grype/go.mod

255 lines
13 KiB
Modula-2
Raw Normal View History

2020-07-24 01:29:05 +00:00
module github.com/anchore/grype
2020-05-26 14:37:28 +00:00
go 1.21.1
2020-05-26 14:37:28 +00:00
require (
github.com/CycloneDX/cyclonedx-go v0.7.2
github.com/Masterminds/sprig/v3 v3.2.3
github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
2023-01-21 14:40:51 +00:00
github.com/adrg/xdg v0.4.0
github.com/anchore/bubbly v0.0.0-20230801194016-acdb4981b461
github.com/anchore/clio v0.0.0-20231016125544-c98a83e1c7fc
github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
2023-01-18 17:50:46 +00:00
github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
github.com/anchore/stereoscope v0.0.0-20231027135531-5909e353ee88
github.com/anchore/syft v0.94.1-0.20231030161204-1aaa6440073d
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
github.com/bmatcuk/doublestar/v2 v2.0.4
github.com/charmbracelet/bubbletea v0.24.2
github.com/charmbracelet/lipgloss v0.9.1
github.com/docker/docker v24.0.7+incompatible
github.com/dustin/go-humanize v1.0.1
2023-01-21 14:40:51 +00:00
github.com/facebookincubator/nvdtools v0.1.5
github.com/gabriel-vasile/mimetype v1.4.3
github.com/gkampitakis/go-snaps v0.4.11
github.com/glebarez/sqlite v1.10.0
2023-01-21 14:40:51 +00:00
github.com/go-test/deep v1.1.0
github.com/google/go-cmp v0.6.0
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/google/go-containerregistry v0.16.1
github.com/google/uuid v1.4.0
github.com/gookit/color v1.5.4
github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
github.com/hashicorp/go-cleanhttp v0.5.2
github.com/hashicorp/go-getter v1.7.3
github.com/hashicorp/go-multierror v1.1.1
github.com/hashicorp/go-version v1.6.0
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
github.com/mholt/archiver/v3 v3.5.1
2020-05-26 14:37:28 +00:00
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/mitchellh/mapstructure v1.5.0
github.com/olekukonko/tablewriter v0.0.5
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/openvex/go-vex v0.2.5
github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554
// pinned to pull in 386 arch fix: https://github.com/scylladb/go-set/commit/cc7b2070d91ebf40d233207b633e28f5bd8f03a5
github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
2023-01-21 14:40:51 +00:00
github.com/sergi/go-diff v1.3.1
github.com/sirupsen/logrus v1.9.3
github.com/spf13/afero v1.10.0
github.com/spf13/cobra v1.8.0
github.com/stretchr/testify v1.8.4
github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651
github.com/wagoodman/go-presenter v0.0.0-20211015174752-f9c01afc824b
github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0
2020-08-01 15:58:10 +00:00
github.com/x-cray/logrus-prefixed-formatter v0.5.2
golang.org/x/exp v0.0.0-20230905200255-921286631fa9
gorm.io/gorm v1.25.5
)
require (
cloud.google.com/go v0.110.4 // indirect
cloud.google.com/go/compute v1.21.0 // indirect
2023-01-21 14:40:51 +00:00
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.1 // indirect
cloud.google.com/go/storage v1.30.1 // indirect
dario.cat/mergo v1.0.0 // indirect
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
github.com/DataDog/zstd v1.4.5 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/Masterminds/semver/v3 v3.2.1 // indirect
github.com/Microsoft/go-winio v0.6.1 // indirect
github.com/Microsoft/hcsshim v0.11.1 // indirect
github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
github.com/acobaugh/osrelease v0.1.0 // indirect
github.com/acomagu/bufpipe v1.0.4 // indirect
github.com/anchore/fangs v0.0.0-20230818131516-2186b10924fe // indirect
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/aws/aws-sdk-go v1.44.288 // indirect
github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
2023-02-10 15:14:01 +00:00
github.com/becheran/wildmatch-go v1.0.0 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
github.com/charmbracelet/bubbles v0.16.1 // indirect
github.com/charmbracelet/harmonica v0.2.0 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
github.com/containerd/cgroups v1.1.0 // indirect
github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
github.com/containerd/containerd v1.7.8 // indirect
github.com/containerd/continuity v0.4.2 // indirect
github.com/containerd/fifo v1.1.0 // indirect
github.com/containerd/log v0.1.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
github.com/containerd/ttrpc v1.2.2 // indirect
github.com/containerd/typeurl/v2 v2.1.1 // indirect
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
github.com/distribution/reference v0.5.0 // indirect
github.com/docker/cli v24.0.0+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
2023-01-21 14:40:51 +00:00
github.com/docker/docker-credential-helpers v0.7.0 // indirect
github.com/docker/go-connections v0.4.0 // indirect
github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
2023-01-21 14:40:51 +00:00
github.com/docker/go-units v0.5.0 // indirect
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
github.com/edsrzf/mmap-go v1.1.0 // indirect
github.com/emirpasic/gods v1.18.1 // indirect
github.com/felixge/fgprof v0.9.3 // indirect
2023-01-21 14:40:51 +00:00
github.com/fsnotify/fsnotify v1.6.0 // indirect
github.com/github/go-spdx/v2 v2.2.0 // indirect
github.com/gkampitakis/ciinfo v0.2.5 // indirect
github.com/gkampitakis/go-diff v1.3.2 // indirect
github.com/glebarez/go-sqlite v1.21.2 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.5.0 // indirect
github.com/go-git/go-git/v5 v5.10.0 // indirect
github.com/go-logr/logr v1.2.4 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-restruct/restruct v1.2.0-alpha // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/licensecheck v0.3.1 // indirect
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/google/s2a-go v0.1.4 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
github.com/googleapis/gax-go/v2 v2.11.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/huandu/xstrings v1.3.3 // indirect
github.com/iancoleman/strcase v0.3.0 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
github.com/jinzhu/copier v0.4.0 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jinzhu/now v1.1.5 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 // indirect
github.com/kevinburke/ssh_config v1.2.0 // indirect
github.com/klauspost/compress v1.16.5 // indirect
github.com/klauspost/pgzip v1.2.5 // indirect
github.com/knqyf263/go-rpmdb v0.0.0-20230301153543-ba94b245509b // indirect
github.com/kr/pretty v0.3.1 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
2023-01-21 14:40:51 +00:00
github.com/magiconair/properties v1.8.7 // indirect
2022-11-03 16:19:03 +00:00
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.18 // indirect
github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
github.com/mattn/go-runewidth v0.0.15 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
2022-08-04 13:37:48 +00:00
github.com/microsoft/go-rustaudit v0.0.0-20220730194248-4b17361d90a5 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/locker v1.0.1 // indirect
github.com/moby/sys/mountinfo v0.6.2 // indirect
github.com/moby/sys/sequential v0.5.0 // indirect
github.com/moby/sys/signal v0.7.0 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/moby/term v0.5.0 // indirect
github.com/muesli/ansi v0.0.0-20211031195517-c9f0611b6c70 // indirect
github.com/muesli/cancelreader v0.2.2 // indirect
github.com/muesli/reflow v0.3.0 // indirect
github.com/muesli/termenv v0.15.2 // indirect
github.com/nwaples/rardecode v1.1.0 // indirect
github.com/onsi/ginkgo v1.16.5 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
github.com/opencontainers/runc v1.1.5 // indirect
github.com/opencontainers/runtime-spec v1.1.0-rc.1 // indirect
github.com/opencontainers/selinux v1.11.0 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
github.com/package-url/packageurl-go v0.1.1 // indirect
github.com/pborman/indent v1.2.1 // indirect
2022-06-09 20:03:14 +00:00
github.com/pelletier/go-toml v1.9.5 // indirect
github.com/pelletier/go-toml/v2 v2.0.8 // indirect
github.com/pierrec/lz4/v4 v4.1.15 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pkg/profile v1.7.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
github.com/rivo/uniseg v0.2.0 // indirect
github.com/rogpeppe/go-internal v1.11.0 // indirect
github.com/saferwall/pe v1.4.7 // indirect
github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
github.com/sassoftware/go-rpmutils v0.2.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/skeema/knownhosts v1.2.0 // indirect
github.com/spdx/tools-golang v0.5.3 // indirect
github.com/spf13/cast v1.5.1 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.16.0 // indirect
2023-01-21 14:40:51 +00:00
github.com/subosito/gotenv v1.4.2 // indirect
github.com/sylabs/sif/v2 v2.11.5 // indirect
github.com/sylabs/squashfs v0.6.1 // indirect
2022-08-04 13:37:48 +00:00
github.com/therootcompany/xz v1.0.1 // indirect
github.com/tidwall/gjson v1.16.0 // indirect
github.com/tidwall/match v1.1.1 // indirect
github.com/tidwall/pretty v1.2.1 // indirect
github.com/tidwall/sjson v1.2.5 // indirect
github.com/ulikunitz/xz v0.5.10 // indirect
github.com/vbatts/go-mtree v0.5.3 // indirect
github.com/vbatts/tar-split v0.11.3 // indirect
github.com/vifraa/gopom v1.0.0 // indirect
github.com/xanzy/ssh-agent v0.3.3 // indirect
github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
github.com/zclconf/go-cty v1.14.0 // indirect
github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1 // indirect
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
2023-01-21 14:40:51 +00:00
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/otel v1.14.0 // indirect
go.opentelemetry.io/otel/trace v1.14.0 // indirect
go.uber.org/goleak v1.2.0 // indirect
golang.org/x/crypto v0.14.0 // indirect
golang.org/x/mod v0.13.0 // indirect
golang.org/x/net v0.17.0 // indirect
golang.org/x/oauth2 v0.10.0 // indirect
golang.org/x/sync v0.3.0 // indirect
golang.org/x/sys v0.13.0 // indirect
golang.org/x/term v0.13.0 // indirect
golang.org/x/text v0.13.0 // indirect
golang.org/x/time v0.2.0 // indirect
golang.org/x/tools v0.13.0 // indirect
2022-11-03 16:19:03 +00:00
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
google.golang.org/api v0.128.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
google.golang.org/grpc v1.58.3 // indirect
Ignore/add match results based on OpenVEX documents (#1397) * go.mod: Pull OpenVEX go modules This commit pulls the OpenVEX libraries into the grype source. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add generic VEX processor package This commit adds a generic VEX processor package. It is implementation agnostic. It has a single option for now: The documents used to load the VEX data. The processor has a single method: ApplyVEX() which takes a set of scan results and applies VEX data to them. For now, the only modification that is done is filtering of results, that is moving results to the ignored list as a response to VEX documents. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Add OpenVEX processor implementation This commit adds an openvex implementation of the vex processor. It also wires the VEX processor to use it as default. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Table presenter: Highligt results suppressed by VEX This commit marks results suppressed by VEX when presenting them to the user. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Define VEX status constants This commit defines a set of local constants of each of the VEX statuses based on the openvex constants. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add VexStatus to ignore rules This commit modifies the ignore rules structure to support defining a vex status. Any rules defining vex are ignored by the standard ignore rules processing as they will be handled by the VEX processor. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add IgnoreRule HasConditions method Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Control VEX filtering through IgnoreRules This commit modifies how the vex processor is controlled. The processor now takes a list of IgnoreRules which can act on the VEX status in addition to the regular rule parameters. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * vex: Allow rules to match on VEX justification This commit expands the ingore rules to also work on vex the justification of not_affected statements. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Use go-vex merge implementation Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add OpenVEX matcher to matcher list This commit adds a new entry to the matchers: An openvex matcher This matcher is used when openvex augments results, moving matches from the ignore list to the active results. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Add vex.AugmentMatches() to the vex processor This commit adds a new AugmentMatches() phase to the VEX processor. This new step goes throught the configured ignore rules and acts on any that have `affected` or `under_investigtion` as status. The purpose of this rule is to move matches back from the ignored matches list to the active results when a statement with either of those statuses apply to ignored matches. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Parse context identifiers using GGC This commit modifies the identifier synthesizer function to parse references using GGCR. It also adds a simple test. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Bump funlen linter to 73 This commit bumps the maximum function length to 73 to accomodate the new flag in AddFlags() Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> * Add VEX testing to matchers test This commit adds a new test and fixtures to test the VEX matchers along the rest of the matchers in TestMatchByImage(). As the VEX matchers operate on previously ignored matches a new loop was added to the test to accomodate the different testing model. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * add vex status and justification to ignored rule json model Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit rename + add TODO question about augmenting ignored matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * nit document comment updates + common variable extraction Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate legacy matcher function to vulnerability matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * update tui to respond to ignored and dropped matches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate vex processing to vulnerability match object Based on Alex's previous caommit Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * Migrate VEX options and app config from legacy CLI Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> * update table snapshot tests with suppressed vex entries Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for match.Matches.Diff() Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add tests for vex processor Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix linting and restore global funlen rule Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove grpc pin Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * always return remaining and ignroed matches from matcher object Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add VEX documentation to main README This commit adds a VEX section to the main Grype README. It adds an example document and details on how vex rules can be written. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> --------- Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev> Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 19:26:12 +00:00
google.golang.org/protobuf v1.31.0 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
modernc.org/libc v1.24.1 // indirect
modernc.org/mathutil v1.5.0 // indirect
modernc.org/memory v1.6.0 // indirect
modernc.org/sqlite v1.26.0 // indirect
)