grype currently produces CYCLONE-DX SBOMs that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities.
For more context on impacted issues:
https://github.com/anchore/grype/issues/796
https://github.com/anchore/grype/issues/951
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to the correct app stream module, reducing false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* initial v4 schema setup
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v3 => v4 for unit tests
-- did NOT update
- grype/db/v3/*
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* use nullable string in sqlite so null values get represented correctly
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add missing unit test case for dotnet
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Add db writer function for calling sqlite vacuum
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* adding normalization of package names at database adapter layer
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* refactor namespaces for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v4 stuff to use sqlite fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Namespace should satisfy Stringer interface
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* normalize CPEs before comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* vulnerability exclusion => vulnerability match exclusion
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updates to vulnerability match exclusion models
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add initial vulnerability match exclusion store unit tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* make vuln match exclusion constraints nullable
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* move vuln match namespace into constraints object and refactor
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* check db match constraints to ensure there aren't any unknown fields and add json hints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure we only keep compatible match exclusion constraints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use omitempty on all match exclusion structs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db v4 schema resolver and namespace types
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Vacuum to Close
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* lint fixes + remove panic on vuln provider creation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* WIP match exclusions
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* build list of ignore rules from v4 db records
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* quick attempt at a new uber object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* just pass around the full object for now to quickly get to a usable state
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no vuln db loaded
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use interfaces for db.store function signatures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Flatten the match exclusion constraint model to simplify logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updating some tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no db update possible
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* more tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* WIP fixing match exclusion constraint usability and json mapping logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add v4 db diff logic (excluding vulnerability_match_exclusion data for now)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* lint fix
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update integration tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* nvd -> nvd:cpe namespace updates
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure test store uses v4 normalized names
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* set the grype db update url to staging for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* prevent more segfaults on database open
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add continue when unable to load ignore rules
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db.Status from the Store object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix compare_sbom_input_vs_lib_test.go
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove staging endpoint now that v4 is published
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add db staleness check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* less config fields
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix import order
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* warn even when set to not error on staleness
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* lint fix
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix test
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent log message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent new version message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* human friendly time durations
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix typo
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* cleaner tests and default db value
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add key flag to attest validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp: verify sig and extract sbom
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip read attestation without scheme
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp consuming attestations - needs unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove prototype file
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop local syft from go.mod
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix order of sbom parsing strategies
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle implicit attestation input
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test for invalid attestation key
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* rebase and go-mod-tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* consume attestation via stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* attestation test for stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* validate input and content for attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add stdin test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix config tags
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add int test to ignore attestation validation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix cycloneDX attestation fixture
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered att test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered predicate type test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* improve docs/help on attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* upgrade to latest syft
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fall through when guessing between sbom and att
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix butter finger rebase
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* drop default key value
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* assert error messages
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better test/cli coverage
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix stdin decode test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix goimports
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* tui - verified attestation and feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better naming
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add attestation section to config file
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* emit event for skipped verification
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* use public key name
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* refactor release to keep snapshot assets in parity with release assets
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor install.sh and put under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go.sum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add mac acceptance test to github actions workflow
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm use of goreleaser in cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* go mod tidy with go 1.17
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable merging of matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ability for matches constructor to take initial matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to include IDs on package objects
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename common matcher helper package to search package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename search functions and add SearchByCriteria
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cleanup imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port grype-db to grype
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate vulnerability provider implementation to db package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade path import validations
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting issues
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add version to logs
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* log when looking for updates
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add db list command
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add stderr print helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update docs with details about listing files and DB curation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Add injectable HTTP client to file getter
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* WIP: Map config for custom CA certs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* update curator and add tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add TLS helper scripts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove grype-db local mod edit
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go modules
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ssl.context over deprecated fn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* disallow tls 1 and 1.1
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* suppress non-archive sources for fetch-to-dir capability
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure DB load failure does not panic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* disable etui when piping input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore jotframe version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove test code
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* raise error from IsPipedInput
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* factor out verbosity check to function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Silence usage and errors on root command
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* show help when no args are given
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cli test for help behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Add --only-fixed option to root command. Grype will now exit with status code 0 when passing this option if vulnerabilities are detected but have no upstream resolution.
* update config with new option
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add flag into root cmd
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* split and upgrade config processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade UI organization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose logger writer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) event loop abstraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update aux commands to use Cobra RunE over Run
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade root command to use new event loop and signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test to account for config representation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update dependencies + fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* decompose application config parse func + add missing config struct tags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore unparam lint exclusion for registry config
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Preliminary implementation of ignore rules
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Support ignoring matches by package type
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add tests for ignore functionality
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add documentation for ignore rules and clean up README
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add test for glob location matching
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* update command to take in SYFT_VERSION
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add dynamic input to build command for ci
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>