Commit graph

991 commits

Author SHA1 Message Date
Alex Goodman
0fd0c56d9a
bump vml labels (#1462)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 18:27:54 +00:00
dependabot[bot]
bc6a7cc8c9
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#1453)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.3.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-23 13:40:49 -04:00
anchore-actions-token-generator[bot]
ee6ac51e35
chore(deps): update bootstrap tools to latest versions (#1450)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-22 08:48:59 -04:00
Alex Goodman
3c50c885d3
fill out new version notice (#1445)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-18 16:03:18 -04:00
William Murphy
7ff37a0310
feat: filter out packages owned by OS packages (#1387)
For example, if the rpm "python3-rpm" is installed, it brings a python
package called "rpm" with it, which is just python bindings to RPM. But
this python package is part of "python3-rpm", and should not be matched
against directly. Only apply this deduplication strategy on distros with 
a comprehensive enough vulnerability feed that we don't expect false 
negatives from it.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-18 15:43:42 -04:00
William Murphy
9e119c87a4
fix: Only remove packages by binary overlap (#1444)
Previously, ownership by file overlap would remove packages of the same
type, or packages with an empty type. Instead, only remove packages by
overlap if the owned package is binary, since the installation source of
the binary will have better version info than the binary itself.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-18 13:49:23 -04:00
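The two commits above (#1387 and #1444) describe one deduplication rule for the package inventory before matching: a package whose files overlap with another package is dropped only when it is a binary (its installation source has the better version data) or, on distros whose vulnerability feed is comprehensive enough, when it is owned by an OS package such as the "rpm" python bindings shipped by python3-rpm. The following is an added, self-contained illustration of that rule and is not grype's own code: the Package type, the osPackageTypes and comprehensiveFeedDistros tables, the function names and the sample inventory are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Package is a minimal stand-in for an SBOM package record (constructed for
// this example; not grype's or syft's type).
type Package struct {
	ID    string   // unique id, here "<type>:<name>"
	Type  string   // "rpm", "deb", "apk", "python", "binary", or "" when unknown
	Files []string // paths the package owns (OS packages) or was found in
}

// osPackageTypes: installed by a distro package manager, so their version
// data is authoritative for anything they ship.
var osPackageTypes = map[string]bool{"rpm": true, "deb": true, "apk": true}

// comprehensiveFeedDistros is an assumed allow-list (not grype's) of distros
// whose feed is complete enough that dropping a language package owned by an
// OS package will not cause false negatives.
var comprehensiveFeedDistros = map[string]bool{"rhel": true, "debian": true, "ubuntu": true, "alpine": true}

// ownersByFile maps each package ID to the IDs of other packages listing at
// least one of the same files.
func ownersByFile(pkgs []Package) map[string][]string {
	byFile := map[string][]string{}
	for _, p := range pkgs {
		for _, f := range p.Files {
			byFile[f] = append(byFile[f], p.ID)
		}
	}
	out := map[string][]string{}
	for _, p := range pkgs {
		seen := map[string]bool{}
		for _, f := range p.Files {
			for _, id := range byFile[f] {
				if id != p.ID && !seen[id] {
					seen[id] = true
					out[p.ID] = append(out[p.ID], id)
				}
			}
		}
		sort.Strings(out[p.ID])
	}
	return out
}

// shouldDrop decides whether p must not be matched directly because owner
// shares files with it.
func shouldDrop(p, owner Package, distro string) bool {
	if p.Type == "" || p.Type == owner.Type {
		return false // unknown-type and same-type overlaps are never "ownership"
	}
	if p.Type == "binary" {
		return true // the installation source has better version info
	}
	// A language package shipped by an OS package (python3-rpm -> "rpm"):
	// drop it only where the distro feed is comprehensive.
	return osPackageTypes[owner.Type] && comprehensiveFeedDistros[distro]
}

// RemoveOwnedPackages returns pkgs minus the owned ones, preserving order.
func RemoveOwnedPackages(pkgs []Package, distro string) []Package {
	byID := map[string]Package{}
	for _, p := range pkgs {
		byID[p.ID] = p
	}
	owners := ownersByFile(pkgs)
	var kept []Package
	for _, p := range pkgs {
		drop := false
		for _, id := range owners[p.ID] {
			if shouldDrop(p, byID[id], distro) {
				drop = true
				break
			}
		}
		if !drop {
			kept = append(kept, p)
		}
	}
	return kept
}

// KeptIDs returns only the IDs that survive deduplication.
func KeptIDs(pkgs []Package, distro string) []string {
	var ids []string
	for _, p := range RemoveOwnedPackages(pkgs, distro) {
		ids = append(ids, p.ID)
	}
	return ids
}

// SamplePackages is a constructed inventory: python3-rpm ships the "rpm"
// python bindings, the openssl rpm ships /usr/bin/openssl (also seen as a
// bare binary), requests is an unowned pip install, and one entry has no type.
func SamplePackages() []Package {
	rpmEgg := "/usr/lib64/python3.9/site-packages/rpm-4.16.1.3-py3.9.egg-info/PKG-INFO"
	return []Package{
		{ID: "rpm:python3-rpm", Type: "rpm", Files: []string{"/usr/lib64/python3.9/site-packages/rpm/__init__.py", rpmEgg}},
		{ID: "python:rpm", Type: "python", Files: []string{rpmEgg}},
		{ID: "rpm:openssl", Type: "rpm", Files: []string{"/usr/bin/openssl", "/usr/lib64/libssl.so.3"}},
		{ID: "binary:openssl", Type: "binary", Files: []string{"/usr/bin/openssl"}},
		{ID: "python:requests", Type: "python", Files: []string{"/usr/lib/python3.9/site-packages/requests-2.31.0.dist-info/METADATA"}},
		{ID: "unknown:libssl", Type: "", Files: []string{"/usr/lib64/libssl.so.3"}},
	}
}

func main() {
	for _, distro := range []string{"rhel", "somelinux"} {
		fmt.Println(distro, KeptIDs(SamplePackages(), distro))
	}
}
```

On "rhel" both the python "rpm" bindings and the bare openssl binary are dropped; on a distro outside the allow-list only the binary goes, so the python package is still matched against the feed and a vulnerability is not silently lost.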
Weston Steimel
487d038bfb
chore: bump to syft v0.87.1 in quality gate (#1442)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-08-18 06:10:22 -04:00
anchore-actions-token-generator[bot]
51223cd0b1
chore(deps): update Syft to v0.87.1 (#1432)
2023-08-17 15:39:41 -04:00
William Murphy
0e7c72af59
chore: Init submodule if missing (#1439)
Previously, if a user cloned grype without passing
"--recurse-submodules", the makefile under test/quality would fail to
initialize the submodule, resulting in unexpected behavior. Always
initialize the submodule if it's missing.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-17 10:05:45 -04:00
William Murphy
ef2a5e9c00
chore: exclude yardstick store from filename rules (#1440)
Enables "make lint" to be run after "make quality". Previously, the
linter rules that prohibit ":" in any filename would fail if the
yardstick or vulnerability-match-labels directories had been initialized
(e.g. if "make quality" had been run), since they have filenames like
"sha256:abcd" in them. Exclude them from this lint, since they are not
go files.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-16 16:11:41 -04:00
William Murphy
1c084c44b0
chore: use latest yardstick (#1438)
Include changes to gate.py to correctly guess that local builds of grype
are considered the changed version, not the latest release.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-16 09:25:19 -04:00
Christopher Angelo Phillips
94d58fba3c
fix: update semver regular expression constraint to allow for 1.20rc1 cases no '-' (#1434)
2023-08-15 15:08:18 -04:00
anchore-actions-token-generator[bot]
08a48a8674
chore(deps): update bootstrap tools to latest versions (#1424)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-15 10:15:52 -04:00
dependabot[bot]
fff434156c
chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (#1421)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 4.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](fac708d667...93397bea11)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-08 13:29:12 -04:00
Yevhenii Pokhvalii
fe7027f9e9
docs(example-templates): add a simple JUnit XML template (#1422)
Signed-off-by: Yevhenii Pokhvalii <yevhenii_pokhvalii@epam.com>
2023-08-08 16:12:56 +00:00
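The JUnit XML template added in #1422 (like the CSV template in #1366) is rendered by Go's text/template over the scan document, so any string taken from the scanned artifact, above all the package name, ends up inside XML. Those strings are attacker-influenced, and a template that interpolates them verbatim lets a crafted package name close the attribute and inject elements into the report that a CI system will parse. The example below is added here and is not grype's template or code: it renders a small JUnit-style template with text/template, escaping every scanner-controlled value with the built-in html function, beside the unescaped "before" form. The Go types are constructed stand-ins; their field names (.Matches, .Artifact.Name, .Vulnerability.ID, and so on) are assumed to follow grype's JSON output, and the vulnerability IDs and descriptions are placeholders, not real advisories.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-ins for the scan document a template is executed over.
// Field names are assumed to mirror grype's JSON output.
type Artifact struct{ Name, Version, Type string }
type Vulnerability struct{ ID, Severity, Description string }
type Match struct {
	Artifact      Artifact
	Vulnerability Vulnerability
}
type Document struct{ Matches []Match }

// junitTemplate renders one <testcase> per match. Every scanner-controlled
// string passes through text/template's built-in "html" function, which
// escapes &, <, >, " and ' (as numeric references that are also valid XML),
// so a hostile package name cannot break out of the attribute.
const junitTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="grype" tests="{{len .Matches}}" failures="{{len .Matches}}">
{{- range .Matches}}
  <testcase classname="{{.Artifact.Type | html}}" name="{{.Artifact.Name | html}}@{{.Artifact.Version | html}} {{.Vulnerability.ID | html}}">
    <failure message="{{.Vulnerability.Severity | html}}">{{.Vulnerability.Description | html}}</failure>
  </testcase>
{{- end}}
</testsuite>
`

// unsafeTemplate is the "before": the same field interpolated verbatim.
const unsafeTemplate = `<testsuite>
{{- range .Matches}}
  <testcase name="{{.Artifact.Name}}"/>
{{- end}}
</testsuite>
`

// Render executes tmpl over doc and returns the text that a
// "-o template -t <file>" run would write to its output.
func Render(tmpl string, doc Document) (string, error) {
	t, err := template.New("report").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, doc); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SampleDocument is constructed input: one ordinary match and one whose
// package name and description carry XML metacharacters, as a malicious
// package could. IDs are placeholders, not real advisories.
func SampleDocument() Document {
	return Document{Matches: []Match{
		{
			Artifact:      Artifact{Name: "libcurl", Version: "7.88.1", Type: "deb"},
			Vulnerability: Vulnerability{ID: "EXAMPLE-0001", Severity: "High", Description: "example description"},
		},
		{
			Artifact:      Artifact{Name: `evil"><injected/><x a="`, Version: "1.0", Type: "python"},
			Vulnerability: Vulnerability{ID: "EXAMPLE-0002", Severity: "Critical", Description: "<script>alert(1)</script>"},
		},
	}}
}

// ContainsRawTag reports whether an unescaped "<injected" element reached
// the rendered output, i.e. whether escaping failed.
func ContainsRawTag(out string) bool { return strings.Contains(out, "<injected") }

func main() {
	out, err := Render(junitTemplate, SampleDocument())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

The html function covers the markup metacharacters; it does not strip control characters that XML 1.0 forbids, so a consumer that validates strictly may still reject a report containing such bytes.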
dependabot[bot]
60e7b2bcdc
chore(deps): bump golang.org/x/term from 0.10.0 to 0.11.0 (#1420)
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/term/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-07 18:11:09 -04:00
Weston Steimel
74a7a67b73
chore: use syft v0.86.1 in the quality gate tests (#1418)
* chore: use syft v0.86.1 in the quality gate tests

This ensures the CPE dict enhancements are taken into account for
future quality gate comparisons

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix: bump runner to use larger disk

Signed-off-by: Christopher Phillips <cphillips918@gmail.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
Co-authored-by: Christopher Phillips <cphillips918@gmail.com>
2023-08-04 16:48:21 -04:00
Keith Zantow
078a6c5e9e
fix: some hang conditions (#1414)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-03 21:28:37 +00:00
anchore-actions-token-generator[bot]
4761a68bb3
chore(deps): update bootstrap tools to latest versions (#1413)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-03 11:02:02 -04:00
anchore-actions-token-generator[bot]
c97048baa1
chore(deps): update Syft to v0.86.1 (#1410)
* chore(deps): update Syft to v0.86.0

Signed-off-by: GitHub <noreply@github.com>

* fix python package metadata shape

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* account for new metadatas added in syft

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump syft to unreleased but fixed version

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-07-31 17:58:36 +00:00
dependabot[bot]
ea0b54c681
chore(deps): bump github.com/docker/docker (#1402)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.4...v24.0.5)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-31 11:45:39 -04:00
dependabot[bot]
50bc9c0af5
chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#1406)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-27 12:54:06 -04:00
Weston Steimel
13feb5bf96
chore: bump quality gate label dataset (#1404)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-07-27 15:17:06 +01:00
Christopher Angelo Phillips
05edf62e62
feat: implement secondary sorting for default json output (#1403)
* feat: implement secondary sorting for default json output
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-26 13:40:20 -04:00
Christopher Angelo Phillips
eb6c3b0acd
feat: update table sort to be name, version, type, severity, vulnerability (#1400)
* feat: update table sort to be name, version, type, severity, vuln
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-26 14:37:34 +00:00
William Murphy
5ee6bf4563
chore: in quality tests, only colorize quality output if in a tty (#1398)
Permit piping "make validate" (from test/quality) to a file without filling it with control
characters.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-24 10:10:06 -04:00
dependabot[bot]
e3be4916ac
chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 (#1396)
Bumps [github.com/gookit/color](https://github.com/gookit/color) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/gookit/color
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-20 12:28:06 -04:00
William Murphy
e09bae392d
fix: vulnerabilities should be printed when --fail-on fails (#1395)
Stop terminating the UI early if the error is that the "--fail-on" threshold failed.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-19 16:36:20 -04:00
Weston Steimel
03d18a5de4
chore: bump yardstick to address PyYAML cython compatibility issues (#1394)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-07-18 12:54:19 -04:00
William Murphy
e347e03f4d
Refactor integ test to table test (#1390)
To make it easier to see which tests fail if there's a failure.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-18 11:27:46 -04:00
William Murphy
43bcf301c4
Pass correct output file (#1391)
Previously, the wrong path would get passed, and the template file would
get truncated.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-17 16:16:34 -04:00
dependabot[bot]
5a8ea73ff2
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.7 to 0.4.8 (#1389)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.7 to 0.4.8.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.7...v0.4.8)

---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-17 14:09:22 -04:00
Alex Goodman
ebd4643930
Port UI to bubbletea (#1385)
* initial port to bubbletea

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove jotframe UI

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add bubbletea component tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update main.go refs to cmd package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* move goreleaser build dir to cmd

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade yardstick for grype source installs and fix post-ui tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* ensure stable severity map in UI component test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add windows support for tui

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-13 17:13:48 +00:00
anchore-actions-token-generator[bot]
37f436cfb6
chore(deps): update Syft to v0.85.0 (#1383)
2023-07-13 11:06:41 -04:00
Olivier Boudet
9050883715
feat(outputs): allow to set multiple outputs (#648) (#1346)
* feat(outputs): allow to set multiple outputs (#648)

Signed-off-by: Olivier Boudet <o.boudet@gmail.com>
Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* feat(outputs): allow to set multiple outputs (#648)

review

Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use syft format writer pattern and de-emphasize presenter package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Olivier Boudet <o.boudet@gmail.com>
Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-11 17:37:17 +00:00
William Murphy
6834e2148c
Remove Docker section from DEVELOPING.md (#1384)
Developing in Docker is no longer explicitly supported. Update
developing docs to reflect this.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-11 13:08:50 -04:00
anchore-actions-token-generator[bot]
d6bd01a4fa
chore(deps): update bootstrap tools to latest versions (#1381)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-07-10 13:52:55 -04:00
dependabot[bot]
9ac9bdd9c2
chore(deps): bump github.com/docker/docker (#1382)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.2+incompatible to 24.0.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.2...v24.0.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-10 13:52:35 -04:00
Alex Goodman
64e9c9c0d3
Port to new syft source API (#1376)
* port to new syft source API

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-06 09:01:49 -04:00
dependabot[bot]
7545e8858d
chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (#1375)
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/term/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-06 01:59:28 -04:00
Weston Steimel
74a7185340
chore: bump quality gate labels and images (#1374)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-07-05 11:05:07 -04:00
anchore-actions-token-generator[bot]
116dc4aaff
chore(deps): update bootstrap tools to latest versions (#1368)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-07-05 11:04:37 -04:00
Tim Gerla
ecf9e65b95
Add a simple CSV format template to the templates/ directory and tweak docs (#1366)
2023-06-29 17:05:17 -04:00
anchore-actions-token-generator[bot]
bc93a968b5
chore(deps): update Syft to v0.84.1 (#1372)
2023-06-29 16:07:15 -04:00
Dan Luhring
7436af93c1
fix: Add more log4j-adjacent package ignore rules (#1358)
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2023-06-29 11:14:58 -04:00
Weston Steimel
a37940f699
chore: bump the quality gate labels (#1369)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-06-29 14:59:52 +00:00
Alex Goodman
11301356cf
add oss community board auto-add workflow (#1364)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-06-27 15:57:08 -04:00
Keith Zantow
ab0a31af64
fix: totals for vulnerability matches (#1359)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-06-26 14:00:27 -04:00
dependabot[bot]
5c5fb0e665
chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (#1363)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](80e868c13c...08b4669551)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-26 13:59:12 -04:00
dependabot[bot]
41d3d134d2
chore(deps): bump anchore/sbom-action from 0.14.2 to 0.14.3 (#1357)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.14.2 to 0.14.3.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](4d571ad103...78fc58e266)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-22 12:04:09 -04:00