* chore(deps): update Syft to v0.93.0
Signed-off-by: GitHub <noreply@github.com>
* fix test to account for go pkg stdlib
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
Pulls in a fix to go-progress so that scanning large images no longer
results in a data race in the UI code.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Previously, grype used fuzzy matcher for Python packages, since
there are cases in PEP440 that are not strictly semver. Switch to a
library that does PEP440 parsing and comparison for python version
constraints.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for pkg type exceptions for github actions and workflows
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx json schema from v1.4 to v1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to syft v0.91.0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go-setup action to v4
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove asset upload from release workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: remove dependency on sqlite fork
* chore(deps): bump gorm.io/gorm from 1.23.10 to 1.25.4
Removed the dependency on github.com/anchore/sqlite because the diff
added to that fork was no longer needed.
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.23.10 to 1.25.4.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](https://github.com/go-gorm/gorm/compare/v1.23.10...v1.25.4)
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
* go.mod: Pull OpenVEX go modules
This commit pulls the OpenVEX libraries into the grype source.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add generic VEX processor package
This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.
The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Add OpenVEX processor implementation
This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Table presenter: Highligt results suppressed by VEX
This commit marks results suppressed by VEX when presenting them
to the user.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Define VEX status constants
This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add VexStatus to ignore rules
This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add IgnoreRule HasConditions method
Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Control VEX filtering through IgnoreRules
This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Allow rules to match on VEX justification
This commit expands the ingore rules to also work on vex the
justification of not_affected statements.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Use go-vex merge implementation
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add OpenVEX matcher to matcher list
This commit adds a new entry to the matchers: An openvex matcher
This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add vex.AugmentMatches() to the vex processor
This commit adds a new AugmentMatches() phase to the VEX processor.
This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.
The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Parse context identifiers using GGC
This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Bump funlen linter to 73
This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
* Add VEX testing to matchers test
This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* add vex status and justification to ignored rule json model
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit rename + add TODO question about augmenting ignored matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit document comment updates + common variable extraction
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate legacy matcher function to vulnerability matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update tui to respond to ignored and dropped matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate vex processing to vulnerability match object
Based on Alex's previous caommit
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Migrate VEX options and app config from legacy CLI
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* update table snapshot tests with suppressed vex entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for match.Matches.Diff()
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for vex processor
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting and restore global funlen rule
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove grpc pin
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* always return remaining and ignroed matches from matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add VEX documentation to main README
This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
---------
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Fix the race conditions from setting stage.Current from multiple go
routines by upgrading to a newer version of go-progress that includes an
atomic version of stager and using that. Enable race detection on unit
tests, and on a single invocation of the main command under the
integration target.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Our understanding is that without the patch version, every run of "go
mod tidy" will write a toolchain directive in the file, which will
result in a diff from contributors with different point versions of go,
which is noisy and prone to breaking CI.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add registry certificate verification support
* modify go.mod
* rename registry cert options, add docs, and add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update to account for changes in anchore/stereoscope#195
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): update Syft to v0.86.0
Signed-off-by: GitHub <noreply@github.com>
* fix python package metadata shape
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* account for new metadatas added in syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump syft to unreleased but fixed version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
* initial port to bubbletea
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove jotframe UI
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add bubbletea component tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update main.go refs to cmd package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move goreleaser build dir to cmd
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade yardstick for grype source installs and fix post-ui tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure stable severity map in UI component test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add windows support for tui
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* port to new syft source API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add db staleness check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* less config fields
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix import order
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* warn even when set to not error on staleness
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* lint fix
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix test
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent log message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent new version message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* human friendly time durations
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix typo
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* cleaner tests and default db value
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add key flag to attest validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp: verify sig and extract sbom
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip read attestation without scheme
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp consuming attestations - needs unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove prototype file
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop local syft from go.mod
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix order of sbom parsing strategies
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle implicit attestation input
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test for invalid attestation key
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* rebase and go-mod-tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* consume attestation via stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* attestation test for stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* validate input and content for attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add stdin test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix config tags
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add int test to ignore attestation validation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix cycloneDX attestation fixture
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered att test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered predicate type test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* improve docs/help on atttestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* upgrade to latest syft
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fall through when guessing between sbom and att
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix butter finger rebase
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* drop default key value
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* assert error messages
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better test/cli coverage
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix stdin decode test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix goimports
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* tui - verified attestation and feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better naming
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add attestation section to config file
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* emit event for skipped verification
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* use public key name
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
Since grype now depends on debug/buildinfo go 1.18 is required to build
grype and as such go.mod needs updating
Signed-off-by: 06kellyjac <jack@control-plane.io>
* upgrade github workflows to go 1.18
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* upgrade syft & set go1.18 for CI workflows
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add go1.17 static analysis
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix yaml comment
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* bump syft to v0.39.0
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ByCriteria to log error on failure
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* integration tests now pass
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* bump to v0.39.3
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* raise search failures to warn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go.mod/sum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* add metadata extraction from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract upstream packages before matching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put pkg.UpstreamPackages under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove pURL related processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in syft spdx decoding
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for more flexible GHSA namespace and source extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add matching parity integration tests for all supported formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to get spdx tv fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test stereoscope with fix
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove mod replacement and use latest stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* enable merging of matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ability for matches constructor to take initial matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to include IDs on package objects
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename common matcher helper package to search package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename search functions and add SearchByCriteria
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cleanup imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add strong distro type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update grype/db package to use distro pointer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* source distro type from release name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to pull in distro type updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump lint timeout
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port grype-db to grype
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate vulnerability provider implementation to db package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade path import validations
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting issues
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update to secure syft version
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* bump stereoscope to remove vulnerable containerd
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update syft
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update CatalogPackages to use new cataloger config struct
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update integration tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Adding AlmaLinux OS Support
Signed-off-by: Bala Raman <srbala@gmail.com>
* incorporate grype-db updates for ALMA linux
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* update syft and jotframe
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update validations and release pipeline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* moved terminal package to golang.org/x/term
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update integration tests to account for package relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add license exception for xz
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update Location and Coordinate references
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove benchmark tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove mac acceptance tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syft-grype relationship notes in DEVELOPING.md
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Add injectable HTTP client to file getter
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* WIP: Map config for custom CA certs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* update curator and add tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add TLS helper scripts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove grype-db local mod edit
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go modules
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ssl.context over deprecated fn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* disallow tls 1 and 1.1
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* suppress non-archive sources for fetch-to-dir capability
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure DB load failure does not panic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
- Update grype-db dependency for the distro-feed namespace mapping
- Add test to verify the above mapping
Signed-off-by: Swathi Gangisetty <swathi@anchore.com>
* update syft version with correct arguments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump integration tests with new presenter format
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration tests to remove php-composer failure
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* use named pipe bit on stdin as indicator for piped input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure stdin is ignored when the CLI hints are present
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add CLI test to cover subprocess integration behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* added test case for java regression
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove extra line in makefile
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update grype to compile windows
Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update go mod with new stereoscope
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update build comments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* small build tags
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add goreleaser windows
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump syft version
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update tests
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test images to use newest pinned golang
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* split and upgrade config processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade UI organization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose logger writter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) event loop abstraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update aux commands to use Cobra RunE over Run
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade root command to use new event loop and signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test to account for config representation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update dependencies + fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* decompose application config parse func + add missing config struct tags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore unparam lint exclusion for registry config
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Preliminary implementation of ignore rules
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Support ignoring matches by package type
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add tests for ignore functionality
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add documentation for ignore rules and clean up README
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add test for glob location matching
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than value for 0.23.0 this commit updates our
integration tests to reflect that change
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Update go-version package and add test
This is being updated due to an issue that was encountered in the lessThanEqual constraint in go-version: https://github.com/anchore/go-version/pull/2. Was disovered while adding tests for apk origin package matching
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
* Added matching with source package for apk
This change allows grype to match with a packages source package for apk. Adds APKMetadata with OriginPackage, new matching logic in apk matchers, and tests
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
