dependabot[bot]
556c8c0dc2
chore(deps): bump sigstore/cosign-installer from 3.2.0 to 3.3.0 ( #1632 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.2.0 to 3.3.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](1fc5bd396d...9614fae9e5
2023-12-15 10:29:02 -05:00
dependabot[bot]
7b334451b9
chore(deps): bump github.com/charmbracelet/bubbletea ( #1635 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 0.24.2 to 0.25.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.24.2...v0.25.0 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 17:50:11 -05:00
dependabot[bot]
4ec7a03abd
chore(deps): bump github.com/google/uuid from 1.4.0 to 1.5.0 ( #1636 )
...
Bumps [github.com/google/uuid](https://github.com/google/uuid ) from 1.4.0 to 1.5.0.
- [Release notes](https://github.com/google/uuid/releases )
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md )
- [Commits](https://github.com/google/uuid/compare/v1.4.0...v1.5.0 )
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-13 11:44:27 -05:00
dependabot[bot]
a820759495
chore(deps): bump actions/setup-go from 4.1.0 to 5.0.0 ( #1630 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 4.1.0 to 5.0.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](93397bea11...0c52d547c9
2023-12-11 06:40:01 -05:00
dependabot[bot]
c6719ccd02
chore(deps): bump anchore/sbom-action from 0.15.0 to 0.15.1 ( #1626 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.15.0 to 0.15.1.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](fd74a6fb98...5ecf649a41
2023-12-05 09:49:09 -05:00
Christopher Angelo Phillips
11b9e9616c
chore: pin action to correct sha ( #1598 )
...
* chore: pin action to correct sha
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: add version for dependabot
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-12-01 10:43:56 -05:00
dependabot[bot]
2e9eff8f74
chore(deps): bump github.com/google/go-containerregistry ( #1625 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.16.1 to 0.17.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.16.1...v0.17.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-30 12:08:31 -05:00
Weston Steimel
a4bced1602
chore: bump to syft v0.98.0 in quality gate tests ( #1623 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-30 09:22:34 -05:00
Christopher Angelo Phillips
06b9f1c907
chore: update syft; go mod tidy ( #1621 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-29 15:04:17 -05:00
dependabot[bot]
6a1aa587af
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 ( #1618 )
...
Bumps [github.com/spf13/afero](https://github.com/spf13/afero ) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/spf13/afero/releases )
- [Commits](https://github.com/spf13/afero/compare/v1.10.0...v1.11.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/afero
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 11:06:18 -05:00
William Murphy
e887501628
chore: explicitly test maven suffixes ( #1617 )
...
Some older Maven releases include a suffix like .RELEASE on the version
number. Grype's behavior with regard to these versions has been
suggested as a source of false positives. Pin the behavior with tests to
make it easier to reason about how Grype will compare maven versions and
to guard against this behavior accidentally changing.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-27 09:33:56 -05:00
dependabot[bot]
e4242b9246
chore(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 ( #1611 )
...
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action ) from 0.14.3 to 0.15.0.
- [Release notes](https://github.com/anchore/sbom-action/releases )
- [Commits](78fc58e266...fd74a6fb98
2023-11-21 13:47:08 -05:00
anchore-actions-token-generator[bot]
dbe2a9515a
chore(deps): update Syft to v0.97.1 ( #1610 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-17 21:27:07 +00:00
anchore-actions-token-generator[bot]
78f57a3c69
chore(deps): update Syft to v0.97.0 ( #1608 )
...
* chore(deps): update Syft to v0.97.0
Signed-off-by: GitHub <noreply@github.com>
* fix syft api usage
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-16 19:20:28 -05:00
Weston Steimel
2cbc64cc4f
chore: bump vulnerability match label dataset ( #1606 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-16 18:06:46 -05:00
William Murphy
273fe0ef16
fix: golang version parsing ( #1599 )
...
Add a golang version parser, which is a very thin wrapper
around a semantic vesion, but knows to trim "go" before attempting
to parse as a semantic version.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-15 17:25:32 -05:00
anchore-actions-token-generator[bot]
83e5176127
chore(deps): update bootstrap tools to latest versions ( #1595 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-09 08:08:22 -08:00
dependabot[bot]
830da2ff2c
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 ( #1597 )
...
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps ) from 0.4.11 to 0.4.12.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases )
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.11...v0.4.12 )
---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 07:52:24 -08:00
anchore-actions-token-generator[bot]
e44ec4d4bc
chore(deps): update Syft to v0.96.0 ( #1596 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: willmurphyscode <willmurphyscode@users.noreply.github.com>
2023-11-09 14:30:10 +00:00
William Murphy
1afcf1f185
fix: match against debian unstable ( #1593 )
...
This is done by special casing "sid" in the pretty name of
a Linux distro to point to the grype-db debian unstable namespace.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-08 15:17:01 -05:00
Eng Zer Jun
3c255e3c10
perf: avoid allocations with (*regexp.Regexp).MatchString ( #1592 )
...
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2023-11-08 09:32:01 -08:00
dependabot[bot]
5d8cfd56c7
chore(deps): bump sigstore/cosign-installer from 3.1.2 to 3.2.0 ( #1590 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.1.2 to 3.2.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](11086d2504...1fc5bd396d
2023-11-08 06:18:38 +00:00
anchore-actions-token-generator[bot]
1543248822
chore(deps): update Syft to v0.95.0 ( #1591 )
2023-11-07 15:42:43 -05:00
Alex Goodman
4b06a160e1
chore: account for syft package metadata changes ( #1423 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-11-07 15:17:36 -05:00
William Murphy
7984e0a84f
fix: bump fangs to enable setting golang CPE config using env var ( #1585 )
...
* fix: bump fangs
Bump fangs to pull in https://github.com/anchore/fangs/pull/27 , which
fixes an issue where env vars couldn't be used to set fields on embedded
structs in the config struct.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: bump fangs to pull in panic fix
The previous fangs fix panicked when summarizing configs with embedded
structs. Bump fangs to pull in https://github.com/anchore/fangs/pull/29
which fixes this panic.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* commit mod tidy
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Pull in dependency bumps from main to resolve conflicts
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-07 10:59:13 -05:00
anchore-actions-token-generator[bot]
92920ffde0
chore(deps): update bootstrap tools to latest versions ( #1588 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-07 06:44:58 -08:00
dependabot[bot]
2ef5d23844
chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 ( #1586 )
...
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra ) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases )
- [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0 )
---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-06 21:55:53 -05:00
Christopher Angelo Phillips
b90c881ab4
chore: bootstrap action cleanup ( #1587 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-06 21:55:37 -05:00
anchore-actions-token-generator[bot]
5ca34efef8
chore(deps): update bootstrap tools to latest versions ( #1584 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-11-06 13:16:22 -05:00
Alex Goodman
21958a43b5
Incorporate format API changes from syft ( #1582 )
...
* incorporate changes from anchore/syft#2228
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix testing utils to use syft SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-02 15:25:48 -04:00
dependabot[bot]
3712c1c5c7
chore(deps): bump github.com/docker/docker ( #1579 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 24.0.6+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v24.0.6...v24.0.7 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-31 13:48:52 -04:00
Mateusz Urbanek
0d870faea6
feat(config): added reason field ( #1532 )
...
* feat(config): added reason field
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
* add CLI test for ignore reason field
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Mateusz Urbanek <mateusz.urbanek.98@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-30 15:31:42 -04:00
dependabot[bot]
fc7713b763
chore(deps): bump github.com/glebarez/sqlite from 1.9.0 to 1.10.0 ( #1583 )
...
Bumps [github.com/glebarez/sqlite](https://github.com/glebarez/sqlite ) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/glebarez/sqlite/releases )
- [Commits](https://github.com/glebarez/sqlite/compare/v1.9.0...v1.10.0 )
---
updated-dependencies:
- dependency-name: github.com/glebarez/sqlite
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 13:39:54 -04:00
Shane Dell
81edd50e1e
Colorize severity in table output ( #1284 )
...
* Colorize severity in table output
- Create flag "--no-color" to allow disabling the color. By default its enabled.
- When "--no-color" not specified highlight severity in its color:
- Critical -> Bold Red
- High -> Red
- Medium -> Yellow
- Low -> Green
- Negligible -> Blue
- Note: Golang doesn't have all colors available. Also, doesn't seem to be able use hex codes properly.
- Add termenv to check if the terminal color profile supports colored output. If it doesn't default to noColor
Closes #225
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* fix: adopt EnvColorProfile to support NO_COLOR
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix linting and update snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-30 13:57:46 +00:00
Christopher Angelo Phillips
401d67cd96
feat: add custom maven comparator ( #1571 )
...
This PR takes the recommendation from #1526 and adapts the go-mvn-version to be used as a custom comparator for matching against packages that have the JavaPkg type. Packages of type JavaPkg will no longer use the stock matcher.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-27 14:24:56 -04:00
William Murphy
1ab051bac9
chore: fix path to quality tests ( #1578 )
...
Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-10-27 11:23:19 -04:00
Alex Goodman
a276bf120b
capture quality gate state on failures ( #1576 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-26 14:31:30 -04:00
dependabot[bot]
a2fdccdfc6
chore(deps): bump github.com/google/uuid from 1.3.1 to 1.4.0 ( #1575 )
...
Bumps [github.com/google/uuid](https://github.com/google/uuid ) from 1.3.1 to 1.4.0.
- [Release notes](https://github.com/google/uuid/releases )
- [Changelog](https://github.com/google/uuid/blob/master/CHANGELOG.md )
- [Commits](https://github.com/google/uuid/compare/v1.3.1...v1.4.0 )
---
updated-dependencies:
- dependency-name: github.com/google/uuid
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-26 13:30:37 -04:00
anchore-actions-token-generator[bot]
47f08a82f2
chore(deps): update bootstrap tools to latest versions ( #1574 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-10-26 11:13:07 -04:00
dependabot[bot]
66a47594f1
chore(deps): bump google.golang.org/grpc from 1.56.0 to 1.56.3 ( #1573 )
...
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go ) from 1.56.0 to 1.56.3.
- [Release notes](https://github.com/grpc/grpc-go/releases )
- [Commits](https://github.com/grpc/grpc-go/compare/v1.56.0...v1.56.3 )
---
updated-dependencies:
- dependency-name: google.golang.org/grpc
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-25 21:45:45 -04:00
Christopher Angelo Phillips
6b4978f633
docs: add cbl-mariner to supported distro ( #1569 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-10-24 12:11:55 -04:00
dependabot[bot]
dd823d19f6
chore(deps): bump ossf/scorecard-action from 2.3.0 to 2.3.1 ( #1570 )
...
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action ) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/ossf/scorecard-action/releases )
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md )
- [Commits](483ef80eb9...0864cf1902
2023-10-24 11:50:13 -04:00
anchore-actions-token-generator[bot]
562f228301
chore(deps): update bootstrap tools to latest versions ( #1567 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-10-23 10:48:35 -04:00
anchore-actions-token-generator[bot]
04df28051b
chore(deps): update Syft to v0.94.0 ( #1566 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-10-20 17:57:36 +00:00
Alex Goodman
156c081d3e
Incorporate Syft java detection improvements ( #1555 )
...
* incorporate anchore/syft#2220
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate .net core improvements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:34:36 -04:00
Alex Goodman
9750ef2452
add exception for go stdlib search by CPE ( #1565 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:02:38 -04:00
dependabot[bot]
4c3ff476fa
chore(deps): bump actions/checkout from 4.1.0 to 4.1.1 ( #1564 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](8ade135a41...b4ffde65f4
2023-10-18 13:50:51 -04:00
James Hebden
30f05c3759
Add --ignore-states flag for ignoring findings with specific fix states ( #1473 )
...
* Add --ignore-states flag for ignoring findings with by fix state
Signed-off-by: James Hebden <jhebden@gitlab.com>
* ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated
Signed-off-by: James Hebden <jhebden@gitlab.com>
* Add CLI tests for new --ignore-states flag
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: James Hebden <jhebden@gitlab.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-17 14:07:34 -04:00
Christopher Angelo Phillips
72390f87e9
feat: update go-sarif library to use latest release ( #1563 )
...
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-10-17 11:18:22 -04:00
Alex Goodman
7d039cde2d
bump clio to get stderr reporting fix ( #1561 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-16 11:58:02 -04:00
