Releases: anchore/grype
v0.89.0
Important
As of Grype v0.88.0, the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.
Added Features
- Show suggested fixed version when there are multiple listed [#2264 #2271 @tomersein]
Bug Fixes
- Check for vulnerability database update failed with "unsupported protocol scheme" when referencing local file [#2507 #2508 @wagoodman]
v0.88.0
Important
With #2126 the listing file which hosts the URLs of databases to download has migrated from https://toolbox-data.anchore.io/grype/databases/listing.json to https://grype.anchore.io/databases/v6/latest.json.
Added Features
- Add KEV information to v6 DB [#2464 @wagoodman]
- Add pretty format option [#2406 @tomersein]
- Add configuration for maven rate limit functionality [#2397 @rawlingsj]
- Allow specifying literal CPEs via the CLI [#2463 @wagoodman]
- Add KEV & EPSS to db search schema [#2481 @wagoodman]
- Update vulnerability matchers to use v6 DB schema [#2132 #2311 @kzantow]
- Configure and use new V6 DB distribution URLs [#2126 #2439 @kzantow]
Bug Fixes
- fix golang 1.24 versions when not semver compliant [#2486 @xnox]
- error out on maven search rate limiting [#2460 @luhring]
- CPE search failed when considering target software for unknown package type [#2434 #2438 @westonsteimel]
- Grype Does Not Clean TMPDIR When Running in a Docker Container [#2500]
- GetMavenPackageBySha can be rate limited by maven central, grype will silently fail which results in inconsistent scan results [#2383]
- Grype exits with error on JSON output with PURL input [#2360]
- Removal of temporary files not working on Windows [#2233 #2439 @kzantow]
- grype db status reports "valid" when the DB is missing [#2077 #2439 @kzantow]
- grype db status doesn't always check the db's checksum and validity [#1648 #2439 @kzantow]
- False positive of CVE-2023-45853 on apt zlib1g/now 1:1.2.13.dfsg-1 package [#2412 #2474 @westonsteimel]
- GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version [#2408]
- "grype config" output swaps comments for search-indexed-archives / search-unindexed-archives [#2409 #2414 @spiffcs]
Breaking Changes
- Remove DB schema v3 and v4 code [#2435 @wagoodman]
- Replace grype db diff with grype db search --modified-after and --published-after flags [#2129 #2439 @kzantow]
Additional Changes
- Refactor presenters to use static model over dynamic lookups [#2492 @wagoodman]
- update syft to 1.20 [#2473 @kzantow]
v0.87.0
Added Features
- Question: Custom Vulnerability Sources CSAF [#2337]
- vex: Add package name to VEX product identifiers [#1905 #2355 @ferozsalam]
Bug Fixes
- fix upstream match for linux-.-headers-. [#2320 @barnuri]
- external-sources: throttle requests to maven central to avoid being rate limited for large sets of java dependencies [#2384 @rawlingsj]
- Clean up config help text [#2347 @wagoodman]
v0.86.1
Bug Fixes
- archiver has been archived - replace with archives fork [#2304 #2313 @spiffcs]
- Grype panics on certain output formats for PURL inputs [#2324 #2328 @willmurphyscode]
- FP of upstream linux [#2326]
v0.86.0
Breaking Changes
- Remove DB v1 & v2 schemas [#2278 @wagoodman]
v0.85.0
Added Features
- Add support for gradle in Java [#2236]
- Prefer direct match information over indirect matches [#1931 #2241 @wagoodman]
Bug Fixes
- Restore log on UI teardown [#2248 @wagoodman]
- Display warnings even when -v is not passed and no tty is present [#2180 #2268 @willmurphyscode]
Additional Changes
- core dependencies: latest syft v1.17.0 and latest stereoscope v0.0.9 [#2275 @willmurphyscode]
v0.84.0
Added Features
- Add support for scanning single purl from the CLI [#2225 #2223 @wagoodman]
Bug Fixes
- Flaky checks on STDIN for purl provider [#2192 #2223 @wagoodman]
- Missing alpine patch version yields inaccurate results [#2222 #2226 @wagoodman]
Additional Changes
- update Syft to v1.16.0 [#2237 @anchore-actions-token-generator]
v0.83.0
v0.82.2
Bug Fixes
- azurelinux considered as comprehensive distro [#2197 @westonsteimel]
- Java archive cataloger performance in 0.82.x much slower than 0.81.0 [#2200]
Additional Changes
- Update to Syft v1.14.2 [#2203 @wagoodman]
v0.82.1
Bug Fixes
- Skip matching on packages with missing version info [#2182 @wagoodman]
- correctly identify version of traefik binaries [#2178 #2179 @westonsteimel]
- RPM version comparison oddity with release field [#398 #2188 @wagoodman]
- purl with epoch should be used even if version is missing epoch [#2170 #2186 @wagoodman]
Additional Changes
- bump syft in quality gate to v1.14.0 [#2187 @westonsteimel]