* add test cases for yarn parser regex
Signed-off-by: Patrick Glass <patrickglass@gmail.com>
* update yarn.lock parser to support yarn berry
Add support for Yarn v3 (berry) which changes the output
Collapse regex for parsing scoped and non-scoped packages
Add tests for the regex to ensure backwards compatability
and to catch issues with future changes.
Signed-off-by: Patrick Glass <patrickglass@gmail.com>
* simplify yarn test expressions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Patrick Glass <patrickglass@gmail.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Add source.NewFromRegistry function so that the syft attest command can always explicitly ask for an OCIRegistry provider rather than rely on local daemon detection for image sources.
Attestation can not be used where local images loaded in a daemon are the source. Digest values for the layer identification step in attestation can sometimes vary across workstations.
This fix makes it so that attest is generating an SBOM for, and attesting to, a source that exists in an OCI registry. It should never load a source from a local user docker/podman daemon.
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* ignore minor parsing error when reading dpkg status files
helps with https://github.com/anchore/syft/issues/733
Question: should we add a smarter parser to guess approximate installed-size
value?
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add datasize lib to help dpkg parsing
added unit tests to expand coverage of dpkg parsing
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop parse error
added unit tests to handleNewKeyValue
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* don't return parsing errors from dpkg
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test higher level functions
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* return parsing err to let cataloger handle it
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* ignore key parsing error
log warning with relevant context
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add context info to log lines
simpler error assertion
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use error.As to assert error in chain
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* bump golang crypto to resolve CVE-2020-29652
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update stereoscope
fetches latest fixes for UI
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use context when getting image
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use SYFT_LOG_FILE
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* enable debug logs when SYFT_LOG_FILE is set
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* set log.file and add tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test log file in temp directory
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add note on binding refactor
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove unused function
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* reduce parallelism of builds and increase install.sh test setup buffer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change logging mechanism for signing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore automatic parallelism determination for goreleaser
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm logging goreleaser version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use a port that is porbably not in use
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* template cli test args
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
