Commit graph

2319 commits

Author SHA1 Message Date
Christopher Angelo Phillips
b41d5cced5
chore: update spdx license list to 3.24.0 (#2895)
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-05-23 13:10:36 +00:00
dependabot[bot]
68daa42f86
--- (#2888)
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-23 08:11:03 -04:00
Russell Haering
2356787053
Go Mod Cataloger: Remove Replaced Packages (#2891)
When the goModCataloger processes a Replace directive it currently adds the new
package to the resulting package list, but does not remove the old one unless
the path is unchanged.

Based on an existing comment in the code, removing the old one seems to be the
intended behavior, and results in a more expected end-result, so this does so.

Signed-off-by: Russell Haering <russellhaering@gmail.com>
2024-05-22 14:26:40 -04:00
dependabot[bot]
2d318cffaa
chore(deps): bump actions/checkout from 4.1.5 to 4.1.6 (#2879)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.5 to 4.1.6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](44c2b7a8a4...a5ac7e51b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 13:46:57 -04:00
Alan Pope
49c458b113
chore: Reduce length of readme, moving lengthy content to the wiki (#2882)
* chore: Reduce length of readme, moving lengthy content to the wiki
https://github.com/anchore/syft/wiki
---------
Signed-off-by: Alan Pope <alan@popey.com>
2024-05-20 13:46:32 -04:00
dependabot[bot]
1144407591
chore(deps): bump github.com/docker/docker (#2880)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.2+incompatible to 26.1.3+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v26.1.2...v26.1.3)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 12:30:50 -04:00
dependabot[bot]
15808fbd04
chore(deps): bump github.com/saferwall/pe from 1.5.2 to 1.5.3 (#2881)
Bumps [github.com/saferwall/pe](https://github.com/saferwall/pe) from 1.5.2 to 1.5.3.
- [Release notes](https://github.com/saferwall/pe/releases)
- [Changelog](https://github.com/saferwall/pe/blob/main/CHANGELOG.md)
- [Commits](https://github.com/saferwall/pe/compare/v1.5.2...v1.5.3)

---
updated-dependencies:
- dependency-name: github.com/saferwall/pe
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 12:25:05 -04:00
dependabot[bot]
13ae56e3ef
chore(deps): bump modernc.org/sqlite from 1.29.9 to 1.29.10 (#2885)
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.29.9 to 1.29.10.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.9...v1.29.10)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-20 11:59:28 -04:00
Russell Haering
1bec1fc5d3
fix: DecoderCollection discarding input from non-seekable Readers (#2878)
Signed-off-by: Russell Haering <russellhaering@gmail.com>
2024-05-16 15:17:11 -04:00
anchore-actions-token-generator[bot]
15c9fe092a
chore(deps): update tools to latest versions (#2863)
* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* add tmate debug session

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add go tooling to bootstrap on mac

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-14 15:06:21 -04:00
Take
338ce51fd8
Fix outdated spdx links (#2865)
Signed-off-by: Takeru Tanaka <takeru.tt5672@gmail.com>
2024-05-14 17:58:36 +00:00
Alex Goodman
048df17e3d
Use values in relationship To/From fields (#2871)
* use pkg values in relationship fields

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add linter rule for using values in relationships

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use new cmptest package for comparing relationships

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* create cmptest for common cmp.Diff options in test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* condense matches for relationship ruleguard

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove relationship type from rules

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restore build tag

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* suggest using values

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* nil check pkgs

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-14 13:48:33 -04:00
Alex Goodman
7ad7627d5d
add support for RPM DB package relationships (#2872)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-14 13:48:19 -04:00
Russell Haering
e767bcff4b
fix: capture dependencies when parsing SPDX SBOMs (#2869)
Signed-off-by: Russell Haering <russellhaering@gmail.com>
2024-05-14 09:57:48 -04:00
Alex Goodman
4a18895545
Add abstraction for adding relationships from package cataloger results (#2853)
* add internal dependency resolver

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* refactor dependency relationship resolution to common object

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* replace cataloger decorator with generic processor

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* refactor resolver to be a single function

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use common dependency specifier for debian

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use common dependency specifier for arch

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* use common dependency specifier for alpine

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* allow for generic pkg and rel assertions in testpkg helper

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* do not allow for empty results

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* move stable deduplicate comment

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove relationship resolver type

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-14 13:27:36 +00:00
dependabot[bot]
fae6f5d372
chore(deps): bump github/codeql-action from 3.25.4 to 3.25.5 (#2867)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.4 to 3.25.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](ccf74c9479...b7cec75265)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-13 12:27:14 -04:00
Christopher Angelo Phillips
ee75aafa37
chore: fix small tooling error for go.mod (#2868)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-05-13 11:47:21 -04:00
Alex Goodman
c200896a96
fix pruning binary packages when considering ELF packages (#2862)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-09 19:35:22 +00:00
Brian Ebarb
4194a2cd34
feat: add relationships to ELF package discovery (#2715)
This PR adds DependencyOf relationships when ELF packages have been discovered by the binary cataloger. The discovered file.Executable type has a []ImportedLibraries that's read from the file when discovered by syft. By mapping these imported libraries back to the package collection, syft is able to create relationships showing which packages are dependencies of other packages by just reading metadata from the ELF executable.

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@sers.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-09 13:53:59 -04:00
Jörg Thalheim
74b01a1c38
README.md: link to official wiki (#2858)
This commit updates the the link from the former, unofficial nixos wiki page to the new https://wiki.nixos.org
ref: NixOS/foundation#113

Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
2024-05-09 13:49:37 -04:00
William Murphy
b2ca5fbf89
fix Windows file paths in local go mod cache (#2654)
Previously, the file resolver was created from incorrect calls
(path.Join instead of filepath.Join) which resulted Go license searches
always missing on Windows. Use filepath.* functions when initializing
the Go config, and when the unindexed file resolver is being created.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-09 13:08:58 -04:00
dependabot[bot]
1892f24002
chore(deps): bump github.com/docker/docker (#2859)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.1+incompatible to 26.1.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v26.1.1...v26.1.2)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-09 12:02:36 -04:00
dependabot[bot]
88aaab2841
chore(deps): bump github.com/charmbracelet/bubbletea (#2860)
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea) from 0.26.1 to 0.26.2.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases)
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.26.1...v0.26.2)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-09 12:02:28 -04:00
dependabot[bot]
5044f48cd6
chore(deps): bump github/codeql-action from 3.25.3 to 3.25.4 (#2855)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.3 to 3.25.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](d39d31e687...ccf74c9479)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-08 10:33:38 -04:00
dependabot[bot]
6c2e8c8c4b
chore(deps): bump github.com/sassoftware/go-rpmutils from 0.3.0 to 0.4.0 (#2856)
Bumps [github.com/sassoftware/go-rpmutils](https://github.com/sassoftware/go-rpmutils) from 0.3.0 to 0.4.0.
- [Release notes](https://github.com/sassoftware/go-rpmutils/releases)
- [Commits](https://github.com/sassoftware/go-rpmutils/compare/v0.3.0...v0.4.0)

---
updated-dependencies:
- dependency-name: github.com/sassoftware/go-rpmutils
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-08 10:33:11 -04:00
Alex Goodman
ada8f009d2
Add relationships for ALPM packages (arch linux) (#2851)
* add alpm relationships

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* tweak reader linter rule to check for reader impl

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update JSON schema with alpm dependency information

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-07 13:29:46 -04:00
Laurent Goderre
e7b6284039
Add binary classifier for ArangoDB (#2830)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-05-07 12:06:32 -04:00
dependabot[bot]
78625164c6
chore(deps): bump golang.org/x/net from 0.24.0 to 0.25.0 (#2849)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.24.0 to 0.25.0.
- [Commits](https://github.com/golang/net/compare/v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-07 12:05:43 -04:00
dependabot[bot]
c0635a77a9
chore(deps): bump actions/checkout from 4.1.4 to 4.1.5 (#2850)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.4 to 4.1.5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](0ad4b8fada...44c2b7a8a4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-07 12:05:33 -04:00
William Murphy
3713d97b7b
chore: use ruleguard to test for missing defer statements (#2837)
* chore: ruleguard to enforce defer use

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* fix go.mod location

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close in linux release identifier

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: better lint suggestion

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: refactor binary classifier to defer close

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in gentoo cataloger

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: make go license parsing defer close readers

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer closing readers in alpine apm parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in graalvm parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in debian package parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in alpm parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in executable file cataloger

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in javascript license parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* chore: defer close readers in go mod parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-07 05:42:29 -04:00
Alex Goodman
430c55a5b0
remove homebrew update workflow (#2846)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-06 15:38:12 -04:00
Alex Goodman
49e93646eb
Restore version file update on release (#2844)
* restore version file update on release

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* allow for shallower fetch depth

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-06 15:14:43 -04:00
Laurent Goderre
5ca26ed3ca
fix: Add missing CPE for traefik, memcached, and postgres binaries (#2845)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-05-06 15:06:30 -04:00
Laurent Goderre
e353214ef8
Add detection for newer version of ErLang/OTP (#2829)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-05-06 11:47:54 -04:00
Alex Goodman
a56eff90d6
fix ui race for package count (#2839)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-06 11:45:52 -04:00
anchore-actions-token-generator[bot]
00ff3ffda9
chore(deps): update CPE dictionary index (#2841)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-05-06 11:44:19 -04:00
dependabot[bot]
9de533996e
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.8 to 6.5.9 (#2842)
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty) from 6.5.8 to 6.5.9.
- [Release notes](https://github.com/jedib0t/go-pretty/releases)
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.8...v6.5.9)

---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 11:44:05 -04:00
dependabot[bot]
7aae7470e2
chore(deps): bump modernc.org/sqlite from 1.29.8 to 1.29.9 (#2843)
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.29.8 to 1.29.9.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.29.8...v1.29.9)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-06 11:43:55 -04:00
dependabot[bot]
d6604adaaf
chore(deps): bump github.com/charmbracelet/bubbletea (#2838)
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea) from 0.26.0 to 0.26.1.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases)
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.26.0...v0.26.1)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-03 09:50:20 -04:00
Alex Goodman
34ca9a8412
add security policy (#2835)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-05-02 14:45:17 +00:00
dependabot[bot]
f51b39ca04
chore(deps): bump actions/setup-go from 5.0.0 to 5.0.1 (#2834)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.0 to 5.0.1.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](0c52d547c9...cdcb360436)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-02 10:12:10 -04:00
anchore-actions-token-generator[bot]
9bbb42620a
chore(deps): update stereoscope to 2e9894674185d121917b283f773c2b5830f8b360 (#2831)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: kzantow <3009477+kzantow@users.noreply.github.com>
2024-05-02 09:38:23 -04:00
dependabot[bot]
0b4de3d0c7
chore(deps): bump github.com/charmbracelet/bubbletea (#2833)
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea) from 0.25.0 to 0.26.0.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases)
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v0.25.0...v0.26.0)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-02 09:36:49 -04:00
camcui
80d196a8c9
chore: fix function name in comment (#2771)
Signed-off-by: camcui <cuishua@sina.cn>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-05-01 18:04:02 +00:00
William Murphy
ed40833b30
chore: enable go-critic deferInLoop lint (#2825)
The goal here is to be more careful about leaking file handles and other
resources.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-01 12:59:35 -04:00
William Murphy
93a7d2ee27
fix: better clean up of file handles (#2823)
* always close ELF cataloger file handles

The elf-binary-package-cataloger does its own file IO to account for the
possibility of a logical ELF package being broken across multiple
physical files. However, this casued it to skip the normal invocation
pattern in the generic cataloger code that prevented file leaks. Ensure
this cataloger always closes its file handles.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* defer closing of generic cataloger file handles

Otherwise, a panicking cataloger could leak file handles.

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* add unit test for file closed on panic parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* make invoke parser a static function

Signed-off-by: Will Murphy <will.murphy@anchore.com>

* push error logging down into invoke parser

Signed-off-by: Will Murphy <will.murphy@anchore.com>

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-05-01 12:58:17 -04:00
dependabot[bot]
93a99e36c2
chore(deps): bump github.com/docker/docker (#2827)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.0+incompatible to 26.1.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v26.1.0...v26.1.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-01 11:03:31 -04:00
Keith Zantow
b0c88ddea9
fix(spdx): include required fields (#2168)
* fix(spdx): include required fields

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: missed update due to refactoring

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: update tools-golang

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: add test with packageVerificationCode included and excluded

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-30 13:28:42 -04:00
Keith Zantow
047e31a969
fix: add correct vendor for dnsmasq CPE (#2659)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-04-30 13:24:01 -04:00
guangwu
25b55e1704
fix: close temp rpmdb file (#2792)
* fix: close temp rpmdb file and db

Signed-off-by: guoguangwu <guoguangwug@gmail.com>

* chore: fix linter

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: guoguangwu <guoguangwug@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2024-04-30 12:47:17 -04:00