Alex Goodman
100cf1003d
Remove more side effects from application config testing ( #1684 )
* remove a few side effects from config testing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix xdg config app name prefix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* account for restoring and protecting xdg state throughout testing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-03-20 20:53:45 +00:00
Aidan Delaney
f11a7b5e9f
Deprecate config.yaml as valid config source; Add unit regression for correct config paths ( #1640 )
Warn user of future deprecation of ./config.yaml for v1.0.0 release
---------
Signed-off-by: Aidan Delaney <adelaney21@bloomberg.net>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-03-20 15:13:35 -04:00
anchore-actions-token-generator[bot]
434aa7fd46
chore: Update syft bootstrap tools to latest versions. ( #1682 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-03-20 13:20:48 -04:00
Marc-Etienne Vargenau
5fb0423b72
Update documentation: ( #1680 )
- Syft is now outputting SPDX 2.3 by default
- Give syntax to get SPDX 2.2
Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
2023-03-20 10:10:35 -04:00
anchore-actions-token-generator[bot]
7998520848
chore: Update Stereoscope to 7928713c391e20abaede6a029f4ce37b628a4c8b ( #1681 )
2023-03-18 10:32:39 -04:00
Keith Zantow
d05000ff21
fix: reduce logging for bad dpkg lines ( #1675 )
* fix: reduce logging for bad dpkg lines to Trace level
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-03-17 13:08:51 -04:00
witchcraze
f66e77e2c6
fix ruby classifier ( #1678 )
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-03-17 09:42:20 -04:00
Christopher Angelo Phillips
928c4a55ff
feat: add shared dir for easier cleanup ( #1676 )
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-03-16 16:05:34 -04:00
dependabot[bot]
1899eb50d0
chore(deps): bump github.com/google/go-containerregistry ( #1672 )
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry ) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/google/go-containerregistry/releases )
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml )
- [Commits](https://github.com/google/go-containerregistry/compare/v0.13.0...v0.14.0 )
---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-16 12:07:47 -04:00
dependabot[bot]
b5ec4d4f08
chore(deps): bump actions/setup-go from 3 to 4 ( #1671 )
Bumps [actions/setup-go](https://github.com/actions/setup-go ) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases )
- [Commits](https://github.com/actions/setup-go/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-16 12:02:07 -04:00
Christopher Angelo Phillips
61362c04fa
fix: move defer after error to protect panic case ( #1670 )
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-03-15 15:29:10 -04:00
Joye Lin
e3140063d4
feat: add argocd, helm, kustomize and kubectl binary classifiers ( #1663 )
* add argocd, helm, kustomize and kubectl binary classifiers
* update golang PURL
* address PR feedback about binary/test-fixtures/Makefile
* remove the /v[n] suffix from the PURL in both argocd and helm
---------
Signed-off-by: y12studio <y12studio@gmail.com>
2023-03-15 14:53:22 -04:00
razzle
1d9ef34ec7
defer closing file ( #1668 )
Signed-off-by: razzle <harry@razzle.cloud>
2023-03-15 14:50:42 -04:00
Keith Zantow
302735097e
fix: remove author contributing to javascript CPEs ( #1669 )
2023-03-14 14:10:24 +00:00
Keith Zantow
cc0a376aba
fix: more python matching support ( #1667 )
2023-03-13 13:26:43 -04:00
anchore-actions-token-generator[bot]
b379dd9f27
Update syft bootstrap tools to latest versions. ( #1666 )
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-03-13 10:40:13 -04:00
witchcraze
a81e0c8008
feat: add ruby classifier ( #1665 )
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-03-10 08:29:40 -05:00
anchore-actions-token-generator[bot]
41cbbe09b2
Update syft bootstrap tools to latest versions. ( #1658 )
2023-03-07 12:54:32 -05:00
Keith Zantow
7714bc0521
fix: improved Python binary detection ( #1648 )
2023-03-07 10:52:29 -05:00
Weston Steimel
096d2b7bff
fix: suppress some known incorrect vendor candidates for npm CPEs ( #1659 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-07 10:18:44 -05:00
Keith Zantow
7cfdffab5f
fix: sanitize SPDX LicenseRefs ( #1657 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-03-06 10:55:23 -05:00
dependabot[bot]
f43953d225
chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 ( #1655 )
2023-03-06 15:49:34 +00:00
dependabot[bot]
eea1b48cbb
chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 ( #1653 )
2023-03-06 15:38:34 +00:00
dependabot[bot]
a063cf300b
chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5 ( #1654 )
2023-03-06 15:21:35 +00:00
dependabot[bot]
b73903519c
chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 ( #1656 )
2023-03-06 15:20:43 +00:00
Keith Zantow
304be4a5a1
fix: dotnet PURL types are invalid ( #1649 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-03-03 16:45:20 -05:00
Weston Steimel
c4cbe211a3
feat: disable cpe vendor wildcards to reduce false positives ( #1647 )
* improved parsing of vendor from github url
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* stop generating wildcard vendors
Add logic for parsing javascript and ruby package vendor candidates from
url and author fields and stop generating wildcard vendor candidates
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-03 17:26:46 +00:00
Avi Deitcher
01230aa766
read relative etc/apk/repositories for alpine version when no OS provided ( #1615 )
Signed-off-by: Avi Deitcher <avi@deitcher.net>
2023-03-02 13:04:56 -05:00
Keith Zantow
5f90d03718
fix: possible race condition ( #1639 )
2023-03-01 15:35:01 -05:00
Weston Steimel
e2ebc9769f
fix: remove APK OriginPackage cpe candidates ( #1637 )
Adding APK OriginPackage CPE candidates to the child package
results in false positives in grype because it can't associate
CPE-based findings to the corresponding OriginPackage APK fixes.
This reverts changing the `upstream` in the PURL for APK packages
as the logic in Grype that uses it expects it to be an APK package
name. This also allows refactoring to unexport and move the APK
CPE candidate generation logic closer to where CPE generation occurs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-01 17:24:43 +00:00
Keith Zantow
2e6e3b0c74
fix: rebar lock file decoding panic ( #1628 )
2023-03-01 10:08:29 -05:00
Keith Zantow
24584a4d27
fix: handle individual cataloger panics ( #1636 )
2023-03-01 10:03:34 -05:00
Weston Steimel
8e1205f7ab
fix: apk product/vendor generation for old metadata ( #1635 )
This fixes some instances where the improved APK CPE generation
logic caused regressions for older alpine package APK metadata.
It now generates multiple "upstream" candidates with both name
and package type which reduces the amount of duplicated code in
the apk cpe gen logic. This also improves the handling of stream
version packages, so now we can correctly identify packages such
as ruby3.2-rexml as the rexml ruby gem.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-01 14:58:35 +00:00
Weston Steimel
e92b0fa629
feat: rust toolchain binary cataloger ( #1601 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-01 14:53:37 +00:00
Weston Steimel
bcc0751a40
feat: retain go package info when no module declared ( #1632 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-01 14:26:44 +00:00
Weston Steimel
f1169e56fc
fix: improved CPE-generation for several more APK packages ( #1631 )
* fix: correct vendor for musl
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor for firefox and thunderbird
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor/product for chromium
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct product for apache http server
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct product for tiff
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor for ghostscript
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor for openjpeg
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor/product for xorg-server
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor for podofo
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: correct vendor for wpa_supplicant
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-03-01 08:55:40 -05:00
Christopher Angelo Phillips
98e737fc27
chore: update deprecated release flag ( #1629 )
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-02-27 15:57:56 -05:00
dependabot[bot]
ff34594284
chore(deps): bump actions/upload-artifact from 2 to 3 ( #1627 )
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 2 to 3.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](https://github.com/actions/upload-artifact/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-27 14:17:29 -05:00
Benji Visser
9e953b1da3
feat: add support for SUPPORT_END in /etc/os-release ( #1612 )
Signed-off-by: Benji Visser <benji@093b.org>
2023-02-27 13:43:19 -05:00
Weston Steimel
fbda21f4f4
fix: further improvements to CPE generation for apk packages ( #1623 )
* fix: consider upstream logic during apk cpe gen
* fix: correct apk CPE for go
* fix: correct apk CPE for ruby
* fix: correct apk CPE for bazel
* fix: correct apk CPE for clang
* fix: correct apk CPE for openjdk
* fix: correct apk CPE for glibc
* fix: correct apk CPE for gli
* fix: correct apk CPE for bas
* fix: correct apk CPE for alsa-lib
* fix: correct apk CPE for alsa
* fix: determine apk cpe vendor from known URLs
* fix: add more url prefix->vendor mappings for apk
* refactor: allow reuse of vendor by url prefix logic
* feat: extract username as vendor candidate from github/gitlab
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-27 13:16:04 -05:00
dependabot[bot]
d23b4d4cbd
chore(deps): bump github.com/stretchr/testify from 1.8.1 to 1.8.2 ( #1625 )
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify ) from 1.8.1 to 1.8.2.
- [Release notes](https://github.com/stretchr/testify/releases )
- [Commits](https://github.com/stretchr/testify/compare/v1.8.1...v1.8.2 )
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-27 13:14:20 -05:00
dependabot[bot]
f3acff81f3
chore(deps): bump actions/checkout from 2 to 3 ( #1626 )
Bumps [actions/checkout](https://github.com/actions/checkout ) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](https://github.com/actions/checkout/compare/v2...v3 )
---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-27 13:14:03 -05:00
Nils Hanke
fa0a9fe8f9
feat: set cosign attest predicate type based on Syft output type ( #1598 )
Signed-off-by: Nils Hanke <nils.hanke@outlook.de>
2023-02-24 15:08:40 -05:00
dependabot[bot]
284bae9d5f
chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4 ( #1609 )
Bumps [github.com/spf13/afero](https://github.com/spf13/afero ) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/spf13/afero/releases )
- [Commits](https://github.com/spf13/afero/compare/v1.9.3...v1.9.4 )
---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-02-24 15:07:52 -05:00
Weston Steimel
3ee1af0dc6
fix: correct apk purls for other distros ( #1620 )
The apk purl spec allows for vendor-specific namespace. I noticed
in the embedded SBOMs from wolfi that the purls are of the form
`pkg:apk/wolfi/curl@7.83.0-r0?arch=x86`, but the current logic in
syft actually prevents purl generation entirely if the distro isn't
alpine, so this corrects that behaviour.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-24 15:07:07 -05:00
Weston Steimel
0c5f03235e
refactor: move apk upstream logic to apk metadata ( #1619 )
* refactor: move apk upstream logic to apk metadata
Export the logic for parsing upstream APK package names
so it can be accessed from apk metadata objects directly.
This also tightens the upstream regex pattern as several
edge cases were being missed.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: ensure correct handling for apk packages beginning with digits
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* fix: upstream generation for ruby
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-24 15:59:19 +00:00
Keith Zantow
5e8aa4da5e
fix: decoding null apk metadata pullDependencies ( #1614 )
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-02-23 19:55:49 +00:00
Benji Visser
abfec62219
feat: haproxy binary matcher ( #1591 )
Signed-off-by: Benji Visser <benji@093b.org>
2023-02-23 14:39:08 -05:00
Weston Steimel
0c05855131
fix: determine upstream for apk version streams ( #1610 )
Determines better upstream package name for version-stream apk packages:
Examples:
- postgresql-13 -> postgresql
- postgresql15 -> postgresql
- go-1.19 -> go
- perl100.55 -> perl
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-23 17:32:34 +00:00
Weston Steimel
1150772d06
fix: improve CPE generation for curl APK ( #1608 )
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-02-23 17:32:12 +00:00