Sourced from github.com/anchore/syft's releases.

v1.26.0

Added Features

• Read version resources from non-.NET DLLs and executables [#3842 #3911 @​wagoodman]

Bug Fixes

• pkg.JavaArchive.PomProperties is being populated even though no pom.properties file was present for analysis [#3922 @​wagoodman]
• syft 1.24.0 debug container - wget fails TLS [#3891 #3915 @​spiffcs]

(Full Changelog)

v1.25.1

Additional Changes

• remove go-rpmdb replace directive [#3908 @​wagoodman]

(Full Changelog)

v1.25.0

Added Features

• Add PHP interpreter + extensions cataloger [#2585 @​LaurentGoderre]

Bug Fixes

• update license content filtering default case to be 'none' for no content [#3903 @​spiffcs]
• Distinguish openjdk vs jdk when using file source [#3895 @​adammcclenaghan]
• Make it discoverable if Native Image contains no embedded SBOM [#3731 #3805 @​sathiya06]

(Full Changelog)

v1.24.0

Added Features

• Add cataloger for Dart pubspec [#3292 @​LaurentGoderre]
• Translate Portage license strings to SPDX expressions [#1763 @​wagoodman]
• Use package ID from decoded SBOMs when provided [#1872 @​jneate]
• Annotate visible/hidden paths when all-layers scope [#3855 @​wagoodman]
• Add support for PHP Pear [#2775 @​LaurentGoderre]
• Detect whether full license text or a license name has been provided [#3088 #3876 @​spiffcs #3450 @​spiffcs]
• Add Cataloger for Homebrew on macOS [#3632 #3724 @​rezmoss]
• Provide a way to get the LayerID the package was first found in [#435 #3858 @​wagoodman #3138 @​tomersein]
• Go binaries that currently get (devel) as the version should instead stub UNKNOWN based on the compliance policy [#3324 #3873 @​wagoodman]
• Upgrade base Docker image to gcr.io/distroless/static-debian12 [#3840 #3862 @​bgoareguer]
• Return full license string instead of SHA256 hash when license string exceeds 64 characters [#3780 #3844 @​spiffcs]
• Detect nix dependencies [#3814 #3837 @​wagoodman]

Bug Fixes

... (truncated)

• ac883f5 add cdx group as purl namespace (#3922)
• e23ca43 add PE binary cataloger (#3911)
• b4ca040 chore: update dockerfile base images to latest rolling tags (#3915)
• 828645e chore(deps): update CPE dictionary index (#3913)
• db77b54 finalize go mod ref (#3908)
• 2d4fe51 remove benchmark workflow (#3906)
• e1374f7 fix: update license content filtering default case to be 'none' for no conten...
• 9458938 chore(deps): bump github/codeql-action from 3.28.17 to 3.28.18 (#3905)
• 8cbdd38 fix: Make Native Image contains no embedded SBOM Error Discoverable (#3805)
• 8f02bd8 fix: Distinguish openjdk vs jdk when using file source (#3895)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)