Releases: anchore/grype
v0.95.0
Added Features
- Add string severity to db search json results [#2730 @wagoodman]
- Add package specifier overrides for `kb`, `dpkg`, and `apkg` [#2742 @westonsteimel]
Bug Fixes
- show related NVD records for non-NVD matches [#2755 @kzantow]
- assume that a vulnerability with no ranges is always vulnerable [#2759 @wagoodman]
- DB should hydrate for when the client has new features [#2758 @wagoodman]
- show relationship back to NVD for all CVE ids [#2756 @westonsteimel]
- properly escape CPE segments [#2731 @kzantow]
- msrc matcher should search by package ecosystem, not by distro [#2748 @westonsteimel]
- Grype does not report any vulnerabilities for CPEs with the target_sw field set to a value that does not correspond to a known package type [#2768 #2772 @willmurphyscode]
- malformed CPE in grype db search output [#2767 #2769 @westonsteimel]
- vex documents from the --vex flag do get processed or applied to the output correctly [#1836 #2741 @willmurphyscode]
Additional Changes
- replace deprecated GoReleaser configurations [#2729 @emmanuel-ferdman]
- specify types for all match details [#2762 @wagoodman]
- Refactor the version package [#2735 @wagoodman]
v0.94.0
v0.93.0
Added Features
- Add support for MinimOS [#2627 @Daniel-Wachter]
- Use the upstream Bitnami vulndb data for matching [#1609 #2538 @juan131]
- Support rubygems-specific version comparison [#2646 #2712 @willmurphyscode]
Bug Fixes
- Harden Container Runtime with Non-Root User [#2716 @wagoodman]
- valid cpes in db search output [#2706 @westonsteimel]
- Always show results with json output for `db search` commands [#2692 @wagoodman]
- False positive: CVE-2025-5702 reported with High severity on glibc 2.34 (wrong severity and affected version) [#2718]
v0.92.2
Bug Fixes
- unpin dockerfile base images to prevent wget TLS errors [#2671 @spiffcs]
- Parse java group ID and artifact ID from PURL when missing [#2675 @wagoodman]
- Grype can't update DB in docker volume (regression) [#2517 #2672 @willmurphyscode]
Additional Changes
- Remove getDB() from the v6 DB reader [#2669 @wagoodman]
v0.92.1
v0.92.0
Added Features
- improve html template [#2635 @OnceUponALoop]
- Add EPSS metrics to grype results [#1973 #2587 @wagoodman]
- Show indication of known exploited vulnerabilities (from CISA) [#1511 #2587 @wagoodman]
Bug Fixes
- adjust namespace translation logic to be v5 compatible [#2634 @westonsteimel]
- fall back to fuzzy constraint units [#2651 @willmurphyscode]
- adjust version prefix check when excluding overlapping packages [#2653 @westonsteimel]
- Dropping group from npm package names leads to false positives [#2554 #2645 @kzantow]
- Potential regression in CVE detection from 0.87.0 (v5 schema) to 0.88.0 (v6 schema) for go-module detection [#2642]
- Removal of temporary files not working on Windows [#2233 #2657 @popey]
- @jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 [#1886 #2645 @kzantow]
- Vulnerability reported on @group/name dependency when actual vulnerability exists on name dependency [#1701 #2645 @kzantow]
- Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities [#2628 #2645 @kzantow]
- PHP pecl redis mixes with redis project itself and creates false positive cve [#1804]
- False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 [#1729]
- Grype does not handle purl file input with packages from different distributions [#2630 #2639 @chovanecadam]
- grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve [#2580 #2586 @goatwu1993]
v0.91.2
Bug Fixes
- Various false positives starting with 0.91.1 [#2618 #2621 @willmurphyscode]
v0.91.1
Bug Fixes
- Assume that empty versions should match on all possible versions [#2591 @wagoodman]
- Fix severity field in `db search vuln` [#2589 @wagoodman]
- Recover from panic within a matcher [#2590 @wagoodman]
- Should only check maven central if pom info is missing [#2216 #2547 @tdunlap607]
- grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results [#2530]
- Grype stopped reporting vulnerabilities after upgrade [#2608 #2610 @willmurphyscode]
- Grype does not handle cache-dir containing ~ correctly [#2599 #2600 @kzantow]
- Grype should expand `~` in paths in config file [#2024 #2600 @kzantow]
- False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#2581]
- Missing grype DB update from 20250411 [#2593]
- Does not fill in the Level field of the SARIF result object [#2511 #2571 @bdovaz]
Additional Changes
v0.91.0
Added Features
- Add v5 namespace emulation to db search output [#2539 @wagoodman]
- Add CVSS metrics in search JSON output [#2568 @wagoodman]
- Exit with a different return code for a failed scan [#1922]
Bug Fixes
- Use data driven approach when detecting Alpine:edge and Debian:sid [#2556 @wagoodman]
- `db list` should render out full URLs for text format [#2553 @wagoodman]
- grype db import fails since v0.88 and above [#2542 #2546 @kzantow]
v0.90.0
Added Features
- Match vulnerabilities by distro name when no version specified [#2521 #2534 @kzantow]
- Allow DB import from a URL [#2134 #2532 @wagoodman]
- Add the DB url to the JSON descriptor block [#356 #2529 @wagoodman]