Add source.NewFromRegistry function so that the syft attest command can always explicitly ask for an OCIRegistry provider rather than rely on local daemon detection for image sources.
Attestation can not be used where local images loaded in a daemon are the source. Digest values for the layer identification step in attestation can sometimes vary across workstations.
This fix makes it so that attest is generating an SBOM for, and attesting to, a source that exists in an OCI registry. It should never load a source from a local user docker/podman daemon.
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* ignore minor parsing error when reading dpkg status files
helps with https://github.com/anchore/syft/issues/733
Question: should we add a smarter parser to guess approximate installed-size
value?
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add datasize lib to help dpkg parsing
added unit tests to expand coverage of dpkg parsing
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop parse error
added unit tests to handleNewKeyValue
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* don't return parsing errors from dpkg
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test higher level functions
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* return parsing err to let cataloger handle it
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* ignore key parsing error
log warning with relevant context
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add context info to log lines
simpler error assertion
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use error.As to assert error in chain
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* bump golang crypto to resolve CVE-2020-29652
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update stereoscope
fetches latest fixes for UI
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use context when getting image
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use SYFT_LOG_FILE
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* enable debug logs when SYFT_LOG_FILE is set
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* set log.file and add tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test log file in temp directory
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add note on binding refactor
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove unused function
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* reduce parallelism of builds and increase install.sh test setup buffer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change logging mechanism for signing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore automatic parallelism determination for goreleaser
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm logging goreleaser version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use a port that is porbably not in use
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* template cli test args
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor signing steps in release/snapshot workflows
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* show signing logs on snapshot or release failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update install.sh + tests to account for new goreleaser changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli tests to account for new goreleaser build names
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix acceptance test to use new snapshot bin path
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add notarization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix FilesByMIMEType tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* change expected mime types in unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test stereoscope fix
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove mod replace and use latest stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* [wip] get assets based on gh api
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put install.sh download_asset fn under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put install.sh install_asset fn under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use zip for darwin installs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix install.sh negative test cases
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow errors to propagate in install.sh
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove exit on error from install.sh tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add more docs around install.sh helpers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add integration tests for install.sh
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add install.sh testing to pipeline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add install test cache to CI
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* make colors globally available
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test download against github release
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* always test release-based install against latest release
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use better install.sh test names
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
