Commit graph

1848 commits

Author SHA1 Message Date
Keith Zantow
a50a0f77d2
fix: capture root command stdout (#2364)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-11-28 15:04:28 -05:00
William Murphy
ea4a6747eb
fix: hardcode xalan group ID (#2368)
According to maven central, the package called "xalan" should just have
the group ID xalan, but currently syft isn't able to find that.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-28 14:40:03 -05:00
Alex Goodman
1cfc4c7387
Normalize cataloger configuration patterns (#2365)
* normalize cataloger patterns

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove central reference for maven configurable

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-28 17:02:43 +00:00
Alex Goodman
4d0da703bf
normalize enums to lowercase with hyphens (#2363)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-28 11:02:20 -05:00
anchore-actions-token-generator[bot]
4ee6be3777
chore(deps): update tools to latest versions (#2358)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-28 10:22:57 -05:00
dependabot[bot]
5d44e49d2f
chore(deps): bump github.com/spf13/afero from 1.10.0 to 1.11.0 (#2361)
Bumps [github.com/spf13/afero](https://github.com/spf13/afero) from 1.10.0 to 1.11.0.
- [Release notes](https://github.com/spf13/afero/releases)
- [Commits](https://github.com/spf13/afero/compare/v1.10.0...v1.11.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/afero
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 10:22:21 -05:00
dependabot[bot]
5dd3b127b0
chore(deps): bump github.com/go-git/go-git/v5 from 5.10.0 to 5.10.1 (#2362)
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.10.0 to 5.10.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](https://github.com/go-git/go-git/compare/v5.10.0...v5.10.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-28 10:21:59 -05:00
William Murphy
ce4b31757a
fix: index file itself when file scan path has symlink (#2359)
Previously, building the index of the filesystem when source was file
would fail if part of the path syft was passed to the file included a
symlinked directory, resulting in cataloging misses.

---------

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2023-11-28 09:41:28 -05:00
dependabot[bot]
c08b0990ca
chore(deps): bump github/codeql-action from 2.22.7 to 2.22.8 (#2351)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.7 to 2.22.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](66b90a5db1...407ffafae6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-24 06:42:30 -05:00
Alex Goodman
8ee209a5ae
use read lock in pkg collection (#2341)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-21 13:48:25 -05:00
Alex Goodman
4712246897
Fix the attest command (#2337)
* fix attest command

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* add notification on how to access the attestation

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix integration test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-21 18:29:58 +00:00
Weston Steimel
ebeb768f59
fix: add manual namespace mapping for org.springframework jars (#2345)
Signed-off-by: Weston Steimel <weston.steimel@proton.me>
2023-11-21 18:28:10 +00:00
Duane May
d4733fac1d
Add binary classifiers for MySQL and MariaDB (#2316)
* Add MySQL and MariaDB binary classifiers

Signed-off-by: Duane May <duanemay@gmail.com>
Signed-off-by: Duane May <mduane@vmware.com>

* use smallest possible binary fixtures

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Duane May <duanemay@gmail.com>
Signed-off-by: Duane May <mduane@vmware.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-21 16:54:41 +00:00
David Dooling
34774a0e10
Enhance redis binary classifier (#2329)
Allow existing matcher to match host identifiers longer than 12
characters. The binaries distributed by redis have the version before
payload, so add a matcher for that. Add test fixtures covering these
scenarios.

Signed-off-by: David Dooling <david.dooling@docker.com>
2023-11-21 16:24:59 +00:00
dependabot[bot]
1c582f0aa5
chore(deps): bump anchore/sbom-action from 0.14.3 to 0.15.0 (#2344)
Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.14.3 to 0.15.0.
- [Release notes](https://github.com/anchore/sbom-action/releases)
- [Commits](78fc58e266...fd74a6fb98)

---
updated-dependencies:
- dependency-name: anchore/sbom-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-21 11:12:43 -05:00
Weston Steimel
9d766c0325
fix: add manual namespace mapping for org.springframework.security jars (#2343)
Signed-off-by: Weston Steimel <weston.steimel@proton.me>
2023-11-21 13:46:34 +00:00
Weston Steimel
5751b43608
fix: add manual namespace mapping for org.bouncycastle jars (#2342)
Signed-off-by: Weston Steimel <weston.steimel@proton.me>
2023-11-21 08:17:07 -05:00
Alex Goodman
51d015d5ea
Update developer docs to represent the current package layout (#2340)
---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-20 15:06:18 -05:00
Alex Goodman
5565bdef0c
Remove the power-user command and related catalogers (#2306)
* remove the power-user command

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove secrets + classifier catalogers

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump json schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* regenerate json schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-20 15:44:28 +00:00
Alex Goodman
1676934c63
Add "pretty" json configuration and change default behavior to be space-efficient (#2275)
* expose underlying format options

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove escape html options and address PR feedback

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* incorporate PR feedback

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix cli test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-20 15:29:34 +00:00
anchore-actions-token-generator[bot]
7cfb5f630a
chore(deps): update stereoscope to 3610f4ef3e83e8ff2edf8859e8916bce326fa260 (#2336)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-17 20:53:01 +00:00
Christopher Angelo Phillips
ba80e490c2
feat: allow for stdout to be buffered on each command (#2335)
* feat: add preRun func to version to restore stdout

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* test: add test to capture version in output

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

* change stdout buffering to log to be opt-in per command

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* fix tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-17 14:14:13 -05:00
Keith Zantow
1c787f436f
fix: prevent writing non-report output to stdout (#2324)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-11-16 17:45:25 -05:00
dependabot[bot]
c7eb3f4c93
chore(deps): bump github/codeql-action from 2.22.6 to 2.22.7 (#2332)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.6 to 2.22.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](689fdc5193...66b90a5db1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-16 09:22:23 -05:00
Alex Goodman
11a8cde8e4
export metadata type helper (#2328)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-15 19:05:18 +00:00
Weston Steimel
dcd062cffb
fix(java): add manual groupid mappings for org.apache.velocity jars (#2327)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-15 17:44:36 +00:00
Weston Steimel
b9294976ef
fix(java): skip maven bundle plugin logic if vendor id and symbolic name match (#2326)
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-11-15 17:44:15 +00:00
Colm O hEigeartaigh
3e8a2304e8
Refine license searching from groupIDFromJavaMetadata to allow for having the artfactId in the groupId (#2313)
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2023-11-15 10:04:31 -05:00
anchore-actions-token-generator[bot]
e04d90fc9a
chore(deps): update tools to latest versions (#2325)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-15 10:02:27 -05:00
anchore-actions-token-generator[bot]
0f39917999
chore(deps): update tools to latest versions (#2318)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-14 12:01:47 -05:00
Colm O hEigeartaigh
0652998b9b
Add license for golang stdlib (#2317)
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2023-11-14 11:53:07 -05:00
dependabot[bot]
43bdf6e1b2
chore(deps): bump github/codeql-action from 2.22.5 to 2.22.6 (#2321)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.22.5 to 2.22.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](74483a38d3...689fdc5193)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-14 11:35:59 -05:00
Benji Visser
9aa9e0e09a
docs: Update README.md for dotnet-portable-executable (#2322)
Signed-off-by: Benji Visser <benji@093b.org>
2023-11-14 10:37:56 -05:00
Colm O hEigeartaigh
7ccbadff34
Fall back to searching maven central using groupIDFromJavaMetadata (#2295)
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2023-11-10 22:02:53 -05:00
Alex Goodman
3f13d209a5
rename file.Location.VirtualPath to AccessPath (#2288)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-09 11:30:08 -06:00
anchore-actions-token-generator[bot]
baa3dc74d3
chore(deps): update tools to latest versions (#2308)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-09 08:07:59 -08:00
dependabot[bot]
58f310c390
chore(deps): bump github.com/gkampitakis/go-snaps from 0.4.11 to 0.4.12 (#2310)
Bumps [github.com/gkampitakis/go-snaps](https://github.com/gkampitakis/go-snaps) from 0.4.11 to 0.4.12.
- [Release notes](https://github.com/gkampitakis/go-snaps/releases)
- [Commits](https://github.com/gkampitakis/go-snaps/compare/v0.4.11...v0.4.12)

---
updated-dependencies:
- dependency-name: github.com/gkampitakis/go-snaps
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 08:06:50 -08:00
dependabot[bot]
a383239217
chore(deps): bump golang.org/x/net from 0.17.0 to 0.18.0 (#2311)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.17.0 to 0.18.0.
- [Commits](https://github.com/golang/net/compare/v0.17.0...v0.18.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-09 08:06:19 -08:00
Benji Visser
0891d35e07
include image labels in cycloneDX SBOM (#2294)
* include image labels in SBOM

Signed-off-by: Benji Visser <benji@093b.org>

* update tests

Signed-off-by: Benji Visser <benji@093b.org>

* gocritic

Signed-off-by: Benji Visser <benji@093b.org>

* add properties

Signed-off-by: Benji Visser <benji@093b.org>

* add decoder

Signed-off-by: Benji Visser <benji@093b.org>

* update golden snapshots

Signed-off-by: Benji Visser <benji@093b.org>

* decodeProperties

Signed-off-by: Benji Visser <benji@093b.org>

* add test

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* remove the snapshot test changes

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* restore snapshots

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Benji Visser <benji@093b.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-08 23:13:04 +00:00
Alex Goodman
502971a1b2
Add accessPath on Location objects to syft-json output (#2287)
* add accessPath on Location objects to syft-json output

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* generate json schema v12.0.1

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-08 17:05:30 -06:00
Colm O hEigeartaigh
dc14dbb326
SPDX file has duplicate sha256 tag in versionInfo (#2300)
* SPDX file has duplicate sha256 tag in versionInfo

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

* add tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2023-11-08 22:49:31 +00:00
Colm O hEigeartaigh
bae5a2e741
Check maven central as well for licenses in parents poms for nested jars (#2302)
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
2023-11-08 10:26:12 -08:00
dependabot[bot]
220655743b
chore(deps): bump github.com/spf13/cobra from 1.7.0 to 1.8.0 (#2293)
Bumps [github.com/spf13/cobra](https://github.com/spf13/cobra) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/spf13/cobra/releases)
- [Commits](https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: github.com/spf13/cobra
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-08 10:23:40 -08:00
anchore-actions-token-generator[bot]
9fce006b8f
chore(deps): update tools to latest versions (#2301)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-08 09:33:59 -08:00
Keith Zantow
d91c2dd842
fix: identify cyclone-json without $schema (#2303)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2023-11-08 11:54:22 -05:00
Christopher Angelo Phillips
9b98785aab
chore: setup release task before calling go releaser (#2297)
* chore: update release command to use config at repo root

---------

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
2023-11-07 16:33:06 +00:00
anchore-actions-token-generator[bot]
ad977ee0a1
chore(deps): update tools to latest versions (#2296)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-07 06:44:39 -08:00
anchore-actions-token-generator[bot]
9eac737fe2
chore(deps): update tools to latest versions (#2289)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-11-06 09:23:46 -05:00
anchore-actions-token-generator[bot]
4ba92ac43b
chore(deps): update CPE dictionary index (#2290)
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
2023-11-06 09:23:24 -05:00
dependabot[bot]
a4b895d31f
chore(deps): bump golang.org/x/mod from 0.13.0 to 0.14.0 (#2292)
Bumps [golang.org/x/mod](https://github.com/golang/mod) from 0.13.0 to 0.14.0.
- [Commits](https://github.com/golang/mod/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-06 14:12:40 +00:00