dependabot[bot]
e8fa509e72
chore(deps): bump anchore/sbom-action from 0.13.3 to 0.13.4 ( #1189 )
2023-03-21 09:50:56 -04:00
anchore-actions-token-generator[bot]
353bc87bb2
chore: Update grype bootstrap tools to latest versions. ( #1187 )
2023-03-21 09:36:06 -04:00
Weston Steimel
b996cbe29b
fix: by-cpe pivot by vuln metadata rather than vulnerability record ( #1188 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-20 14:39:46 +00:00
anchore-actions-token-generator[bot]
0bc0aa76a1
Update grype bootstrap tools to latest versions. ( #1173 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-03-15 17:20:06 -04:00
dependabot[bot]
96cbcad484
chore(deps): bump actions/setup-go from 3.5.0 to 4.0.0 ( #1182 )
...
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3.5.0 to 4.0.0.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](6edd4406fa...4d34df0c23
2023-03-15 17:19:41 -04:00
dependabot[bot]
0cc8b9e4f6
chore(deps): bump github/codeql-action from 2.2.5 to 2.2.7 ( #1183 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.5 to 2.2.7.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](32dc499307...168b99b3c2
2023-03-15 17:19:12 -04:00
Weston Steimel
52f724f785
feat: disable CPE-based matching by default for javascript ( #1180 )
...
* feat: disable CPE-based matching by default for javascript
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: bump vuln match label dataset
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-14 16:34:41 +00:00
anchore-actions-token-generator[bot]
6da09d4fda
Update Syft to v0.75.0 ( #1177 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-03-14 08:47:20 +00:00
Weston Steimel
c3fc8cba63
chore: bump vuln match quality dataset ( #1174 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-13 19:36:26 +00:00
dependabot[bot]
3a4d01b59c
chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.1 to 1.4.2 ( #1166 )
...
Bumps [github.com/gabriel-vasile/mimetype](https://github.com/gabriel-vasile/mimetype ) from 1.4.1 to 1.4.2.
- [Release notes](https://github.com/gabriel-vasile/mimetype/releases )
- [Commits](https://github.com/gabriel-vasile/mimetype/compare/v1.4.1...v1.4.2 )
---
updated-dependencies:
- dependency-name: github.com/gabriel-vasile/mimetype
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-09 15:06:26 +00:00
anchore-actions-token-generator[bot]
29b6465689
Update grype bootstrap tools to latest versions. ( #1163 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-03-09 09:41:19 -05:00
anchore-actions-token-generator[bot]
2bc4c35142
Update Syft to v0.74.1 ( #1168 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-03-09 14:37:02 +00:00
Weston Steimel
6a46070cb1
fix: correct APK CPE version comparison logic ( #1165 )
...
Previously, the -r{buildindex} suffix of APK package versions were
treated as pre-release versions per the fuzzy matcher logic; however,
these should be treated as equivalent to the release version for the
purposes of collecting CPE-based matches for APK packages.
We may want to make a similar change in syft to generate cleaner CPE
versions for APK packages, but making the change in grype corrects
behaviour for previously-generated SBOMs as well.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-08 14:36:56 +00:00
Christopher Angelo Phillips
5754360376
Grype Release Pipeline Update ( #1147 )
...
- Remove old apple signing flow in favor of [quill](https://github.com/anchore/quill )
- Update changelog generation to be in sync with syft's flow
- Remove old goreleaser docker workflow in favor of single file
- Remove individual bootstrap options in favor of single bootstrap action
- Update release and validation workflows to use trigger based approach seen in syft
- Update golangci.yaml to be equivalent to syft patterns
- Remove unused Dockerfile.dev
- Remove docker-compose development cycle
- Add organized test-fixture Makefile targets
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-03-03 21:17:44 +00:00
Maxim Zhiburt
b88e961159
Add the total types of vulnerabilities in Grype output ( #946 )
...
* Add the total types of vulnerabilities in Grype output
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Albert Simon <simon.albert75@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-03-03 20:38:29 +00:00
dependabot[bot]
8076863582
chore(deps): bump gorm.io/gorm from 1.23.5 to 1.23.10 ( #1157 )
...
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm ) from 1.23.5 to 1.23.10.
- [Release notes](https://github.com/go-gorm/gorm/releases )
- [Commits](https://github.com/go-gorm/gorm/compare/v1.23.5...v1.23.10 )
---
updated-dependencies:
- dependency-name: gorm.io/gorm
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-03 12:26:49 -05:00
Weston Steimel
adad97628e
chore: bump quality gate labels and syft version ( #1156 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-02 20:06:38 +00:00
anchore-actions-token-generator[bot]
04a55885ee
chore: Update Syft to v0.74.0 ( #1151 )
2023-03-02 12:22:46 -05:00
Morten Linderud
bb92f44003
fix(distro): Disable support for Arch Linux ( #1152 )
...
Signed-off-by: Morten Linderud <morten@linderud.pw>
2023-03-02 10:27:07 -05:00
Keith Zantow
bdcefd2554
chore: update progress monitor handling ( #1149 )
2023-03-01 16:47:01 -05:00
anchore-actions-token-generator[bot]
d1352ce843
Update Syft to v0.73.0 ( #1140 )
...
* Update Syft to v0.73.0
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-02-27 21:12:37 +00:00
dependabot[bot]
7ec450d413
chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 ( #1144 )
...
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify ) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/stretchr/testify/releases )
- [Commits](https://github.com/stretchr/testify/compare/v1.8.1...v1.8.2 )
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-27 12:25:04 -05:00
dependabot[bot]
3e04d32706
chore(deps): bump github/codeql-action from 2.2.4 to 2.2.5 ( #1145 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.4 to 2.2.5.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](17573ee1cc...32dc499307
2023-02-27 12:24:47 -05:00
anchore-actions-token-generator[bot]
0b548ed138
Update grype bootstrap tools to latest versions. ( #1137 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-02-24 15:10:53 -05:00
dependabot[bot]
c65ef466a9
chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4 ( #1141 )
...
Bumps [github.com/spf13/afero](https://github.com/spf13/afero ) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/spf13/afero/releases )
- [Commits](https://github.com/spf13/afero/compare/v1.9.3...v1.9.4 )
---
updated-dependencies:
- dependency-name: github.com/spf13/afero
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-24 15:10:36 -05:00
dependabot[bot]
4d36e3706e
chore(deps): bump actions/cache from 3.2.5 to 3.2.6 ( #1143 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.2.5 to 3.2.6.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](6998d139dd...69d9d449ac
2023-02-24 15:10:19 -05:00
dependabot[bot]
0051d0e6d0
chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 ( #1134 )
...
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter ) from 1.6.2 to 1.7.0.
- [Release notes](https://github.com/hashicorp/go-getter/releases )
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml )
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0 )
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
dependency-type: direct:production
update-type: version-update:semver-minor
...
Resolves reporting of CVE-2023-0475
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-20 09:59:19 +00:00
anchore-actions-token-generator[bot]
50a5c33247
Update Syft to v0.72.0 ( #1136 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-02-16 11:57:45 -05:00
Weston Steimel
18cce64f4a
chore: bump quality gate ( #1133 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-14 16:54:36 +00:00
Weston Steimel
dadf8edadc
fix: ignore some false-positives for ruby gems ( #1132 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-14 15:37:46 +00:00
dependabot[bot]
39b9138327
chore(deps): bump github/codeql-action from 2.2.3 to 2.2.4 ( #1131 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.3 to 2.2.4.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](8775e86802...17573ee1cc
2023-02-14 10:16:58 -05:00
Weston Steimel
17e11ac04d
fix: exclude OS packages from CPE target filtering ( #1130 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-13 10:44:44 -05:00
dependabot[bot]
0ccd5930c4
chore(deps): bump actions/cache from 3.2.4 to 3.2.5 ( #1129 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.2.4 to 3.2.5.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](627f0f41f6...6998d139dd
2023-02-10 13:20:12 -05:00
dependabot[bot]
47ab7f55d3
chore(deps): bump github.com/docker/docker ( #1128 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 23.0.0+incompatible to 23.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v23.0.0...v23.0.1 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-10 11:24:40 -05:00
anchore-actions-token-generator[bot]
29eeb69bc9
Update Syft to v0.71.0 ( #1126 )
2023-02-10 10:14:01 -05:00
dependabot[bot]
89b996b41b
chore(deps): bump github/codeql-action from 2.2.1 to 2.2.3 ( #1125 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 2.2.1 to 2.2.3.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](3ebbd71c74...8775e86802
2023-02-09 11:28:48 -05:00
anchore-actions-token-generator[bot]
d8df8ac64c
Update grype bootstrap tools to latest versions. ( #1124 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-02-09 11:28:21 -05:00
dependabot[bot]
562a8d1776
chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 ( #1123 )
...
Bumps [golang.org/x/term](https://github.com/golang/term ) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/term/releases )
- [Commits](https://github.com/golang/term/compare/v0.4.0...v0.5.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/term
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-08 11:56:58 -05:00
anchore-actions-token-generator[bot]
9870018db3
Update grype bootstrap tools to latest versions. ( #1122 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-02-08 11:55:13 -05:00
anchore-actions-token-generator[bot]
b355849b2b
Update grype bootstrap tools to latest versions. ( #1116 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
2023-02-06 09:24:36 -05:00
anchore-actions-token-generator[bot]
f7f1ae8344
Update Syft to v0.70.0 ( #1117 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-02-06 09:24:15 -05:00
dependabot[bot]
94b2ba8eef
chore(deps): bump github.com/docker/docker ( #1114 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 20.10.23+incompatible to 23.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v20.10.23...v23.0.0 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-02 12:18:57 -05:00
anchore-actions-token-generator[bot]
b6fcf20ca9
Update grype bootstrap tools to latest versions. ( #1112 )
2023-02-02 08:46:56 -05:00
anchore-actions-token-generator[bot]
1cd4ef1108
Update Syft to v0.69.1 ( #1111 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-02-01 08:28:50 +00:00
Christopher Angelo Phillips
788ed965ec
chore: prune cosign dependency for grype builds ( #1100 )
...
* feat: segment cosign dependency for grype builds for faster build times
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-01-31 11:42:40 -05:00
anchore-actions-token-generator[bot]
530762f2d2
Update grype bootstrap tools to latest versions. ( #1108 )
2023-01-31 09:27:05 -05:00
anchore-actions-token-generator[bot]
46a1955484
Update Syft to v0.69.0 ( #1109 )
2023-01-31 09:26:26 -05:00
dependabot[bot]
8545f2e686
chore(deps): bump actions/cache from 3.2.3 to 3.2.4 ( #1107 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 3.2.3 to 3.2.4.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](58c146cc91...627f0f41f6
2023-01-30 11:36:45 -05:00
Weston Steimel
e1d24077a8
chore: add new images to quality gate ( #1106 )
...
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-01-30 10:10:40 -05:00
Weston Steimel
899f8e3697
chore: bump yardstick for better quality gate filtering ( #1101 )
...
* chore: bump yardstick to 5bac4ade31ae337eae28cb8070740fe746776d0c
Better date-based filtering for oracle and amazon advisories
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: bump vulnerability-match-labels
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-01-27 16:22:34 -05:00
