Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: update digest for test fixture dockerfile
The previous digest was specifically for i386. The updated digest should use the manifest to determine the correct platform to use based on the client.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: add digest on archlinux test fixture image
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by
syft cataloging but are well-known sources of false-positives. This currently adds support for filtering various
permutations of `wordpress`, `joomla`, and `drupal`
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to the correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* initial v4 schema setup
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v3 => v4 for unit tests
-- did NOT update
- grype/db/v3/*
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* use nullable string in sqlite so null values get represented correctly
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add missing unit test case for dotnet
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Add db writer function for calling sqlite vacuum
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* adding normalization of package names at database adapter layer
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* refactor namespaces for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v4 stuff to use sqlite fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Namespace should satisfy Stringer interface
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* normalize CPEs before comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* vulnerability exclusion => vulnerability match exclusion
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updates to vulnerability match exclusion models
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add initial vulnerability match exclusion store unit tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* make vuln match exclusion constraints nullable
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* move vuln match namespace into constraints object and refactor
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* check db match constraints to ensure there aren't any unknown fields and add json hints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure we only keep compatible match exclusion constraints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use omitempty on all match exclusion structs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db v4 schema resolver and namespace types
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Vacuum to Close
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* lint fixes + remove panic on vuln provider creation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* WIP match exclusions
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* build list of ignore rules from v4 db records
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* quick attempt at a new uber object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* just pass around the full object for now to quickly get to a usable state
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no vuln db loaded
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use interfaces for db.store function signatures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Flatten the match exclusion constraint model to simplify logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updating some tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no db update possible
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* more tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* WIP fixing match exclusion constraint usability and json mapping logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add v4 db diff logic (excluding vulnerability_match_exclusion data for now)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* lint fix
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update integration tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* nvd -> nvd:cpe namespace updates
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure test store uses v4 normalized names
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* set the grype db update url to staging for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* prevent more segfaults on database open
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add continue when unable to load ignore rules
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db.Status from the Store object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix compare_sbom_input_vs_lib_test.go
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove staging endpoint now that v4 is published
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* ignore gemfile rich version during comparison
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* update search and version tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix int tests and lint error
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nit on error message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* split based on arch in gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* reuse semVer constraint
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more constraint test cases
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add lower case version check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* validate that ruby versions work with semver and gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* rename gem version format const
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add key flag to attest validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp: verify sig and extract sbom
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip read attestation without scheme
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp consuming attestations - needs unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove prototype file
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop local syft from go.mod
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix order of sbom parsing strategies
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle implicit attestation input
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test for invalid attestation key
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* rebase and go-mod-tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* consume attestation via stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* attestation test for stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* validate input and content for attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add stdin test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix config tags
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add int test to ignore attestation validation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix cycloneDX attestation fixture
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered att test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered predicate type test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* improve docs/help on attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* upgrade to latest syft
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fall through when guessing between sbom and att
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix butter finger rebase
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* drop default key value
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* assert error messages
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better test/cli coverage
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix stdin decode test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix goimports
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* tui - verified attestation and feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better naming
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add attestation section to config file
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* emit event for skipped verification
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* use public key name
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* refactor release to keep snapshot assets in parity with release assets
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor install.sh and put under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go.sum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add mac acceptance test to github actions workflow
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm use of goreleaser in cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* go mod tidy with go 1.17
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add metadata extraction from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract upstream packages before matching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put pkg.UpstreamPackages under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove pURL related processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in syft spdx decoding
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for more flexible GHSA namespace and source extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add matching parity integration tests for all supported formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to get spdx tv fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable merging of matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ability for matches constructor to take initial matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to include IDs on package objects
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename common matcher helper package to search package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename search functions and add SearchByCriteria
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cleanup imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add strong distro type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update grype/db package to use distro pointer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* source distro type from release name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to pull in distro type updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump lint timeout
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port grype-db to grype
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate vulnerability provider implementation to db package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade path import validations
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting issues
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update syft
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update CatalogPackages to use new cataloger config struct
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update integration tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>