Releases: anchore/grype
v0.92.1
v0.92.0
Added Features
- improve html template [#2635 @OnceUponALoop]
- Add EPSS metrics to grype results [#1973 #2587 @wagoodman]
- Show indication of known exploited vulnerabilities (from CISA) [#1511 #2587 @wagoodman]
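The two features above put exploitation evidence (EPSS probability and CISA KEV membership) into grype's results, which is what makes severity-only triage obsolete: a Critical with no exploitation signal can wait behind a Medium that is already on the KEV list. The following script is an added example (not part of grype or of these release notes) showing how a practitioner might rank a grype JSON report with that data. The field names it reads (`matches[].vulnerability.id`, `.severity`, `.epss[]`, `.knownExploited[]`) are assumed from grype's JSON presenter model and should be checked against the version you run; the embedded report is constructed sample data with placeholder CVE identifiers, not real scan output.

```python
"""Rank a grype JSON report by exploitation evidence: KEV first, then EPSS.

Added example; assumes grype's JSON output exposes, per match,
vulnerability.epss (list of {cve, epss, percentile, date}) and
vulnerability.knownExploited (list of KEV records). Both keys are treated
as optional so reports from older grype versions still parse.
"""
import json
import sys

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1,
                 "Negligible": 0, "Unknown": 0}

# Constructed sample shaped like `grype -o json`; IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "epss": [{"cve": "CVE-0000-0001", "epss": 0.02,
                                     "percentile": 0.88, "date": "2025-04-30"}],
                           "knownExploited": []},
         "artifact": {"name": "libfoo", "version": "1.0.0", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "epss": [{"cve": "CVE-0000-0002", "epss": 0.45,
                                     "percentile": 0.97, "date": "2025-04-30"}],
                           "knownExploited": []},
         "artifact": {"name": "libbar", "version": "2.3.1", "type": "rpm"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "epss": [{"cve": "CVE-0000-0003", "epss": 0.70,
                                     "percentile": 0.99, "date": "2025-04-30"}],
                           "knownExploited": [{"cve": "CVE-0000-0003",
                                               "dateAdded": "2025-01-15",
                                               "requiredAction": "Apply updates."}]},
         "artifact": {"name": "libbaz", "version": "0.9.0", "type": "apk"}},
        # Older-style record with neither epss nor knownExploited present.
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Low"},
         "artifact": {"name": "libqux", "version": "4.0.0", "type": "deb"}},
    ]
})


def max_epss(vuln: dict) -> float:
    """Highest EPSS probability attached to a vulnerability, 0.0 if none."""
    return max((float(e.get("epss", 0.0)) for e in vuln.get("epss") or []),
               default=0.0)


def is_kev(vuln: dict) -> bool:
    """True when CISA KEV lists the vulnerability (non-empty knownExploited)."""
    return bool(vuln.get("knownExploited"))


def triage(report_json: str, epss_threshold: float = 0.1) -> list[dict]:
    """Return one row per match, highest priority first.

    Ordering: KEV membership, then max EPSS, then severity rank. Each row
    carries a bucket label: 'kev', 'epss-high' (EPSS >= threshold) or 'backlog'.
    """
    report = json.loads(report_json)
    rows = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        art = match.get("artifact", {})
        kev, epss = is_kev(vuln), max_epss(vuln)
        bucket = "kev" if kev else "epss-high" if epss >= epss_threshold else "backlog"
        rows.append({"id": vuln["id"],
                     "package": f"{art.get('name')}@{art.get('version')}",
                     "severity": vuln.get("severity", "Unknown"),
                     "kev": kev, "epss": epss, "bucket": bucket})
    rows.sort(key=lambda r: (r["kev"], r["epss"],
                             SEVERITY_RANK.get(r["severity"], 0)), reverse=True)
    return rows


if __name__ == "__main__":
    # Usage: grype <image> -o json | python triage.py   (or no stdin for the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for r in triage(data):
        print(f"{r['bucket']:<9} kev={str(r['kev']):<5} epss={r['epss']:.2f} "
              f"{r['severity']:<8} {r['id']:<16} {r['package']}")
```

With the sample data the KEV-listed High outranks the Critical that nobody is exploiting, and the Critical with EPSS 0.02 lands in the backlog; adjust `epss_threshold` to your own risk appetite rather than treating 0.1 as a standard.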
Bug Fixes
- adjust namespace translation logic to be v5 compatible [#2634 @westonsteimel]
- fall back to fuzzy constraint units [#2651 @willmurphyscode]
- adjust version prefix check when excluding overlapping packages [#2653 @westonsteimel]
- Dropping group from npm package names leads to false positives [#2554 #2645 @kzantow]
- Potential regression in CVE detection from 0.87.0 (v5 schema) to 0.88.0 (v6 schema) for go-module detection [#2642]
- Removal of temporary files not working on Windows [#2233 #2657 @popey]
- @jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 [#1886 #2645 @kzantow]
- Vulnerability reported on @group/name dependency when actual vulnerability exists on name dependency [#1701 #2645 @kzantow]
- Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities [#2628 #2645 @kzantow]
- PHP pecl redis mixes with redis project itself and creates false positive cve [#1804]
- False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 [#1729]
- Grype does not handle purl file input with packages from different distributions [#2630 #2639 @chovanecadam]
- grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve [#2580 #2586 @goatwu1993]
v0.91.2
Bug Fixes
- Various false positives starting with 0.91.1 [#2618 #2621 @willmurphyscode]
v0.91.1
Bug Fixes
- Assume that empty versions should match on all possible versions [#2591 @wagoodman]
- Fix severity field in `db search vuln` [#2589 @wagoodman]
- Recover from panic within a matcher [#2590 @wagoodman]
- Should only check maven central if pom info is missing [#2216 #2547 @tdunlap607]
- grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results [#2530]
- Grype stopped reporting vulnerabilities after upgrade [#2608 #2610 @willmurphyscode]
- Grype does not handle cache-dir containing ~ correctly [#2599 #2600 @kzantow]
- Grype should expand `~` in paths in config file [#2024 #2600 @kzantow]
- False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#2581]
- Missing grype DB update from 20250411 [#2593]
- Does not fill in the Level field of the SARIF result object [#2511 #2571 @bdovaz]
Additional Changes
v0.91.0
Added Features
- Add v5 namespace emulation to db search output [#2539 @wagoodman]
- Add CVSS metrics in search JSON output [#2568 @wagoodman]
- Exit with a different return code for a failed scan [#1922]
Bug Fixes
- Use data driven approach when detecting Alpine:edge and Debian:sid [#2556 @wagoodman]
- `db list` should render out full URLs for text format [#2553 @wagoodman]
- grype db import fails since v0.88 and above [#2542 #2546 @kzantow]
v0.90.0
Added Features
- Match vulnerabilities by distro name when no version specified [#2521 #2534 @kzantow]
- Allow DB import from a URL [#2134 #2532 @wagoodman]
- Add the DB url to the JSON descriptor block [#356 #2529 @wagoodman]
v0.89.1
v0.89.0
Important
As of Grype v0.88.0, the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.
Added Features
- Show suggested fixed version when there are multiple listed [#2264 #2271 @tomersein]
Bug Fixes
- Check for vulnerability database update failed with
unsupported protocol scheme
when referencing local file [#2507 #2508 @wagoodman]
v0.88.0
Important
With #2126 the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.
Added Features
- Add KEV information to v6 DB [#2464 @wagoodman]
- Add pretty format option [#2406 @tomersein]
- Add configuration for maven rate limit functionality [#2397 @rawlingsj]
- Allow specifying literal CPEs via the CLI [#2463 @wagoodman]
- Add KEV & EPSS to db search schema [#2481 @wagoodman]
- Update vulnerability matchers to use v6 DB schema [#2132 #2311 @kzantow]
- Configure and use new V6 DB distribution URLs [#2126 #2439 @kzantow]
Bug Fixes
- fix golang 1.24 versions when not semver compliant [#2486 @xnox]
- error out on maven search rate limiting [#2460 @luhring]
- CPE search failed when considering target software for unknown package type [#2434 #2438 @westonsteimel]
- Grype Does Not Clean TMPDIR When Running in a Docker Container [#2500]
- `GetMavenPackageBySha` can be rate limited by maven central, grype will silently fail which results in inconsistent scan results [#2383]
- Grype exits with error on JSON output with PURL input [#2360]
- Removal of temporary files not working on Windows [#2233 #2439 @kzantow]
- `grype db status` reports "valid" when the DB is missing [#2077 #2439 @kzantow]
- `grype db status` doesn't always check the db's checksum and validity [#1648 #2439 @kzantow]
- False positive of CVE-2023-45853 on apt zlib1g/now 1:1.2.13.dfsg-1 package [#2412 #2474 @westonsteimel]
- GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version [#2408]
- "grype config" output swaps comments for search-indexed-archives / search-unindexed-archives [#2409 #2414 @spiffcs]
Breaking Changes
- Remove DB schema v3 and v4 code [#2435 @wagoodman]
- Replace `grype db diff` with `grype db search --modified-after` and `--published-after` flags [#2129 #2439 @kzantow]
Additional Changes
- Refactor presenters to use static model over dynamic lookups [#2492 @wagoodman]
- update syft to 1.20 [#2473 @kzantow]
v0.87.0
Added Features
- Question: Custom Vulnerability Sources CSAF [#2337]
- vex: Add package name to VEX product identifiers [#1905 #2355 @ferozsalam]
Bug Fixes
- fix upstream match for linux-.-headers-. [#2320 @barnuri]
- external-sources: throttle requests to maven central to avoid being rate limited for large sets of java dependencies [#2384 @rawlingsj]
- Clean up config help text [#2347 @wagoodman]