* Remove webinar announcement
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Document only-fixed feature
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Expand docs for Grype database
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* List out allowed values for fix-state
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* add binary for arm64 to release process
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update from darwin -> linux
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* disable etui when piping input
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore jotframe version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove test code
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* raise error from IsPipedInput
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* factor out verbosity check to function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Silence usage and errors on root command
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* show help when no args are given
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cli test for help behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Add --only-fixed option to root command. Grype will now exit with status code 0 when passing this option if vulnerabilities are detected but have no upstream resolution.
* update config with new option
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add flag into root cmd
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Retrieve target from directory sbom types in addition to image types
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
* add dir sbom ingest test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* Make installation methods more obvious
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add badge for joining Slack
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Document requirement for signed commits
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* split and upgrade config processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade UI organization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose logger writer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) event loop abstraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update aux commands to use Cobra RunE over Run
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade root command to use new event loop and signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test to account for config representation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update dependencies + fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* decompose application config parse func + add missing config struct tags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore unparam lint exclusion for registry config
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Move changes from kb_constraint_test.go to helper_test.go for uniform testing methodology across all constraint tests.
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* refactor to go convention
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Support gomod configuration in goreleaser
Signed-off-by: Conor Nosal <cnosal@vmware.com>
* switch to goreleaser build for snapshots + bump version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* modify goreleaser buildx option due to deprecation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add snapshot flag to builds
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* Updates approach for epoch handling in rpm comparisons to ignore epochs
if not explicitly available from both sides of comparison. Fixes #437
This approach adds -1 as epoch value in the struct to identify
"not-specified" rather than defaulting to 0, per rpm spec, so that the
comparison logic can identify when it is provided vs missing.
During the comparison if both sides do not have an explicitly set epoch
it will skip the epoch check as unreliable and compare the remaining
components. This is done to handle messy data in RedHat vuln feeds where
often the sourceRpm versions do not include epochs when they should, and
defaulting to zero or using the epoch of the binary version is also
incorrect.
Signed-off-by: Zach Hill <zach@anchore.com>
* Uses switch instead of if-else-chain per linter suggestion
Signed-off-by: Zach Hill <zach@anchore.com>
* Fix import order/format for linter
Signed-off-by: Zach Hill <zach@anchore.com>
* Comment out strictCompare for linter
Signed-off-by: Zach Hill <zach@anchore.com>
* Minor cleanup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Remove commented out function
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Refactor RPM version comparison to make missing epoch explicit
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* More cleanup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* change epoch to pointer type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add rpmdb matcher tests for explicit epoch being passed
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* explicitly pass the epoch on package versions in the rpmdb matcher
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Dan Luhring <dan.luhring@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
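The epoch rule this commit describes, as an added example rather than Grype's own code: the epoch is a pointer so that nil means "not specified", the epoch check is skipped unless both sides carry one, and version, then release, decide otherwise. The segment comparison is an assumed, simplified rpmvercmp (tilde and caret handling omitted).

```go
package main

import (
	"regexp"
	"strings"
)

// RpmVersion follows the commit: a nil Epoch means "not specified", distinct from 0.
type RpmVersion struct {
	Epoch            *int
	Version, Release string
}
var segRe = regexp.MustCompile(`[0-9]+|[A-Za-z]+`) // digit/letter runs as in rpmvercmp (no ~ or ^)
func cmpInt(a, b int) int { // three-way compare
	if a == b {
		return 0
	} else if a < b {
		return -1
	}
	return 1
}
// compareSegments: numeric segments compare by value and beat alpha ones, alpha segments compare lexically, more segments is newer.
func compareSegments(a, b string) int {
	as, bs := segRe.FindAllString(a, -1), segRe.FindAllString(b, -1)
	for i := 0; i < len(as) && i < len(bs); i++ {
		xNum, yNum := as[i][0] <= '9', bs[i][0] <= '9'
		if xNum != yNum { // ASCII sorts digits before letters; negate so numeric is newer
			return -strings.Compare(as[i], bs[i])
		}
		if xNum { // zero-pad both to a common width so a lexical compare is numeric
			w := len(as[i]) + len(bs[i])
			as[i] = strings.Repeat("0", w-len(as[i])) + as[i]
			bs[i] = strings.Repeat("0", w-len(bs[i])) + bs[i]
		}
		if c := strings.Compare(as[i], bs[i]); c != 0 {
			return c
		}
	}
	return cmpInt(len(as), len(bs))
}
// Compare applies the commit's rule: epochs count only when both sides set one explicitly; otherwise version, then release, decide.
func Compare(a, b RpmVersion) int {
	if a.Epoch != nil && b.Epoch != nil && *a.Epoch != *b.Epoch {
		return cmpInt(*a.Epoch, *b.Epoch)
	}
	if c := compareSegments(a.Version, b.Version); c != 0 {
		return c
	}
	return compareSegments(a.Release, b.Release)
}
```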
* Preliminary implementation of ignore rules
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Support ignoring matches by package type
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add tests for ignore functionality
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add documentation for ignore rules and clean up README
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add test for glob location matching
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add announcement for KubeCon meetup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Remove warning about zsh completion
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
This change updates the KB constraint to not satisfy if the raw constraint is empty.
Additional related changes:
* Implemented new NonFatalConstraintError and change kbConstraint.Satisfied to return an error if the version constraint is empty string.
* Re-implement TestVersionKbConstraint, as the test helper module helper_test.go does not satisfy testing needs.
* Add test to TestVersionKbConstraint for version "base" and constraint "base" to ensure unpatched microsoft images are matched.
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* update command to take in SYFT_VERSION
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add dynamic input to build command for ci
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Grype DB Builder was changed to use single quotes instead of double quotes for version constraints. This change broke constraint matching for vulndb records. This change fixes that by adding support for single quotes to the parseUnit function in grype/version/constraint_unit.go.
* Update constraint unit parser to remove single quotes as well as double quotes from a constraint unit. This will allow vulndb constraints to match again.
* Add unit test for quoted fuzzy constraints.
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than a value for 0.23.0. This commit updates our
integration tests to reflect that change.
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Update go-version package and add test
This is being updated due to an issue that was encountered in the lessThanEqual constraint in go-version: https://github.com/anchore/go-version/pull/2. Was discovered while adding tests for apk origin package matching.
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
* Added matching with source package for apk
This change allows grype to match with a package's source package for apk. Adds APKMetadata with OriginPackage, new matching logic in apk matchers, and tests.
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
Previous install of goreleaser v0.160.0 was being done with a curl command to https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh, but there have been changes to that script that broke bootstrap. Copied the shell script to the repo and changed the checksum file name to goreleaser_checksums.txt.
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
* include source RPM release in version used for matching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* include package name and version searched by in search details
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update test to be table for future regression
Refactor test to assert on public contract of Match
Add base case as first table
TODO:
- Ask about business case of Public vs private method
- Add back second case regarding ignore source
- Add cases testing new regexp against variant package types
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* add question for tests - base case passing
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* update test to cover removed cases
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* update with capture group names
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* add failing test case for #376
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* add version parse for indirect match
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* remove debug and comments
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* update regex based on PR feedback
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* update matcher to use named capture groups
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* add regression comment to test
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* update to add back old case
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* remove warning since we no longer will get multi
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* remove wantErr
Signed-off-by: Christopher Phillips <cphillips918@gmail.com>
* bump untar file size threshold
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust variable names and comments around copyWithLimits for tar processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>