Commit graph

102 commits

Author SHA1 Message Date
Christopher Angelo Phillips
3e0af43383
chore: pin dependencies (#994) 2022-11-14 21:23:42 +00:00
Weston Steimel
e33b1203a1
feat: consider well-known false-positive generating CPE target SW components in match filtering logic (#961)
Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by
syft cataloging but are well-known sources of false-positives. This currently adds support for filtering various
permutations of `wordpress`, `joomla`, and `drupal`

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-11-02 20:21:14 +00:00
Weston Steimel
a2ab617cef
chore: grype quality pipeline latest label updates and images (#976)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-11-01 21:20:49 +00:00
Weston Steimel
4cda526992
implement v5 db schema to support improved matching between rpm appstream modules (#944)
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2022-10-18 00:34:47 +01:00
Weston Steimel
cd634961e6
expand quality gate image set to include rpm appstreams-related images (#952)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-10-10 17:10:10 +01:00
Weston Steimel
539e64204a
chore: add more quality gate images (#950)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-10-06 15:01:49 +01:00
Alex Goodman
d4587ddeec
Add in-depth quality gate checks (#949)
* add in-depth quality gate checks

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add quality tests to PR checks

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-10-05 16:26:26 -04:00
Keith Zantow
ba73ab362a
Add support for scanning RPM files (#917) 2022-09-09 14:56:37 -04:00
Chapman Pendery
d5b825e40b
feat: extract use cpes in matching logic to be configurable (#911) 2022-09-06 09:55:35 -04:00
skuethe
ae37eb4a05
Add s390x build support (#720)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-08-18 16:28:10 -04:00
Christopher Angelo Phillips
74fd591caf
update golangci-lint, goreleaser, cosign (#850) 2022-07-28 14:55:14 -04:00
Christopher Angelo Phillips
991d16879a
update grype to use syft v0.52.0 (#838) 2022-07-22 16:12:18 +00:00
Zac Medico
30943e032b
add Gentoo matching support (#813)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-07-19 09:37:21 -04:00
Christopher Angelo Phillips
addbd07b4f
Add new matcher files for golang => remove main module FP matches (#829) 2022-07-18 13:14:03 -04:00
artsv79
2233736e98
add DBCloser. Clients can avoid db connection leak if vulnerability db is loaded many times (#825) 2022-07-12 09:54:42 -04:00
Christopher Angelo Phillips
cb6bddfeeb
bump syft version to v0.51.0 (#822) 2022-07-11 15:15:12 -04:00
cpendery
e2fff6c22f
feat: implement grype db diff command (#812)
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
2022-07-11 09:46:59 -04:00
Christopher Angelo Phillips
0e0a9d9e7a
update syft to v0.50.0 (#818) 2022-07-06 14:48:21 +00:00
Weston Steimel
44032c514c
Finalize v4 Grype schema (#803)
* initial v4 schema setup

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update v3 => v4 for unit tests

-- did NOT update
    - grype/db/v3/*

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* use nullable string in sqlite so null values get represented correctly

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add missing unit test case for dotnet

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* Add db writer function for calling sqlite vacuum

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* adding normalization of package names at database adapter layer

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* refactor namespaces for v4

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update v4 stuff to use sqlite fork

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* Namespace should satisfy Stringer interface

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* normalize CPEs before comparison

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* vulnerability exclusion => vulnerability match exclusion

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* updates to vulnerability match exclusion models

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add initial vulnerability match exclusion store unit tests

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* make vuln match exclusion constraints nullable

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* move vuln match namespace into constraints object and refactor

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* check db match constraints to ensure there aren't any unknown fields and add json hints

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* ensure we only keep compatible match exclusion constraints

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* use omitempty on all match exclusion structs

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* remove db v4 schema resolver and namespace types

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename Vacuum to Close

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* lint fixes + remove panic on vuln provider creation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* WIP match exclusions

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* build list of ignore rules from v4 db records

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* quick attempt at a new uber object

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* just pass around the full object for now to quickly get to a usable state

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix panic when no vuln db loaded

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* use interfaces for db.store function signatures

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* Flatten the match exclusion constraint model to simplify logic

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* updating some tests

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix panic when no db update possible

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* more tests

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* WIP fixing match exclusion constraint usability and json mapping logic

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add v4 db diff logic (excluding vulnerability_match_exclusion data for now)

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* lint fix

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update integration tests

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* nvd -> nvd:cpe namespace updates

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* ensure test store uses v4 normalized names

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* set the grype db update url to staging for v4

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* prevent more segfaults on database open

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add continue when unable to load ignore rules

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* remove db.Status from the Store object

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix compare_sbom_input_vs_lib_test.go

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* remove staging endpoint now that v4 is published

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2022-07-05 19:03:16 +01:00
cpendery
90df6815e6
feat: add diffing 2 databases to v3 store functionality (#789) 2022-06-28 14:22:37 -04:00
Christopher Angelo Phillips
0703bae977
update grype to latest syft patch v0.48.1 (#790) 2022-06-17 15:45:33 +00:00
Jonas Xavier
2a587d0890
ignore gemfile rich version for semVer comparison (#776)
* ignore gemfile rich version during comparison

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* update search and version tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix int tests and lint error

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nit on error message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* split based on arch in gem version

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* reuse semVer constraint

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more constraint tests cases

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more comments and tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* add lower case version check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* validate that ruby version work with semver and gem version

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more comments and tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* rename gem version format const

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-10 14:09:58 -04:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to include maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
Jonas Xavier
182c86d11d
Migrate LocationSet and add Dart support (#703) 2022-04-01 08:21:37 -07:00
Alex Goodman
cc8e7836f3
Add platform selection (#666) 2022-03-15 13:13:05 +00:00
Keith Zantow
cbdec2ae5e
Update to Syft v0.41.4 (#664) 2022-03-14 17:15:09 -04:00
Keith Zantow
fc8e13f5b8
Support for SBOMs with incomplete linux distribution or CPE information (#606) 2022-03-03 16:31:46 -05:00
Alex Goodman
ad9918a681
Add gosimports linter (#647) 2022-03-03 14:50:24 -05:00
Alex Goodman
4af3cf7455
reduce PR CI pain and flakiness (#652) 2022-03-02 14:03:19 -05:00
Alex Goodman
598af89b2e
Upgrade install.sh to support installations for previous versions (#636) 2022-02-15 17:29:24 -05:00
Alex Goodman
5aa85338d6
Normalize release assets and refactor install.sh (#630)
* refactor release to keep snapshot assets in parity with release assets

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* refactor install.sh and put under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go.sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add mac acceptance test to github actions workflow

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rm use of goreleaser in cli tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* go mod tidy with go 1.17

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-02-11 19:24:25 +00:00
Alex Goodman
c9f2716389
Abstract upstream package before matching (#607)
* add metadata extraction from pURLs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract upstream packages before matching

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* put pkg.UpstreamPackages under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove pURL related processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in syft spdx decoding

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow for more flexible GHSA namespace and source extraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add matching parity integration tests for all supported formats

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to get spdx tv fix

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-02-10 21:43:12 +00:00
Alex Goodman
2f8682b3db
Add ability to merge matches (#602)
* enable merging of matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add ability for matches constructor to take initial matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update tests to include IDs on package objects

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename common matcher helper package to search package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename search functions and add SearchByCriteria

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* cleanup imports

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-25 10:29:16 -05:00
Alex Goodman
6e3aa6a8d7
Add strong distro type (#585)
* add strong distro type

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* nit changes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update grype/db package to use distro pointer

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* source distro type from release name

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to pull in distro type updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump lint timeout

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 13:47:27 -05:00
Alex Goodman
2647cd0d9e
Port grype-db to grype (#587)
* port grype-db to grype

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* migrate vulnerability provider implementation to db package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade path import validations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting issues

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 10:03:22 -05:00
Alex Goodman
c88ee0e8f5
add expose minimal search configuration (#579)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-09 06:14:57 -05:00
Christopher Angelo Phillips
64d4dbb993
update syft version for new release (#578)
* update syft

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update CatalogPackages to use new cataloger config struct

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update integration tests

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-07 17:57:44 -05:00
Keith Zantow
647d6fb770
Add --exclude flag (#551) 2021-12-21 12:52:07 -05:00
Eng Zer Jun
0781fb028b
refactor: move from io/ioutil to io and os packages (#543)
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2021-12-15 09:35:04 -05:00
Alex Goodman
51e1b6307b
Update syft, jotframe, and validations pipeline (#512)
* update syft and jotframe

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update validations and release pipeline

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* moved terminal package to golang.org/x/term

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update integration tests to account for package relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add license exception for xz

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update Location and Coordinate references

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove benchmark tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove mac acceptance tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add syft-grype relationship notes in DEVELOPING.md

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-30 18:10:07 +00:00
Dan Luhring
70ec3bfb71
Support for private certificate authorities during DB curation (#494)
* Add injectable HTTP client to file getter

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* WIP: Map config for custom CA certs

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* update curator and add tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add TLS helper scripts

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove grype-db local mod edit

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go modules

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use ssl.context over deprecated fn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* disallow tls 1 and 1.1

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* suppress non-archive sources for fetch-to-dir capability

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure DB load failure does not panic

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-22 16:59:38 +00:00
Christopher Angelo Phillips
a2762bbbf0
Bump syft version => v0.30.1 (#498)
* update syft version with correct arguments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump integration tests with new presenter format

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update integration tests to remove php-composer failure

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-11-15 17:11:56 -05:00
Alex Goodman
afc9de6058
Fix hang when running as a subprocess (#484)
* use named pipe bit on stdin as indicator for piped input

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure stdin is ignored when the CLI hints are present

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add CLI test to cover subprocess integration behavior

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* added test case for java regression

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove extra line in makefile

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-29 14:51:58 +00:00
Christopher Angelo Phillips
9cd917d29c
Add windows support (#464)
* update grype to compile windows

Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update go mod with new stereoscope

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update build comments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* small build tags

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* add goreleaser windows

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump syft version

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update tests

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update test images to use newest pinned golang

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-10-22 13:46:56 -04:00
Dan Luhring
19a513a42a
Silence usage and errors on root command (#462)
* Silence usage and errors on root command

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* show help when no args are given

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add cli test for help behavior

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-20 09:50:59 -04:00
Sam Dacanay
2dd41311cb
Retrieve target from directory sbom types in addition to image types (#440)
* Retrieve target from directory sbom types in addition to image types

Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>

* add dir sbom ingest test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-06 13:59:36 +00:00
Alex Goodman
6fe9fc2c8c
update linter + fix whitespace (#443)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-06 09:49:42 -04:00
Alex Goodman
b1f3be4520
Upgrade config, UI, and command package patterns (#406)
* split and upgrade config processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade UI organization

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* expose logger writer

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) event loop abstraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update aux commands to use Cobra RunE over Run

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade root command to use new event loop and signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update CLI test to account for config representation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update dependencies + fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* decompose application config parse func + add missing config struct tags

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* restore unparam lint exclusion for registry config

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-01 13:03:50 -04:00