v0.112.0

Added Features

• Expand ignore rules to owned sub packages of distro packages [#3368 #3326 @kzantow]

Additional Changes

• update anchore dependencies [#3391 @anchore-oss-update-bot]

(Full Changelog)

v0.111.1

Bug Fixes

• apply overlap by ownership removal to dynamically created relationships [#3363 @kzantow]
• compare mismatched package / db versions [#3372 @kzantow]
• Grype doesn't recognize debian component when "group" : "debian" is specified [#2967]
• HelpURI missing information in SARIF output [#2874 #3351 @will-bates11]

(Full Changelog)

v0.111.0

Added Features

• db diff for v6 [#3277 @kzantow]
• add ProvideFromReader for in-memory SBOM processing [#3344 @jspilman]
• match on hummingbird [#3331 @willmurphyscode]
• CSAF vex transformer [#3349 @willmurphyscode]
• curated mapping of known CPE to grype package specifiers [#3332 @westonsteimel]
• templates/html.tmpl - Add Grype version and vulnerability DB version [#2877 #3345 @kenvez]

Bug Fixes

• normalise version constraint types in v6 db [#3328 @westonsteimel]
• set alpm ecosystem for Arch Linux packages [#3324 @westonsteimel]
• spec-compliant CPE string formatting for db search commands [#3308 @westonsteimel]
• Update APK NAK handling to be based on ownership-by-file-overlap relationship [#3267 #3286 @kzantow]
• Wrong version output [#3306]

Additional Changes

• update anchore dependencies [#3321 @anchore-oss-update-bot]
• update tool versions [#3319 @anchore-oss-update-bot]

(Full Changelog)

v0.110.0

Added Features

• suppress GHSA matches on language packages in fixed APKs [#3282 @willmurphyscode]

Bug Fixes

• use Syft for decoding CPEs [#3058 @chovanecadam]

Additional Changes

• bump github.com/buger/jsonparser to v1.1.2 [#3297 @willmurphyscode]
• update quality gate labels [#3293 @westonsteimel]

(Full Changelog)

v0.109.1

Bug Fixes

• CVE-2025-12183 is not detected even if vulnerable jar is present [#3205]

Additional Changes

• migrate fixtures to testdata [#3263 @wagoodman]

(Full Changelog)

v0.109.0

Added Features

• Strip v prefix from apk versions [#3239 @wagoodman]

Bug Fixes

• missing EPSS/KEV should not be fatal error [#3224 @willmurphyscode]

Additional Changes

• update build flag to use provenance=false [#3243 @spiffcs]
• update to check-latest golang for ci [#3238 @spiffcs]
• enable fedora OS transformer [#3232 @willmurphyscode]
• Port grype-db lib to grype [#3149 @wagoodman]

(Full Changelog)

v0.108.0

Added Features

• enable disabling EOL warnings [#3204 @willmurphyscode]

Bug Fixes

• fix fallback on major only distro [#3213 @willmurphyscode]
• VEX Documents still not working with syft sbom [#3167]
• VEX: minimal OpenVEX Example not working [#3212]

Additional Changes

• support more accurate scanning for postmarketos [#3182 @westonsteimel]
• charmbracelet/bubbletea erases grype ui status line [#3214 @spiffcs]
• bump labels and add several test images [#3215 @westonsteimel]
• improve VEX product and subcomponent matching [#3168 @dariozachow]

(Full Changelog)

v0.107.1

Additional Changes

• support context cancellation while finding vuln matches [#3200 @luhring]

(Full Changelog)

v0.107.0

Added Features

• Add secureos distro [#3086 @divolgin]
• add hex matcher for Erlang/Elixir ecosystem [#3194 @willmurphyscode]

Bug Fixes

• disable version fallback in EOL query [#3195 @willmurphyscode]
• VEX documents with docker.io registry reference not matching, require index.docker.io instead [#2818 #3172 @jainlakshya]

(Full Changelog)

v0.106.0

Added Features

• warn about packages from EOL distros [#3171 @willmurphyscode]
• make it configurable what grype assumes when incoming package to grype is missing dpkg/RPM epoch [#2964 #2976 @willmurphyscode]

Bug Fixes

• RHEL EUS: --only-fixed should filter out matches are not fixed in the current EUS version [#2847 #3181 @willmurphyscode]

Additional Changes

• support scientific linux [#3175 @westonsteimel]

(Full Changelog)