Commit graph

201 commits

Author SHA1 Message Date
dependabot[bot]
9fb219495a
chore(deps): bump github.com/anchore/syft from 1.11.1 to 1.12.2 (#2108)
* chore(deps): bump github.com/anchore/syft from 1.11.1 to 1.12.2

Bumps [github.com/anchore/syft](https://github.com/anchore/syft) from 1.11.1 to 1.12.2.
- [Release notes](https://github.com/anchore/syft/releases)
- [Changelog](https://github.com/anchore/syft/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/anchore/syft/compare/v1.11.1...v1.12.2)

---
updated-dependencies:
- dependency-name: github.com/anchore/syft
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* pin modernc/sqlite back due to build failure

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* account for new ocaml package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update comment

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-11 16:57:20 +00:00
anchore-actions-token-generator[bot]
f9d8ac16ad
test: update quality gate db to latest version (#2094)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-03 12:23:56 -04:00
Weston Steimel
b65822607e
chore: bump quality gate vuln match labels data (#2069)
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-08-20 14:00:25 -04:00
Lucas Rodriguez
e7a3c011bc
fix: do not panic when given empty string arg (#2064)
Signed-off-by: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
2024-08-19 12:58:39 -04:00
Keith Zantow
b12a6f2dc9
chore: remove quality gate Makefile db age check (#2036)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-08-12 11:59:53 -04:00
Keith Zantow
4dfd9d76d1
feat: update to Syft 1.11.0 (#2047) 2024-08-09 14:32:05 -04:00
anchore-actions-token-generator[bot]
8642eba1b0
test: update quality gate db to latest version (#2034)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: willmurphyscode <12529630+willmurphyscode@users.noreply.github.com>
2024-08-06 07:48:26 -04:00
anchore-actions-token-generator[bot]
486f9f11b1
test: update quality gate db to latest version (#2026)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-08-01 12:39:14 -04:00
anchore-actions-token-generator[bot]
406d196726
chore(deps): update Syft to v1.10.0 (#2019) 2024-07-30 13:18:54 -04:00
anchore-actions-token-generator[bot]
5d9415df9e
test: update quality gate db to latest version (#1972)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-07-02 07:41:09 -07:00
Christopher Angelo Phillips
84cbf10b9c
chore: add workflow to update quality test db (#1961)
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-06-25 10:38:37 -04:00
Christopher Angelo Phillips
5e454d8240
chore: update test_db_url; remove white space (#1960)
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-06-24 16:54:26 +00:00
Shubham Hibare
17b104771a
feat(signature): Checksum signature verification (#1670)
* feat(signature): Checksum signature verification

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Update message

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address comments

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* consider -v flag across supported releases

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for install.sh signature verification

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* check that release is run from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* summarize install.sh flags and recommendations

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove regex use on cosign verify-blob

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* simplify the compare_semver install function

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add more tests to compare_semver

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit copy change for install help

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep original compare_semver implementation

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update copy to include default install path

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
2024-06-06 21:23:04 +00:00
Alex Goodman
e5b341b87a
add skopeo to managed utilities (#1915)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-06-06 18:58:34 +00:00
Alex Goodman
621eeddcce
Update syft to 1.4.2-0.20240528141306-ac34808b9c55 (#1895)
* update to latest syft

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix tests related to syft bump

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-28 15:06:16 +00:00
Christopher Angelo Phillips
8c044b0d08
fix: update grype version to support darwin arm64 (#1830)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-25 18:34:48 +00:00
Zach Hill
a7cbe3a26c
fix: adds ignore rules for kernel-headers indirect matches (#1787)
* fix: adds ignore rules for kernel-headers indirect matches

Adds ignoring of kernel-headers indirect matches on kernel vulns
since the kernel-headers package does not have the kernel code in it
that kernel vulns are actually referring to.

Adds a config value to control this ignore behavior that defaults to
enabling the ignore rules.

Fixes: 1762

* Adds ignore rule support for match types and upstream package names.
* Adds default ignore rules for kernel-headers indirect matches on kernel
for rpms.

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: add match-upstream-kernel-headers config to README.md

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: update match labels

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Zach Hill <zach@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-04-15 13:29:19 -07:00
Christopher Angelo Phillips
57af1c34cb
chore: update syft to latest v1.1.1 (#1784)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-04 11:52:02 -04:00
Keith Zantow
77e00feb42
chore: update syft source providers (#1727) 2024-02-27 20:47:51 -05:00
Keith Zantow
f664c59997
chore(test): update quality test grype db (#1726) 2024-02-23 10:01:42 -05:00
anchore-actions-token-generator[bot]
b9cf0e5cf8
chore(deps): update Syft to v0.105.0 (#1714)
* chore(deps): update Syft to v0.105.0

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* fix tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-02-14 22:09:50 +00:00
Weston Steimel
63a5788cb2
test(quality): bump label dataset and images (#1712)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2024-02-13 13:38:04 -05:00
Keith Zantow
ba0cc19a1e
fix: ensure version output to stdout (#1709) 2024-02-09 21:05:52 +00:00
William Murphy
396cc0aea7
Bump Syft in Grype to pull in unmarshaling fix (#1703)
* WIP: package builds but tests do not

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* WIP: some unit tests compile

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* WIP: unit tests compile but do not pass

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* Units passing with some changes to syft

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* fix: excludes plus bad sbom should not suppress error

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* add conan entry v2 package test

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* bump syft again

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: fix compiler error in integration tests

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: remove erlang OTP from package types that must be seen in test image

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* bump syft version used

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-02-07 14:28:48 -05:00
Alex Goodman
3e0aa00242
Fix matching when RPM modularity is a factor (#1679)
* allow for RPM modularity to be optional

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use latest syft from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump syft

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove lint ignores for CPEs

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update snapshot tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix: treat oraclelinux default appstream rpm modularity as missing for now

For oraclelinux, the default stream of an installed appstream package does not currently set
the MODULARITYLABEL property in the rpm metadata; however, in their advisory data they do specify
modularity information, so this ends up in a case where the vuln entries have modularity but the
packages coming from the sbom won't, so for now we need to treat the constraint as satisfied when the
modularity label from an oraclelinux package is "".

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* test: add new appstream images to quality gate and bump labels

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: bump quality gate labels

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
2024-01-26 09:18:11 -05:00
William Murphy
73cb5f6647
chore: break assumption that syft cpe.CPE is wfn.Attributes (#1675)
* chore: break assumption that syft cpe.CPE is wfn.Attributes

Previously, Syft's cpe.CPE type was an alias for wfn.Attributes. Fix a
couple places where Grype's compilation depended on that fact, since it
will stop being true in the next Syft release.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: fix linter

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-01-25 14:24:01 +00:00
Alex Goodman
4569a5ffa6
upgrade syft with latest SBOM creation API (#1662)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-01-17 12:33:09 -05:00
Dan Luhring
474030cc62
fix: distro FP data not applied correctly (#1603)
* fix: distro FP data not applied correctly

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* fix: apply FP data to apk subpackages

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-01-04 13:12:18 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests (#1623)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset (#1606)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
Alex Goodman
21958a43b5
Incorporate format API changes from syft (#1582)
* incorporate changes from anchore/syft#2228

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix testing utils to use syft SBOM

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-02 15:25:48 -04:00
Mateusz Urbanek
0d870faea6
feat(config): added reason field (#1532)
* feat(config): added reason field

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>

* add CLI test for ignore reason field

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-30 15:31:42 -04:00
Christopher Angelo Phillips
401d67cd96
feat: add custom maven comparator (#1571)
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-27 14:24:56 -04:00
Alex Goodman
156c081d3e
Incorporate Syft java detection improvements (#1555)
* incorporate anchore/syft#2220

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* incorporate .net core improvements

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:34:36 -04:00
James Hebden
30f05c3759
Add --ignore-states flag for ignoring findings with specific fix states (#1473)
* Add --ignore-states flag for ignoring findings with by fix state

Signed-off-by: James Hebden <jhebden@gitlab.com>

* ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated

Signed-off-by: James Hebden <jhebden@gitlab.com>

* Add CLI tests for new --ignore-states flag

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: James Hebden <jhebden@gitlab.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-17 14:07:34 -04:00
Weston Steimel
25762b7e3b
feat: disable CPE-based matching for GHSA ecosystems by default (#1412)
* feat: disable CPE-based matching for GHSA ecosystems by default

Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories.  Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: use --by-cve with quality gate comparison

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* chore: add rust auditable binary match integration test

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-10-12 09:07:33 -04:00
anchore-actions-token-generator[bot]
7e5df38029
chore(deps): update Syft to v0.93.0 (#1550)
* chore(deps): update Syft to v0.93.0

Signed-off-by: GitHub <noreply@github.com>

* fix test to account for go pkg stdlib

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-10-10 18:26:34 +00:00
Keith Zantow
8ebf2955e8
fix: empty descriptor name and version (#1542)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-10-06 10:43:11 -04:00
Alex Goodman
13ed926f78
bump labels to latest (#1525)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-27 14:47:45 +00:00
William Murphy
d94c384a97
fix: correctly guess tool comparison (#1516)
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-25 09:29:24 -04:00
William Murphy
2f405f0680
fix: use PEP440 for Python package version comparison (#1510)
Previously, grype used fuzzy matcher for Python packages, since
there are cases in PEP440 that are not strictly semver. Switch to a
library that does PEP440 parsing and comparison for python version 
constraints.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-09-22 13:32:48 -04:00
Alex Goodman
18241e8986
Upgrade syft to v0.91.0 (#1508)
* bump syft to main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update cyclonedx schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* allow for pkg type exceptions for github actions and workflows

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update cyclonedx json schema from v1.4 to v1.5

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump to syft v0.91.0

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade go-setup action to v4

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove asset upload from release workflow

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-20 16:39:23 -04:00
Christopher Angelo Phillips
9c0140d6b1
chore: pin actions; pin images; add top level action permissions (#1493)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-15 14:29:37 -04:00
Puerco
b952d3808c
Ignore/add match results based on OpenVEX documents (#1397)
* go.mod: Pull OpenVEX go modules

This commit pulls the OpenVEX libraries into the grype source.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add generic VEX processor package

This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.

The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Add OpenVEX processor implementation

This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Table presenter: Highligt results suppressed by VEX

This commit marks results suppressed by VEX when presenting them
to the user.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Define  VEX status constants

This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add VexStatus to ignore rules

This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add IgnoreRule HasConditions method

Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Control VEX filtering through IgnoreRules

This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Allow rules to match on VEX justification

This commit expands the ingore rules to also work on vex the
justification of not_affected statements.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Use go-vex merge implementation

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add OpenVEX matcher to matcher list

This commit adds a new entry to the matchers: An openvex matcher

This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add vex.AugmentMatches() to the vex processor

This commit adds a new AugmentMatches() phase to the VEX processor.

This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.

The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Parse context identifiers using GGC

This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Bump funlen linter to 73

This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>

* Add VEX testing to matchers test

This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* add vex status and justification to ignored rule json model

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit rename + add TODO question about augmenting ignored matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit document comment updates + common variable extraction

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate legacy matcher function to vulnerability matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tui to respond to ignored and dropped matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate vex processing to vulnerability match object

Based on Alex's previous caommit

Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Migrate VEX options and app config from legacy CLI

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* update table snapshot tests with suppressed vex entries

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for match.Matches.Diff()

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for vex processor

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting and restore global funlen rule

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove grpc pin

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* always return remaining and ignroed matches from matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Add VEX documentation to main README

This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 15:26:12 -04:00
Keith Zantow
02d513e8e8
chore: update CLI to CLIO (#1437)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-09-11 15:10:06 -04:00
Weston Steimel
d6657e2498
chore: bump quality gate to use syft v0.89.0 (#1479)
Signed-off-by: Weston Steimel <weston.steimel@proton.me>
2023-09-06 17:51:51 +00:00
5p2O5pe25ouT
bf84e2fa7f
Add registry certificate verification support (#1232)
* add registry certificate verification support

* modify go.mod

* rename registry cert options, add docs, and add test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update to account for changes in anchore/stereoscope#195

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix cli tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-29 15:51:27 +00:00
Alex Goodman
21250d258a
chore: pin the vulnerability DB used in quality gate testing (#1470)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-28 15:46:59 -04:00
Alex Goodman
0fd0c56d9a
bump vml labels (#1462)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 18:27:54 +00:00
William Murphy
7ff37a0310
feat: filter out packages owned by OS packages (#1387)
For example, if the rpm "python3-rpm" is installed, it brings a python
package called "rpm" with it, which is just python bindings to RPM. But
this python package is part of "python3-rpm", and should not be matched
against directly. Only apply this deduplication strategy on distros with 
a comprehensive enough vulnerability feed that we don't expect false 
negatives from it.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-08-18 15:43:42 -04:00