Commit graph

194 commits

Author SHA1 Message Date
anchore-actions-token-generator[bot]
0a2a7b7cbb
Update Syft to v0.62.3 (#1026)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-12-07 18:30:38 -05:00
anchore-actions-token-generator[bot]
6bdb3b50c4
Update Syft to v0.62.2 (#1018)
Signed-off-by: GitHub <noreply@github.com>
2022-11-29 08:40:34 +00:00
anchore-actions-token-generator[bot]
826726d553
Update Syft to v0.62.1 (#1006) 2022-11-21 11:11:25 -05:00
Christopher Angelo Phillips
a4a62aab4b
chore: bump syft version v0.62.0 (#1000) 2022-11-18 15:03:15 -05:00
Christopher Angelo Phillips
c8ddd7e218
chore: update syft to v0.60.3 (#978) 2022-11-03 16:19:03 +00:00
Weston Steimel
4cda526992
implement v5 db schema to support improved matching between rpm appstream modules (#944)
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2022-10-18 00:34:47 +01:00
anchore-actions-token-generator[bot]
b62ad702b9
Update Syft to v0.59.0 (#957) 2022-10-17 16:07:39 -04:00
anchore-actions-token-generator[bot]
7ad60ce410
Update Syft to v0.58.0 (#941)
* Update Syft to v0.58.0

Signed-off-by: GitHub <noreply@github.com>

* fix conan metadata related unit test failures

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
2022-10-05 11:26:16 +01:00
anchore-actions-token-generator[bot]
f094b860b9
Update Syft to v0.57.0 (#930)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-09-20 09:35:37 +01:00
dependabot[bot]
e63910b2c5
Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 (#927)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-09-19 11:46:11 -04:00
anchore-actions-token-generator[bot]
403a535321
Update Syft to v0.56.0 (#919)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-09-13 11:18:13 -04:00
Keith Zantow
ba73ab362a
Add support for scanning RPM files (#917) 2022-09-09 14:56:37 -04:00
anchore-actions-token-generator[bot]
77a8eb866d
Update Syft to v0.55.0 (#906)
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-08-30 09:18:17 -04:00
anchore-actions-token-generator[bot]
08b4ef493b
Update Syft to v0.54.0 (#881)
Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2022-08-17 19:36:54 +00:00
anchore-actions-token-generator[bot]
262630e01e
Update Syft to v0.53.4 (#856) 2022-08-04 09:37:48 -04:00
Christopher Angelo Phillips
74fd591caf
update golanci-lint, goreleaser, cosign (#850) 2022-07-28 14:55:14 -04:00
Christopher Angelo Phillips
991d16879a
update grype to use syft v0.52.0 (#838) 2022-07-22 16:12:18 +00:00
Zac Medico
30943e032b
add Gentoo matching support (#813)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-07-19 09:37:21 -04:00
Christopher Angelo Phillips
cb6bddfeeb
bump syft version to v0.51.0 (#822) 2022-07-11 15:15:12 -04:00
Christopher Angelo Phillips
0e0a9d9e7a
update syft to v0.50.0 (#818) 2022-07-06 14:48:21 +00:00
Christopher Angelo Phillips
82c0146b0a
update syft => v0.49.0 (#804) 2022-06-24 18:30:36 +00:00
cpendery
bb2f8dcdb4
fix: add fixed versions to cyclonedxjson output (#763) 2022-06-21 17:50:05 -04:00
Christopher Angelo Phillips
0703bae977
update grype to latest syft patch v0.48.1 (#790) 2022-06-17 15:45:33 +00:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
Christopher Angelo Phillips
69de9e7a0a
update syft version to v0.47.0 (#781) 2022-06-09 16:03:14 -04:00
Weston Steimel
81af51302d
use anchore fork of glebarez/sqlite (#778)
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-08 09:41:15 -04:00
dependabot[bot]
07dfb28718
Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-02 09:18:53 -04:00
anchore-actions-token-generator[bot]
10c3604498
Update Syft to v0.46.3 (#761)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>
2022-05-26 10:14:28 -07:00
Alex Goodman
06d28dad9f
bump to syft v0.46.2 (#755)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-05-23 13:47:21 +00:00
Jonas Xavier
c842fb9af5
bump stereoscope version to include source path fix (#752) 2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]
5a5642cc0d
Update Syft to v0.46.1 (#751)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-05-18 14:10:39 -07:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
dependabot[bot]
d6196b6525
Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-04 16:33:28 +01:00
Dan Luhring
0df35f8d2c
address excessive warnings from multiple sources (#741) 2022-05-03 14:05:50 +00:00
Christopher Angelo Phillips
36f5150fa9
bump syft version (#738) 2022-04-29 13:39:08 -04:00
Sambhav Kothari
9f70cdbf24
add initial support for embedded CycloneDX VEX documents (#678) 2022-04-28 12:49:12 -04:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on atttestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Alex Goodman
9cc1c72169
Preserve package IDs on Syft JSON SBOM decode (#731) 2022-04-18 18:22:58 +00:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to includes maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
Alex Goodman
c36e9df887
Use CGO-less sqlite GORM driver (#705) 2022-04-04 18:40:29 +00:00
Jonas Xavier
182c86d11d
Migrate LocationSet and add Dart support (#703) 2022-04-01 08:21:37 -07:00
Keith Zantow
44e676488e
Update syft to v0.42.4 (#697) 2022-03-24 14:11:17 -04:00
Keith Zantow
d8e1c37cd1
Update syft to v0.42.3 (#690) 2022-03-23 17:57:06 -04:00
Alex Goodman
9fc6fb8a32
Bump strset version to fix 386 builds (#689) 2022-03-23 18:27:11 +00:00
j-k
d40fb77c1a
Correct go.mod to enforce go 1.18 (#685)
Since grype now depends on debug/buildinfo go 1.18 is required to build
grype and as such go.mod needs updating

Signed-off-by: 06kellyjac <jack@control-plane.io>
2022-03-22 09:33:35 -04:00
Keith Zantow
f004f7dee3
Update Syft to 0.42.1 (#683) 2022-03-21 20:11:40 +00:00
Jonas Xavier
dae6411c5c
upgrade github workflows to go 1.18 (#649)
* upgrade github workflows to go 1.18

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* upgrade syft & set go1.18 for CI workflows

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add go1.17 static analysis

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix yaml comment

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
2022-03-17 14:58:20 -07:00
Keith Zantow
60c2968953
Update Syft to v0.41.6 (#670) 2022-03-16 12:48:42 -04:00
Keith Zantow
cbdec2ae5e
Update to Syft v0.41.4 (#664) 2022-03-14 17:15:09 -04:00
Keith Zantow
bc8f8414ca
Add SARIF presenter option (#654) 2022-03-14 12:13:37 -04:00