dependabot[bot]
4c4dfd59f5
chore(deps): bump actions/cache from 3.3.3 to 4.0.0 ( #1661 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.3.3 to 4.0.0.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](e12d46a63a...13aacd865c
2024-01-17 11:40:51 -05:00
plavy
07656abef0
chore(tests): fix logging configuration in tests ( #1655 )
...
Signed-off-by: plavy <tinplavec@gmail.com>
2024-01-16 10:17:17 -05:00
dependabot[bot]
a9f72385f6
chore(deps): bump actions/cache from 3.3.2 to 3.3.3 ( #1656 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.3.2 to 3.3.3.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](704facf57e...e12d46a63a
2024-01-16 09:03:57 -05:00
dependabot[bot]
e296f5fe54
chore(deps): bump actions/upload-artifact from 4.0.0 to 4.1.0 ( #1659 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](c7d193f32e...1eb3cb2b3e
2024-01-16 09:02:36 -05:00
dependabot[bot]
0a7a15746a
chore(deps): bump github.com/cloudflare/circl from 1.3.3 to 1.3.7 ( #1651 )
...
Bumps [github.com/cloudflare/circl](https://github.com/cloudflare/circl ) from 1.3.3 to 1.3.7.
- [Release notes](https://github.com/cloudflare/circl/releases )
- [Commits](https://github.com/cloudflare/circl/compare/v1.3.3...v1.3.7 )
---
updated-dependencies:
- dependency-name: github.com/cloudflare/circl
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-09 16:20:55 -05:00
dependabot[bot]
d8c89e8515
chore(deps): bump anchore/sbom-action from 0.15.2 to 0.15.3 ( #1650 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.2 to 0.15.3.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](719133684c...c7f031d924
2024-01-08 11:03:58 -05:00
anchore-actions-token-generator[bot]
a808408584
chore(deps): update Syft to v0.100.0 ( #1649 )
...
* chore(deps): update Syft to v0.100.0
Signed-off-by: GitHub <noreply@github.com>
* apply CLI options over default cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-01-06 02:27:59 +00:00
Dan Luhring
474030cc62
fix: distro FP data not applied correctly ( #1603 )
...
* fix: distro FP data not applied correctly
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* fix: apply FP data to apk subpackages
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-01-04 13:12:18 -05:00
dependabot[bot]
33b15735a7
chore(deps): bump anchore/sbom-action from 0.15.1 to 0.15.2 ( #1647 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](5ecf649a41...719133684c
2024-01-03 05:06:05 -05:00
anchore-actions-token-generator[bot]
c6fbffe4cd
chore(deps): update bootstrap tools to latest versions ( #1644 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2024-01-02 09:22:39 -05:00
plavy
89610e1e07
docs: fix logging configuration in README ( #1646 )
...
Signed-off-by: plavy <tinplavec@gmail.com>
2023-12-29 01:53:32 +00:00
dependabot[bot]
55ef6b6108
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 ( #1633 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-12-21 12:02:53 -05:00
dependabot[bot]
634cdf3647
chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 ( #1641 )
2023-12-20 16:30:16 +00:00
dependabot[bot]
010b2583b0
chore(deps): bump github.com/containerd/containerd from 1.7.8 to 1.7.11 ( #1642 )
2023-12-20 16:27:47 +00:00
dependabot[bot]
a88a00a515
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 ( #1638 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 3.1.3 to 4.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](a8a3f3ad30...c7d193f32e
2023-12-18 06:57:52 -05:00
dependabot[bot]
556c8c0dc2
chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 ( #1632 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](1fc5bd396d...9614fae9e5
2023-12-15 10:29:02 -05:00
dependabot[bot]
7b334451b9
chore(deps): bump github.com/charmbracelet/bubbletea ( #1635 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 0.24.2 to 0.25.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.24.2...v0.25.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 17:50:11 -05:00
dependabot[bot]
4ec7a03abd
chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 ( #1636 )
...
Bumps [github.com/google/uuid](https://github.com/google/uuid ) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases )
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md )
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0 )
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 11:44:27 -05:00
dependabot[bot]
a820759495
chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 ( #1630 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](93397bea11...0c52d547c9
2023-12-11 06:40:01 -05:00
dependabot[bot]
c6719ccd02
chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 ( #1626 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.0 to 0.15.1.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](fd74a6fb98...5ecf649a41
2023-12-05 09:49:09 -05:00
Christopher Angelo Phillips
11b9e9616c
chore: pin action to correct sha ( #1598 )
...
* chore: pin action to correct sha
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: add version for dependabot
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-12-01 10:43:56 -05:00
dependabot[bot]
2e9eff8f74
chore(deps): bump github.com/google/go-containerregistry ( #1625 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.16.1...v0.17.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-30 12:08:31 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests ( #1623 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Christopher Angelo Phillips
06b9f1c907
chore: update syft; go mod tidy ( #1621 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-29 15:04:17 -05:00
dependabot[bot]
6a1aa587af
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 ( #1618 )
...
Bumps [github.com/spf13/afero](https://github.com/spf13/afero ) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/spf13/afero/releases )
- [Commits](https://github.com/spf13/afero/compare/v1.10.0...v1.11.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/afero
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 11:06:18 -05:00
William Murphy
e887501628
chore: explicitly test maven suffixes ( #1617 )
...
Some older Maven releases include a suffix like .RELEASE on the version
number. Grype's behavior with regard to these versions has been
suggested as a source of false positives. Pin the behavior with tests to
make it easier to reason about how Grype will compare maven versions and
to guard against this behavior accidentally changing.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-27 09:33:56 -05:00
dependabot[bot]
e4242b9246
chore(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 ( #1611 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.14.3 to 0.15.0.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](78fc58e266...fd74a6fb98
2023-11-21 13:47:08 -05:00
anchore-actions-token-generator[bot]
dbe2a9515a
chore(deps): update Syft to v0.97.1 ( #1610 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-17 21:27:07 +00:00
anchore-actions-token-generator[bot]
78f57a3c69
chore(deps): update Syft to v0.97.0 ( #1608 )
...
* chore(deps): update Syft to v0.97.0
Signed-off-by: GitHub <noreply@github.com>
* fix syft api usage
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-16 19:20:28 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset ( #1606 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
William Murphy
273fe0ef16
fix: golang version parsing ( #1599 )
...
Add a golang version parser, which is a very thin wrapper
around a semantic vesion, but knows to trim "go" before attempting
to parse as a semantic version.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-15 17:25:32 -05:00
anchore-actions-token-generator[bot]
83e5176127
chore(deps): update bootstrap tools to latest versions ( #1595 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-09 08:08:22 -08:00
dependabot[bot]
830da2ff2c
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 ( #1597 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.4.11 to 0.4.12.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.11...v0.4.12 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 07:52:24 -08:00
anchore-actions-token-generator[bot]
e44ec4d4bc
chore(deps): update Syft to v0.96.0 ( #1596 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
2023-11-09 14:30:10 +00:00
William Murphy
1afcf1f185
fix: match against debian unstable ( #1593 )
...
This is done by special casing "sid" in the pretty name of
a Linux distro to point to the grype-db debian unstable namespace.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-08 15:17:01 -05:00
Eng Zer Jun
3c255e3c10
perf: avoid allocations with (*regexp.Regexp).MatchString ( #1592 )
...
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-11-08 09:32:01 -08:00
dependabot[bot]
5d8cfd56c7
chore(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 ( #1590 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](11086d2504...1fc5bd396d
2023-11-08 06:18:38 +00:00
anchore-actions-token-generator[bot]
1543248822
chore(deps): update Syft to v0.95.0 ( #1591 )
2023-11-07 15:42:43 -05:00
Alex Goodman
4b06a160e1
chore: account for syft package metadata changes ( #1423 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-11-07 15:17:36 -05:00
William Murphy
7984e0a84f
fix: bump fangs to enable setting golang CPE config using env var ( #1585 )
...
* fix: bump fangs
Bump fangs to pull in https://github.com/anchore/fangs/pull/27 , which
fixes an issue where env vars couldn't be used to set fields on embedded
structs in the config struct.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: bump fangs to pull in panic fix
The previous fangs fix panicked when summarizing configs with embedded
structs. Bump fangs to pull in https://github.com/anchore/fangs/pull/29
which fixes this panic.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* commit mod tidy
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Pull in dependency bumps from main to resolve conflicts
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-07 10:59:13 -05:00
anchore-actions-token-generator[bot]
92920ffde0
chore(deps): update bootstrap tools to latest versions ( #1588 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-07 06:44:58 -08:00
dependabot[bot]
2ef5d23844
chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 ( #1586 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-06 21:55:53 -05:00
Christopher Angelo Phillips
b90c881ab4
chore: bootstrap action cleanup ( #1587 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-06 21:55:37 -05:00
anchore-actions-token-generator[bot]
5ca34efef8
chore(deps): update bootstrap tools to latest versions ( #1584 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-06 13:16:22 -05:00
Alex Goodman
21958a43b5
Incorporate format API changes from syft ( #1582 )
...
* incorporate changes from anchore/syft#2228
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix testing utils to use syft SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-02 15:25:48 -04:00
dependabot[bot]
3712c1c5c7
chore(deps): bump github.com/docker/docker ( #1579 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 24.0.6+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v24.0.6...v24.0.7 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-31 13:48:52 -04:00
Mateusz Urbanek
0d870faea6
feat(config): added reason field ( #1532 )
...
* feat(config): added reason field
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
* add CLI test for ignore reason field
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-30 15:31:42 -04:00
dependabot[bot]
fc7713b763
chore(deps): bump github.com/glebarez/sqlite from 1.9.0 to 1.10.0 ( #1583 )
...
Bumps [github.com/glebarez/sqlite](https://github.com/glebarez/sqlite ) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/glebarez/sqlite/releases )
- [Commits](https://github.com/glebarez/sqlite/compare/v1.9.0...v1.10.0 )
---
updated-dependencies:
- dependency-name: github.com/glebarez/sqlite
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 13:39:54 -04:00
Shane Dell
81edd50e1e
Colorize severity in table output ( #1284 )
...
* Colorize severity in table output
- Create flag "--no-color" to allow disabling the color. By default its enabled.
- When "--no-color" not specified highlight severity in its color:
- Critical -> Bold Red
- High -> Red
- Medium -> Yellow
- Low -> Green
- Negligible -> Blue
- Note: Golang doesn't have all colors available. Also, doesn't seem to be able use hex codes properly.
- Add termenv to check if the terminal color profile supports colored output. If it doesn't default to noColor
Closes #225
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* fix: adopt EnvColorProfile to support NO_COLOR
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix linting and update snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-30 13:57:46 +00:00
Christopher Angelo Phillips
401d67cd96
feat: add custom maven comparator ( #1571 )
...
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-27 14:24:56 -04:00
