Mirrors/syft

mirror of https://github.com/anchore/syft synced 2024-11-10 06:14:16 +00:00

Author	SHA1	Message	Date
Christopher Angelo Phillips	f07581f504	Pr 1825 (#1865 ) chore: code cleanup Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> --------- Signed-off-by: guoguangwu <guoguangwu@magic-shield.com> Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com> Co-authored-by: guoguangwu <guoguangwu@magic-shield.com>	2023-06-05 17:01:00 +00:00
dependabot[bot]	d676e5e781	chore(deps): bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 (#1862 ) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.2 to 1.9.3. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.2...v1.9.3) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-05 10:48:18 -04:00
dependabot[bot]	903d29b6f7	chore(deps): bump modernc.org/sqlite from 1.22.1 to 1.23.0 (#1863 ) Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.22.1 to 1.23.0. - [Commits](https://gitlab.com/cznic/sqlite/compare/v1.22.1...v1.23.0) --- updated-dependencies: - dependency-name: modernc.org/sqlite dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-05 10:47:59 -04:00
Keith Zantow	79a955b1a9	feat: source-version flag (#1859 )	2023-06-05 10:36:34 -04:00
dependabot[bot]	1bd9de9047	chore(deps): bump github.com/spf13/viper from 1.15.0 to 1.16.0 (#1851 ) Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.15.0 to 1.16.0. - [Release notes](https://github.com/spf13/viper/releases) - [Commits](https://github.com/spf13/viper/compare/v1.15.0...v1.16.0) --- updated-dependencies: - dependency-name: github.com/spf13/viper dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-06-01 08:35:14 -04:00
Avi Deitcher	68f8df9594	accept main.version ldflags even without vcs (#1855 ) Signed-off-by: Avi Deitcher <avi@deitcher.net>	2023-06-01 08:34:46 -04:00
James Neate	c69cdd9f4a	feat: add scope to pom properties (#1779 ) * feat: add scope to pom properties Signed-off-by: James Neate <jamesmneate@gmail.com> * fix: fixed conflict with schema bump Signed-off-by: James Neate <jamesmneate@gmail.com> --------- Signed-off-by: James Neate <jamesmneate@gmail.com>	2023-06-01 12:22:29 +00:00
dependabot[bot]	5842fc2a64	chore(deps): bump github.com/stretchr/testify from 1.8.3 to 1.8.4 (#1852 ) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.3 to 1.8.4. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.3...v1.8.4) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-30 13:48:54 -04:00
dependabot[bot]	f0307fdd62	chore(deps): bump github.com/docker/docker (#1849 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.1+incompatible to 24.0.2+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v24.0.1...v24.0.2) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-26 16:08:20 -04:00
Alex Goodman	74013d7da7	Add test to ensure package metadata is represented in the JSON schema (#1841 ) * [wip] try to reflect metadata types... probably wont work Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * refactor to add unit test to ensure there is coverage in the schema Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * [wip] generate metadata container Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add generation of metadata container struct for JSON schema generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update linter script to account for code generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2023-05-25 13:26:56 -04:00
Alex Goodman	6afbffce28	Fix directory resolver to consider CWD and root path input correctly (#1840 ) * [wip] put in initial fix Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * capture expected behavior of dir resolver in tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update tests + comments to reflect current dir resolver behavior Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add additional test cases Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix additional tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix bad merge conflict resolution Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2023-05-25 13:41:18 +00:00
Alex Goodman	07e76907f6	Migrate location-related structs to the file package (#1751 ) * migrate location structs to file package Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * replace source.Location refs with file package call Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove hardlink test for file based catalogers Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove hardlink test for all-regular-files testing Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * migrate file resolver implementations to separate package Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * [wip] migrate resolvers to internal Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * migrate resolvers to syft/internal Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: <>	2023-05-24 17:06:38 -04:00
dependabot[bot]	4bf17a94b9	chore(deps): bump github.com/go-git/go-git/v5 from 5.6.1 to 5.7.0 (#1843 ) Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.6.1 to 5.7.0. - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](https://github.com/go-git/go-git/compare/v5.6.1...v5.7.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-24 11:40:11 -04:00
Christopher Angelo Phillips	4ac8fdf6df	fix: add panic recovery for license parse (#1839 ) * fix: add panic recovery for license parse --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2023-05-23 16:58:49 +00:00
Idan Frimark	087a6356b9	chore: return both failures when failed to retrieve an image with a scheme (#1801 ) Signed-off-by: Idan Frimark <idanf@cisco.com>	2023-05-23 10:32:12 -04:00
Alex Goodman	26c201f7f7	Extract go module versions from ldflags for binaries built by go (#1832 ) * wip Signed-off-by: Weston Steimel <weston.steimel@anchore.com> * with golang bin ldflags refactor Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add test for golang binary cataloger for ldflag extraction Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove binary classfiers that overlap with new go ldflags detection Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Weston Steimel <weston.steimel@anchore.com> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Weston Steimel <weston.steimel@anchore.com>	2023-05-23 10:27:48 -04:00
Keith Zantow	a3c5550217	fix: duplicate packages, support pnpm lockfile v6 (#1778 )	2023-05-23 10:24:25 -04:00
anchore-actions-token-generator[bot]	798af57853	chore(deps): update stereoscope to e14bc4437b2eac481c5b6f101890b22df4f33596 (#1834 ) Signed-off-by: GitHub <noreply@github.com> Co-authored-by: kzantow <kzantow@users.noreply.github.com>	2023-05-23 10:18:39 -04:00
dependabot[bot]	f50302b2ba	chore(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.3 (#1829 ) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-22 14:01:17 -04:00
dependabot[bot]	b09cf6c6b5	chore(deps): bump github.com/docker/docker (#1833 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.0+incompatible to 24.0.1+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v24.0.0...v24.0.1) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-22 13:07:24 -04:00
Alex Goodman	334a775cb9	Keep original FileInfo persisted on file.Metadata structs (#1794 ) * pull in fileinfo changes from stereoscope #172 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix CLI test assumption about the docker daemon Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Signed-off-by: <>	2023-05-19 14:21:10 +00:00
dependabot[bot]	f1b6f38ea8	chore(deps): bump github.com/sirupsen/logrus from 1.9.1 to 1.9.2 (#1827 ) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.1 to 1.9.2. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.1...v1.9.2) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-19 09:01:05 -04:00
dependabot[bot]	f6f8332b7f	chore(deps): bump github.com/google/go-containerregistry (#1823 ) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.15.1 to 0.15.2. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.15.1...v0.15.2) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-17 14:34:27 -04:00
dependabot[bot]	74351567ab	chore(deps): bump github.com/sirupsen/logrus from 1.9.0 to 1.9.1 (#1822 ) Bumps [github.com/sirupsen/logrus](https://github.com/sirupsen/logrus) from 1.9.0 to 1.9.1. - [Release notes](https://github.com/sirupsen/logrus/releases) - [Changelog](https://github.com/sirupsen/logrus/blob/master/CHANGELOG.md) - [Commits](https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.1) --- updated-dependencies: - dependency-name: github.com/sirupsen/logrus dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-17 14:33:48 -04:00
dependabot[bot]	51d4c9b4ab	chore(deps): bump github.com/docker/docker (#1824 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.6+incompatible to 24.0.0+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v23.0.6...v24.0.0) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-17 14:33:30 -04:00
Christopher Angelo Phillips	4601ca3735	fix: update field plurality of 8.0.0 schema before release (#1820 ) to keep things consistent across the schema we want Locations and URLs to be plural fields now that they are fields on the License struct --------- Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2023-05-16 13:05:48 -04:00
Christopher Angelo Phillips	1a2a49840b	fix: update cataloger to check for expressions before split (#1819 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2023-05-16 16:04:28 +00:00
Christopher Angelo Phillips	42fa9e4965	feat: update syft license concept to complex struct (#1743 ) this PR makes the following changes to update the underlying license model to have more expressive capabilities it also provides some guarantee's surrounding the license values themselves - Licenses are updated from string -> pkg.LicenseSet which contain pkg.License with the following fields: - original `Value` read by syft - If it's possible to construct licenses will always have a valid SPDX expression for downstream consumption - the above is run against a generated list of SPDX license ID to try and find the correct ID - SPDX concluded vs declared is added to the new struct - URL source for license is added to the new struct - Location source is added to the new struct to show where the expression was pulled from	2023-05-15 16:23:39 -04:00
Shane Alvarez	8046f09562	fix: cyclonedx depends-on relationship inverted (#1816 ) Signed-off-by: Shane Alvarez <shane.alv@gmail.com>	2023-05-15 09:59:26 -04:00
mikey strauss	b4ed599481	fix: retain sbom cataloger relationships (#1509 ) Signed-off-by: Eitan Goldenstein <eitan@scribesecurity.com> Co-authored-by: Eitan Goldenstein <eitan@scribesecurity.com>	2023-05-15 09:57:21 -04:00
William Murphy	e925d9d4a5	feat: warn if parsing newer SBOM (#1810 ) If syft is asked to parse an SBOM that was written by a newer version of syft, emit a warning, since the current version of syft doesn't know about fields that may be added in the future. Signed-off-by: Will Murphy <will.murphy@anchore.com>	2023-05-11 08:55:27 -04:00
William Murphy	da3624644a	feat: Add R cataloger (#1790 ) Add a cataloger that detects installed R packages by looking for DESCRIPTION files. The base R package is now picked up in coverageImage tests in test/cli/packages_cmd_test.go, so increment expected package counts for the tests that use that image. Signed-off-by: Will Murphy <will.murphy@anchore.com>	2023-05-10 12:30:11 -04:00
Bob Callaway	0580328ad9	update cosign to v2 release (different go module) (#1805 ) Signed-off-by: Bob Callaway <bcallaway@google.com>	2023-05-10 11:12:37 -04:00
William Murphy	291da8cd12	fix: Reduce log spam on unknown relationship type (#1797 ) Rather than log a warning for every instance of an unknown relationship type, or similar error, log a count of how many times each of these errors is raised. --------- Signed-off-by: Will Murphy <will.murphy@anchore.com>	2023-05-10 09:51:12 -04:00
anchore-actions-token-generator[bot]	8a3cbf2fdd	chore(deps): update bootstrap tools to latest versions (#1807 )	2023-05-10 08:25:36 -04:00
dependabot[bot]	ef08d0fa39	chore(deps): bump golang.org/x/net from 0.9.0 to 0.10.0 (#1802 ) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.9.0 to 0.10.0. - [Commits](https://github.com/golang/net/compare/v0.9.0...v0.10.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-09 11:59:39 -04:00
dependabot[bot]	75d625b697	chore(deps): bump github.com/docker/docker (#1795 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.5+incompatible to 23.0.6+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v23.0.5...v23.0.6) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-08 12:45:50 -04:00
dependabot[bot]	88ba8b78fc	chore(deps): bump github.com/google/go-containerregistry (#1796 ) Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.14.0 to 0.15.1. - [Release notes](https://github.com/google/go-containerregistry/releases) - [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml) - [Commits](https://github.com/google/go-containerregistry/compare/v0.14.0...v0.15.1) --- updated-dependencies: - dependency-name: github.com/google/go-containerregistry dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-08 12:45:30 -04:00
anchore-actions-token-generator[bot]	3f19aa589c	chore(deps): update bootstrap tools to latest versions (#1792 )	2023-05-07 13:23:41 -04:00
William Murphy	630c18e0d3	Print package list when extra packages found (#1791 ) The tests in test/cli/packages_cmd_test.go are hard to debug when different packages are found in different environments. For example, CI runs and M1 macs have been observed to have different package counts. Therefore, if the test is about to fail, log a sorted list of the packages that were found, so that it is easy to compare failures of these tests. Signed-off-by: Will Murphy <will.murphy@anchore.com>	2023-05-05 15:57:13 -04:00
anchore-actions-token-generator[bot]	1860bab24b	chore(deps): update bootstrap tools to latest versions (#1786 )	2023-05-05 14:57:02 -04:00
dependabot[bot]	e31839a370	chore(deps): bump golang.org/x/term from 0.7.0 to 0.8.0 (#1787 )	2023-05-05 18:56:40 +00:00
Josh Bressers	0f1aed4477	Update the CPE generation for spring-security-core (#1789 ) * Update the CPE generation for spring-security-core * Add vendor test for spring-security Signed-off-by: Josh Bressers <josh@bress.net> --------- Signed-off-by: Josh Bressers <josh@bress.net>	2023-05-05 15:41:41 +00:00
Keith Zantow	ddb338d834	chore: do not HTML escape PackageURLs (#1782 ) Signed-off-by: Keith Zantow <kzantow@gmail.com>	2023-05-05 10:08:04 -04:00
Keith Zantow	354c72bbf4	chore: do not include kernel module cataloger by default (#1784 )	2023-05-05 09:54:24 -04:00
Jeff Squyres	d63a1f5f80	chore(docs): Update lists of catalogers (#1780 ) Signed-off-by: Jeff Squyres <jeff@squyres.com>	2023-05-04 15:36:22 -04:00
Keith Zantow	645206735e	chore: add more detail on SPDX file IDs (#1769 )	2023-05-02 16:52:18 -04:00
Filip Pytloun	95a04cadea	Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756 ) Fixes: https://github.com/anchore/syft/issues/1755 Signed-off-by: Filip Pytloun <filip@pytloun.cz> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2023-05-02 16:43:52 -04:00
dependabot[bot]	dd458a2b33	chore(deps): bump github.com/docker/docker (#1767 ) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.4+incompatible to 23.0.5+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v23.0.4...v23.0.5) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2023-05-02 16:43:16 -04:00
Alex Goodman	5f3d4d285b	rename sbom.PackageCatalog to sbom.Packages (#1773 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2023-05-01 10:19:58 -04:00

1 2 3 4 5 ...

1458 commits