Adds tests to ensure fuzzy version comparison logic works as expected
for java version strings under both the pre version 9 schema and the
modern semver equivalents. Details of the version schemes can be found
in https://openjdk.org/jeps/223
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* WIP: package builds but tests do not
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* WIP: some unit tests compile
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* WIP: unit tests compile but do not pass
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Units passing with some changes to syft
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: excludes plus bad sbom should not suppress error
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add conan entry v2 package test
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft again
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: fix compiler error in integration tests
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: remove erlang OTP from package types that must be seen in test image
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft version used
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade syft to v0.103.0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade syft to v0.103.1
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for RPM modularity to be optional
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use latest syft from main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove lint ignores for CPEs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update snapshot tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: treat oraclelinux default appstream rpm modularity as missing for now
For oraclelinux, the default stream of an installed appstream package does not currently set
the MODULARITYLABEL property in the rpm metadata; however, in their advisory data they do specify
modularity information, so this ends up in a case where the vuln entries have modularity but the
packages coming from the sbom won't, so for now we need to treat the constraint as satisfied when the
modularity label from an oraclelinux package is "".
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* test: add new appstream images to quality gate and bump labels
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: bump quality gate labels
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
* fix: bump fangs
Bump fangs to pull in https://github.com/anchore/fangs/pull/27, which
fixes an issue where env vars couldn't be used to set fields on embedded
structs in the config struct.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: bump fangs to pull in panic fix
The previous fangs fix panicked when summarizing configs with embedded
structs. Bump fangs to pull in https://github.com/anchore/fangs/pull/29
which fixes this panic.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* commit mod tidy
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Pull in dependency bumps from main to resolve conflicts
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* incorporate changes from anchore/syft#2228
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix testing utils to use syft SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Colorize severity in table output
- Create flag "--no-color" to allow disabling the color. By default its enabled.
- When "--no-color" not specified highlight severity in its color:
- Critical -> Bold Red
- High -> Red
- Medium -> Yellow
- Low -> Green
- Negligible -> Blue
- Note: Golang doesn't have all colors available. Also, doesn't seem to be able use hex codes properly.
- Add termenv to check if the terminal color profile supports colored output. If it doesn't default to noColor
Closes#225
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* fix: adopt EnvColorProfile to support NO_COLOR
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix linting and update snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): update Syft to v0.93.0
Signed-off-by: GitHub <noreply@github.com>
* fix test to account for go pkg stdlib
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
Pulls in a fix to go-progress so that scanning large images no longer
results in a data race in the UI code.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Previously, grype used fuzzy matcher for Python packages, since
there are cases in PEP440 that are not strictly semver. Switch to a
library that does PEP440 parsing and comparison for python version
constraints.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for pkg type exceptions for github actions and workflows
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx json schema from v1.4 to v1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to syft v0.91.0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go-setup action to v4
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove asset upload from release workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: remove dependency on sqlite fork
* chore(deps): bump gorm.io/gorm from 1.23.10 to 1.25.4
Removed the dependency on github.com/anchore/sqlite because the diff
added to that fork was no longer needed.
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.23.10 to 1.25.4.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](https://github.com/go-gorm/gorm/compare/v1.23.10...v1.25.4)
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
* go.mod: Pull OpenVEX go modules
This commit pulls the OpenVEX libraries into the grype source.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add generic VEX processor package
This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.
The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Add OpenVEX processor implementation
This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Table presenter: Highligt results suppressed by VEX
This commit marks results suppressed by VEX when presenting them
to the user.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Define VEX status constants
This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add VexStatus to ignore rules
This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add IgnoreRule HasConditions method
Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Control VEX filtering through IgnoreRules
This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Allow rules to match on VEX justification
This commit expands the ingore rules to also work on vex the
justification of not_affected statements.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Use go-vex merge implementation
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add OpenVEX matcher to matcher list
This commit adds a new entry to the matchers: An openvex matcher
This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add vex.AugmentMatches() to the vex processor
This commit adds a new AugmentMatches() phase to the VEX processor.
This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.
The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Parse context identifiers using GGC
This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Bump funlen linter to 73
This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
* Add VEX testing to matchers test
This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* add vex status and justification to ignored rule json model
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit rename + add TODO question about augmenting ignored matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit document comment updates + common variable extraction
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate legacy matcher function to vulnerability matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update tui to respond to ignored and dropped matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate vex processing to vulnerability match object
Based on Alex's previous caommit
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Migrate VEX options and app config from legacy CLI
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* update table snapshot tests with suppressed vex entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for match.Matches.Diff()
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for vex processor
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting and restore global funlen rule
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove grpc pin
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* always return remaining and ignroed matches from matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add VEX documentation to main README
This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
---------
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Fix the race conditions from setting stage.Current from multiple go
routines by upgrading to a newer version of go-progress that includes an
atomic version of stager and using that. Enable race detection on unit
tests, and on a single invocation of the main command under the
integration target.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Our understanding is that without the patch version, every run of "go
mod tidy" will write a toolchain directive in the file, which will
result in a diff from contributors with different point versions of go,
which is noisy and prone to breaking CI.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
