Added Features

• Add unaffected package and CPE stores [#2888 @wagoodman]
• use unaffected match table to remove appropriate vulns [#2886 @crosleyzack]

(Full Changelog)

Bug Fixes

• Present fix available version in grype JSON output [#2905 @wagoodman]
• detect patch numbers in fuzzy version comparison [#2844 @willmurphyscode]
• Make timestamp in output configurable (so that results are more reproducible) [#522 #2724 @gabetrau]
• Grype .98 misidentifies the container package version [#2884]

(Full Changelog)

Added Features

• Add fix availability information to DB schema [#2862 @wagoodman]
• Add support vulnerability matching for raspbian [#2893 @westonsteimel]
• Add Vex CSAF support [#1826 @juan131]

Bug Fixes

• include channel in grype db search output [#2873 @willmurphyscode]
• add UnmarshalJSON to fix availability blob [#2889 @willmurphyscode]
• Grype misdetect Grafana version [#2783]

Breaking Changes

• CSAF support [#1826 @juan131]

(Full Changelog)

Added Features

• move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [#2861 @westonsteimel]

(Full Changelog)

Grype v0.97.2

Added Features

• new syft version adds binary classifier for hashicorp vault [#4121 @willmurphyscode]

Bug Fixes

• fix: update syft's nondeterministic Java archive purl and improve groupID for better matching [#3521 #4118 @kzantow]

(Full Changelog)

Bug Fixes

• Multiple EUS advisories where only some are fixed result in unexpected vulnerabilities [#2840 #2841 @kzantow]

(Full Changelog)

Added Features

• Add support for RHEL EUS [#2446 #2787 @wagoodman]

Bug Fixes

• Error scanning snap "unsupported source: source.SnapMetadata" [#2819 #2821 @kzantow]

Additional Changes

• add channel to os / distro [#2782 @wagoodman]

(Full Changelog)

Syft Improvments

• Update to latest version of syft v1.29.0

Performance Improvements

• Create ignore regex objects conditionally[#2805 @wagoodman ]

(Full Changelog)

Added Features

• Added the EPSS score and KEV indications as CycloneDX vulnerabilities.ratings entries [#2695 #2765 @AlinaPodoba]

Bug Fixes

• The go run and go install broken due to useless redirect directive in go.mod [#2777 #2780 @stefanb]
• EPSS implementation using percentile instead of percent probability [#2778 #2785 @wagoodman]
• Latest version of grype with V6 schema lists incorrect URL for v6 database [#2513]

Additional Changes

• Add more detail around cataloging and DB load log statements [#2779 @wagoodman]
• add version set and combined constraint [#2763 @wagoodman]
• add v6 OS store [#2766 @wagoodman]

(Full Changelog)

Added Features

• Add string severity to db search json results [#2730 @wagoodman]
• Add package specifier overrides for kb, dpkg, and apkg [#2742 @westonsteimel]

Bug Fixes

• show related NVD records for non-NVD matches [#2755 @kzantow]
• assume that a vulnerability with no ranges is always vulnerable [#2759 @wagoodman]
• DB should hydrate for when the client has new features [#2758 @wagoodman]
• show relationship back to NVD for all CVE ids [#2756 @westonsteimel]
• properly escape CPE segments [#2731 @kzantow]
• msrc matcher should search by package ecosystem, not by distro [#2748 @westonsteimel]
• Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [#2768 #2772 @willmurphyscode]
• malformed CPE in grype db search output [#2767 #2769 @westonsteimel]
• vex documents from the --vex flag do get processed or applied to the output correctly [#1836 #2741 @willmurphyscode]

Additional Changes

• replace deprecated GoReleaser configurations [#2729 @emmanuel-ferdman]
• specify types for all match details [#2762 @wagoodman]
• Refactor the version package [#2735 @wagoodman]

(Full Changelog)