grype

mirror of https://github.com/anchore/grype synced 2024-11-10 06:34:13 +00:00

Author	SHA1	Message	Date
Christopher Angelo Phillips	c8ddd7e218	chore: update syft to v0.60.3 (#978 )	2022-11-03 16:19:03 +00:00
Weston Steimel	4cda526992	implement v5 db schema to support improved matching between rpm appstream modules (#944 ) Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5. Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-10-18 00:34:47 +01:00
anchore-actions-token-generator[bot]	b62ad702b9	Update Syft to v0.59.0 (#957 )	2022-10-17 16:07:39 -04:00
anchore-actions-token-generator[bot]	7ad60ce410	Update Syft to v0.58.0 (#941 ) * Update Syft to v0.58.0 Signed-off-by: GitHub <noreply@github.com> * fix conan metadata related unit test failures Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com>	2022-10-05 11:26:16 +01:00
anchore-actions-token-generator[bot]	f094b860b9	Update Syft to v0.57.0 (#930 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-09-20 09:35:37 +01:00
dependabot[bot]	e63910b2c5	Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 (#927 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-09-19 11:46:11 -04:00
anchore-actions-token-generator[bot]	403a535321	Update Syft to v0.56.0 (#919 ) Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-09-13 11:18:13 -04:00
Keith Zantow	ba73ab362a	Add support for scanning RPM files (#917 )	2022-09-09 14:56:37 -04:00
anchore-actions-token-generator[bot]	77a8eb866d	Update Syft to v0.55.0 (#906 ) Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-08-30 09:18:17 -04:00
anchore-actions-token-generator[bot]	08b4ef493b	Update Syft to v0.54.0 (#881 ) Signed-off-by: GitHub <noreply@github.com> Signed-off-by: GitHub <noreply@github.com> Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>	2022-08-17 19:36:54 +00:00
anchore-actions-token-generator[bot]	262630e01e	Update Syft to v0.53.4 (#856 )	2022-08-04 09:37:48 -04:00
Christopher Angelo Phillips	74fd591caf	update golanci-lint, goreleaser, cosign (#850 )	2022-07-28 14:55:14 -04:00
Christopher Angelo Phillips	991d16879a	update grype to use syft v0.52.0 (#838 )	2022-07-22 16:12:18 +00:00
Zac Medico	30943e032b	add Gentoo matching support (#813 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-07-19 09:37:21 -04:00
Christopher Angelo Phillips	cb6bddfeeb	bump syft version to v0.51.0 (#822 )	2022-07-11 15:15:12 -04:00
Christopher Angelo Phillips	0e0a9d9e7a	update syft to v0.50.0 (#818 )	2022-07-06 14:48:21 +00:00
Christopher Angelo Phillips	82c0146b0a	update syft => v0.49.0 (#804 )	2022-06-24 18:30:36 +00:00
cpendery	bb2f8dcdb4	fix: add fixed versions to cyclonedxjson output (#763 )	2022-06-21 17:50:05 -04:00
Christopher Angelo Phillips	0703bae977	update grype to latest syft patch v0.48.1 (#790 )	2022-06-17 15:45:33 +00:00
Jonas Xavier	d6fa674edc	add db staleness check (#785 ) * add db staleness check Signed-off-by: Jonas Xavier <jonasx@anchore.com> * less config fields Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix import order Signed-off-by: Jonas Xavier <jonasx@anchore.com> * warn even when set to not error on staleness Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * lint fix Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent log message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent new version message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * human friendly time durations Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix typo Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * cleaner tests and default db value Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-15 12:48:10 -04:00
Christopher Angelo Phillips	69de9e7a0a	update syft version to v0.47.0 (#781 )	2022-06-09 16:03:14 -04:00
Weston Steimel	81af51302d	use anchore fork of glebarez/sqlite (#778 ) This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by just using modernc.org/sqlite directly within our fork Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-06-08 09:41:15 -04:00
dependabot[bot]	07dfb28718	Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-02 09:18:53 -04:00
anchore-actions-token-generator[bot]	10c3604498	Update Syft to v0.46.3 (#761 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>	2022-05-26 10:14:28 -07:00
Alex Goodman	06d28dad9f	bump to syft v0.46.2 (#755 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-23 13:47:21 +00:00
Jonas Xavier	c842fb9af5	bump stereoscope version to include source path fix (#752 )	2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]	5a5642cc0d	Update Syft to v0.46.1 (#751 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-05-18 14:10:39 -07:00
Christian Kotzbauer	731abaab72	Add syft v0.46.0 Dotnet support (#747 )	2022-05-13 12:46:31 -04:00
dependabot[bot]	d6196b6525	Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742 ) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml) - [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-getter dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-05-04 16:33:28 +01:00
Dan Luhring	0df35f8d2c	address excessive warnings from multiple sources (#741 )	2022-05-03 14:05:50 +00:00
Christopher Angelo Phillips	36f5150fa9	bump syft version (#738 )	2022-04-29 13:39:08 -04:00
Sambhav Kothari	9f70cdbf24	add initial support for embedded CycloneDX VEX documents (#678 )	2022-04-28 12:49:12 -04:00
Jonas Xavier	523f5ce9c0	Consume attestation files (#706 ) * add key flag to attest validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp: verify sig and extract sbom Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip read attestation without scheme Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp consuming attestations - needs unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove prototype file Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * drop local syft from go.mod Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix order of sbom parsing strategies Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle implicit attestation input Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add test for invalid attestation key Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * rebase and go-mod-tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * consume attestation via stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * attestation test for stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate input and content for attestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add stdin test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix config tags Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add int test to ignore attestation validation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix cycloneDX attestation fixture Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered att test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered predicate type test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * improve docs/help on atttestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * upgrade to latest syft Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fall through when guessing between sbom and att Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix butter finger rebase Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * drop default key value Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * assert error messages Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better test/cli coverage Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix stdin decode test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix goimports Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * tui - verified attestation and feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better naming Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add attestation section to config file Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * emit event for skipped verification Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * use public key name Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>	2022-04-21 11:52:42 -07:00
Alex Goodman	9cc1c72169	Preserve package IDs on Syft JSON SBOM decode (#731 )	2022-04-18 18:22:58 +00:00
Christopher Angelo Phillips	95f68b4c33	Add java.Matcher configuration to includes maven upstream sha1 query (#714 )	2022-04-13 13:01:22 -04:00
Alex Goodman	c36e9df887	Use CGO-less sqlite GORM driver (#705 )	2022-04-04 18:40:29 +00:00
Jonas Xavier	182c86d11d	Migrate LocationSet and add Dart support (#703 )	2022-04-01 08:21:37 -07:00
Keith Zantow	44e676488e	Update syft to v0.42.4 (#697 )	2022-03-24 14:11:17 -04:00
Keith Zantow	d8e1c37cd1	Update syft to v0.42.3 (#690 )	2022-03-23 17:57:06 -04:00
Alex Goodman	9fc6fb8a32	Bump strset version to fix 386 builds (#689 )	2022-03-23 18:27:11 +00:00
j-k	d40fb77c1a	Correct go.mod to enforce go 1.18 (#685 ) Since grype now depends on debug/buildinfo go 1.18 is required to build grype and as such go.mod needs updating Signed-off-by: 06kellyjac <jack@control-plane.io>	2022-03-22 09:33:35 -04:00
Keith Zantow	f004f7dee3	Update Syft to 0.42.1 (#683 )	2022-03-21 20:11:40 +00:00
Jonas Xavier	dae6411c5c	upgrade github workflows to go 1.18 (#649 ) * upgrade github workflows to go 1.18 Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * upgrade syft & set go1.18 for CI workflows Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add go1.17 static analysis Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix yaml comment Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-03-17 14:58:20 -07:00
Keith Zantow	60c2968953	Update Syft to v0.41.6 (#670 )	2022-03-16 12:48:42 -04:00
Keith Zantow	cbdec2ae5e	Update to Syft v0.41.4 (#664 )	2022-03-14 17:15:09 -04:00
Keith Zantow	bc8f8414ca	Add SARIF presenter option (#654 )	2022-03-14 12:13:37 -04:00
Alex Goodman	1368ea05cd	Add additional DB archive decompressors (#657 )	2022-03-07 11:44:43 -05:00
Keith Zantow	ff424d3adc	Bump Syft for CycloneDX input (#650 )	2022-03-02 10:05:01 -05:00
Alex Goodman	16cd14519a	Bump syft to release version v0.39.0 (#645 ) * bump syft to v0.39.0 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update ByCriteria to log error on failure Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * integration tests now pass Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * bump to v0.39.3 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * raise search failures to warn Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * tidy go.mod/sum Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-26 17:28:08 -05:00
Alex Goodman	f29a0d06d8	Bump syft to v0.38.0 for release (#635 )	2022-02-15 19:03:55 +00:00

1 2 3 4

190 commits