Syft - v1.13.0 released

Added Features

• --enrich flag for data enrichment feature enablement #3182 @kzantow
• Add classifier for Dart lang #3265 @LaurentGoderre
• add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher #3252 @krysgor
• Catalog JDKs more completely #3188 #3217 @wagoodman
• Show richer information for JVM installations #1426 #3217 @wagoodman
• Allow for stubbing unknown versions over dropping packages #2652 #3257 @wagoodman
• Name and Version empty for Java package when scanning provided image #2132 #3257 @wagoodman
• Support bitnami/mysql:8.x #3025

Bug Fixes

• OpenJDK CPEs #2422 #3217 @wagoodman
• SBOM generated from poetry lock file contains no license information on any dependencies #3204]
• Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant) #2039 #3257 @wagoodman
• Using replace in a go.mod creates a SPDX package without versionInfo (Non-NTIA compliant) #2038 #3257 @wagoodman
• Command make add-snippet can fail in some cases #3249

(Full Changelog)

related to this feature - * Allow for stubbing unknown versions over dropping packages #2652 #3257 @wagoodman

can i expect the results to be the same as before if I choose not to set anything in the configuration?

Thanks!

@TimBrown1611 these are the defaults, so I think you might see slightly different behavior, but probably more preferred behavior: packages with no name are simply dropped. This corrects some issues summarily where no-name packages were being created. I suspect most of us find them fairly useless, and will appreciate this default. Additionally, the default behavior for empty version strings is to replace these with NTIA-compliant UNKNOWN version strings.