* add db staleness check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* less config fields
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix import order
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* warn even when set to not error on staleness
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nits
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* lint fix
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix test
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent log message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* consistent new version message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* human friendly time durations
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix typo
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* cleaner tests and default db value
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* ignore gemfile rich version during comparision
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* update search and version tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix int tests and lint error
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nit on error message
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* split based on arch in gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* reuse semVer constraint
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more constraint tests cases
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add lower case version check
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* validate that ruby version work with semver and gem version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* more comments and tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* rename gem version format const
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* support filtering matches based on Namespace
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* support filtering matches based on package language
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add tests for filtering matches on Namespace and Language
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update README for new ignore rule criteria
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix linting errors
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
This overcomes an issue with duplicate registration of sqlite drivers between glebarez/sqlite and knqyf263/go-rpmdb by
just using modernc.org/sqlite directly within our fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add key flag to attest validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp: verify sig and extract sbom
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip read attestation without scheme
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* mvp consuming attestations - needs unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove prototype file
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop local syft from go.mod
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix order of sbom parsing strategies
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle implicit attestation input
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test for invalid attestation key
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* rebase and go-mod-tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* consume attestation via stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* attestation test for stdin
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* validate input and content for attestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add stdin test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix config tags
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add int test to ignore attestation validation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix cycloneDX attestation fixture
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered att test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add tampered predicate type test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* improve docs/help on atttestation
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* upgrade to latest syft
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fall through when guessing between sbom and att
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix butter finger rebase
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* drop default key value
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* assert error messages
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better test/cli coverage
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix stdin decode test
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix goimports
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* tui - verified attestation and feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* better naming
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* add attestation section to config file
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* emit event for skipped verification
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* use public key name
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* Include package type column in table output
This helps avoid confusion between packages of the same name but different types.
I've hit this on a number of occasions, some examples below:
- `tar` could be either a node package or a linux apk/rpm/deb
- `msgpack` is a node package but also a python package
- `jsonpointer` is also a node and/or python package
In each case when I saw the vuln reported I unluckily picked
the "wrong" one and it took some digging to realise the issue
or even that there was another type of package with the same
name at all.
The "type" is a succinct representation of _where_ Grype found
this package which should make things a lot clearer.
Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>
* Fix flag names
Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>
* Move type column to be consistent with syft
...which does `name, version, type, ...`
Signed-off-by: Tom Sparrow <793763+sparrowt@users.noreply.github.com>
* Detect when the user specifies empty SBOM file
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Fix darwin cert verification failure from Go 1.18
Signed-off-by: Dan Luhring <dan+github@luhrings.com>