Alex Goodman
cb0214ec1d
fill out new version notice ( #2042 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-08-18 16:03:11 -04:00
Keith Zantow
4762ba0943
feat: use java package names to determine known groupids ( #2032 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-17 12:55:25 -04:00
Keith Zantow
d1635971a1
fix: inconsistent removal of binaries by overlap ( #2036 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-17 15:27:31 +00:00
Mark Galpin
9467bd66c2
fix: CycloneDX relationships not output or decoded properly ( #1974 )
...
Signed-off-by: Mark Galpin <mark@tidelift.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Mark Galpin <mark@tidelift.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2023-08-17 11:02:12 -04:00
Keith Zantow
59107324ce
chore: restore cataloger.DefaultConfig ( #2028 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-14 20:28:07 +00:00
Keith Zantow
b3d7ba569b
fix: read direct package files when decoding SPDX tag-value ( #2014 )
...
* fix: read direct package files when decoding SPDX tag-value
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-14 11:37:24 -04:00
anchore-actions-token-generator[bot]
c7fe58683d
chore(deps): update bootstrap tools to latest versions ( #2022 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-08-14 11:36:15 -04:00
anchore-actions-token-generator[bot]
28b06dae25
chore(deps): update CPE dictionary index ( #2025 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-08-14 11:35:57 -04:00
anchore-actions-token-generator[bot]
a90cff1cd2
chore(deps): update bootstrap tools to latest versions ( #2012 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-08-10 13:20:09 -04:00
dependabot[bot]
82eafeaf4a
chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0 ( #2008 )
...
* chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
* refactor: update consumer code to use new optional values
Bumps [github.com/vifraa/gopom](https://github.com/vifraa/gopom ) from 0.2.2 to 1.0.0.
- [Release notes](https://github.com/vifraa/gopom/releases )
- [Commits](https://github.com/vifraa/gopom/compare/v0.2.2...v1.0.0 )
---
updated-dependencies:
- dependency-name: github.com/vifraa/gopom
dependency-type: direct:production
update-type: version-update:semver-major
...
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-09 17:22:51 -04:00
Christopher Angelo Phillips
541c8d339b
1948-filter-pkg-by-type ( #2011 )
...
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-09 16:05:52 -04:00
dependabot[bot]
6bf6f85584
chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0 ( #2009 )
...
Bumps [github.com/dave/jennifer](https://github.com/dave/jennifer ) from 1.6.1 to 1.7.0.
- [Commits](https://github.com/dave/jennifer/compare/v1.6.1...v1.7.0 )
---
updated-dependencies:
- dependency-name: github.com/dave/jennifer
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-09 14:46:11 -04:00
Keith Zantow
c7272fd6a5
fix: SPDX license values and download location ( #2007 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-08 15:55:50 -04:00
Christopher Angelo Phillips
466da7cbda
931: binary cataloger exclusion defaults for ownership by overlap ( #1948 )
...
Fixes #931
PR #1948 introduces a new implicit exclusion for binary packages that overlap by file ownership and have certain characteristics:
1) the relationship between packages is OwnershipByFileOverlap
2) the parent package is an "os" package - see changelog for included catalogers
3) the child is a synthetic package generated by the binary cataloger - see changelog for included catalogers
4) the package names are identical
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-08 13:00:52 -04:00
dependabot[bot]
2fc65094b7
chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0 ( #2004 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.13.0 to 0.14.0.
- [Commits](https://github.com/golang/net/compare/v0.13.0...v0.14.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-07 10:34:00 -04:00
dependabot[bot]
d7ff77072a
chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0 ( #1998 )
...
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite ) from 1.24.0 to 1.25.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.24.0...v1.25.0 )
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-04 14:24:31 -04:00
Christopher Angelo Phillips
78660022bf
test: add coverage for new rpmdb paths ( #1999 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-04 13:04:36 -04:00
Keith Zantow
aaf767f8d3
chore: improve spdx purl decoding ( #1996 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-04 11:43:21 -04:00
Keith Zantow
79014ed8c8
fix: gradle lockfile parser groupId handling ( #1995 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-04 11:42:26 -04:00
Christopher Angelo Phillips
e774006052
fix: update glob to use newer usr/lib/sysimage path ( #1997 )
...
See this link for details on the path migration for the rpmdb
https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-03 16:23:50 -07:00
Nicholas R. Smith
1d6d5f7f5f
fix: opkg search glob ( #1994 )
...
Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>
2023-08-03 19:33:11 +00:00
Sem Provoost
433a7b8a42
feat: nginx binary classifier ( #1988 )
...
Signed-off-by: SemProvoost <27961543+SemProvoost@users.noreply.github.com>
2023-08-03 13:09:31 -04:00
Nicholas R. Smith
e55277f26d
Expand deb cataloger to include opkg ( #1985 )
...
* Add opkg info directory and status file to deb cataloger
opkg uses the same or nearly the same metadata and structure as Debian:
**/lib/opkg/status lists status information for all packages
**/lib/opkg/info/opkg.conffiles is a list of configuration files
**/lib/opkg/info/*.list contains files and directories installed by the package
**/lib/opkg/info/*.preinst are scripts to run before installation
**/lib/opkg/info/*.postinst are scripts to run after installation
**/lib/opkg/info/*.postrm are scripts to run after package removal
**/lib/opkg/info/*.control provides package metadata
Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>
---------
Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>
Co-authored-by: Nicholas R. Smith <nicholas_smith@selinc.com>
2023-08-03 12:33:14 -04:00
anchore-actions-token-generator[bot]
c2b4231cc3
chore(deps): update bootstrap tools to latest versions ( #1991 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-08-03 10:53:29 -04:00
dependabot[bot]
c150b4e358
chore(deps): bump github.com/google/go-containerregistry ( #1993 )
...
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.15.2 to 0.16.1.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.2...v0.16.1 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-08-03 10:53:09 -04:00
Keith Zantow
3f0475efb7
chore: update bubbly to fix hanging ( #1990 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-08-02 10:28:35 -04:00
dependabot[bot]
2e376d067f
chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0 ( #1989 )
2023-08-02 14:16:49 +00:00
Christopher Angelo Phillips
8e893dfc20
feat: use originator logic to fill supplier ( #1980 )
...
* feat: use Originator to fill supplier for NTIA minimum
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-08-01 17:19:49 -04:00
Alex Goodman
756d0f29af
add metadata types to all cpe test fixtures ( #1982 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-31 16:35:09 -04:00
Keith Zantow
e2f7befbfb
fix: default image source name to user input ( #1979 )
...
* fix: default image source name to user input
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: add test
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-07-31 17:29:18 +00:00
anchore-actions-token-generator[bot]
f14742b3f3
chore(deps): update stereoscope to d1f3d766295ed3c8362ac1be68070e2a1dba4d03 ( #1975 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-07-31 12:02:33 -04:00
Christopher Angelo Phillips
3aae316456
chore: update to latest commit in tools-golang ( #1969 )
...
* chore: update to latest commit in tools-golang
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-27 15:29:22 -04:00
Alex Goodman
063e9da65d
Guess unpinned versions in python requirements.txt ( #1966 )
...
* feat: python requirements.txt parsing inclusive
Signed-off-by: manifestori <ori@manifestcyber.com>
* refactor: parseVersion
Signed-off-by: manifestori <ori@manifestcyber.com>
* add python config for optional requirements version constraint resolution
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for python requirements metadata to be optional
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore cyclonedx dependency
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: manifestori <ori@manifestcyber.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: manifestori <ori@manifestcyber.com>
2023-07-27 14:26:59 -04:00
dependabot[bot]
bf1102c3f1
chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2 ( #1965 )
...
Bumps [github.com/vifraa/gopom](https://github.com/vifraa/gopom ) from 0.2.1 to 0.2.2.
- [Release notes](https://github.com/vifraa/gopom/releases )
- [Commits](https://github.com/vifraa/gopom/compare/v0.2.1...v0.2.2 )
---
updated-dependencies:
- dependency-name: github.com/vifraa/gopom
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-27 13:28:42 -04:00
Alex Goodman
bbd2d42dbb
Fix panic condition on docker pull failure ( #1968 )
...
* [wip] add image pull error handlers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix panic and ui hang on docker pull failure
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* linter fix
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-27 11:32:02 -04:00
Alex Goodman
d84120f499
bump JSON schema to account for simplified python env markers ( #1967 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-27 14:13:17 +00:00
Keith Zantow
9480f10ccd
feat: support top-level SPDX package and graph ( #1934 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-07-26 13:54:32 -04:00
dependabot[bot]
1e4d26f526
chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 ( #1959 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.8.0 to 5.8.1.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.8.0...v5.8.1 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-26 13:34:03 +00:00
Tristan Farkas
e1c1832f84
Add cataloger for Swift Package Manager. ( #1919 )
...
Signed-off-by: Tristan Farkas <Tristan.Farkas@axis.com>
2023-07-25 14:35:21 -04:00
anchore-actions-token-generator[bot]
9a73380f29
chore(deps): update stereoscope to d515761c6ca2743a67d7d08053db69235ae76d1d ( #1953 )
...
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
2023-07-25 10:49:21 -04:00
dependabot[bot]
2e718cf865
chore(deps): bump github.com/docker/docker ( #1955 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 24.0.2+incompatible to 24.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v24.0.2...v24.0.5 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-25 10:37:16 -04:00
dependabot[bot]
4000a84624
chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 ( #1951 )
...
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git ) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases )
- [Commits](https://github.com/go-git/go-git/compare/v5.7.0...v5.8.0 )
---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-24 11:28:54 -04:00
Dan Luhring
99d172f0d1
Introduce indexed embedded CPE dictionary ( #1897 )
...
* Introduce indexed embedded CPE dictionary
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Don't generate cpe-index on make snapshot
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Add unit tests for individual addEntry funcs
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* migrate CPE index build to go generate and add periodic workflow
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add test to ensure generated cpe index is wired up to function that uses it
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-21 13:54:19 +00:00
dependabot[bot]
3f5c601620
chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 ( #1949 )
...
Bumps [github.com/gookit/color](https://github.com/gookit/color ) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/gookit/color/releases )
- [Commits](https://github.com/gookit/color/compare/v1.5.3...v1.5.4 )
---
updated-dependencies:
- dependency-name: github.com/gookit/color
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-21 08:50:47 -04:00
Dan Luhring
8478e0bef7
Add support for parsing .NET assemblies ( #1943 )
...
* Add support for parsing .NET assemblies
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 69c33fe4d77357d843c11590f3b07825bc6249ac
* Add dll and exe files
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: b9d204efa6d2ef385b5fbb7a59a3474ecabea641
* Add PE cataloger to directory catalogers
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 9711c00d9da92e2887e0c1f92edd740ea5345849
* Don't set language to dotnet for PEs
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 368313fddac9160d8a06a01ebe8c5ac7990232f5
* Fix spelling of cataloger in constructor
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: e42fd77b2f8b6d42e076a84f6cce386861260941
* Adjust which cases in PE parsing return errors
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 95b25f8fc3a7d4e18fe30e489b09851f316795ff
* remove build binary from branch
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2
* Fix failing CLI tests
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-19 15:34:07 -04:00
Christopher Angelo Phillips
0327fdc88a
docs: capture artifactory dev settings from 1895 ( #1947 )
...
* docs: capture artifactory dev settings from 1895
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-19 16:54:18 +00:00
Alex Goodman
88b3d1e9bb
remove build binary and add explicit git ignore
...
Former-commit-id: 6455f2d8a5f1910b4a8b681ddef79919886d638d
2023-07-18 14:06:34 -04:00
Christopher Angelo Phillips
204b790012
docs: update docs with new docker specific instructions ( #1941 )
...
* docs: update docs with new docker specific instructions
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Former-commit-id: c67c76e84df84e3e24aa307637d884ca8b7e3eea
2023-07-17 18:19:21 +00:00
Alex Goodman
35699f6fdc
remove jotframe UI ( #1932 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-07-13 13:21:52 -04:00
Christopher Angelo Phillips
2e7fd031d4
fix: remove indirect dependency of circl v1.1.0 ( #1940 )
...
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-07-13 12:30:37 -04:00