dependabot[bot]
45d03b6df0
chore(deps): bump github/codeql-action from 2.2.11 to 2.2.12 ( #1233 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.11 to 2.2.12.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](d186a2a36c...7df0ce3489
2023-04-17 11:42:08 -04:00
anchore-actions-token-generator[bot]
6477f328c8
chore(deps): update bootstrap tools to latest versions ( #1238 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-04-17 11:41:48 -04:00
Alex Goodman
17f4917da1
add format make target ( #1231 )
...
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-12 14:37:44 -04:00
dependabot[bot]
5f7b4f2416
chore(deps): bump 8398a7/action-slack from 3.15.0 to 3.15.1 ( #1223 )
...
Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack ) from 3.15.0 to 3.15.1.
- [Release notes](https://github.com/8398a7/action-slack/releases )
- [Commits](bdc6f9de22...fbd6aa58ba
2023-04-12 10:55:31 -04:00
dependabot[bot]
1f51229e17
chore(deps): bump github.com/docker/docker ( #1218 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 23.0.2+incompatible to 23.0.3+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v23.0.2...v23.0.3 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-12 10:55:21 -04:00
dependabot[bot]
4b773c583e
chore(deps): bump github/codeql-action from 2.2.9 to 2.2.11 ( #1225 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.9 to 2.2.11.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](04df1262e6...d186a2a36c
2023-04-12 10:54:35 -04:00
anchore-actions-token-generator[bot]
47ff457a36
chore(deps): update bootstrap tools to latest versions ( #1227 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-04-12 10:54:17 -04:00
dependabot[bot]
01cbc98198
chore(deps): bump peter-evans/create-pull-request from 4.2.4 to 5.0.0 ( #1219 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 4.2.4 to 5.0.0.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](38e0b6e68b...5b4a9f6a9e
2023-04-05 19:07:58 -04:00
dependabot[bot]
2e8a63dba6
chore(deps): bump golang.org/x/term from 0.6.0 to 0.7.0 ( #1217 )
...
Bumps [golang.org/x/term](https://github.com/golang/term ) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/term/releases )
- [Commits](https://github.com/golang/term/compare/v0.6.0...v0.7.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/term
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-05 19:05:38 -04:00
dependabot[bot]
cecad5c9c4
chore(deps): bump github.com/spf13/cobra from 1.6.1 to 1.7.0 ( #1216 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.6.1 to 1.7.0.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.6.1...v1.7.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-04 14:32:16 -04:00
dependabot[bot]
d8c0c0805b
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 ( #1213 )
...
* chore(deps): bump github.com/CycloneDX/cyclonedx-go
Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go ) from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1.
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases )
- [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml )
- [Commits](https://github.com/CycloneDX/cyclonedx-go/commits/v0.7.1 )
---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix: update test fixtures
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-04 14:41:03 +00:00
Christopher Angelo Phillips
8dec5c3784
feat: add default-image-source-config option ( #1215 )
...
#1204 surfaces the need for allowing a user to express a preference over the default-image-pull-source to be used when building an SBOM for vulnerability scanning.
This adds a config option into grype to consume the new syft behavior.
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-04 10:28:33 -04:00
dependabot[bot]
0b306fae25
chore(deps): bump google.golang.org/protobuf from 1.29.0 to 1.29.1 ( #1212 )
...
Bumps google.golang.org/protobuf from 1.29.0 to 1.29.1.
---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-03 14:36:40 -04:00
dependabot[bot]
537c47735c
chore(deps): bump anchore/sbom-action from 0.13.4 to 0.14.1 ( #1214 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.13.4 to 0.14.1.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](448520c4f1...422cb34a0f
2023-04-03 14:35:56 -04:00
dependabot[bot]
147f5cf92f
chore(deps): bump github.com/anchore/syft from 0.75.0 to 0.76.0 ( #1207 )
...
* chore(deps): bump github.com/anchore/syft from 0.75.0 to 0.76.0
Bumps [github.com/anchore/syft](https://github.com/anchore/syft ) from 0.75.0 to 0.76.0.
- [Release notes](https://github.com/anchore/syft/releases )
- [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml )
- [Commits](https://github.com/anchore/syft/compare/v0.75.0...v0.76.0 )
---
updated-dependencies:
- dependency-name: github.com/anchore/syft
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore: update ParseInput signature with new syft version
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: update integration tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-03 10:48:33 -04:00
Keith Zantow
b9e40306d2
chore: update syft update ( #1211 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-04-03 10:28:53 -04:00
Keith Zantow
f40b5d43ab
chore: update deprecated set-output calls ( #1210 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-04-03 09:36:18 -04:00
dependabot[bot]
e5cb58f597
chore(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 ( #1205 )
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.1.2 to 2.1.3.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](e38b1902ae...80e868c13c
2023-03-31 09:39:00 -04:00
Weston Steimel
b2bd709e6d
chore: update quality gate dataset ( #1206 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-31 13:16:59 +01:00
dependabot[bot]
7614621b1d
chore(deps): bump github.com/docker/docker ( #1201 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 23.0.1+incompatible to 23.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v23.0.1...v23.0.2 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-29 09:59:00 -04:00
Dan Luhring
45c5f8c9c7
Implement support for Chainguard Linux ( #1198 )
...
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2023-03-28 10:52:33 -04:00
anchore-actions-token-generator[bot]
dfcce84cdb
chore(deps): update bootstrap tools to latest versions ( #1194 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-03-27 12:51:53 -04:00
dependabot[bot]
fe76eb9efc
chore(deps): bump github/codeql-action from 2.2.8 to 2.2.9 ( #1197 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.8 to 2.2.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](67a35a0858...04df1262e6
2023-03-27 12:51:20 -04:00
dependabot[bot]
b3eff0c2d8
chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3 ( #1192 )
2023-03-24 07:49:36 -04:00
dependabot[bot]
4ac94147a4
chore(deps): bump github/codeql-action from 2.2.7 to 2.2.8 ( #1193 )
2023-03-24 07:49:13 -04:00
anchore-actions-token-generator[bot]
c1990daed1
chore(deps): update bootstrap tools to latest versions ( #1191 )
2023-03-22 09:00:47 -04:00
Keith Zantow
c1bc54f943
chore: tweak some workflow text ( #1190 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-03-21 11:09:10 -04:00
dependabot[bot]
6716ca5e24
chore(deps): bump github.com/hashicorp/go-getter from 1.7.0 to 1.7.1 ( #1181 )
2023-03-21 09:51:55 -04:00
dependabot[bot]
568b504a7e
chore(deps): bump peter-evans/create-pull-request from 4.2.3 to 4.2.4 ( #1184 )
2023-03-21 09:51:27 -04:00
dependabot[bot]
e8fa509e72
chore(deps): bump anchore/sbom-action from 0.13.3 to 0.13.4 ( #1189 )
2023-03-21 09:50:56 -04:00
anchore-actions-token-generator[bot]
353bc87bb2
chore: Update grype bootstrap tools to latest versions. ( #1187 )
2023-03-21 09:36:06 -04:00
Weston Steimel
b996cbe29b
fix: by-cpe pivot by vuln metadata rather than vulnerability record ( #1188 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-20 14:39:46 +00:00
anchore-actions-token-generator[bot]
0bc0aa76a1
Update grype bootstrap tools to latest versions. ( #1173 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-03-15 17:20:06 -04:00
dependabot[bot]
96cbcad484
chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 ( #1182 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3.5.0 to 4.0.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](6edd4406fa...4d34df0c23
2023-03-15 17:19:41 -04:00
dependabot[bot]
0cc8b9e4f6
chore(deps): bump github/codeql-action from 2.2.5 to 2.2.7 ( #1183 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.5 to 2.2.7.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](32dc499307...168b99b3c2
2023-03-15 17:19:12 -04:00
Weston Steimel
52f724f785
feat: disable CPE-based matching by default for javascript ( #1180 )
...
* feat: disable CPE-based matching by default for javascript
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: bump vuln match label dataset
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-14 16:34:41 +00:00
anchore-actions-token-generator[bot]
6da09d4fda
Update Syft to v0.75.0 ( #1177 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-03-14 08:47:20 +00:00
Weston Steimel
c3fc8cba63
chore: bump vuln match quality dataset ( #1174 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-13 19:36:26 +00:00
dependabot[bot]
3a4d01b59c
chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.1 to 1.4.2 ( #1166 )
...
Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype ) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases )
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.1...v1.4.2 )
---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-09 15:06:26 +00:00
anchore-actions-token-generator[bot]
29b6465689
Update grype bootstrap tools to latest versions. ( #1163 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-03-09 09:41:19 -05:00
anchore-actions-token-generator[bot]
2bc4c35142
Update Syft to v0.74.1 ( #1168 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-03-09 14:37:02 +00:00
Weston Steimel
6a46070cb1
fix: correct APK CPE version comparison logic ( #1165 )
...
Previously, the -r{buildindex} suffix of APK package versions were
treated as pre-release versions per the fuzzy matcher logic; however,
these should be treated as equivalent to the release version for the
purposes of collecting CPE-based matches for APK packages.
We may want to make a similar change in syft to generate cleaner CPE
versions for APK packages, but making the change in grype corrects
behaviour for previously-generated SBOMs as well.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-08 14:36:56 +00:00
Christopher Angelo Phillips
5754360376
Grype Release Pipeline Update ( #1147 )
...
- Remove old apple signing flow in favor of [quill](https://github.com/anchore/quill )
- Update changelog generation to be in sync with syft's flow
- Remove old goreleaser docker workflow in favor of single file
- Remove individual bootstrap options in favor of single bootstrap action
- Update release and validation workflows to use trigger based approach seen in syft
- Update golangci.yaml to be equivalent to syft patterns
- Remove unused Dockerfile.dev
- Remove docker-compose development cycle
- Add organized test-fixture Makefile targets
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-03-03 21:17:44 +00:00
Maxim Zhiburt
b88e961159
Add the total types of vulnerabilities in Grype output ( #946 )
...
* Add the total types of vulnerabilities in Grype output
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Albert Simon <simon.albert75@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-03-03 20:38:29 +00:00
dependabot[bot]
8076863582
chore(deps): bump gorm.io/gorm from 1.23.5 to 1.23.10 ( #1157 )
...
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm ) from 1.23.5 to 1.23.10.
- [Release notes](https://github.com/go-gorm/gorm/releases )
- [Commits](https://github.com/go-gorm/gorm/compare/v1.23.5...v1.23.10 )
---
updated-dependencies:
- dependency-name: gorm.io/gorm
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-03 12:26:49 -05:00
Weston Steimel
adad97628e
chore: bump quality gate labels and syft version ( #1156 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-02 20:06:38 +00:00
anchore-actions-token-generator[bot]
04a55885ee
chore: Update Syft to v0.74.0 ( #1151 )
2023-03-02 12:22:46 -05:00
Morten Linderud
bb92f44003
fix(distro): Disable support for Arch Linux ( #1152 )
...
Signed-off-by: Morten Linderud <morten@linderud.pw>
2023-03-02 10:27:07 -05:00
Keith Zantow
bdcefd2554
chore: update progress monitor handling ( #1149 )
2023-03-01 16:47:01 -05:00
anchore-actions-token-generator[bot]
d1352ce843
Update Syft to v0.73.0 ( #1140 )
...
* Update Syft to v0.73.0
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-02-27 21:12:37 +00:00
