{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "SCA Tools Feed - Grype",
  "feed_url": "https://tmyymmt.github.io/sca-tools-feed/feeds/grype.json",
  "items": [
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.115.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.115.0",
      "title": "[Grype] v0.115.0",
      "content_text": "### Added Features\n\n- emit golang.org/x/net vulns from govlundb [PR [#3534](https://github.com/anchore/grype/pull/3534) @willmurphyscode]\n- Merge Go vuln matches with GHSA matches [Issue [#3515](https://github.com/anchore/grype/issues/3515)]\n\n### Bug Fixes\n\n- only emit records for stdlib [PR [#3527](https://github.com/anchore/grype/pull/3527) @willmurphyscode]\n- mark hummingbird distro as rolling [PR [#3521](https://github.com/anchore/grype/pull/3521) @willmurphyscode]\n- disable go stdlib CPE matching by default [PR [#3517](https://github.com/anchore/grype/pull/3517) @willmurphyscode]\n- merge in custom ranges when applicable [PR [#3514](https://github.com/anchore/grype/pull/3514) @willmurphyscode]\n- exclude linux-kbuild deb indirect matches by default [PR [#3506](https://github.com/anchore/grype/pull/3506) @westonsteimel]\n- avoid panic on invalid RHEL version IDs [PR [#3490](https://github.com/anchore/grype/pull/3490) @jspilman]\n- Support reading CycloneDX 1.7 SBOMs [Issue [#3373](https://github.com/anchore/grype/issues/3373)]\n- Grype cannot read mariadb version correctly [Issue [#3452](https://github.com/anchore/grype/issues/3452)]\n- grype hangs when downloading certain images using registry client [Issue [#3492](https://github.com/anchore/grype/issues/3492)]\n- Can we get a fix for these Critical findings reported for grype [Issue [#3484](https://github.com/anchore/grype/issues/3484)]\n\n### Additional Changes\n\n- Security: bump golang.org/x/crypto to v0.52.0 to resolve multiple CVEs [Issue [#3493](https://github.com/anchore/grype/issues/3493)]\n- Security: bump golang.org/x/net to v0.55.0 to resolve CVEs [Issue [#3494](https://github.com/anchore/grype/issues/3494)]\n\n### Dependencies\n\n35 dependency changes (31 updated, 3 added, 1 removed). 5 vulnerabilities remediated.\n\n**🟢 Remediated (5)**\n\n- [GHSA-33vj-92qq-66hc](https://github.com/advisories/GHSA-33vj-92qq-66hc) (High) — github.com/containerd/containerd/v2\n- [GHSA-cvxm-645q-p574](https://github.com/advisories/GHSA-cvxm-645q-p574) (Medium) — github.com/containerd/containerd/v2\n- [GHSA-jpcc-p29g-p8mq](https://github.com/advisories/GHSA-jpcc-p29g-p8mq) (Medium) — github.com/containerd/containerd/v2\n- [GHSA-rgh6-rfwx-v388](https://github.com/advisories/GHSA-rgh6-rfwx-v388) (High) — github.com/containerd/containerd/v2\n- [GHSA-xhf5-7wjv-pqxp](https://github.com/advisories/GHSA-xhf5-7wjv-pqxp) (High) — github.com/containerd/containerd/v2\n\n<details>\n<summary>Updated (31 packages)</summary>\n\n- github.com/ProtonMail/go-crypto `v1.4.0` → `v1.4.1`\n- github.com/anchore/bubbly `v0.2.0` → `v0.2.1`\n- github.com/anchore/clio `v0.1.0` → `v0.1.1`\n- github.com/anchore/fangs `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-collections `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-homedir `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-logger `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-lzo `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-macholibre `v0.1.0` → `v0.1.1`\n- github.com/anchore/go-make `v0.5.0` → `v0.8.0`\n- github.com/anchore/go-struct-converter `v0.1.0` → `v0.2.0-rc2`\n- github.com/anchore/go-sync `v0.1.0` → `v0.1.1`\n- github.com/anchore/stereoscope `v0.2.1` → `v0.2.2`\n- github.com/anchore/syft `v1.45.1` → `v1.46.0`\n- github.com/charmbracelet/colorprofile `v0.4.1` → `v0.4.3`\n- github.com/clipperhouse/displaywidth `v0.10.0` → `v0.11.0`\n- github.com/clipperhouse/uax29/v2 `v2.6.0` → `v2.7.0`\n- github.com/containerd/containerd/v2 `v2.3.1` → `v2.3.2` **(🟢 remediated [GHSA-33vj-92qq-66hc](https://github.com/advisories/GHSA-33vj-92qq-66hc), [GHSA-cvxm-645q-p574](https://github.com/advisories/GHSA-cvxm-645q-p574), [GHSA-jpcc-p29g-p8mq](https://github.com/advisories/GHSA-jpcc-p29g-p8mq), [GHSA-rgh6-rfwx-v388](https://github.com/advisories/GHSA-rgh6-rfwx-v388), [GHSA-xhf5-7wjv-pqxp](https://github.com/advisories/GHSA-xhf5-7wjv-pqxp))**\n- github.com/docker/cli `v29.4.3+incompatible` → `v29.5.3+incompatible`\n- github.com/google/go-containerregistry `v0.21.6` → `v0.21.7`\n- github.com/mattn/go-runewidth `v0.0.19` → `v0.0.21`\n- github.com/spdx/tools-golang `v0.5.7` → `v0.6.0-rc4`\n- github.com/sylabs/sif/v2 `v2.24.0` → `v2.24.1`\n- golang.org/x/crypto `v0.52.0` → `v0.53.0`\n- golang.org/x/mod `v0.36.0` → `v0.37.0`\n- golang.org/x/net `v0.55.0` → `v0.56.0`\n- golang.org/x/sync `v0.20.0` → `v0.21.0`\n- golang.org/x/sys `v0.45.0` → `v0.46.0`\n- golang.org/x/term `v0.43.0` → `v0.44.0`\n- golang.org/x/text `v0.37.0` → `v0.38.0`\n- golang.org/x/tools `v0.45.0` → `v0.46.0`\n</details>\n\n<details>\n<summary>Added (3 packages)</summary>\n\n- github.com/piprate/json-gold `v0.7.0`\n- github.com/pquerna/cachecontrol `v0.0.0-1555304`\n- github.com/tailscale/hujson `v0.0.0-ecc657c`\n</details>\n\n<details>\n<summary>Removed (1 package)</summary>\n\n- github.com/google/osv-scanner `v1.9.2`\n</details>\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.114.0...v0.115.0)**\n\n",
      "date_published": "2026-06-26T11:42:04Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.115.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.114.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.114.0",
      "title": "[Grype] v0.114.0",
      "content_text": "### Added Features\n\n- Add ability to scan zarf packages [[#3329](https://github.com/anchore/grype/issues/3329) [#3366](https://github.com/anchore/grype/pull/3366) @brandtkeller]\n\n### Additional Changes\n\n- respect withdrawn status of Go Vuln DB OSV records [[#3495](https://github.com/anchore/grype/pull/3495) @willmurphyscode]\n- Govulndb OSV transformer [[#3485](https://github.com/anchore/grype/pull/3485) @willmurphyscode]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.113.0...v0.114.0)**\n\n",
      "date_published": "2026-06-05T16:17:05Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.114.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.113.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.113.0",
      "title": "[Grype] v0.113.0",
      "content_text": "### Added Features\n\n- Include Ubuntu 26.04 \"resolute\" in distro codenames [[#3397](https://github.com/anchore/grype/pull/3397) @anchore-oss-update-bot]\n- source RPM filtering on Hummingbird [[#3410](https://github.com/anchore/grype/pull/3410) @willmurphyscode]\n\n### Bug Fixes\n\n- use relatedVulnerabilities description as fallback in SARIF output [[#3271](https://github.com/anchore/grype/pull/3271) @axidex]\n- improve platform CPE determination logic [[#3470](https://github.com/anchore/grype/pull/3470) @westonsteimel]\n- normalize uppercase V in semantic version comparison [[#3461](https://github.com/anchore/grype/pull/3461) @immanuwell]\n- purl handling in cgr maven libs [[#3420](https://github.com/anchore/grype/pull/3420) @willmurphyscode]\n- Treat uppercase V prefixes the same as lowercase v prefixes in fuzzy version comparison [[#3037](https://github.com/anchore/grype/issues/3037) [#3089](https://github.com/anchore/grype/pull/3089) @wasup-yash]\n- Add Runtime Warnings When TLS Verification Is Disabled or HTTP Is Enabled [[#3101](https://github.com/anchore/grype/issues/3101) [#3396](https://github.com/anchore/grype/pull/3396) @Dashtid]\n- Add support for the aarch64 architecture when parsing the version of Ruby gems in lockfiles [[#3442](https://github.com/anchore/grype/issues/3442) [#3475](https://github.com/anchore/grype/pull/3475) @msnandhis]\n- zsh completion fails [[#2933](https://github.com/anchore/grype/issues/2933) [#3433](https://github.com/anchore/grype/pull/3433) @brandtkeller]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.112.0...v0.113.0)**\n\n",
      "date_published": "2026-06-03T14:19:21Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.113.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.112.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.112.0",
      "title": "[Grype] v0.112.0",
      "content_text": "### Added Features\n\n- Expand ignore rules to owned sub packages of distro packages [[#3368](https://github.com/anchore/grype/issues/3368) [#3326](https://github.com/anchore/grype/pull/3326) @kzantow]\n\n### Additional Changes\n\n- update anchore dependencies [[#3391](https://github.com/anchore/grype/pull/3391) @anchore-oss-update-bot]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.111.1...v0.112.0)**\n\n",
      "date_published": "2026-05-01T19:12:37Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.112.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.111.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.111.1",
      "title": "[Grype] v0.111.1",
      "content_text": "### Bug Fixes\n\n- apply overlap by ownership removal to dynamically created relationships [[#3363](https://github.com/anchore/grype/pull/3363) @kzantow]\n- compare mismatched package / db versions [[#3372](https://github.com/anchore/grype/pull/3372) @kzantow]\n- Grype doesn't recognize debian component when `\"group\" : \"debian\"` is specified [[#2967](https://github.com/anchore/grype/issues/2967)]\n- HelpURI missing information in SARIF output [[#2874](https://github.com/anchore/grype/issues/2874) [#3351](https://github.com/anchore/grype/pull/3351) @will-bates11]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.111.0...v0.111.1)**\n\n",
      "date_published": "2026-04-22T17:31:58Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.111.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.111.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.111.0",
      "title": "[Grype] v0.111.0",
      "content_text": "### Added Features\n\n- db diff for v6 [[#3277](https://github.com/anchore/grype/pull/3277) @kzantow]\n- add ProvideFromReader for in-memory SBOM processing [[#3344](https://github.com/anchore/grype/pull/3344) @jspilman]\n- match on hummingbird [[#3331](https://github.com/anchore/grype/pull/3331) @willmurphyscode]\n- CSAF vex transformer [[#3349](https://github.com/anchore/grype/pull/3349) @willmurphyscode]\n- curated mapping of known CPE to grype package specifiers [[#3332](https://github.com/anchore/grype/pull/3332) @westonsteimel]\n- templates/html.tmpl - Add Grype version and vulnerability DB version [[#2877](https://github.com/anchore/grype/issues/2877) [#3345](https://github.com/anchore/grype/pull/3345) @kenvez]\n\n### Bug Fixes\n\n- normalise version constraint types in v6 db [[#3328](https://github.com/anchore/grype/pull/3328) @westonsteimel]\n- set alpm ecosystem for Arch Linux packages [[#3324](https://github.com/anchore/grype/pull/3324) @westonsteimel]\n- spec-compliant CPE string formatting for db search commands [[#3308](https://github.com/anchore/grype/pull/3308) @westonsteimel]\n- Update APK NAK handling to be based on ownership-by-file-overlap relationship [[#3267](https://github.com/anchore/grype/issues/3267) [#3286](https://github.com/anchore/grype/pull/3286) @kzantow]\n- Wrong version output [[#3306](https://github.com/anchore/grype/issues/3306)]\n\n### Additional Changes\n\n- update anchore dependencies [[#3321](https://github.com/anchore/grype/pull/3321) @anchore-oss-update-bot]\n- update tool versions [[#3319](https://github.com/anchore/grype/pull/3319) @anchore-oss-update-bot]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.110.0...v0.111.0)**\n\n",
      "date_published": "2026-04-09T13:29:25Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.111.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.110.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.110.0",
      "title": "[Grype] v0.110.0",
      "content_text": "### Added Features\n\n- suppress GHSA matches on language packages in fixed APKs [[#3282](https://github.com/anchore/grype/pull/3282) @willmurphyscode]\n\n### Bug Fixes\n\n- use Syft for decoding CPEs [[#3058](https://github.com/anchore/grype/pull/3058) @chovanecadam]\n\n### Additional Changes\n\n- bump github.com/buger/jsonparser to v1.1.2 [[#3297](https://github.com/anchore/grype/pull/3297) @willmurphyscode]\n- update quality gate labels [[#3293](https://github.com/anchore/grype/pull/3293) @westonsteimel]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.109.1...v0.110.0)**\n\n",
      "date_published": "2026-03-19T18:16:47Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.110.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.109.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.109.1",
      "title": "[Grype] v0.109.1",
      "content_text": "### Bug Fixes\n\n- CVE-2025-12183 is not detected even if vulnerable jar is present [[#3205](https://github.com/anchore/grype/issues/3205)]\n\n### Additional Changes\n\n- migrate fixtures to testdata [[#3263](https://github.com/anchore/grype/pull/3263) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.109.0...v0.109.1)**\n\n",
      "date_published": "2026-03-09T19:50:07Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.109.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.109.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.109.0",
      "title": "[Grype] v0.109.0",
      "content_text": "### Added Features\n\n- Strip v prefix from apk versions [[#3239](https://github.com/anchore/grype/pull/3239) @wagoodman]\n\n### Bug Fixes\n\n- missing EPSS/KEV should not be fatal error [[#3224](https://github.com/anchore/grype/pull/3224) @willmurphyscode]\n\n### Additional Changes\n\n- update build flag to use provenance=false [[#3243](https://github.com/anchore/grype/pull/3243) @spiffcs]\n- update to check-latest golang for ci [[#3238](https://github.com/anchore/grype/pull/3238) @spiffcs]\n- enable fedora OS transformer [[#3232](https://github.com/anchore/grype/pull/3232) @willmurphyscode]\n- Port grype-db lib to grype [[#3149](https://github.com/anchore/grype/pull/3149) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.108.0...v0.109.0)**\n\n",
      "date_published": "2026-02-19T16:38:10Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.109.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.108.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.108.0",
      "title": "[Grype] v0.108.0",
      "content_text": "### Added Features\n\n- enable disabling EOL warnings [[#3204](https://github.com/anchore/grype/pull/3204) @willmurphyscode]\n\n### Bug Fixes\n\n- fix fallback on major only distro [[#3213](https://github.com/anchore/grype/pull/3213) @willmurphyscode]\n- VEX Documents still not working with syft sbom [[#3167](https://github.com/anchore/grype/issues/3167)]\n- VEX: minimal OpenVEX Example not working [[#3212](https://github.com/anchore/grype/issues/3212)]\n\n### Additional Changes\n\n- support more accurate scanning for postmarketos [[#3182](https://github.com/anchore/grype/pull/3182) @westonsteimel]\n- charmbracelet/bubbletea erases grype ui status line [[#3214](https://github.com/anchore/grype/pull/3214) @spiffcs]\n- bump labels and add several test images [[#3215](https://github.com/anchore/grype/pull/3215) @westonsteimel]\n- improve VEX product and subcomponent matching [[#3168](https://github.com/anchore/grype/pull/3168) @dariozachow]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.107.1...v0.108.0)**\n\n",
      "date_published": "2026-02-10T18:49:12Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.108.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.107.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.107.1",
      "title": "[Grype] v0.107.1",
      "content_text": "### Additional Changes\n\n- support context cancellation while finding vuln matches [[#3200](https://github.com/anchore/grype/pull/3200) @luhring]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.107.0...v0.107.1)**\n\n",
      "date_published": "2026-02-03T19:24:39Z",
      "tags": [
        "other"
      ],
      "_tool_id": "grype",
      "_version": "v0.107.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.107.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.107.0",
      "title": "[Grype] v0.107.0",
      "content_text": "### Added Features\n\n- Add secureos distro [[#3086](https://github.com/anchore/grype/pull/3086) @divolgin]\n- add hex matcher for Erlang/Elixir ecosystem [[#3194](https://github.com/anchore/grype/pull/3194) @willmurphyscode]\n\n### Bug Fixes\n\n- disable version fallback in EOL query [[#3195](https://github.com/anchore/grype/pull/3195) @willmurphyscode]\n- VEX documents with docker.io registry reference not matching, require index.docker.io instead [[#2818](https://github.com/anchore/grype/issues/2818) [#3172](https://github.com/anchore/grype/pull/3172) @jainlakshya]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.106.0...v0.107.0)**\n\n",
      "date_published": "2026-01-29T22:24:48Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.107.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.106.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.106.0",
      "title": "[Grype] v0.106.0",
      "content_text": "### Added Features\n\n- warn about packages from EOL distros [[#3171](https://github.com/anchore/grype/pull/3171) @willmurphyscode]\n- make it configurable what grype assumes when incoming package to grype is missing dpkg/RPM epoch [[#2964](https://github.com/anchore/grype/issues/2964) [#2976](https://github.com/anchore/grype/pull/2976) @willmurphyscode]\n\n### Bug Fixes\n\n- RHEL EUS: `--only-fixed` should filter out matches are not fixed in the current EUS version [[#2847](https://github.com/anchore/grype/issues/2847) [#3181](https://github.com/anchore/grype/pull/3181) @willmurphyscode]\n\n### Additional Changes\n\n- support scientific linux [[#3175](https://github.com/anchore/grype/pull/3175) @westonsteimel]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.105.0...v0.106.0)**\n\n",
      "date_published": "2026-01-27T14:08:53Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.106.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.105.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.105.0",
      "title": "[Grype] v0.105.0",
      "content_text": "### Added Features\n\n- Add archlinux matcher to grype [[#3154](https://github.com/anchore/grype/pull/3154) @willmurphyscode]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.104.4...v0.105.0)**\n\n",
      "date_published": "2026-01-15T23:07:39Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.105.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.104.4",
      "url": "https://github.com/anchore/grype/releases/tag/v0.104.4",
      "title": "[Grype] v0.104.4",
      "content_text": "### Bug Fixes\n\n- preserve local version segment in constraints for PEP 440 comparison [[#3146](https://github.com/anchore/grype/pull/3146) @willmurphyscode]\n\n### Additional Changes\n\n- correct help text for return code for fail-on severity option [[#3138](https://github.com/anchore/grype/pull/3138) @u-ways]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.104.3...v0.104.4)**\n\n",
      "date_published": "2026-01-08T13:58:30Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.104.4"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.104.3",
      "url": "https://github.com/anchore/grype/releases/tag/v0.104.3",
      "title": "[Grype] v0.104.3",
      "content_text": "### Bug Fixes\n\n- Use specifier matching rules when comparing python versions [[#3121](https://github.com/anchore/grype/pull/3121) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.104.2...v0.104.3)**\n\n",
      "date_published": "2025-12-22T23:16:53Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.104.3"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.104.2",
      "url": "https://github.com/anchore/grype/releases/tag/v0.104.2",
      "title": "[Grype] v0.104.2",
      "content_text": "### Bug Fixes\n\n- Since version 0.104.0 shaded jars are not reported [[#3098](https://github.com/anchore/grype/issues/3098)]\n- db search fails with misleading message (out of memory) when no db is present [[#3049](https://github.com/anchore/grype/issues/3049) [#3077](https://github.com/anchore/grype/pull/3077) @JvD-Ericsson]\n\n### Additional Changes\n\n- replace os.Chdir with t.Chdir in test code [[#3067](https://github.com/anchore/grype/pull/3067) @joonas]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.104.1...v0.104.2)**\n\n",
      "date_published": "2025-12-09T23:17:35Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.104.2"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.104.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.104.1",
      "title": "[Grype] v0.104.1",
      "content_text": "### Bug Fixes\r\n\r\n- Redact during file output [[#3068](https://github.com/anchore/grype/pull/3068) @kzantow]\r\n- Unaffected match table does not filter results if CPE matching is enabled [[#3056](https://github.com/anchore/grype/issues/3056) [#3066](https://github.com/anchore/grype/pull/3066) @kzantow]\r\n\r\n### Additional Changes\r\n\r\n- Migrate grype to use `mholt/archives` instead of anchore fork [[#3036](https://github.com/anchore/grype/pull/3036) @joonas]\r\n\r\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.104.0...v0.104.1)**\r\n\r\n",
      "date_published": "2025-11-24T16:27:27Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.104.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.104.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.104.0",
      "title": "[Grype] v0.104.0",
      "content_text": "### Added Features\n\n- Add `--from` flag [[#3035](https://github.com/anchore/grype/pull/3035) @wagoodman]\n- Let a suppression expire to prevent that one will forget to resolve a vulnerability [[#3031](https://github.com/anchore/grype/issues/3031)]\n\n### Bug Fixes\n\n- Unnormalized fix version triggers false-positive in mssql-jdbc [[#3042](https://github.com/anchore/grype/issues/3042) [#3034](https://github.com/anchore/grype/pull/3034) @jamestexas]\n\n### Additional Changes\n\n- junit template use CDATA block to prevent XML parse errors [[#3019](https://github.com/anchore/grype/pull/3019) @nvtkaszpir]\n- Keep nested loggers labeled [[#3040](https://github.com/anchore/grype/pull/3040) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.103.0...v0.104.0)**\n\n",
      "date_published": "2025-11-17T22:39:08Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.104.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.103.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.103.0",
      "title": "[Grype] v0.103.0",
      "content_text": "### Added Features\n\n- Allow hyphen in version string [[#3021](https://github.com/anchore/grype/pull/3021) @willmurphyscode]\n- Respect rpmmod PURL qualifier [[#3020](https://github.com/anchore/grype/pull/3020) @willmurphyscode]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.102.0...v0.103.0)**\n\n",
      "date_published": "2025-11-03T20:00:40Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.103.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.102.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.102.0",
      "title": "[Grype] v0.102.0",
      "content_text": "### Added Features\n\n- Use Alma Linux specific advisories for Alma Linux scans [[#2745](https://github.com/anchore/grype/issues/2745) [#2939](https://github.com/anchore/grype/pull/2939) @willmurphyscode]\n\n### Bug Fixes\n\n- Bitnami packages with CPEs are not matched against CPE-based vulnerabilities [[#2997](https://github.com/anchore/grype/issues/2997)]\n\n### Additional Changes\n\n- add markdown template [[#2987](https://github.com/anchore/grype/pull/2987) @sebdanielsson]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.101.1...v0.102.0)**\n\n",
      "date_published": "2025-10-23T10:59:26Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.102.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.101.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.101.1",
      "title": "[Grype] v0.101.1",
      "content_text": "### Bug Fixes\n\n- Panic error scanning images with v0.101.0 on some java dependencies [[#3002](https://github.com/anchore/grype/issues/3002)]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.101.0...v0.101.1)**\n\n",
      "date_published": "2025-10-16T13:42:08Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.101.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.101.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.101.0",
      "title": "[Grype] v0.101.0",
      "content_text": "### Added Features\n\n- Add cyclonedx to RpmMetadata [[#2935](https://github.com/anchore/grype/pull/2935) @sfc-gh-rmaj]\n- `grype db search` can filter by fixed state [[#2968](https://github.com/anchore/grype/pull/2968) @willmurphyscode]\n- Support using VEX documents with directory scans and SBOMs [[#2471](https://github.com/anchore/grype/issues/2471) [#2811](https://github.com/anchore/grype/pull/2811) @alegrey91]\n\n### Bug Fixes\n\n- Issue installing Grype using documented curl command [[#2985](https://github.com/anchore/grype/issues/2985)]\n- Advisory ID blank in JSON output [[#2965](https://github.com/anchore/grype/issues/2965)]\n\n### Additional Changes\n\n- update flags with v3 to not use default config [[#3000](https://github.com/anchore/grype/pull/3000) @spiffcs]\n- fix Cosign documentation URL in installer [[#2995](https://github.com/anchore/grype/pull/2995) @lime]\n- set advisory id again [[#2979](https://github.com/anchore/grype/pull/2979) @willmurphyscode]\n- add db schema validation [[#2962](https://github.com/anchore/grype/pull/2962) @willmurphyscode]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.100.0...v0.101.0)**\n\n",
      "date_published": "2025-10-15T17:15:25Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.101.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.100.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.100.0",
      "title": "[Grype] v0.100.0",
      "content_text": "### Added Features\n\n- Add unaffected package and CPE stores [[#2888](https://github.com/anchore/grype/pull/2888) @wagoodman]\n- use unaffected match table to remove appropriate vulns [[#2886](https://github.com/anchore/grype/pull/2886) @CrosleyZack]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.99.1...v0.100.0)**\n\n",
      "date_published": "2025-09-15T22:06:37Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.100.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.99.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.99.1",
      "title": "[Grype] v0.99.1",
      "content_text": "### Bug Fixes\n\n- Present fix available version in grype JSON output [[#2905](https://github.com/anchore/grype/pull/2905) @wagoodman]\n- detect patch numbers in fuzzy version comparison [[#2844](https://github.com/anchore/grype/pull/2844) @willmurphyscode]\n- Make timestamp in output configurable (so that results are more reproducible) [[#522](https://github.com/anchore/grype/issues/522) [#2724](https://github.com/anchore/grype/pull/2724) @gabetrau]\n- Grype .98 misidentifies the container package version [[#2884](https://github.com/anchore/grype/issues/2884)]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.99.0...v0.99.1)**\n\n",
      "date_published": "2025-08-30T14:34:21Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.99.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.99.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.99.0",
      "title": "[Grype] v0.99.0",
      "content_text": "### Added Features\r\n\r\n- Add fix availability information to DB schema [[#2862](https://github.com/anchore/grype/pull/2862) @wagoodman]\r\n- Add support vulnerability matching for raspbian [[#2893](https://github.com/anchore/grype/pull/2893) @westonsteimel]\r\n- Add Vex CSAF support [[#1826](https://github.com/anchore/grype/pull/1826) @juan131]\r\n\r\n### Bug Fixes\r\n\r\n- include channel in grype db search output [[#2873](https://github.com/anchore/grype/pull/2873) @willmurphyscode]\r\n- add UnmarshalJSON to fix availability blob [[#2889](https://github.com/anchore/grype/pull/2889) @willmurphyscode]\r\n- Grype misdetect Grafana version [[#2783](https://github.com/anchore/grype/issues/2783)]\r\n\r\n### Breaking Changes\r\n\r\n- CSAF support [[#1826](https://github.com/anchore/grype/pull/1826) @juan131]\r\n\r\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.98.0...v0.99.0)**\r\n\r\n",
      "date_published": "2025-08-27T00:47:35Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.99.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.98.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.98.0",
      "title": "[Grype] v0.98.0",
      "content_text": "### Added Features\n\n- move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [[#2861](https://github.com/anchore/grype/pull/2861) @westonsteimel]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.97.2...v0.98.0)**\n\n",
      "date_published": "2025-08-13T17:38:04Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.98.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.97.2",
      "url": "https://github.com/anchore/grype/releases/tag/v0.97.2",
      "title": "[Grype] v0.97.2",
      "content_text": "## Grype v0.97.2\r\n\r\n### Added Features\r\n\r\n- new syft version adds binary classifier for hashicorp vault [[#4121](https://github.com/anchore/syft/pull/4121) @willmurphyscode]\r\n\r\n### Bug Fixes\r\n\r\n- fix: update syft's nondeterministic Java archive purl and improve groupID for better matching [[#3521](https://github.com/anchore/syft/issues/3521) [#4118](https://github.com/anchore/syft/pull/4118) @kzantow]\r\n\r\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.97.1...v0.97.2)**\r\n\r\n",
      "date_published": "2025-08-08T19:45:03Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.97.2"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.97.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.97.1",
      "title": "[Grype] v0.97.1",
      "content_text": "### Bug Fixes\n\n- Multiple EUS advisories where only some are fixed result in unexpected vulnerabilities [[#2840](https://github.com/anchore/grype/issues/2840) [#2841](https://github.com/anchore/grype/pull/2841) @kzantow]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.97.0...v0.97.1)**\n\n",
      "date_published": "2025-08-01T16:20:51Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.97.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.97.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.97.0",
      "title": "[Grype] v0.97.0",
      "content_text": "### Added Features\n\n- Add support for RHEL EUS [[#2446](https://github.com/anchore/grype/issues/2446) [#2787](https://github.com/anchore/grype/pull/2787) @wagoodman]\n\n### Bug Fixes\n\n- Error scanning snap \"unsupported source: source.SnapMetadata\" [[#2819](https://github.com/anchore/grype/issues/2819) [#2821](https://github.com/anchore/grype/pull/2821) @kzantow]\n\n### Additional Changes\n\n- add channel to os / distro [[#2782](https://github.com/anchore/grype/pull/2782) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.96.1...v0.97.0)**\n\n",
      "date_published": "2025-07-30T19:29:46Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.97.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.96.1",
      "url": "https://github.com/anchore/grype/releases/tag/v0.96.1",
      "title": "[Grype] v0.96.1",
      "content_text": "### Syft Improvments\r\n- Update to latest version of syft [v1.29.0](https://github.com/anchore/syft/releases/tag/v1.29.0)\r\n\r\n### Performance Improvements\r\n- Create ignore regex objects conditionally[[#2805](https://github.com/anchore/grype/pull/2805) @wagoodman ]\r\n\r\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.96.0...v0.96.1)**\r\n\r\n",
      "date_published": "2025-07-21T21:10:35Z",
      "tags": [
        "feature"
      ],
      "_tool_id": "grype",
      "_version": "v0.96.1"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.96.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.96.0",
      "title": "[Grype] v0.96.0",
      "content_text": "### Added Features\n\n- Added the EPSS score and KEV indications as CycloneDX `vulnerabilities.ratings` entries [[#2695](https://github.com/anchore/grype/issues/2695) [#2765](https://github.com/anchore/grype/pull/2765) @AlinaPodoba]\n\n### Bug Fixes\n\n- The `go run` and `go install` broken due to useless `redirect` directive in `go.mod` [[#2777](https://github.com/anchore/grype/issues/2777) [#2780](https://github.com/anchore/grype/pull/2780) @stefanb]\n- EPSS implementation using percentile instead of percent probability [[#2778](https://github.com/anchore/grype/issues/2778) [#2785](https://github.com/anchore/grype/pull/2785) @wagoodman]\n- Latest version of grype with V6 schema lists incorrect URL for v6 database [[#2513](https://github.com/anchore/grype/issues/2513)]\n\n### Additional Changes\n\n- Add more detail around cataloging and DB load log statements [[#2779](https://github.com/anchore/grype/pull/2779) @wagoodman]\n- add version set and combined constraint [[#2763](https://github.com/anchore/grype/pull/2763) @wagoodman]\n- add v6 OS store [[#2766](https://github.com/anchore/grype/pull/2766) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.95.0...v0.96.0)**\n\n",
      "date_published": "2025-07-15T13:13:59Z",
      "tags": [
        "bugfix"
      ],
      "_tool_id": "grype",
      "_version": "v0.96.0"
    },
    {
      "id": "https://github.com/anchore/grype/releases/tag/v0.95.0",
      "url": "https://github.com/anchore/grype/releases/tag/v0.95.0",
      "title": "[Grype] v0.95.0",
      "content_text": "### Added Features\n\n- Add string severity to db search json results [[#2730](https://github.com/anchore/grype/pull/2730) @wagoodman]\n- Add package specifier overrides for `kb`, `dpkg`, and `apkg` [[#2742](https://github.com/anchore/grype/pull/2742) @westonsteimel]\n\n### Bug Fixes\n\n- show related NVD records for non-NVD matches [[#2755](https://github.com/anchore/grype/pull/2755) @kzantow]\n- assume that a vulnerability with no ranges is always vulnerable [[#2759](https://github.com/anchore/grype/pull/2759) @wagoodman]\n- DB should hydrate for when the client has new features [[#2758](https://github.com/anchore/grype/pull/2758) @wagoodman]\n- show relationship back to NVD for all CVE ids [[#2756](https://github.com/anchore/grype/pull/2756) @westonsteimel]\n- properly escape CPE segments [[#2731](https://github.com/anchore/grype/pull/2731) @kzantow]\n- msrc matcher should search by package ecosystem, not by distro [[#2748](https://github.com/anchore/grype/pull/2748) @westonsteimel]\n- Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [[#2768](https://github.com/anchore/grype/issues/2768) [#2772](https://github.com/anchore/grype/pull/2772) @willmurphyscode]\n- malformed CPE in grype db search output [[#2767](https://github.com/anchore/grype/issues/2767) [#2769](https://github.com/anchore/grype/pull/2769) @westonsteimel]\n- vex documents from the --vex flag do get processed or applied to the output correctly [[#1836](https://github.com/anchore/grype/issues/1836) [#2741](https://github.com/anchore/grype/pull/2741) @willmurphyscode]\n\n### Additional Changes\n\n- replace deprecated GoReleaser configurations [[#2729](https://github.com/anchore/grype/pull/2729) @emmanuel-ferdman]\n- specify types for all match details [[#2762](https://github.com/anchore/grype/pull/2762) @wagoodman]\n- Refactor the version package [[#2735](https://github.com/anchore/grype/pull/2735) @wagoodman]\n\n**[(Full Changelog)](https://github.com/anchore/grype/compare/v0.94.0...v0.95.0)**\n\n",
      "date_published": "2025-07-02T17:26:05Z",
      "tags": [
        "security"
      ],
      "_tool_id": "grype",
      "_version": "v0.95.0"
    }
  ]
}