Bug Fixes

• Various false positives starting with 0.91.1 [#2618 #2621 @willmurphyscode]

(Full Changelog)

Bug Fixes

• Assume that empty versions should match on all possible versions [#2591 @wagoodman]
• Fix severity field in db search vuln [#2589 @wagoodman]
• Recover from panic within a matcher [#2590 @wagoodman]
• Should only check maven central if pom info is missing [#2216 #2547 @tdunlap607]
• grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results [#2530]
• Grype stopped reporting vulnerabilities after upgrade [#2608 #2610 @willmurphyscode]
• Grype does not handle cache-dir containing ~ correctly [#2599 #2600 @kzantow]
• Grype should expand ~ in paths in config file [#2024 #2600 @kzantow]
• False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#2581]
• Missing grype DB update from 20250411 [#2593]
• Does not fill in the Level field of the SARIF result object [#2511 #2571 @bdovaz]

Additional Changes

• add timing info to log output [#2597 @kzantow]
• Replace os.ReadDir with afero.ReadDir for consistency [#2579 @joe-ton]

(Full Changelog)

Added Features

• Add v5 namespace emulation to db search output [#2539 @wagoodman]
• Add CVSS metrics in search JSON output [#2568 @wagoodman]
• Exit with a different return code for a failed scan [#1922]

Bug Fixes

• Use data driven approach when detecting Alpine:edge and Debian:sid [#2556 @wagoodman]
• db list should render out full URLs for text format [#2553 @wagoodman]
• grype db import fails since v0.88 and above [#2542 #2546 @kzantow]

(Full Changelog)

Added Features

• Match vulnerabilities by distro name when no version specified [#2521 #2534 @kzantow]
• Allow DB import from a URL [#2134 #2532 @wagoodman]
• Add the DB url to the JSON descriptor block [#356 #2529 @wagoodman]

(Full Changelog)

Bug Fixes

• Ensure fatal error from maven search bubbles up [#2518 @luhring]
• Source URLs missing/broken in output with latest release [#2520 #2523 @kzantow]
• Grype results set a vulnerability as its own related vulnerability [#2514 #2515 @kzantow]

(Full Changelog)

Added Features

• Show suggested fixed version when there are multiple listed [#2264 #2271 @tomersein]

Bug Fixes

• Check for vulnerability database update failed with unsupported protocol scheme when referencing local file [#2507 #2508 @wagoodman]

(Full Changelog)

Added Features

• Add KEV information to v6 DB [#2464 @wagoodman]
• Add pretty format option [#2406 @tomersein]
• Add configuration for maven rate limit functionality [#2397 @rawlingsj]
• Allow specifying literal CPEs via the CLI [#2463 @wagoodman]
• Add KEV & EPSS to db search schema [#2481 @wagoodman]
• Update vulnerability matchers to use v6 DB schema [#2132 #2311 @kzantow]
• Configure and use new V6 DB distribution URLs [#2126 #2439 @kzantow]

Bug Fixes

• fix golang 1.24 versions when not semver compliant [#2486 @xnox]
• error out on maven search rate limiting [#2460 @luhring]
• CPE search failed when considering target software for unknown package type [#2434 #2438 @westonsteimel]
• Grype Does Not Clean TMPDIR When Running in a Docker Container [#2500]
• GetMavenPackageBySha can be rate limited by maven central, grype will silently fail which results in inconsistent scan results [#2383]
• Grype exits with error on JSON output with PURL input [#2360]
• Removal of temporary files not working on Windows [#2233 #2439 @kzantow]
• grype db status reports "valid" when the DB is missing [#2077 #2439 @kzantow]
• grype db status doesn't always check the db's checksum and validity [#1648 #2439 @kzantow]
• False positive of CVE-2023-45853 on apt zlib1g/now 1:1.2.13.dfsg-1 package [#2412 #2474 @westonsteimel]
• GHSA-93ww-43rr-79v3 / CVE-2024-10039 does not get patched version [#2408]
• "grype config" output swaps comments for search-indexed-archives / search-unindexed-archives [#2409 #2414 @spiffcs]

Breaking Changes

• Remove DB schema v3 and v4 code [#2435 @wagoodman]
• Replace grype db diff with grype db search --modified-after and --published-after flags [#2129 #2439 @kzantow]

Additional Changes

• Refactor presenters to use static model over dynamic lookups [#2492 @wagoodman]
• update syft to 1.20 [#2473 @kzantow]

(Full Changelog)

Added Features

• Question: Custom Vulnerability Sources CSAF [#2337]
• vex: Add package name to VEX product identifiers [#1905 #2355 @ferozsalam]

Bug Fixes

• fix upstream match for linux-.-headers-. [#2320 @barnuri]
• external-sources: throttle requests to maven central to avoid being rate limited for large sets of java dependencies [#2384 @rawlingsj]
• Clean up config help text [#2347 @wagoodman]

(Full Changelog)

Security Fixes

• archiver has been archived - replace with archives fork [#2304 #2313 @spiffcs]

Bug Fixes

• archiver has been archived - replace with archives fork [#2304 #2313 @spiffcs]
• Grype panics on certain output formats for PURL inputs [#2324 #2328 @willmurphyscode]
• FP of upstream linux [#2326]

Additional Changes

• move v5-specific interfaces and implementations to the v5 package [#2322 @kzantow]
• Fix broken link to cosign documentation [#2321 @uaqben]

(Full Changelog)

Added Features

• Add missing package information for Sarif report [#2267 #2254 @GeorgeLS]

Bug Fixes

• ignore linux-aws-headers-.* as well like linux-headers-.* [#2295 @barnuri]

Breaking Changes

• Remove DB v1 & v2 schemas [#2278 @wagoodman]

Additional Changes

• refactor v5-specific code out of core packages [#2299 @kzantow]

(Full Changelog)