Commit graph

1305 commits

Author SHA1 Message Date
Alex Goodman
7d039cde2d
bump clio to get stderr reporting fix (#1561)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-16 11:58:02 -04:00
dependabot[bot]
96f3b2c68a
chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.2 to 1.4.3 (#1558)
Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype) from 1.4.2 to 1.4.3.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases)
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.2...v1.4.3)

---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 15:39:09 -04:00
dependabot[bot]
9c9c2fbc02
chore(deps): bump github.com/charmbracelet/lipgloss from 0.9.0 to 0.9.1 (#1557)
Bumps [github.com/charmbracelet/lipgloss](https://github.com/charmbracelet/lipgloss) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/charmbracelet/lipgloss/releases)
- [Commits](https://github.com/charmbracelet/lipgloss/compare/v0.9.0...v0.9.1)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/lipgloss
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 15:39:00 -04:00
Shubham Hibare
e0e8b355f0
Add checksum signing (#1535)
* Add checksum signing

Signed-off-by: Shubham Hibare <shubham@hibare.in>

* Add artifact signature verification steps

Signed-off-by: Shubham Hibare <shubham@hibare.in>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
2023-10-12 15:38:30 -04:00
dependabot[bot]
3d582fd851
chore(deps): bump golang.org/x/net from 0.16.0 to 0.17.0 (#1554)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.16.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 09:08:51 -04:00
Weston Steimel
25762b7e3b
feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
* feat: disable CPE-based matching for GHSA ecosystems by default

Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories.  Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: use --by-cve with quality gate comparison

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: add rust auditable binary match integration test

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-10-12 09:07:33 -04:00
dependabot[bot]
bcbc7e4bdc
chore(deps): bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1552)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.5.9 to 0.6.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-11 13:51:20 -04:00
anchore-actions-token-generator[bot]
7e5df38029
chore(deps): update Syft to v0.93.0 (#1550)
* chore(deps): update Syft to v0.93.0

Signed-off-by: GitHub <noreply@github.com>

* fix test to account for go pkg stdlib

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-10-10 18:26:34 +00:00
dependabot[bot]
07677b1d9a
chore(deps): bump gorm.io/gorm from 1.25.4 to 1.25.5 (#1547)
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.25.4 to 1.25.5.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](https://github.com/go-gorm/gorm/compare/v1.25.4...v1.25.5)

---
updated-dependencies:
- dependency-name: gorm.io/gorm
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-10 13:33:26 -04:00
dependabot[bot]
32a2083896
chore(deps): bump github.com/charmbracelet/lipgloss from 0.8.0 to 0.9.0 (#1548)
Bumps [github.com/charmbracelet/lipgloss](https://github.com/charmbracelet/lipgloss) from 0.8.0 to 0.9.0.
- [Release notes](https://github.com/charmbracelet/lipgloss/releases)
- [Commits](https://github.com/charmbracelet/lipgloss/compare/v0.8.0...v0.9.0)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/lipgloss
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-10 13:33:06 -04:00
dependabot[bot]
afa1b896c4
chore(deps): bump github.com/hashicorp/go-getter from 1.7.2 to 1.7.3 (#1549)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.2 to 1.7.3.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.7.2...v1.7.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-10 13:32:48 -04:00
dependabot[bot]
88906fb60c
chore(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.0 (#1544)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](08b4669551...483ef80eb9)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-09 13:05:06 -04:00
Keith Zantow
8ebf2955e8
fix: empty descriptor name and version (#1542)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-10-06 10:43:11 -04:00
chavacava
548da9e7cb
chore: removes unnecessary conditional (#1539)
Signed-off-by: chavacava <salvadorcavadini+github@gmail.com>
2023-10-04 18:08:34 +00:00
dependabot[bot]
4531528099
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.10 to 0.4.11 (#1533)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.10 to 0.4.11.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.10...v0.4.11)

---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-02 12:35:31 -04:00
anchore-actions-token-generator[bot]
dec563669d
chore(deps): update Syft to v0.92.0 (#1527)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
2023-09-27 12:27:32 -04:00
anchore-actions-token-generator[bot]
7242323551
chore(deps): update bootstrap tools to latest versions (#1524)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-09-27 11:07:48 -04:00
Christopher Angelo Phillips
6da8be94ac
chore: add OpenSSF Best Practices badge (#1523)
* chore: add OpenSSF Best Practices badge
--------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-27 11:06:35 -04:00
Alex Goodman
13ed926f78
bump labels to latest (#1525)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-27 14:47:45 +00:00
dependabot[bot]
cc522decdb
chore(deps): bump actions/checkout from 4.0.0 to 4.1.0 (#1519)
* chore(deps): bump actions/checkout from 4.0.0 to 4.1.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](3df4ab11eb...8ade135a41)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: add version comment

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-09-26 13:16:42 -04:00
anchore-actions-token-generator[bot]
4ae7a11579
chore(deps): update bootstrap tools to latest versions (#1520)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-09-26 13:16:11 -04:00
William Murphy
377ea3e0c6
chore: explicitly test go pseudoversion (#1522)
The logic in the fuzzy version constraint works for go pseudoversions,
because they happen be in string sort order. Add unit tests to ensure
this coincidental behavior is not lost.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-26 09:22:08 -04:00
William Murphy
0085ddb550
chore: remove outdated comment about fuzzy matching python versions (#1521)
Now that we're using a real PEP440 library, there's no need for this
comment.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-26 09:21:36 -04:00
William Murphy
6f898b5d50
chore: bump stereoscope to fix data race in UI (#1517)
Pulls in a fix to go-progress so that scanning large images no longer
results in a data race in the UI code.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-25 11:56:51 -04:00
William Murphy
d94c384a97
fix: correctly guess tool comparison (#1516)
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-25 09:29:24 -04:00
anchore-actions-token-generator[bot]
79c130b9fe
chore(deps): update bootstrap tools to latest versions (#1515)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-09-24 06:17:55 -04:00
dependabot[bot]
f7c70be0f3
chore(deps): bump github.com/spf13/afero from 1.9.5 to 1.10.0 (#1514)
Bumps [github.com/spf13/afero](https://github.com/spf13/afero) from 1.9.5 to 1.10.0.
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](https://github.com/spf13/afero/compare/v1.9.5...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-22 13:34:47 -04:00
William Murphy
2f405f0680
fix: use PEP440 for Python package version comparison (#1510)
Previously, grype used fuzzy matcher for Python packages, since
there are cases in PEP440 that are not strictly semver. Switch to a
library that does PEP440 parsing and comparison for python version 
constraints.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-22 13:32:48 -04:00
dependabot[bot]
da3de94842
chore(deps): bump tibdex/github-app-token from 2.0.0 to 2.1.0 (#1506)
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 2.0.0 to 2.1.0.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](0914d50df7...3beb63f4bd)

---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-20 16:39:49 -04:00
Alex Goodman
18241e8986
Upgrade syft to v0.91.0 (#1508)
* bump syft to main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update cyclonedx schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* allow for pkg type exceptions for github actions and workflows

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update cyclonedx json schema from v1.4 to v1.5

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump to syft v0.91.0

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade go-setup action to v4

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove asset upload from release workflow

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-20 16:39:23 -04:00
Alex Goodman
970fbd9166
Update chronicle to v0.8.0 (#1507)
* use annotated tags, update chronicle, fix cache keys

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* dont show the title in the release notes

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-20 16:06:08 -04:00
Keith Zantow
3a6f3a3278
fix: terminal clobbering when commands return errors (#1505)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-09-20 12:17:33 -04:00
Rob Szumski
cc76ab82f9
Fix typo in flag (#1501)
Signed-off-by: Rob Szumski <rob@robszumski.com>
2023-09-18 16:54:14 -04:00
dependabot[bot]
b81340c7c6
chore(deps): bump actions/cache from 3.2.6 to 3.3.2 (#1499)
Bumps [actions/cache](https://github.com/actions/cache) from 3.2.6 to 3.3.2.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v3.2.6...704facf57e6136b1bc63b828d79edcd491f0ee84)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-18 13:00:43 -04:00
dependabot[bot]
6c99b95189
chore(deps): remove dependency on sqlite fork; bump gorm.io/gorm from 1.23.10 to 1.25.4 (#1448)
* chore: remove dependency on sqlite fork
* chore(deps): bump gorm.io/gorm from 1.23.10 to 1.25.4

Removed the dependency on github.com/anchore/sqlite because the diff
added to that fork was no longer needed. 

Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.23.10 to 1.25.4.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](https://github.com/go-gorm/gorm/compare/v1.23.10...v1.25.4)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-09-18 11:34:54 -04:00
Christopher Angelo Phillips
7a1f4a0891
chore: pin cache versions (#1495)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-15 16:07:17 -04:00
dependabot[bot]
655c65facb
chore(deps): bump actions/checkout from 3 to 4 (#1475)
* chore(deps): bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...3df4ab11eba7bda6032a0b82a6bb43b11571feac)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: update tag comments and standardize comments to # vx.x.x

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-15 15:25:20 -04:00
Keith Zantow
e61cb5ff51
fix: version output including supported db schema (#1494)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-09-15 18:35:30 +00:00
Christopher Angelo Phillips
9c0140d6b1
chore: pin actions; pin images; add top level action permissions (#1493)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-15 14:29:37 -04:00
devfbe
a87e198e58
feat: introduce exit code failure option for db update check (#1463)
Signed-off-by: Felix Becker <git@felixbecker.name>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-09-14 12:12:38 -04:00
Puerco
b952d3808c
Ignore/add match results based on OpenVEX documents (#1397)
* go.mod: Pull OpenVEX go modules

This commit pulls the OpenVEX libraries into the grype source.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add generic VEX processor package

This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.

The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Add OpenVEX processor implementation

This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Table presenter: Highligt results suppressed by VEX

This commit marks results suppressed by VEX when presenting them
to the user.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Define  VEX status constants

This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add VexStatus to ignore rules

This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add IgnoreRule HasConditions method

Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Control VEX filtering through IgnoreRules

This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Allow rules to match on VEX justification

This commit expands the ingore rules to also work on vex the
justification of not_affected statements.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Use go-vex merge implementation

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add OpenVEX matcher to matcher list

This commit adds a new entry to the matchers: An openvex matcher

This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add vex.AugmentMatches() to the vex processor

This commit adds a new AugmentMatches() phase to the VEX processor.

This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.

The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Parse context identifiers using GGC

This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Bump funlen linter to 73

This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>

* Add VEX testing to matchers test

This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* add vex status and justification to ignored rule json model

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit rename + add TODO question about augmenting ignored matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit document comment updates + common variable extraction

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate legacy matcher function to vulnerability matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tui to respond to ignored and dropped matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate vex processing to vulnerability match object

Based on Alex's previous caommit

Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Migrate VEX options and app config from legacy CLI

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* update table snapshot tests with suppressed vex entries

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for match.Matches.Diff()

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for vex processor

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting and restore global funlen rule

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove grpc pin

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* always return remaining and ignroed matches from matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Add VEX documentation to main README

This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 15:26:12 -04:00
dependabot[bot]
6ee9054c88
chore(deps): bump docker/login-action from 2 to 3 (#1488)
Bumps [docker/login-action](https://github.com/docker/login-action) from 2 to 3.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](https://github.com/docker/login-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-12 14:04:24 -04:00
William Murphy
d5ced7fb81
chore: Fix race conditions around stager, enable detector (#1489)
Fix the race conditions from setting stage.Current from multiple go
routines by upgrading to a newer version of go-progress that includes an
atomic version of stager and using that. Enable race detection on unit
tests, and on a single invocation of the main command under the
integration target.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-12 13:52:26 -04:00
anchore-actions-token-generator[bot]
5577f27993
chore(deps): update Syft to v0.90.0 (#1486)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-09-12 08:45:37 -04:00
dependabot[bot]
8b34b585ca
chore(deps): bump tibdex/github-app-token from 1.8.2 to 2.0.0 (#1485)
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.2 to 2.0.0.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](0d49dd7211...0914d50df7)

---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-11 15:23:55 -04:00
Keith Zantow
02d513e8e8
chore: update CLI to CLIO (#1437)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-09-11 15:10:06 -04:00
William Murphy
1772f25e27
feat: grype explain prototype (#1367)
v0 of "grype explain" - a subcommand to have grype explain why grype
reported a match.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-11 13:32:11 -04:00
William Murphy
13bae4b49b
chore: Update go declaration to have point version (#1484)
Our understanding is that without the patch version, every run of "go
mod tidy" will write a toolchain directive in the file, which will
result in a diff from contributors with different point versions of go,
which is noisy and prone to breaking CI.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-11 08:08:53 -04:00
Christopher Angelo Phillips
719feb0b44
chore: update grype to use Go v1.21 (#1480)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-07 14:55:38 -04:00
dependabot[bot]
a04dfaac23
chore(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#1481)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](0b7f8abb15...a8a3f3ad30)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-07 11:51:25 -04:00