* Add injectable HTTP client to file getter
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* WIP: Map config for custom CA certs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* update curator and add tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add TLS helper scripts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove grype-db local mod edit
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go modules
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ssl.context over deprecated fn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* disallow tls 1 and 1.1
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* suppress non-archive sources for fetch-to-dir capability
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure DB load failure does not panic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
- Update grype-db dependency for the distro-feed namespace mapping
- Add test to verify the above mapping
Signed-off-by: Swathi Gangisetty <swathi@anchore.com>
* update syft version with correct arguments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump integration tests with new presenter format
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration tests to remove php-composer failure
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* use named pipe bit on stdin as indicator for piped input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure stdin is ignored when the CLI hints are present
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add CLI test to cover subprocess integration behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* added test case for java regression
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove extra line in makefile
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* see if QEMU offers support
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update QEMU support before cli verification
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update grype to compile windows
Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update go mod with new stereoscope
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update build comments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* small build tags
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add goreleaser windows
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump syft version
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update tests
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test images to use newest pinned golang
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Remove webinar announcement
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Document only-fixed feature
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Expand docs for Grype database
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* List out allowed values for fix-state
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* add binary for arm64 to release process
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update from darwin -> linux
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* disable etui when piping input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore jotframe version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove test code
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* raise error from IsPipedInput
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* factor out verbosity check to function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Silence usage and errors on root command
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* show help when no args are given
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cli test for help behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Add --only-fixed option to root command. Grype will now exit with status code 0 when passing this option if vulnerabilities are detected but have no upstream resolution.
* update config with new option
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add flag into root cmd
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Retrieve target from directory sbom types in addition to image types
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
* add dir sbom ingest test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* Make installation methods more obvious
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add badge for joining Slack
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Document requirement for signed commits
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* split and upgrade config processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade UI organization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose logger writer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) event loop abstraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update aux commands to use Cobra RunE over Run
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade root command to use new event loop and signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test to account for config representation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update dependencies + fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* decompose application config parse func + add missing config struct tags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore unparam lint exclusion for registry config
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Move changes from kb_constraint_test.go to helper_test.go for uniform testing methodology across all constraint tests.
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* refactor to go convention
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Support gomod configuration in goreleaser
Signed-off-by: Conor Nosal <cnosal@vmware.com>
* switch to goreleaser build for snapshots + bump version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* modify goreleaser buildx option due to deprecation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add snapshot flag to builds
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* Updates approach for epoch handling in rpm comparisons to ignore epochs
if not explicitly available from both sides of the comparison. Fixes #437
This approach adds -1 as epoch value in the struct to identify
"not-specified" rather than defaulting to 0, per rpm spec, so that the
comparison logic can identify when it is provided vs missing.
During the comparison, if both sides do not have an explicitly set epoch,
it will skip the epoch check as unreliable and compare the remaining
components. This is done to handle messy data in RedHat vuln feeds where
often the sourceRpm versions do not include epochs when they should, and
defaulting to zero or using the epoch of the binary version is also
incorrect.
Signed-off-by: Zach Hill <zach@anchore.com>
* Uses switch instead of if-else-chain per linter suggestion
Signed-off-by: Zach Hill <zach@anchore.com>
* Fix import order/format for linter
Signed-off-by: Zach Hill <zach@anchore.com>
* Comment out strictCompare for linter
Signed-off-by: Zach Hill <zach@anchore.com>
* Minor cleanup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Remove commented out function
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Refactor RPM version comparison to make missing epoch explicit
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* More cleanup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* change epoch to pointer type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add rpmdb matcher tests for explicit epoch being passed
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* explicitly pass the epoch on package versions in the rpmdb matcher
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Dan Luhring <dan.luhring@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
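A Go illustration of the epoch rule this entry describes, added here and not grype's own code: the epoch is a pointer (as in the later "change epoch to pointer type" commit) with nil meaning "not specified", and it takes part in the comparison only when both sides set it explicitly. The names parseRPM, normalize and compare are hypothetical, and the segment ordering is a simplified rpmvercmp.

```go
package main
import (
	"regexp"
	"strconv"
	"strings"
)

// rpmVersion is a constructed EVR model; a nil Epoch means "not specified".
type rpmVersion struct {
	Epoch            *int
	Version, Release string
}
// parseRPM reads "[epoch:]version[-release]"; a missing epoch stays nil, not 0.
func parseRPM(s string) rpmVersion {
	var v rpmVersion
	if pre, rest, ok := strings.Cut(s, ":"); ok {
		if e, err := strconv.Atoi(pre); err == nil {
			v.Epoch, s = &e, rest
		}
	}
	v.Version, v.Release, _ = strings.Cut(s, "-")
	return v
}
var segRe = regexp.MustCompile(`[0-9]+|[A-Za-z]+`)
// normalize rewrites a version string so strings.Compare orders it as rpmvercmp
// does: numeric runs sort above alphabetic ones and compare by value (<=20 digits).
func normalize(s string) string {
	var b strings.Builder
	for _, seg := range segRe.FindAllString(s, -1) {
		if seg[0] <= '9' {
			b.WriteString("1" + strings.Repeat("0", 20-len(seg)) + seg)
		} else {
			b.WriteString("0" + seg)
		}
	}
	return b.String()
}

// compare returns -1, 0 or 1; the epoch is checked only when both sides set it.
func compare(a, b rpmVersion) int {
	pairs := [][2]string{{a.Version, b.Version}, {a.Release, b.Release}}
	if a.Epoch != nil && b.Epoch != nil { // a missing epoch on either side is skipped as unreliable
		pairs = append([][2]string{{strconv.Itoa(*a.Epoch), strconv.Itoa(*b.Epoch)}}, pairs...)
	}
	for _, p := range pairs {
		if c := strings.Compare(normalize(p[0]), normalize(p[1])); c != 0 {
			return c
		}
	}
	return 0
}
```

With this rule "1:2.4.6-1.el8" and "2.4.6-1.el8" compare equal, while "1:2.4.6-1.el8" is greater than "0:2.4.6-1.el8" because both sides carry an epoch.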
* Preliminary implementation of ignore rules
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Support ignoring matches by package type
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add tests for ignore functionality
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add documentation for ignore rules and clean up README
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add test for glob location matching
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add announcement for KubeCon meetup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Remove warning about zsh completion
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
This change both adds a test to identify, and fixes, differences between loading SBOMs from JSON and loading SBOMs from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
This change updates the KB constraint to not satisfy if the raw constraint is empty.
Additional related changes:
* Implemented new NonFatalConstraintError and changed kbConstraint.Satisfied to return an error if the version constraint is an empty string.
* Re-implemented TestVersionKbConstraint, as the test helper module helper_test.go does not satisfy the testing needs.
* Added a test to TestVersionKbConstraint for version "base" and constraint "base" to ensure unpatched Microsoft images are matched.
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
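An added Go sketch of the behaviour this entry describes, not grype's own code: the kbConstraint model (a comma-separated KB list or the literal "base") and the KB identifiers used with it are assumptions. It shows an empty constraint failing closed with a NonFatalConstraintError that the caller can recognise via errors.As and skip rather than treat as a match or a fatal failure.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NonFatalConstraintError marks a constraint that could not be evaluated, so a
// matcher can log and skip the entry rather than count it as a match or abort.
type NonFatalConstraintError struct {
	Constraint, Version, Message string
}

func (e NonFatalConstraintError) Error() string {
	return fmt.Sprintf("constraint %q vs version %q: %s", e.Constraint, e.Version, e.Message)
}

// kbConstraint is a constructed model (not grype's own type): a comma-separated
// list of KB identifiers, or the literal "base" for an unpatched image.
type kbConstraint struct{ raw string }

// Satisfied reports whether version appears in the list. An empty raw constraint
// is never satisfied and is reported as a NonFatalConstraintError.
func (c kbConstraint) Satisfied(version string) (bool, error) {
	if strings.TrimSpace(c.raw) == "" {
		return false, NonFatalConstraintError{c.raw, version, "empty constraint cannot be satisfied"}
	}
	for _, kb := range strings.Split(c.raw, ",") {
		if strings.TrimSpace(kb) == version {
			return true, nil
		}
	}
	return false, nil
}

// isNonFatal lets the caller distinguish "skip this record" from a real failure.
func isNonFatal(err error) bool {
	var nf NonFatalConstraintError
	return errors.As(err, &nf)
}
```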