dependabot[bot]
7b3605db24
chore(deps): bump tibdex/github-app-token from 1.8.0 to 1.8.2 (#1474)
Bumps [tibdex/github-app-token](https://github.com/tibdex/github-app-token) from 1.8.0 to 1.8.2.
- [Release notes](https://github.com/tibdex/github-app-token/releases)
- [Commits](b62528385c...0d49dd7211)
---
updated-dependencies:
- dependency-name: tibdex/github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-07 10:20:24 -04:00
dependabot[bot]
fb2328f152
chore(deps): bump golang.org/x/term from 0.11.0 to 0.12.0 (#1476)
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/term/compare/v0.11.0...v0.12.0)
---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-07 10:16:56 -04:00
dependabot[bot]
bd5ca66779
chore(deps): bump github.com/docker/docker (#1478)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.5+incompatible to 24.0.6+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.5...v24.0.6)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-07 10:16:37 -04:00
dependabot[bot]
0e9817fc98
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.8 to 0.4.10 (#1477)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.8 to 0.4.10.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.8...v0.4.10)
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-09-07 10:16:21 -04:00
Weston Steimel
d6657e2498
chore: bump quality gate to use syft v0.89.0 (#1479)
Signed-off-by: Weston Steimel <weston.steimel@proton.me>
2023-09-06 17:51:51 +00:00
anchore-actions-token-generator[bot]
35ffa2ac42
chore(deps): update Syft to v0.89.0 (#1472)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-08-31 16:02:11 +00:00
5p2O5pe25ouT
bf84e2fa7f
Add registry certificate verification support (#1232)
* add registry certificate verification support
* modify go.mod
* rename registry cert options, add docs, and add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update to account for changes in anchore/stereoscope#195
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-29 15:51:27 +00:00
Keith Zantow
0d5be962d3
fix: set correct default to exclude overlapping binaries (#1452)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-28 17:00:51 -04:00
Bar Nuri
e906e685a1
fix: portage version comparison (#1468)
Signed-off-by: Bar Nuri <barnuri@hotmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-08-28 16:08:03 -04:00
Alex Goodman
21250d258a
chore: pin the vulnerability DB used in quality gate testing (#1470)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-28 15:46:59 -04:00
anchore-actions-token-generator[bot]
4d84465681
chore(deps): update Syft to v0.88.0 (#1466)
2023-08-25 17:23:52 -04:00
Keith Zantow
a2e41a5c58
chore: update quill version (#1465)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-25 17:03:25 -04:00
Puerco
be91dc65d6
docs: fix some typos on main README (#1455)
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
2023-08-25 11:00:03 -04:00
Alex Goodman
f0f8454c3e
note supported versions of grype (#1458)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 19:31:09 +00:00
Alex Goodman
0fd0c56d9a
bump vml labels (#1462)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 18:27:54 +00:00
dependabot[bot]
bc6a7cc8c9
chore(deps): bump github.com/google/uuid from 1.3.0 to 1.3.1 (#1453)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.0 to 1.3.1.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.3.0...v1.3.1)
---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-23 13:40:49 -04:00
anchore-actions-token-generator[bot]
ee6ac51e35
chore(deps): update bootstrap tools to latest versions (#1450)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-22 08:48:59 -04:00
Alex Goodman
3c50c885d3
fill out new version notice (#1445)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-18 16:03:18 -04:00
William Murphy
7ff37a0310
feat: filter out packages owned by OS packages (#1387)
For example, if the rpm "python3-rpm" is installed, it brings a python
package called "rpm" with it, which is just python bindings to RPM. But
this python package is part of "python3-rpm", and should not be matched
against directly. Only apply this deduplication strategy on distros with
a comprehensive enough vulnerability feed that we don't expect false
negatives from it.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-18 15:43:42 -04:00
William Murphy
9e119c87a4
fix: Only remove packages by binary overlap (#1444)
Previously, ownership by file overlap would remove packages of the same
type, or packages with an empty type. Instead, only remove packages by
overlap if the owned package is binary, since the installation source of
the binary will have better version info than the binary itself.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-18 13:49:23 -04:00
Weston Steimel
487d038bfb
chore: bump to syft v0.87.1 in quality gate (#1442)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-08-18 06:10:22 -04:00
anchore-actions-token-generator[bot]
51223cd0b1
chore(deps): update Syft to v0.87.1 (#1432)
2023-08-17 15:39:41 -04:00
William Murphy
0e7c72af59
chore: Init submodule if missing (#1439)
Previously, if a user cloned grype without passing
"--recurse-submodules", the makefile under test/quality would fail to
initialize the submodule, resulting in unexpected behavior. Always
initialize the submodule if it's missing.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-17 10:05:45 -04:00
William Murphy
ef2a5e9c00
chore: exclude yardstick store from filename rules (#1440)
Enables "make lint" to be run after "make quality". Previously, the
linter rules that prohibit ":" in any filename would fail if the
yardstick or vulnerability-match-labels directories had been initialized
(e.g. if "make quality" had been run), since they have filenames like
"sha256:abcd" in them. Exclude them from this lint, since they are not
go files.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-16 16:11:41 -04:00
William Murphy
1c084c44b0
chore: use latest yardstick (#1438)
Include changes to gate.py to correctly guess that local builds of grype
are considered the changed version, not the latest release.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-16 09:25:19 -04:00
Christopher Angelo Phillips
94d58fba3c
fix: update semver regular expression constraint to allow for 1.20rc1 cases no '-' (#1434)
2023-08-15 15:08:18 -04:00
anchore-actions-token-generator[bot]
08a48a8674
chore(deps): update bootstrap tools to latest versions (#1424)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-15 10:15:52 -04:00
dependabot[bot]
fff434156c
chore(deps): bump actions/setup-go from 4.0.1 to 4.1.0 (#1421)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 4.1.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](fac708d667...93397bea11)
---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-08 13:29:12 -04:00
Yevhenii Pokhvalii
fe7027f9e9
docs(example-templates): add a simple JUnit XML template (#1422)
Signed-off-by: Yevhenii Pokhvalii <yevhenii_pokhvalii@epam.com>
2023-08-08 16:12:56 +00:00
dependabot[bot]
60e7b2bcdc
chore(deps): bump golang.org/x/term from 0.10.0 to 0.11.0 (#1420)
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/term/compare/v0.10.0...v0.11.0)
---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-07 18:11:09 -04:00
Weston Steimel
74a7a67b73
chore: use syft v0.86.1 in the quality gate tests (#1418)
* chore: use syft v0.86.1 in the quality gate tests
This ensures the CPE dict enhancements are taken into account for
future quality gate comparisons
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: bump runner to use larger disk
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
Co-authored-by: Christopher Phillips <cphillips918@gmail.com>
2023-08-04 16:48:21 -04:00
Keith Zantow
078a6c5e9e
fix: some hang conditions (#1414)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-03 21:28:37 +00:00
anchore-actions-token-generator[bot]
4761a68bb3
chore(deps): update bootstrap tools to latest versions (#1413)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-08-03 11:02:02 -04:00
anchore-actions-token-generator[bot]
c97048baa1
chore(deps): update Syft to v0.86.1 (#1410)
* chore(deps): update Syft to v0.86.0
Signed-off-by: GitHub <noreply@github.com>
* fix python package metadata shape
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* account for new metadatas added in syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump syft to unreleased but fixed version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-07-31 17:58:36 +00:00
dependabot[bot]
ea0b54c681
chore(deps): bump github.com/docker/docker (#1402)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.4+incompatible to 24.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.4...v24.0.5)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-31 11:45:39 -04:00
dependabot[bot]
50bc9c0af5
chore(deps): bump github.com/hashicorp/go-getter from 1.7.1 to 1.7.2 (#1406)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.7.1 to 1.7.2.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.7.1...v1.7.2)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-27 12:54:06 -04:00
Weston Steimel
13feb5bf96
chore: bump quality gate label dataset (#1404)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-07-27 15:17:06 +01:00
Christopher Angelo Phillips
05edf62e62
feat: implement secondary sorting for default json output (#1403)
* feat: implement secondary sorting for default json output
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-26 13:40:20 -04:00
Christopher Angelo Phillips
eb6c3b0acd
feat: update table sort to be name, version, type, severity, vulnerability (#1400)
* feat: update table sort to be name, version, type, severity, vuln
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-26 14:37:34 +00:00
William Murphy
5ee6bf4563
chore: in quality tests, only colorize quality output if in a tty (#1398)
Permit piping "make validate" (from test/quality) to a file without filling it with control
characters.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-24 10:10:06 -04:00
dependabot[bot]
e3be4916ac
chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 (#1396)
Bumps [github.com/gookit/color](https://github.com/gookit/color) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.5.3...v1.5.4)
---
updated-dependencies:
- dependency-name: github.com/gookit/color
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-20 12:28:06 -04:00
William Murphy
e09bae392d
fix: vulnerabilities should be printed when --fail-on fails (#1395)
Stop terminating the UI early if the error is that the "--fail-on" threshold failed.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-19 16:36:20 -04:00
Weston Steimel
03d18a5de4
chore: bump yardstick to address PyYAML cython compatibility issues (#1394)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-07-18 12:54:19 -04:00
William Murphy
e347e03f4d
Refactor integ test to table test (#1390)
To make it easier to see which tests fail if there's a failure.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-18 11:27:46 -04:00
William Murphy
43bcf301c4
Pass correct output file (#1391)
Previously, the wrong path would get passed, and the template file would
get truncated.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-17 16:16:34 -04:00
dependabot[bot]
5a8ea73ff2
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.7 to 0.4.8 (#1389)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.7 to 0.4.8.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.7...v0.4.8)
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-17 14:09:22 -04:00
Alex Goodman
ebd4643930
Port UI to bubbletea (#1385)
* initial port to bubbletea
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove jotframe UI
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add bubbletea component tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update main.go refs to cmd package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move goreleaser build dir to cmd
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade yardstick for grype source installs and fix post-ui tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure stable severity map in UI component test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add windows support for tui
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-13 17:13:48 +00:00
anchore-actions-token-generator[bot]
37f436cfb6
chore(deps): update Syft to v0.85.0 (#1383)
2023-07-13 11:06:41 -04:00
Olivier Boudet
9050883715
feat(outputs): allow to set multiple outputs (#648) (#1346)
* feat(outputs): allow to set multiple outputs (#648)
Signed-off-by: Olivier Boudet <o.boudet@gmail.com>
Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat(outputs): allow to set multiple outputs (#648)
review
Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use syft format writer pattern and de-emphasize presenter package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Olivier Boudet <o.boudet@gmail.com>
Signed-off-by: Olivier Boudet <olivier.boudet@cooperl.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-11 17:37:17 +00:00
William Murphy
6834e2148c
Remove Docker section from DEVELOPING.md (#1384)
Developing in Docker is no longer explicitly supported. Update
developing docs to reflect this.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-07-11 13:08:50 -04:00