* fix: adds ignore rules for kernel-headers indirect matches
Adds ignoring of kernel-headers indirect matches on kernel vulns
since the kernel-headers package does not have the kernel code in it
that kernel vulns are actually referring to.
Adds a config value to control this ignore behavior that defaults to
enabling the ignore rules.
Fixes: 1762
* Adds ignore rule support for match types and upstream package names.
* Adds default ignore rules for kernel-headers indirect matches on kernel
for rpms.
Signed-off-by: Zach Hill <zach@anchore.com>
* chore: add match-upstream-kernel-headers config to README.md
Signed-off-by: Zach Hill <zach@anchore.com>
* chore: update match labels
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Zach Hill <zach@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
* allow for RPM modularity to be optional
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use latest syft from main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove lint ignores for CPEs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update snapshot tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: treat oraclelinux default appstream rpm modularity as missing for now
For oraclelinux, the default stream of an installed appstream package does not currently set
the MODULARITYLABEL property in the rpm metadata; however, in their advisory data they do specify
modularity information, so this ends up in a case where the vuln entries have modularity but the
packages coming from the sbom won't, so for now we need to treat the constraint as satisfied when the
modularity label from an oraclelinux package is "".
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* test: add new appstream images to quality gate and bump labels
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: bump quality gate labels
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Previously, if a user cloned grype without passing
"--recurse-submodules", the makefile under test/quality would fail to
initialize the submodule, resulting in unexpected behavior. Always
initialize the submodule if it's misisng.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Include changes to gate.py to correctly guess that local builds of grype
are considered the changed version, not the latest release.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: use syft v0.86.1 in the quality gate tests
This ensures the CPE dict enhancements are taken into account for
future quality gate comparisons
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: bump runner to use larger disk
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
Co-authored-by: Christopher Phillips <cphillips918@gmail.com>
Permit piping "make validate" (from test/quality) to a file without filling it with control
characters.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* initial port to bubbletea
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove jotframe UI
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add bubbletea component tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update main.go refs to cmd package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move goreleaser build dir to cmd
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade yardstick for grype source installs and fix post-ui tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure stable severity map in UI component test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add windows support for tui
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Previously, the -r{buildindex} suffix of APK package versions were
treated as pre-release versions per the fuzzy matcher logic; however,
these should be treated as equivalent to the release version for the
purposes of collecting CPE-based matches for APK packages.
We may want to make a similar change in syft to generate cleaner CPE
versions for APK packages, but making the change in grype corrects
behaviour for previously-generated SBOMs as well.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by
syft cataloging but are well-known sources of false-positives. This currently adds support for filtering various
permutations of `wordpress`, `joomla`, and `drupal`
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
