Added Features
- Add cataloger for Dart pubspec [#3292 @LaurentGoderre]
- Translate Portage license strings to SPDX expressions [#1763 @wagoodman]
- Use package ID from decoded SBOMs when provided [#1872 @jneate]
- Annotate visible/hidden paths when all-layers scope [#3855 @wagoodman]
- Add support for PHP Pear [#2775 @LaurentGoderre]
- Detect whether full license text or a license name has been provided [#3088 #3876 @spiffcs #3450 @spiffcs]
- Add Cataloger for Homebrew on macOS [#3632 #3724 @rezmoss]
- Provide a way to get the LayerID the package was first found in [#435 #3858 @wagoodman #3138 @tomersein]
- Go binaries that currently get
(devel)as the version should instead stubUNKNOWNbased on the compliance policy [#3324 #3873 @wagoodman] - Upgrade base Docker image to gcr.io/distroless/static-debian12 [#3840 #3862 @bgoareguer]
- Return full license string instead of SHA256 hash when license string exceeds 64 characters [#3780 #3844 @spiffcs]
- Detect nix dependencies [#3814 #3837 @wagoodman]
Bug Fixes
- update license sort to be stable with contents field [#3860 @spiffcs]
- Improve detection of erlang binary in alpine Linux [#3839 @avodotiiets]
- Do not search for main module versions within binary contents by default [#3874 @wagoodman]
- dpkg license improvement for non SPDX licenses [#3090 #3888 @spiffcs]
- CycloneDX group field not symmetrically handled by encoder/decoders [#2981 #3853 @kzantow]
- Syft crash [signal SIGSEGV: segmentation violation code=0x80 addr=0x0 pc=0x123a0da] [#3872 #3875 @wagoodman]
- Syft 1.23.1 shows version (devel) for grafana 12.0.0 [#3864]
- .NET cataloger does not always pair up PE binaries and deps.json packages, resulting in duplicate packages on some runs [#3866 #3869 @wagoodman]
- Propagate error in FileSourceProvider instead of warn log [#3831 #3845 @Rupikz]
- Update github.com/Masterminds/semver package [#3829 #3836 @popey]
- go-module-file-cataloger fails if symlinks in path [#3614 #3783 @VictorHuu]
- Support fluent-bit some versions of arm/s390x images [#3793 #3817 @VictorHuu]