* initial v4 schema setup
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v3 => v4 for unit tests
-- did NOT update
- grype/db/v3/*
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* use nullable string in sqlite so null values get represented correctly
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add missing unit test case for dotnet
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Add db writer function for calling sqlite vacuum
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* adding normalization of package names at database adapter layer
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* refactor namespaces for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v4 stuff to use sqlite fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Namespace should satisfy Stringer interface
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* normalize CPEs before comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* vulnerability exclusion => vulnerability match exclusion
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updates to vulnerability match exclusion models
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add initial vulnerability match exclusion store unit tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* make vuln match exclusion constraints nullable
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* move vuln match namespace into constraints object and refactor
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* check db match constraints to ensure there aren't any unknown fields and add json hints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure we only keep compatible match exclusion constraints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use omitempty on all match exclusion structs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db v4 schema resolver and namespace types
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Vacuum to Close
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* lint fixes + remove panic on vuln provider creation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* WIP match exclusions
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* build list of ignore rules from v4 db records
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* quick attempt at a new uber object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* just pass around the full object for now to quickly get to a usable state
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no vuln db loaded
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use interfaces for db.store function signatures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Flatten the match exclusion constraint model to simplify logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updating some tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no db update possible
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* more tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* WIP fixing match exclusion constraint usability and json mapping logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add v4 db diff logic (excluding vulnerability_match_exclusion data for now)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* lint fix
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update integration tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* nvd -> nvd:cpe namespace updates
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure test store uses v4 normalized names
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* set the grype db update url to staging for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* prevent more segfaults on database open
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add continue when unable to load ignore rules
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db.Status from the Store object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix compare_sbom_input_vs_lib_test.go
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove staging endpoint now that v4 is published
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* ignore gemfile rich version during comparison
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* update search and version tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix int tests and lint error
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nit on error message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* split based on arch in gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* reuse semVer constraint
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more constraint test cases
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add lower case version check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* validate that ruby versions work with semver and gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* rename gem version format const
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add metadata extraction from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract upstream packages before matching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put pkg.UpstreamPackages under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove pURL related processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in syft spdx decoding
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for more flexible GHSA namespace and source extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add matching parity integration tests for all supported formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to get spdx tv fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable merging of matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ability for matches constructor to take initial matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to include IDs on package objects
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename common matcher helper package to search package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename search functions and add SearchByCriteria
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cleanup imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add strong distro type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update grype/db package to use distro pointer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* source distro type from release name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to pull in distro type updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump lint timeout
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port grype-db to grype
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate vulnerability provider implementation to db package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade path import validations
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting issues
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update syft
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update CatalogPackages to use new cataloger config struct
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update integration tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* update syft and jotframe
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update validations and release pipeline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* moved terminal package to golang.org/x/term
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update integration tests to account for package relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add license exception for xz
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update Location and Coordinate references
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove benchmark tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove mac acceptance tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syft-grype relationship notes in DEVELOPING.md
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update syft version with correct arguments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump integration tests with new presenter format
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration tests to remove php-composer failure
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update grype to compile windows
Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update go mod with new stereoscope
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update build comments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* small build tags
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add goreleaser windows
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump syft version
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update tests
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test images to use newest pinned golang
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than a value for 0.23.0. This commit updates our
integration tests to reflect that change.
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>