grype

mirror of https://github.com/anchore/grype synced 2024-09-20 22:41:55 +00:00

Author	SHA1	Message	Date
Christopher Angelo Phillips	36f5150fa9	bump syft version (#738 )	2022-04-29 13:39:08 -04:00
Sambhav Kothari	9f70cdbf24	add initial support for embedded CycloneDX VEX documents (#678 )	2022-04-28 12:49:12 -04:00
Jonas Xavier	523f5ce9c0	Consume attestation files (#706 ) * add key flag to attest validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp: verify sig and extract sbom Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip read attestation without scheme Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp consuming attestations - needs unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove prototype file Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * drop local syft from go.mod Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix order of sbom parsing strategies Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle implicit attestation input Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add test for invalid attestation key Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * rebase and go-mod-tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * consume attestation via stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * attestation test for stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate input and content for attestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add stdin test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix config tags Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add int test to ignore attestation validation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix cycloneDX attestation fixture Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered att test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered predicate type test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * improve docs/help on atttestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * upgrade to latest syft Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fall through when guessing between sbom and att Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix butter finger rebase Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * drop default key value Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * assert error messages Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better test/cli coverage Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix stdin decode test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix goimports Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * tui - verified attestation and feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better naming Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add attestation section to config file Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * emit event for skipped verification Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * use public key name Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>	2022-04-21 11:52:42 -07:00
Alex Goodman	9cc1c72169	Preserve package IDs on Syft JSON SBOM decode (#731 )	2022-04-18 18:22:58 +00:00
Christopher Angelo Phillips	95f68b4c33	Add java.Matcher configuration to includes maven upstream sha1 query (#714 )	2022-04-13 13:01:22 -04:00
Alex Goodman	c36e9df887	Use CGO-less sqlite GORM driver (#705 )	2022-04-04 18:40:29 +00:00
Jonas Xavier	182c86d11d	Migrate LocationSet and add Dart support (#703 )	2022-04-01 08:21:37 -07:00
Keith Zantow	44e676488e	Update syft to v0.42.4 (#697 )	2022-03-24 14:11:17 -04:00
Keith Zantow	d8e1c37cd1	Update syft to v0.42.3 (#690 )	2022-03-23 17:57:06 -04:00
Alex Goodman	9fc6fb8a32	Bump strset version to fix 386 builds (#689 )	2022-03-23 18:27:11 +00:00
j-k	d40fb77c1a	Correct go.mod to enforce go 1.18 (#685 ) Since grype now depends on debug/buildinfo go 1.18 is required to build grype and as such go.mod needs updating Signed-off-by: 06kellyjac <jack@control-plane.io>	2022-03-22 09:33:35 -04:00
Keith Zantow	f004f7dee3	Update Syft to 0.42.1 (#683 )	2022-03-21 20:11:40 +00:00
Jonas Xavier	dae6411c5c	upgrade github workflows to go 1.18 (#649 ) * upgrade github workflows to go 1.18 Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * upgrade syft & set go1.18 for CI workflows Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add go1.17 static analysis Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix yaml comment Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-03-17 14:58:20 -07:00
Keith Zantow	60c2968953	Update Syft to v0.41.6 (#670 )	2022-03-16 12:48:42 -04:00
Keith Zantow	cbdec2ae5e	Update to Syft v0.41.4 (#664 )	2022-03-14 17:15:09 -04:00
Keith Zantow	bc8f8414ca	Add SARIF presenter option (#654 )	2022-03-14 12:13:37 -04:00
Alex Goodman	1368ea05cd	Add additional DB archive decompressors (#657 )	2022-03-07 11:44:43 -05:00
Keith Zantow	ff424d3adc	Bump Syft for CycloneDX input (#650 )	2022-03-02 10:05:01 -05:00
Alex Goodman	16cd14519a	Bump syft to release version v0.39.0 (#645 ) * bump syft to v0.39.0 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update ByCriteria to log error on failure Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * integration tests now pass Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * bump to v0.39.3 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * raise search failures to warn Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * tidy go.mod/sum Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-26 17:28:08 -05:00
Alex Goodman	f29a0d06d8	Bump syft to v0.38.0 for release (#635 )	2022-02-15 19:03:55 +00:00
Christopher Angelo Phillips	d2dba7d14a	update golang crypto to resolve CVE-2020-29652 (#631 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-11 13:37:17 -05:00
Christopher Angelo Phillips	16e6bee766	update go -> 1.17 (#628 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-11 10:50:13 -05:00
Alex Goodman	c9f2716389	Abstract upstream package before matching (#607 ) * add metadata extraction from pURLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * extract upstream packages before matching Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * put pkg.UpstreamPackages under test Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove pURL related processing Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * pull in syft spdx decoding Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * allow for more flexible GHSA namespace and source extraction Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add matching parity integration tests for all supported formats Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * bump syft to get spdx tv fix Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-10 21:43:12 +00:00
Jonas Xavier	42ca8c61d3	Ensure completion of UI progress bar (#627 )	2022-02-10 08:03:15 -08:00
Jonas Xavier	a8c65807fc	update stereoscope version to include Podman (#612 ) * update stereoscope Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * test stereoscope with fix Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove mod replacement and use latest stereoscope Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-02-01 14:45:11 -08:00
Sambhav Kothari	346df07df5	Add sprig templating functions for grype output (#610 ) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>	2022-01-28 11:27:27 -05:00
Alex Goodman	2f8682b3db	Add ability to merge matches (#602 ) * enable merging of matches Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add ability for matches constructor to take initial matches Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update tests to include IDs on package objects Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename common matcher helper package to search package Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename search functions and add SearchByCriteria Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * cleanup imports Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-25 10:29:16 -05:00
Christopher Angelo Phillips	e453a06551	upgrade syft to v0.36.0 (#597 ) * upgrade syft dependencies Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * add basic metadata for coverage Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-01-20 12:47:15 -05:00
Dan Luhring	bc0f4eb9b2	Bump syft to include file source fix (#596 ) Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-01-18 19:29:31 +00:00
Alex Goodman	6e3aa6a8d7	Add strong distro type (#585 ) * add strong distro type Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * nit changes Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update grype/db package to use distro pointer Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * source distro type from release name Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * bump syft to pull in distro type updates Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * bump lint timeout Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-12 13:47:27 -05:00
Alex Goodman	2647cd0d9e	Port grype-db to grype (#587 ) * port grype-db to grype Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * migrate vulnerability provider implementation to db package Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * upgrade path import validations Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting issues Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-12 10:03:22 -05:00
Christopher Angelo Phillips	24ef03efc4	update to secure syft version (#586 ) * update to secure syft version Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * go mod tidy Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-01-11 10:33:58 -05:00
Christopher Angelo Phillips	7fbe20c223	upgrade stereoscope (#584 ) * bump stereoscope to remove vulnerable containerd Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * go mod tidy Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-01-10 15:05:52 -05:00
Christopher Angelo Phillips	64d4dbb993	update syft version for new release (#578 ) * update syft Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * update CatalogPackages to use new cataloger config struct Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * add new valid CPE to matcher tests Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * update integration tests Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-01-07 17:57:44 -05:00
Alex Goodman	b100315292	bump syft to v0.34.0 (#567 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-22 16:20:23 -05:00
Keith Zantow	647d6fb770	Add --exclude flag (#551 )	2021-12-21 12:52:07 -05:00
Alex Goodman	4f964c4ee2	bump syft to v0.33.0 (#550 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-16 09:49:36 -05:00
Alex Goodman	81a16c4142	bump syft to v0.32.2 (#541 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-14 17:39:05 +00:00
Alex Goodman	3f23425fa5	bump syft to v0.32.1 (#535 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-14 02:03:13 +00:00
Alex Goodman	f2d02b0b09	pull in binary panic fix; closes #526 (#528 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-10 18:03:13 +00:00
Alex Goodman	e62186725b	bump syft to v0.32.0 (#524 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-08 21:52:34 +00:00
Bala Raman	8abc83f685	Adding AlmaLinux OS Support (#514 ) * Adding AlmaLinux OS Support Signed-off-by: Bala Raman <srbala@gmail.com> * incorporate grype-db updates for ALMA linux Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-07 16:55:33 -05:00
Alex Goodman	270606ad37	bump syft to v0.31.0 (#517 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-03 16:56:43 +00:00
Alex Goodman	51e1b6307b	Update syft, jotframe, and validations pipeline (#512 ) * update syft and jotframe Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update validations and release pipeline Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * moved terminal package to golang.org/x/term Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update integration tests to account for package relationships Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add license exception for xz Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update Location and Coordinate references Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove benchmark tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove mac acceptance tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add syft-grype relationship notes in DEVELOPING.md Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-11-30 18:10:07 +00:00
Dan Luhring	70ec3bfb71	Support for private certificate authorities during DB curation (#494 ) * Add injectable HTTP client to file getter Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * WIP: Map config for custom CA certs Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * update curator and add tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add TLS helper scripts Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove grype-db local mod edit Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * tidy go modules Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use ssl.context over deprecated fn Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * disallow tls 1 and 1.1 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * suppress non-archive sources for fetch-to-dir capability Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * ensure DB load failure does not panic Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2021-11-22 16:59:38 +00:00
Christopher Angelo Phillips	48c0b9b0e3	bump grype-db to latest commit (#501 ) Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>	2021-11-16 13:07:56 -05:00
Swathi Gangisetty	5aa2b7bcac	Support vulnerability matching for Rocky Linux (#500 ) - Update grype-db dependency for the distro-feed namespace mapping - Add test to verify the above mapping Signed-off-by: Swathi Gangisetty <swathi@anchore.com>	2021-11-15 16:14:24 -08:00
Christopher Angelo Phillips	a2762bbbf0	Bump syft version => v0.30.1 (#498 ) * update syft version with correct arguments Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * bump integration tests with new presenter format Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * update integration tests to remove php-composer failure Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>	2021-11-15 17:11:56 -05:00
Dan Luhring	3797965d8a	Resolve vulnerabilities (#486 ) Signed-off-by: Dan Luhring <dan.luhring@anchore.com>	2021-11-09 10:36:33 -05:00
Alex Goodman	3d7c38c670	bump syft to v0.29.0 (#487 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-11-02 14:42:51 -04:00

1 2 3 4

160 commits