Syft - v1.24.0 released

Help shape the future of Syft! Share your thoughts in our quick 5-question survey. Your feedback will guide our development priorities and help us better serve your needs. Thank you!

Release Notes:

Version v1.24.0

Added Features

• Add cataloger for Dart pubspec #3292 @LaurentGoderre
• Translate Portage license strings to SPDX expressions #1763 @wagoodman
• Use package ID from decoded SBOMs when provided #1872 @jneate
• Annotate visible/hidden paths when all-layers scope #3855 @wagoodman
• Add support for PHP Pear #2775 @LaurentGoderre
• Detect whether full license text or a license name has been provided #3088 #3876 @spiffcs #3450 @spiffcs
• Add Cataloger for Homebrew on macOS #3632 #3724 @rezmoss
• Provide a way to get the LayerID the package was first found in #435 #3858 @wagoodman #3138 @tomersein
• Go binaries that currently get (devel) as the version should instead stub UNKNOWN based on the compliance policy #3324 #3873 @wagoodman
• Upgrade base Docker image to gcr.io/distroless/static-debian12 #3840 #3862 @bgoareguer
• Return full license string instead of SHA256 hash when license string exceeds 64 characters #3780 #3844 @spiffcs
• Detect nix dependencies #3814 #3837 @wagoodman

Bug Fixes

• update license sort to be stable with contents field #3860 @spiffcs
• Improve detection of erlang binary in alpine Linux #3839 @avodotiiets
• Do not search for main module versions within binary contents by default #3874 @wagoodman
• dpkg license improvement for non SPDX licenses #3090 #3888 @spiffcs
• CycloneDX group field not symmetrically handled by encoder/decoders #2981 #3853 @kzantow
• Syft crash [signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x123a0da] #3872 #3875 @wagoodman
• Syft 1.23.1 shows version (devel) for grafana 12.0.0 #3864
• .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs #3866 #3869 @wagoodman
• Propagate error in FileSourceProvider instead of warn log #3831 #3845 @Rupikz
• Update GitHub - Masterminds/semver: Work with Semantic Versions in Go package #3829 #3836 @popey
• go-module-file-cataloger fails if symlinks in path #3614 #3783 @VictorHuu
• Support fluent-bit some versions of arm/s390x images #3793 #3817 @VictorHuu