dependabot[bot]
4172e72194
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.12 to 0.5.0 ( #1674 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.4.12 to 0.5.0.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.12...v0.5.0 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-23 11:57:21 -05:00
Feroz Salam
a3ade4242b
fix: take VEX docs into account when --fail-on is set ( #1657 )
...
* Take VEX docs into account when --fail-on is set
Previously, VEX documents provided to Grype when --fail-on was set were not
taken into account. That led to inconsistent behaviour where a vulnerability
would be ignored when only `--vex` was specified, but would be included in
Grype output when both `--vex` and `--fail-on` were specified.
This change fixes that by moving the failure severity check to after the VEX
documents provided are tested.
I have also added a unit test to check that the combination of VEX docs and
failure severity checks works as expected.
Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
* Fix typos
Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
---------
Signed-off-by: Feroz Salam <feroz.salam@isovalent.com>
2024-01-23 10:08:25 -05:00
dependabot[bot]
5e1ba46fb8
chore(deps): bump anchore/sbom-action from 0.15.4 to 0.15.5 ( #1671 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.4 to 0.15.5.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](41f7a6c033...24b0d52385
2024-01-22 10:54:45 -05:00
anchore-actions-token-generator[bot]
90fa3f29fa
chore(deps): update Syft to v0.101.1 ( #1669 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2024-01-19 22:25:33 +00:00
dependabot[bot]
acd8c9c81f
chore(deps): bump github.com/docker/docker ( #1667 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 24.0.7+incompatible to 25.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v24.0.7...v25.0.0 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-19 17:11:39 -05:00
dependabot[bot]
8bc6ca8a1f
chore(deps): bump anchore/sbom-action from 0.15.3 to 0.15.4 ( #1666 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.3 to 0.15.4.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](c7f031d924...41f7a6c033
2024-01-19 15:46:07 -05:00
dependabot[bot]
5436f55aac
chore(deps): bump actions/upload-artifact from 4.1.0 to 4.2.0 ( #1668 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.1.0 to 4.2.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](1eb3cb2b3e...694cdabd8b
2024-01-19 15:45:48 -05:00
dependabot[bot]
9c0ed56528
chore(deps): bump github.com/google/go-containerregistry ( #1665 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.17.0...v0.18.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-19 10:26:28 -05:00
William Murphy
cd1c2ac66e
chore: enable automatic approval of dependabot PRs ( #1664 )
...
To reduce toil in this repo, enable dependabot PRs to be automatically
approved, but not merged. They are not automatically merged because if
the default GitHub token is used to automatically merge a PR, the
resulting commit will not trigger workflows on main. Rather than
generate a more potent token, just automatically review them, which
reduces toil by eliminating several clicks and page loads for
maintainers who are trying to merge dependabot PRs.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-01-18 08:35:37 -05:00
anchore-actions-token-generator[bot]
85be82158b
chore(deps): update Syft to v0.101.0 ( #1663 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2024-01-17 21:06:53 +00:00
Alex Goodman
4569a5ffa6
upgrade syft with latest SBOM creation API ( #1662 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-01-17 12:33:09 -05:00
dependabot[bot]
4c4dfd59f5
chore(deps): bump actions/cache from 3.3.3 to 4.0.0 ( #1661 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.3.3 to 4.0.0.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](e12d46a63a...13aacd865c
2024-01-17 11:40:51 -05:00
plavy
07656abef0
chore(tests): fix logging configuration in tests ( #1655 )
...
Signed-off-by: plavy <tinplavec@gmail.com>
2024-01-16 10:17:17 -05:00
dependabot[bot]
a9f72385f6
chore(deps): bump actions/cache from 3.3.2 to 3.3.3 ( #1656 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.3.2 to 3.3.3.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](704facf57e...e12d46a63a
2024-01-16 09:03:57 -05:00
dependabot[bot]
e296f5fe54
chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 ( #1659 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](c7d193f32e...1eb3cb2b3e
2024-01-16 09:02:36 -05:00
dependabot[bot]
0a7a15746a
chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 ( #1651 )
...
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl ) from 1.3.3 to 1.3.7.
- [Release notes](https://github.com/cloudflare/circl/releases )
- [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7 )
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-09 16:20:55 -05:00
dependabot[bot]
d8c89e8515
chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3 ( #1650 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.2 to 0.15.3.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](719133684c...c7f031d924
2024-01-08 11:03:58 -05:00
anchore-actions-token-generator[bot]
a808408584
chore(deps): update Syft to v0.100.0 ( #1649 )
...
* chore(deps): update Syft to v0.100.0
Signed-off-by: GitHub <noreply@github.com>
* apply CLI options over default cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-01-06 02:27:59 +00:00
Dan Luhring
474030cc62
fix: distro FP data not applied correctly ( #1603 )
...
* fix: distro FP data not applied correctly
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* fix: apply FP data to apk subpackages
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-01-04 13:12:18 -05:00
dependabot[bot]
33b15735a7
chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2 ( #1647 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](5ecf649a41...719133684c
2024-01-03 05:06:05 -05:00
anchore-actions-token-generator[bot]
c6fbffe4cd
chore(deps): update bootstrap tools to latest versions ( #1644 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2024-01-02 09:22:39 -05:00
plavy
89610e1e07
docs: fix logging configuration in README ( #1646 )
...
Signed-off-by: plavy <tinplavec@gmail.com>
2023-12-29 01:53:32 +00:00
dependabot[bot]
55ef6b6108
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 ( #1633 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-12-21 12:02:53 -05:00
dependabot[bot]
634cdf3647
chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 ( #1641 )
2023-12-20 16:30:16 +00:00
dependabot[bot]
010b2583b0
chore(deps): bump github.com/containerd/containerd from 1.7.8 to 1.7.11 ( #1642 )
2023-12-20 16:27:47 +00:00
dependabot[bot]
a88a00a515
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 ( #1638 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.3 to 4.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](a8a3f3ad30...c7d193f32e
2023-12-18 06:57:52 -05:00
dependabot[bot]
556c8c0dc2
chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 ( #1632 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](1fc5bd396d...9614fae9e5
2023-12-15 10:29:02 -05:00
dependabot[bot]
7b334451b9
chore(deps): bump github.com/charmbracelet/bubbletea ( #1635 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 0.24.2 to 0.25.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.24.2...v0.25.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 17:50:11 -05:00
dependabot[bot]
4ec7a03abd
chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 ( #1636 )
...
Bumps [github.com/google/uuid](https://github.com/google/uuid ) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases )
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md )
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0 )
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 11:44:27 -05:00
dependabot[bot]
a820759495
chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 ( #1630 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](93397bea11...0c52d547c9
2023-12-11 06:40:01 -05:00
dependabot[bot]
c6719ccd02
chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 ( #1626 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.0 to 0.15.1.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](fd74a6fb98...5ecf649a41
2023-12-05 09:49:09 -05:00
Christopher Angelo Phillips
11b9e9616c
chore: pin action to correct sha ( #1598 )
...
* chore: pin action to correct sha
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: add version for dependabot
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-12-01 10:43:56 -05:00
dependabot[bot]
2e9eff8f74
chore(deps): bump github.com/google/go-containerregistry ( #1625 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.16.1...v0.17.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-30 12:08:31 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests ( #1623 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Christopher Angelo Phillips
06b9f1c907
chore: update syft; go mod tidy ( #1621 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-29 15:04:17 -05:00
dependabot[bot]
6a1aa587af
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 ( #1618 )
...
Bumps [github.com/spf13/afero](https://github.com/spf13/afero ) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/spf13/afero/releases )
- [Commits](https://github.com/spf13/afero/compare/v1.10.0...v1.11.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/afero
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 11:06:18 -05:00
William Murphy
e887501628
chore: explicitly test maven suffixes ( #1617 )
...
Some older Maven releases include a suffix like .RELEASE on the version
number. Grype's behavior with regard to these versions has been
suggested as a source of false positives. Pin the behavior with tests to
make it easier to reason about how Grype will compare maven versions and
to guard against this behavior accidentally changing.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-27 09:33:56 -05:00
dependabot[bot]
e4242b9246
chore(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 ( #1611 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.14.3 to 0.15.0.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](78fc58e266...fd74a6fb98
2023-11-21 13:47:08 -05:00
anchore-actions-token-generator[bot]
dbe2a9515a
chore(deps): update Syft to v0.97.1 ( #1610 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-17 21:27:07 +00:00
anchore-actions-token-generator[bot]
78f57a3c69
chore(deps): update Syft to v0.97.0 ( #1608 )
...
* chore(deps): update Syft to v0.97.0
Signed-off-by: GitHub <noreply@github.com>
* fix syft api usage
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-16 19:20:28 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset ( #1606 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
William Murphy
273fe0ef16
fix: golang version parsing ( #1599 )
...
Add a golang version parser, which is a very thin wrapper
around a semantic vesion, but knows to trim "go" before attempting
to parse as a semantic version.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-15 17:25:32 -05:00
anchore-actions-token-generator[bot]
83e5176127
chore(deps): update bootstrap tools to latest versions ( #1595 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-09 08:08:22 -08:00
dependabot[bot]
830da2ff2c
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 ( #1597 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.4.11 to 0.4.12.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.11...v0.4.12 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 07:52:24 -08:00
anchore-actions-token-generator[bot]
e44ec4d4bc
chore(deps): update Syft to v0.96.0 ( #1596 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
2023-11-09 14:30:10 +00:00
William Murphy
1afcf1f185
fix: match against debian unstable ( #1593 )
...
This is done by special casing "sid" in the pretty name of
a Linux distro to point to the grype-db debian unstable namespace.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-08 15:17:01 -05:00
Eng Zer Jun
3c255e3c10
perf: avoid allocations with (*regexp.Regexp).MatchString ( #1592 )
...
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-11-08 09:32:01 -08:00
dependabot[bot]
5d8cfd56c7
chore(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 ( #1590 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](11086d2504...1fc5bd396d
2023-11-08 06:18:38 +00:00
anchore-actions-token-generator[bot]
1543248822
chore(deps): update Syft to v0.95.0 ( #1591 )
2023-11-07 15:42:43 -05:00
Alex Goodman
4b06a160e1
chore: account for syft package metadata changes ( #1423 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-11-07 15:17:36 -05:00
