Bug Fixes

• Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image [#4652]

Additional Changes

• bump github.com/buger/jsonsparser to v1.1.2 [#4680 @willmurphyscode]
• centralize temp files and prefer streaming IO [#4668 @willmurphyscode]

(Full Changelog)

Bug Fixes

• [BUG] Incorrect Maven PURL generation: Automatic-Module-Name should not be used as Maven groupId [#4611 #4642 @xnox]
• Checksum is 0 for spdx files [#2307 #4620 @ppalucha]
• Support grafana binary various versions [#4559 #4635 @witchcraze]

Additional Changes

• migrate fixtures to testdata [#4651 @wagoodman]

(Full Changelog)

Bug Fixes

• Use redhat as namespace for hummingbird rpms [#4615 @scoheb]
• False Positive: Emacs snap package version CVE-2024-39331 [#4485]

Additional Changes

• call cleanup on tmpfile and replace some io.ReadAlls with streams [#4629 @willmurphyscode]
• bumps go mod version to 1.25; ci takes latest patch [#4628 @spiffcs]

(Full Changelog)

Added Features

• Add support for scanning GGUF models from OCI registries [#4335 @spiffcs]
• yarn lockfile scan doesnt catch dev dependencies [#4548 #4549 @rezmoss]

Additional Changes

• CPE detection for APK libavif to use aomedia vendor [#4597 @naag]

(Full Changelog)

Bug Fixes

• further improve go binary classifier, including windows [#4593 @kzantow]
• Wrong format in license [#4233 #4588 @spiffcs]
• Cannot detect installation of Qt6 [#4467 #4550 @rezmoss]
• bug: Syft mis-identifies binary as deb inside a snap [#4486 #4500 @popey]

(Full Changelog)

Bug Fixes

• [Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft [#4562 #4573 @spiffcs]

(Full Changelog)

Added Features

• detect Debian version from /etc/debian_version [#4569 @kzantow]

Bug Fixes

• correctly report supporting evidence for binary packages [#4558 @kzantow]

(Full Changelog)

Bug Fixes

• mongodb binary not detected manual/source install [#4540 #4541 @rezmoss]

(Full Changelog)

Added Features

• Exclude development or test dependencies for PNPM Package type [#4430 #4487 @rezmoss]
• Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @witchcraze]
• Catalog envoy binary [#4506 #4530 @witchcraze]
• Catalog grafana binary [#4505 #4516 @witchcraze]
• Add a binary classifier for valkey [#3400 #4509 @witchcraze]

Bug Fixes

• old bitnami images without spdx files arent getting picked up correctly in the catalog [#4529 #4532 @rezmoss]
• wrong traefik rc versions at binary detection [#3535 #4499 @rezmoss]
• FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#4070 #4075 @luissantosHCIT]
• binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#4498 #4499 @rezmoss]

(Full Changelog)

Added Features

• add support for Gemfile.next.lock [#4457 @HatiCode]
• Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @wagoodman]
• Support reading lzma compressed .go.buildinfo sections with upx [#4411 #4480 @wagoodman]
• Specify specific snap revision to pull [#4389 #4439 @VictorHuu]
• Cannot detect embedded deps.json metadata in single-file .NET binaries [#4344 #4375 @rezmoss]
• ELF note cataloger does not pick up OS field, but should [#4384 #4438 @VictorHuu]

Bug Fixes

• remove debug print statement in dependency parser [#4412 @cgreeno]
• dotnet-deps cataloger should skip project references with type "project" when building the sbom [#4423 #4436 @rezmoss]
• File digests not computed when using --base-path [#4410 #4478 @wagoodman]
• Syft should not define subpaths by default in PURLs [#4394 #4395 @rezmoss]
• go: valid purl but incorrect name [#1737 #4395 @rezmoss]
• Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#4316 #4395 @rezmoss]
• Failing to convert npm repository information correctly to SPDX [#4362 #4390 @kendrickm]

(Full Changelog)