Update Syft to v0.64.0 (#1047)

2024-09-20 06:21:56 +00:00 · 2022-12-23 16:33:08 -05:00 · 2022-12-23 16:33:08 -05:00 · 3ff1d64eab
commit 3ff1d64eab
parent 03b402a5ae
10 changed files with 32 additions and 29 deletions
--- a/go.mod
+++ b/go.mod
@ -3,7 +3,7 @@ module github.com/anchore/grype
 go 1.18

 require (
-	github.com/CycloneDX/cyclonedx-go v0.7.0
+	github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.3.3
@ -40,7 +40,7 @@ require (
 	github.com/spf13/cobra v1.6.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.13.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.8.1
 	github.com/wagoodman/go-partybus v0.0.0-20210627031916-db1f5573bbc5
 	github.com/wagoodman/go-progress v0.0.0-20200807221327-51d465df1451
 	github.com/wagoodman/jotframe v0.0.0-20211129225309-56b0d0a4aebb
@ -53,7 +53,7 @@ require (
 require (
 	github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 	github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963
-	github.com/anchore/syft v0.63.0
+	github.com/anchore/syft v0.64.0
 	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
 	github.com/in-toto/in-toto-golang v0.4.1-0.20221018183522-731d0640b65f
 	github.com/mitchellh/mapstructure v1.5.0
@ -217,7 +217,7 @@ require (
 	github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/stretchr/objx v0.4.0 // indirect
+	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/sylabs/sif/v2 v2.8.1 // indirect
 	github.com/sylabs/squashfs v0.6.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -147,8 +147,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
-github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
+github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce h1:o5r3msApzvtE5LhcMkxWaKernD/PK0HpMccu7ywBj5Q=
+github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce/go.mod h1:XURd0m8zvnLE5aIRqg6JOVRl7qZ/pWBtuFa9EHjQwFc=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
@ -240,8 +240,8 @@ github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963 h1:vrf2PYH77vqVJo
 github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963/go.mod h1:AVRyXOUP0hTz9Cb8OlD1XnwA8t4lBPfTuwPHmEUuiLc=
 github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1 h1:DXUAm/H9chRTEzMfkFyduBIcCiJyFXhCmv3zH3C0HGs=
 github.com/anchore/stereoscope v0.0.0-20221208011002-c5ff155d72f1/go.mod h1:/zjVnu2Jdl7xQCUtASegzeEg+IHKrM7SyMqdao3e+Nc=
-github.com/anchore/syft v0.63.0 h1:L00jzHH7pqX1oLsHGAQTaI3162UKfNoyGDvlwOaqb3c=
-github.com/anchore/syft v0.63.0/go.mod h1:VEm67LKIGewP1FLoameSlVQocozvmKFlpaljEPhBSQg=
+github.com/anchore/syft v0.64.0 h1:+hyo6Z34BLPZDDl//Bde5RiNhjN3wIT8AYlCiLAgLwg=
+github.com/anchore/syft v0.64.0/go.mod h1:jJu1mN1B602p4qS6sE28pAgcv5Xfx9h9M/jECMjIb6Q=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
@ -1818,8 +1818,9 @@ github.com/stretchr/objx v0.0.0-20180129172003-8a3f7159479f/go.mod h1:HFkY916IF+
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@ -1831,8 +1832,9 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
--- a/grype/matcher/golang/matcher.go
+++ b/grype/matcher/golang/matcher.go
@ -35,9 +35,9 @@ func (m *Matcher) Type() match.MatcherType {

 func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
 	matches := make([]match.Match, 0)
-	metadata := pkg.GolangBinMetadata{}
+	metadata := pkg.GolangMetadata{}
 	if p.Metadata != nil {
-		metadata = p.Metadata.(pkg.GolangBinMetadata)
+		metadata = p.Metadata.(pkg.GolangMetadata)
 	}

 	// Golang currently does not have a standard way of incorporating the vcs version
--- a/grype/matcher/golang/matcher_test.go
+++ b/grype/matcher/golang/matcher_test.go
@ -19,8 +19,8 @@ func TestMatcherGolang_DropMainPackage(t *testing.T) {
 		Name:         "istio.io/istio",
 		Version:      "v0.0.0-20220606222826-f59ce19ec6b6",
 		Type:         syftPkg.GoModulePkg,
-		MetadataType: pkg.GolangBinMetadataType,
-		Metadata: pkg.GolangBinMetadata{
+		MetadataType: pkg.GolangMetadataType,
+		Metadata: pkg.GolangMetadata{
 			MainModule: "istio.io/istio",
 		},
 	}
--- a/grype/pkg/golang_bin_metadata.go
+++ b/grype/pkg/golang_bin_metadata.go
@ -1,6 +1,6 @@
 package pkg

-type GolangBinMetadata struct {
+type GolangMetadata struct {
 	BuildSettings     map[string]string `json:"goBuildSettings,omitempty"`
 	GoCompiledVersion string            `json:"goCompiledVersion"`
 	Architecture      string            `json:"architecture"`
--- a/grype/pkg/metadata.go
+++ b/grype/pkg/metadata.go
@ -6,8 +6,8 @@ type MetadataType string
 const (
 	// this is the full set of data shapes that can be represented within the pkg.Package.Metadata field

-	UnknownMetadataType   MetadataType = "UnknownMetadata"
-	JavaMetadataType      MetadataType = "JavaMetadata"
-	RpmMetadataType       MetadataType = "RpmMetadata"
-	GolangBinMetadataType MetadataType = "GolangBinMetadata"
+	UnknownMetadataType MetadataType = "UnknownMetadata"
+	JavaMetadataType    MetadataType = "JavaMetadata"
+	RpmMetadataType     MetadataType = "RpmMetadata"
+	GolangMetadataType  MetadataType = "GolangMetadata"
 )
--- a/grype/pkg/package.go
+++ b/grype/pkg/package.go
@ -138,10 +138,10 @@ func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 	var metadataType MetadataType

 	switch p.MetadataType {
-	case pkg.GolangBinMetadataType:
+	case pkg.GolangMetadataType:
 		if m := golangBinDataFromPkg(p); m != nil {
 			metadata = *m
-			metadataType = GolangBinMetadataType
+			metadataType = GolangMetadataType
 		}
 	case pkg.DpkgMetadataType:
 		upstreams = dpkgDataFromPkg(p)
@ -163,9 +163,9 @@ func dataFromPkg(p pkg.Package) (MetadataType, interface{}, []UpstreamPackage) {
 	return metadataType, metadata, upstreams
 }

-func golangBinDataFromPkg(p pkg.Package) (m *GolangBinMetadata) {
-	metadata := &GolangBinMetadata{}
-	if value, ok := p.Metadata.(pkg.GolangBinMetadata); ok {
+func golangBinDataFromPkg(p pkg.Package) (m *GolangMetadata) {
+	metadata := &GolangMetadata{}
+	if value, ok := p.Metadata.(pkg.GolangMetadata); ok {
 		if value.BuildSettings != nil {
 			metadata.BuildSettings = value.BuildSettings
 		}
--- a/grype/pkg/package_test.go
+++ b/grype/pkg/package_test.go
@ -260,17 +260,17 @@ func TestNew(t *testing.T) {
 			},
 		},
 		{
-			name: "golang-bin-metadata",
+			name: "golang-metadata",
 			syftPkg: syftPkg.Package{
-				MetadataType: syftPkg.GolangBinMetadataType,
-				Metadata: syftPkg.GolangBinMetadata{
+				MetadataType: syftPkg.GolangMetadataType,
+				Metadata: syftPkg.GolangMetadata{
 					BuildSettings:     map[string]string{},
 					GoCompiledVersion: "1.0.0",
 					H1Digest:          "a",
 					MainModule:        "myMainModule",
 				},
 			},
-			metadata: GolangBinMetadata{
+			metadata: GolangMetadata{
 				BuildSettings:     map[string]string{},
 				GoCompiledVersion: "1.0.0",
 				H1Digest:          "a",
--- a/grype/pkg/qualifier/rpmmodularity/qualifier_test.go
+++ b/grype/pkg/qualifier/rpmmodularity/qualifier_test.go
@ -25,7 +25,7 @@ func TestRpmModularity_Satisfied(t *testing.T) {
 		{
 			name:          "invalid rpm metadata",
 			rpmModularity: New("test:1"),
-			pkg: pkg.Package{MetadataType: pkg.RpmMetadataType, Metadata: pkg.GolangBinMetadata{
+			pkg: pkg.Package{MetadataType: pkg.RpmMetadataType, Metadata: pkg.GolangMetadata{
 				BuildSettings:     nil,
 				GoCompiledVersion: "",
 				Architecture:      "",
--- a/grype/presenter/cyclonedx/presenter.go
+++ b/grype/presenter/cyclonedx/presenter.go
@ -77,6 +77,7 @@ func (pres *Presenter) Present(output io.Writer) error {
 	cyclonedxBOM.Vulnerabilities = &vulns
 	enc := cyclonedx.NewBOMEncoder(output, pres.format)
 	enc.SetPretty(true)
+	enc.SetEscapeHTML(false)

 	return enc.Encode(cyclonedxBOM)
 }