's Next js [#4443 #4450 @willmurphyscode]
• v1.38.0 generates empty sbom for tgz sources [#4416 #4421 @VictorHuu]
• Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file [#4401 #4408 @willmurphyscode]

(Full Changelog)

v1.38.0

Added Features

• add support for cataloging GGUF models [#4184 #4279 @spiffcs]
• Support scanning a list of CPEs [#3890 #4207 @chovanecadam]
• Syft does not detect Elixir binary on system [#4333 #4334 @rezmoss]

Bug Fixes

• Support extras statements in Python PDM cataloger [#4352 @wagoodman]
• Preserve --from argument order [#4350 @wagoodman]
• SBOM generated by Syft 1.28 contains license elements missing id or name (causing CycloneDX parser error) [#4363]
• empty PURL output in dependency snapshot format breaks sbom-action [#4311]
• Interface includes constraint elements, can only be used in type parameters [#4346]
• Upgrade github.com/nwaples/rardecode@v1.1.3 to 2.2.1 [#4338]
• Upgrade to Golang 1.25.4 [#4341]

Additional Changes

• migrate syft to use mholt/archives instead of anchore fork [#4029 @Rupikz]
• Add license enrichment from pypi to python packages [#4295 @timols]
• license file search [#4327 @kzantow]

(Full Changelog)

v1.37.0

Added Features

• Refactor fileresolver to not require base path [#4298 @Rupikz]
• Describe cataloger capabilities via test observations [#4318 @wagoodman]
• Support Java resource adapter extension .far as a Java archive [#4183 #4193 @kyounghunJang]
• Add Java resource adapter extension ".rar" as supported Java archive [#4136 #4137 @thomassui]

Bug Fixes

• fix empty PURL Github format [#4312 @rezmoss]
• Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#4308 @kdt523]
• Respect "rpmmod" PURL qualifier [#4314 @willmurphyscode]
• fix dpkg packages that are in deinstalled state should not be in SBOM [#3063 #4231 @rkirk-nos]

(Full Changelog)