Added Features

• Add string severity to db search json results [#2730 @wagoodman]
• Add package specifier overrides for kb, dpkg, and apkg [#2742 @westonsteimel]

Bug Fixes

• show related NVD records for non-NVD matches [#2755 @kzantow]
• assume that a vulnerability with no ranges is always vulnerable [#2759 @wagoodman]
• DB should hydrate for when the client has new features [#2758 @wagoodman]
• show relationship back to NVD for all CVE ids [#2756 @westonsteimel]
• properly escape CPE segments [#2731 @kzantow]
• msrc matcher should search by package ecosystem, not by distro [#2748 @westonsteimel]
• Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [#2768 #2772 @willmurphyscode]
• malformed CPE in grype db search output [#2767 #2769 @westonsteimel]
• vex documents from the --vex flag do get processed or applied to the output correctly [#1836 #2741 @willmurphyscode]

Additional Changes

• replace deprecated GoReleaser configurations [#2729 @emmanuel-ferdman]
• specify types for all match details [#2762 @wagoodman]
• Refactor the version package [#2735 @wagoodman]

(Full Changelog)

Added Features

• Add echo os to grype [#2647 @orizerah]

Bug Fixes

• Nonroot can't load local docker image with docker socket bind [#2721 #2723 @kzantow]
• "Harden Container Runtime with Non-Root User" breaks --output usage [#2720 #2723 @kzantow]

(Full Changelog)

Added Features

• Add support for MinimOS [#2627 @Daniel-Wachter]
• Use the upstream Bitmani vulndb data for matching [#1609 #2538 @juan131]
• Support rubygems specific version comparision [#2646 #2712 @willmurphyscode]

Bug Fixes

• Harden Container Runtime with Non-Root User [#2716 @wagoodman]
• valid cpes in db search output [#2706 @westonsteimel]
• Always show results with json output for db search commands [#2692 @wagoodman]
• False positive: CVE-2025-5702 reported with High severity on glibc 2.34 (wrong severity and affected version) [#2718]

(Full Changelog)

Bug Fixes

• unpin dockerfile base images to prevent wget TLS errors [#2671 @spiffcs]
• Parse java group ID and artifact ID from PURL when missing [#2675 @wagoodman]
• Grype can't update DB in docker volume (regression) [#2517 #2672 @willmurphyscode]

Additional Changes

• Remove getDB() from the v6 DB reader [#2669 @wagoodman]

(Full Changelog)

(Full Changelog)

Added Features

• improve html template [#2635 @OnceUponALoop]
• Add EPSS metrics to grype results [#1973 #2587 @wagoodman]
• Show indication of known exploited vulnerabilities (from CISA) [#1511 #2587 @wagoodman]

Bug Fixes

• adjust namespace translation logic to be v5 compatible [#2634 @westonsteimel]
• fall back to fuzzy constraint units [#2651 @willmurphyscode]
• adjust version prefix check when excluding overlapping packages [#2653 @westonsteimel]
• Dropping group from npm package names leads to false positives [#2554 #2645 @kzantow]
• Potential regression in CVE detection from 0.87.0 (v5 schema) to 0.88.0 (v6 schema) for go-module detection [#2642]
• Removal of temporary files not working on Windows [#2233 #2657 @popey]
• @jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 [#1886 #2645 @kzantow]
• Vulnerability reported on @group/name dependency when actual vulnerability exists on name dependency [#1701 #2645 @kzantow]
• Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities [#2628 #2645 @kzantow]
• PHP pecl redis mixes with redis project itself and creates false positive cve [#1804]
• False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 [#1729]
• Grype does not handle purl file input with packages from different distributions [#2630 #2639 @chovanecadam]
• grype pkg:golang/k8s.io/ingress-nginx@v1.11.2 does not show cve [#2580 #2586 @goatwu1993]

(Full Changelog)

Bug Fixes

• Various false positives starting with 0.91.1 [#2618 #2621 @willmurphyscode]

(Full Changelog)

Bug Fixes

• Assume that empty versions should match on all possible versions [#2591 @wagoodman]
• Fix severity field in db search vuln [#2589 @wagoodman]
• Recover from panic within a matcher [#2590 @wagoodman]
• Should only check maven central if pom info is missing [#2216 #2547 @tdunlap607]
• grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results [#2530]
• Grype stopped reporting vulnerabilities after upgrade [#2608 #2610 @willmurphyscode]
• Grype does not handle cache-dir containing ~ correctly [#2599 #2600 @kzantow]
• Grype should expand ~ in paths in config file [#2024 #2600 @kzantow]
• False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#2581]
• Missing grype DB update from 20250411 [#2593]
• Does not fill in the Level field of the SARIF result object [#2511 #2571 @bdovaz]

Additional Changes

• add timing info to log output [#2597 @kzantow]
• Replace os.ReadDir with afero.ReadDir for consistency [#2579 @joe-ton]

(Full Changelog)

Added Features

• Add v5 namespace emulation to db search output [#2539 @wagoodman]
• Add CVSS metrics in search JSON output [#2568 @wagoodman]
• Exit with a different return code for a failed scan [#1922]

Bug Fixes

• Use data driven approach when detecting Alpine:edge and Debian:sid [#2556 @wagoodman]
• db list should render out full URLs for text format [#2553 @wagoodman]
• grype db import fails since v0.88 and above [#2542 #2546 @kzantow]

(Full Changelog)

Added Features

• Match vulnerabilities by distro name when no version specified [#2521 #2534 @kzantow]
• Allow DB import from a URL [#2134 #2532 @wagoodman]
• Add the DB url to the JSON descriptor block [#356 #2529 @wagoodman]

(Full Changelog)