Commit graph

756 commits

Author SHA1 Message Date
cpendery
90df6815e6
feat: add diffing 2 databases to v3 store functionality (#789) 2022-06-28 14:22:37 -04:00
cpendery
8ab0159f9f
fix: add support for partybus ui on grype db update cmd (#806) 2022-06-28 14:21:33 -04:00
Adin Ermie
b3a078aa02
Added Docker example to Readme (#769) 2022-06-27 16:59:51 -04:00
cpendery
e17bb9bd73
fix: add vex json & xml to listed formats (#802) 2022-06-27 11:26:59 -04:00
cpendery
64277bf6f4
docs: update php listing to be more clear that the .json file isn't indexed (#808) 2022-06-27 10:26:49 -04:00
Christopher Angelo Phillips
82c0146b0a
update syft => v0.49.0 (#804) 2022-06-24 18:30:36 +00:00
Christopher Angelo Phillips
bbe933204a
remove oss meetup message (#799) 2022-06-23 18:03:38 +00:00
cpendery
bb2f8dcdb4
fix: add fixed versions to cyclonedxjson output (#763) 2022-06-21 17:50:05 -04:00
cpendery
335f744b9b
docs: update to include php (#793) 2022-06-17 19:14:47 +00:00
Christopher Angelo Phillips
0703bae977
update grype to latest syft patch v0.48.1 (#790) 2022-06-17 15:45:33 +00:00
cpendery
11cf09222b
fix: add golang to documentation (#788) 2022-06-16 15:59:32 -04:00
Alan (Maciej) Paruszewski
b47e1935e1
fix: accept templates with custom functions (#786) 2022-06-16 16:25:54 +00:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
cpendery
cc0f134484
feat: add compose workflow for local dev (#783) 2022-06-14 13:02:48 -04:00
Jonas Xavier
2a587d0890
ignore gemfile rich version for semVer comparison (#776)
* ignore gemfile rich version during comparision

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* update search and version tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix int tests and lint error

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nit on error message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* split based on arch in gem version

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* reuse semVer constraint

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more constraint tests cases

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more comments and tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* add lower case version check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* validate that ruby version work with semver and gem version

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* more comments and tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* rename gem version format const

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-10 14:09:58 -04:00
Weston Steimel
736117e0d9
Support namespace and language as additional criteria for ignoring vulnerability matches (#780)
* support filtering matches based on Namespace

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* support filtering matches based on package language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add tests for filtering matches on Namespace and Language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update README for new ignore rule criteria

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix linting errors

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-10 18:15:58 +01:00
Christopher Angelo Phillips
69de9e7a0a
update syft version to v0.47.0 (#781) 2022-06-09 16:03:14 -04:00
Weston Steimel
81af51302d
use anchore fork of glebarez/sqlite (#778)
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-08 09:41:15 -04:00
Abhijeet Kasurde
8163c9f988
template: Check sanity for template file (#674)
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2022-06-07 10:21:30 -04:00
briankoe741
30f0aa7051
Add announcement for Anchore OSS Meetup (#775) 2022-06-06 16:51:34 -04:00
dependabot[bot]
07dfb28718
Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-06-02 09:18:53 -04:00
Christopher Angelo Phillips
43b870d5fe
publish release to reduce user friction (#766) 2022-05-26 20:44:22 +00:00
anchore-actions-token-generator[bot]
10c3604498
Update Syft to v0.46.3 (#761)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: jonasagx <jonasagx@users.noreply.github.com>
2022-05-26 10:14:28 -07:00
Sean Killeen
55b63a9fb8
Add reference to logrus logging levels (#758) 2022-05-25 15:06:17 -04:00
Herby Gillot
e6fc3e67d8
README: add MacPorts install info (#759)
Signed-off-by: Herby Gillot <herby.gillot@gmail.com>
2022-05-25 11:06:42 -07:00
Alex Goodman
06d28dad9f
bump to syft v0.46.2 (#755)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-05-23 13:47:21 +00:00
Jonas Xavier
c842fb9af5
bump stereoscope version to include source path fix (#752) 2022-05-19 08:18:49 -07:00
anchore-actions-token-generator[bot]
5a5642cc0d
Update Syft to v0.46.1 (#751)
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2022-05-18 14:10:39 -07:00
Christian Kotzbauer
731abaab72
Add syft v0.46.0 Dotnet support (#747) 2022-05-13 12:46:31 -04:00
dependabot[bot]
d6196b6525
Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 (#742)
Bumps [github.com/hashicorp/go-getter](https://github.com/hashicorp/go-getter) from 1.5.9 to 1.5.11.
- [Release notes](https://github.com/hashicorp/go-getter/releases)
- [Changelog](https://github.com/hashicorp/go-getter/blob/main/.goreleaser.yml)
- [Commits](https://github.com/hashicorp/go-getter/compare/v1.5.9...v1.5.11)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-getter
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-05-04 16:33:28 +01:00
Dan Luhring
0df35f8d2c
address excessive warnings from multiple sources (#741) 2022-05-03 14:05:50 +00:00
SALES
7fc4ca7646
Add reference to Grype-based GitHub Action (#710)
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-05-01 20:03:19 +00:00
Christopher Angelo Phillips
36f5150fa9
bump syft version (#738) 2022-04-29 13:39:08 -04:00
Sambhav Kothari
9f70cdbf24
add initial support for embedded CycloneDX VEX documents (#678) 2022-04-28 12:49:12 -04:00
Jonas Xavier
523f5ce9c0
Consume attestation files (#706)
* add key flag to attest validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp: verify sig and extract sbom

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip read attestation without scheme

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* mvp consuming attestations - needs unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove prototype file

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* drop local syft from go.mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix order of sbom parsing strategies

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle implicit attestation input

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add test for invalid attestation key

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* rebase and go-mod-tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* consume attestation via stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* attestation test for stdin

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* validate input and content for attestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add stdin test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix config tags

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add int test to ignore attestation validation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix cycloneDX attestation fixture

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered att test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add tampered predicate type test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* improve docs/help on atttestation

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* upgrade to latest syft

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fall through when guessing between sbom and att

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix butter finger rebase

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* drop default key value

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* assert error messages

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better test/cli coverage

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix stdin decode test

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* fix goimports

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* tui - verified attestation and feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* better naming

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* add attestation section to config file

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* emit event for skipped verification

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* use public key name

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
2022-04-21 11:52:42 -07:00
Alex Goodman
9cc1c72169
Preserve package IDs on Syft JSON SBOM decode (#731) 2022-04-18 18:22:58 +00:00
Alex Goodman
359353c10e
Add matches helper (#730) 2022-04-18 09:38:28 -04:00
Keith Zantow
4ed0704dcf
Auto-PR needs to run go mod tidy (#727) 2022-04-13 16:30:53 -04:00
Christopher Angelo Phillips
fa524a491e
reduce log level for warning so not in default output for upstream matcher (#725) 2022-04-13 17:18:02 +00:00
Keith Zantow
b1e7189a4a
Add workflow for automatic PR for new Syft releases (#722) 2022-04-13 13:08:04 -04:00
Christopher Angelo Phillips
95f68b4c33
Add java.Matcher configuration to includes maven upstream sha1 query (#714) 2022-04-13 13:01:22 -04:00
Tom Sparrow
e77a6c8d63
Include package type in table output (#694)
* Include package type column in table output

This helps avoid confusion between packages of the same name but different types.

I've hit this on a number of occasions, some examples below:
 - `tar` could be either a node package or a linux apk/rpm/deb
 - `msgpack` is a node package but also a python package
 - `jsonpointer` is also a node and/or python package

In each case when I saw the vuln reported I unluckily picked
the "wrong" one and it took some digging to realise the issue
or even that there was another type of package with the same
name at all.

The "type" is a succinct representation of _where_ Grype found
this package which should make things a lot clearer.

Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>

* Fix flag names

Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>

* Move type column to be consistent with syft

...which does `name, version, type, ...`

Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>
2022-04-08 21:00:02 -04:00
Alex Goodman
c36e9df887
Use CGO-less sqlite GORM driver (#705) 2022-04-04 18:40:29 +00:00
Jonas Xavier
182c86d11d
Migrate LocationSet and add Dart support (#703) 2022-04-01 08:21:37 -07:00
Christopher Angelo Phillips
e00a25220e
Add byMatchName custom function for custom template users 2022-03-30 16:27:04 +00:00
briankoe741
67eacff3e2
Remove announcement for OSS Meetup (#691)
Proposing changes to remove our 3/23 meetup

Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-03-25 00:12:07 +00:00
Keith Zantow
44e676488e
Update syft to v0.42.4 (#697) 2022-03-24 14:11:17 -04:00
Dan Luhring
1e020d7ea0
Detect when a user specifies an empty SBOM (#695)
* Detect when the user specifies empty SBOM file

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Fix darwin cert verification failure from Go 1.18

Signed-off-by: Dan Luhring <dan+github@luhrings.com>
2022-03-24 10:12:11 -04:00
Keith Zantow
d8e1c37cd1
Update syft to v0.42.3 (#690) 2022-03-23 17:57:06 -04:00
Alex Goodman
9fc6fb8a32
Bump strset version to fix 386 builds (#689) 2022-03-23 18:27:11 +00:00