Commit graph

349 commits

Author SHA1 Message Date
Keith Zantow
04a84a4440
fix: orient by cve merging (#1046) 2023-01-04 13:41:10 -05:00
anchore-actions-token-generator[bot]
3ff1d64eab
Update Syft to v0.64.0 (#1047) 2022-12-23 16:33:08 -05:00
anchore-actions-token-generator[bot]
93499eec7e
Update Syft to v0.63.0 (#1037) 2022-12-12 19:30:04 -05:00
Alex Goodman
a869480f89
Optionally orient results by CVE (#1020)
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-12-08 15:22:40 -05:00
anchore-actions-token-generator[bot]
0a2a7b7cbb
Update Syft to v0.62.3 (#1026)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-12-07 18:30:38 -05:00
anchore-actions-token-generator[bot]
6bdb3b50c4
Update Syft to v0.62.2 (#1018)
Signed-off-by: GitHub <noreply@github.com>
2022-11-29 08:40:34 +00:00
anchore-actions-token-generator[bot]
826726d553
Update Syft to v0.62.1 (#1006) 2022-11-21 11:11:25 -05:00
Christopher Angelo Phillips
a4a62aab4b
chore: bump syft version v0.62.0 (#1000) 2022-11-18 15:03:15 -05:00
Christopher Angelo Phillips
c8ddd7e218
chore: update syft to v0.60.3 (#978) 2022-11-03 16:19:03 +00:00
anchore-actions-token-generator[bot]
b62ad702b9
Update Syft to v0.59.0 (#957) 2022-10-17 16:07:39 -04:00
anchore-actions-token-generator[bot]
7ad60ce410
Update Syft to v0.58.0 (#941)
* Update Syft to v0.58.0

Signed-off-by: GitHub <noreply@github.com>

* fix conan metadata related unit test failures

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
2022-10-05 11:26:16 +01:00
anchore-actions-token-generator[bot]
f094b860b9
Update Syft to v0.57.0 (#930)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-09-20 09:35:37 +01:00
dependabot[bot]
e63910b2c5
Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 (#927)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-19 11:46:11 -04:00
anchore-actions-token-generator[bot]
403a535321
Update Syft to v0.56.0 (#919)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-09-13 11:18:13 -04:00
Keith Zantow
ba73ab362a
Add support for scanning RPM files (#917) 2022-09-09 14:56:37 -04:00
anchore-actions-token-generator[bot]
77a8eb866d
Update Syft to v0.55.0 (#906)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-08-30 09:18:17 -04:00
anchore-actions-token-generator[bot]
08b4ef493b
Update Syft to v0.54.0 (#881)
Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2022-08-17 19:36:54 +00:00
anchore-actions-token-generator[bot]
262630e01e
Update Syft to v0.53.4 (#856) 2022-08-04 09:37:48 -04:00
Christopher Angelo Phillips
74fd591caf
update golanci-lint, goreleaser, cosign (#850) 2022-07-28 14:55:14 -04:00
Christopher Angelo Phillips
991d16879a
update grype to use syft v0.52.0 (#838) 2022-07-22 16:12:18 +00:00
Zac Medico
30943e032b
add Gentoo matching support (#813)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-07-19 09:37:21 -04:00
Christopher Angelo Phillips
cb6bddfeeb
bump syft version to v0.51.0 (#822) 2022-07-11 15:15:12 -04:00
Christopher Angelo Phillips
0e0a9d9e7a
update syft to v0.50.0 (#818) 2022-07-06 14:48:21 +00:00
Christopher Angelo Phillips
82c0146b0a
update syft => v0.49.0 (#804) 2022-06-24 18:30:36 +00:00
cpendery
bb2f8dcdb4
fix: add fixed versions to cyclonedxjson output (#763) 2022-06-21 17:50:05 -04:00
Christopher Angelo Phillips
0703bae977
update grype to latest syft patch v0.48.1 (#790) 2022-06-17 15:45:33 +00:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
Christopher Angelo Phillips
69de9e7a0a
update syft version to v0.47.0 (#781) 2022-06-09 16:03:14 -04:00
Weston Steimel
81af51302d
use anchore fork of glebarez/sqlite (#778)
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-08 09:41:15 -04:00
dependabot[bot]
07dfb28718
Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-02 09:18:53 -04:00
anchore-actions-token-generator[bot]
10c3604498
Update Syft to v0.46.3 (#761)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>
2022-05-26 10:14:28 -07:00
Alex Goodman
06d28dad9f
bump to syft v0.46.2 (#755)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-05-23 13:47:21 +00:00
Jonas Xavier
c842fb9af5
bump stereoscope version to include source path fix (#752) 2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]
5a5642cc0d
Update Syft to v0.46.1 (#751)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-05-18 14:10:39 -07:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
dependabot[bot]
d6196b6525
Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-04 16:33:28 +01:00
Dan Luhring
0df35f8d2c
address excessive warnings from multiple sources (#741) 2022-05-03 14:05:50 +00:00
Christopher Angelo Phillips
36f5150fa9
bump syft version (#738) 2022-04-29 13:39:08 -04:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on atttestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Alex Goodman
9cc1c72169
Preserve package IDs on Syft JSON SBOM decode (#731) 2022-04-18 18:22:58 +00:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to includes maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
Alex Goodman
c36e9df887
Use CGO-less sqlite GORM driver (#705) 2022-04-04 18:40:29 +00:00
Jonas Xavier
182c86d11d
Migrate LocationSet and add Dart support (#703) 2022-04-01 08:21:37 -07:00
Keith Zantow
44e676488e
Update syft to v0.42.4 (#697) 2022-03-24 14:11:17 -04:00
Keith Zantow
d8e1c37cd1
Update syft to v0.42.3 (#690) 2022-03-23 17:57:06 -04:00
Alex Goodman
9fc6fb8a32
Bump strset version to fix 386 builds (#689) 2022-03-23 18:27:11 +00:00
j-k
d40fb77c1a
Correct go.mod to enforce go 1.18 (#685)
Since grype now depends on debug/buildinfo go 1.18 is required to build
grype and as such go.mod needs updating

Signed-off-by: 06kellyjac <jack@control-plane.io>
2022-03-22 09:33:35 -04:00
Keith Zantow
f004f7dee3
Update Syft to 0.42.1 (#683) 2022-03-21 20:11:40 +00:00
Jonas Xavier
dae6411c5c
upgrade github workflows to go 1.18 (#649)
* upgrade github workflows to go 1.18

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* upgrade syft & set go1.18 for CI workflows

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add go1.17 static analysis

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix yaml comment

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-03-17 14:58:20 -07:00
Keith Zantow
60c2968953
Update Syft to v0.41.6 (#670) 2022-03-16 12:48:42 -04:00
Keith Zantow
cbdec2ae5e
Update to Syft v0.41.4 (#664) 2022-03-14 17:15:09 -04:00
Keith Zantow
bc8f8414ca
Add SARIF presenter option (#654) 2022-03-14 12:13:37 -04:00
Keith Zantow
ff424d3adc
Bump Syft for CycloneDX input (#650) 2022-03-02 10:05:01 -05:00
Alex Goodman
16cd14519a
Bump syft to release version v0.39.0 (#645)
* bump syft to v0.39.0

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update ByCriteria to log error on failure

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* integration tests now pass

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* bump to v0.39.3

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* raise search failures to warn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go.mod/sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-26 17:28:08 -05:00
Alex Goodman
f29a0d06d8
Bump syft to v0.38.0 for release (#635) 2022-02-15 19:03:55 +00:00
Alex Goodman
5aa85338d6
Normalize release assets and refactor install.sh (#630)
* refactor release to keep snapshot assets in parity with release assets

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* refactor install.sh and put under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go.sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add mac acceptance test to github actions workflow

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rm use of goreleaser in cli tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* go mod tidy with go 1.17

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-02-11 19:24:25 +00:00
Christopher Angelo Phillips
d2dba7d14a
update golang crypto to resolve CVE-2020-29652 (#631)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-11 13:37:17 -05:00
Christopher Angelo Phillips
16e6bee766
update go -> 1.17 (#628)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-02-11 10:50:13 -05:00
Alex Goodman
c9f2716389
Abstract upstream package before matching (#607)
* add metadata extraction from pURLs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract upstream packages before matching

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* put pkg.UpstreamPackages under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove pURL related processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in syft spdx decoding

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow for more flexible GHSA namespace and source extraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add matching parity integration tests for all supported formats

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to get spdx tv fix

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-02-10 21:43:12 +00:00
Jonas Xavier
42ca8c61d3
Ensure completion of UI progress bar (#627) 2022-02-10 08:03:15 -08:00
Jonas Xavier
a8c65807fc
update stereoscope version to include Podman (#612)
* update stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* test stereoscope with fix

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove mod replacement and use latest stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-02-01 14:45:11 -08:00
Sambhav Kothari
346df07df5
Add sprig templating functions for grype output (#610)
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
2022-01-28 11:27:27 -05:00
Alex Goodman
2f8682b3db
Add ability to merge matches (#602)
* enable merging of matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add ability for matches constructor to take initial matches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update tests to include IDs on package objects

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename common matcher helper package to search package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename search functions and add SearchByCriteria

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* cleanup imports

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-25 10:29:16 -05:00
Christopher Angelo Phillips
e453a06551
upgrade syft to v0.36.0 (#597)
* upgrade syft dependencies

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add basic metadata for coverage

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-20 12:47:15 -05:00
Dan Luhring
bc0f4eb9b2
Bump syft to include file source fix (#596)
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-01-18 19:29:31 +00:00
Christopher Angelo Phillips
a2e82ee8f0
Update goreleaser so Windows included in checksum (#594)
* update goreleaser so windows included in checksum

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-14 13:13:17 -05:00
Alex Goodman
6e3aa6a8d7
Add strong distro type (#585)
* add strong distro type

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* nit changes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update grype/db package to use distro pointer

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* source distro type from release name

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft to pull in distro type updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump lint timeout

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 13:47:27 -05:00
Alex Goodman
2647cd0d9e
Port grype-db to grype (#587)
* port grype-db to grype

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* migrate vulnerability provider implementation to db package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade path import validations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting issues

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-01-12 10:03:22 -05:00
Christopher Angelo Phillips
24ef03efc4
update to secure syft version (#586)
* update to secure syft version

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-11 10:33:58 -05:00
Christopher Angelo Phillips
7fbe20c223
upgrade stereoscope (#584)
* bump stereoscope to remove vulnerable containerd

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-10 15:05:52 -05:00
Christopher Angelo Phillips
64d4dbb993
update syft version for new release (#578)
* update syft

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update CatalogPackages to use new cataloger config struct

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* update integration tests

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-01-07 17:57:44 -05:00
Alex Goodman
b100315292
bump syft to v0.34.0 (#567)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-22 16:20:23 -05:00
Keith Zantow
647d6fb770
Add --exclude flag (#551) 2021-12-21 12:52:07 -05:00
Alex Goodman
4f964c4ee2
bump syft to v0.33.0 (#550)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-16 09:49:36 -05:00
Alex Goodman
81a16c4142
bump syft to v0.32.2 (#541)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-14 17:39:05 +00:00
Alex Goodman
3f23425fa5
bump syft to v0.32.1 (#535)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-14 02:03:13 +00:00
Alex Goodman
f2d02b0b09
pull in binary panic fix; closes #526 (#528)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-10 18:03:13 +00:00
Alex Goodman
e62186725b
bump syft to v0.32.0 (#524)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-08 21:52:34 +00:00
Bala Raman
8abc83f685
Adding AlmaLinux OS Support (#514)
* Adding AlmaLinux OS Support

Signed-off-by: Bala Raman <srbala@gmail.com>

* incorporate grype-db updates for ALMA linux

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-07 16:55:33 -05:00
Alex Goodman
270606ad37
bump syft to v0.31.0 (#517)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-12-03 16:56:43 +00:00
Alex Goodman
51e1b6307b
Update syft, jotframe, and validations pipeline (#512)
* update syft and jotframe

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update validations and release pipeline

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* moved terminal package to golang.org/x/term

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update integration tests to account for package relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add license exception for xz

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update Location and Coordinate references

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove benchmark tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove mac acceptance tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add syft-grype relationship notes in DEVELOPING.md

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-30 18:10:07 +00:00
Dan Luhring
70ec3bfb71
Support for private certificate authorities during DB curation (#494)
* Add injectable HTTP client to file getter

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* WIP: Map config for custom CA certs

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* update curator and add tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add TLS helper scripts

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove grype-db local mod edit

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* tidy go modules

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use ssl.context over deprecated fn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* disallow tls 1 and 1.1

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* suppress non-archive sources for fetch-to-dir capability

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure DB load failure does not panic

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-22 16:59:38 +00:00
Christopher Angelo Phillips
48c0b9b0e3
bump grype-db to latest commit (#501)
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-11-16 13:07:56 -05:00
Swathi Gangisetty
5aa2b7bcac
Support vulnerability matching for Rocky Linux (#500)
- Update grype-db dependency for the distro-feed namespace mapping
- Add test to verify the above mapping

Signed-off-by: Swathi Gangisetty <swathi@anchore.com>
2021-11-15 16:14:24 -08:00
Christopher Angelo Phillips
a2762bbbf0
Bump syft version => v0.30.1 (#498)
* update syft version with correct arguments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump integration tests with new presenter format

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update integration tests to remove php-composer failure

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-11-15 17:11:56 -05:00
Dan Luhring
3797965d8a
Resolve vulnerabilities (#486)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-11-09 10:36:33 -05:00
Alex Goodman
3d7c38c670
bump syft to v0.29.0 (#487)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-11-02 14:42:51 -04:00
Alex Goodman
9c00165306
pull in space suffix fix (#475)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-25 10:14:37 -04:00
Christopher Angelo Phillips
9cd917d29c
Add windows support (#464)
* update grype to compile windows

Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update go mod with new stereoscope

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update build comments

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* small build tags

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* add goreleaser windows

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* bump syft version

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update tests

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update test images to use newest pinned golang

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-10-22 13:46:56 -04:00
Christopher Angelo Phillips
637a061532
Add APK version constraint parsing (#455)
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-10-18 17:27:02 +00:00
Alex Goodman
b1f3be4520
Upgrade config, UI, and command package patterns (#406)
* split and upgrade config processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade UI organization

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* expose logger writter

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add (unused) event loop abstraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update aux commands to use Cobra RunE over Run

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* upgrade root command to use new event loop and signal handler

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update CLI test to account for config representation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update dependencies + fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* decompose application config parse func + add missing config struct tags

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* restore unparam lint exclusion for registry config

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-10-01 13:03:50 -04:00
Dan Luhring
e6831d9444
Update Syft to v0.24.1 (#433)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-09-28 16:55:50 -04:00
Alex Goodman
608e126dc6
pull in grype-db default language namespace namer + fix imbalanced version v prefixes (#434)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-09-28 16:55:27 -04:00
Vijay Pillai
1a7c9d1779
Bugfixes + Integration test for sbom input vs grype library comparison (#424)
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
2021-09-22 21:53:32 -04:00
Dan Palmer
83c6ee23a9
Update grype-db dependency, add some SLES tests (#413)
* Update grype-db dependency, add some SLES tests

Signed-off-by: Dan Palmer <dan.palmer@anchore.com>
2021-09-14 15:08:32 -04:00
Christopher Angelo Phillips
f3e3e832a8
bump syft to the newest 0.23.0 version - tidy mod (#414)
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than value for 0.23.0 this commit updates our 
integration tests to reflect that change
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2021-09-13 16:46:41 -04:00
Zane Burstein
434a774106
Match against Alpine source packages (#407)
* Update go-version package and add test

This is being updated due to an issue that was encountered in the lessThanEqual constraint in go-version: https://github.com/anchore/go-version/pull/2. Was disovered while adding tests for apk origin package matching

Signed-off-by: Zane Burstein <zane.burstein@anchore.com>

* Added matching with source package for apk

This change allows grype to match with a packages source package for apk. Adds APKMetadata with OriginPackage, new matching logic in apk matchers, and tests

Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
2021-09-09 07:42:11 -04:00
Keith Zantow
4e8794d610
Upgrade syft to 0.21.0 #385 (#396)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2021-08-23 15:15:42 -04:00
Alex Goodman
01a77d5c45
bump syft to v0.20.0 (#384)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-18 11:20:25 -04:00
Keith Zantow
7b044b1154
Add option to enable http registry connections #334 (#380)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2021-08-17 12:52:08 -04:00
Alex Goodman
fbc6bdfd8d
Update MSRC matching to include product ID in the suffix (#373)
* use squashed grype-db branch

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add more tests around the msrc matcher

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate the grype-db updates for msrc

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-12 08:35:30 -04:00
Alex Goodman
729aec24a6
incorporate CPE generator enhancements from syft (#375)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-08-10 09:06:40 -04:00
Alex Goodman
c7f33a8e4f
bump grype-db version to use main branch
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-07-20 12:18:29 -04:00
Dan Luhring
6647373e4d
Run go mod tidy
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-07-01 14:45:01 -04:00
Dan Luhring
f4858fee44
Add test for nil distro
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-07-01 11:50:01 -04:00
Dan Luhring
787dfd8f02
Update syft to v0.19.0 (#352)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-06-30 11:09:44 -04:00
Dan Luhring
1714806a4c
Update syft to v0.18.0 (#351)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-06-29 21:34:26 +00:00
Alex Goodman
27c3437e26
ensure RPM epoch is optional
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-06-16 09:23:46 -04:00
Alex Goodman
ed054f2038
incorporate multiple match details to accomodate more accurate reported CPE matching info
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-30 11:51:14 -04:00
Alex Goodman
402a53d14c
fix tests for v3 schema updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-27 15:25:21 -04:00
Alex Goodman
80bb416daa
bump grype-db to pull in v3 schema changes + ensure related vulns are not nil
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-27 14:17:05 -04:00
Alex Goodman
1849d7eaea
add vendor advisories and adjust fixes data shape
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-26 13:54:19 -04:00
Alex Goodman
f99da01100 add staging update-url to cli tests + add pre-release check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-26 12:30:21 -04:00
Alex Goodman
a6585f4842
add go.mod tidy CI check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-25 13:43:53 -04:00
Dan Luhring
8da410c578
Allow registry auth config without authority value (#322)
* Allow registry auth config without authority value

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Update CLI tests for new stereoscope log output

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-05-24 16:06:09 -04:00
Alex Goodman
594cfd05c9
add java virutal path to package metadata
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-24 11:23:31 -04:00
Alex Goodman
a8577eade7
add package sorting for artifacts in json document
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-05-11 16:40:27 -04:00
Alfredo Deza
6a7a0a7e01 update dependencies
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2021-05-03 14:56:00 -04:00
Alex Goodman
28f6051204
update syft to v0.15.1
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-22 17:29:01 -04:00
Alex Goodman
871722dd1e
bump syft to add manifest metadata to source for registry source
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-14 08:10:09 -04:00
Alex Goodman
31f44b7302
update syft and stereoscope to pull in registry source
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-13 16:09:27 -04:00
Dan Luhring
d4c3fa5f3b
Add tests for template presenter and consolidate data generation code
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-04-09 09:34:58 -04:00
Alex Goodman
8704dbb2bc
pull in registry credential encoding fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-05 14:27:42 -04:00
Alex Goodman
ebe1371d47
bump syft to pull in repoDigests onto image metadata (#274)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-01 21:28:53 +00:00
Alex Goodman
976e3d68eb
pull in syft v0.14.0 and further decouple presenters from syft
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-04-01 10:01:07 -04:00
Alfredo Deza
f2b815d760 bump go dependencies to use grype-db with v2 schema
This will cause grype to set its schema version requirement to 2

Signed-off-by: Alfredo Deza <adeza@anchore.com>
2021-03-30 13:52:31 -04:00
Alex Goodman
a399647afc
add docker image to release process
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-03-23 10:00:13 -04:00
Alfredo Deza
6c3cb94c03 update grype-db dependency
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2021-03-05 09:32:13 -05:00
Alex Goodman
0a9408005f
refactor constraint expression parser to allow for quoted versions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2021-02-16 09:15:17 -05:00
Dan Luhring
7ec9212c70
Update syft to v0.12.4
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2021-01-27 12:29:54 -05:00
Alex Goodman
0699e6a6ca
add package provider abstraction and update json document input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-12-14 07:55:54 -05:00
Alex Goodman
137be60f28
add grype pkg.Package adapter for syft pkg.Package and remove pkg.Catalog
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-12-14 07:55:54 -05:00
Alex Goodman
7779e71b7e
update syft from v0.9.1 to v0.9.2
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-12-03 16:57:36 -05:00
Dan Luhring
159e168867
Update syft from 0.9.0 to 0.9.1
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-12-02 18:24:07 -05:00
Dan Luhring
d78c665925
Update syft from 0.8.1 to 0.9.0
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-12-02 15:54:46 -05:00
Alex Goodman
627aa77842
remove CPE generation (rely on static CPES from syft instead)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-11-20 06:43:45 -05:00
Alex Goodman
25d6ec6c79
add SBOM JSON document input from syft
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-11-17 17:55:24 -05:00
Alex Goodman
4ed516e784
bump syft to v0.7.1 (with related fixes)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-11-12 10:02:40 -05:00
Dan Luhring
5d21595414
Update to Syft v0.5.1
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-11-05 13:11:11 -05:00
Alex Goodman
2dcb017295
update python and javascript catalogers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-10-23 11:34:18 -04:00
Alex Goodman
da614aa4ac
bump syft version (add package.json, rename bundler to ruby)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-10-19 08:02:13 -04:00
Alex Goodman
9d06b57a0e
incorporate gemspec cataloger (#177)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-10-09 11:09:42 -04:00
Dan Luhring
04f88a80c6
Bump go.mod item versions (#173)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-09-29 16:24:12 -04:00
Alex Goodman
65ab6dacdb
Support file/dir tilde expansion + APK cataloger xattr fix (#170)
* pull in upstream tilde expansion

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in apk cataloger xattr checksum fix

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-28 17:37:39 -04:00
Alex Goodman
63a6dd33df
always return a cleanup function from scope (#166)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-25 16:29:15 -04:00
Dan Luhring
f13b9a76ed
Use latest versions of anchore repos (#164)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-09-25 15:00:15 -04:00
Alex Goodman
326afa3c41
Add OCI support + use URI schemes (#160)
* add oci support + update image schemes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update to oci-dir

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump upstream stereoscope, testutils, and syft pins

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix malformed go.sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in upstream syft json presenter updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-25 14:18:03 -04:00
Alex Goodman
9f6301bbc2
Change root of JSON presenter to a mapping (instead of a sequence) (#163)
* update root of json presenter document

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* change vulnerabilities to matches in json output

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-25 14:06:28 -04:00
Alex Goodman
ed9f9bcb2b
remove duplicate rows from the summary table (#161)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-25 10:34:54 -04:00
Alfredo Deza
578afab216 update go.mod and go.sum
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-09-23 16:58:14 -04:00
Alfredo Deza
2b8dfc2d75 temporary bump of go deps for testing
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-09-21 11:17:51 -04:00
Samuel Dacanay
cb437b6721 Change kebab case to camelCase, use updated syft version
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>

Ignore packageurl-go which is a dependency from syft, and has a weird license format

Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
2020-09-21 08:12:31 -07:00
Sam Dacanay
293368e25e
Shell completion via Cobra utility (#149)
* Add completion script, ValidArgsFunction to root command to list docker images using docker go sdk, and update README

Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>

Remove support for zsh and powershell completion, as it doesnt work out of the box, and currently dont have a way to test powershell. Reported an issue with Cobra ZSH completion script generation as there are 2 bugs in it AFIACT

Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>

* add zsh with cobra master branch

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-14 09:06:29 -07:00
Alex Goodman
1338850a8e
Add fixed-in-version to the presenters (#147)
* add fix-in-version to the json and table presenters

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate grype-db fixed-in updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-09 12:55:22 -04:00
Alex Goodman
bd50ffc585
Change search key json output to a map (#146)
* change search key json output to a map

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add documentation around the match object

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-09-08 11:23:29 -04:00
Alfredo Deza
8e8ad489f9 dependencies: update to latest syft and include uuid
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-08-28 13:38:56 -04:00
Alfredo Deza
b8e9431f89 dependencies: bump to latest syft that includes setup.py support
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-08-17 17:24:43 -04:00
Dan Luhring
d3987d7e3e
Update modules (#127)
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-08-13 14:20:53 -04:00
Alex Goodman
56b9576a19
Add inline-comparison as acceptance test (#106)
* add inline-compare as acceptance tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* improve RPM matching with source indirection matching

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add comments to compare-* make targets

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* clean inline-compare image test names

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump syft version to get rpm field enhancements

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-08-10 11:03:48 -04:00
Alex Goodman
30d72dd476
fix spaces alignment on etui
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-08-07 18:19:25 -04:00
Alex Goodman
6de7e4030d
finalize the json output (no schema yet) (#102)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-08-07 13:05:58 -04:00
Alex Goodman
51479857e6
add description and cvss metadata to v1 schema (#100)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2020-08-06 13:15:22 -04:00
Alex Goodman
f3756d0dc0
change default scope to squashed (from all-layers) (#95) 2020-08-06 08:27:09 -04:00
Dan Luhring
2cd127b932
Update pkg type (#87)
* Integrate Alex's changes

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Fix test issues

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Update syft dependency references

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
2020-08-05 08:18:24 -04:00
Alex Goodman
e1f4c549d5
bump syft for docker pull + UI elements for pull status (#81) 2020-08-03 18:07:33 -04:00
Alex Goodman
11731fac40
replace zap logger with logrus (#80) 2020-08-01 11:58:10 -04:00
Alex Goodman
861883c8d4
pull in fix for bounds check progress formatting values in etui 2020-07-31 06:57:05 -04:00
Alex Goodman
6395481e73
Add ETUI (#77)
* add base syft UI elements

* add etui with shared ui elements

* allow for concurrent download DB and fetch/catalog image
2020-07-30 19:06:27 -04:00
Alfredo Deza
561f7577c1 dependencies: bump to latest syft that includes yarn support
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-07-30 09:35:53 -04:00
Alex Goodman
6ec1ce6ca6
use explicitly the v1 db schema 2020-07-27 08:49:39 -04:00
Alex Goodman
5051c6202d
simplify schema checks and update grype-db 2020-07-25 19:03:33 -04:00
Alex Goodman
4220fc60a7
Add default table presenter (#59)
* add default table presenter

* compress table output

* fix table presenter found-by to use only search key
2020-07-25 11:38:08 -04:00
Alex Goodman
695cc0f640
support version constraint || operator conjunctions (#66) 2020-07-24 14:20:26 -04:00
Alex Goodman
03005af2f2
rename grype-db 2020-07-24 06:59:14 -04:00
Alex Goodman
6340b2da3a
add release pipeline & replace imgbom with syft (#60) 2020-07-23 21:26:03 -04:00
Alfredo Deza
8b17a43c28 dependencies: bump to latest imgbom
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-07-23 13:30:12 -04:00
Alfredo Deza
6f06334b01 dependencies: bump to latest imgbom
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-07-22 08:26:54 -04:00
Alex Goodman
bc3f298d64
use sqlite reader (remove a cgo dependency) (#57) 2020-07-21 13:41:48 -04:00
Alex Goodman
c8bca755ff
Add integration tests (#54)
* add integration tests + add matcher types

* tweak db auto update var; rm dead cache cmd

* Update cmd/root.go

Co-authored-by: Alfredo Deza <adeza@anchore.com>

Co-authored-by: Alfredo Deza <adeza@anchore.com>
2020-07-21 12:34:39 -04:00
Alfredo Deza
a9172fcd98 dependencies: update with latest imgbom
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-07-17 13:58:07 -04:00
Alex Goodman
bbff869499
Add matching by CPE (#40)
* Commit just to share progress, needs to be squashed/fixed-up once working.

Signed-off-by: Zach Hill <zach@anchore.com>

* minor fixes

* add cpe obj

* add cpe matching

* report cpe in search key

* add verbose logging for matches; bump vulnscan-db ver

* add dev profiler option; tweak logging

* test support for CPE URI bindings

addresses https://github.com/anchore/vulnscan/pull/40#discussion_r455389937

* rename nvdv2 to nvd

* reduce scope of cpe matching to non-distro packages

* normalize nil constraint strings

Co-authored-by: Zach Hill <zach@anchore.com>
2020-07-16 15:12:19 -04:00
Alex Goodman
afb8597aa2
split vulnerability into index & metadata (#51) 2020-07-16 14:59:35 -04:00
Alex Goodman
12aeee3b92
add java matcher (#44) 2020-07-15 07:17:21 -04:00
Alex Goodman
2fa38cab3d
migrate to using siren-db lib (#48) 2020-07-14 10:21:20 -04:00
Alex Goodman
765d5dfb5b
add rpm version + constraint, rpmdb matching; refactor dpkg constraint 2020-07-07 09:22:14 -04:00
Alex Goodman
a004668056
add db archive import 2020-06-29 10:10:02 -04:00
Alex Goodman
92cf98ab12
sync vulnscan db changes 2020-06-28 07:22:27 -04:00
Alex Goodman
ce707a6f1a
fix testutils dependency 2020-06-22 14:42:14 -04:00
Alex Goodman
9c70953dfb
add curation of db file 2020-06-19 10:57:06 -04:00
Alfredo Deza
b484b85890 update dependencies
Signed-off-by: Alfredo Deza <adeza@anchore.com>
2020-06-18 10:12:41 -04:00
Alex Goodman
7593c31028
add python matcher 2020-06-05 10:00:14 -04:00
Alex Goodman
1ca035363a
add gem matcher 2020-06-04 15:40:40 -04:00
Alex Goodman
d9c922218c
add store provider tests 2020-06-02 20:54:19 -04:00
Alex Goodman
88eecbd2de
add indirect dpkg source matching 2020-06-02 17:22:57 -04:00
Alex Goodman
75ceb1af2d
pin to imgbom@master 2020-06-01 10:50:34 -04:00
Alex Goodman
aacc624033
add FindVulnerability lib function, wire up main with matcher 2020-06-01 07:21:07 -04:00
Alex Goodman
e8e8f416d0
add version & version constraint support 2020-06-01 07:13:53 -04:00
Alex Goodman
02556fdd9c
add basic matching execution flow 2020-05-28 18:28:29 -04:00
Alex Goodman
3c6ae01619
initial project structure 2020-05-26 10:41:23 -04:00