update syft version for new release (#578)

* update syft

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update CatalogPackages to use new cataloger config struct

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update integration tests

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Christopher Angelo Phillips 2022-01-07 17:57:44 -05:00 committed by GitHub
parent 3a1531f8f5
commit 64d4dbb993
7 changed files with 37 additions and 28 deletions

go.mod

@ -9,7 +9,7 @@ require (
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
github.com/anchore/grype-db v0.0.0-20211207213615-1bcbb779ee96
github.com/anchore/stereoscope v0.0.0-20211222141827-6e663afeef5d
github.com/anchore/syft v0.34.0
github.com/anchore/syft v0.35.0
github.com/bmatcuk/doublestar/v2 v2.0.4
github.com/docker/docker v20.10.11+incompatible
github.com/dustin/go-humanize v1.0.0

go.sum

@ -161,7 +161,6 @@ github.com/alexflint/go-filemutex v0.0.0-20171022225611-72bdc8eae2ae/go.mod h1:C
github.com/alicebob/sqlittle v1.4.0 h1:vgYt0nAjhdf/hg52MjKJ84g/uTzBPfrvI+VUBrIghxA=
github.com/alicebob/sqlittle v1.4.0/go.mod h1:Co1L1qxHqCwf41puWhk2HOodojR0mcsAV4BIt8byZh8=
github.com/anchore/client-go v0.0.0-20210222170800-9c70f9b80bcf/go.mod h1:FaODhIA06mxO1E6R32JE0TL1JWZZkmjRIAd4ULvHUKk=
github.com/anchore/go-presenter v0.0.0-20211102174526-0dbf20f6c7fa h1:mDLUAkgXsV5Z8D0EEj8eS6FBekolV/A+Xxbs9054bPw=
github.com/anchore/go-presenter v0.0.0-20211102174526-0dbf20f6c7fa/go.mod h1:29jwxTSAS6pBcrmuwf1U3r1Tqp1o1XpuiOJ0NT9NoGg=
github.com/anchore/go-rpmdb v0.0.0-20210602151223-1f0f707a2894/go.mod h1:8jNYOxCJC5kyD/Ct4MbzsDN2hOhRoCAzQcb/7KdYYGw=
github.com/anchore/go-rpmdb v0.0.0-20210914181456-a9c52348da63 h1:C9W/LAydEz/qdUhx1MdjO9l8NEcFKYknkxDVyo9LAoM=
@ -197,8 +196,8 @@ github.com/anchore/syft v0.30.1/go.mod h1:7YlGmGFP/GlfNn80TDN1jFcosZqHBKCnrpwfiR
github.com/anchore/syft v0.31.0/go.mod h1:ZHM2Brl5yU8qM6YuXLRxm4UXCMSWQdd78S0eKnVm1Uw=
github.com/anchore/syft v0.31.0/go.mod h1:ZHM2Brl5yU8qM6YuXLRxm4UXCMSWQdd78S0eKnVm1Uw=
github.com/anchore/syft v0.31.1-0.20211207205931-7a359dc16be8/go.mod h1:6tuVZBaHohcTuX8S0G6S80o/6PmzoF7sHbjxDUJaLjU=
github.com/anchore/syft v0.34.0 h1:PrtTLdOfV1B5lx8FlyEeg7NhMnFdedqCYEpOoqnWHo4=
github.com/anchore/syft v0.34.0/go.mod h1:/R925Uu1YHhLi035Dxy10lsvn3hN/Pc0xGUHbsKHGyk=
github.com/anchore/syft v0.35.0 h1:Z5L/Jnst32Zj2gUpIMkE3vAwZhSRbsHMh3L/KQen+64=
github.com/anchore/syft v0.35.0/go.mod h1:Tc9SYuelmg7xw3PxOPFXOVYpSA18y40pCDuNwS0idY8=
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=


@ -113,7 +113,7 @@ func TestBothSecdbAndNvdMatches(t *testing.T) {
ID: "CVE-2020-1",
VersionConstraint: "<= 0.9.11",
VersionFormat: "unknown",
CPEs: []string{"cpe:2.3:a:lib_vnc_project-(server):libvncserver:*:*:*:*:*:*:*:*"},
CPEs: []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
Namespace: "nvd",
}
@ -283,7 +283,7 @@ func TestNvdOnlyMatches(t *testing.T) {
ID: "CVE-2020-1",
VersionConstraint: "<= 0.9.11",
VersionFormat: "unknown",
CPEs: []string{"cpe:2.3:a:lib_vnc_project-(server):libvncserver:*:*:*:*:*:*:*:*"},
CPEs: []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
Namespace: "nvd",
}
store := mockStore{
@ -350,7 +350,7 @@ func TestNvdMatchesWithSecDBFix(t *testing.T) {
ID: "CVE-2020-1",
VersionConstraint: "> 0.9.0, < 0.10.0", // note: this is not normal NVD configuration, but has the desired effect of a "wide net" for vulnerable indication
VersionFormat: "unknown",
CPEs: []string{"cpe:2.3:a:lib_vnc_project-(server):libvncserver:*:*:*:*:*:*:*:*"},
CPEs: []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
Namespace: "nvd",
}
@ -402,7 +402,7 @@ func TestNvdMatchesNoConstraintWithSecDBFix(t *testing.T) {
ID: "CVE-2020-1",
VersionConstraint: "", // note: empty value indicates that all versions are vulnerable
VersionFormat: "unknown",
CPEs: []string{"cpe:2.3:a:lib_vnc_project-(server):libvncserver:*:*:*:*:*:*:*:*"},
CPEs: []string{`cpe:2.3:a:lib_vnc_project-\(server\):libvncserver:*:*:*:*:*:*:*:*`},
Namespace: "nvd",
}
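Review bot: The four `CPEs:` fixtures in TestBothSecdbAndNvdMatches, TestNvdOnlyMatches, TestNvdMatchesWithSecDBFix and TestNvdMatchesNoConstraintWithSecDBFix now carry an escaped `\(server\)` inside a raw string, with nothing inline saying why the unescaped form stopped being acceptable. In the CPE 2.3 formatted-string binding, parentheses are special characters that must be backslash-escaped, and a Go interpreted string literal cannot contain `\(`, which is presumably why the literal was switched to backticks; without a comment the next reader is likely to "fix" it back. Suggest `// parentheses are special in the CPE 2.3 formatted-string binding and must be escaped (hence the raw string)` above the first occurrence. The enclosing test functions start and end outside these hunks.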


@ -112,8 +112,8 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
name: "match from range",
p: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando1:*:rando2:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:rando3:*:rails:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando1:*:ra:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:re:*:rails:*:*")),
},
Name: "activerecord",
Version: "3.7.5",
@ -128,8 +128,8 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
},
Package: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando1:*:rando2:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:rando3:*:rails:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando1:*:ra:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:re:*:rails:*:*")),
},
Name: "activerecord",
Version: "3.7.5",
@ -141,7 +141,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
Confidence: 0.9,
SearchedBy: SearchedByCPEs{
Namespace: "nvd",
CPEs: []string{"cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:rando3:*:rails:*:*"},
CPEs: []string{"cpe:2.3:*:activerecord:activerecord:3.7.5:rando4:*:re:*:rails:*:*"},
},
Found: FoundCPEs{
CPEs: []string{"cpe:2.3:*:activerecord:activerecord:*:*:*:*:*:rails:*:*"},
@ -157,8 +157,8 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
name: "multiple matches",
p: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:rando2:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:rando3:*:rails:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:ra:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:re:*:rails:*:*")),
},
Name: "activerecord",
Version: "3.7.3",
@ -173,8 +173,8 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
},
Package: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:rando2:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:rando3:*:rails:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:ra:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:re:*:rails:*:*")),
},
Name: "activerecord",
Version: "3.7.3",
@ -187,7 +187,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
Confidence: 0.9,
SearchedBy: SearchedByCPEs{
CPEs: []string{
"cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:rando3:*:rails:*:*",
"cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:re:*:rails:*:*",
},
Namespace: "nvd",
},
@ -206,8 +206,8 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
},
Package: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:rando2:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:rando3:*:rails:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:ra:*:ruby:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:activerecord:activerecord:3.7.3:rando4:*:re:*:rails:*:*")),
},
Name: "activerecord",
Version: "3.7.3",
@ -219,7 +219,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
{
Confidence: 0.9,
SearchedBy: SearchedByCPEs{
CPEs: []string{"cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:rando2:*:ruby:*:*"},
CPEs: []string{"cpe:2.3:*:activerecord:activerecord:3.7.3:rando1:*:ra:*:ruby:*:*"},
Namespace: "nvd",
},
Found: FoundCPEs{
@ -289,7 +289,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
name: "fuzzy version match",
p: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:awesome:awesome:98SE1:rando1:*:rando2:*:dunno:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:awesome:awesome:98SE1:rando1:*:ra:*:dunno:*:*")),
},
Name: "awesome",
Version: "98SE1",
@ -302,7 +302,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
},
Package: pkg.Package{
CPEs: []syftPkg.CPE{
must(syftPkg.NewCPE("cpe:2.3:*:awesome:awesome:98SE1:rando1:*:rando2:*:dunno:*:*")),
must(syftPkg.NewCPE("cpe:2.3:*:awesome:awesome:98SE1:rando1:*:ra:*:dunno:*:*")),
},
Name: "awesome",
Version: "98SE1",
@ -312,7 +312,7 @@ func TestFindMatchesByPackageCPE(t *testing.T) {
{
Confidence: 0.9,
SearchedBy: SearchedByCPEs{
CPEs: []string{"cpe:2.3:*:awesome:awesome:98SE1:rando1:*:rando2:*:dunno:*:*"},
CPEs: []string{"cpe:2.3:*:awesome:awesome:98SE1:rando1:*:ra:*:dunno:*:*"},
Namespace: "nvd",
},
Found: FoundCPEs{
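Review bot: The CPE fixtures in TestFindMatchesByPackageCPE replace `rando2`/`rando3` with `ra`/`re` in the seventh colon-separated component, which is the language field of a CPE 2.3 name, and nothing in the hunks explains why the old values were no longer accepted. The commit message only says "add new valid CPE", so the likely reason, the updated syftPkg.NewCPE validating that component as a language tag, is an inference that should be confirmed before it is written down. Once confirmed, a one-line comment at the first fixture would prevent the values being changed back, e.g. `// 7th field is the CPE language component; syftPkg.NewCPE rejects values that are not a valid language tag`. TestFindMatchesByPackageCPE begins and ends outside these hunks.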


@ -3,6 +3,7 @@ package pkg
import (
"github.com/anchore/stereoscope/pkg/image"
"github.com/anchore/syft/syft"
"github.com/anchore/syft/syft/pkg/cataloger"
"github.com/anchore/syft/syft/source"
)
@ -17,7 +18,10 @@ func syftProvider(userInput string, scopeOpt source.Scope, registryOptions *imag
}
defer cleanup()
catalog, _, theDistro, err := syft.CatalogPackages(src, scopeOpt)
searchConfig := cataloger.DefaultConfig()
searchConfig.Search.Scope = scopeOpt
catalog, _, theDistro, err := syft.CatalogPackages(src, searchConfig)
if err != nil {
return nil, Context{}, err
}
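Review bot: `searchConfig` in syftProvider is built from `cataloger.DefaultConfig()` with only `Search.Scope` overridden, so every other cataloger setting is now inherited from syft's defaults rather than chosen by grype, and the code does not say that this is deliberate. A short comment would make the intent explicit for the next syft upgrade, e.g. `// only the search scope comes from the caller; every other cataloger option keeps syft's default`. The same construction is repeated in TestMatchByImage and getSyftSBOM in this commit. syftProvider's signature and the rest of its body are outside this hunk.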


@ -11,6 +11,7 @@ import (
"github.com/anchore/stereoscope/pkg/imagetest"
"github.com/anchore/syft/syft"
syftPkg "github.com/anchore/syft/syft/pkg"
"github.com/anchore/syft/syft/pkg/cataloger"
"github.com/anchore/syft/syft/source"
"github.com/sergi/go-diff/diffmatchpatch"
)
@ -354,7 +355,10 @@ func TestMatchByImage(t *testing.T) {
defer cleanup()
// TODO: relationships are not verified at this time
theCatalog, _, theDistro, err := syft.CatalogPackages(theSource, source.SquashedScope)
config := cataloger.DefaultConfig()
config.Search.Scope = source.SquashedScope
theCatalog, _, theDistro, err := syft.CatalogPackages(theSource, config)
if err != nil {
t.Fatalf("could not get the source obj: %+v", err)
}


@ -3,6 +3,7 @@ package integration
import (
"errors"
"fmt"
"github.com/anchore/syft/syft/pkg/cataloger"
"os"
"os/exec"
"path/filepath"
@ -68,9 +69,10 @@ func getSyftSBOM(t testing.TB, image string) string {
}
t.Cleanup(cleanup)
scope := source.SquashedScope
config := cataloger.DefaultConfig()
config.Search.Scope = source.SquashedScope
// TODO: relationships are not verified at this time
catalog, _, distro, err := syft.CatalogPackages(src, scope)
catalog, _, distro, err := syft.CatalogPackages(src, config)
sbom := sbom.SBOM{
Artifacts: sbom.Artifacts{
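Review bot: The new import `"github.com/anchore/syft/syft/pkg/cataloger"` in the integration file is placed inside the standard-library group between `"fmt"` and `"os"`, which goimports would not produce and which breaks the stdlib/third-party grouping that the other two files touched by this commit keep. Move it into the group that holds the other `github.com/anchore/syft` imports, which presumably sits below the stdlib block outside this hunk, and run goimports on the file. getSyftSBOM continues past the end of the hunk.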