grype currently produces CycloneDX SBOMs that are not compliant with the CycloneDX tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CycloneDX SBOM components along with the discovered vulnerabilities.
For more context on impacted issues:
https://github.com/anchore/grype/issues/796
https://github.com/anchore/grype/issues/951
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
CVE-2017-41432 is not a valid ID but in theory could be one day. Changed it to CVE-2014-54321, which is one of a number of sample IDs used during the syntax change in 2013/2014. References: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-54321 cve.mitre.org/data/board/archives/2013-04/msg00000.html
Co-authored-by: Jericho <3095424+attritionorg@users.noreply.github.com>
* chore: update digest for test fixture dockerfile
The previous digest was specifically for i386. The updated digest should use the manifest to determine the correct platform to use based on the client.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: add digest on archlinux test fixture image
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for building the correct vulnerability namespaces for rolling distros. This
will allow matching against distro-specific feeds once a namespace is populated within the grype
database.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Enhances the CPE target software component match filtering logic to consider ecosystems which aren't currently supported by
syft cataloging but are well-known sources of false positives. This currently adds support for filtering various
permutations of `wordpress`, `joomla`, and `drupal`.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to the correct app stream module and reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
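One way to model the rpm-modularity qualifier described in the commit above, as an added example that is not grype's own code: the `Package`, `Vulnerability`, `versionLess` and `Matches` names are hypothetical, and the rule that a qualified record only applies to a package from the same `name:stream` module (while an unqualified record applies to any package) is an assumption made for illustration.

```go
package main

import (
	"strconv"
	"strings"
)

// Package stands in for an installed RPM. Modularity is the "name:stream"
// app stream label, empty for a non-modular rpm. (Constructed, not grype's type.)
type Package struct {
	Name, Version, Modularity string
}

// Vulnerability stands in for a database record whose package_qualifiers
// carries an rpm-modularity entry. An empty Modularity means no qualifier.
type Vulnerability struct {
	ID, Package, FixedIn, Modularity string
}

// versionLess compares dotted numeric versions segment by segment.
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// qualifierMatches applies the assumed rpm-modularity rule: a record with a
// qualifier only applies to packages from that exact module stream; a record
// without one applies to any package, modular or not.
func qualifierMatches(v Vulnerability, p Package) bool {
	return v.Modularity == "" || v.Modularity == p.Modularity
}

// Matches reports whether v applies to p: same package name, installed
// version below the fix, and the rpm-modularity qualifier satisfied.
func Matches(v Vulnerability, p Package) bool {
	return v.Package == p.Name && versionLess(p.Version, v.FixedIn) && qualifierMatches(v, p)
}
```

Without the qualifier check, a record for the `nodejs:10` stream would match any `nodejs` rpm whose version string sorts below the fix, which is exactly the false positive the column is meant to remove.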