grype

mirror of https://github.com/anchore/grype synced 2024-11-10 14:44:12 +00:00

Author	SHA1	Message	Date
cpendery	e2fff6c22f	feat: implement `grype db diff` command (#812 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>	2022-07-11 09:46:59 -04:00
Weston Steimel	17a440033a	fix typo in log message (#819 )	2022-07-06 15:56:44 +00:00
Christopher Angelo Phillips	0e0a9d9e7a	update syft to v0.50.0 (#818 )	2022-07-06 14:48:21 +00:00
Weston Steimel	44032c514c	Finalize v4 Grype schema (#803 ) * initial v4 schema setup Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update v3 => v4 for unit tests -- did NOT update - grype/db/v3/* Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * use nullable string in sqlite so null values get represented correctly Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add missing unit test case for dotnet Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * Add db writer function for calling sqlite vacuum Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * adding normalization of package names at database adapter layer Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * refactor namespaces for v4 Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update v4 stuff to use sqlite fork Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * Namespace should satisfy Stringer interface Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * normalize CPEs before comparison Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * vulnerability exclusion => vulnerability match exclusion Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * updates to vulnerability match exclusion models Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add initial vulnerability match exclusion store unit tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * make vuln match exclusion constraints nullable Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * move vuln match namespace into constraints object and refactor Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * check db match constraints to ensure there aren't any unknown fields and add json hints Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * ensure we only keep compatible match exclusion constraints Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * use omitempty on all match exclusion structs Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove db v4 schema resolver and namespace types Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename Vacuum to Close Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * lint fixes + remove panic on vuln provider creation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * WIP match exclusions Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * build list of ignore rules from v4 db records Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * quick attempt at a new uber object Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * just pass around the full object for now to quickly get to a usable state Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix panic when no vuln db loaded Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * use interfaces for db.store function signatures Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Flatten the match exclusion constraint model to simplify logic Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * updating some tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix panic when no db update possible Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * more tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * WIP fixing match exclusion constraint usability and json mapping logic Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add v4 db diff logic (excluding vulnerability_match_exclusion data for now) Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * lint fix Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update integration tests Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * nvd -> nvd:cpe namespace updates Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * ensure test store uses v4 normalized names Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * set the grype db update url to staging for v4 Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * prevent more segfaults on database open Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add continue when unable to load ignore rules Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove db.Status from the Store object Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix compare_sbom_input_vs_lib_test.go Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * remove staging endpoint now that v4 is published Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-07-05 19:03:16 +01:00
cpendery	75a7e54f52	docs: update to include rust (#814 )	2022-06-29 15:45:21 -04:00
cpendery	90df6815e6	feat: add diffing 2 databases to v3 store functionality (#789 )	2022-06-28 14:22:37 -04:00
cpendery	8ab0159f9f	fix: add support for partybus ui on `grype db update` cmd (#806 )	2022-06-28 14:21:33 -04:00
Adin Ermie	b3a078aa02	Added Docker example to Readme (#769 )	2022-06-27 16:59:51 -04:00
cpendery	e17bb9bd73	fix: add vex json & xml to listed formats (#802 )	2022-06-27 11:26:59 -04:00
cpendery	64277bf6f4	docs: update php listing to be more clear that the `.json` file isn't indexed (#808 )	2022-06-27 10:26:49 -04:00
Christopher Angelo Phillips	82c0146b0a	update syft => v0.49.0 (#804 )	2022-06-24 18:30:36 +00:00
Christopher Angelo Phillips	bbe933204a	remove oss meetup message (#799 )	2022-06-23 18:03:38 +00:00
cpendery	bb2f8dcdb4	fix: add fixed versions to cyclonedxjson output (#763 )	2022-06-21 17:50:05 -04:00
cpendery	335f744b9b	docs: update to include php (#793 )	2022-06-17 19:14:47 +00:00
Christopher Angelo Phillips	0703bae977	update grype to latest syft patch v0.48.1 (#790 )	2022-06-17 15:45:33 +00:00
cpendery	11cf09222b	fix: add golang to documentation (#788 )	2022-06-16 15:59:32 -04:00
Alan (Maciej) Paruszewski	b47e1935e1	fix: accept templates with custom functions (#786 )	2022-06-16 16:25:54 +00:00
Jonas Xavier	d6fa674edc	add db staleness check (#785 ) * add db staleness check Signed-off-by: Jonas Xavier <jonasx@anchore.com> * less config fields Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix import order Signed-off-by: Jonas Xavier <jonasx@anchore.com> * warn even when set to not error on staleness Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nits Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * lint fix Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent log message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * consistent new version message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * human friendly time durations Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix typo Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * cleaner tests and default db value Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-15 12:48:10 -04:00
cpendery	cc0f134484	feat: add compose workflow for local dev (#783 )	2022-06-14 13:02:48 -04:00
Jonas Xavier	2a587d0890	ignore gemfile rich version for semVer comparison (#776 ) * ignore gemfile rich version during comparision Signed-off-by: Jonas Xavier <jonasx@anchore.com> * update search and version tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix int tests and lint error Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nit on error message Signed-off-by: Jonas Xavier <jonasx@anchore.com> * split based on arch in gem version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * reuse semVer constraint Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more constraint tests cases Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more comments and tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add lower case version check Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * validate that ruby version work with semver and gem version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * more comments and tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * rename gem version format const Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-10 14:09:58 -04:00
Weston Steimel	736117e0d9	Support namespace and language as additional criteria for ignoring vulnerability matches (#780 ) * support filtering matches based on Namespace Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * support filtering matches based on package language Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * add tests for filtering matches on Namespace and Language Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * update README for new ignore rule criteria Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * fix linting errors Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-06-10 18:15:58 +01:00
Christopher Angelo Phillips	69de9e7a0a	update syft version to v0.47.0 (#781 )	2022-06-09 16:03:14 -04:00
Weston Steimel	81af51302d	use anchore fork of glebarez/sqlite (#778 ) This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by just using modernc.org/sqlite directly within our fork Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-06-08 09:41:15 -04:00
Abhijeet Kasurde	8163c9f988	template: Check sanity for template file (#674 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-07 10:21:30 -04:00
briankoe741	30f0aa7051	Add announcement for Anchore OSS Meetup (#775 )	2022-06-06 16:51:34 -04:00
dependabot[bot]	07dfb28718	Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-06-02 09:18:53 -04:00
Christopher Angelo Phillips	43b870d5fe	publish release to reduce user friction (#766 )	2022-05-26 20:44:22 +00:00
anchore-actions-token-generator[bot]	10c3604498	Update Syft to v0.46.3 (#761 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>	2022-05-26 10:14:28 -07:00
Sean Killeen	55b63a9fb8	Add reference to logrus logging levels (#758 )	2022-05-25 15:06:17 -04:00
Herby Gillot	e6fc3e67d8	README: add MacPorts install info (#759 ) Signed-off-by: Herby Gillot <herby.gillot@gmail.com>	2022-05-25 11:06:42 -07:00
Alex Goodman	06d28dad9f	bump to syft v0.46.2 (#755 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-23 13:47:21 +00:00
Jonas Xavier	c842fb9af5	bump stereoscope version to include source path fix (#752 )	2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]	5a5642cc0d	Update Syft to v0.46.1 (#751 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2022-05-18 14:10:39 -07:00
Christian Kotzbauer	731abaab72	Add syft v0.46.0 Dotnet support (#747 )	2022-05-13 12:46:31 -04:00
dependabot[bot]	d6196b6525	Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742 ) Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11. - [Release notes](https://github.com/hashicorp/go-getter/releases) - [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml) - [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-getter dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-05-04 16:33:28 +01:00
Dan Luhring	0df35f8d2c	address excessive warnings from multiple sources (#741 )	2022-05-03 14:05:50 +00:00
SALES	7fc4ca7646	Add reference to Grype-based GitHub Action (#710 ) Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-05-01 20:03:19 +00:00
Christopher Angelo Phillips	36f5150fa9	bump syft version (#738 )	2022-04-29 13:39:08 -04:00
Sambhav Kothari	9f70cdbf24	add initial support for embedded CycloneDX VEX documents (#678 )	2022-04-28 12:49:12 -04:00
Jonas Xavier	523f5ce9c0	Consume attestation files (#706 ) * add key flag to attest validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp: verify sig and extract sbom Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip read attestation without scheme Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp consuming attestations - needs unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove prototype file Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * drop local syft from go.mod Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix order of sbom parsing strategies Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle implicit attestation input Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add test for invalid attestation key Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * rebase and go-mod-tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * consume attestation via stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * attestation test for stdin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate input and content for attestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add stdin test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix config tags Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add int test to ignore attestation validation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix cycloneDX attestation fixture Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered att test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add tampered predicate type test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * improve docs/help on atttestation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * upgrade to latest syft Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fall through when guessing between sbom and att Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix butter finger rebase Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * drop default key value Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * assert error messages Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better test/cli coverage Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix stdin decode test Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix goimports Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * tui - verified attestation and feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * better naming Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * add attestation section to config file Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * emit event for skipped verification Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * use public key name Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>	2022-04-21 11:52:42 -07:00
Alex Goodman	9cc1c72169	Preserve package IDs on Syft JSON SBOM decode (#731 )	2022-04-18 18:22:58 +00:00
Alex Goodman	359353c10e	Add matches helper (#730 )	2022-04-18 09:38:28 -04:00
Keith Zantow	4ed0704dcf	Auto-PR needs to run go mod tidy (#727 )	2022-04-13 16:30:53 -04:00
Christopher Angelo Phillips	fa524a491e	reduce log level for warning so not in default output for upstream matcher (#725 )	2022-04-13 17:18:02 +00:00
Keith Zantow	b1e7189a4a	Add workflow for automatic PR for new Syft releases (#722 )	2022-04-13 13:08:04 -04:00
Christopher Angelo Phillips	95f68b4c33	Add java.Matcher configuration to includes maven upstream sha1 query (#714 )	2022-04-13 13:01:22 -04:00
Tom Sparrow	e77a6c8d63	Include package type in table output (#694 ) * Include package type column in table output This helps avoid confusion between packages of the same name but different types. I've hit this on a number of occasions, some examples below: - `tar` could be either a node package or a linux apk/rpm/deb - `msgpack` is a node package but also a python package - `jsonpointer` is also a node and/or python package In each case when I saw the vuln reported I unluckily picked the "wrong" one and it took some digging to realise the issue or even that there was another type of package with the same name at all. The "type" is a succinct representation of _where_ Grype found this package which should make things a lot clearer. Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com> * Fix flag names Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com> * Move type column to be consistent with syft ...which does `name, version, type, ...` Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>	2022-04-08 21:00:02 -04:00
Alex Goodman	c36e9df887	Use CGO-less sqlite GORM driver (#705 )	2022-04-04 18:40:29 +00:00
Jonas Xavier	182c86d11d	Migrate LocationSet and add Dart support (#703 )	2022-04-01 08:21:37 -07:00
Christopher Angelo Phillips	e00a25220e	Add byMatchName custom function for custom template users	2022-03-30 16:27:04 +00:00

1 2 3 4 5 ...

661 commits