* update to latest syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests related to syft bump
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* WIP: package builds but tests do not
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* WIP: some unit tests compile
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* WIP: unit tests compile but do not pass
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Units passing with some changes to syft
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: excludes plus bad sbom should not suppress error
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add conan entry v2 package test
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft again
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: fix compiler error in integration tests
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: remove erlang OTP from package types that must be seen in test image
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft version used
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: break assumption that syft cpe.CPE is wfn.Attributes
Previously, Syft's cpe.CPE type was an alias for wfn.Attributes. Fix a
couple places where Grype's compilation depended on that fact, since it
will stop being true in the next Syft release.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: fix linter
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: distro FP data not applied correctly
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* fix: apply FP data to apk subpackages
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* incorporate changes from anchore/syft#2228
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix testing utils to use syft SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: disable CPE-based matching for GHSA ecosystems by default
Disables CPE-based matching for ecosystems which are covered by GitHub
Security Advisories. Also adds a separate rust matcher and related
configuration to allow configuring CPE-based matching off for it while
still leaving it on for the stock matcher.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: use --by-cve with quality gate comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: add rust auditable binary match integration test
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore(deps): update Syft to v0.93.0
Signed-off-by: GitHub <noreply@github.com>
* fix test to account for go pkg stdlib
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
Previously, grype used fuzzy matcher for Python packages, since
there are cases in PEP440 that are not strictly semver. Switch to a
library that does PEP440 parsing and comparison for python version
constraints.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* bump syft to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgdate cyclonedx presenter fixtures (bump from cdx 1.4 to 1.5)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for pkg type exceptions for github actions and workflows
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx json schema from v1.4 to v1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to syft v0.91.0
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go-setup action to v4
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove asset upload from release workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* go.mod: Pull OpenVEX go modules
This commit pulls the OpenVEX libraries into the grype source.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add generic VEX processor package
This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.
The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Add OpenVEX processor implementation
This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Table presenter: Highligt results suppressed by VEX
This commit marks results suppressed by VEX when presenting them
to the user.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Define VEX status constants
This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add VexStatus to ignore rules
This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add IgnoreRule HasConditions method
Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Control VEX filtering through IgnoreRules
This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* vex: Allow rules to match on VEX justification
This commit expands the ingore rules to also work on vex the
justification of not_affected statements.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Use go-vex merge implementation
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add OpenVEX matcher to matcher list
This commit adds a new entry to the matchers: An openvex matcher
This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Add vex.AugmentMatches() to the vex processor
This commit adds a new AugmentMatches() phase to the VEX processor.
This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.
The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Parse context identifiers using GGC
This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Bump funlen linter to 73
This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
* Add VEX testing to matchers test
This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* add vex status and justification to ignored rule json model
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit rename + add TODO question about augmenting ignored matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nit document comment updates + common variable extraction
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate legacy matcher function to vulnerability matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update tui to respond to ignored and dropped matches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate vex processing to vulnerability match object
Based on Alex's previous caommit
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* Migrate VEX options and app config from legacy CLI
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
* update table snapshot tests with suppressed vex entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for match.Matches.Diff()
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for vex processor
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting and restore global funlen rule
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove grpc pin
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* always return remaining and ignroed matches from matcher object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add VEX documentation to main README
This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
---------
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
For example, if the rpm "python3-rpm" is installed, it brings a python
package called "rpm" with it, which is just python bindings to RPM. But
this python package is part of "python3-rpm", and should not be matched
against directly. Only apply this deduplication strategy on distros with
a comprehensive enough vulnerability feed that we don't expect false
negatives from it.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore(deps): update Syft to v0.86.0
Signed-off-by: GitHub <noreply@github.com>
* fix python package metadata shape
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* account for new metadatas added in syft
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump syft to unreleased but fixed version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
* port to new syft source API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
The "make integration" target assumes that skopeo will be available on
PATH, but this wasn't documented. Install it during bootstrap when other
utilities are installed. (See ./test/integration/utils_test.go:50).
Include a sample skopeo policy.json, otherwise skopeo will look for a
missing policy doc a /etc/containers/policy.json and exit with an error.
The sample policy document matches the one included by default with
"brew install skopeo".
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
- Remove old apple signing flow in favor of [quill](https://github.com/anchore/quill)
- Update changelog generation to be in sync with syft's flow
- Remove old goreleaser docker workflow in favor of single file
- Remove individual bootstrap options in favor of single bootstrap action
- Update release and validation workflows to use trigger based approach seen in syft
- Update golangci.yaml to be equivalent to syft patterns
- Remove unused Dockerfile.dev
- Remove docker-compose development cycle
- Add organized test-fixture Makefile targets
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Add the total types of vulnerabilities in Grype output
Signed-off-by: Maxim Zhiburt <zhiburt@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Albert Simon <simon.albert75@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: update digest for test fixture dockerfile
The previous digest was specifically for i386. The updated digest should use the manifest to determine the correct platform to use based on the client.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* chore: add digesst on archlinux test fixture image
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Adds support for a `package_qualifiers` column to allow evaluating package matches to vulnerabilities based on more than just version constraints. Currently adds an rpm-modularity qualifier in order to support matching to correct app stream module in order to reduce false positives within rpm-based distro ecosystems. In order to prevent an increase in false positive matches for previous versions of grype using the v4 schema, this change (along with the vulnerability source driver parser updates) requires bumping the schema to v5.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* initial v4 schema setup
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v3 => v4 for unit tests
-- did NOT update
- grype/db/v3/*
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* use nullable string in sqlite so null values get represented correctly
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add missing unit test case for dotnet
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Add db writer function for calling sqlite vacuum
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* adding normalization of package names at database adapter layer
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* refactor namespaces for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update v4 stuff to use sqlite fork
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Namespace should satisfy Stringer interface
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* normalize CPEs before comparison
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* vulnerability exclusion => vulnerability match exclusion
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updates to vulnerability match exclusion models
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add initial vulnerability match exclusion store unit tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* make vuln match exclusion constraints nullable
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* move vuln match namespace into constraints object and refactor
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* check db match constraints to ensure there aren't any unknown fields and add json hints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure we only keep compatible match exclusion constraints
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use omitempty on all match exclusion structs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db v4 schema resolver and namespace types
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Vacuum to Close
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* lint fixes + remove panic on vuln provider creation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* WIP match exclusions
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* build list of ignore rules from v4 db records
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* quick attempt at a new uber object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* just pass around the full object for now to quickly get to a usable state
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no vuln db loaded
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* use interfaces for db.store function signatures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Flatten the match exclusion constraint model to simplify logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* updating some tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix panic when no db update possible
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* more tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* WIP fixing match exclusion constraint usability and json mapping logic
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add v4 db diff logic (excluding vulnerability_match_exclusion data for now)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* lint fix
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* update integration tests
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* nvd -> nvd:cpe namespace updates
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* ensure test store uses v4 normalized names
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* set the grype db update url to staging for v4
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* prevent more segfaults on database open
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* add continue when unable to load ignore rules
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove db.Status from the Store object
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix compare_sbom_input_vs_lib_test.go
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* remove staging endpoint now that v4 is published
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
