Mirrors/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft synced 2024-11-10 06:14:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
1472 commits 73 branches 214 tags 132 MiB
Commit graph

1472 commits

This branch
This branch
All branches
Author SHA1 Message Date
Keith Zantow
7845381331
chore: update tools-golang to v0.5.0 (#1717) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-04-05 13:59:52 -04:00
Alex Goodman
7464079a09
Add Nix cataloger (#1696) 
* Add Basic Nix Cataloger

Signed-off-by: Julio Tain Sueiras <juliosueiras@gmail.com>

* Update nix def for the latest syft definition

Signed-off-by: Julio Tain Sueiras <juliosueiras@gmail.com>

* capture nix package files on pkg.NixStoreMetadata

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix unit tests and linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update JSON schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* address review comments

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* Update syft/pkg/cataloger/nix/parse_nix_store_path_test.go

Co-authored-by: Florian Klink <flokli@flokli.de>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* support unstable version conventions

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update json schema relative to main branch

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update syft json with v7.1.1 schema

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix CLI tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove extra continue statement

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add Nix to list of supported ecosystems

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Julio Tain Sueiras <juliosueiras@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Julio Tain Sueiras <juliosueiras@gmail.com>
Co-authored-by: Florian Klink <flokli@flokli.de>
 2023-04-04 10:53:56 -04:00
Alex Goodman
8a574c9ed9
refactor spdx tooling test to reduce intermittent failures (#1707) 
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-04-03 18:43:28 +00:00
Alex Goodman
681d250fdc
Capture file ownership relationships from portage ecosystem (#1702) 
* add portage as file owners

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update json schema with NPM files

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-04-03 09:46:18 -04:00
Keith Zantow
2022ffa0e5
chore: update deprecated set-output calls (#1705) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-04-03 09:36:11 -04:00
Christopher Angelo Phillips
dfcc07e512
feat: Add config option to allow user to select the default image source location 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-03-31 10:04:10 -04:00
dependabot[bot]
2fa238af7c
chore(deps): bump github.com/docker/docker (#1699) 
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.1+incompatible to 23.0.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v23.0.1...v23.0.2)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-29 10:00:37 -04:00
anchore-actions-token-generator[bot]
63bbd1e3ed
chore(deps): update bootstrap tools to latest versions (#1697) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2023-03-27 09:17:34 -04:00
anchore-actions-token-generator[bot]
81b87dd108
chore(deps): update stereoscope to d7551b7f46f53179922d6229709d3d1602881080 (#1693) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
 2023-03-23 16:30:08 +00:00
Christopher Angelo Phillips
f473bb75a8
1577 spdxlicense generate (#1691) 
Update the license_list.go to have more permissible inputs for greater SPDXID matching.
EX:
GPL3 gpl3 gpl-3 and GPL-3 can all map to GPL-3.0-only

By moving all strings to lower and removing the "-" we're able to return valid SPDX license ID for a greater diversity of input strings.
---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-03-23 11:48:24 -04:00
dependabot[bot]
539bc2afcb
chore(deps): bump github.com/vbatts/go-mtree from 0.5.2 to 0.5.3 (#1692) 
Bumps [github.com/vbatts/go-mtree](https://github.com/vbatts/go-mtree) from 0.5.2 to 0.5.3.
- [Release notes](https://github.com/vbatts/go-mtree/releases)
- [Changelog](https://github.com/vbatts/go-mtree/blob/main/releases.md)
- [Commits](https://github.com/vbatts/go-mtree/compare/v0.5.2...v0.5.3)

---
updated-dependencies:
- dependency-name: github.com/vbatts/go-mtree
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-23 11:09:32 -04:00
Avi Deitcher
9fd532246a
feat: scan local go mod cache for licenses of golang packages (#1645) 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
 2023-03-23 10:38:15 -04:00
Keith Zantow
11e926ab2f
chore: fix flaky license sorting (#1690) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-22 14:41:49 -04:00
dependabot[bot]
168c5aed51
chore(deps): bump github.com/gookit/color from 1.5.2 to 1.5.3 (#1689) 2023-03-22 14:26:58 -04:00
Dan
d02c56aa5f
fix: shell completion by adding missing usage message required by spf13/cobra (#1688) 
Signed-off-by: DanHam <DanHam@users.noreply.github.com>
 2023-03-22 13:45:09 -04:00
anchore-actions-token-generator[bot]
829a71cd92
chore(deps): update bootstrap tools to latest versions (#1686) 2023-03-22 09:01:24 -04:00
Keith Zantow
34ace36a9e
chore: tweak some workflow text (#1685) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-21 11:08:49 -04:00
Alex Goodman
100cf1003d
Remove more side effects from application config testing (#1684) 
* remove a few side effects from config testing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix xdg config app name prefix

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* account for restoring and protecting xdg state throughout testing

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
 2023-03-20 20:53:45 +00:00
Aidan Delaney
f11a7b5e9f
Deprecate config.yaml as valid config source; Add unit regression for correct config paths (#1640) 
Warn user of future deprecation of ./config.yaml for v1.0.0 release

---------

Signed-off-by: Aidan Delaney <adelaney21@bloomberg.net>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-03-20 15:13:35 -04:00
anchore-actions-token-generator[bot]
434aa7fd46
chore: Update syft bootstrap tools to latest versions. (#1682) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-20 13:20:48 -04:00
Marc-Etienne Vargenau
5fb0423b72
Update documentation: (#1680) 
- Syft is now outputing SPDX 2.3 by default
- Give syntax to get SPDX 2.2

Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
 2023-03-20 10:10:35 -04:00
anchore-actions-token-generator[bot]
7998520848
chore: Update Stereoscope to 7928713c391e20abaede6a029f4ce37b628a4c8b (#1681) 2023-03-18 10:32:39 -04:00
Keith Zantow
d05000ff21
fix: reduce logging for bad dpkg lines (#1675) 
* fix: reduce logging for bad dpkg lines to Trace level
---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-17 13:08:51 -04:00
witchcraze
f66e77e2c6
fix ruby classifier (#1678) 
Signed-off-by: witchcraze <witchcraze@gmail.com>
 2023-03-17 09:42:20 -04:00
Christopher Angelo Phillips
928c4a55ff
feat: add shared dir for easier cleanup (#1676) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-03-16 16:05:34 -04:00
dependabot[bot]
1899eb50d0
chore(deps): bump github.com/google/go-containerregistry (#1672) 
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.13.0 to 0.14.0.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-16 12:07:47 -04:00
dependabot[bot]
b5ec4d4f08
chore(deps): bump actions/setup-go from 3 to 4 (#1671) 
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2023-03-16 12:02:07 -04:00
Christopher Angelo Phillips
61362c04fa
fix: move defer after error to protect panic case (#1670) 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
 2023-03-15 15:29:10 -04:00
Joye Lin
e3140063d4
feat: add argocd, helm, kustomize and kubectl binary classifiers (#1663) 
* add argocd, helm, kustomize and kubectl binary classifiers
* update golang PURL
* address PR faceback about binary/test-fixtures/Makefile
* remove the /v[n] suffix from the PURL in both argocd and helm

---------

Signed-off-by: y12studio <y12studio@gmail.com>
 2023-03-15 14:53:22 -04:00
razzle
1d9ef34ec7
defer closing file (#1668) 
Signed-off-by: razzle <harry@razzle.cloud>
 2023-03-15 14:50:42 -04:00
Keith Zantow
302735097e
fix: remove author contributing to javascript CPEs (#1669) 2023-03-14 14:10:24 +00:00
Keith Zantow
cc0a376aba
fix: more python matching support (#1667) 2023-03-13 13:26:43 -04:00
anchore-actions-token-generator[bot]
b379dd9f27
Update syft bootstrap tools to latest versions. (#1666) 
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
 2023-03-13 10:40:13 -04:00
witchcraze
a81e0c8008
feat: add ruby classifier (#1665) 
Signed-off-by: witchcraze <witchcraze@gmail.com>
 2023-03-10 08:29:40 -05:00
anchore-actions-token-generator[bot]
41cbbe09b2
Update syft bootstrap tools to latest versions. (#1658) 2023-03-07 12:54:32 -05:00
Keith Zantow
7714bc0521
fix: improved Python binary detection (#1648) 2023-03-07 10:52:29 -05:00
Weston Steimel
096d2b7bff
fix: suppress some known incorrect vendor candidates for npm CPEs (#1659) 
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-03-07 10:18:44 -05:00
Keith Zantow
7cfdffab5f
fix: sanitize SPDX LicenseRefs (#1657) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-06 10:55:23 -05:00
dependabot[bot]
f43953d225
chore(deps): bump golang.org/x/mod from 0.8.0 to 0.9.0 (#1655) 2023-03-06 15:49:34 +00:00
dependabot[bot]
eea1b48cbb
chore(deps): bump golang.org/x/net from 0.7.0 to 0.8.0 (#1653) 2023-03-06 15:38:34 +00:00
dependabot[bot]
a063cf300b
chore(deps): bump github.com/spf13/afero from 1.9.4 to 1.9.5 (#1654) 2023-03-06 15:21:35 +00:00
dependabot[bot]
b73903519c
chore(deps): bump golang.org/x/term from 0.5.0 to 0.6.0 (#1656) 2023-03-06 15:20:43 +00:00
Keith Zantow
304be4a5a1
fix: dotnet PURL types are invalid (#1649) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2023-03-03 16:45:20 -05:00
Weston Steimel
c4cbe211a3
feat: disable cpe vendor wildcards to reduce false positives (#1647) 
* improved parsing of vendor from github url

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

* stop generating wildcard vendors

Add logic for parsing javascript and ruby package vendor candidates from
url and author fields and stop generating wildcard vendor candidates

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>

---------

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-03-03 17:26:46 +00:00
Avi Deitcher
01230aa766
read relative etc/apk/repositories for alpine version when no OS provided (#1615) 
Signed-off-by: Avi Deitcher <avi@deitcher.net>
 2023-03-02 13:04:56 -05:00
Keith Zantow
5f90d03718
fix: possible race condition (#1639) 2023-03-01 15:35:01 -05:00
Weston Steimel
e2ebc9769f
fix: remove APK OriginPackage cpe candidates (#1637) 
Adding APK OriginPackage CPE candidates to the child package
results in false positives in grype because it can't associate
CPE-based findings to the corresponding OriginPackage APK fixes.

This reverts changing the `upstream` in the PURL for APK packages
as the logic in Grype that uses it expects it to be an APK package
name.  This also allows refactoring to unexport and move the APK
CPE candidate generation logic closer to where CPE generation occurs

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-03-01 17:24:43 +00:00
Keith Zantow
2e6e3b0c74
fix: rebar lock file decoding panic (#1628) 2023-03-01 10:08:29 -05:00
Keith Zantow
24584a4d27
fix: handle individual cataloger panics (#1636) 2023-03-01 10:03:34 -05:00
Weston Steimel
8e1205f7ab
fix: apk product/vendor generation for old metadata (#1635) 
This fixes some instances where the improved APK CPE generation
logic caused regressions for older alpine package APK metadata.
It now generates multiple "upstream" candidates with both name
and package type which reduces the amount of duplicated code in
the apk cpe gen logic.  This also improves the handling of stream
version packages, so now we can correctly identify packages such
as ruby3.2-rexml as the rexml ruby gem.

Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
 2023-03-01 14:58:35 +00:00