Added Features
- emit golang.org/x/net vulns from govulndb [PR #3534 @willmurphyscode]
- Merge Go vuln matches with GHSA matches [Issue #3515]
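The merge of Go vulnerability database matches with GHSA matches listed above is the kind of de-duplication a scanner needs when two sources report the same issue under different identifiers (a GO-* ID, a GHSA-* ID and a CVE that alias each other). The following is an added illustration of that idea, not Grype's own code: it groups matches on the same package whose identifiers are transitively connected through aliases, using a small disjoint-set, and keeps matches on different packages apart even when they share an ID. The `Match` and `Merged` types and the identifiers in `sampleMatches` are constructed for the example and do not correspond to real advisories.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Match is a single finding reported for a package by one data source.
// GO-* records come from the Go vulnerability database, GHSA-* records from
// GitHub Security Advisories; each usually carries aliases naming the same
// underlying issue in the other namespaces (CVE, GHSA, GO).
type Match struct {
	ID      string
	Source  string
	Package string
	Aliases []string
}

// Merged is one de-duplicated finding: every ID in the connected alias set and
// the sources that contributed a match.
type Merged struct {
	Package string
	IDs     []string
	Sources []string
}

// dsu is a disjoint-set forest keyed by identifier string.
type dsu map[string]string

func (d dsu) find(x string) string {
	if _, ok := d[x]; !ok {
		d[x] = x
	}
	for d[x] != x {
		d[x] = d[d[x]] // path halving
		x = d[x]
	}
	return x
}

func (d dsu) union(a, b string) { d[d.find(a)] = d.find(b) }

// MergeByAlias merges matches on the same package whose identifiers are linked
// by an alias chain. Matches on different packages are never merged, and a match
// with no alias overlap stays as its own group.
func MergeByAlias(matches []Match) []Merged {
	byPkg := map[string][]Match{}
	for _, m := range matches {
		byPkg[m.Package] = append(byPkg[m.Package], m)
	}
	var out []Merged
	for pkg, ms := range byPkg {
		d := dsu{}
		for _, m := range ms {
			d.find(m.ID)
			for _, a := range m.Aliases {
				d.union(m.ID, a)
			}
		}
		groups := map[string]*Merged{}
		for _, m := range ms {
			root := d.find(m.ID)
			g := groups[root]
			if g == nil {
				g = &Merged{Package: pkg}
				groups[root] = g
			}
			g.IDs = appendUnique(g.IDs, m.ID)
			for _, a := range m.Aliases {
				g.IDs = appendUnique(g.IDs, a)
			}
			g.Sources = appendUnique(g.Sources, m.Source)
		}
		for _, g := range groups {
			sort.Strings(g.IDs)
			sort.Strings(g.Sources)
			out = append(out, *g)
		}
	}
	// Deterministic order: by package, then by the joined ID list.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Package != out[j].Package {
			return out[i].Package < out[j].Package
		}
		return strings.Join(out[i].IDs, ",") < strings.Join(out[j].IDs, ",")
	})
	return out
}

func appendUnique(s []string, v string) []string {
	for _, x := range s {
		if x == v {
			return s
		}
	}
	return append(s, v)
}

// sampleMatches is constructed input with placeholder IDs, not real advisory data.
func sampleMatches() []Match {
	return []Match{
		{ID: "GO-0000-0001", Source: "govulndb", Package: "golang.org/x/net", Aliases: []string{"CVE-0000-00001"}},
		{ID: "GHSA-xxxx-xxxx-xxx1", Source: "ghsa", Package: "golang.org/x/net", Aliases: []string{"CVE-0000-00001"}},
		{ID: "GHSA-xxxx-xxxx-xxx2", Source: "ghsa", Package: "golang.org/x/net"},
		{ID: "GO-0000-0001", Source: "govulndb", Package: "example.com/other", Aliases: []string{"CVE-0000-00001"}},
	}
}

func main() {
	for _, g := range MergeByAlias(sampleMatches()) {
		fmt.Printf("%s  ids=%v  sources=%v\n", g.Package, g.IDs, g.Sources)
	}
}
```

With the constructed input, the two golang.org/x/net matches that share the CVE alias collapse into one group carrying both sources, the second GHSA match stays separate, and the example.com/other match is not merged with the x/net group despite sharing the GO ID.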
Bug Fixes
- only emit records for stdlib [PR #3527 @willmurphyscode]
- mark hummingbird distro as rolling [PR #3521 @willmurphyscode]
- disable go stdlib CPE matching by default [PR #3517 @willmurphyscode]
- merge in custom ranges when applicable [PR #3514 @willmurphyscode]
- exclude linux-kbuild deb indirect matches by default [PR #3506 @westonsteimel]
- avoid panic on invalid RHEL version IDs [PR #3490 @jspilman]
- Support reading CycloneDX 1.7 SBOMs [Issue #3373]
- Grype cannot read mariadb version correctly [Issue #3452]
- grype hangs when downloading certain images using registry client [Issue #3492]
- Can we get a fix for these Critical findings reported for grype [Issue #3484]
Additional Changes
- Security: bump golang.org/x/crypto to v0.52.0 to resolve multiple CVEs [Issue #3493]
- Security: bump golang.org/x/net to v0.55.0 to resolve CVEs [Issue #3494]
Dependencies
35 dependency changes (31 updated, 3 added, 1 removed). 5 vulnerabilities remediated.
🟢 Remediated (5)
- GHSA-33vj-92qq-66hc (High) — github.com/containerd/containerd/v2
- GHSA-cvxm-645q-p574 (Medium) — github.com/containerd/containerd/v2
- GHSA-jpcc-p29g-p8mq (Medium) — github.com/containerd/containerd/v2
- GHSA-rgh6-rfwx-v388 (High) — github.com/containerd/containerd/v2
- GHSA-xhf5-7wjv-pqxp (High) — github.com/containerd/containerd/v2
Updated (31 packages)
- github.com/ProtonMail/go-crypto v1.4.0→v1.4.1
- github.com/anchore/bubbly v0.2.0→v0.2.1
- github.com/anchore/clio v0.1.0→v0.1.1
- github.com/anchore/fangs v0.1.0→v0.1.1
- github.com/anchore/go-collections v0.1.0→v0.1.1
- github.com/anchore/go-homedir v0.1.0→v0.1.1
- github.com/anchore/go-logger v0.1.0→v0.1.1
- github.com/anchore/go-lzo v0.1.0→v0.1.1
- github.com/anchore/go-macholibre v0.1.0→v0.1.1
- github.com/anchore/go-make v0.5.0→v0.8.0
- github.com/anchore/go-struct-converter v0.1.0→v0.2.0-rc2
- github.com/anchore/go-sync v0.1.0→v0.1.1
- github.com/anchore/stereoscope v0.2.1→v0.2.2
- github.com/anchore/syft v1.45.1→v1.46.0
- github.com/charmbracelet/colorprofile v0.4.1→v0.4.3
- github.com/clipperhouse/displaywidth v0.10.0→v0.11.0
- github.com/clipperhouse/uax29/v2 v2.6.0→v2.7.0
- github.com/containerd/containerd/v2 v2.3.1→v2.3.2 (🟢 remediated GHSA-33vj-92qq-66hc, GHSA-cvxm-645q-p574, GHSA-jpcc-p29g-p8mq, GHSA-rgh6-rfwx-v388, GHSA-xhf5-7wjv-pqxp)
- github.com/docker/cli v29.4.3+incompatible→v29.5.3+incompatible
- github.com/google/go-containerregistry v0.21.6→v0.21.7
- github.com/mattn/go-runewidth v0.0.19→v0.0.21
- github.com/spdx/tools-golang v0.5.7→v0.6.0-rc4
- github.com/sylabs/sif/v2 v2.24.0→v2.24.1
- golang.org/x/crypto v0.52.0→v0.53.0
- golang.org/x/mod v0.36.0→v0.37.0
- golang.org/x/net v0.55.0→v0.56.0
- golang.org/x/sync v0.20.0→v0.21.0
- golang.org/x/sys v0.45.0→v0.46.0
- golang.org/x/term v0.43.0→v0.44.0
- golang.org/x/text v0.37.0→v0.38.0
- golang.org/x/tools v0.45.0→v0.46.0
Added (3 packages)
- github.com/piprate/json-gold v0.7.0
- github.com/pquerna/cachecontrol v0.0.0-1555304
- github.com/tailscale/hujson v0.0.0-ecc657c
Removed (1 package)
- github.com/google/osv-scanner v1.9.2