* initial port to bubbletea
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove jotframe UI
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add bubbletea component tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update main.go refs to cmd package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move goreleaser build dir to cmd
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade yardstick for grype source installs and fix post-ui tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure stable severity map in UI component test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add windows support for tui
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* port to new syft source API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* add db staleness check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* less config fields
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix import order
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* warn even when set to not error on staleness
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* lint fix
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix test
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent log message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent new version message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* human friendly time durations
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix typo
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* cleaner tests and default db value
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add key flag to attest validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp: verify sig and extract sbom
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip read attestation without scheme
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp consuming attestations - needs unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove prototype file
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop local syft from go.mod
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix order of sbom parsing strategies
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle implicit attestation input
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test for invalid attestation key
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* rebase and go-mod-tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* consume attestation via stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* attestation test for stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* validate input and content for attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add stdin test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix config tags
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add int test to ignore attestation validation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix cycloneDX attestation fixture
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered att test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered predicate type test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* improve docs/help on atttestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* upgrade to latest syft
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fall through when guessing between sbom and att
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix butter finger rebase
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* drop default key value
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* assert error messages
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better test/cli coverage
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix stdin decode test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix goimports
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* tui - verified attestation and feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better naming
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add attestation section to config file
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* emit event for skipped verification
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* use public key name
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
Since grype now depends on debug/buildinfo go 1.18 is required to build
grype and as such go.mod needs updating
Signed-off-by: 06kellyjac <jack@control-plane.io>
* upgrade github workflows to go 1.18
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* upgrade syft & set go1.18 for CI workflows
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add go1.17 static analysis
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix yaml comment
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* bump syft to v0.39.0
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ByCriteria to log error on failure
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* integration tests now pass
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* bump to v0.39.3
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* raise search failures to warn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go.mod/sum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* refactor release to keep snapshot assets in parity with release assets
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor install.sh and put under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go.sum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add mac acceptance test to github actions workflow
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm use of goreleaser in cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* go mod tidy with go 1.17
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add metadata extraction from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract upstream packages before matching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put pkg.UpstreamPackages under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove pURL related processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in syft spdx decoding
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for more flexible GHSA namespace and source extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add matching parity integration tests for all supported formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to get spdx tv fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test stereoscope with fix
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove mod replacement and use latest stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* enable merging of matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ability for matches constructor to take initial matches
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to include IDs on package objects
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename common matcher helper package to search package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename search functions and add SearchByCriteria
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cleanup imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add strong distro type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* nit changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update grype/db package to use distro pointer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* source distro type from release name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump syft to pull in distro type updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump lint timeout
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port grype-db to grype
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate vulnerability provider implementation to db package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade path import validations
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting issues
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update to secure syft version
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* bump stereoscope to remove vulnerable containerd
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update syft
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update CatalogPackages to use new cataloger config struct
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add new valid CPE to matcher tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update integration tests
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Adding AlmaLinux OS Support
Signed-off-by: Bala Raman <srbala@gmail.com>
* incorporate grype-db updates for ALMA linux
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* update syft and jotframe
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update validations and release pipeline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* moved terminal package to golang.org/x/term
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update integration tests to account for package relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add license exception for xz
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update Location and Coordinate references
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove benchmark tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove mac acceptance tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syft-grype relationship notes in DEVELOPING.md
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Add injectable HTTP client to file getter
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* WIP: Map config for custom CA certs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* update curator and add tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add TLS helper scripts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove grype-db local mod edit
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* tidy go modules
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ssl.context over deprecated fn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* disallow tls 1 and 1.1
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* suppress non-archive sources for fetch-to-dir capability
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure DB load failure does not panic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
- Update grype-db dependency for the distro-feed namespace mapping
- Add test to verify the above mapping
Signed-off-by: Swathi Gangisetty <swathi@anchore.com>
* update syft version with correct arguments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump integration tests with new presenter format
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration tests to remove php-composer failure
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update grype to compile windows
Signed-off-by: spiffcs <christopher.phillips@anchore.com>
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update go mod with new stereoscope
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update build comments
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* small build tags
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add goreleaser windows
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bump syft version
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update tests
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test images to use newest pinned golang
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* split and upgrade config processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade UI organization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose logger writter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add (unused) event loop abstraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update aux commands to use Cobra RunE over Run
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* upgrade root command to use new event loop and signal handler
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test to account for config representation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update dependencies + fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* decompose application config parse func + add missing config struct tags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore unparam lint exclusion for registry config
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
This change both adds a test to identify and fixes differences between loading sboms from json and loading sboms from Syft as a library.
* adds integration test that compares SBOM input vs image input
* fix integration test cache path
* Add handler for ApkMetadataType in partialSyftPackage.UnmarshalJSON
* Fix Epoch missing from Package.New RpmdbMetadataType handler and update RpmDbMetadata test in TestNew_MetadataExtraction
* bump syft to version 0.24.0
* update license check for packageurl-go
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Vijay Pillai <vijay.pillai@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Vijay Pillai <vijay.pillai@anchore.com>
* bump syft to the newest 0.23.0 version - tidy mod
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update integration test to use new pointer
syft source.New() was changed to return a pointer
rather than value for 0.23.0 this commit updates our
integration tests to reflect that change
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Update go-version package and add test
This is being updated due to an issue that was encountered in the lessThanEqual constraint in go-version: https://github.com/anchore/go-version/pull/2. Was disovered while adding tests for apk origin package matching
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
* Added matching with source package for apk
This change allows grype to match with a packages source package for apk. Adds APKMetadata with OriginPackage, new matching logic in apk matchers, and tests
Signed-off-by: Zane Burstein <zane.burstein@anchore.com>
* use squashed grype-db branch
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add more tests around the msrc matcher
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* incorporate the grype-db updates for msrc
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Allow registry auth config without authority value
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Update CLI tests for new stereoscope log output
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
