Bug Fixes

• drop cpe from gguf [#4383 @spiffcs]
• emit lua rockspec dependencies in metadata [#4376 @willmurphyscode]
• Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @VictorHuu]
• Incorrect CPE for Vercel's Next js [#4443 #4450 @willmurphyscode]
• v1.38.0 generates empty sbom for tgz sources [#4416 #4421 @VictorHuu]
• Syft: The dependency graph does not include all Requires-Dist relationships defined in the package’s METADATA file [#4401 #4408 @willmurphyscode]

(Full Changelog)

Added Features

• add support for cataloging GGUF models [#4184 #4279 @spiffcs]
• Support scanning a list of CPEs [#3890 #4207 @chovanecadam]
• Syft does not detect Elixir binary on system [#4333 #4334 @rezmoss]

Bug Fixes

• Support extras statements in Python PDM cataloger [#4352 @wagoodman]
• Preserve --from argument order [#4350 @wagoodman]
• SBOM generated by Syft 1.28 contains license elements missing id or name (causing CycloneDX parser error) [#4363]
• empty PURL output in dependency snapshot format breaks sbom-action [#4311]
• Interface includes constraint elements, can only be used in type parameters [#4346]
• Upgrade github.com/nwaples/[email protected] to 2.2.1 [#4338]
• Upgrade to Golang 1.25.4 [#4341]

Additional Changes

• migrate syft to use mholt/archives instead of anchore fork [#4029 @Rupikz]
• Add license enrichment from pypi to python packages [#4295 @timols]
• license file search [#4327 @kzantow]

(Full Changelog)

Added Features

• Refactor fileresolver to not require base path [#4298 @Rupikz]
• Describe cataloger capabilities via test observations [#4318 @wagoodman]
• Support Java resource adapter extension .far as a Java archive [#4183 #4193 @kyounghunJang]
• Add Java resource adapter extension ".rar" as supported Java archive [#4136 #4137 @thomassui]

Bug Fixes

• fix empty PURL Github format [#4312 @rezmoss]
• Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#4308 @kdt523]
• Respect "rpmmod" PURL qualifier [#4314 @willmurphyscode]
• fix dpkg packages that are in deinstalled state should not be in SBOM [#3063 #4231 @rkirk-nos]

(Full Changelog)

Added Features

• Add the ability to fetch remote licenses for pnpm-lock.yaml files [#4286 @timols]
• support universal (fat) mach-o binary files [#4278 @JoeyShapiro]
• pdm support [#2709 #4234 @paulslaby]

Bug Fixes

• Remove duplicate image source providers [#4289 @Rupikz]
• syft can't extract go module information from executables on Windows [#4271 #4285 @JoeyShapiro]

(Full Changelog)

Bug Fixes

• Extract zip archive with multiple entries [#4283 @Rupikz]
• panic while resolving maven properties in archive parser [#4288 #4290 @kzantow]

(Full Changelog)

Added Features

• feat: enhance setup.py parser to handle unquoted dependencies [#4255 @HalaAli198]
• feat: support for identifying ffmpeg/libav libraries [#4227 @popey]
• feat: PNPM latest lockfile (version 9.0) [#3927 #4256 @bernardoamc]
• Add Windows ARM64 releases [#4179 #4237 @compnerd]

Bug Fixes

• fix: SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches [#4036 #4093 @hawkaii]
• fix: use of manifest files present in Snap packages when generating SBOMs [#4147 #4151 @popey]
• fix: Pom xml only archive parser [#4272 @douglasclarke]

(Full Changelog)

Added Features

• Modify RpmDBEntry to include modularityLabel for cyclonedx [#4212 @sfc-gh-rmaj]
• Add locations onto packages read from Java native image SBOMs [#4186 @rudsberg]

(Full Changelog)

Added Features

• Catalog entire build list for Go projects, not just packages listed in go.mod [#432 #4127 @spiffcs]
• package.json authors keyword parsing [#2250 #4003 @popey]
• Conda ecosystem support (basic) [#4002@SimeonStoykovQC]

Bug Fixes

• When scanning the FFmpeg binary with Syft a new package is now added [#3988 #3994 @popey]
• Warn loudly if SQLite driver is not present when needed [#3234 #4150 @kzantow]

Additional Changes

• Update dependencies to use go.yaml.in/yaml [#4157 @n-bes]

(Full Changelog)

Added Features

• Option to set PackageSupplier in root of SPDX document generated by CLI [#3098 #4131 @spiffcs]

Bug Fixes

• closed reader during java binary detection [#4129 @kzantow]
• support multiple letters in openssl patch version [#4106 @honigbot]
• Can not have license ID [#1964 #4132 @spiffcs]
• Syft sometimes reports URL for license value when scanning JARs with a URL in Bundle-License field of manifest [#3186]

(Full Changelog)

Added Features

• add binary classifier for hashicorp vault [#4121 @willmurphyscode]

Bug Fixes

• fix: update nondeterministic Java archive cataloging and improve groupID [#3521 #4118 @kzantow]

(Full Changelog)