Mirrors/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft synced 2024-11-10 06:14:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
1841 commits 73 branches 214 tags 132 MiB
Commit graph

346 commits

Author SHA1 Message Date
dependabot[bot]
284bae9d5f
chore(deps): bump github.com/spf13/afero from 1.9.3 to 1.9.4 (#1609) 
Bumps [github.com/spf13/afero](https://github.com/spf13/afero) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](https://github.com/spf13/afero/compare/v1.9.3...v1.9.4)

---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-24 15:07:52 -05:00
anchore-actions-token-generator[bot]
aa151da5fe
Update Stereoscope to fab1c9638abc2c21cd53dca1f205f37d71148ee0 (#1604) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
 2023-02-22 19:08:35 +00:00
anchore-actions-token-generator[bot]
bb52a25c8a
Update Stereoscope to 529924d6d5aa6c708cceffc651883b6e1e27f5df (#1602) 
Signed-off-by: GitHub <noreply@github.com>
 2023-02-22 08:49:04 +00:00
anchore-actions-token-generator[bot]
2642a36161
Update Stereoscope to 4b5ebf8c7f4b81ca79c4c3f0af1d0723eab87d42 (#1576) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
 2023-02-16 10:22:43 -05:00
dependabot[bot]
1981b249f1
chore(deps): bump golang.org/x/net from 0.6.0 to 0.7.0 (#1574) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-15 12:54:55 -05:00
dependabot[bot]
3013c8b691
chore(deps): bump github.com/docker/docker (#1563) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.0+incompatible to 23.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.0...v23.0.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-10 10:43:19 -05:00
Alex Goodman
988041ba6d
Speed up cataloging by replacing globs searching with index lookups (#1510) 
* replace raw globs with index equivelent operations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add cataloger test for alpm cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix import sorting for binary cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting for mock resolver

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* separate portage cataloger parser impl from cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* enhance cataloger pkgtest utils to account for resolver responses

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for alpm cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for apkdb cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for dpkg cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for cpp cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for dart cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for dotnet cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for elixir cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for erlang cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for golang cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for haskell cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for java cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for javascript cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for php cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for portage cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for python cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for rpm cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for rust cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for sbom cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for swift cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow generic catloger to run all mimetype searches at once

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove stutter from php and javascript cataloger constructors

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump stereoscope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add tests for generic.Search

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add exceptions for java archive git ignore entries

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* enhance basename and extension resolver methods to be variadic

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* dont allow * prefix on extension searches

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add glob-based cataloger tests for ruby cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove unnecessary string casting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate surfacing of leaf link resolitions from stereoscope results

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* [wip] switch to stereoscope file metadata

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* [wip + failing] revert to old globs but keep new resolvers

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* index files, links, and dirs within the directory resolver

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix several resolver bugs and inconsistencies

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* move format testutils to internal package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update syft json to account for file type string normalization

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* split up directory resolver from indexing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update docs to include details about searching

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* [wip] bump stereoscope to development version

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* adjust symlinks fixture to be fixed to digest

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix all-locations resolver tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix test fixture reference

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename file.Type

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump stereoscope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix PR comment to exclude extra *

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump to dev version of stereoscope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump to final version of stereoscope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* move observing resolver to pkgtest

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-02-09 16:19:47 +00:00
dependabot[bot]
08804842fa
chore(deps): bump golang.org/x/net from 0.5.0 to 0.6.0 (#1558) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-09 09:01:56 -05:00
dependabot[bot]
48528efff3
chore(deps): bump golang.org/x/mod from 0.7.0 to 0.8.0 (#1552) 
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.7.0 to 0.8.0.
- [Release notes](https://github.com/golang/mod/releases)
- [Commits](https://github.com/golang/mod/compare/v0.7.0...v0.8.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-08 10:07:37 -05:00
dependabot[bot]
8d856a7c7b
chore(deps): bump golang.org/x/term from 0.4.0 to 0.5.0 (#1551) 
Bumps [golang.org/x/term](https://github.com/golang/term) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/term/releases)
- [Commits](https://github.com/golang/term/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/term
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-08 09:23:31 -05:00
anchore-actions-token-generator[bot]
95201840d2
Update Stereoscope to c49244e4d66f1ee789027ea23acc746968799c3b (#1539) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2023-02-07 10:05:18 -05:00
dependabot[bot]
ad8604c223
chore(deps): bump github.com/docker/docker (#1531) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.23+incompatible to 23.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v20.10.23...v23.0.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-02-02 10:53:22 -05:00
Keith Zantow
1530ef354f
chore: update spdx/tools-golang to v0.5.0-rc1 (#1503) 2023-01-31 11:53:16 -05:00
dependabot[bot]
21ba5d0806
chore(deps): bump github.com/google/go-containerregistry (#1513) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.12.1 to 0.13.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.12.1...v0.13.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-25 13:41:43 +00:00
dependabot[bot]
3269bc98d4
chore(deps): bump golang.org/x/mod from 0.6.0 to 0.7.0 (#1505) 
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/golang/mod/releases)
- [Commits](https://github.com/golang/mod/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-23 15:01:25 -05:00
dependabot[bot]
7f3382f7eb
chore(deps): bump github.com/docker/docker (#1506) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 20.10.20+incompatible to 20.10.23+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v20.10.20...v20.10.23)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-23 14:58:39 -05:00
dependabot[bot]
65e5ff63f0
chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1507) 
Bumps [github.com/Masterminds/sprig/v3](https://github.com/Masterminds/sprig) from 3.2.2 to 3.2.3.
- [Release notes](https://github.com/Masterminds/sprig/releases)
- [Changelog](https://github.com/Masterminds/sprig/blob/master/CHANGELOG.md)
- [Commits](https://github.com/Masterminds/sprig/compare/v3.2.2...v3.2.3)

---
updated-dependencies:
- dependency-name: github.com/Masterminds/sprig/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-23 14:48:22 -05:00
dependabot[bot]
d287c22b69
chore(deps): bump github.com/dustin/go-humanize from 1.0.0 to 1.0.1 (#1508) 
Bumps [github.com/dustin/go-humanize](https://github.com/dustin/go-humanize) from 1.0.0 to 1.0.1.
- [Release notes](https://github.com/dustin/go-humanize/releases)
- [Commits](https://github.com/dustin/go-humanize/compare/v1.0.0...v1.0.1)

---
updated-dependencies:
- dependency-name: github.com/dustin/go-humanize
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-23 14:48:00 -05:00
Luca Comellini
e8be93a8eb
Bump github.com/spdx/tools-golang to v0.4.0 (#1450) 
Signed-off-by: Luca Comellini <luca.com@gmail.com>
 2023-01-20 17:00:21 -05:00
dependabot[bot]
285112fe29
chore(deps): bump github.com/facebookincubator/nvdtools (#1499) 
Bumps [github.com/facebookincubator/nvdtools](https://github.com/facebookincubator/nvdtools) from 0.1.4 to 0.1.5.
- [Release notes](https://github.com/facebookincubator/nvdtools/releases)
- [Commits](https://github.com/facebookincubator/nvdtools/compare/v0.1.4...v0.1.5)

---
updated-dependencies:
- dependency-name: github.com/facebookincubator/nvdtools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-20 14:02:47 +00:00
dependabot[bot]
f29bea5921
chore(deps): bump github.com/jinzhu/copier from 0.3.2 to 0.3.5 (#1498) 
Bumps [github.com/jinzhu/copier](https://github.com/jinzhu/copier) from 0.3.2 to 0.3.5.
- [Release notes](https://github.com/jinzhu/copier/releases)
- [Commits](https://github.com/jinzhu/copier/compare/v0.3.2...v0.3.5)

---
updated-dependencies:
- dependency-name: github.com/jinzhu/copier
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-20 08:51:20 -05:00
dependabot[bot]
39cdbc42aa
chore(deps): bump github.com/vbatts/go-mtree from 0.5.0 to 0.5.2 (#1497) 
Bumps [github.com/vbatts/go-mtree](https://github.com/vbatts/go-mtree) from 0.5.0 to 0.5.2.
- [Release notes](https://github.com/vbatts/go-mtree/releases)
- [Changelog](https://github.com/vbatts/go-mtree/blob/main/releases.md)
- [Commits](https://github.com/vbatts/go-mtree/compare/v0.5.0...v0.5.2)

---
updated-dependencies:
- dependency-name: github.com/vbatts/go-mtree
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-20 08:50:59 -05:00
dependabot[bot]
27b62ce833
chore(deps): bump github.com/gookit/color from 1.4.2 to 1.5.2 (#1496) 
Bumps [github.com/gookit/color](https://github.com/gookit/color) from 1.4.2 to 1.5.2.
- [Release notes](https://github.com/gookit/color/releases)
- [Commits](https://github.com/gookit/color/compare/v1.4.2...v1.5.2)

---
updated-dependencies:
- dependency-name: github.com/gookit/color
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-20 08:50:37 -05:00
dependabot[bot]
499e7c4e16
chore(deps): bump github.com/spf13/viper from 1.14.0 to 1.15.0 (#1495) 
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.14.0 to 1.15.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.14.0...v1.15.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-20 08:50:19 -05:00
dependabot[bot]
09a5baf523
chore(deps): bump github.com/spf13/viper from 1.13.0 to 1.14.0 (#1488) 
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.13.0 to 1.14.0.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](https://github.com/spf13/viper/compare/v1.13.0...v1.14.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-19 10:39:04 -05:00
dependabot[bot]
33c08c8545
chore(deps): bump github.com/bmatcuk/doublestar/v4 from 4.0.2 to 4.6.0 (#1489) 
Bumps [github.com/bmatcuk/doublestar/v4](https://github.com/bmatcuk/doublestar) from 4.0.2 to 4.6.0.
- [Release notes](https://github.com/bmatcuk/doublestar/releases)
- [Commits](https://github.com/bmatcuk/doublestar/compare/v4.0.2...v4.6.0)

---
updated-dependencies:
- dependency-name: github.com/bmatcuk/doublestar/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-19 10:38:50 -05:00
dependabot[bot]
fd002db802
chore(deps): bump github.com/spf13/cobra from 1.6.0 to 1.6.1 (#1490) 
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.6.0 to 1.6.1.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.6.0...v1.6.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-19 14:16:50 +00:00
dependabot[bot]
cb3e4b8e49
chore(deps): bump github.com/go-test/deep from 1.0.8 to 1.1.0 (#1491) 
Bumps [github.com/go-test/deep](https://github.com/go-test/deep) from 1.0.8 to 1.1.0.
- [Release notes](https://github.com/go-test/deep/releases)
- [Changelog](https://github.com/go-test/deep/blob/master/CHANGES.md)
- [Commits](https://github.com/go-test/deep/compare/v1.0.8...v1.1.0)

---
updated-dependencies:
- dependency-name: github.com/go-test/deep
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-19 14:01:33 +00:00
dependabot[bot]
5917f8d8f9
chore(deps): bump github.com/google/go-containerregistry (#1487) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.11.0 to 0.12.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.11.0...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-19 13:47:36 +00:00
dependabot[bot]
70e6d0f2e3
chore(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 (#1475) 
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/compare/v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-18 14:39:50 +00:00
dependabot[bot]
31a763c46d
chore(deps): bump github.com/adrg/xdg from 0.3.3 to 0.4.0 (#1477) 
Bumps [github.com/adrg/xdg](https://github.com/adrg/xdg) from 0.3.3 to 0.4.0.
- [Release notes](https://github.com/adrg/xdg/releases)
- [Commits](https://github.com/adrg/xdg/compare/v0.3.3...v0.4.0)

---
updated-dependencies:
- dependency-name: github.com/adrg/xdg
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-18 09:39:35 -05:00
dependabot[bot]
ae6c9c2e97
chore(deps): bump github.com/sergi/go-diff from 1.2.0 to 1.3.1 (#1476) 
Bumps [github.com/sergi/go-diff](https://github.com/sergi/go-diff) from 1.2.0 to 1.3.1.
- [Release notes](https://github.com/sergi/go-diff/releases)
- [Commits](https://github.com/sergi/go-diff/compare/v1.2.0...v1.3.1)

---
updated-dependencies:
- dependency-name: github.com/sergi/go-diff
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-18 09:39:15 -05:00
dependabot[bot]
f6a0dd33d1
chore(deps): bump github.com/vifraa/gopom from 0.1.0 to 0.2.1 (#1474) 
Bumps [github.com/vifraa/gopom](https://github.com/vifraa/gopom) from 0.1.0 to 0.2.1.
- [Release notes](https://github.com/vifraa/gopom/releases)
- [Commits](https://github.com/vifraa/gopom/compare/v0.1.0...v0.2.1)

---
updated-dependencies:
- dependency-name: github.com/vifraa/gopom
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-01-18 09:38:30 -05:00
Weston Steimel
fc4d28f365
fix: bump golang.org/x/net to v0.4.0 (#1467) 
resolves reporting of CVE-2022-41717

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-01-17 17:02:34 +00:00
Weston Steimel
5290dfb9c2
fix: bump golang.org/x/text to v0.3.8 (#1466) 
This resolves reporting of GHSA-69ch-w2m2-3vjp

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-01-17 15:50:02 +00:00
Christopher Angelo Phillips
44e8ae2577
fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442) 
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2023-01-12 17:22:05 +00:00
Benji Visser
bb6fc6525c
Add alpine type to purl (#1431) 
Signed-off-by: Benji Visser <benji@093b.org>
 2023-01-04 17:35:46 -05:00
Keith Zantow
e1e489a284
fix: unicode output in cyclonedx-json format (#1420) 2022-12-23 08:37:47 -05:00
Christopher Angelo Phillips
730d3e3187
chore: update latest cyclonedx library (#1390) 2022-12-08 11:36:08 -05:00
anchore-actions-token-generator[bot]
f1a124209a
Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395) 
Signed-off-by: GitHub <noreply@github.com>
 2022-12-08 08:32:49 +00:00
anchore-actions-token-generator[bot]
247b054ab5
Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376) 
Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
 2022-11-30 16:11:57 +00:00
Keith Zantow
42cb0a47a4
feat: SPDX 2.3 support (#1311) 2022-11-18 08:54:39 -05:00
Alex Goodman
d7a51a69dd
Update java generic cataloger (#1329) 
* remove centralize pURL generation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* port java cataloger to new generic cataloger pattern

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove common.GenericCataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update format test fixtures to reflect ID updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix package sort instability for encode-decode-encode cycles

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2022-11-09 14:55:54 +00:00
Weston Steimel
919c929798
update go-rpmdb to improve parsing of installed files (#1297) 2022-10-30 23:55:17 -04:00
Alex Goodman
d8c659b65b
replace logger interface with anchore/go-logger (#1279) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2022-10-21 15:12:14 +00:00
anchore-actions-token-generator[bot]
5568cc0dd5
Update syft bootstrap tools to latest versions. (#1267) 2022-10-21 09:42:13 -04:00
Arnaud J Le Hors
d3ee24017e
Use in-toto CycloneDX predicate to be compatible with cosign (#1270) 
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-10-19 09:37:52 -04:00
Keith Zantow
780e1c310c
refactor: Remove experimental Anchore Enterprise upload functionality (#1257) 2022-10-10 16:16:47 -04:00
anchore-actions-token-generator[bot]
d89e320dcd
Update syft bootstrap tools to latest versions. (#1254) 2022-10-07 13:54:42 -04:00
anchore-actions-token-generator[bot]
71187c6416
Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253) 
Co-authored-by: westonsteimel <westonsteimel@users.noreply.github.com>
 2022-10-06 22:04:49 -04:00
anchore-actions-token-generator[bot]
1fa4bab7a7
Update Stereoscope to 1b1b744a919964f38d14e1416fb3f25221b761ce (#1240) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-10-04 10:17:29 +01:00
anchore-actions-token-generator[bot]
911242accc
Update Stereoscope to 56552770e555d764ea72b99d3c810326b27ead4a (#1224) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-09-22 10:44:52 +01:00
anchore-actions-token-generator[bot]
ab6e1c4dc3
Update syft bootstrap tools to latest versions. (#1223) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2022-09-22 10:41:36 +01:00
anchore-actions-token-generator[bot]
0a1cd25ba5
Update bootstrap tools to latest versions. (#1204) 2022-09-14 15:28:08 -04:00
Keith Zantow
70db13d49e
Add RPM file scanning support (#1188) 2022-09-07 14:16:30 -04:00
Christopher Angelo Phillips
a7966a4d9d
update stereoscope to latest (#1181) 2022-08-29 19:28:19 +00:00
anchore-actions-token-generator[bot]
2c882f6239
Update syft bootstrap tools to latest versions. (#1176) 
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2022-08-25 09:14:24 -04:00
anchore-actions-token-generator[bot]
b0fc955e0c
Update syft bootstrap tools to latest versions. (#1171) 
* Update syft bootstrap tools to latest versions.

Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
 2022-08-23 20:36:59 +01:00
anchore-actions-token-generator[bot]
1344889766
Update Stereoscope to 84004345484edb881f1cc1d841115da8abda06c3 (#1151) 
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-08-09 08:59:35 +00:00
anchore-actions-token-generator[bot]
4df84d380d
Update Stereoscope to 1c79d5c84abcc54466417fcc17c844a4875888a1 (#1149) 
Signed-off-by: GitHub <noreply@github.com>

Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-08-06 10:52:42 -04:00
Weston Steimel
fce83321ba
bump cosign to v1.10.1 (#1144) 2022-08-04 19:03:57 +00:00
Keith Zantow
69bde44c6e
Update stereoscope to get rid of the replace directive (#1140) 2022-08-03 12:24:20 -04:00
Christopher Angelo Phillips
042304ee4c
Correct squashfs import and fix incorrect bouncer configuration (#1138) 2022-08-03 09:46:14 -04:00
Adam Hughes
d361d40cfa
Singularity Image Support (#974) 
* docs: add Singularity image support

Add "singularity-image" scheme to CLI documentation and README.

Signed-off-by: Adam Hughes <9903835+tri-adam@users.noreply.github.com>

* upgrade stereoscope + docs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2022-08-02 11:42:46 -04:00
Tom Fay
b4c272885d
Bump go-rustaudit to support rustaudit 0.2.0 (#1127) 2022-08-01 09:20:31 -04:00
Tom Fay
9896ff1b1f
add a cataloger for binaries built with rust-audit (#1116) 
* add a cataloger for binaries built with rust-audit

Signed-off-by: Tom Fay <tomfay@microsoft.com>
 2022-07-28 18:17:38 +00:00
Weston Steimel
b720a3c81c
bump cosign to v1.10.0 (#1114) 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2022-07-22 09:41:38 -04:00
Marco Deicas
ba9adb17eb
Update sigstore/rekor dependency (#1112) 2022-07-21 09:17:16 -04:00
Christopher Angelo Phillips
64b4852c2a
moves go-rpmdb to latest; libc => v1.16.7 (#1098) 2022-07-12 10:30:21 -04:00
anchore-actions-token-generator[bot]
b3a7b912e1
Update Stereoscope to 777471f38c5b2f15c19d6cffe093ce6392d8040c (#1090) 
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-07-11 09:42:59 -04:00
anchore-actions-token-generator[bot]
c7fa498a1b
Update Stereoscope to cfbd966e5a8d11d73cd17adc8b8ab8468a086f1e (#1089) 
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-07-07 10:05:55 -04:00
anchore-actions-token-generator[bot]
1e3ffbebb9
Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072) 
Co-authored-by: kzantow <kzantow@users.noreply.github.com>
 2022-06-29 10:18:41 -04:00
Jonas Xavier
aed1599c4d
add template output (#1051) 
* add template output

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* remove dead code

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix template cli flag

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* implement template's own format type

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* simpler code

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix readme link to Go template

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* feedback changes

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* simpler func signature patter

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* nit

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* fix linter error

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
 2022-06-17 14:04:31 -04:00
Christopher Angelo Phillips
03e37044d4
update stereoscope to latest version (#1052) 2022-06-16 14:56:33 -04:00
Morten Linderud
e72d68b0c6
Add pacman (alpm) parser support (#943) 
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-06-13 18:51:37 +00:00
Weston Steimel
b8d1a46e7e
bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (#1025) 
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-06-08 11:51:10 -04:00
Tom Fay
3db3efacdc
Support RPM distros with newer RPM db formats (#1018) 
* Support RPM distros with newer db formats

Recent RPM distros (Fedora 33+, CBL-Mariner 2.0+, amazonlinux 2022+)
use an sqlite package database in /var/lib/rpm/rpmdb.sqlite, or
"ndb" format (SUSE).

Remove anchore's fork in favour of the upstream,
https://github.com/knqyf263/go-rpmdb, to gain support for
these formats.

Signed-off-by: Tom Fay <tomfay@microsoft.com>

* add exception for modernc.org repos

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* shorten rpmdb helper function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2022-05-31 17:25:22 -04:00
Jonas Xavier
0f5a9eed09
bump stereoscope version to include source path fix (#1005) 
* bump stereoscope version to include source path fix

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* go mod tidy

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
 2022-05-18 13:53:53 -07:00
Weston Steimel
8420612724
bump cosign to v1.8.0 (#1003) 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2022-05-18 17:17:21 +01:00
Christian Kotzbauer
1cea0ecd5c
feat: add initial dotnet-support (#951) 
* feat: add initial dotnet-support

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: add path, sha512 and hashpath

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: add missing dot

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix: lint warnings

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* fix CLI test package counts to account for dotnet

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix: updated packagurl-go

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>

* tidy go.sum

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update json schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2022-05-05 15:32:02 -04:00
Christopher Angelo Phillips
03d51c36d0
golang.org/x/crypto upgrade (#979) 2022-05-02 21:33:40 +00:00
Christian Köberl
7d8ea39ee5
update to cyclonedx-go 0.5.2 (#971) 2022-04-28 10:42:12 -04:00
Christopher Angelo Phillips
6029dd7c2e
refactor command package to remove globals and add dependency injection 2022-04-26 18:23:03 +00:00
Alex Goodman
748cfbf006
Retry auth URL lookup without docker credentialhelper workaround (#939) 2022-04-06 16:27:13 +00:00
Alex Goodman
f157d7a862
Pull from DockerHub fails for public images when using SSO (#928) 2022-03-30 17:32:49 +00:00
Alex Goodman
cc2c0e57a0
bump strset version to fix 386 builds (#911) 2022-03-23 14:34:54 -04:00
Alex Goodman
5253da4b36
Rollback referencing docker config items (#912) 2022-03-23 18:33:41 +00:00
Alex Goodman
cffcaf5984
Improve docker config support (#906) 2022-03-22 11:02:54 -04:00
j-k
a644a45ef4
Correct go.mod to enforce go 1.18 (#897) 
Since syft now depends on debug/buildinfo go 1.18 is required to build
syft and as such go.mod needs updating

Signed-off-by: 06kellyjac <jack@control-plane.io>
 2022-03-21 15:38:32 -04:00
Alex Goodman
069aa68b63
Fix image cleanup when there is an error (#905) 2022-03-21 14:48:11 +00:00
Jonas Xavier
6ef3e45ffc
Use go 1.18 buildinfo to catalog binaries (#827) 
* initial working version

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* added build settings to pkg metadata

wip - unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* handle mach-O FatFiles

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add support to mod replace

fixed golang catalger tests

trying GH Actions with go 1.18rc1

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* log error

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* use go-macholibre for extraction

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* cleaner tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add version to main module

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* check macho file with macholibre

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* run golangci in its own workflow

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip - golangci workflow

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix golangci wf yml

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix golangci wf yml

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip - golangci wf

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* wip - golangci wf

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* get arch from bin file headers

upgrade macholibre

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* test new stereoscope lazy reader interface

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove devel version from golang cataloger

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* switch github workflows to go1.18 stable

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add union reader interface in golang cataloger

update stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* simpler golangci validation

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix makefile

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* get archs refactor

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* nolint for golang version

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix go bin tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* golangci nolint needs a \n before package

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* cleanup

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* move golangci-lint to its own jobs again

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix ci yaml

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add support for xcoff files

add arch assets to test bin file types

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* clean up golangci-lint config

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* nolint for xcoff

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* explain nolints

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove unused xcoff testdata assets

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* make go bin test-fixtures in docker

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix make clean with -f

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* update json output schema

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* update schema version in test fixture

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* explain possible empty main module

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
 2022-03-16 17:07:02 -07:00
mikey strauss
95271fb10d
NPM PURLs are invalid (#832) 
Signed-off-by: houdini91 <mdstrauss91@gmail.com>
 2022-03-15 11:54:33 -04:00
Christopher Angelo Phillips
fa03723617
Upgrade vault api from v1.3.1 to v1.4.1 (#878) 
* move v1.3.1 => v1.4.1
* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-03-09 15:11:07 -05:00
Sambhav Kothari
39737a2825
Update cyclonedx to v1.4 (#820) 2022-03-08 12:09:55 -05:00
Alex Goodman
5123f073c7
Update containerd via stereoscope (#870) 
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-03-07 17:37:20 +00:00
Alex Goodman
a86dd3704e
Add platform selection (#866) 2022-03-04 22:41:38 +00:00
Dan Luhring
1e75cb0418
Update to cosign v1.5.2 (#857) 2022-03-02 15:09:47 +00:00
Christopher Angelo Phillips
afc0c1acd9
855 attest registry source only (#856) 
Add source.NewFromRegistry function so that the syft attest command can always explicitly ask for an OCIRegistry provider rather than rely on local daemon detection for image sources.

Attestation can not be used where local images loaded in a daemon are the source. Digest values for the layer identification step in attestation can sometimes vary across workstations.

This fix makes it so that attest is generating an SBOM for, and attesting to, a source that exists in an OCI registry. It should never load a source from a local user docker/podman daemon.

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2022-03-01 23:16:42 -05:00
Alex Goodman
99bb93d0fe
Resolve symlinks when fetching file contents (#782) 2022-02-24 10:01:59 -05:00
Christopher Angelo Phillips
256e85bc12
510 - SBOM attestation stdout (#785) 
add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-02-22 21:45:12 -05:00
Alex Goodman
51c6eb30f5
bump stereoscope to include functional options (#823) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2022-02-14 20:40:51 -05:00
Christopher Angelo Phillips
e1e9ccb401
update golang crypto library dependency (#815) 
* bump golang crypto to resolve CVE-2020-29652

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-02-11 13:36:52 -05:00
Jonas Xavier
a04fa68539
Ensure completion of UI progress bar (#810) 
* update stereoscope

fetches latest fixes for UI

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* use context when getting image

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
 2022-02-09 11:23:58 -08:00
Keith Zantow
76f8205936
Suport SPDX SBOM decoding (#738) 2022-02-09 14:11:20 -05:00
Jonas Xavier
40423d8eee
update stereoscope version - include Podman support (#781) 
* update stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix FilesByMIMEType tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* change expected mime types in unit tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* test stereoscope fix

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove mod replace and use latest stereoscope

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
 2022-02-01 14:47:15 -08:00
Alex Goodman
706f291679
Replace distro type (#742) 
* remove strong distro type

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump json schema to v3 (breaking distro shape)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow for v2 decoding of distro idLikes field in v3 json decoder

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix casing in simple linux release name

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use discovered name as pretty name in simple linux release

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2022-01-12 12:13:42 -05:00
Christopher Angelo Phillips
b77ddfc29c
bump stereoscope version to remove old containerd (#741) 
* bump stereoscope version to remove old containerd

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* go mod tidy

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2022-01-10 13:40:24 -05:00
Keith Zantow
5e5312c72d
Add support for multiple output files in different formats (#732) 2022-01-06 17:52:20 -05:00
Alex Goodman
38c4b17847
Add support for searching for jars within archives (#734) 
* add support for searching jars within archives

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add package cataloger config options

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments + factor out safeCopy helper

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update config docs regarding package archive search options

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* show that unindexed archive cataloging defaults to false

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove lies about -s

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update search archive note about java

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2022-01-06 21:40:51 +00:00
Dan Luhring
7de5e1288f
Fix unhelpful error message for oci-archive scheme (#705) 
* Improve error message

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Return error from stereoscope immediately

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Bump version of stereoscope

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Conditionally retry image retrieval

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Update error message for source construction failure

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Update stereoscope

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Retry image pull without predetermined image source

Signed-off-by: Dan Luhring <dan+github@luhrings.com>

* Add comment to image pull source determination

Signed-off-by: Dan Luhring <dan+github@luhrings.com>
 2021-12-22 18:53:23 +00:00
Jonas Galvão Xavier
5374a1dc6f
add cyclone-json output format (#635) 
* add cyclone json format

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* adapt format to sbom.SBOM structure

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* cycloneDX json output with official lib

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add cycloneDX 1.3 schema output in xml

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix lints errors

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* tidying go mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove cycloneDX 1.2 format

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* update cycloneDX xml schema

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix cyclone according to schema

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* use RFC 2141 URN form of uuid for serial number

add schema validation for cycloneDX 1.3 JSON output

add yajsv cli for JSON schema validation during tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* tidying go mod up

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go get json schema validator

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* install yajsv without mess with go mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* reuse code between cycloneDX json & xml encoders

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add output options for cyclone XML

add bom.json to .gitignore

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add cyclone json format

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* adapt format to sbom.SBOM structure

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* cycloneDX json output with official lib

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add cycloneDX 1.3 schema output in xml

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix lints errors

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* tidying go mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* remove cycloneDX 1.2 format

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* update cycloneDX xml schema

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix cyclone according to schema

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* use RFC 2141 URN form of uuid for serial number

add schema validation for cycloneDX 1.3 JSON output

add yajsv cli for JSON schema validation during tests

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* tidying go mod up

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go get json schema validator

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* install yajsv without mess with go mod

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* reuse code between cycloneDX json & xml encoders

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* add output options for cyclone XML

add bom.json to .gitignore

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* fix cyclone12xml removal

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* feedback changes

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>

* go mod tidy

Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
 2021-12-03 17:06:23 -08:00
Alex Goodman
22c4b275e7
bump containerd and image-spec (#654) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-12-03 16:12:43 +00:00
Alex Goodman
ffccfc8f3f
update stereoscope to bump docker dependency (#648) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-12-02 11:18:00 -05:00
Alex Goodman
00206233e6
use smaller jotframe event buffer (#647) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-30 11:23:16 -05:00
Alex Goodman
d76c868481
Catalog archive contents for single-file input (#637) 
* add first-level archive processing when input is a file

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add license exception for github.com/xi2/xz

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* always return cleanup function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* change source.NewFromFile log entry to warn

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure file source always has cleanup function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* ensure we are always preferring the unarchive cleanup function for source

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-19 14:16:25 +00:00
Alex Goodman
9090c3a772
bump stereoscope, docker, and GGCR (#633) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-16 19:43:46 +00:00
Alex Goodman
ef627d82ef
Introduce relationships as first-class objects (#607) 
* migrate pkg.ID and pkg.Relationship to artifact package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* return relationships from tasks

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix more tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add artifact.Identifiable by Identity() method

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove catalog ID assignment

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* adjust spdx helpers to use copy of packages

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* stabilize package ID relative to encode-decode format cycles

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename Identity() to ID()

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use zero value for nils in ID generation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* enable source.Location to be identifiable

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* hoist up package relationship discovery to analysis stage

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update ownership-by-file-overlap relationship description

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add test reminders to put new relationships under test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* adjust PHP composer.lock parser function to return relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-16 14:14:13 -05:00
Alex Goodman
8ec3f1d102
Use anchore fork of go-presenter (#611) 
* use anchore fork of go-presenter

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* drop coverage threshold

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-02 18:09:26 +00:00
Alex Goodman
ecab44bba1
Add SPDX tag-value format object (#605) 
* add new spdx tag-value format

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove public presenter package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-11-02 13:45:34 -04:00
Christopher Angelo Phillips
a2882ee810
Update package identifier to be constant across multiple syft run (#595) 
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
 2021-10-29 16:00:36 +00:00
Alex Goodman
ff5fa2dc1d
pull in space suffix fix (#587) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-10-25 10:14:17 -04:00
Christopher Angelo Phillips
10fa8dc7c9
Add windows support (#548) 
* update  build tags, ui support, and stereoscope, and release for windows support

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
 2021-10-21 12:49:36 -04:00
Christopher Angelo Phillips
3462e18af3
478 identify go binaries and extract mod information (#534) 
* add query by MIME type to source.FileResolver

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* import stereoscope lib changes to find mime type

- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* add go std library code to unpack bin

- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines the required changing

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
 2021-10-07 12:16:38 -04:00
Alex Goodman
9189ed68df
Add query by MIME type to source.FileResolver (#529) 
* add query by MIME type to source.FileResolver

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in stereoscope MIME type feature

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-10-05 20:50:53 -04:00
Dan Luhring
316d4341c8
Use Anchore fork of packageurl lib without replace directive (#512) 
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2021-09-22 15:04:09 -04:00
Alex Goodman
9fe1da8ee6
update go-rpmdb and restruct gomod references (#506) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-09-14 14:51:19 -04:00
Alex Goodman
abbba3fc19
Modify CPE vendor candidate generation approach (#484) 
* consider additional vendor candidates for ruby, python, rpm, npm, and java

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add java pom.xml processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* allow for downstream transform control in cpe generation processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* migrate CPE generation logic to dedicated package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* split java manifest groupID extraction into two tiers

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract groupID from pom parent project during CPE generation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update java groupID processing tests to cover multi-tier approach

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix constructor names for cpe.fieldCandidate

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename helper function to startsWithTopLevelDomain

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add nil changes for java manifest sections

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update comment to reflect parsing maven files

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* split out java description parsing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* split out pom parent processing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* simplify vendorsFromGroupIDs and associated tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* simplify test type for vendorsFromGroupIDs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* copy candidate varidations to new instances

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename CPE generation string util functions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add an explanation around fieldCandidate

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* simplify type for the cpe.fieldCandidateSet

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* make CPE filter function names more readable

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update groupIDsFromJavaManifest to use a guard clause

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract groupID extraction from artifactID fields into a separate function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump goreleaser version to combat failure

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-09-03 14:21:25 -04:00
Keith Zantow
93b4bf9379
Add option to enable http registry connections (#482) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2021-08-17 12:52:51 -04:00
Keith Zantow
58f2be95fd
chore: update packageurl-go and add encoding tests for #351 (#481) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2021-08-13 15:39:52 -04:00
Alex Goodman
fee35dd175
redirect cursor hide/show to stderr (#456) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-06-30 13:10:00 -04:00
Alex Goodman
962e82297c
Split UI from event handling (#448) 
* split UI from event handling

Signed-off-by: Alex Goodman <wagoodman@gmail.com>

* add event loop tests

Signed-off-by: Alex Goodman <wagoodman@gmail.com>

* use stereoscope cleanup function during signal handling

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* correct error wrapping in packages cmd

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* migrate ui event handlers to ui package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* clarify command worker input var + remove dead comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-06-29 18:28:09 +00:00
Alex Goodman
706322f826
Add SPDX support (#445) 
* add initial spdx support

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* expose FileOwner and use in SPDX presenter

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add initial json support for SPDX

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add remaining package fields

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add spdx license list generation + tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* keep fileOwner unexported from pkg

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* restore cli test util

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add external refs to spdx tag-value format

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add golang support to CPE generation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use tag-value format as default "spdx" format flavor

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add tests around spdx presenters + refactor presenter tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add bouncer exception for spdx tools-golang repo

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove spdx model questions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-06-25 16:30:41 -04:00
Alex Goodman
2f81a2548c
allow for RPM package epoch to be optionally provided in the version string 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-06-02 15:28:12 -04:00
Dan Luhring
8be0d988e7
Fix go mod tidy release problem (#422) 
* Add go mod tidy check

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Run go mod tidy

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2021-05-25 17:13:58 -04:00
Dan Luhring
17bbf840cf
Allow registry auth config without authority value (#420) 
* Allow registry auth config without authority value

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

* Update CLI tests for new stereoscope log output

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2021-05-24 16:05:56 -04:00
Alex Goodman
0c7706f254
add extra RPM file record fields (user, group, flags) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-04-16 10:25:46 -04:00
Alex Goodman
2ff3f58730
pull in stereoscope manifest + repo digests on registry source 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-04-13 18:29:12 -04:00
Alex Goodman
c363b2b532
Add ability to pull images directly from a registry (#378) 
* add registry image source

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* use explicit source for fetching image + add scheme and registry tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* adjust test variable name and add credential helper function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-04-13 13:30:57 +00:00
Alex Goodman
7ec0e3785f
bump stereoscope ; pull in fix to ensure credentials are not HTML encoded 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-04-05 14:20:49 -04:00
Alex Goodman
3ef30f99be
pull in stereoscope cache fix + add test cache makefile target helpers 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-03-23 14:31:59 -04:00
Alex Goodman
d420368ba9
add tests around new file metadata cataloger 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-03-23 11:00:59 -04:00
Alex Goodman
1d87f07da1
update pipeline with new levels of testing 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-03-22 10:58:07 -04:00
Alex Goodman
48a1d4711a
update presenter tests with json schema 1.0.3 examples + rename rust metadata type 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-03-22 09:44:55 -04:00
Alex Goodman
6d5ff0fd8e
Mark package relations by file ownership (#329) 
* add marking package relations by file ownership

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* correct json schema version; ensure fileOwners dont return dups; pin test pkg versions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* extract package relationships into separate section

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* pull in client-go features for import of PackageRelationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* move unit test for ownership by files relationship further down

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename relationship to "ownership-by-file-overlap"

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-02-25 13:47:13 -05:00
Dan Luhring
3b4d4b186f
Bring in fix to zero layers panic from stereoscope 
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2021-02-01 11:54:30 -05:00
Alex Goodman
33c27c4f3d
add HasPath() to Resolver interface 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-01-04 19:39:49 -05:00
Alex Goodman
7f4e8ab97d
Fix symlink resolutions for constituent paths (#304) 
* bump stereoscope to pull in content API refactors

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate symlink fixes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* with filetree.File() adjustments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* regress all-layers scope to not include dead-links + default tests to squashed scope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* restore all layers resolver glob behavior (custom + lazy link resolution)

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate filetree link resolution options and restore no-follow dead link option for resolvers

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* removed path from lower-level FileTree.File() calls

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump stereoscope to pull in latest link resolution fixes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump doublestar to v2 for directory resolver

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-01-04 16:41:45 -05:00
Alex Goodman
d475e6280a
bump stereoscope to pull in content API refactors 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2021-01-04 14:07:14 -05:00
Alex Goodman
6aaf9ee712
Incorporate import changes + add image overwrite option (#294) 
* incorporate import changes + add image overwrite option

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update import tests to account for arbitrary json shape

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-12-18 16:59:30 -05:00
Alex Goodman
82c8a8e17b
add mem profile option and refactor python cataloger for batch requests 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-12-15 10:59:14 -05:00
Alex Goodman
52bac6e2fd
Add enterprise upload capability (#285) 
* add support to upload results to enterprise

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add package sbom upload

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add dockerfile support

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add manifest, index, and dockerfile import functions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* schema version to json output + enhance json schema generation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* modify package SBOM shape to be entire syft document + add etui updates

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add import image config and manifest support

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add config options for import to enterprise

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* incorporate final stereoscope and client-go deps

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-12-09 22:20:53 -05:00
Alex Goodman
3ce7eabc98
bump stereoscope to remove tree-catalog syft check 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-12-03 16:20:17 -05:00
Alex Goodman
2989d3d975
include CPEs with elementds from POM GroupId fields 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-12-01 08:00:49 -05:00
Dan Luhring
ae71b8832d
Update stereoscope version to fix opaque directory merge issue (#278) 
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2020-11-30 11:37:44 -05:00
Alex Goodman
8a17bfb69f
generate json schema from struct definitions 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-11-20 15:47:10 -05:00
Alex Goodman
3aaa0e5566
move package purl and cpes (identities) to pkg.Package 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-11-19 11:25:51 -05:00
Alex Goodman
aa0d444fd4
fix tests to use location instead of file.Reference 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-11-17 12:37:12 -05:00
Alex Goodman
6aba2f48d4
split out rpmdb file processing to helper + lint fixes 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-11-06 10:44:27 -05:00
Alex Goodman
8095cd9980
add rpmdb file info to cataloger 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-11-06 07:21:23 -05:00
Dan Luhring
f19cb03aa0
Update doublestar to include fix for open dirs issue (#240) 
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2020-10-26 11:19:25 -04:00
Alex Goodman
576fbc898b
rm stereoscope from testutils (#181) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-09-25 14:53:05 -04:00
Alex Goodman
3d91a66536
Add OCI support + use URI schemes for user image input (#178) 
* add oci support + update image schemes

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update docs to reflect OCI image sources + URI scheme change

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update to oci-dir

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump upstream stereoscope pin

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-09-25 10:24:24 -04:00
Samuel Dacanay
b467964044 port over shell completion w/ cobra from grype, find/replace, etc. 
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
 2020-09-15 09:07:17 -07:00
Alex Goodman
8a4886ec0e
Add package URL support to the CycloneDX presenter (#164) 
* add package URL support to the CycloneDX presenter

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* wrap license tags with licenses

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-08-30 21:40:19 -04:00
Alex Goodman
95517d131a Improve overall documentation (#148) 
* improve overall documentation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests to use scope.Resolver over scope

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-08-13 16:34:32 -04:00
Dan Luhring
47a0454084 Update dependencies (#147) 
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
 2020-08-13 12:12:05 -04:00
Alex Goodman
5042d371cf
migrate to anchore/go-rpmdb (#144) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-08-11 15:32:51 -04:00
Alex Goodman
2d452bf59e
Add inline-comparison as acceptance test (#130) 
* add inline-compare as acceptance test

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add additional RPM metadata

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add comments and doc strings to the compare-* make targets

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2020-08-10 10:33:44 -04:00
Alex Goodman
e2a874a277
finalize json output & add schema (#118) 2020-08-04 16:05:53 -04:00
Alex Goodman
8fe59c6f1a
bump stereoscope for docker pull + add UI elements for pull status (#117) 2020-08-03 16:03:47 -04:00
Alex Goodman
78515da285
replace zap logger with logrus (#116) 2020-08-01 11:56:38 -04:00
Alex Goodman
e3976596f3
pull in fix for bounds check progress formatting values in etui 2020-07-31 06:56:20 -04:00
Alex Goodman
271ba35c85
Export UI handlers for reuse in other tools (#113) 
* export UI handlers for reuse in other tools

* bump jotframe to fix cursor issues at frame close
 2020-07-30 15:16:58 -04:00
Alex Goodman
32071b0bf1
add default table presenter 2020-07-23 21:48:12 -04:00
Alex Goodman
ba4f63099d
Add release process (#89) 
* add check for app update; fix ETUI error handling

* validate user args

* add goreleaser support

* replace cgo dependencies (go-rpm) with go equivalents

* add acceptance tests against build snapshot

* add brew tap + acceptance test pipeline

* add mac acceptance tests

* fix compare makefile

* fix mac acceptance tests

* add release pipeline with wait checks

* add token to release step

* rm dir presenters int test

* enforce dpkg to be non interactive

Co-authored-by: Alfredo Deza <adeza@anchore.com>

* pin brew formulae

* pin skopeo to formulae url

* only run acceptance tests

Co-authored-by: Alfredo Deza <adeza@anchore.com>
 2020-07-23 10:52:44 -04:00
Alex Goodman
44c69f1f91
add go.mod cataloger (#97) 2020-07-23 08:17:30 -04:00
Alex Goodman
7ebb9f4e0b
Add check for app update (#88) 
* add check for app update; fix ETUI error handling

* validate user args
 2020-07-21 12:02:03 -04:00
Alfredo Deza
942cd6eb18 dependencies: add doublestar for recursive globbing support 
Signed-off-by: Alfredo Deza <adeza@anchore.com>
 2020-07-21 11:10:02 -04:00
Alex Goodman
e8d11eec69
add license validation (#80) 2020-07-13 13:07:20 -04:00
Alex Goodman
1896831c39
add rpmdb support; enhance integration tests 2020-07-06 12:55:11 -04:00
Alex Goodman
d59a19697d
add coverage + makefile improvements 2020-07-06 07:25:18 -04:00
Alex Goodman
926b5f2a50
add and use event bus for UI progress 2020-06-25 10:39:11 -04:00
Alex Goodman
cd94179985
add symlink content fetching support 2020-06-16 11:37:37 -04:00
Alex Goodman
83e96e8880
generalize common analyzer elements 2020-06-04 17:49:52 -04:00
Alex Goodman
f33720eaa1
add gem analyzer 2020-06-04 14:42:59 -04:00
Alex Goodman
cc724bff26
use filetree reader instead of filetree 2020-06-02 08:52:26 -04:00
Alex Goodman
45fbd05cf9
add first distro support 2020-06-01 10:46:06 -04:00
Alex Goodman
a0e48468c2
with package id 2020-05-29 16:06:31 -04:00
Alex Goodman
1b9effeb49
remove WithFields; add stereoscope logging 2020-05-23 19:22:52 -04:00
Alex Goodman
ae6feed8fc
add named logger + color formatting 2020-05-22 11:30:45 -04:00
Alex Goodman
3e71315195
add app config and logging interface 2020-05-21 15:25:59 -04:00
Alex Goodman
2471663d27
sync/fmt linting tasks with stereoscope 2020-05-21 09:37:20 -04:00
Alex Goodman
17b4b26fbb
update sterescope + add json presenter 2020-05-20 18:29:06 -04:00
Alfredo Deza
09cf5b9862 update go.mod and go.sum 
Signed-off-by: Alfredo Deza <adeza@anchore.com>
 2020-05-18 14:14:50 -04:00
Alex Goodman
1342cc5b06
add analysis coordination (with dummy analyzer) 2020-05-18 11:59:33 -04:00
Alex Goodman
1e5c7bb5c7
initial project structure 2020-05-12 10:45:18 -04:00