dependabot[bot]
4e31789324
chore(deps): bump peter-evans/create-pull-request from 5.0.1 to 5.0.2 ( #1351 )
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request) from 5.0.1 to 5.0.2.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases)
- [Commits](284f54f989...153407881e)
---
updated-dependencies:
- dependency-name: peter-evans/create-pull-request
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-14 15:58:43 -04:00
dependabot[bot]
7be9da43e1
chore(deps): bump github/codeql-action from 2.3.6 to 2.13.4 ( #1344 )
2023-06-13 13:40:02 +00:00
Josh Bressers
6ac1f17d9c
chore: Update the contributing guide ( #1347 )
Signed-off-by: Josh Bressers <josh@bress.net>
2023-06-13 09:39:14 -04:00
James Neate
c47304b7a2
feat: add community template folder and new table template ( #1343 )
Signed-off-by: James Neate <jamesmneate@gmail.com>
2023-06-09 11:33:20 -04:00
Weston Steimel
e8143f2c94
chore: log unsupported package qualifier as debug ( #1340 )
Logs unsupported package qualifiers at `debug` level rather than
`warning`. The message is only meant to convey that there are new
qualifiers available in grype-db that the version of grype being used
cannot take advantage of to improve matching behavior; however, the
warning is confusing to users and may make it seem like grype is in a
broken state.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-06-08 17:02:07 -04:00
Weston Steimel
844711285b
feat: add package info to search by for all match details ( #1339 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-06-06 19:32:50 +01:00
anchore-actions-token-generator[bot]
3865f4cc1d
chore(deps): update bootstrap tools to latest versions ( #1334 )
* chore(deps): update bootstrap tools to latest versions
Signed-off-by: GitHub <noreply@github.com>
* chore: dependency clean-up
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: fix s/a changes
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: update PURL provider tests; remove unparam
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-06-05 21:17:20 +00:00
dependabot[bot]
7f71f7f849
chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 ( #1336 )
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-05 12:50:01 -04:00
dependabot[bot]
dc9bc1ee04
chore(deps): bump github/codeql-action from 2.3.5 to 2.3.6 ( #1331 )
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0225834cc5...83f0fe6c49)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-01 15:41:37 -04:00
James Tran
c1f677261c
Hide suppressed vulnerabilities when --show-suppressed is not given ( #1322 )
Signed-off-by: James Tran <jamestran201@github.com>
2023-05-30 13:46:46 -04:00
dependabot[bot]
7c681d5059
chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 ( #1324 )
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.3...v1.8.4)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-30 12:42:46 -04:00
dependabot[bot]
8fbcb42619
chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 ( #1323 )
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.15.0 to 1.16.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.15.0...v1.16.0)
---
updated-dependencies:
- dependency-name: github.com/spf13/viper
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-30 12:13:39 -04:00
Weston Steimel
77eb4bb53f
feat: add source and type to CVSS information ( #1317 )
Adds source and type to the CVSS score information to allow
identification of the organization that submitted the score and whether
they are a primary or secondary source.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-05-26 18:37:08 +01:00
dependabot[bot]
2d1dcd72dc
chore(deps): bump github.com/docker/docker ( #1320 )
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.1+incompatible to 24.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.1...v24.0.2)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-26 12:39:51 -04:00
dependabot[bot]
ac67a27a87
chore(deps): bump github/codeql-action from 2.3.3 to 2.3.5 ( #1321 )
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](29b1f65c5e...0225834cc5)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-26 12:35:45 -04:00
Christopher Angelo Phillips
0f71006f62
chore: update gomod with latest syft ( #1313 )
* chore: update go mod with latest syft
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-05-23 13:57:53 -04:00
dependabot[bot]
3b80916c23
chore(deps): bump github.com/docker/docker ( #1311 )
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.0+incompatible to 24.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.0...v24.0.1)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-23 13:42:03 -04:00
Alex Goodman
852a208417
bump syft to pre-release of v0.81.0 ( #1310 )
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-05-22 14:17:34 +00:00
guangwu
efb611d800
add main bin ignore ( #1305 )
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-05-22 09:14:31 -04:00
dependabot[bot]
1a3b92a3f1
chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 ( #1309 )
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-22 09:13:30 -04:00
dependabot[bot]
e7fa9d6d50
chore(deps): bump github.com/docker/docker ( #1304 )
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.6+incompatible to 24.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.6...v24.0.0)
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-19 11:41:10 -04:00
dependabot[bot]
f15b1fa1f8
chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 ( #1307 )
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.2)
---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-19 11:40:38 -04:00
dependabot[bot]
a153b3047b
chore(deps): bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 ( #1289 )
2023-05-17 13:45:58 +00:00
dependabot[bot]
e4b756eb34
chore(deps): bump github.com/docker/distribution ( #1290 )
2023-05-17 13:45:39 +00:00
dependabot[bot]
745dca977c
chore(deps): bump actions/setup-go from 4.0.0 to 4.0.1 ( #1298 )
2023-05-17 13:24:06 +00:00
guangwu
8220910b83
chore: update deprecated io/ioutil calls ( #1296 )
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-05-17 09:23:31 -04:00
Weston Steimel
d34b28193e
feat: package qualifier for platform CPE ( #1291 )
This allows filtering vulnerability matches that are only applicable
when running on specific platforms. It currently supports filtering
matches that are only applicable for windows, debian, and ubuntu when
the underlying distro is known and does not match.
Additionally, wordpress platform matches are always filtered since
wordpress plugins are not currently discoverable by syft and can be
a significant source of false-positive matches. These are already
filtered when the target software component of the CPE is used
rather than a running on platform CPE configuration.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-05-17 13:35:03 +01:00
devfbe
e1bdbc7d27
Fix reading syft json from stdin by redirect ( #1299 )
I figured out that running `cat syft.json | grype` works but
`grype < syft.json` does not work. This happens, because the
IsPipedInput method only checks if stdin is a pipe which will be false
if stdin is fed by a redirect.
The Go-idiomatic way to fix this is by just checking if the file
produced by stat has a size > 0.
Implemented this check, that will recognize stdin by redirect, in the
IsPipedInput() method. Renamed the method to IsStdinPipeOrRedirect().
Signed-off-by: Felix Becker <git@felixbecker.name>
Co-authored-by: Benjamin Neff <benjamin@coding4coffee.ch>
2023-05-16 19:41:43 +00:00
Alex Goodman
d74e85385c
should only use hermetic functions in templates ( #1288 )
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-05-11 19:09:25 +00:00
anchore-actions-token-generator[bot]
2c9a1740e3
chore(deps): update bootstrap tools to latest versions ( #1285 )
2023-05-10 08:26:15 -04:00
James Neate
0ace6b1a98
feat: add non-hermetic sprig functions ( #1243 ) ( #1273 )
Because the general set of sprig functions can be used to access
environment variables, explicitly warn users never to run untrusted
templates.
---------
Signed-off-by: James Neate <jamesmneate@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-05-08 17:14:45 -04:00
William Murphy
6f779ec424
fix: typo in logger prefix ( #1283 )
s/form-lib/from-lib
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-05-08 17:03:14 -04:00
dependabot[bot]
75e7ef43cd
chore(deps): bump github.com/docker/docker ( #1280 )
2023-05-08 17:07:59 +00:00
dependabot[bot]
fce29858cb
chore(deps): bump anchore/sbom-action from 0.14.1 to 0.14.2 ( #1281 )
2023-05-08 17:07:35 +00:00
anchore-actions-token-generator[bot]
f9df952a2d
chore(deps): update Syft to v0.80.0 ( #1276 )
2023-05-07 13:57:12 -04:00
anchore-actions-token-generator[bot]
cddc8bcfcc
chore(deps): update bootstrap tools to latest versions ( #1277 )
2023-05-07 11:35:32 -04:00
James Neate
2930a18786
docs: add config flag to configuration section ( #1271 ) ( #1274 )
Signed-off-by: James Neate <jamesmneate@gmail.com>
2023-05-05 18:58:21 -04:00
dependabot[bot]
8d47fedd54
chore(deps): bump github/codeql-action from 2.3.2 to 2.3.3 ( #1272 )
2023-05-05 18:55:27 +00:00
dependabot[bot]
eb337bf45e
chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 ( #1268 )
2023-05-05 15:43:13 +00:00
anchore-actions-token-generator[bot]
01ad5a52cd
chore(deps): update bootstrap tools to latest versions ( #1270 )
2023-05-05 11:42:28 -04:00
Dan Luhring
850a4acb05
Add support for Syft IDs in JSON output ( #1266 )
* Add support for Syft IDs in output
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* go mod tidy
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* make lint-fix
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Convert map to for loop
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2023-05-05 13:47:04 +00:00
HNKNTA
9ba7a6a1ad
docs: add "cyclonedx-json" to output formats ( #1252 )
Signed-off-by: HNKNTA <hnknta@gmail.com>
2023-05-02 17:20:47 -04:00
dependabot[bot]
74a5d6d4fc
chore(deps): bump github.com/docker/docker ( #1257 )
2023-05-02 20:34:19 +00:00
dependabot[bot]
7861b63981
chore(deps): bump github/codeql-action from 2.3.1 to 2.3.2 ( #1261 )
2023-05-02 20:34:05 +00:00
dependabot[bot]
2e835eaebf
chore(deps): bump peter-evans/create-pull-request from 5.0.0 to 5.0.1 ( #1263 )
2023-05-02 20:33:51 +00:00
William Murphy
f0a09c0b9a
Install skopeo during bootstrap ( #1260 )
The "make integration" target assumes that skopeo will be available on
PATH, but this wasn't documented. Install it during bootstrap when other
utilities are installed. (See ./test/integration/utils_test.go:50).
Include a sample skopeo policy.json, otherwise skopeo will look for a
missing policy doc at /etc/containers/policy.json and exit with an error.
The sample policy document matches the one included by default with
"brew install skopeo".
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-04-28 10:10:29 -04:00
dependabot[bot]
aa52d673d0
chore(deps): bump github/codeql-action from 2.3.0 to 2.3.1 ( #1258 )
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b2c19fb9a2...8662eabe0e)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-27 12:43:05 -04:00
dependabot[bot]
ae2fe4f063
chore(deps): bump github/codeql-action from 2.2.12 to 2.3.0 ( #1256 )
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.12 to 2.3.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7df0ce3489...b2c19fb9a2)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-24 14:49:01 -04:00
Weston Steimel
2cd2998d0e
chore: update quality gate labels and add keycloak ( #1255 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-04-24 12:38:46 +01:00
Shane Dell
dfa540f727
fix: false positive for purl provider for RPM without epoch ( #1237 )
Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-21 17:12:49 +00:00