Mirrors/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft synced 2024-09-20 22:21:56 +00:00
Code Issues Projects Releases Packages Wiki Activity
1655 commits 65 branches 208 tags 119 MiB
Commit graph

1655 commits

This branch
This branch
All branches
Author SHA1 Message Date
Alex Goodman
cb0214ec1d
fill out new version notice (#2042) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-08-18 16:03:11 -04:00
Keith Zantow
4762ba0943
feat: use java package names to determine known groupids (#2032) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-17 12:55:25 -04:00
Keith Zantow
d1635971a1
fix: inconsistent removal of binaries by overlap (#2036) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-17 15:27:31 +00:00
Mark Galpin
9467bd66c2
fix: CycloneDX relationships not output or decoded properly (#1974) 
Signed-off-by: Mark Galpin <mark@tidelift.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Mark Galpin <mark@tidelift.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
 2023-08-17 11:02:12 -04:00
Keith Zantow
59107324ce
chore: restore cataloger.DefaultConfig (#2028) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-14 20:28:07 +00:00
Keith Zantow
b3d7ba569b
fix: read direct package files when decoding SPDX tag-value (#2014) 
* fix: read direct package files when decoding SPDX tag-value

---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-14 11:37:24 -04:00
anchore-actions-token-generator[bot]
c7fe58683d
chore(deps): update bootstrap tools to latest versions (#2022) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2023-08-14 11:36:15 -04:00
anchore-actions-token-generator[bot]
28b06dae25
chore(deps): update CPE dictionary index (#2025) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
 2023-08-14 11:35:57 -04:00
anchore-actions-token-generator[bot]
a90cff1cd2
chore(deps): update bootstrap tools to latest versions (#2012) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2023-08-10 13:20:09 -04:00
dependabot[bot]
82eafeaf4a
chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0 (#2008) 
* chore(deps): bump github.com/vifraa/gopom from 0.2.2 to 1.0.0
* refactor: update consumer code to use new optional values

Bumps [github.com/vifraa/gopom](https://github.com/vifraa/gopom) from 0.2.2 to 1.0.0.
- [Release notes](https://github.com/vifraa/gopom/releases)
- [Commits](https://github.com/vifraa/gopom/compare/v0.2.2...v1.0.0)

---
updated-dependencies:
- dependency-name: github.com/vifraa/gopom
  dependency-type: direct:production
  update-type: version-update:semver-major
...
---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-09 17:22:51 -04:00
Christopher Angelo Phillips
541c8d339b
1948-filter-pkg-by-type (#2011) 
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-09 16:05:52 -04:00
dependabot[bot]
6bf6f85584
chore(deps): bump github.com/dave/jennifer from 1.6.1 to 1.7.0 (#2009) 
Bumps [github.com/dave/jennifer](https://github.com/dave/jennifer) from 1.6.1 to 1.7.0.
- [Commits](https://github.com/dave/jennifer/compare/v1.6.1...v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/dave/jennifer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-09 14:46:11 -04:00
Keith Zantow
c7272fd6a5
fix: SPDX license values and download location (#2007) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-08 15:55:50 -04:00
Christopher Angelo Phillips
466da7cbda
931: binary cataloger exclusion defaults for ownership by overlap (#1948) 
Fixes #931

PR #1948 introduces a new implicit exclusion for binary packages that overlap by file ownership and have certain characteristics:

1) the relationship between packages is OwnershipByFileOverlap
2) the parent package is an "os" package - see changelog for included catalogers
3) the child is a synthetic package generated by the binary cataloger - see changelog for included catalogers
4) the package names are identical

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-08 13:00:52 -04:00
dependabot[bot]
2fc65094b7
chore(deps): bump golang.org/x/net from 0.13.0 to 0.14.0 (#2004) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.13.0 to 0.14.0.
- [Commits](https://github.com/golang/net/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-07 10:34:00 -04:00
dependabot[bot]
d7ff77072a
chore(deps): bump modernc.org/sqlite from 1.24.0 to 1.25.0 (#1998) 
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.24.0 to 1.25.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.24.0...v1.25.0)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-04 14:24:31 -04:00
Christopher Angelo Phillips
78660022bf
test: add coverage for new rpmdb paths (#1999) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-04 13:04:36 -04:00
Keith Zantow
aaf767f8d3
chore: improve spdx purl decoding (#1996) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-04 11:43:21 -04:00
Keith Zantow
79014ed8c8
fix: gradle lockfile parser groupId handling (#1995) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-04 11:42:26 -04:00
Christopher Angelo Phillips
e774006052
fix: update glob to use newer usr/lib/sysimage path (#1997) 
See this link for details on the path migration for the rpmdb
https://fedoraproject.org/wiki/Changes/RelocateRPMToUsr

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-03 16:23:50 -07:00
Nicholas R. Smith
1d6d5f7f5f
fix: opkg search glob (#1994) 
Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>
 2023-08-03 19:33:11 +00:00
Sem Provoost
433a7b8a42
feat: nginx binary classifier (#1988) 
Signed-off-by: SemProvoost <27961543+SemProvoost@users.noreply.github.com>
 2023-08-03 13:09:31 -04:00
Nicholas R. Smith
e55277f26d
Expand deb cataloger to include opkg (#1985) 
* Add opkg info directory and status file to deb cataloger

opkg uses the same or nearly the same metadata and structure as Debian:
**/lib/opkg/status lists status information for all packages
**/lib/opkg/info/opkg.conffiles is a list of configuration files
**/lib/opkg/info/*.list contains files and directories installed by the package
**/lib/opkg/info/*.preinst are scripts to run before installation
**/lib/opkg/info/*.postinst are scripts to run after installation
**/lib/opkg/info/*.postrm are scripts to run after package removal
**/lib/opkg/info/*.control provides package metadata

Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>

---------

Signed-off-by: Nicholas R. Smith <nicholas_smith@selinc.com>
Co-authored-by: Nicholas R. Smith <nicholas_smith@selinc.com>
 2023-08-03 12:33:14 -04:00
anchore-actions-token-generator[bot]
c2b4231cc3
chore(deps): update bootstrap tools to latest versions (#1991) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2023-08-03 10:53:29 -04:00
dependabot[bot]
c150b4e358
chore(deps): bump github.com/google/go-containerregistry (#1993) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.2 to 0.16.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.15.2...v0.16.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-08-03 10:53:09 -04:00
Keith Zantow
3f0475efb7
chore: update bubbly to fix hanging (#1990) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-08-02 10:28:35 -04:00
dependabot[bot]
2e376d067f
chore(deps): bump golang.org/x/net from 0.12.0 to 0.13.0 (#1989) 2023-08-02 14:16:49 +00:00
Christopher Angelo Phillips
8e893dfc20
feat: use originator logic to fill supplier (#1980) 
* feat: use Originator to fill supplier for NTIA minimum
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-08-01 17:19:49 -04:00
Alex Goodman
756d0f29af
add metadata types to all cpe test fixtures (#1982) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-31 16:35:09 -04:00
Keith Zantow
e2f7befbfb
fix: default image source name to user input (#1979) 
* fix: default image source name to user input

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: add test

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-07-31 17:29:18 +00:00
anchore-actions-token-generator[bot]
f14742b3f3
chore(deps): update stereoscope to d1f3d766295ed3c8362ac1be68070e2a1dba4d03 (#1975) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2023-07-31 12:02:33 -04:00
Christopher Angelo Phillips
3aae316456
chore: update to latest commit in tools-golang (#1969) 
* chore: update to latest commit in tools-golang

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-07-27 15:29:22 -04:00
Alex Goodman
063e9da65d
Guess unpinned versions in python requirements.txt (#1966) 
* feat: python requirements.txt parsing inclusive

Signed-off-by: manifestori <ori@manifestcyber.com>

* refactor: parseVersion

Signed-off-by: manifestori <ori@manifestcyber.com>

* add python config for optional requirements version constraint resolution

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* allow for python requirements metadata to be optional

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restore cyclonedx dependency

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: manifestori <ori@manifestcyber.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: manifestori <ori@manifestcyber.com>
 2023-07-27 14:26:59 -04:00
dependabot[bot]
bf1102c3f1
chore(deps): bump github.com/vifraa/gopom from 0.2.1 to 0.2.2 (#1965) 
Bumps [github.com/vifraa/gopom](https://github.com/vifraa/gopom) from 0.2.1 to 0.2.2.
- [Release notes](https://github.com/vifraa/gopom/releases)
- [Commits](https://github.com/vifraa/gopom/compare/v0.2.1...v0.2.2)

---
updated-dependencies:
- dependency-name: github.com/vifraa/gopom
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-27 13:28:42 -04:00
Alex Goodman
bbd2d42dbb
Fix panic condition on docker pull failure (#1968) 
* [wip] add image pull error handlers

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix panic and ui hang on docker pull failure

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* linter fix

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-27 11:32:02 -04:00
Alex Goodman
d84120f499
bump JSON schema to account for simplified python env markers (#1967) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-27 14:13:17 +00:00
Keith Zantow
9480f10ccd
feat: support top-level SPDX package and graph (#1934) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-07-26 13:54:32 -04:00
dependabot[bot]
1e4d26f526
chore(deps): bump github.com/go-git/go-git/v5 from 5.8.0 to 5.8.1 (#1959) 
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.8.0 to 5.8.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.8.0...v5.8.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-26 13:34:03 +00:00
Tristan Farkas
e1c1832f84
Add cataloger for Swift Package Manager. (#1919) 
Signed-off-by: Tristan Farkas <Tristan.Farkas@axis.com>
 2023-07-25 14:35:21 -04:00
anchore-actions-token-generator[bot]
9a73380f29
chore(deps): update stereoscope to d515761c6ca2743a67d7d08053db69235ae76d1d (#1953) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2023-07-25 10:49:21 -04:00
dependabot[bot]
2e718cf865
chore(deps): bump github.com/docker/docker (#1955) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.2+incompatible to 24.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.2...v24.0.5)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-25 10:37:16 -04:00
dependabot[bot]
4000a84624
chore(deps): bump github.com/go-git/go-git/v5 from 5.7.0 to 5.8.0 (#1951) 
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.7.0...v5.8.0)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-24 11:28:54 -04:00
Dan Luhring
99d172f0d1
Introduce indexed embedded CPE dictionary (#1897) 
* Introduce indexed embedded CPE dictionary

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* Don't generate cpe-index on make snapshot

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* Add unit tests for individual addEntry funcs

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

* migrate CPE index build to go generate and add periodic workflow

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add test to ensure generated cpe index is wired up to function that uses it

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-21 13:54:19 +00:00
dependabot[bot]
3f5c601620
chore(deps): bump github.com/gookit/color from 1.5.3 to 1.5.4 (#1949) 
Bumps [github.com/gookit/color](https://github.com/gookit/color) from 1.5.3 to 1.5.4.
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.5.3...v1.5.4)

---
updated-dependencies:
- dependency-name: github.com/gookit/color
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-07-21 08:50:47 -04:00
Dan Luhring
8478e0bef7
Add support for parsing .NET assemblies (#1943) 
* Add support for parsing .NET assemblies

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 69c33fe4d77357d843c11590f3b07825bc6249ac

* Add dll and exe files

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: b9d204efa6d2ef385b5fbb7a59a3474ecabea641

* Add PE cataloger to directory catalogers

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 9711c00d9da92e2887e0c1f92edd740ea5345849

* Don't set language to dotnet for PEs

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 368313fddac9160d8a06a01ebe8c5ac7990232f5

* Fix spelling of cataloger in constructor

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: e42fd77b2f8b6d42e076a84f6cce386861260941

* Adjust which cases in PE parsing return errors

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

Former-commit-id: 95b25f8fc3a7d4e18fe30e489b09851f316795ff

* remove build binary from branch

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2

* Fix failing CLI tests

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>

---------

Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-19 15:34:07 -04:00
Christopher Angelo Phillips
0327fdc88a
docs: capture artifactory dev settings from 1895 (#1947) 
* docs: capture artifactory dev settings from 1895

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-07-19 16:54:18 +00:00
Alex Goodman
88b3d1e9bb remove build binary and add explicit git ignore 
Former-commit-id: 6455f2d8a5f1910b4a8b681ddef79919886d638d
 2023-07-18 14:06:34 -04:00
Christopher Angelo Phillips
204b790012 docs: update docs with new docker specific instructions (#1941) 
* docs: update docs with new docker specific instructions
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Former-commit-id: c67c76e84df84e3e24aa307637d884ca8b7e3eea
 2023-07-17 18:19:21 +00:00
Alex Goodman
35699f6fdc
remove jotframe UI (#1932) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2023-07-13 13:21:52 -04:00
Christopher Angelo Phillips
2e7fd031d4
fix: remove indirect dependency of circl v1.1.0 (#1940) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-07-13 12:30:37 -04:00