Commit graph

1109 commits

Author SHA1 Message Date
plavy
89610e1e07
docs: fix logging configuration in README (#1646)
Signed-off-by: plavy <tinplavec@gmail.com>
2023-12-29 01:53:32 +00:00
dependabot[bot]
55ef6b6108
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#1633)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-12-21 12:02:53 -05:00
dependabot[bot]
634cdf3647
chore(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (#1641) 2023-12-20 16:30:16 +00:00
dependabot[bot]
010b2583b0
chore(deps): bump github.com/containerd/containerd from 1.7.8 to 1.7.11 (#1642) 2023-12-20 16:27:47 +00:00
dependabot[bot]
a88a00a515
chore(deps): bump actions/upload-artifact from 3.1.3 to 4.0.0 (#1638)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.3 to 4.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](a8a3f3ad30...c7d193f32e)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-18 06:57:52 -05:00
dependabot[bot]
556c8c0dc2
chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 (#1632)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](1fc5bd396d...9614fae9e5)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-15 10:29:02 -05:00
dependabot[bot]
7b334451b9
chore(deps): bump github.com/charmbracelet/bubbletea (#1635)
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea) from 0.24.2 to 0.25.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases)
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.24.2...v0.25.0)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 17:50:11 -05:00
dependabot[bot]
4ec7a03abd
chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 (#1636)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 11:44:27 -05:00
dependabot[bot]
a820759495
chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 (#1630)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](93397bea11...0c52d547c9)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-11 06:40:01 -05:00
dependabot[bot]
c6719ccd02
chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 (#1626)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.0 to 0.15.1.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](fd74a6fb98...5ecf649a41)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-05 09:49:09 -05:00
Christopher Angelo Phillips
11b9e9616c
chore: pin action to correct sha (#1598)
* chore: pin action to correct sha

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* chore: add version for dependabot

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-12-01 10:43:56 -05:00
dependabot[bot]
2e9eff8f74
chore(deps): bump github.com/google/go-containerregistry (#1625)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.16.1...v0.17.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-30 12:08:31 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests (#1623)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Christopher Angelo Phillips
06b9f1c907
chore: update syft; go mod tidy (#1621)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-29 15:04:17 -05:00
dependabot[bot]
6a1aa587af
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 (#1618)
Bumps [github.com/spf13/afero](https://github.com/spf13/afero) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](https://github.com/spf13/afero/compare/v1.10.0...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 11:06:18 -05:00
William Murphy
e887501628
chore: explicitly test maven suffixes (#1617)
Some older Maven releases include a suffix like .RELEASE on the version
number. Grype's behavior with regard to these versions has been
suggested as a source of false positives. Pin the behavior with tests to
make it easier to reason about how Grype will compare maven versions and
to guard against this behavior accidentally changing.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-27 09:33:56 -05:00
dependabot[bot]
e4242b9246
chore(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 (#1611)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.14.3 to 0.15.0.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](78fc58e266...fd74a6fb98)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-21 13:47:08 -05:00
anchore-actions-token-generator[bot]
dbe2a9515a
chore(deps): update Syft to v0.97.1 (#1610)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-17 21:27:07 +00:00
anchore-actions-token-generator[bot]
78f57a3c69
chore(deps): update Syft to v0.97.0 (#1608)
* chore(deps): update Syft to v0.97.0

Signed-off-by: GitHub <noreply@github.com>

* fix syft api usage

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-16 19:20:28 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset (#1606)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
William Murphy
273fe0ef16
fix: golang version parsing (#1599)
Add a golang version parser, which is a very thin wrapper
around a semantic vesion, but knows to trim "go" before attempting
to parse as a semantic version.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-15 17:25:32 -05:00
anchore-actions-token-generator[bot]
83e5176127
chore(deps): update bootstrap tools to latest versions (#1595)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-09 08:08:22 -08:00
dependabot[bot]
830da2ff2c
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 (#1597)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.11 to 0.4.12.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.11...v0.4.12)

---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 07:52:24 -08:00
anchore-actions-token-generator[bot]
e44ec4d4bc
chore(deps): update Syft to v0.96.0 (#1596)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
2023-11-09 14:30:10 +00:00
William Murphy
1afcf1f185
fix: match against debian unstable (#1593)
This is done by special casing "sid" in the pretty name of 
a Linux distro to point to the grype-db debian unstable namespace.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-08 15:17:01 -05:00
Eng Zer Jun
3c255e3c10
perf: avoid allocations with (*regexp.Regexp).MatchString (#1592)
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-11-08 09:32:01 -08:00
dependabot[bot]
5d8cfd56c7
chore(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 (#1590)
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](11086d2504...1fc5bd396d)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-08 06:18:38 +00:00
anchore-actions-token-generator[bot]
1543248822
chore(deps): update Syft to v0.95.0 (#1591) 2023-11-07 15:42:43 -05:00
Alex Goodman
4b06a160e1
chore: account for syft package metadata changes (#1423)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-11-07 15:17:36 -05:00
William Murphy
7984e0a84f
fix: bump fangs to enable setting golang CPE config using env var (#1585)
* fix: bump fangs

Bump fangs to pull in https://github.com/anchore/fangs/pull/27, which
fixes an issue where env vars couldn't be used to set fields on embedded
structs in the config struct.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* fix: bump fangs to pull in panic fix

The previous fangs fix panicked when summarizing configs with embedded
structs. Bump fangs to pull in https://github.com/anchore/fangs/pull/29
which fixes this panic.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* commit mod tidy

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* Pull in dependency bumps from main to resolve conflicts

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-07 10:59:13 -05:00
anchore-actions-token-generator[bot]
92920ffde0
chore(deps): update bootstrap tools to latest versions (#1588)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-07 06:44:58 -08:00
dependabot[bot]
2ef5d23844
chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#1586)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-06 21:55:53 -05:00
Christopher Angelo Phillips
b90c881ab4
chore: bootstrap action cleanup (#1587)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-06 21:55:37 -05:00
anchore-actions-token-generator[bot]
5ca34efef8
chore(deps): update bootstrap tools to latest versions (#1584)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-06 13:16:22 -05:00
Alex Goodman
21958a43b5
Incorporate format API changes from syft (#1582)
* incorporate changes from anchore/syft#2228

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix testing utils to use syft SBOM

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-02 15:25:48 -04:00
dependabot[bot]
3712c1c5c7
chore(deps): bump github.com/docker/docker (#1579)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.6+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.6...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-31 13:48:52 -04:00
Mateusz Urbanek
0d870faea6
feat(config): added reason field (#1532)
* feat(config): added reason field

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>

* add CLI test for ignore reason field

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-30 15:31:42 -04:00
dependabot[bot]
fc7713b763
chore(deps): bump github.com/glebarez/sqlite from 1.9.0 to 1.10.0 (#1583)
Bumps [github.com/glebarez/sqlite](https://github.com/glebarez/sqlite) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/glebarez/sqlite/releases)
- [Commits](https://github.com/glebarez/sqlite/compare/v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/glebarez/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 13:39:54 -04:00
Shane Dell
81edd50e1e
Colorize severity in table output (#1284)
* Colorize severity in table output

- Create flag "--no-color" to allow disabling the color. By default its enabled.
- When "--no-color" not specified highlight severity in its color:
  - Critical -> Bold Red
  - High -> Red
  - Medium -> Yellow
  - Low -> Green
  - Negligible -> Blue
  - Note: Golang doesn't have all colors available. Also, doesn't seem to be able use hex codes properly.
- Add termenv to check if the terminal color profile supports colored output. If it doesn't default to noColor

Closes #225

Signed-off-by: Shane Dell <shanedell100@gmail.com>

* fix: adopt EnvColorProfile to support NO_COLOR

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* fix linting and update snapshots

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-30 13:57:46 +00:00
Christopher Angelo Phillips
401d67cd96
feat: add custom maven comparator (#1571)
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-27 14:24:56 -04:00
William Murphy
1ab051bac9
chore: fix path to quality tests (#1578)
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-10-27 11:23:19 -04:00
Alex Goodman
a276bf120b
capture quality gate state on failures (#1576)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-26 14:31:30 -04:00
dependabot[bot]
a2fdccdfc6
chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 (#1575)
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.3.1 to 1.4.0.
- [Release notes](https://github.com/google/uuid/releases)
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/uuid/compare/v1.3.1...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/google/uuid
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-26 13:30:37 -04:00
anchore-actions-token-generator[bot]
47f08a82f2
chore(deps): update bootstrap tools to latest versions (#1574)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-10-26 11:13:07 -04:00
dependabot[bot]
66a47594f1
chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.3 (#1573)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.56.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.56.0...v1.56.3)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-25 21:45:45 -04:00
Christopher Angelo Phillips
6b4978f633
docs: add cbl-mariner to supported distro (#1569)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-10-24 12:11:55 -04:00
dependabot[bot]
dd823d19f6
chore(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#1570)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](483ef80eb9...0864cf1902)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-24 11:50:13 -04:00
anchore-actions-token-generator[bot]
562f228301
chore(deps): update bootstrap tools to latest versions (#1567)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-10-23 10:48:35 -04:00
anchore-actions-token-generator[bot]
04df28051b
chore(deps): update Syft to v0.94.0 (#1566)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-10-20 17:57:36 +00:00
Alex Goodman
156c081d3e
Incorporate Syft java detection improvements (#1555)
* incorporate anchore/syft#2220

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* incorporate .net core improvements

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:34:36 -04:00