Available on winget

Install Syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems

Install with winget
winget install --id Anchore.Syft
Upgrade
winget upgrade --id Anchore.Syft
Uninstall
winget uninstall --id Anchore.Syft

About Syft

Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.

What's new in 1.44.0

Added Features
- Add support for linux-riscv64 [#4757 @luhenry]

Bug Fixes
- Yarn lockfile cataloguing does not handle aliases [#4833 #4836 @cyphercodes]
- Some snippet files are saved in the previous test directory [#4829 #4830 @witchcraze]
- empty rockspec causes index out of range [#4824 #4827 @aki1770-del]
- PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#4813 #4814 @rezmoss]
- Syft safeCopy silently swallows archive decompression errors [#4806 #4807 @SAY-5]

(Full Changelog)

Version history

Version Updated Notes
1.44.0 Unknown Added Features - Add support for linux-riscv64 [#4757 @luhenry] Bug Fixes - Yarn lockfile cataloguing does not handle aliases [#4833 #4836 @cyphercodes] - Some snippet files are saved in the previous test directory [#482...
1.43.0 Unknown Added Features - added deno bin classifiers [#4677 @rezmoss] - Support haskell old versions [#3237 #4793 @witchcraze] - Add support for OpenLDAP binary detection [#4768 #4755 @nadimz] - Support erlang old versions [#3235...
1.42.4 Unknown Bug Fixes - Similar Packages Should Be Aggregated [#1162] - Support arangodb binary recent version [#4571 #4662 @witchcraze] - Support go binary various versions [#4687 #4694 @kzantow] Additional Changes - update CPE dic...
1.42.3 Unknown Bug Fixes - Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image [#4652] Additional Changes - bump github.com/buger/jsonparser to v1.1.2 [#4680 @willmurphyscode] - central...
1.42.2 Unknown Bug Fixes - [BUG] Incorrect Maven PURL generation: Automatic-Module-Name should not be used as Maven groupId [#4611 #4642 @xnox] - Checksum is 0 for spdx files [#2307 #4620 @ppalucha] - Support grafana binary various ver...
1.42.1 Unknown Bug Fixes - Use redhat as namespace for hummingbird rpms [#4615 @scoheb] - False Positive: Emacs snap package version CVE-2024-39331 [#4485] Additional Changes - call cleanup on tmpfile and replace some io.ReadAlls with...
1.42.0 Unknown Added Features - Add support for scanning GGUF models from OCI registries [#4335 @spiffcs] - yarn lockfile scan doesnt catch dev dependencies [#4548 #4549 @rezmoss] Additional Changes - CPE detection for APK libavif to u...
1.41.2 Unknown Bug Fixes - further improve go binary classifier, including windows [#4593 @kzantow] - Wrong format in license [#4233 #4588 @spiffcs] - Cannot detect installation of Qt6 [#4467 #4550 @rezmoss] - bug: Syft mis-identifies...
1.41.1 Unknown Bug Fixes - [Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft [#4562 #4573 @spiffcs] (Full Changelog)
1.41.0 Unknown Added Features - detect Debian version from /etc/debian_version [#4569 @kzantow] Bug Fixes - correctly report supporting evidence for binary packages [#4558 @kzantow] (Full Changelog)
1.40.1 Unknown Important This release bumps github.com/containerd/containerd to v2, which will cause compiler errors if used alongside other dependencies that use v1 of containerd. See anchore/stereoscope#495 for a detailed discussion....
1.40.0 Unknown Added Features - Exclude development or test dependencies for PNPM Package type [#4430 #4487 @rezmoss] - Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @witchcraze] - Catalog envoy binary [#4506 #4530 @...
1.39.0 Unknown Added Features - add support for Gemfile.next.lock [#4457 @HatiCode] - Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @wagoodman] - Support reading lzma compressed...
1.38.2 Unknown Bug Fixes - drop cpe from gguf [#4383 @spiffcs] - emit lua rockspec dependencies in metadata [#4376 @willmurphyscode] - Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @VictorHuu] - Incorrect CPE...
1.38.0 Unknown Added Features - add support for cataloging GGUF models [#4184 #4279 @spiffcs] - Support scanning a list of CPEs [#3890 #4207 @chovanecadam] - Syft does not detect Elixir binary on system [#4333 #4334 @rezmoss] Bug Fixes...
1.37.0 Unknown Added Features - Refactor fileresolver to not require base path [#4298 @Rupikz] - Describe cataloger capabilities via test observations [#4318 @wagoodman] - Support Java resource adapter extension .far as a Java archive...
1.36.0 Unknown Added Features - Add the ability to fetch remote licenses for pnpm-lock.yaml files [#4286 @timols] - support universal (fat) mach-o binary files [#4278 @JoeyShapiro] - pdm support [#2709 #4234 @paulslaby] Bug Fixes - Rem...
1.34.2 Unknown Bug Fixes - Extract zip archive with multiple entries [#4283 @Rupikz] - panic while resolving maven properties in archive parser [#4288 #4290 @kzantow] (Full Changelog)
1.34.1 Unknown Added Features - enhance setup.py parser to handle unquoted dependencies [#4255 @HalaAli198] - Add support for identifying ffmpeg/libav libraries [#4227 @popey] - PNPM latest lockfile (version 9.0) [#3927 #4256 @bernardo...
1.33.0 Unknown Added Features - Modify RpmDBEntry to include modularityLabel for cyclonedx [#4212 @sfc-gh-rmaj] - Add locations onto packages read from Java native image SBOMs [#4186 @rudsberg] (Full Changelog)