Releases: anchore/grype
v0.114.0
Immutable release. Only release title and notes can be modified.
Added Features
- Add ability to scan zarf packages [#3329 #3366 @brandtkeller]
Additional Changes
- respect withdrawn status of Go Vuln DB OSV records [#3495 @willmurphyscode]
- Govulndb OSV transformer [#3485 @willmurphyscode]
v0.113.0
Added Features
- Include Ubuntu 26.04 "resolute" in distro codenames [#3397 @anchore-oss-update-bot]
- source RPM filtering on Hummingbird [#3410 @willmurphyscode]
Bug Fixes
- use relatedVulnerabilities description as fallback in SARIF output [#3271 @axidex]
- improve platform CPE determination logic [#3470 @westonsteimel]
- normalize uppercase V in semantic version comparison [#3461 @immanuwell]
- purl handling in cgr maven libs [#3420 @willmurphyscode]
- Treat uppercase V prefixes the same as lowercase v prefixes in fuzzy version comparison [#3037 #3089 @wasup-yash]
- Add Runtime Warnings When TLS Verification Is Disabled or HTTP Is Enabled [#3101 #3396 @Dashtid]
- Add support for the aarch64 architecture when parsing the version of Ruby gems in lockfiles [#3442 #3475 @msnandhis]
- zsh completion fails [#2933 #3433 @brandtkeller]
v0.112.0
v0.111.1
Bug Fixes
- apply overlap by ownership removal to dynamically created relationships [#3363 @kzantow]
- compare mismatched package / db versions [#3372 @kzantow]
- Grype doesn't recognize debian component when "group" : "debian" is specified [#2967]
- HelpURI missing information in SARIF output [#2874 #3351 @will-bates11]
v0.111.0
Added Features
- db diff for v6 [#3277 @kzantow]
- add ProvideFromReader for in-memory SBOM processing [#3344 @jspilman]
- match on hummingbird [#3331 @willmurphyscode]
- CSAF vex transformer [#3349 @willmurphyscode]
- curated mapping of known CPE to grype package specifiers [#3332 @westonsteimel]
- templates/html.tmpl - Add Grype version and vulnerability DB version [#2877 #3345 @kenvez]
Bug Fixes
- normalise version constraint types in v6 db [#3328 @westonsteimel]
- set alpm ecosystem for Arch Linux packages [#3324 @westonsteimel]
- spec-compliant CPE string formatting for db search commands [#3308 @westonsteimel]
- Update APK NAK handling to be based on ownership-by-file-overlap relationship [#3267 #3286 @kzantow]
- Wrong version output [#3306]
Additional Changes
- update anchore dependencies [#3321 @anchore-oss-update-bot]
- update tool versions [#3319 @anchore-oss-update-bot]
v0.110.0
Added Features
- suppress GHSA matches on language packages in fixed APKs [#3282 @willmurphyscode]
Bug Fixes
- use Syft for decoding CPEs [#3058 @chovanecadam]
Additional Changes
- bump github.com/buger/jsonparser to v1.1.2 [#3297 @willmurphyscode]
- update quality gate labels [#3293 @westonsteimel]
v0.109.1
Bug Fixes
- CVE-2025-12183 is not detected even if vulnerable jar is present [#3205]
Additional Changes
- migrate fixtures to testdata [#3263 @wagoodman]
v0.109.0
Added Features
- Strip v prefix from apk versions [#3239 @wagoodman]
Bug Fixes
- missing EPSS/KEV should not be fatal error [#3224 @willmurphyscode]
Additional Changes
- update build flag to use provenance=false [#3243 @spiffcs]
- update to check-latest golang for ci [#3238 @spiffcs]
- enable fedora OS transformer [#3232 @willmurphyscode]
- Port grype-db lib to grype [#3149 @wagoodman]
v0.108.0
Added Features
- enable disabling EOL warnings [#3204 @willmurphyscode]
Bug Fixes
- fix fallback on major only distro [#3213 @willmurphyscode]
- VEX Documents still not working with syft sbom [#3167]
- VEX: minimal OpenVEX Example not working [#3212]
Additional Changes
- support more accurate scanning for postmarketos [#3182 @westonsteimel]
- charmbracelet/bubbletea erases grype ui status line [#3214 @spiffcs]
- bump labels and add several test images [#3215 @westonsteimel]
- improve VEX product and subcomponent matching [#3168 @dariozachow]
v0.107.1