Commit graph

102 commits

Author SHA1 Message Date
plavy
89610e1e07
docs: fix logging configuration in README (#1646)
Signed-off-by: plavy <tinplavec@gmail.com>
2023-12-29 01:53:32 +00:00
Christopher Angelo Phillips
6b4978f633
docs: add cbl-mariner to supported distro (#1569)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-10-24 12:11:55 -04:00
Alex Goodman
9750ef2452
add exception for go stdlib search by CPE (#1565)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:02:38 -04:00
James Hebden
30f05c3759
Add --ignore-states flag for ignoring findings with specific fix states (#1473)
* Add --ignore-states flag for ignoring findings with by fix state

Signed-off-by: James Hebden <jhebden@gitlab.com>

* ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated

Signed-off-by: James Hebden <jhebden@gitlab.com>

* Add CLI tests for new --ignore-states flag

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: James Hebden <jhebden@gitlab.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-17 14:07:34 -04:00
Shubham Hibare
e0e8b355f0
Add checksum signing (#1535)
* Add checksum signing

Signed-off-by: Shubham Hibare <shubham@hibare.in>

* Add artifact signature verification steps

Signed-off-by: Shubham Hibare <shubham@hibare.in>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
2023-10-12 15:38:30 -04:00
Christopher Angelo Phillips
6da8be94ac
chore: add OpenSSF Best Practices badge (#1523)
* chore: add OpenSSF Best Practices badge
--------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-27 11:06:35 -04:00
Rob Szumski
cc76ab82f9
Fix typo in flag (#1501)
Signed-off-by: Rob Szumski <rob@robszumski.com>
2023-09-18 16:54:14 -04:00
Puerco
b952d3808c
Ignore/add match results based on OpenVEX documents (#1397)
* go.mod: Pull OpenVEX go modules

This commit pulls the OpenVEX libraries into the grype source.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add generic VEX processor package

This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.

The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Add OpenVEX processor implementation

This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Table presenter: Highligt results suppressed by VEX

This commit marks results suppressed by VEX when presenting them
to the user.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Define  VEX status constants

This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add VexStatus to ignore rules

This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add IgnoreRule HasConditions method

Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Control VEX filtering through IgnoreRules

This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Allow rules to match on VEX justification

This commit expands the ingore rules to also work on vex the
justification of not_affected statements.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Use go-vex merge implementation

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add OpenVEX matcher to matcher list

This commit adds a new entry to the matchers: An openvex matcher

This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add vex.AugmentMatches() to the vex processor

This commit adds a new AugmentMatches() phase to the VEX processor.

This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.

The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Parse context identifiers using GGC

This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Bump funlen linter to 73

This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>

* Add VEX testing to matchers test

This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* add vex status and justification to ignored rule json model

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit rename + add TODO question about augmenting ignored matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit document comment updates + common variable extraction

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate legacy matcher function to vulnerability matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tui to respond to ignored and dropped matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate vex processing to vulnerability match object

Based on Alex's previous caommit

Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Migrate VEX options and app config from legacy CLI

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* update table snapshot tests with suppressed vex entries

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for match.Matches.Diff()

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for vex processor

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting and restore global funlen rule

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove grpc pin

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* always return remaining and ignroed matches from matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Add VEX documentation to main README

This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 15:26:12 -04:00
5p2O5pe25ouT
bf84e2fa7f
Add registry certificate verification support (#1232)
* add registry certificate verification support

* modify go.mod

* rename registry cert options, add docs, and add test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update to account for changes in anchore/stereoscope#195

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix cli tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-29 15:51:27 +00:00
Puerco
be91dc65d6
docs: fix some typos on main README (#1455)
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
2023-08-25 11:00:03 -04:00
Alex Goodman
f0f8454c3e
note supported versions of grype (#1458)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 19:31:09 +00:00
Alex Goodman
ebd4643930
Port UI to bubbletea (#1385)
* initial port to bubbletea

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove jotframe UI

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add bubbletea component tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update main.go refs to cmd package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* move goreleaser build dir to cmd

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade yardstick for grype source installs and fix post-ui tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* ensure stable severity map in UI component test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add windows support for tui

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-13 17:13:48 +00:00
Tim Gerla
ecf9e65b95
Add a simple CSV format template to the templates/ directory and tweak docs (#1366) 2023-06-29 17:05:17 -04:00
James Neate
0ace6b1a98
feat: add non-hermetic sprig functions (#1243) (#1273)
Because the general set of sprig functions can used to access
environment variables, explicitly warn users never to run untrusted
templates.

---------

Signed-off-by: James Neate <jamesmneate@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-05-08 17:14:45 -04:00
James Neate
2930a18786
docs: add config flag to configuration section (#1271) (#1274)
Signed-off-by: James Neate <jamesmneate@gmail.com>
2023-05-05 18:58:21 -04:00
HNKNTA
9ba7a6a1ad
docs: add "cyclonedx-json" to output formats (#1252)
Signed-off-by: HNKNTA <hnknta@gmail.com>
2023-05-02 17:20:47 -04:00
Christopher Angelo Phillips
8dec5c3784
feat: add default-image-source-config option (#1215)
#1204 surfaces the need for allowing a user to express a preference over the default-image-pull-source to be used when building an SBOM for vulnerability scanning.

This adds a config option into grype to consume the new syft behavior.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-04 10:28:33 -04:00
Christopher Angelo Phillips
788ed965ec
chore: prune cosign dependency for grype builds (#1100)
* feat: segment cosign dependency for grype builds for faster build times

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-01-31 11:42:40 -05:00
Christopher Angelo Phillips
cdb8f3fa45
chore: change CVE example to official sample (#1028)
CVE-2017-41432 is not a valid ID but in theory could be one day. Changed it to CVE-2014-54321 which is one of a number sample IDs used during the Syntax change in 2013/2014. References: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-54321 cve.mitre.org/data/board/archives/2013-04/msg00000.html

Co-authored-by: Jericho <3095424+attritionorg@users.noreply.github.com>
2022-12-06 13:03:40 -05:00
Joyce
2cd2ef5340
Enable the Scorecard Github Action and badge (#929) 2022-11-03 14:24:20 -04:00
Jan Hensel
a678b8d134
Correct falsely copied app-name 'syft' in example (#922) 2022-09-19 12:19:49 -04:00
Chapman Pendery
d5b825e40b
feat: extract use cpes in matching logic to be configurable (#911) 2022-09-06 09:55:35 -04:00
Adam Hughes
ac3d6b643c
docs: add Singularity to "features" in README (#912) 2022-09-06 09:33:07 -04:00
Adam Hughes
9810495212
docs: improve Singularity image source docs (#910) 2022-09-01 12:53:54 -04:00
Adam Hughes
9f28cdc24f
Add Singularity image source (#908) 2022-08-31 13:55:49 -04:00
Keith Zantow
64cbb68d9d
Add blurbs about building and running from source (#893) 2022-08-24 15:30:21 -04:00
Brock R
174f61ec23
Update README.md (#871) 2022-08-16 19:45:50 +00:00
Neil Levine
f12bb67720
Update README.md (#868) 2022-08-04 21:08:16 +00:00
cpendery
51617f8aa5
feat: add --only-notfixed flag (#828) 2022-07-15 10:01:05 -04:00
cpendery
75a7e54f52
docs: update to include rust (#814) 2022-06-29 15:45:21 -04:00
Adin Ermie
b3a078aa02
Added Docker example to Readme (#769) 2022-06-27 16:59:51 -04:00
cpendery
64277bf6f4
docs: update php listing to be more clear that the .json file isn't indexed (#808) 2022-06-27 10:26:49 -04:00
Christopher Angelo Phillips
bbe933204a
remove oss meetup message (#799) 2022-06-23 18:03:38 +00:00
cpendery
335f744b9b
docs: update to include php (#793) 2022-06-17 19:14:47 +00:00
cpendery
11cf09222b
fix: add golang to documentation (#788) 2022-06-16 15:59:32 -04:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
Weston Steimel
736117e0d9
Support namespace and language as additional criteria for ignoring vulnerability matches (#780)
* support filtering matches based on Namespace

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* support filtering matches based on package language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add tests for filtering matches on Namespace and Language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update README for new ignore rule criteria

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix linting errors

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-10 18:15:58 +01:00
briankoe741
30f0aa7051
Add announcement for Anchore OSS Meetup (#775) 2022-06-06 16:51:34 -04:00
Sean Killeen
55b63a9fb8
Add reference to logrus logging levels (#758) 2022-05-25 15:06:17 -04:00
Herby Gillot
e6fc3e67d8
README: add MacPorts install info (#759)
Signed-off-by: Herby Gillot <herby.gillot@gmail.com>
2022-05-25 11:06:42 -07:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
SALES
7fc4ca7646
Add reference to Grype-based GitHub Action (#710)
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-05-01 20:03:19 +00:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on atttestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to includes maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
briankoe741
67eacff3e2
Remove announcement for OSS Meetup (#691)
Proposing changes to remove our 3/23 meetup

Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-03-25 00:12:07 +00:00
Jonas Xavier
7555342be0
add podman to readme and examples (#677)
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-03-17 12:31:01 -07:00
Keith Zantow
a605d55ec0
Update register link text (#668) 2022-03-15 16:57:26 +00:00
Alex Goodman
cc8e7836f3
Add platform selection (#666) 2022-03-15 13:13:05 +00:00
briankoe741
8614a67ac5
Add announcement for Anchore OSS Meetup (#665) 2022-03-14 17:35:04 -04:00
Keith Zantow
fc8e13f5b8
Support for SBOMs with incomplete linux distribution or CPE information (#606) 2022-03-03 16:31:46 -05:00