openSUSE 16 Security Update : syft (openSUSE-SU-2026:20928-1)

critical Nessus Plugin ID 320425

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20928-1 advisory.

Changes in syft:

- Update to version 1.45.0:
* Added Features
- Add support for ZapAddOns as jar files [#4654 #4932 @douglasclarke]
- MySQL binary classifier should distinguish between MySQL Cluster (ndb) and MySQL [#3297 #4907 @witchcraze]
- Catalog ingress-nginx binary [#4818 #4857 @witchcraze]
* Bug Fixes
- Support helm binary various versions [#4820 #4922 @witchcraze]
- Support julia binary various versions [#4867 #4945 @witchcraze]
- Support deno binary old versions [#4865 #4939 @witchcraze]
- Compressed kernel modules are not scanned by the linux-kernel-cataloger [#4721 #4740 @will-bates11]
- Yarn Berry lockfile parser incorrectly deduplicates packages with multiple resolutions [#4691 #4838 @calumleslie]
- Possible misdetection of AWS-LC as OpenSSL 1.1.1 [#4539 #4882 @witchcraze]
- Support elixir binary rc versions [#4819 #4851 @ChrisJr404]
- Exclude path ending with a slash are discarded [#4839 #4892 @ChrisJr404]
- Incorrect CPE for .NET Runtime [#4738 #4743 @PGrayCS]
- fix parsing of debian/copyright files [#4708 #4754 @Bahtya]
- Grype ignores python requirements in arbitrary equality (===) format [#4834 #4835 @cyphercodes]
- valkey is detected as both of valkey and redis [#4591 #4619 @witchcraze]
- TypeByName missing nuget case causes UnknownPkg when reading SPDX SBOMs [#4837 #4848 @ChrisJr404]
* Additional Changes
- hoist name normalization regexp to package level [#4926 @matiasinsaurralde]
- bump the actions-minor-patch group across 1 directory with 6 updates [#4946 @dependabot]
- bump the actions-minor-patch group across 2 directories with 2 updates [#4936 @dependabot]
- bump the actions-minor-patch group across 1 directory with 4 updates [#4927 @dependabot]
- bump the actions-minor-patch group across 1 directory with 2 updates [#4920 @dependabot]
- bump the actions-minor-patch group across 1 directory with 2 updates [#4897 @dependabot]
- update CPE dictionary index [#4831 @anchore-oss-update-bot]
* Dependencies
- chore(deps): bump github.com/containerd/containerd/v2 (#4935)
- chore(deps): update anchore dependencies (#4821)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.19.0 to 5.19.1 (#4930)
- chore(deps): update CPE dictionary index (#4925)
- chore(deps): update CPE dictionary index (#4909)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.18.0 to 5.19.0 (#4911)

- Update to version 1.44.0:
* Added Features
- Add support for linux-riscv64 [#4757 @luhenry]
* Bug Fixes
- Yarn lockfile cataloguing does not handle aliases [#4833 #4836 @cyphercodes]
- Some snippet files are saved in the previous test directory [#4829 #4830 @witchcraze]
- empty rockspec causes index out of range [#4824 #4827 @aki1770-del]
- PE cataloger shows asp.net core ref assemblies using fileversion build stamp instead of productversion [#4813 #4814 @rezmoss]
- Syft safeCopy silently swallows archive decompression errors [#4806 #4807 @SAY-5]

- Update to version 1.43.0:
* Added Features
- added deno bin classifiers [#4677 @rezmoss]
- Support haskell old versions [#3237 #4793 @witchcraze]
- Add support for OpenLDAP binary detection [#4768 #4755 @nadimz]
- Support erlang ols versions [#3235 #4766 @witchcraze]
* Bug Fixes
- improve redhat-release parsing fallback for RHEL clones [#4808 @westonsteimel]
- fix format string in search results struct [#4775 @willmurphyscode]
- prevent infinite recursion in Document.UnmarshalJSON with encoding/json/v2 [#4748 @benja-M-1]
- Syft can not complete scanning golang image [#4686]
- javascript-package-cataloger drops entire package.json when authors/contributors/maintainers is a single string [#4778 #4779 @yoav-orca]
- pnpm lock file cataloger produces unstable output [#4648 #4765 @lawrence3699]
- Linux Kernel bzImage and zImage not cataloged by linux-kernel-cataloger [#4769 #4751 @nadimz]
- Support istio binary (pilot-discovery, pilot-agent) alpha,beta,rc,dev version [#4546 #4645 @witchcraze]
- Scanning mounted ISO: duplicate entries [#4759]
* Additional Changes
- update CPE dictionary index [#4767 @anchore-oss-update-bot]
* Dependencies
- chore(deps): update anchore dependencies (#4797)
- chore(deps): restore Go version to 1.25.8 (#4804)
- chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4790)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.17.0 to 5.18.0 (#4792)
- chore(deps): update Go version (#4798)
- chore(deps): update tools to latest versions (#4701)
- chore(deps): update Go version (#4773)
- chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 (#4750)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#4752)
- chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#4737)
- chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (#4763)
- chore(deps): bump github.com/hashicorp/go-getter from 1.8.5 to 1.8.6 (#4764)
- chore(deps): update CPE dictionary index (#4767)

- Update to version 1.42.4:
* Bug Fixes
- Similar Packages Should Be Aggregated [#1162]
- Support arangodb binary recent version [#4571 #4662 @witchcraze]
- Support go binary various versions [#4687 #4694 @kzantow]
* Additional Changes
- update CPE dictionary index [#4745 @anchore-oss-update-bot]
- update CPE dictionary index [#4726 @anchore-oss-update-bot]
- Add a trust boundary section [#4716 @joshbressers]
* Dependencies
- chore(deps): update CPE dictionary index (#4745)
- chore(deps): update CPE dictionary index (#4726)
- chore(deps): update CPE dictionary index (#4715)
- chore(deps): update tool versions (#4706)
- chore(deps): bump slackapi/slack-github-action from 2.1.1 to 3.0.1 (#4684)
- chore(deps): bump marocchino/sticky-pull-request-comment (#4685)
- chore(deps): bump the go-minor-patch group with 2 updates (#4697)
- chore(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 (#4699)
- chore(deps): update CPE dictionary index (#4689)
- chore(deps): ignore some dependabot deps (#4696)
- chore(deps): update tools to latest versions (#4690)

- Update to version 1.42.3:
* Bug Fixes
- Missing secondary evidence for .NET dependency in ghcr.io/open-telemetry/demo:2.0.0-accounting image [#4652]
* Additional Changes
- centralize temp files and prefer streaming IO [#4668 @willmurphyscode]
- chore(deps): update anchore dependencies (#4681)
- chore(deps): bump github.com/buger/jsonsparser to v1.1.2 (#4680)
- chore(deps): bump the go-minor-patch group with 2 updates (#4678)
- chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.3 (#4675)
- chore(deps): bump the go-minor-patch group with 2 updates (#4674)
- chore(deps): update tools to latest versions (#4663)
- chore(deps): bump the go-minor-patch group with 3 updates (#4669)
- chore(deps): bump github/codeql-action (#4670)
- chore(deps): bump docker/login-action from 3.7.0 to 4.0.0 (#4671)
- chore(deps): update CPE dictionary index (#4673)
- chore(tests): fix test fixture build on modern ARM Mac (#4666)

- Update to version 1.42.2:
* Bug Fixes
- [BUG] Incorrect Maven PURL generation: Automatic-Module-Name should not be used as Maven groupId [#4611 #4642 @xnox]
- Checksum is 0 for spdx files [#2307 #4620 @ppalucha]
- Support grafana binary various versions [#4559 #4635 @witchcraze]
* Additional Changes
- migrate fixtures to testdata [#4651 @wagoodman]
* Dependencies
- chore(deps): update anchore dependencies (#4631)
- chore(deps): update tools to latest versions (#4630)
- chore(deps): update SPDX license list (#4637)
- chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.0 (#4658)
- chore(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (#4638)
- chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates (#4657)
- chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#4659)
- chore(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#4646)
- chore(deps): update CPE dictionary index (#4647)
- chore(deps): bump the go-minor-patch group across 1 directory with 5 updates (#4661)
- chore(deps): update CPE dictionary index (#4636)
- chore(deps): bump github/codeql-action (#4634)
- chore(deps): bump github.com/charmbracelet/bubbles from 0.21.1 to 1.0.0 (#4633)
- chore(deps): bump the go-minor-patch group with 5 updates (#4632)

- Update to version 1.42.1:
* Bug Fixes
- Use redhat as namespace for hummingbird rpms [#4615 @scoheb]
- False Positive: Emacs snap package version CVE-2024-39331 [#4485]
* Additional Changes
- call cleanup on tmpfile and replace some io.ReadAlls with streams [#4629 @willmurphyscode]
- bumps go mod version to 1.25; ci takes latest patch [#4628 @spiffcs]
* Dependencies
- chore(deps): update tools to latest versions (#4614)
- chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4622)
- chore(deps): bump the go-minor-patch group with 2 updates (#4621)
- chore(deps): update CPE dictionary index (#4623)

- Update to version 1.42.0:
* Added Features
- Add support for scanning GGUF models from OCI registries [#4335 @spiffcs]
- yarn lockfile scan doesnt catch dev dependencies [#4548 #4549 @rezmoss]
* Additional Changes
- CPE detection for APK libavif to use aomedia vendor [#4597 @naag]
* Dependencies
- chore(deps): update anchore dependencies (#4613)
- chore(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 (#4612)
- chore(deps): update CPE dictionary index (#4610)
- chore(deps): bump github.com/bmatcuk/doublestar/v4 (#4606)
- chore(deps): bump the actions-minor-patch group across 2 directories with 2 updates (#4607)
- chore(deps): update CPE dictionary index (#4601)
- chore(deps): update tools to latest versions (#4594)

- Update to version 1.41.2:
* Bug Fixes
- further improve go binary classifier, including windows [#4593 @kzantow]
- Wrong format in license [#4233 #4588 @spiffcs]
- Cannot detect installation of Qt6 [#4467 #4550 @rezmoss]
- bug: Syft mis-identifies binary as deb inside a snap [#4486 #4500 @popey]
* Dependencies
- chore(deps): update tools to latest versions (#4589)
- chore(deps): bump the go-minor-patch group with 2 updates (#4583)
- chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4584)

- Update to version 1.41.1:
* Bug Fixes
- [Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft [#4562 #4573 @spiffcs]
* Dependencies
- chore(deps): update tools to latest versions (#4577)

- Update to version 1.41.0:
* Added Features
- detect Debian version from /etc/debian_version [#4569 @kzantow]
* Bug Fixes
- correctly report supporting evidence for binary packages [#4558 @kzantow]
* Dependencies
- chore(deps): update anchore dependencies (#4575)
- chore(deps): update tools to latest versions (#4570)
- chore(deps): bump the actions-minor-patch group across 2 directories with 3 updates (#4568)
- chore(deps): bump the go-minor-patch group with 6 updates (#4567)
- chore(deps): update tools to latest versions (#4565)
- chore(deps): bump github.com/spdx/tools-golang (#4557)

- Update to version 1.40.1:
* Bug Fixes
- mongodb binary not detected manual/source install [#4540 #4541 @rezmoss]
- chore: sync generated file immediately (#4538)
* Dependencies
- chore(deps): update anchore dependencies (#4552)
- chore(deps): update tools to latest versions (#4551)
- chore(deps): update tools to latest versions (#4545)
- chore(deps): update tools to latest versions (#4542)
- chore(deps): bump the go-minor-patch group with 4 updates (#4543)
- chore(deps): bump anchore/sbom-action (#4544)
- chore(deps): update tools to latest versions (#4537)

- Update to version 1.40.0:
* Added Features
- Exclude development or test dependencies for PNPM Package type [#4430 #4487 @rezmoss]
- Catalog istio binary (pilot-discovery, pilot-agent) [#4508 #4521 @witchcraze]
- Catalog envoy binary [#4506 #4530 @witchcraze]
- Catalog grafana binary [#4505 #4516 @witchcraze]
- Add a binary classifier for valkey [#3400 #4509 @witchcraze]
* Bug Fixes
- old bitnami images without spdx files arent getting picked up correctly in the catalog [#4529 #4532 @rezmoss]
- wrong traefik rc versions at binary detection [#3535 #4499 @rezmoss]
- FromPOSIX() in internals\windows\path.go assumes that all Windows root paths must have a colon terminator [#4070 #4075 @luissantosHCIT]
- binary cataloger is picking up the go version instead of the actual binary version in traefik experimental images [#4498 #4499 @rezmoss]
* Dependencies
- chore(deps): update anchore dependencies (#4535)
- chore(deps): bump the go-minor-patch group with 3 updates (#4524)
- chore(deps): bump the actions-minor-patch group across 1 directory with 2 updates (#4525)
- chore(deps): bump actions/download-artifact from 6.0.0 to 7.0.0 (#4526)
- chore(deps): bump actions/upload-artifact from 4.4.3 to 6.0.0 (#4527)
- chore(deps): bump modernc.org/sqlite from 1.41.0 to 1.42.2 (#4513)
- chore(deps): bump anchore/sbom-action from 0.20.11 to 0.21.0 (#4501)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.7 to 6.7.8 (#4502)
- chore(deps): bump github.com/spdx/tools-golang from 0.5.5 to 0.5.6 (#4503)
- chore(deps): update tools to latest versions (#4504)
- chore(deps): bump github.com/hashicorp/go-getter from 1.8.3 to 1.8.4 (#4518)
- chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.18 to 0.5.19 (#4520)

- Update to version 1.39.0:
* Added Features
- add support for Gemfile.next.lock [#4457 @HatiCode]
- Command output to give more information on what catalogers look for and what they can find [#4155 #4317 @wagoodman]
- Support reading lzma compressed .go.buildinfo sections with upx [#4411 #4480 @wagoodman]
- Specify specific snap revision to pull [#4389 #4439 @VictorHuu]
- Cannot detect embedded deps.json metadata in single-file .NET binaries [#4344 #4375 @rezmoss]
- ELF note cataloger does not pick up OS field, but should [#4384 #4438 @VictorHuu]
* Bug Fixes
- remove debug print statement in dependency parser [#4412 @cgreeno]
- dotnet-deps cataloger should skip project references with type project when building the sbom [#4423 #4436 @rezmoss]
- File digests not computed when using --base-path [#4410 #4478 @wagoodman]
- Syft should not define subpaths by default in PURLs [#4394 #4395 @rezmoss]
- go: valid purl but incorrect name [#1737 #4395 @rezmoss]
- Incorrect Go module PURL generation when module path contains /vN (e.g. /v5) [#4316 #4395 @rezmoss]
- Failing to convert npm repository information correctly to SPDX [#4362 #4390 @kendrickm]
* Dependencies
- chore(deps): update tools to latest versions (#4491)
- chore(deps): bump modernc.org/sqlite from 1.40.1 to 1.41.0 (#4489)
- chore(deps): bump github/codeql-action from 4.31.8 to 4.31.9 (#4481)
- chore(deps): bump github.com/goccy/go-yaml from 1.19.0 to 1.19.1 (#4482)
- chore(deps): bump actions/cache from 5.0.0 to 5.0.1 (#4476)
- chore(deps): bump actions/cache in /.github/actions/bootstrap (#4477)
- chore(deps): update tools to latest versions (#4473)
- chore(deps): update tools to latest versions (#4466)
- chore(deps): bump github/codeql-action from 4.31.7 to 4.31.8 (#4468)
- chore(deps): bump actions/cache from 4.3.0 to 5.0.0 (#4469)
- chore(deps): bump github.com/anchore/stereoscope from 0.1.14 to 0.1.16 (#4470)
- chore(deps): bump actions/cache in /.github/actions/bootstrap (#4471)
- chore(deps): update tools to latest versions (#4462)
- chore(deps): update tools to latest versions (#4456)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.5 to 6.7.7 (#4460)
- chore(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#4459)
- chore(deps): bump anchore/sbom-action from 0.20.10 to 0.20.11 (#4458)

- Update to version 1.38.2 (.1 was not released):
* Bug Fixes
- drop cpe from gguf [#4383 @spiffcs]
- emit lua rockspec dependencies in metadata [#4376 @willmurphyscode]
- Invalid SBOMs are created when GO replace directive is used [#4415 #4419 @VictorHuu]
- Incorrect CPE for Vercel's Next js [#4443 #4450 @willmurphyscode]
- v1.38.0 generates empty sbom for tgz sources [#4416 #4421 @VictorHuu]
- Syft: The dependency graph does not include all Requires-Dist relationships defined in the package's METADATA file [#4401 #4408 @willmurphyscode]
* Dependencies
- chore(deps): update anchore dependencies (#4440)
- chore(deps): update tools to latest versions (#4442)
- chore(deps): bump peter-evans/create-pull-request from 7.0.8 to 7.0.11 (#4447)
- chore(deps): bump actions/create-github-app-token from 2.1.4 to 2.2.1 (#4445)
- chore(deps): bump github.com/go-git/go-billy/v5 from 5.6.2 to 5.7.0 (#4448)
- chore(deps): bump github/codeql-action from 4.31.6 to 4.31.7 (#4446)
- chore(deps): bump golang.org/x/tools from 0.39.0 to 0.40.0 (#4453)
- chore(deps): bump github.com/github/go-spdx/v2 from 2.3.4 to 2.3.5 (#4434)
- chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 (#4435)
- chore(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4431)
- chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.17 to 0.5.18 (#4432)
- chore(deps): bump github.com/gkampitakis/go-snaps from 0.5.15 to 0.5.17 (#4413)
- chore(deps): update tools to latest versions (#4420)
- chore(deps): bump github.com/olekukonko/tablewriter from 1.1.1 to 1.1.2 (#4427)
- chore(deps): bump github/codeql-action from 4.31.4 to 4.31.6 (#4424)
- chore(deps): bump github.com/goccy/go-yaml from 1.18.0 to 1.19.0 (#4426)
- chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (#4381)
- chore(deps): bump modernc.org/sqlite from 1.40.0 to 1.40.1 (#4382)
- chore(deps): bump actions/checkout from 5.0.0 to 6.0.0 (#4396)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.3 to 6.7.5 (#4397)
- chore(deps): update tools to latest versions (#4398)
- chore(deps): bump github.com/google/go-containerregistry (#4409)
- chore(deps): bump github/codeql-action from 4.31.3 to 4.31.4 (#4386)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.2 to 6.7.3 (#4387)
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (#4391)
- chore(deps): bump actions/setup-go from 6.0.0 to 6.1.0 (#4392)
- chore(deps): bump actions/setup-go in /.github/actions/bootstrap (#4393)

- Update to version 1.38.0:
* Added Features
- add support for cataloging GGUF models [#4184 #4279 @spiffcs]
- Support scanning a list of CPEs [#3890 #4207 @chovanecadam]
- Syft does not detect Elixir binary on system [#4333 #4334 @rezmoss]
* Bug Fixes
- Support extras statements in Python PDM cataloger [#4352 @wagoodman]
- Preserve --from argument order [#4350 @wagoodman]
- SBOM generated by Syft 1.28 contains license elements missing id or name (causing CycloneDX parser error) [#4363]
- empty PURL output in dependency snapshot format breaks sbom-action [#4311]
- Interface includes constraint elements, can only be used in type parameters [#4346]
- Upgrade github.com/nwaples/[email protected] to 2.2.1 [#4338]
- Upgrade to Golang 1.25.4 [#4341]
* Additional Changes
- migrate syft to use mholt/archives instead of anchore fork [#4029 @Rupikz]
- Add license enrichment from pypi to python packages [#4295 @timols]
- license file search [#4327 @kzantow]
* Dependencies
- chore(deps): update anchore dependencies (#4374)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.1 to 6.7.2 (#4372)
- chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 (#4364)
- chore(deps): update tools to latest versions (#4370)
- chore(deps): update tools to latest versions (#4365)
- chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 (#4366)
- chore(deps): update tools to latest versions (#4358)
- chore(deps): bump golang.org/x/mod from 0.29.0 to 0.30.0 (#4359)
- chore(deps): bump github.com/olekukonko/tablewriter from 1.0.9 to 1.1.1 (#4354)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.7.0 to 6.7.1 (#4355)
- chore(deps): update tools to latest versions (#4347)
- chore(deps): bump github.com/opencontainers/selinux (#4349)
- chore(deps): bump golang.org/x/time from 0.12.0 to 0.14.0 (#4348)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.9 to 6.7.0 (#4337)
- chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#4340)

- Update to version 1.37.0:
* Added Features
- Refactor fileresolver to not require base path [#4298 @Rupikz]
- Describe cataloger capabilities via test observations [#4318 @wagoodman]
- Support Java resource adapter extension .far as a Java archive [#4183 #4193 @kyounghunJang]
- Add Java resource adapter extension .rar as supported Java archive [#4136 #4137 @thomassui]
* Bug Fixes
- fix empty PURL Github format [#4312 @rezmoss]
- Canonicalize Ghostscript CPE/PURL for ghostscript packages from PE Binaries [#4308 @kdt523]
- Respect rpmmod PURL qualifier [#4314 @willmurphyscode]
- fix dpkg packages that are in deinstalled state should not be in SBOM [#3063 #4231 @rkirk-nos]
* Dependencies
- chore(deps): update anchore dependencies (#4330)
- chore(deps): bump github/codeql-action from 4.31.1 to 4.31.2 (#4325)
- chore(deps): bump github.com/hashicorp/go-getter from 1.8.2 to 1.8.3 (#4326)
- chore(deps): bump modernc.org/sqlite from 1.39.1 to 1.40.0 (#4329)
- chore(deps): bump github/codeql-action from 4.31.0 to 4.31.1 (#4321)
- chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.6.8 to 6.6.9 (#4315)
- chore(deps): bump github/codeql-action from 4.30.9 to 4.31.0 (#4310)
- chore(deps): bump anchore/sbom-action from 0.20.8 to 0.20.9 (#4305)
- chore(deps): update tools to latest versions (#4307)

- Update to version 1.36.0 (1.35.0 was not released):
* Added Features
- Add the ability to fetch remote licenses for pnpm-lock.yaml files [#4286 @timols]
- support universal (fat) mach-o binary files [#4278 @JoeyShapiro]
- pdm support [#2709 #4234 @paulslaby]
* Bug Fixes
- Remove duplicate image source providers [#4289 @Rupikz]
- syft can't extract go module information from executables on Windows [#4271 #4285 @JoeyShapiro]
* Dependencies
- chore(deps): update tools to latest versions (#4302)
- chore(deps): bump github.com/github/go-spdx/v2 from 2.3.3 to 2.3.4 (#4301)
- chore(deps): bump github/codeql-action from 4.30.8 to 4.30.9 (#4299)
- chore(deps): bump sigstore/cosign-installer from 3.10.0 to 4.0.0 (#4296)
- chore(deps): bump anchore/sbom-action from 0.20.7 to 0.20.8 (#4297)
- chore(deps): bump anchore/sbom-action from 0.20.6 to 0.20.7 (#4293)

- Update to version 1.34.2:
* Bug Fixes
- Extract zip archive with multiple entries [#4283 @Rupikz]
- panic while resolving maven properties in archive parser [#4288 #4290 @kzantow]
* Dependencies
- chore(deps): update tools to latest versions (#4291)

- Update to version 1.34.1 (1.34.0 was not released):
* Added Features
- feat: enhance setup.py parser to handle unquoted dependencies [#4255 @HalaAli198]
- feat: support for identifying ffmpeg/libav libraries [#4227 @popey]
- feat: PNPM latest lockfile (version 9.0) [#3927 #4256 @bernardoamc]
- Add Windows ARM64 releases [#4179 #4237 @compnerd]
* Bug Fixes
- fix: SBOM CPE mismatch for Qt5 causes Grype to miss CVE matches [#4036 #4093 @hawkaii]
- fix: use of manifest files present in Snap packages when generating SBOMs [#4147 #4151 @popey]
- fix: Pom xml only archive parser [#4272 @douglasclarke]
* Dependencies
- chore(deps): bump actions/cache from 4.2.4 to 4.3.0 (#4240)
- chore(deps): bump actions/ca ...

Please note that the description has been truncated due to length. Please refer to the vendor advisory for the full description.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected syft, syft-bash-completion, syft-fish-completion and / or syft-zsh-completion packages.

See Also

https://www.suse.com/security/cve/CVE-2024-39331

Plugin Details

Severity: Critical

ID: 320425

File Name: openSUSE-2026-20928-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 6/11/2026

Updated: 6/11/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-39331

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:syft, p-cpe:/a:novell:opensuse:syft-bash-completion, p-cpe:/a:novell:opensuse:syft-zsh-completion, p-cpe:/a:novell:opensuse:syft-fish-completion

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2026

Vulnerability Publication Date: 6/23/2024

Reference Information

CVE: CVE-2024-39331