Commit graph

1433 commits

Author SHA1 Message Date
Christopher Angelo Phillips
4601ca3735
fix: update field plurality of 8.0.0 schema before release (#1820)
to keep things consistent across the schema we want Locations and URLs to be plural fields now that they are fields on the License struct
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-05-16 13:05:48 -04:00
Christopher Angelo Phillips
1a2a49840b
fix: update cataloger to check for expressions before split (#1819)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-05-16 16:04:28 +00:00
Christopher Angelo Phillips
42fa9e4965
feat: update syft license concept to complex struct (#1743)
this PR makes the following changes to update the underlying license model to have more expressive capabilities
it also provides some guarantee's surrounding the license values themselves

- Licenses are updated from string -> pkg.LicenseSet which contain pkg.License with the following fields:
- original `Value` read by syft
- If it's possible to construct licenses will always have a valid SPDX expression for downstream consumption
- the above is run against a generated list of SPDX license ID to try and find the correct ID
- SPDX concluded vs declared is added to the new struct
- URL source for license is added to the new struct
- Location source is added to the new struct to show where the expression was pulled from
2023-05-15 16:23:39 -04:00
Shane Alvarez
8046f09562
fix: cyclonedx depends-on relationship inverted (#1816)
Signed-off-by: Shane Alvarez <shane.alv@gmail.com>
2023-05-15 09:59:26 -04:00
mikey strauss
b4ed599481
fix: retain sbom cataloger relationships (#1509)
Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com>
Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>
2023-05-15 09:57:21 -04:00
William Murphy
e925d9d4a5
feat: warn if parsing newer SBOM (#1810)
If syft is asked to parse an SBOM that was written by a newer version of
syft, emit a warning, since the current version of syft doesn't know about 
fields that may be added in the future.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-05-11 08:55:27 -04:00
William Murphy
da3624644a
feat: Add R cataloger (#1790)
Add a cataloger that detects installed R packages by looking for DESCRIPTION
files. The base R package is now picked up in coverageImage tests in
test/cli/packages_cmd_test.go, so increment expected package counts for the
tests that use that image.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-05-10 12:30:11 -04:00
Bob Callaway
0580328ad9
update cosign to v2 release (different go module) (#1805)
Signed-off-by: Bob Callaway <bcallaway@google.com>
2023-05-10 11:12:37 -04:00
William Murphy
291da8cd12
fix: Reduce log spam on unknown relationship type (#1797)
Rather than log a warning for every instance of an unknown relationship type,
or similar error, log a count of how many times each of these errors is
raised.

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-05-10 09:51:12 -04:00
anchore-actions-token-generator[bot]
8a3cbf2fdd
chore(deps): update bootstrap tools to latest versions (#1807) 2023-05-10 08:25:36 -04:00
dependabot[bot]
ef08d0fa39
chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.9.0 to 0.10.0.
- [Commits](https://github.com/golang/net/compare/v0.9.0...v0.10.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-09 11:59:39 -04:00
dependabot[bot]
75d625b697
chore(deps): bump github.com/docker/docker (#1795)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.5+incompatible to 23.0.6+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.5...v23.0.6)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-08 12:45:50 -04:00
dependabot[bot]
88ba8b78fc
chore(deps): bump github.com/google/go-containerregistry (#1796)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.14.0 to 0.15.1.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.14.0...v0.15.1)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-08 12:45:30 -04:00
anchore-actions-token-generator[bot]
3f19aa589c
chore(deps): update bootstrap tools to latest versions (#1792) 2023-05-07 13:23:41 -04:00
William Murphy
630c18e0d3
Print package list when extra packages found (#1791)
The tests in test/cli/packages_cmd_test.go are hard to debug when different
packages are found in different environments. For example, CI runs and M1 macs
have been observed to have different package counts. Therefore, if the test is
about to fail, log a sorted list of the packages that were found, so that it is
easy to compare failures of these tests.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-05-05 15:57:13 -04:00
anchore-actions-token-generator[bot]
1860bab24b
chore(deps): update bootstrap tools to latest versions (#1786) 2023-05-05 14:57:02 -04:00
dependabot[bot]
e31839a370
chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787) 2023-05-05 18:56:40 +00:00
Josh Bressers
0f1aed4477
Update the CPE generation for spring-security-core (#1789)
* Update the CPE generation for spring-security-core
* Add vendor test for spring-security

Signed-off-by: Josh Bressers <josh@bress.net>

---------

Signed-off-by: Josh Bressers <josh@bress.net>
2023-05-05 15:41:41 +00:00
Keith Zantow
ddb338d834
chore: do not HTML escape PackageURLs (#1782)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-05-05 10:08:04 -04:00
Keith Zantow
354c72bbf4
chore: do not include kernel module cataloger by default (#1784) 2023-05-05 09:54:24 -04:00
Jeff Squyres
d63a1f5f80
chore(docs): Update lists of catalogers (#1780)
Signed-off-by: Jeff Squyres <jeff@squyres.com>
2023-05-04 15:36:22 -04:00
Keith Zantow
645206735e
chore: add more detail on SPDX file IDs (#1769) 2023-05-02 16:52:18 -04:00
Filip Pytloun
95a04cadea
Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756)
Fixes: https://github.com/anchore/syft/issues/1755

Signed-off-by: Filip Pytloun <filip@pytloun.cz>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-05-02 16:43:52 -04:00
dependabot[bot]
dd458a2b33
chore(deps): bump github.com/docker/docker (#1767)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.4+incompatible to 23.0.5+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.4...v23.0.5)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-02 16:43:16 -04:00
Alex Goodman
5f3d4d285b
rename sbom.PackageCatalog to sbom.Packages (#1773)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-05-01 10:19:58 -04:00
dependabot[bot]
10c3cc27e8
chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.22.0 to 1.22.1.
- [Release notes](https://gitlab.com/cznic/sqlite/tags)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.22.0...v1.22.1)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-27 11:58:59 -04:00
Shane Dell
a07bfe7dfa
Create python requirements metadata (#1759)
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data

Closes anchore/grype#1246
Closes anchore/grype#1251

Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-27 09:04:30 -04:00
Keith Zantow
451cb9d5ca
chore: update test redactor ordering (#1765)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-04-26 20:42:43 +00:00
Alex Goodman
fd02bef0a3
rename pkg.Catalog to pkg.Collection (#1764)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-26 13:56:33 -04:00
dependabot[bot]
02bd52728e
chore(deps): bump modernc.org/sqlite from 1.21.2 to 1.22.0 (#1758)
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.21.2 to 1.22.0.
- [Release notes](https://gitlab.com/cznic/sqlite/tags)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.21.2...v1.22.0)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-26 10:37:49 -04:00
Christopher Angelo Phillips
c038f13d44
chore: go-rpmdb update (#1757)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-24 10:34:13 -04:00
dependabot[bot]
8102ad4edc
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706) 2023-04-24 10:20:12 -04:00
Shane Dell
13485ca5e7
fix: Improve pnpm support (#1752)
Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-21 17:58:23 +00:00
Alex Lehman
b2b332e8b2
feat: Add template func hasField (#1754)
Signed-off-by: Lehman, Alex <alex.lehman@gtri.gatech.edu>
2023-04-21 09:34:06 -04:00
Christopher Angelo Phillips
a42bac6fcc
fix: only cache java packages and not source content (#1750)
* fix: only cache java packages and not source content

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* fix: add gradle to matched files for ci checksum

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-19 16:07:34 -04:00
Shane Dell
98a6c6efbe
Add sections of interest for Gemfile.lock cataloger (#1749)
- Updated tests to reflect the new sections being added to show they function properly.

Closes #1660

Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-19 12:18:17 -04:00
Christopher Angelo Phillips
55a90a2ee0
fix: update cache.fingerprint file to java-builds dir (#1748)
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-19 12:17:07 -04:00
Shane Dell
6e835fd8fc
Add ALPM Metadata to CYCLONEDX and SPDX output formats (#1747)
Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-18 11:53:02 -04:00
Weston Steimel
ee80349ea0
chore: bump stereoscope to latest version (#1741)
Resolves reporting of GHSA-hw7c-3rfg-p46j

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-04-18 15:44:03 +00:00
anchore-actions-token-generator[bot]
52b54bbad9
chore(deps): update bootstrap tools to latest versions (#1744)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-04-18 10:25:02 -04:00
dependabot[bot]
66d9c5637b
chore(deps): bump github.com/docker/docker (#1746)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.3+incompatible to 23.0.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.3...v23.0.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-04-18 10:22:41 -04:00
Shane Dell
244b797a19
Create consul binary classifier (#1738)
* Create consul binary classifier

Closes #1590

Signed-off-by: Shane Dell <shanedell100@gmail.com>

* Create test for consul binary classifier

Signed-off-by: Shane Dell <shanedell100@gmail.com>

* Update version for consul. Add note that about consul version matcher is brittle

Signed-off-by: Shane Dell <shanedell100@gmail.com>

---------

Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-17 12:26:07 -04:00
anchore-actions-token-generator[bot]
95176d7e0c
chore(deps): update bootstrap tools to latest versions (#1740)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-04-17 12:06:35 -04:00
Alex Goodman
5a7bab972c
Fix kernel cataloger test fixtures (#1742)
* pin kernel and modules version for kernel fixtures

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* cache kernel fixtures in CI

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update CLI test image with pinned kernel deps

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update the kernel version found in integration tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-17 11:44:46 -04:00
Avi Deitcher
b69259534d
feat: Support scanning license files in golang packages over the network (#1630)
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-14 15:13:29 -04:00
Alex Goodman
44422853be
Add package-to-file location evidence relationships (#1698)
* add evident-by relationship

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* wire up evident-by relationship geneation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* handle evident-by relationship in spdx formats

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix decoding file info for syft json format

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump json schema to incorporate file size attribute

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* refactor to create relationships for primary evidence only

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove unused 7.0.2 json schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-14 15:08:46 -04:00
Avi Deitcher
cc731c7b19
Add Linux Kernel cataloger (#1694)
* add kernel handler

Signed-off-by: Avi Deitcher <avi@deitcher.net>

* [wip] combine kernel and kernel module cataloging

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* [wip] combine kernel and kernel module cataloging

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Avi Deitcher <avi@deitcher.net>

* rename Kernel package to LinuxKernel package

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* split kernel and module packages within cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* wire up application configuration with kernel cataloger options

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* dont use references for packages on relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting and tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* kernel cataloger should be resistent to partial failure

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* log upon kernel module metadata missing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add tests for linux kernel cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update integration tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update cli package test counts

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add evidence annotations for kernel packages

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* reduce noise in cli test output

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* missed cli test to reduce noise for

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix package counts

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update docs with linux kernel cataloging refs

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump json schema with new metadata fields

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-14 14:33:36 -04:00
Alex Goodman
5d156b8241
Add annotations for evidence on package locations (#1723)
* add location annotations + deb evidence annotations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename LocationData struct and Annotation helper function

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add failing integration test for evidence coverage

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add evidence to aplm cataloger locations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* change location annotation helper to return a location copy

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add evidence to binary cataloger locations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* updated remaining catalogers with location annotations

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix unit tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* bump json schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* partial addressing of review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* rename location.WithAnnotation

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-13 17:02:29 -04:00
Alex Goodman
05715489c4
add format make target (#1733)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-04-12 14:36:38 -04:00
Shane Dell
661d256b85
Update tests to not fail on Mac M1's. (#1730)
Closes #1673

Signed-off-by: Shane Dell <shanedell100@gmail.com>
2023-04-12 11:11:05 -04:00