Commit graph

115 commits

Author SHA1 Message Date
Alan Pope
4ec46b5e24
doc: Updates for the Slack to Discourse migration (#2046)
Signed-off-by: Alan Pope <alan@popey.com>
2024-08-12 11:49:43 +01:00
Christopher Angelo Phillips
8ea95c422c
docs: update readme with new default format (#1974)
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-07-02 15:27:40 +00:00
Joshua Cooper
9c98ac80ab
Updating maven URLs in README.md (#1934) 2024-06-12 17:34:00 +00:00
Shubham Hibare
17b104771a
feat(signature): Checksum signature verification (#1670)
* feat(signature): Checksum signature verification

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Update message

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* address comments

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* consider -v flag across supported releases

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for install.sh signature verification

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* check that release is run from main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* summarize install.sh flags and recommendations

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove regex use on cosign verify-blob

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* simplify the compare_semver install function

Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add more tests to compare_semver

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit copy change for install help

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* keep original compare_semver implementation

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update copy to include default install path

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Dominique Martinet <asmadeus@codewreck.org>
2024-06-06 21:23:04 +00:00
Avtar Gill
0baa116159
fix: add note about TMPDIR env var (#1880)
Signed-off-by: Avtar Gill <avtargill@gmail.com>
2024-05-31 10:19:42 -04:00
Dan Luhring
316c0e9a11
fix: main mod pseudo version default off (#1894)
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-05-30 13:59:00 -04:00
Alex Goodman
24d5d4ffb2
Upgrade tool management (#1842)
* upgrade tool management

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update version file on release

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-09 16:25:00 -04:00
Dan Luhring
aed8e6304e
docs: update README with newer data sources (#1819)
* docs: update README with newer data sources

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* docs: add Wolfi to distro list

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
2024-04-24 12:07:33 -04:00
Tony DevOps
a9dc753c7f
Add some more examples for the config.yaml file in the README. (#1811)
---------
Signed-off-by: Tony DevOps <868644+TonyLovesDevOps@users.noreply.github.com>
2024-04-22 17:53:38 +00:00
Christopher Angelo Phillips
b7ffbeee53
config: add config opt in golang pseudo version main module comparison (#1816)
config: add config opt in golang pseudo version main module comparison
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-18 14:40:52 -04:00
Zach Hill
a7cbe3a26c
fix: adds ignore rules for kernel-headers indirect matches (#1787)
* fix: adds ignore rules for kernel-headers indirect matches

Adds ignoring of kernel-headers indirect matches on kernel vulns
since the kernel-headers package does not have the kernel code in it
that kernel vulns are actually referring to.

Adds a config value to control this ignore behavior that defaults to
enabling the ignore rules.

Fixes: 1762

* Adds ignore rule support for match types and upstream package names.
* Adds default ignore rules for kernel-headers indirect matches on kernel
for rpms.

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: add match-upstream-kernel-headers config to README.md

Signed-off-by: Zach Hill <zach@anchore.com>

* chore: update match labels

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Zach Hill <zach@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-04-15 13:29:19 -07:00
Christopher Angelo Phillips
046c19102d
chore: readme formats updated with sarif option (#1786)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-04 21:02:45 +00:00
Robert
09fdabd814
Added instruction to install with choco (#1716)
Signed-off-by: Robert Roos <robert.soor@gmail.com>
2024-02-20 12:02:47 -05:00
plavy
89610e1e07
docs: fix logging configuration in README (#1646)
Signed-off-by: plavy <tinplavec@gmail.com>
2023-12-29 01:53:32 +00:00
Christopher Angelo Phillips
6b4978f633
docs: add cbl-mariner to supported distro (#1569)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-10-24 12:11:55 -04:00
Alex Goodman
9750ef2452
add exception for go stdlib search by CPE (#1565)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-10-20 13:02:38 -04:00
James Hebden
30f05c3759
Add --ignore-states flag for ignoring findings with specific fix states (#1473)
* Add --ignore-states flag for ignoring findings with by fix state

Signed-off-by: James Hebden <jhebden@gitlab.com>

* ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated

Signed-off-by: James Hebden <jhebden@gitlab.com>

* Add CLI tests for new --ignore-states flag

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: James Hebden <jhebden@gitlab.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-10-17 14:07:34 -04:00
Shubham Hibare
e0e8b355f0
Add checksum signing (#1535)
* Add checksum signing

Signed-off-by: Shubham Hibare <shubham@hibare.in>

* Add artifact signature verification steps

Signed-off-by: Shubham Hibare <shubham@hibare.in>

---------

Signed-off-by: Shubham Hibare <shubham@hibare.in>
2023-10-12 15:38:30 -04:00
Christopher Angelo Phillips
6da8be94ac
chore: add OpenSSF Best Practices badge (#1523)
* chore: add OpenSSF Best Practices badge
--------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-09-27 11:06:35 -04:00
Rob Szumski
cc76ab82f9
Fix typo in flag (#1501)
Signed-off-by: Rob Szumski <rob@robszumski.com>
2023-09-18 16:54:14 -04:00
Puerco
b952d3808c
Ignore/add match results based on OpenVEX documents (#1397)
* go.mod: Pull OpenVEX go modules

This commit pulls the OpenVEX libraries into the grype source.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add generic VEX processor package

This commit adds a generic VEX processor package. It is implementation
agnostic. It has a single option for now: The documents used to load
the VEX data.

The processor has a single method: ApplyVEX() which takes a set of scan
results and applies VEX data to them. For now, the only modification that
is done is filtering of results, that is moving results to the ignored list
as a response to VEX documents.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Add OpenVEX processor implementation

This commit adds an openvex implementation of the vex processor.
It also wires the VEX processor to use it as default.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Table presenter: Highligt results suppressed by VEX

This commit marks results suppressed by VEX when presenting them
to the user.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Define  VEX status constants

This commit defines a set of local constants of each of the VEX statuses
based on the openvex constants.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add VexStatus to ignore rules

This commit modifies the ignore rules structure to support defining a vex
status. Any rules defining vex are ignored by the standard ignore rules
processing as they will be handled by the VEX processor.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add IgnoreRule HasConditions method

Adds a new HasConditions method to the IgnoreRule object to check if the rule is empty.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Control VEX filtering through IgnoreRules

This commit modifies how the vex processor is controlled. The processor now
takes a list of IgnoreRules which can act on the VEX status in addition to
the regular rule parameters.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* vex: Allow rules to match on VEX justification

This commit expands the ingore rules to also work on vex the
justification of not_affected statements.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Use go-vex merge implementation

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add OpenVEX matcher to matcher list

This commit adds a new entry to the matchers: An openvex matcher

This matcher is used when openvex augments results, moving matches
from the ignore list to the active results.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add vex.AugmentMatches() to the vex processor

This commit adds a new AugmentMatches() phase to the VEX processor.

This new step goes throught the configured ignore rules and acts on any
that have `affected` or `under_investigtion` as status.

The purpose of this rule is to move matches back from the ignored matches
list to the active results when a statement with either of those statuses
apply to ignored matches.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Parse context identifiers using GGC

This commit modifies the identifier synthesizer function to parse references
using GGCR. It also adds a simple test.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Bump funlen linter to 73

This commit bumps the maximum function length to 73 to accomodate
the new flag in AddFlags()

Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>

* Add VEX testing to matchers test

This commit adds a new test and fixtures to test the VEX matchers
along the rest of the matchers in TestMatchByImage(). As the VEX
matchers operate on previously ignored matches a new loop was added
to the test to accomodate the different testing model.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* add vex status and justification to ignored rule json model

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit rename + add TODO question about augmenting ignored matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nit document comment updates + common variable extraction

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate legacy matcher function to vulnerability matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update tui to respond to ignored and dropped matches

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* migrate vex processing to vulnerability match object

Based on Alex's previous caommit

Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Migrate VEX options and app config from legacy CLI

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* update table snapshot tests with suppressed vex entries

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for match.Matches.Diff()

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add tests for vex processor

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix linting and restore global funlen rule

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove grpc pin

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* always return remaining and ignroed matches from matcher object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* Add VEX documentation to main README

This commit adds a VEX section to the main Grype README. It adds
an example document and details on how vex rules can be written.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

---------

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
Signed-off-by: Adolfo Garcia Veytia (puerco) <puerco@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-09-13 15:26:12 -04:00
5p2O5pe25ouT
bf84e2fa7f
Add registry certificate verification support (#1232)
* add registry certificate verification support

* modify go.mod

* rename registry cert options, add docs, and add test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update to account for changes in anchore/stereoscope#195

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix cli tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-29 15:51:27 +00:00
Puerco
be91dc65d6
docs: fix some typos on main README (#1455)
Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
2023-08-25 11:00:03 -04:00
Alex Goodman
f0f8454c3e
note supported versions of grype (#1458)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-24 19:31:09 +00:00
Alex Goodman
ebd4643930
Port UI to bubbletea (#1385)
* initial port to bubbletea

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove jotframe UI

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add bubbletea component tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update main.go refs to cmd package

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* move goreleaser build dir to cmd

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* upgrade yardstick for grype source installs and fix post-ui tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* ensure stable severity map in UI component test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add windows support for tui

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-13 17:13:48 +00:00
Tim Gerla
ecf9e65b95
Add a simple CSV format template to the templates/ directory and tweak docs (#1366) 2023-06-29 17:05:17 -04:00
James Neate
0ace6b1a98
feat: add non-hermetic sprig functions (#1243) (#1273)
Because the general set of sprig functions can used to access
environment variables, explicitly warn users never to run untrusted
templates.

---------

Signed-off-by: James Neate <jamesmneate@gmail.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
2023-05-08 17:14:45 -04:00
James Neate
2930a18786
docs: add config flag to configuration section (#1271) (#1274)
Signed-off-by: James Neate <jamesmneate@gmail.com>
2023-05-05 18:58:21 -04:00
HNKNTA
9ba7a6a1ad
docs: add "cyclonedx-json" to output formats (#1252)
Signed-off-by: HNKNTA <hnknta@gmail.com>
2023-05-02 17:20:47 -04:00
Christopher Angelo Phillips
8dec5c3784
feat: add default-image-source-config option (#1215)
#1204 surfaces the need for allowing a user to express a preference over the default-image-pull-source to be used when building an SBOM for vulnerability scanning.

This adds a config option into grype to consume the new syft behavior.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-04 10:28:33 -04:00
Christopher Angelo Phillips
788ed965ec
chore: prune cosign dependency for grype builds (#1100)
* feat: segment cosign dependency for grype builds for faster build times

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-01-31 11:42:40 -05:00
Christopher Angelo Phillips
cdb8f3fa45
chore: change CVE example to official sample (#1028)
CVE-2017-41432 is not a valid ID but in theory could be one day. Changed it to CVE-2014-54321 which is one of a number sample IDs used during the Syntax change in 2013/2014. References: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-54321 cve.mitre.org/data/board/archives/2013-04/msg00000.html

Co-authored-by: Jericho <3095424+attritionorg@users.noreply.github.com>
2022-12-06 13:03:40 -05:00
Joyce
2cd2ef5340
Enable the Scorecard Github Action and badge (#929) 2022-11-03 14:24:20 -04:00
Jan Hensel
a678b8d134
Correct falsely copied app-name 'syft' in example (#922) 2022-09-19 12:19:49 -04:00
Chapman Pendery
d5b825e40b
feat: extract use cpes in matching logic to be configurable (#911) 2022-09-06 09:55:35 -04:00
Adam Hughes
ac3d6b643c
docs: add Singularity to "features" in README (#912) 2022-09-06 09:33:07 -04:00
Adam Hughes
9810495212
docs: improve Singularity image source docs (#910) 2022-09-01 12:53:54 -04:00
Adam Hughes
9f28cdc24f
Add Singularity image source (#908) 2022-08-31 13:55:49 -04:00
Keith Zantow
64cbb68d9d
Add blurbs about building and running from source (#893) 2022-08-24 15:30:21 -04:00
Brock R
174f61ec23
Update README.md (#871) 2022-08-16 19:45:50 +00:00
Neil Levine
f12bb67720
Update README.md (#868) 2022-08-04 21:08:16 +00:00
cpendery
51617f8aa5
feat: add --only-notfixed flag (#828) 2022-07-15 10:01:05 -04:00
cpendery
75a7e54f52
docs: update to include rust (#814) 2022-06-29 15:45:21 -04:00
Adin Ermie
b3a078aa02
Added Docker example to Readme (#769) 2022-06-27 16:59:51 -04:00
cpendery
64277bf6f4
docs: update php listing to be more clear that the .json file isn't indexed (#808) 2022-06-27 10:26:49 -04:00
Christopher Angelo Phillips
bbe933204a
remove oss meetup message (#799) 2022-06-23 18:03:38 +00:00
cpendery
335f744b9b
docs: update to include php (#793) 2022-06-17 19:14:47 +00:00
cpendery
11cf09222b
fix: add golang to documentation (#788) 2022-06-16 15:59:32 -04:00
Jonas Xavier
d6fa674edc
add db staleness check (#785)
* add db staleness check

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* less config fields

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix import order

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* warn even when set to not error on staleness

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nits

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* lint fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent log message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* consistent new version message

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* human friendly time durations

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix typo

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* cleaner tests and default db value

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2022-06-15 12:48:10 -04:00
Weston Steimel
736117e0d9
Support namespace and language as additional criteria for ignoring vulnerability matches (#780)
* support filtering matches based on Namespace

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* support filtering matches based on package language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* add tests for filtering matches on Namespace and Language

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* update README for new ignore rule criteria

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* fix linting errors

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2022-06-10 18:15:58 +01:00