bump syft version (add package.json, rename bundler to ruby)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Makefile

@@ -119,7 +119,7 @@ check-licenses:
 unit: ## Run unit tests (with coverage)
 	$(call title,Running unit tests)
 	mkdir -p $(RESULTSDIR)
-	go test -coverprofile $(COVER_REPORT) ./...
+	go test -coverprofile $(COVER_REPORT) $(shell go list ./... | grep -v anchore/grype/test)
 	@go tool cover -func $(COVER_REPORT) | grep total |  awk '{print substr($$3, 1, length($$3)-1)}' > $(COVER_TOTAL)
 	@echo "Coverage: $$(cat $(COVER_TOTAL))"
 	@if [ $$(echo "$$(cat $(COVER_TOTAL)) >= $(COVERAGE_THRESHOLD)" | bc -l) -ne 1 ]; then echo "$(RED)$(BOLD)Failed coverage quality gate (> $(COVERAGE_THRESHOLD)%)$(RESET)" && false; fi
@@ -127,7 +127,7 @@ unit: ## Run unit tests (with coverage)
 .PHONY: integration
 integration: ## Run integration tests
 	$(call title,Running integration tests)
-	go test -v -tags=integration ./test/integration
+	go test -v ./test/integration
 
 # note: this is used by CI to determine if the integration test fixture cache (docker image tars) should be busted
 .PHONY: integration-fingerprint

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca
 	github.com/anchore/grype-db v0.0.0-20200929200644-6d1c82acc95e
 	github.com/anchore/stereoscope v0.0.0-20200925184903-c82da54e98fe
-	github.com/anchore/syft v0.2.0
+	github.com/anchore/syft v0.3.1-0.20201016212214-bb14f3b45b3e
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible
 	github.com/dustin/go-humanize v1.0.0
 	github.com/facebookincubator/nvdtools v0.1.4-0.20200622182922-aed862a62ae6

go.sum

@@ -137,6 +137,10 @@ github.com/anchore/syft v0.1.0-beta.5.0.20200929155319-b6dfdf16b6a8 h1:lK6AEvTED
 github.com/anchore/syft v0.1.0-beta.5.0.20200929155319-b6dfdf16b6a8/go.mod h1:fxzECHyEWfAZ06gJVyrKK+DEkLJeJ4PrK7eyPAwqJR0=
 github.com/anchore/syft v0.2.0 h1:GK+41ub8jfZhBD4PbtKMCedJif9FVN/67iGvNtBZbTk=
 github.com/anchore/syft v0.2.0/go.mod h1:fxzECHyEWfAZ06gJVyrKK+DEkLJeJ4PrK7eyPAwqJR0=
+github.com/anchore/syft v0.3.0 h1:AgeMR8e72BqWO2IViIK+ME40GlI8S5XrV1yhlmm0gy0=
+github.com/anchore/syft v0.3.0/go.mod h1:fxzECHyEWfAZ06gJVyrKK+DEkLJeJ4PrK7eyPAwqJR0=
+github.com/anchore/syft v0.3.1-0.20201016212214-bb14f3b45b3e h1:jZQU+1Y4BwV3ImideJVH3HYpT1UhWycJMkUY5W6DEuQ=
+github.com/anchore/syft v0.3.1-0.20201016212214-bb14f3b45b3e/go.mod h1:fxzECHyEWfAZ06gJVyrKK+DEkLJeJ4PrK7eyPAwqJR0=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=

grype/match/matcher_type.go

@@ -3,7 +3,7 @@ package match
 const (
 	UnknownMatcherType MatcherType = iota
 	ApkMatcher
-	RubyBundleMatcher
+	RubyGemMatcher
 	DpkgMatcher
 	RpmDBMatcher
 	JavaMatcher
@@ -14,7 +14,7 @@ const (
 var matcherTypeStr = []string{
 	"UnknownMatcherType",
 	"apk-matcher",
-	"ruby-bundle-matcher",
+	"ruby-gem-matcher",
 	"dpkg-matcher",
 	"rpmdb-matcher",
 	"java-matcher",
@@ -24,7 +24,7 @@ var matcherTypeStr = []string{
 
 var AllMatcherTypes = []MatcherType{
 	ApkMatcher,
-	RubyBundleMatcher,
+	RubyGemMatcher,
 	DpkgMatcher,
 	RpmDBMatcher,
 	JavaMatcher,

grype/matcher/controller.go

@@ -4,12 +4,12 @@ import (
 	"github.com/anchore/grype/grype/event"
 	"github.com/anchore/grype/grype/match"
 	"github.com/anchore/grype/grype/matcher/apk"
-	"github.com/anchore/grype/grype/matcher/bundler"
 	"github.com/anchore/grype/grype/matcher/dpkg"
 	"github.com/anchore/grype/grype/matcher/java"
 	"github.com/anchore/grype/grype/matcher/javascript"
 	"github.com/anchore/grype/grype/matcher/python"
 	"github.com/anchore/grype/grype/matcher/rpmdb"
+	"github.com/anchore/grype/grype/matcher/ruby"
 	"github.com/anchore/grype/grype/vulnerability"
 	"github.com/anchore/grype/internal/bus"
 	"github.com/anchore/grype/internal/log"
@@ -39,7 +39,7 @@ func newController() controller {
 		matchers: make(map[pkg.Type][]Matcher),
 	}
 	ctrlr.add(&dpkg.Matcher{})
-	ctrlr.add(&bundler.Matcher{})
+	ctrlr.add(&ruby.Matcher{})
 	ctrlr.add(&python.Matcher{})
 	ctrlr.add(&rpmdb.Matcher{})
 	ctrlr.add(&java.Matcher{})

grype/matcher/javascript/matcher.go

@@ -12,7 +12,7 @@ type Matcher struct {
 }
 
 func (m *Matcher) PackageTypes() []pkg.Type {
-	return []pkg.Type{pkg.NpmPkg, pkg.YarnPkg}
+	return []pkg.Type{pkg.NpmPkg}
 }
 
 func (m *Matcher) Type() match.MatcherType {

grype/matcher/ruby/matcher.go

@@ -1,4 +1,4 @@
-package bundler
+package ruby
 
 import (
 	"github.com/anchore/grype/grype/match"
@@ -16,7 +16,7 @@ func (m *Matcher) PackageTypes() []pkg.Type {
 }
 
 func (m *Matcher) Type() match.MatcherType {
-	return match.RubyBundleMatcher
+	return match.RubyGemMatcher
 }
 
 func (m *Matcher) Match(store vulnerability.Provider, _ distro.Distro, p *pkg.Package) ([]match.Match, error) {

test/integration/corner_cases_test.go

@@ -1,5 +1,3 @@
-//+build integration
-
 package integration
 
 import (

test/integration/db_mock_test.go

@@ -1,5 +1,3 @@
-//+build integration
-
 package integration
 
 import (
@@ -36,10 +34,10 @@ func NewMockDbStore() *mockStore {
 				},
 			},
 			"github:npm": {
-				"validator": []v1.Vulnerability{
+				"npm": []v1.Vulnerability{
 					{
 						ID:                "CVE-javascript-validator",
-						VersionConstraint: "< 3.2.1",
+						VersionConstraint: "> 5, < 7.2.1",
 						VersionFormat:     "unknown",
 					},
 				},

test/integration/match_coverage_test.go

@@ -1,5 +1,3 @@
-//+build integration
-
 package integration
 
 import (
@@ -57,7 +55,7 @@ func addAlpineMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog,
 }
 
 func addJavascriptMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, theStore *mockStore, theResult *match.Matches) {
-	packages := getPackagesByPath(t, theScope, catalog, "/javascript/pkg-lock/package-lock.json")
+	packages := getPackagesByPath(t, theScope, catalog, "/javascript/pkg-json/package.json")
 	if len(packages) != 1 {
 		t.Logf("Javascript Packages: %+v", packages)
 		t.Fatalf("problem with upstream syft cataloger (javascript)")
@@ -136,7 +134,7 @@ func addRubyMatches(t *testing.T, theScope scope.Scope, catalog *pkg.Catalog, th
 			"constraint": "> 4.0.0, <= 4.1.1 (semver)",
 		},
 		IndirectPackage: nil,
-		Matcher:         match.RubyBundleMatcher,
+		Matcher:         match.RubyGemMatcher,
 	})
 }
 

test/integration/test-fixtures/image-debian-match-coverage/javascript/pkg-json/package.json

@@ -0,0 +1,84 @@
+{
+  "version": "6.14.6",
+  "name": "npm",
+  "description": "a package manager for JavaScript",
+  "keywords": [
+    "install",
+    "modules",
+    "package manager",
+    "package.json"
+  ],
+  "preferGlobal": true,
+  "config": {
+    "publishtest": false
+  },
+  "homepage": "https://docs.npmjs.com/",
+  "author": "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/cli"
+  },
+  "bugs": {
+    "url": "https://npm.community/c/bugs"
+  },
+  "directories": {
+    "bin": "./bin",
+    "doc": "./doc",
+    "lib": "./lib",
+    "man": "./man"
+  },
+  "main": "./lib/npm.js",
+  "bin": {
+    "npm": "./bin/npm-cli.js",
+    "npx": "./bin/npx-cli.js"
+  },
+  "dependencies": {
+    "JSONStream": "^1.3.5",
+    "abbrev": "~1.1.1",
+    "ansicolors": "~0.3.2",
+    "write-file-atomic": "^2.4.3"
+  },
+  "bundleDependencies": [
+    "abbrev",
+    "ansicolors",
+    "ansistyles",
+    "write-file-atomic"
+  ],
+  "devDependencies": {
+    "deep-equal": "^1.0.1",
+    "get-stream": "^4.1.0",
+    "licensee": "^7.0.3",
+    "marked": "^0.6.3",
+    "marked-man": "^0.6.0",
+    "npm-registry-couchapp": "^2.7.4",
+    "npm-registry-mock": "^1.3.1",
+    "require-inject": "^1.4.4",
+    "sprintf-js": "^1.1.2",
+    "standard": "^11.0.1",
+    "tacks": "^1.3.0",
+    "tap": "^12.7.0",
+    "tar-stream": "^2.1.0"
+  },
+  "scripts": {
+    "dumpconf": "env | grep npm | sort | uniq",
+    "prepare": "node bin/npm-cli.js rebuild && node bin/npm-cli.js --no-audit --no-timing prune --prefix=. --no-global && rimraf test/*/*/node_modules && make -j4 mandocs",
+    "preversion": "bash scripts/update-authors.sh && git add AUTHORS && git commit -m \"update AUTHORS\" || true",
+    "licenses": "licensee --production --errors-only",
+    "tap": "tap -J --timeout 300 --no-esm",
+    "tap-cover": "tap -J --nyc-arg=--cache --coverage --timeout 600 --no-esm",
+    "lint": "standard",
+    "pretest": "npm run lint",
+    "test": "npm run test-tap --",
+    "test:nocleanup": "NO_TEST_CLEANUP=1 npm run test --",
+    "sudotest": "sudo npm run tap -- \"test/tap/*.js\"",
+    "sudotest:nocleanup": "sudo NO_TEST_CLEANUP=1 npm run tap -- \"test/tap/*.js\"",
+    "posttest": "rimraf test/npm_cache*",
+    "test-coverage": "npm run tap-cover -- \"test/tap/*.js\" \"test/network/*.js\"",
+    "test-tap": "npm run tap -- \"test/tap/*.js\" \"test/network/*.js\"",
+    "test-node": "tap --timeout 240 \"test/tap/*.js\" \"test/network/*.js\""
+  },
+  "license": "Artistic-2.0",
+  "engines": {
+    "node": "6 >=6.2.0 || 8 || >=9.3.0"
+  }
+}

test/integration/test-fixtures/image-debian-match-coverage/javascript/pkg-lock/package-lock.json

@@ -1,11 +0,0 @@
-{
-  "requires": true,
-  "lockfileVersion": 1,
-  "dependencies": {
-    "validator": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/validator/-/validator-1.0.0.tgz",
-      "integrity": "sha1-n4P1sZyZYjsC4uj6EerJzKux6GQ="
-    }
-  }
-}