Commit graph

184 commits

Author SHA1 Message Date
anchore-actions-token-generator[bot]
403a535321
Update Syft to v0.56.0 (#919)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-09-13 11:18:13 -04:00
Keith Zantow
ba73ab362a
Add support for scanning RPM files (#917) 2022-09-09 14:56:37 -04:00
anchore-actions-token-generator[bot]
77a8eb866d
Update Syft to v0.55.0 (#906)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-08-30 09:18:17 -04:00
anchore-actions-token-generator[bot]
08b4ef493b
Update Syft to v0.54.0 (#881)
Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2022-08-17 19:36:54 +00:00
anchore-actions-token-generator[bot]
262630e01e
Update Syft to v0.53.4 (#856) 2022-08-04 09:37:48 -04:00
Christopher Angelo Phillips
74fd591caf
update golanci-lint, goreleaser, cosign (#850) 2022-07-28 14:55:14 -04:00
Christopher Angelo Phillips
991d16879a
update grype to use syft v0.52.0 (#838) 2022-07-22 16:12:18 +00:00
Zac Medico
30943e032b
add Gentoo matching support (#813)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-07-19 09:37:21 -04:00
Christopher Angelo Phillips
cb6bddfeeb
bump syft version to v0.51.0 (#822) 2022-07-11 15:15:12 -04:00
Christopher Angelo Phillips
0e0a9d9e7a
update syft to v0.50.0 (#818) 2022-07-06 14:48:21 +00:00
Christopher Angelo Phillips
82c0146b0a
update syft => v0.49.0 (#804) 2022-06-24 18:30:36 +00:00
cpendery
bb2f8dcdb4
fix: add fixed versions to cyclonedxjson output (#763) 2022-06-21 17:50:05 -04:00
Christopher Angelo Phillips
0703bae977
update grype to latest syft patch v0.48.1 (#790) 2022-06-17 15:45:33 +00:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
Christopher Angelo Phillips
69de9e7a0a
update syft version to v0.47.0 (#781) 2022-06-09 16:03:14 -04:00
Weston Steimel
81af51302d
use anchore fork of glebarez/sqlite (#778)
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-08 09:41:15 -04:00
dependabot[bot]
07dfb28718
Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-02 09:18:53 -04:00
anchore-actions-token-generator[bot]
10c3604498
Update Syft to v0.46.3 (#761)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>
2022-05-26 10:14:28 -07:00
Alex Goodman
06d28dad9f
bump to syft v0.46.2 (#755)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-05-23 13:47:21 +00:00
Jonas Xavier
c842fb9af5
bump stereoscope version to include source path fix (#752) 2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]
5a5642cc0d
Update Syft to v0.46.1 (#751)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-05-18 14:10:39 -07:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
dependabot[bot]
d6196b6525
Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-04 16:33:28 +01:00
Dan Luhring
0df35f8d2c
address excessive warnings from multiple sources (#741) 2022-05-03 14:05:50 +00:00
Christopher Angelo Phillips
36f5150fa9
bump syft version (#738) 2022-04-29 13:39:08 -04:00
Sambhav Kothari
9f70cdbf24
add initial support for embedded CycloneDX VEX documents (#678) 2022-04-28 12:49:12 -04:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on atttestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Alex Goodman
9cc1c72169
Preserve package IDs on Syft JSON SBOM decode (#731) 2022-04-18 18:22:58 +00:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to includes maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
Alex Goodman
c36e9df887
Use CGO-less sqlite GORM driver (#705) 2022-04-04 18:40:29 +00:00
Jonas Xavier
182c86d11d
Migrate LocationSet and add Dart support (#703) 2022-04-01 08:21:37 -07:00
Keith Zantow
44e676488e
Update syft to v0.42.4 (#697) 2022-03-24 14:11:17 -04:00
Keith Zantow
d8e1c37cd1
Update syft to v0.42.3 (#690) 2022-03-23 17:57:06 -04:00
Alex Goodman
9fc6fb8a32
Bump strset version to fix 386 builds (#689) 2022-03-23 18:27:11 +00:00
j-k
d40fb77c1a
Correct go.mod to enforce go 1.18 (#685)
Since grype now depends on debug/buildinfo go 1.18 is required to build
grype and as such go.mod needs updating

Signed-off-by: 06kellyjac <jack@control-plane.io>
2022-03-22 09:33:35 -04:00
Keith Zantow
f004f7dee3
Update Syft to 0.42.1 (#683) 2022-03-21 20:11:40 +00:00
Jonas Xavier
dae6411c5c
upgrade github workflows to go 1.18 (#649)
* upgrade github workflows to go 1.18

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* upgrade syft & set go1.18 for CI workflows

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add go1.17 static analysis

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix yaml comment

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-03-17 14:58:20 -07:00
Keith Zantow
60c2968953
Update Syft to v0.41.6 (#670) 2022-03-16 12:48:42 -04:00
Keith Zantow
cbdec2ae5e
Update to Syft v0.41.4 (#664) 2022-03-14 17:15:09 -04:00
Keith Zantow
bc8f8414ca
Add SARIF presenter option (#654) 2022-03-14 12:13:37 -04:00
Alex Goodman
1368ea05cd
Add additional DB archive decompressors (#657) 2022-03-07 11:44:43 -05:00
Keith Zantow
ff424d3adc
Bump Syft for CycloneDX input (#650) 2022-03-02 10:05:01 -05:00
Alex Goodman
16cd14519a
Bump syft to release version v0.39.0 (#645)
* bump syft to v0.39.0

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update ByCriteria to log error on failure

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* integration tests now pass

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* bump to v0.39.3

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* raise search failures to warn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go.mod/sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-26 17:28:08 -05:00
Alex Goodman
f29a0d06d8
Bump syft to v0.38.0 for release (#635) 2022-02-15 19:03:55 +00:00
Christopher Angelo Phillips
d2dba7d14a
update golang crypto to resolve CVE-2020-29652 (#631)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-11 13:37:17 -05:00
Christopher Angelo Phillips
16e6bee766
update go -> 1.17 (#628)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-11 10:50:13 -05:00
Alex Goodman
c9f2716389
Abstract upstream package before matching (#607)
* add metadata extraction from pURLs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract upstream packages before matching

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* put pkg.UpstreamPackages under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove pURL related processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in syft spdx decoding

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow for more flexible GHSA namespace and source extraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add matching parity integration tests for all supported formats

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to get spdx tv fix

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-02-10 21:43:12 +00:00
Jonas Xavier
42ca8c61d3
Ensure completion of UI progress bar (#627) 2022-02-10 08:03:15 -08:00
Jonas Xavier
a8c65807fc
update stereoscope version to include Podman (#612)
* update stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* test stereoscope with fix

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove mod replacement and use latest stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-02-01 14:45:11 -08:00
Sambhav Kothari
346df07df5
Add sprig templating functions for grype output (#610)
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-01-28 11:27:27 -05:00