Mirrors/syft

mirror of https://github.com/anchore/syft synced 2024-11-10 06:14:16 +00:00

Author	SHA1	Message	Date
Christopher Angelo Phillips	0774ad15e2	chore: clean up linting configuration (#1343 )	2022-11-16 16:28:09 +00:00
Justin Chadwell	10f43d75e0	feat: Add `--name` option to override name in output (#1269 )	2022-11-10 14:03:23 -05:00
Dan Luhring	949cff158d	Add support for dependency relationships for alpine (apk) (#1063 ) * Fix type of pull deps and add support for provides Signed-off-by: Dan Luhring <dan+github@luhrings.com> * [wip] apk dependency lookup Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update whitespace for linter Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * adjust test conditions Signed-off-by: Timothy Gerla <tim@gerla.net> * fix TODOs and improve Provides parser * run simports after main merge Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> * add tests to cover apk relationship parsing cases Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * generate JSON schema for breaking changes to apk metadata Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update tests to account for additional dependencies Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * [wip] fix relationship encoding for cyclonedx Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * simplify package relationships that can be expressed Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Dan Luhring <dan+github@luhrings.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Signed-off-by: Timothy Gerla <tim@gerla.net> Co-authored-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: Timothy Gerla <tim@gerla.net>	2022-11-09 15:43:37 +00:00
Alex Goodman	d7a51a69dd	Update java generic cataloger (#1329 ) * remove centralize pURL generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * port java cataloger to new generic cataloger pattern Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove common.GenericCataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update format test fixtures to reflect ID updates Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix package sort instability for encode-decode-encode cycles Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-11-09 14:55:54 +00:00
Alex Goodman	5ed002e1a9	Update swift cataloger to generic cataloger (#1324 ) * port swift cataloger to new generic cataloger pattern Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add cocopods metadata to json schema defs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update json test fixture with latest schema version Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-11-04 13:51:59 -04:00
Alex Goodman	2deb96a801	Update portage cataloger to new generic cataloger (#1316 ) * port portage (ha) cataloger to new generic cataloger pattern Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update JSON schema to account for removing portage fields Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-11-03 14:49:18 -04:00
Christopher Angelo Phillips	edeba9c01c	feat: add nodejs-binary package classifier (#1296 )	2022-10-31 16:45:11 +00:00
Marc-Etienne Vargenau	dd89461ba3	Fix #1245 Update SPDX license list to 3.18 (#1259 ) * Fix #1245 Update SPDX license list to 3.18 Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>	2022-10-27 23:46:54 -04:00
Alex Goodman	52cb7269bf	port deb/dpkg cataloger to new generic cataloger pattern (#1288 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-10-25 15:47:32 +00:00
Alex Goodman	d8c659b65b	replace logger interface with anchore/go-logger (#1279 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-10-21 15:12:14 +00:00
Marc-Etienne Vargenau	e2d06cecb7	chore: handle deprecated SPDX license: StandardML-NJ (#1266 )	2022-10-17 13:45:36 -04:00
Marc-Etienne Vargenau	41bc6bb410	Fixes #1179 Deprecated SPDX license (#1263 )	2022-10-14 15:54:57 -04:00
Christopher Angelo Phillips	89575199b8	feat: add RelationshipsBySourceOwnership to syft json output (#1248 )	2022-10-11 15:11:03 -04:00
Keith Zantow	780e1c310c	refactor: Remove experimental Anchore Enterprise upload functionality (#1257 )	2022-10-10 16:16:47 -04:00
Hiroaki KAWAI	b9b13d5525	Add Conan (C/C++) conan.lock file support (#1230 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-09-29 18:45:59 +00:00
Keith Zantow	b20310eaf8	Add gosimports (#1205 )	2022-09-14 13:38:18 -04:00
Chapman Pendery	9097614f3b	refactor: move formats from internal into syft module (#1172 )	2022-09-13 11:20:52 -04:00
Keith Zantow	70db13d49e	Add RPM file scanning support (#1188 )	2022-09-07 14:16:30 -04:00
Scott Andrews	1c7b7c5f8a	Normalize syft-json output (#1194 )	2022-09-07 10:56:49 -04:00
Christopher Angelo Phillips	586d3fe77f	Revert "External sources configuration (#1158 )" (#1191 ) reverted as functionality is to be merged with dev branch of kubecon draft	2022-09-01 15:45:35 -04:00
Keith Zantow	a17ff7b555	Fix RPM DB license handling (#1184 )	2022-08-30 14:38:12 -04:00
Christopher Angelo Phillips	615f933d98	Bug fix for 1095 - syft conversion option error (#1177 ) Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>	2022-08-25 17:36:15 -04:00
anchore-actions-token-generator[bot]	b0fc955e0c	Update syft bootstrap tools to latest versions. (#1171 ) * Update syft bootstrap tools to latest versions. Signed-off-by: GitHub <noreply@github.com> Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com>	2022-08-23 20:36:59 +01:00
Marco Deicas	13296880cd	External sources configuration (#1158 )	2022-08-22 11:22:18 -04:00
Keith Zantow	21eb772060	Associate node package licenses from node_modules (#1152 )	2022-08-16 14:14:02 -04:00
Justin Chadwell	3db6911865	fix: extract file ids correctly for spdx-json (#1156 ) Previously, extracting relationships between packages and files was not completing correctly, as SPDXRef- ElementIDs were being compared to raw IDs, and so never matched. This patch ensures that we always compare ElementIDs, to ensure that the hasFiles field is correctly populated. Signed-off-by: Justin Chadwell <me@jedevc.com>	2022-08-11 14:06:36 -04:00
Alex Goodman	2693a8c19a	metadata decoding should be optional (#1154 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-08-10 16:20:53 +00:00
Dan Nurmi	04387301ce	Add modularitylabel metadata to RPM type records generated by syft (#1148 ) * bump cosign to v1.10.1 (#1144) Signed-off-by: Daniel Nurmi <nurmi@anchore.com> * Add modularitylabel metadata to RPM type records generated by syft. Fixes #1145. Signed-off-by: Daniel Nurmi <nurmi@anchore.com> * update to address lint failures Signed-off-by: Daniel Nurmi <nurmi@anchore.com> * Update syft/pkg/rpmdb_metadata.go Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Daniel Nurmi <nurmi@anchore.com> * update json schema to match camel case Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-08-08 11:52:32 +00:00
Jonas Xavier	69fb0a6f3b	Overwrite deprecated SPDX licenses automatically (#1009 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-08-02 15:25:33 -04:00
cpendery	9b1adce19a	feat: implement haskell support (#1096 )	2022-07-18 15:33:54 -04:00
cpendery	470b13045b	feat: add support for cocoapods (Swift/Objective-C) (#1081 )	2022-07-11 10:09:08 -04:00
Zac Medico	4c55c62834	Add portage support for Gentoo Linux (#1076 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-07-06 16:18:54 -04:00
Batuhan Apaydın	69134ed3b5	feat: add new login cmd (#1068 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-07-05 11:57:28 -04:00
cpendery	57323a1666	feat: add support for conan packages (C/C++) (#1083 )	2022-07-05 10:49:24 -04:00
Alex Goodman	ea611dab5f	Add catalogers configuration (#1038 ) * Option to enable specific language or ecosystem cataloger Signed-off-by: ramanan-ravi <ramanan@deepfence.io> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Disable dotnet cataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Option to enable specific language or ecosystem cataloger Signed-off-by: Ramanan Ravikumar <ramanan@deepfence.io> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename "enable-cataloger" option to "catalogers" Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add cli test for --catalogers option Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update readme with latest cataloger names Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * enable dotnet cataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix cataloger imports Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update readme with alpmdb cataloger config example Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: ramanan-ravi <ramanan@deepfence.io>	2022-06-21 13:06:25 +00:00
Jonas Xavier	aed1599c4d	add template output (#1051 ) * add template output Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remove dead code Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix template cli flag Signed-off-by: Jonas Xavier <jonasx@anchore.com> * implement template's own format type Signed-off-by: Jonas Xavier <jonasx@anchore.com> * simpler code Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix readme link to Go template Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * simpler func signature patter Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix linter error Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-17 14:04:31 -04:00
Christopher Angelo Phillips	9e72771b85	update zip_read_closer to incorporate zip64 support (#1041 )	2022-06-16 10:43:18 -04:00
Morten Linderud	e72d68b0c6	Add pacman (alpm) parser support (#943 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-13 18:51:37 +00:00
Jonas Xavier	0aea55f880	add main module field to go bin metadata (#1026 ) * add main module field to go bin metadata Signed-off-by: Jonas Xavier <jonasx@anchore.com> * udpate json ouput schema to 3.2.4 Signed-off-by: Jonas Xavier <jonasx@anchore.com> * clean up fixture Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-03 23:12:09 +00:00
cpendery	6ccd460e59	fix: add component list to prevent cyclone-dx panic (#1015 )	2022-05-26 13:44:12 -04:00
Jonas Xavier	7cb8e1fc14	Use SBOM descriptor version (#1011 ) * Use SBOM descriptor version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * Update tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * CycloneDX extract tools metadata in decoding stage Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add descriptor to spdx tag-value test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remove comment Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-05-25 14:40:08 -07:00
Christopher Angelo Phillips	03ee4fdf5e	add integration tests for validating CycloneDX output using cyclonedx-cli (#1000 )	2022-05-12 12:56:04 -04:00
Jonas Xavier	24f08e7738	Convert between SBOM formats (#964 ) * add convert command Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * mvp Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix hanging bug Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate SBOM formats for conversion Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * move convert cmd to new structure Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * remove bin Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * drop event loop from convert cmd extract SBOM type from document namespace Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * validate SPDX in tests Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * documenting convert cmd Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * support output format=file.json notation Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * test convertible formats Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix typo Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * clean up Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * more clean up and docs Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * nit Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> * re-use more code Signed-off-by: Jonas Xavier <jonasx@anchore.com> * undo encode-decode cycle test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remove unnecessary test constraint Signed-off-by: Jonas Xavier <jonasx@anchore.com> * fix readme Signed-off-by: Jonas Xavier <jonasx@anchore.com> * try verbose Signed-off-by: Jonas Xavier <jonasx@anchore.com> * cleaner README and no table conversion Signed-off-by: Jonas Xavier <jonasx@anchore.com> * simpler conversion Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes and cleanup Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nit space fix Signed-off-by: Jonas Xavier <jonasx@anchore.com> * use defer Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com> Co-authored-by: Keith Zantow <kzantow@gmail.com>	2022-05-09 17:28:33 -07:00
Christopher Angelo Phillips	a83506628c	Add README updates for Keyless features (#988 )	2022-05-09 16:07:28 +00:00
Jonas Xavier	42f8601919	Fix tests: add timeout to long-running failures, update SPDX license list (#989 )	2022-05-09 11:48:44 -04:00
Christopher Angelo Phillips	d2d532f4a8	835 - Keyless Support for SBOM Attestations (#910 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-06 18:06:32 -04:00
Christian Kotzbauer	1cea0ecd5c	feat: add initial dotnet-support (#951 ) * feat: add initial dotnet-support Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: add path, sha512 and hashpath Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: add missing dot Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: lint warnings Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix CLI test package counts to account for dotnet Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix: updated packagurl-go Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * tidy go.sum Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update json schema Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-05 15:32:02 -04:00
Dan Luhring	0bd3558fb2	reduce noise of log output (#976 )	2022-05-02 14:54:30 +00:00
Sambhav Kothari	36973021fa	Rename syft-id to package-id (#970 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-04-29 11:18:45 -04:00
Christopher Angelo Phillips	6029dd7c2e	refactor command package to remove globals and add dependency injection	2022-04-26 18:23:03 +00:00
Jon McEwen	7304bbf8ee	fix: #953 Derive language from pURL - https://github.com/anchore/syft … (#957 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-04-26 11:51:24 -04:00
Alex Goodman	172ecc0d77	Preserve syft IDs on SBOM decode (#963 )	2022-04-18 18:10:55 +00:00
Keith Zantow	248023baaf	Update GitHub format package_url and correlator (#961 )	2022-04-15 13:00:06 -04:00
Keith Zantow	b7295b79de	Ensure SPDXIDs are valid (#955 )	2022-04-14 15:07:23 -04:00
Christopher Angelo Phillips	b46d044d7e	Update spdx22json to only take uppercase checksum algorithm (#946 )	2022-04-11 14:56:04 -04:00
Christopher Angelo Phillips	782b2e3348	Add digest property to parent and nested java package metadata (#941 )	2022-04-08 15:12:32 -04:00
Sambhav Kothari	8bc5d84481	Ensure that all cyclonedx components have bom-refs (#914 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-04-01 12:19:30 -04:00
Alex Goodman	f24bbc1838	Deduplicate packages across multiple container image layers (#930 )	2022-03-31 15:45:51 -04:00
Eric Larssen	cb3e73e308	Add dart support (#919 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-03-31 15:44:55 -04:00
Dan Luhring	a7db43f5ec	Fix panic on empty sbom (#917 ) * Implement fmt.Stringer with format.ID Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Add failing test for formats processing empty SBOMs Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Account for nil SPDX document during Syft model conversion Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-03-24 10:11:51 -04:00
Alex Goodman	7f9edf346a	Bump golangci-lint to 1.45.0 (#909 )	2022-03-22 11:02:36 -04:00
Jonas Xavier	283db88dc4	Omit H1Digest when empty (#902 ) * Omit HD1Field when empty Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * update test-fixtures Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-03-21 11:59:10 -07:00
Keith Zantow	9240860f44	Correct ID handling during Syft JSON decoding (#900 )	2022-03-18 17:03:26 -04:00
Christopher Angelo Phillips	4231f38fa2	add case to decode GolangBinMetadata for syftjson model (#901 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-03-18 15:15:10 -04:00
Keith Zantow	99c3339810	Fix CycloneDX license decoding panic (#898 )	2022-03-18 09:44:51 -04:00
Keith Zantow	f4734d28b3	Fix panic when CycloneDX BOM missing metadata.component (#895 )	2022-03-17 10:22:35 -04:00
Jonas Xavier	6ef3e45ffc	Use go 1.18 buildinfo to catalog binaries (#827 ) * initial working version Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * added build settings to pkg metadata wip - unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle mach-O FatFiles Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add support to mod replace fixed golang catalger tests trying GH Actions with go 1.18rc1 Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * log error Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * use go-macholibre for extraction Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * cleaner tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add version to main module Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * check macho file with macholibre Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * run golangci in its own workflow Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci workflow Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix golangci wf yml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix golangci wf yml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci wf Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci wf Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * get arch from bin file headers upgrade macholibre Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * test new stereoscope lazy reader interface Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove devel version from golang cataloger Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * switch github workflows to go1.18 stable Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add union reader interface in golang cataloger update stereoscope Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * simpler golangci validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix makefile Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * get archs refactor Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * nolint for golang version Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix go bin tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * golangci nolint needs a \n before package Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * cleanup Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * move golangci-lint to its own jobs again Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix ci yaml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add support for xcoff files add arch assets to test bin file types Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * clean up golangci-lint config Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * nolint for xcoff Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * explain nolints Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove unused xcoff testdata assets Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * make go bin test-fixtures in docker Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix make clean with -f Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * update json output schema Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * update schema version in test fixture Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * explain possible empty main module Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-03-16 17:07:02 -07:00
Keith Zantow	ee0a1d172c	panic parsing cyclonedx (#892 )	2022-03-16 09:10:44 -04:00
Keith Zantow	6c8102bf28	Correct CycloneDX distro decoding (#745 )	2022-03-11 09:27:18 -05:00
Keith Zantow	7789506dc6	Experimental GitHub export (#836 )	2022-03-10 22:38:12 -05:00
Alex Goodman	2946813a74	RPM Epoch should be optional in the json schema (#880 )	2022-03-09 14:51:43 -05:00
Christopher Angelo Phillips	003d28ad48	Add SchemaVersion to version command output (#877 ) * make JsonSchemaVersion available programmatically via syft version command Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-03-09 13:12:52 -05:00
Sambhav Kothari	39737a2825	Update cyclonedx to v1.4 (#820 )	2022-03-08 12:09:55 -05:00
Alex Goodman	07d3c9af52	Fix file creation for output options (#875 )	2022-03-08 15:37:28 +00:00
Alex Goodman	a86dd3704e	Add platform selection (#866 )	2022-03-04 22:41:38 +00:00
Alex Goodman	4af32c5bee	Migrate format definitions to sbom package (#864 )	2022-03-04 17:22:40 -05:00
Keith Zantow	b2ab4671b9	Correct SPDX-JSON checksum algorithm (#863 )	2022-03-03 17:13:13 -05:00
Keith Zantow	edac8c7bf7	Update CycloneDX to use syft namespace and output multiple CPEs (#849 )	2022-03-01 17:37:52 -05:00
Alex Goodman	99bb93d0fe	Resolve symlinks when fetching file contents (#782 )	2022-02-24 10:01:59 -05:00
Christopher Angelo Phillips	256e85bc12	510 - SBOM attestation stdout (#785 ) add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-22 21:45:12 -05:00
Keith Zantow	20c1d14f6e	Add CycloneDX decoder (#811 )	2022-02-18 11:19:02 -05:00
Alex Goodman	51c6eb30f5	bump stereoscope to include functional options (#823 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-14 20:40:51 -05:00
Alex Goodman	220f3a24fd	deduplicate SPDX tag-value package IDs (#813 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-10 21:18:00 +00:00
Keith Zantow	76f8205936	Suport SPDX SBOM decoding (#738 )	2022-02-09 14:11:20 -05:00
Jonas Xavier	ca081ae5e0	use SYFT_LOG_FILE env var (#805 ) * use SYFT_LOG_FILE Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * enable debug logs when SYFT_LOG_FILE is set Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * set log.file and add tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * test log file in temp directory Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add note on binding refactor Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove unused function Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-02-09 10:04:08 -08:00
Keith Zantow	1e338502ff	Update SPDX license list (#801 )	2022-02-07 15:24:08 +00:00
Alex Goodman	341288ba29	Normalize snapshot and release artifacts (#789 ) * refactor signing steps in release/snapshot workflows Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show signing logs on snapshot or release failure Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update install.sh + tests to account for new goreleaser changes Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update cli tests to account for new goreleaser build names Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix acceptance test to use new snapshot bin path Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add notarization Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-04 12:41:37 -05:00
Christopher Angelo Phillips	024a5a9f3f	Add dependencies to cyclonedx (#768 ) Add dependencies to cyclonedx Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: hectorj2f <hectorf@vmware.com>	2022-01-25 15:34:16 -05:00
Peter Balogh	161fa7be4a	[CycloneDX] Add artifactID and groupID to the cycloneDX properties (support lower level struct as properties) (#758 ) * [CycloneDX] Add artifactID and groupID to the cycloneDX properties Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * update comment Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * additional checks for value Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * fill group filed with groupID in the case of Java Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com> * fix linter warning Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-25 10:36:15 -05:00
Sambhav Kothari	aebe843c6f	Improve CycloneDX format output (#710 ) * Improve CycloneDX format output ## Additions to CycloneDX output * CPEs * Authors * Publishers * External References (Website, Distribution, VCS) * Description Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>	2022-01-19 11:43:16 -05:00
Alex Goodman	829e500aa9	Add additional PHP metadata (#753 ) * add php related metadata Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * enable decoding of php metadata for syftjson format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add php metadata to json schema Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-19 11:42:16 -05:00
Toure Dunnon	814f2bf8b9	Update Syft formats for SyftJson (#752 ) * Update Syft formats for SyftJson This change will introduce omitempty struct tag to PackageCustomData. This struct tag will cause null and empty values to be dropped on serialization for consumers downstream. Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com> * Updated the golden files for syftjson to allow for proper test coverage. Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>	2022-01-18 17:18:34 -05:00
Dan Luhring	c61204f56d	Add support for "file" source type in syftjson unmarshaling (#750 ) * Add tests for image and directory syftjson source Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Add failing test case for file source unmarshaling Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Fix file source unmarshaling Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Add test case for unknown source type Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-01-18 13:40:39 -05:00
Keith Zantow	f59af255e3	Align SPDX export more with SPDX 2.2 specification (#743 )	2022-01-13 15:27:06 -05:00
Alex Goodman	706f291679	Replace distro type (#742 ) * remove strong distro type Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * bump json schema to v3 (breaking distro shape) Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * allow for v2 decoding of distro idLikes field in v3 json decoder Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix casing in simple linux release name Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use discovered name as pretty name in simple linux release Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-12 12:13:42 -05:00
Keith Zantow	5e5312c72d	Add support for multiple output files in different formats (#732 )	2022-01-06 17:52:20 -05:00
Alex Goodman	38c4b17847	Add support for searching for jars within archives (#734 ) * add support for searching jars within archives Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add package cataloger config options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments + factor out safeCopy helper Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update config docs regarding package archive search options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show that unindexed archive cataloging defaults to false Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove lies about -s Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update search archive note about java Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-06 21:40:51 +00:00
Christopher Angelo Phillips	01dc78ccc3	683 windows filepath (#735 ) Support Windows Directory Resolver Add function that converts windows to posix functionality Add function that converts posix to windows Add build tags to remove windows developer environment errors redact carriage return specific windows issues Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-01-06 11:39:04 -05:00
Sambhav Kothari	2a7325a965	Fix CPE encode/decode when it contains special chars (#714 ) * Fix CPE generation when the generated CPE contains invalid characters Currently syft seems to generate invalid CPEs which do not conform with the official CPE spec. This is because the underlying nvdtools library is not a completely spec compliant implementation and has some interesting bugs/issues. The following are the list of issues I have encountered with nvdtools: 1. It parses strings which are not CPEs incorrectly as valid CPEs. This messes up our filter function which is supposed to filter out any incorrect CPEs we generate. In order to fix this, I have introduced a new regex in the NewCPE function which follows the upstream spec and filters out any incorrect CPEs. 2. Introduce wfn.WFNize for any cpe attributes we infer from packages. This ensures that we are escaping and quoting any special characters before putting them into CPEs. Note that nvdtools has yet another bug in the WFNize function, specifically the "addSlashesAt" part of the function which stops the loop as soon as it encounters ":" a valid character for a WFN attribute after quoting, but the way nvdtools handles it causes it to truncate strings that container ":". As a result strings like "prefix:1.2" which would have been quoted as "prefix\:1.2" end up becoming "prefix" instead causing loss of information and incorrect CPEs being generated. As a result in such cases, we remove out strings containing ":" in any part entirely for now. This is similar to the way we were handling CPE filtering in the past with http urls as vendor strings 3. Add special handling for version which contain ":" due to epochs in debian and rpm. In this case, we strip out the parts before ":" i.e. the epoch and only output the actual function. This ensures we are not discarding valid version strings due to pt #.2. In the future we should look at moving to a more spec compliant cpe parsing library to avoid such shenanigans. Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Remove WFNize for input strings WFNize seems to not be part of the standard as per https://pkg.go.dev/github.com/facebookincubator/nvdtools@v0.1.4/wfn#WFNize and seems to have bugs/issues with encode/decode cycles, so I am just removing it at this point and relying on the CPE regex to filter out invalid CPEs for now. Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Quote the string on decode to ensure consistent CPE string generation Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add test cases for round-tripping the CPE and fix strip slashes Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add comprehensive tests for cpe parsing Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Use strings.Builder instead of byte buffer Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>	2022-01-06 09:56:53 -05:00
Sambhav Kothari	4903b4d73f	Bump syft JSON schema and add v2.0.2 (#716 ) Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>	2021-12-22 13:55:34 -05:00

1 2 3 4 5 ...

272 commits