Sourced from github.com/anchore/syft's releases.

v1.27.1

Bug Fixes

• Allow decoding of enterprise-modified anchorectl json files [#3997 @​wagoodman]
• Allow decoding of anchorectl json files [#3973 @​wagoodman]

Additional Changes

• provide separate nonroot image [#3998 @​kzantow]

(Full Changelog)

v1.27.0

Added Features

• add syft schema version to version command [#3949 @​spiffcs]

Bug Fixes

• Remove CPE product candidates for phf, prometheus, hyper and Rust crates [#3967 @​jayvdb]
• Remove CPE product candidates for opentelemetry and redis Rust crates [#3962 @​jayvdb]
• Harden Container Runtime with Non-Root User [#3941 @​MikeTheCyberGuy]
• terraform provider lock entries should not require constraints [#3934 @​ghouscht]
• sbom cataloger returning upstream package [#3662 #3981 @​kzantow]
• Syft missing md5 sums and list data for dpkg packages under status.d/ [#3912]
• Failure to detect dependency relationships between Python packages [#3958 #3965 @​christoph-blessing]
• Heavy memory consumption when directory scanning deb source [#3928 #3953 @​kzantow]
• In versions 1.25.0 and later, graalvm-native-image-cataloger adds 3-6 hours to Syft [#3942 #3944 @​kzantow]
• Syft incorrectly reports multiple APKs as parents of symlinked files [#3847 #3923 @​luhring]

(Full Changelog)

A HUGE thank you to @​rezmoss for his help identifying and solving an issue causing excessive time and memory consumption with large numbers of symlinks! ❤️

• 10f0631 fix: provide separate nonroot image (#3998)
• 96c34ff account for non-import shapes (#3997)
• 79b6d5d Allow decoding of anchorectl json files (#3973)
• cfa7cc5 chore(deps): bump github.com/anchore/stereoscope (#3991)
• 18f9b5a remove benchmark utils (#3982)
• 9090c69 fix: exclude packages with SPDX GENERATED_FROM source package indication (#3981)
• 1396a14 chore(deps): bump modernc.org/sqlite from 1.37.1 to 1.38.0 (#3979)
• 592bc0a chore(deps): bump github.com/go-git/go-git/v5 from 5.16.1 to 5.16.2 (#3978)
• b6b8a8f chore(deps): update tools to latest versions (#3977)
• a196cc9 chore(deps): update CPE dictionary index (#3976)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)