Commit graph

135 commits

Author SHA1 Message Date
Sambhav Kothari
346df07df5
Add sprig templating functions for grype output (#610)
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-01-28 11:27:27 -05:00
Alex Goodman
2f8682b3db
Add ability to merge matches (#602)
* enable merging of matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add ability for matches constructor to take initial matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update tests to include IDs on package objects

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename common matcher helper package to search package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename search functions and add SearchByCriteria

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* cleanup imports

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-25 10:29:16 -05:00
Christopher Angelo Phillips
e453a06551
upgrade syft to v0.36.0 (#597)
* upgrade syft dependencies

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add basic metadata for coverage

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-20 12:47:15 -05:00
Dan Luhring
bc0f4eb9b2
Bump syft to include file source fix (#596)
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-01-18 19:29:31 +00:00
Alex Goodman
6e3aa6a8d7
Add strong distro type (#585)
* add strong distro type

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* nit changes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update grype/db package to use distro pointer

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* source distro type from release name

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to pull in distro type updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump lint timeout

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 13:47:27 -05:00
Alex Goodman
2647cd0d9e
Port grype-db to grype (#587)
* port grype-db to grype

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* migrate vulnerability provider implementation to db package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade path import validations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting issues

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 10:03:22 -05:00
Christopher Angelo Phillips
24ef03efc4
update to secure syft version (#586)
* update to secure syft version

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-11 10:33:58 -05:00
Christopher Angelo Phillips
7fbe20c223
upgrade stereoscope (#584)
* bump stereoscope to remove vulnerable containerd

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-10 15:05:52 -05:00
Christopher Angelo Phillips
64d4dbb993
update syft version for new release (#578)
* update syft

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update CatalogPackages to use new cataloger config struct

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update integration tests

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-07 17:57:44 -05:00
Alex Goodman
b100315292
bump syft to v0.34.0 (#567)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-22 16:20:23 -05:00
Keith Zantow
647d6fb770
Add --exclude flag (#551) 2021-12-21 12:52:07 -05:00
Alex Goodman
4f964c4ee2
bump syft to v0.33.0 (#550)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-16 09:49:36 -05:00
Alex Goodman
81a16c4142
bump syft to v0.32.2 (#541)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-14 17:39:05 +00:00
Alex Goodman
3f23425fa5
bump syft to v0.32.1 (#535)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-14 02:03:13 +00:00
Alex Goodman
f2d02b0b09
pull in binary panic fix; closes #526 (#528)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-10 18:03:13 +00:00
Alex Goodman
e62186725b
bump syft to v0.32.0 (#524)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-08 21:52:34 +00:00
Bala Raman
8abc83f685
Adding AlmaLinux OS Support (#514)
* Adding AlmaLinux OS Support

Signed-off-by: Bala Raman <srbala@gmail.com>

* incorporate grype-db updates for ALMA linux

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-07 16:55:33 -05:00
Alex Goodman
270606ad37
bump syft to v0.31.0 (#517)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-03 16:56:43 +00:00
Alex Goodman
51e1b6307b
Update syft, jotframe, and validations pipeline (#512)
* update syft and jotframe

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update validations and release pipeline

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* moved terminal package to golang.org/x/term

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update integration tests to account for package relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add license exception for xz

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update Location and Coordinate references

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove benchmark tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove mac acceptance tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add syft-grype relationship notes in DEVELOPING.md

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-30 18:10:07 +00:00
Dan Luhring
70ec3bfb71
Support for private certificate authorities during DB curation (#494)
* Add injectable HTTP client to file getter

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* WIP: Map config for custom CA certs

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* update curator and add tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add TLS helper scripts

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove grype-db local mod edit

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go modules

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use ssl.context over deprecated fn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* disallow tls 1 and 1.1

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* suppress non-archive sources for fetch-to-dir capability

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure DB load failure does not panic

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-22 16:59:38 +00:00
Christopher Angelo Phillips
48c0b9b0e3
bump grype-db to latest commit (#501)
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-11-16 13:07:56 -05:00
Swathi Gangisetty
5aa2b7bcac
Support vulnerability matching for Rocky Linux (#500)
- Update grype-db dependency for the distro-feed namespace mapping
- Add test to verify the above mapping

Signed-off-by: Swathi Gangisetty <swathi@anchore.com>
2021-11-15 16:14:24 -08:00
Christopher Angelo Phillips
a2762bbbf0
Bump syft version => v0.30.1 (#498)
* update syft version with correct arguments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump integration tests with new presenter format

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update integration tests to remove php-composer failure

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-11-15 17:11:56 -05:00
Dan Luhring
3797965d8a
Resolve vulnerabilities (#486)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-11-09 10:36:33 -05:00
Alex Goodman
3d7c38c670
bump syft to v0.29.0 (#487)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-02 14:42:51 -04:00
Alex Goodman
afc9de6058
Fix hang when running as a subprocess (#484)
* use named pipe bit on stdin as indicator for piped input

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure stdin is ignored when the CLI hints are present

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add CLI test to cover subprocess integration behavior

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* added test case for java regression

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove extra line in makefile

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-29 14:51:58 +00:00
Alex Goodman
9c00165306
pull in space suffix fix (#475)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-25 10:14:37 -04:00
Christopher Angelo Phillips
9cd917d29c
Add windows support (#464)
* update grype to compile windows

Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update go mod with new stereoscope

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update build comments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* small build tags

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* add goreleaser windows

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump syft version

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update tests

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update test images to use newest pinned golang

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-10-22 13:46:56 -04:00
Christopher Angelo Phillips
637a061532
Add APK version constraint parsing (#455)
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-10-18 17:27:02 +00:00
Alex Goodman
b1f3be4520
Upgrade config, UI, and command package patterns (#406)
* split and upgrade config processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade UI organization

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* expose logger writter

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) event loop abstraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update aux commands to use Cobra RunE over Run

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade root command to use new event loop and signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update CLI test to account for config representation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update dependencies + fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* decompose application config parse func + add missing config struct tags

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* restore unparam lint exclusion for registry config

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-01 13:03:50 -04:00
Dan Luhring
f86fd7eb38
Feature: Specifying ignore rules for vulnerability matches (#430)
* Preliminary implementation of ignore rules

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Support ignoring matches by package type

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Add tests for ignore functionality

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Add documentation for ignore rules and clean up README

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Add test for glob location matching

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-09-29 15:44:36 -04:00
Dan Luhring
e6831d9444
Update Syft to v0.24.1 (#433)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-09-28 16:55:50 -04:00
Alex Goodman
608e126dc6
pull in grype-db default language namespace namer + fix imbalanced version v prefixes (#434)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-09-28 16:55:27 -04:00
Vijay Pillai
1a7c9d1779
Bugfixes + Integration test for sbom input vs grype library comparison (#424)
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
2021-09-22 21:53:32 -04:00
Dan Palmer
83c6ee23a9
Update grype-db dependency, add some SLES tests (#413)
* Update grype-db dependency, add some SLES tests

Signed-off-by: Dan Palmer <dan.palmer@anchore.com>
2021-09-14 15:08:32 -04:00
Christopher Angelo Phillips
f3e3e832a8
bump syft to the newest 0.23.0 version - tidy mod (#414)
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than value for 0.23.0 this commit updates our 
integration tests to reflect that change
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-09-13 16:46:41 -04:00
Zane Burstein
434a774106
Match against Alpine source packages (#407)
* Update go-version package and add test

This is being updated due to an issue that was encountered in the lessThanEqual constraint in go-version: https://github.com/anchore/go-version/pull/2. Was disovered while adding tests for apk origin package matching

Signed-off-by: Zane Burstein <zane.burstein@anchore.com>

* Added matching with source package for apk

This change allows grype to match with a packages source package for apk. Adds APKMetadata with OriginPackage, new matching logic in apk matchers, and tests

Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
2021-09-09 07:42:11 -04:00
Keith Zantow
4e8794d610
Upgrade syft to 0.21.0 #385 (#396)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2021-08-23 15:15:42 -04:00
Alex Goodman
01a77d5c45
bump syft to v0.20.0 (#384)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-18 11:20:25 -04:00
Keith Zantow
7b044b1154
Add option to enable http registry connections #334 (#380)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2021-08-17 12:52:08 -04:00
Alex Goodman
fbc6bdfd8d
Update MSRC matching to include product ID in the suffix (#373)
* use squashed grype-db branch

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add more tests around the msrc matcher

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate the grype-db updates for msrc

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-12 08:35:30 -04:00
Alex Goodman
729aec24a6
incorporate CPE generator enhancements from syft (#375)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-10 09:06:40 -04:00
Alex Goodman
c7f33a8e4f
bump grype-db version to use main branch
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-07-20 12:18:29 -04:00
Dan Luhring
787dfd8f02
Update syft to v0.19.0 (#352)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-06-30 11:09:44 -04:00
Dan Luhring
1714806a4c
Update syft to v0.18.0 (#351)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-06-29 21:34:26 +00:00
Alex Goodman
27c3437e26
ensure RPM epoch is optional
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-06-16 09:23:46 -04:00
Alex Goodman
402a53d14c
fix tests for v3 schema updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-27 15:25:21 -04:00
Alex Goodman
80bb416daa
bump grype-db to pull in v3 schema changes + ensure related vulns are not nil
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-27 14:17:05 -04:00
Alex Goodman
1849d7eaea
add vendor advisories and adjust fixes data shape
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-26 13:54:19 -04:00
Alex Goodman
f99da01100 add staging update-url to cli tests + add pre-release check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-26 12:30:21 -04:00