Mirrors/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft synced 2024-11-10 06:14:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
1444 commits 73 branches 214 tags 132 MiB
Commit graph

1444 commits

This branch
This branch
All branches
Author SHA1 Message Date
Idan Frimark
087a6356b9
chore: return both failures when failed to retrieve an image with a scheme (#1801) 
Signed-off-by: Idan Frimark <idanf@cisco.com>
 2023-05-23 10:32:12 -04:00
Alex Goodman
26c201f7f7
Extract go module versions from ldflags for binaries built by go (#1832) 
* wip

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* with golang bin ldflags refactor

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add test for golang binary cataloger for ldflag extraction

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove binary classfiers that overlap with new go ldflags detection

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
 2023-05-23 10:27:48 -04:00
Keith Zantow
a3c5550217
fix: duplicate packages, support pnpm lockfile v6 (#1778) 2023-05-23 10:24:25 -04:00
anchore-actions-token-generator[bot]
798af57853
chore(deps): update stereoscope to e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2023-05-23 10:18:39 -04:00
dependabot[bot]
f50302b2ba
chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#1829) 
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-22 14:01:17 -04:00
dependabot[bot]
b09cf6c6b5
chore(deps): bump github.com/docker/docker (#1833) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.0+incompatible to 24.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.0...v24.0.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-22 13:07:24 -04:00
Alex Goodman
334a775cb9
Keep original FileInfo persisted on file.Metadata structs (#1794) 
* pull in fileinfo changes from stereoscope #172

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix CLI test assumption about the docker daemon

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
 2023-05-19 14:21:10 +00:00
dependabot[bot]
f1b6f38ea8
chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#1827) 
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-19 09:01:05 -04:00
dependabot[bot]
f6f8332b7f
chore(deps): bump github.com/google/go-containerregistry (#1823) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-17 14:34:27 -04:00
dependabot[bot]
74351567ab
chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822) 
Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sirupsen/logrus/releases)
- [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md)
- [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/sirupsen/logrus
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-17 14:33:48 -04:00
dependabot[bot]
51d4c9b4ab
chore(deps): bump github.com/docker/docker (#1824) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.6+incompatible to 24.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.6...v24.0.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-17 14:33:30 -04:00
Christopher Angelo Phillips
4601ca3735
fix: update field plurality of 8.0.0 schema before release (#1820) 
to keep things consistent across the schema we want Locations and URLs to be plural fields now that they are fields on the License struct
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-05-16 13:05:48 -04:00
Christopher Angelo Phillips
1a2a49840b
fix: update cataloger to check for expressions before split (#1819) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-05-16 16:04:28 +00:00
Christopher Angelo Phillips
42fa9e4965
feat: update syft license concept to complex struct (#1743) 
this PR makes the following changes to update the underlying license model to have more expressive capabilities
it also provides some guarantee's surrounding the license values themselves

- Licenses are updated from string -> pkg.LicenseSet which contain pkg.License with the following fields:
- original `Value` read by syft
- If it's possible to construct licenses will always have a valid SPDX expression for downstream consumption
- the above is run against a generated list of SPDX license ID to try and find the correct ID
- SPDX concluded vs declared is added to the new struct
- URL source for license is added to the new struct
- Location source is added to the new struct to show where the expression was pulled from
 2023-05-15 16:23:39 -04:00
Shane Alvarez
8046f09562
fix: cyclonedx depends-on relationship inverted (#1816) 
Signed-off-by: Shane Alvarez <shane.alv@gmail.com>
 2023-05-15 09:59:26 -04:00
mikey strauss
b4ed599481
fix: retain sbom cataloger relationships (#1509) 
Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com>
Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>
 2023-05-15 09:57:21 -04:00
William Murphy
e925d9d4a5
feat: warn if parsing newer SBOM (#1810) 
If syft is asked to parse an SBOM that was written by a newer version of
syft, emit a warning, since the current version of syft doesn't know about 
fields that may be added in the future.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
 2023-05-11 08:55:27 -04:00
William Murphy
da3624644a
feat: Add R cataloger (#1790) 
Add a cataloger that detects installed R packages by looking for DESCRIPTION
files. The base R package is now picked up in coverageImage tests in
test/cli/packages_cmd_test.go, so increment expected package counts for the
tests that use that image.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
 2023-05-10 12:30:11 -04:00
Bob Callaway
0580328ad9
update cosign to v2 release (different go module) (#1805) 
Signed-off-by: Bob Callaway <bcallaway@google.com>
 2023-05-10 11:12:37 -04:00
William Murphy
291da8cd12
fix: Reduce log spam on unknown relationship type (#1797) 
Rather than log a warning for every instance of an unknown relationship type,
or similar error, log a count of how many times each of these errors is
raised.

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
 2023-05-10 09:51:12 -04:00
anchore-actions-token-generator[bot]
8a3cbf2fdd
chore(deps): update bootstrap tools to latest versions (#1807) 2023-05-10 08:25:36 -04:00
dependabot[bot]
ef08d0fa39
chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/net/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-09 11:59:39 -04:00
dependabot[bot]
75d625b697
chore(deps): bump github.com/docker/docker (#1795) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.5+incompatible to 23.0.6+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.5...v23.0.6)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-08 12:45:50 -04:00
dependabot[bot]
88ba8b78fc
chore(deps): bump github.com/google/go-containerregistry (#1796) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.14.0 to 0.15.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.14.0...v0.15.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-08 12:45:30 -04:00
anchore-actions-token-generator[bot]
3f19aa589c
chore(deps): update bootstrap tools to latest versions (#1792) 2023-05-07 13:23:41 -04:00
William Murphy
630c18e0d3
Print package list when extra packages found (#1791) 
The tests in test/cli/packages_cmd_test.go are hard to debug when different
packages are found in different environments. For example, CI runs and M1 macs
have been observed to have different package counts. Therefore, if the test is
about to fail, log a sorted list of the packages that were found, so that it is
easy to compare failures of these tests.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
 2023-05-05 15:57:13 -04:00
anchore-actions-token-generator[bot]
1860bab24b
chore(deps): update bootstrap tools to latest versions (#1786) 2023-05-05 14:57:02 -04:00
dependabot[bot]
e31839a370
chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787) 2023-05-05 18:56:40 +00:00
Josh Bressers
0f1aed4477
Update the CPE generation for spring-security-core (#1789) 
* Update the CPE generation for spring-security-core
* Add vendor test for spring-security

Signed-off-by: Josh Bressers <josh@bress.net>

---------

Signed-off-by: Josh Bressers <josh@bress.net>
 2023-05-05 15:41:41 +00:00
Keith Zantow
ddb338d834
chore: do not HTML escape PackageURLs (#1782) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-05-05 10:08:04 -04:00
Keith Zantow
354c72bbf4
chore: do not include kernel module cataloger by default (#1784) 2023-05-05 09:54:24 -04:00
Jeff Squyres
d63a1f5f80
chore(docs): Update lists of catalogers (#1780) 
Signed-off-by: Jeff Squyres <jeff@squyres.com>
 2023-05-04 15:36:22 -04:00
Keith Zantow
645206735e
chore: add more detail on SPDX file IDs (#1769) 2023-05-02 16:52:18 -04:00
Filip Pytloun
95a04cadea
Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756) 
Fixes: https://github.com/anchore/syft/issues/1755

Signed-off-by: Filip Pytloun <filip@pytloun.cz>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2023-05-02 16:43:52 -04:00
dependabot[bot]
dd458a2b33
chore(deps): bump github.com/docker/docker (#1767) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.4+incompatible to 23.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.4...v23.0.5)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-05-02 16:43:16 -04:00
Alex Goodman
5f3d4d285b
rename sbom.PackageCatalog to sbom.Packages (#1773) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-05-01 10:19:58 -04:00
dependabot[bot]
10c3cc27e8
chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768) 
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.22.0 to 1.22.1.
- [Release notes](https://gitlab.com/cznic/sqlite/tags)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.22.0...v1.22.1)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-04-27 11:58:59 -04:00
Shane Dell
a07bfe7dfa
Create python requirements metadata (#1759) 
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
 2023-04-27 09:04:30 -04:00
Keith Zantow
451cb9d5ca
chore: update test redactor ordering (#1765) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-04-26 20:42:43 +00:00
Alex Goodman
fd02bef0a3
rename pkg.Catalog to pkg.Collection (#1764) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-04-26 13:56:33 -04:00
dependabot[bot]
02bd52728e
chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0 (#1758) 
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.21.2 to 1.22.0.
- [Release notes](https://gitlab.com/cznic/sqlite/tags)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.21.2...v1.22.0)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-04-26 10:37:49 -04:00
Christopher Angelo Phillips
c038f13d44
chore: go-rpmdb update (#1757) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2023-04-24 10:34:13 -04:00
dependabot[bot]
8102ad4edc
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706) 2023-04-24 10:20:12 -04:00
Shane Dell
13485ca5e7
fix: Improve pnpm support (#1752) 
Signed-off-by: Shane Dell <shanedell100@gmail.com>
 2023-04-21 17:58:23 +00:00
Alex Lehman
b2b332e8b2
feat: Add template func hasField (#1754) 
Signed-off-by: Lehman, Alex <alex.lehman@gtri.gatech.edu>
 2023-04-21 09:34:06 -04:00
Christopher Angelo Phillips
a42bac6fcc
fix: only cache java packages and not source content (#1750) 
* fix: only cache java packages and not source content

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* fix: add gradle to matched files for ci checksum

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-04-19 16:07:34 -04:00
Shane Dell
98a6c6efbe
Add sections of interest for Gemfile.lock cataloger (#1749) 
- Updated tests to reflect the new sections being added to show they function properly.

Closes #1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
 2023-04-19 12:18:17 -04:00
Christopher Angelo Phillips
55a90a2ee0
fix: update cache.fingerprint file to java-builds dir (#1748) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-04-19 12:17:07 -04:00
Shane Dell
6e835fd8fc
Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747) 
Signed-off-by: Shane Dell <shanedell100@gmail.com>
 2023-04-18 11:53:02 -04:00
Weston Steimel
ee80349ea0
chore: bump stereoscope to latest version (#1741) 
Resolves reporting of GHSA-hw7c-3rfg-p46j

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-04-18 15:44:03 +00:00