Commit graph

214 commits

Author SHA1 Message Date
Alex Goodman
787aae1ae2
Merge indirect matches with direct matches (#2241)
* allow for merging similar indirect matches to existing direct matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address PR review comments

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-11-07 16:22:47 +00:00
anchore-actions-token-generator[bot]
50d47a5442
test: update quality gate db to latest version (#2231)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-11-04 12:23:38 -05:00
Alex Goodman
ad5f441680
Remove gentoo integration test (#2227)
* remove gentoo integration test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove portage matcher from completion testing

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-10-30 18:23:02 -04:00
Alex Goodman
0cc544f7ee
Improve purl input (#2223)
* improve purl input

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address review comments

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-10-30 17:16:46 +00:00
Adnan Gulegulzar
aed04a14f2
Add grype db providers command (#2174)
* feat: add `grype db providers` command

- currently reads content of `provider-metadata.json` file
- added flag `-o`/`--output` flags which accept `json` and `table`
- update method `getDBProviders()` and type `dbProviderMetadata` for db schema `v6`

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: update readme for `grype db providers`

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: update lint

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: add cli test for `grype db providers`

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* fix: review changes

- updated table as the default output format
- updated tablewriter settings
- added unit test for the components of db providers command
- added dummy "provider-metadata.json" to aid unit tests
- added table and json assertion to cli test

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: removes changes to `db diff`, `db search` and `db list` commands

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: remove unused constants

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>

* chore: move constants to scope where used

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Adnan Gulegulzar <gulegulzaradnan@gmail.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-10-28 18:27:14 +00:00
Keith Zantow
398017c601
feat: multi-level configuration and profiles (#2194)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-10-23 12:18:18 -04:00
Weston Steimel
420508f347
chore: bump syft in quality gate to v1.14.0 (#2187)
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-10-14 17:18:42 +00:00
anchore-actions-token-generator[bot]
374eaeb24a
test: update quality gate db to latest version (#2153)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-10-01 13:53:17 -04:00
Alex Goodman
62a8486e1a
implement a low pass filter for update checks (#2148)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-30 12:43:35 -04:00
Alex Goodman
8a687c4a55
migrate legacy distribution concerns (#2144)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-30 09:30:29 -04:00
William Murphy
be83782134
feat: add distro mapping for azure linux 3 (#1848)
* feat: add distro mapping for azure linux 3

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* map mariner to azure on write path, not read path

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* add azure to list of all types

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix unit tests

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: fix line endings in Azure Linux 3.0 example release file

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: update vuln match labels

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: add new result set for azure linux 3

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* add and wire up 2022 test set

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: actually validate

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: turn off failure on empty match set

Right now, the grype PR runner doesn't have a vuln db with Azure Linux
3.0 in it, so this setting needs to be off until the release.

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: use vuln match labels from main

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-09-24 13:54:53 -04:00
Alex Goodman
2e206052bc
Correctly match JVM version ranges (#2114)
* add jvm version comparison

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add integration tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove jvm matcher

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add syft binary jre/jdk packages

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump syft rev to get permissive glob change

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix test cases

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* pull in syft cataloger from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-23 21:45:01 +00:00
William Murphy
eeeea9e96d
chore: switch to yardstick validate from custom gate.py (#2090)
* chore: switch to yardstick validate from custom gate.py

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* fix python version to work with new yardstick

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

* chore: use yardstick release not branch

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-09-23 14:48:00 -04:00
dependabot[bot]
9fb219495a
chore(deps): bump github.com/anchore/syft from 1.11.1 to 1.12.2 (#2108)
* chore(deps): bump github.com/anchore/syft from 1.11.1 to 1.12.2

Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 1.11.1 to 1.12.2.
- [Release notes](https://github.com/anchore/syft/releases)
- [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/anchore/syft/compare/v1.11.1...v1.12.2)

---
updated-dependencies:
- dependency-name: github.com/anchore/syft
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* pin modernc/sqlite back due to build failure

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* account for new ocaml package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update comment

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-11 16:57:20 +00:00
anchore-actions-token-generator[bot]
f9d8ac16ad
test: update quality gate db to latest version (#2094)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-03 12:23:56 -04:00
Weston Steimel
b65822607e
chore: bump quality gate vuln match labels data (#2069)
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-08-20 14:00:25 -04:00
Lucas Rodriguez
e7a3c011bc
fix: do not panic when given empty string arg (#2064)
Signed-off-by: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
2024-08-19 12:58:39 -04:00
Keith Zantow
b12a6f2dc9
chore: remove quality gate Makefile db age check (#2036)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-08-12 11:59:53 -04:00
Keith Zantow
4dfd9d76d1
feat: update to Syft 1.11.0 (#2047)
2024-08-09 14:32:05 -04:00
anchore-actions-token-generator[bot]
8642eba1b0
test: update quality gate db to latest version (#2034)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2024-08-06 07:48:26 -04:00
anchore-actions-token-generator[bot]
486f9f11b1
test: update quality gate db to latest version (#2026)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-08-01 12:39:14 -04:00
anchore-actions-token-generator[bot]
406d196726
chore(deps): update Syft to v1.10.0 (#2019)
2024-07-30 13:18:54 -04:00
anchore-actions-token-generator[bot]
5d9415df9e
test: update quality gate db to latest version (#1972)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-07-02 07:41:09 -07:00
Christopher Angelo Phillips
84cbf10b9c
chore: add workflow to update quality test db (#1961)
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-06-25 10:38:37 -04:00
Christopher Angelo Phillips
5e454d8240
chore: update test_db_url; remove white space (#1960)
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-06-24 16:54:26 +00:00
Shubham Hibare
17b104771a
feat(signature): Checksum signature verification (#1670)
* feat(signature): Checksum signature verification

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Update message

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address comments

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* consider -v flag across supported releases

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for install.sh signature verification

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* check that release is run from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* summarize install.sh flags and recommendations

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove regex use on cosign verify-blob

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* simplify the compare_semver install function

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add more tests to compare_semver

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit copy change for install help

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep original compare_semver implementation

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update copy to include default install path

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
2024-06-06 21:23:04 +00:00
Alex Goodman
e5b341b87a
add skopeo to managed utilities (#1915)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-06-06 18:58:34 +00:00
Alex Goodman
621eeddcce
Update syft to 1.4.2-0.20240528141306-ac34808b9c55 (#1895)
* update to latest syft

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix tests related to syft bump

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-28 15:06:16 +00:00
Christopher Angelo Phillips
8c044b0d08
fix: update grype version to support darwin arm64 (#1830)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-25 18:34:48 +00:00
Zach Hill
a7cbe3a26c
fix: adds ignore rules for kernel-headers indirect matches (#1787)
* fix: adds ignore rules for kernel-headers indirect matches

Adds ignoring of kernel-headers indirect matches on kernel vulns
since the kernel-headers package does not have the kernel code in it
that kernel vulns are actually referring to.

Adds a config value to control this ignore behavior that defaults to
enabling the ignore rules.

Fixes: 1762

* Adds ignore rule support for match types and upstream package names.
* Adds default ignore rules for kernel-headers indirect matches on kernel
for rpms.

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: add match-upstream-kernel-headers config to README.md

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: update match labels

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Zach Hill <zach@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-04-15 13:29:19 -07:00
Christopher Angelo Phillips
57af1c34cb
chore: update syft to latest v1.1.1 (#1784)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-04 11:52:02 -04:00
Keith Zantow
77e00feb42
chore: update syft source providers (#1727)
2024-02-27 20:47:51 -05:00
Keith Zantow
f664c59997
chore(test): update quality test grype db (#1726)
2024-02-23 10:01:42 -05:00
anchore-actions-token-generator[bot]
b9cf0e5cf8
chore(deps): update Syft to v0.105.0 (#1714)
* chore(deps): update Syft to v0.105.0

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-02-14 22:09:50 +00:00
Weston Steimel
63a5788cb2
test(quality): bump label dataset and images (#1712)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2024-02-13 13:38:04 -05:00
Keith Zantow
ba0cc19a1e
fix: ensure version output to stdout (#1709)
2024-02-09 21:05:52 +00:00
William Murphy
396cc0aea7
Bump Syft in Grype to pull in unmarshaling fix (#1703)
* WIP: package builds but tests do not

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* WIP: some unit tests compile

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* WIP: unit tests compile but do not pass

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* Units passing with some changes to syft

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* fix: excludes plus bad sbom should not suppress error

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* add conan entry v2 package test

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* bump syft again

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: fix compiler error in integration tests

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: remove erlang OTP from package types that must be seen in test image

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* bump syft version used

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-02-07 14:28:48 -05:00
Alex Goodman
3e0aa00242
Fix matching when RPM modularity is a factor (#1679)
* allow for RPM modularity to be optional

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use latest syft from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump syft

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove lint ignores for CPEs

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update snapshot tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: treat oraclelinux default appstream rpm modularity as missing for now

For oraclelinux, the default stream of an installed appstream package does not currently set
the MODULARITYLABEL property in the rpm metadata; however, in their advisory data they do specify
modularity information, so this ends up in a case where the vuln entries have modularity but the
packages coming from the sbom won't, so for now we need to treat the constraint as satisfied when the
modularity label from an oraclelinux package is "".

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* test: add new appstream images to quality gate and bump labels

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: bump quality gate labels

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
2024-01-26 09:18:11 -05:00
William Murphy
73cb5f6647
chore: break assumption that syft cpe.CPE is wfn.Attributes (#1675)
* chore: break assumption that syft cpe.CPE is wfn.Attributes

Previously, Syft's cpe.CPE type was an alias for wfn.Attributes. Fix a
couple places where Grype's compilation depended on that fact, since it
will stop being true in the next Syft release.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: fix linter

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-01-25 14:24:01 +00:00
Alex Goodman
4569a5ffa6
upgrade syft with latest SBOM creation API (#1662)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-01-17 12:33:09 -05:00
Dan Luhring
474030cc62
fix: distro FP data not applied correctly (#1603)
* fix: distro FP data not applied correctly

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* fix: apply FP data to apk subpackages

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-01-04 13:12:18 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests (#1623)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset (#1606)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
Alex Goodman
21958a43b5
Incorporate format API changes from syft (#1582)
* incorporate changes from anchore/syft#2228

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix testing utils to use syft SBOM

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-02 15:25:48 -04:00
Mateusz Urbanek
0d870faea6
feat(config): added reason field (#1532)
* feat(config): added reason field

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>

* add CLI test for ignore reason field

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-30 15:31:42 -04:00
Christopher Angelo Phillips
401d67cd96
feat: add custom maven comparator (#1571)
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-27 14:24:56 -04:00
Alex Goodman
156c081d3e
Incorporate Syft java detection improvements (#1555)
* incorporate anchore/syft#2220

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* incorporate .net core improvements

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:34:36 -04:00
James Hebden
30f05c3759
Add --ignore-states flag for ignoring findings with specific fix states (#1473)
* Add --ignore-states flag for ignoring findings by fix state

Signed-off-by: James Hebden <jhebden@gitlab.com>

* ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated

Signed-off-by: James Hebden <jhebden@gitlab.com>

* Add CLI tests for new --ignore-states flag

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: James Hebden <jhebden@gitlab.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-17 14:07:34 -04:00
Weston Steimel
25762b7e3b
feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
* feat: disable CPE-based matching for GHSA ecosystems by default

Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories. Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: use --by-cve with quality gate comparison

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: add rust auditable binary match integration test

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-10-12 09:07:33 -04:00
anchore-actions-token-generator[bot]
7e5df38029
chore(deps): update Syft to v0.93.0 (#1550)
* chore(deps): update Syft to v0.93.0

Signed-off-by: GitHub <noreply@github.com>

* fix test to account for go pkg stdlib

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-10-10 18:26:34 +00:00