grype

mirror of https://github.com/anchore/grype synced 2024-11-10 06:34:13 +00:00

Author	SHA1	Message	Date
Christopher Angelo Phillips	991d16879a	update grype to use syft v0.52.0 (#838 )	2022-07-22 16:12:18 +00:00
Christopher Angelo Phillips	2c7d4e66d4	add debug distroless image to published images (#835 )	2022-07-20 16:52:05 -04:00
Christopher Angelo Phillips	3fae30d005	add new line for help block (#834 )	2022-07-19 12:26:21 -04:00
Zac Medico	30943e032b	add Gentoo matching support (#813 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-07-19 09:37:21 -04:00
cpendery	951bc359bb	feat: add filtering support using target software field in cpe (#810 )	2022-07-18 15:28:19 -04:00
Christopher Angelo Phillips	addbd07b4f	Add new matcher files for golang => remove main module FP matches (#829 )	2022-07-18 13:14:03 -04:00
Josh Bressers	8ce541ee1c	Fix a cyclonedxvex typo and fix the schema document from (#830 ) https://github.com/CycloneDX/specification/issues/147 Signed-off-by: Josh Bressers <josh@bress.net>	2022-07-17 11:34:41 -04:00
cpendery	51617f8aa5	feat: add --only-notfixed flag (#828 )	2022-07-15 10:01:05 -04:00
artsv79	2233736e98	add DBCloser. Clients can aviod db connection leak if vulnerability db is loaded many times (#825 )	2022-07-12 09:54:42 -04:00
Christopher Angelo Phillips	cb6bddfeeb	bump syft version to v0.51.0 (#822 )	2022-07-11 15:15:12 -04:00
cpendery	e2fff6c22f	feat: implement `grype db diff` command (#812 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>	2022-07-11 09:46:59 -04:00
Weston Steimel	17a440033a	fix typo in log message (#819 )	2022-07-06 15:56:44 +00:00
Christopher Angelo Phillips	0e0a9d9e7a	update syft to v0.50.0 (#818 )	2022-07-06 14:48:21 +00:00
Weston Steimel	44032c514c	Finalize v4 Grype schema (#803 ) * initial v4 schema setup Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update v3 => v4 for unit tests -- did NOT update - grype/db/v3/* Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * use nullable string in sqlite so null values get represented correctly Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add missing unit test case for dotnet Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * Add db writer function for calling sqlite vacuum Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * adding normalization of package names at database adapter layer Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * refactor namespaces for v4 Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update v4 stuff to use sqlite fork Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * Namespace should satisfy Stringer interface Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * normalize CPEs before comparison Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * vulnerability exclusion => vulnerability match exclusion Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * updates to vulnerability match exclusion models Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add initial vulnerability match exclusion store unit tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * make vuln match exclusion constraints nullable Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * move vuln match namespace into constraints object and refactor Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * check db match constraints to ensure there aren't any unknown fields and add json hints Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * ensure we only keep compatible match exclusion constraints Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * use omitempty on all match exclusion structs Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove db v4 schema resolver and namespace types Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename Vacuum to Close Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * lint fixes + remove panic on vuln provider creation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * WIP match exclusions Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * build list of ignore rules from v4 db records Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * quick attempt at a new uber object Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * just pass around the full object for now to quickly get to a usable state Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix panic when no vuln db loaded Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * use interfaces for db.store function signatures Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Flatten the match exclusion constraint model to simplify logic Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * updating some tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix panic when no db update possible Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * more tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * WIP fixing match exclusion constraint usability and json mapping logic Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add v4 db diff logic (excluding vulnerability_match_exclusion data for now) Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * lint fix Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update integration tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * nvd -> nvd:cpe namespace updates Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * ensure test store uses v4 normalized names Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * set the grype db update url to staging for v4 Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * prevent more segfaults on database open Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add continue when unable to load ignore rules Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove db.Status from the Store object Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix compare_sbom_input_vs_lib_test.go Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove staging endpoint now that v4 is published Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-07-05 19:03:16 +01:00
cpendery	75a7e54f52	docs: update to include rust (#814 )	2022-06-29 15:45:21 -04:00
cpendery	90df6815e6	feat: add diffing 2 databases to v3 store functionality (#789 )	2022-06-28 14:22:37 -04:00
cpendery	8ab0159f9f	fix: add support for partybus ui on `grype db update` cmd (#806 )	2022-06-28 14:21:33 -04:00
Adin Ermie	b3a078aa02	Added Docker example to Readme (#769 )	2022-06-27 16:59:51 -04:00
cpendery	e17bb9bd73	fix: add vex json & xml to listed formats (#802 )	2022-06-27 11:26:59 -04:00
cpendery	64277bf6f4	docs: update php listing to be more clear that the `.json` file isn't indexed (#808 )	2022-06-27 10:26:49 -04:00
Christopher Angelo Phillips	82c0146b0a	update syft => v0.49.0 (#804 )	2022-06-24 18:30:36 +00:00
Christopher Angelo Phillips	bbe933204a	remove oss meetup message (#799 )	2022-06-23 18:03:38 +00:00
cpendery	bb2f8dcdb4	fix: add fixed versions to cyclonedxjson output (#763 )	2022-06-21 17:50:05 -04:00
cpendery	335f744b9b	docs: update to include php (#793 )	2022-06-17 19:14:47 +00:00
Christopher Angelo Phillips	0703bae977	update grype to latest syft patch v0.48.1 (#790 )	2022-06-17 15:45:33 +00:00
cpendery	11cf09222b	fix: add golang to documentation (#788 )	2022-06-16 15:59:32 -04:00
Alan (Maciej) Paruszewski	b47e1935e1	fix: accept templates with custom functions (#786 )	2022-06-16 16:25:54 +00:00
Jonas Xavier	d6fa674edc	add db staleness check (#785 ) * add db staleness check Signed-off-by: Jonas Xavier <jonasx@anchore.com> * less config fields Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix import order Signed-off-by: Jonas Xavier <jonasx@anchore.com> * warn even when set to not error on staleness Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * lint fix Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent log message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent new version message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * human friendly time durations Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix typo Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * cleaner tests and default db value Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-15 12:48:10 -04:00
cpendery	cc0f134484	feat: add compose workflow for local dev (#783 )	2022-06-14 13:02:48 -04:00
Jonas Xavier	2a587d0890	ignore gemfile rich version for semVer comparison (#776 ) * ignore gemfile rich version during comparision Signed-off-by: Jonas Xavier <jonasx@anchore.com> * update search and version tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix int tests and lint error Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nit on error message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * split based on arch in gem version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * reuse semVer constraint Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more constraint tests cases Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more comments and tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add lower case version check Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * validate that ruby version work with semver and gem version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more comments and tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * rename gem version format const Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-10 14:09:58 -04:00
Weston Steimel	736117e0d9	Support namespace and language as additional criteria for ignoring vulnerability matches (#780 ) * support filtering matches based on Namespace Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * support filtering matches based on package language Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add tests for filtering matches on Namespace and Language Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update README for new ignore rule criteria Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix linting errors Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-06-10 18:15:58 +01:00
Christopher Angelo Phillips	69de9e7a0a	update syft version to v0.47.0 (#781 )	2022-06-09 16:03:14 -04:00
Weston Steimel	81af51302d	use anchore fork of glebarez/sqlite (#778 ) This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by just using modernc.org/sqlite directly within our fork Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-06-08 09:41:15 -04:00
Abhijeet Kasurde	8163c9f988	template: Check sanity for template file (#674 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-07 10:21:30 -04:00
briankoe741	30f0aa7051	Add announcement for Anchore OSS Meetup (#775 )	2022-06-06 16:51:34 -04:00
dependabot[bot]	07dfb28718	Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-02 09:18:53 -04:00
Christopher Angelo Phillips	43b870d5fe	publish release to reduce user friction (#766 )	2022-05-26 20:44:22 +00:00
anchore-actions-token-generator[bot]	10c3604498	Update Syft to v0.46.3 (#761 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>	2022-05-26 10:14:28 -07:00
Sean Killeen	55b63a9fb8	Add reference to logrus logging levels (#758 )	2022-05-25 15:06:17 -04:00
Herby Gillot	e6fc3e67d8	README: add MacPorts install info (#759 ) Signed-off-by: Herby Gillot <herby.gillot@gmail.com>	2022-05-25 11:06:42 -07:00
Alex Goodman	06d28dad9f	bump to syft v0.46.2 (#755 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-23 13:47:21 +00:00
Jonas Xavier	c842fb9af5	bump stereoscope version to include source path fix (#752 )	2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]	5a5642cc0d	Update Syft to v0.46.1 (#751 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-05-18 14:10:39 -07:00
Christian Kotzbauer	731abaab72	Add syft v0.46.0 Dotnet support (#747 )	2022-05-13 12:46:31 -04:00
dependabot[bot]	d6196b6525	Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742 ) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml) - [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-getter dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-05-04 16:33:28 +01:00
Dan Luhring	0df35f8d2c	address excessive warnings from multiple sources (#741 )	2022-05-03 14:05:50 +00:00
SALES	7fc4ca7646	Add reference to Grype-based GitHub Action (#710 ) Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-05-01 20:03:19 +00:00
Christopher Angelo Phillips	36f5150fa9	bump syft version (#738 )	2022-04-29 13:39:08 -04:00
Sambhav Kothari	9f70cdbf24	add initial support for embedded CycloneDX VEX documents (#678 )	2022-04-28 12:49:12 -04:00
Jonas Xavier	523f5ce9c0	Consume attestation files (#706 ) * add key flag to attest validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp: verify sig and extract sbom Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip read attestation without scheme Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp consuming attestations - needs unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove prototype file Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * drop local syft from go.mod Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix order of sbom parsing strategies Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle implicit attestation input Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add test for invalid attestation key Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * rebase and go-mod-tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * consume attestation via stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * attestation test for stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate input and content for attestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add stdin test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix config tags Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add int test to ignore attestation validation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix cycloneDX attestation fixture Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered att test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered predicate type test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * improve docs/help on atttestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * upgrade to latest syft Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fall through when guessing between sbom and att Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix butter finger rebase Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * drop default key value Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * assert error messages Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better test/cli coverage Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix stdin decode test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix goimports Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * tui - verified attestation and feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better naming Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add attestation section to config file Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * emit event for skipped verification Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * use public key name Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>	2022-04-21 11:52:42 -07:00

1 2 3 4 5 ...

771 commits