* remove power-user document shape
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add power-user specific fields to syft-json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port remaining spdx-json relationships to sbom model
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add coordinate set
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add SBOM file path helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use internal mimetype helper in go binary cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new package-of relationship
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update json schema to v2
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* replace power-user presenter with syft-json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests and linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove "package-of" relationship (in favor of "contains")
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests for spdx22json format encoding enhancements
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update TODO and log entries
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* introduce sbom.Descriptor
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate pkg.ID and pkg.Relationship to artifact package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* return relationships from tasks
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix more tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add artifact.Identifiable by Identity() method
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove catalog ID assignment
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust spdx helpers to use copy of packages
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* stabilize package ID relative to encode-decode format cycles
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Identity() to ID()
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use zero value for nils in ID generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable source.Location to be identifiable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* hoist up package relationship discovery to analysis stage
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ownership-by-file-overlap relationship description
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test reminders to put new relationships under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust PHP composer.lock parser function to return relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] single sbom doc
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix more tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove scope in import path
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* swap SPDX tag-value formatter to single sbom document
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bust CLI cache
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update fixture to byte diff
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* byte for byte
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bust the cache
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* who needs cache
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add jar for testing
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* no more bit flips
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update apk with the delta for image and directory cases
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* restore cache workflow
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add new spdx tag-value format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove public presenter package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for cataloging a single file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use all catalogers for file schemes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new cyclonedx format object
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove cyclonedx presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove cyclonedx presenter call
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove dependence on golden images for format tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up new formt + rename all-presenters ref
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add CLI test to ensure that all formats can be expressed as report output
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cyclonedx version and encoding format to package name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* optionally preserve format snapshot images
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting + text unit tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new format pattern
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syftjson format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add internal formats helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add SBOM encode/decode to lib API
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove json presenter + update presenter tests to use common utils
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove presenter format enum type + add formats shim in presenter helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add MustCPE helper for tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update usage of format enum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test fixtures for encode/decode tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix integration test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate format detection to use reader
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* show help text when no args are given
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* repurpose the input args validation function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure app does not check for update in cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove mod and cargo from image cataloger
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test error messages for clear failures
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add query by MIME type to source.FileResolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* import stereoscope lib changes to find mime type
- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add go std library code to unpack bin
- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines the required changing
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* change directory resolver to ignore system runtime paths + drive by index
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add event/etui support for filesystem indexing (for dir resolver)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add warnings for path indexing problems
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add directory resolver index tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* improve testing around directory resolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* renamed p var to path when not conflicting with import
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull docker image in CLI dir scan timeout test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure file not exist errors do not stop directory resolver indexing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add initial spdx support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose FileOwner and use in SPDX presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add initial json support for SPDX
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add remaining package fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add spdx license list generation + tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* keep fileOwner unexported from pkg
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore cli test util
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add external refs to spdx tag-value format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add golang support to CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use tag-value format as default "spdx" format flavor
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests around spdx presenters + refactor presenter tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add bouncer exception for spdx tools-golang repo
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove spdx model questions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Allow registry auth config without authority value
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Update CLI tests for new stereoscope log output
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* enhance cpe generation for group id and filtering
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename group id const + add doc comment for HasAnyOfPrefixes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add registry image source
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use explicit source for fetching image + add scheme and registry tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust test variable name and add credential helper function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add initial secrets cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ETUI elements with new catalogers (file metadata, digests, and secrets)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update secrets cataloger to read full contents into memory for searching
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* quick prototype of parallelization secret regex search
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* quick prototype with single aggregated regex
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* quick prototype for secret search line-by-line
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* quick prototype hybrid secrets search
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add secrets cataloger with line strategy
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust verbiage towards SearchResults instead of Secrets + add tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update json schema with secrets cataloger results
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address PR comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update readme with secrets config options
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure file catalogers call AllLocations once
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Create independent build targets for Mac and Linux
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Create targets for macOS signing and notarization
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Create target for Linux packaging
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Update release workflow and leverage new make targets
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add release assets to release draft
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add homebrew formula release follow-up and improve Makefile
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add follow-up workflow for updating version check file
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Get rid of fetch depth 0 for checkout action
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add follow-up workflow for Docker images
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Restore wait-for-checks job
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Replace make functions with shell functions
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Account for envsubst command in bootstrap-ci-linux
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* move homebrew generation into script
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add release approval step; remove goreleaser; add docker image smoke testing in acceptance step
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* replace homebrew formula template file with heredoc template
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update release documentation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add marking package relations by file ownership
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* correct json schema version; ensure fileOwners dont return dups; pin test pkg versions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract package relationships into separate section
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in client-go features for import of PackageRelationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* move unit test for ownership by files relationship further down
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename relationship to "ownership-by-file-overlap"
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump stereoscope to pull in content API refactors
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* incorporate symlink fixes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* with filetree.File() adjustments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* regress all-layers scope to not include dead-links + default tests to squashed scope
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore all layers resolver glob behavior (custom + lazy link resolution)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* incorporate filetree link resolution options and restore no-follow dead link option for resolvers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* removed path from lower-level FileTree.File() calls
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump stereoscope to pull in latest link resolution fixes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump doublestar to v2 for directory resolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add support to upload results to enterprise
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add package sbom upload
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add dockerfile support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add manifest, index, and dockerfile import functions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* schema version to json output + enhance json schema generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* modify package SBOM shape to be entire syft document + add etui updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add import image config and manifest support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add config options for import to enterprise
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* incorporate final stereoscope and client-go deps
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Add support for macOS signing and notarization
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Use Docker to run the changelog generator locally
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Adds java and npm package comparison
* Adds probable matching of extra packages syft found and missing packages that syft did not find (but inline did). This way there is a section of output that fuzzy-matches the package names to get a better sense of "real" problems (actual missing packages) vs slightly mismatched metadata during troubleshooting.
* Adds a set or probable missing packages to the report based on the probable matches (again, to aid in troubleshooting)
* Fixes image reference clean function to support references with registries
* Only shows metadata differences when the package was found by both inline and syft
* Splits the inline-compare code into more manageable pieces
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Remove and update TODOs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Update TODO with link
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Expand matching of requirements.txt file to include any prefixes or suffixes
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
* Add some test cases to integration test (ensure syft can pick up multiple requirements files)
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
* Run lint-fix
Signed-off-by: Samuel Dacanay <sam.dacanay@anchore.com>
* add package URL support to the CycloneDX presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wrap license tags with licenses
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure acceptance tests fail when results are piped
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix spelling in inline-compare python script
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add inline-compare as acceptance test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add additional RPM metadata
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add comments and doc strings to the compare-* make targets
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Minor cleanup
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Update pkg Type definition to string
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Implement poetry.lock parsing
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Address CI issues
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Integrate Alex's changes
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* add check for app update; fix ETUI error handling
* validate user args
* add goreleaser support
* replace cgo dependencies (go-rpm) with go equivalents
* add acceptance tests against build snapshot
* add brew tap + acceptance test pipeline
* add mac acceptance tests
* fix compare makefile
* fix mac acceptance tests
* add release pipeline with wait checks
* add token to release step
* rm dir presenters int test
* enforce dpkg to be non interactive
Co-authored-by: Alfredo Deza <adeza@anchore.com>
* pin brew formulae
* pin skopeo to formulae url
* only run acceptance tests
Co-authored-by: Alfredo Deza <adeza@anchore.com>
