Previously, which PURL was generated depended on the order of key iteration
in maps. Also update an integ test that was apparently only passing because
of the previous issue.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* dont show the title in the release notes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dont upload assets on the release pipeline
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump action-slack action to v3.15.1
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove custom go mod and build cache
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* require ordering of relationships when comparing parser output
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] fix cataloger test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* change method of relationship sort to simple string dump
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Now that the test fixture pins to a particular digest, there's no need
for platform specific architecture switches in this test.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: update to latest stereoscope
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add github actions usage cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update integration and cli tests with github actions sample
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add support for shared workflows
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split github actions usage cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add source explanation for github action types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* a github purl does not always mean the package is a github action
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep github action catalogers as dir only catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Many of these images have a slightly different sets of packages when the
arm64 variant is pulled, so that leaving this digest unpinned causes the
tests to fail on arm64 hosts. Pin the FROM lines to force stable
platform values regardless of host architecture.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Previously, there were some data races in syft. Right now, none are
detected, so check for data races on the overall command, and on unit
tests. (Checking for races on integration tests triples the time needed
for those tests, from ~1 minute to ~3 minutes on my workstation, so that
was not done at this time.)
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix: update codeql-analysis for go 1.21
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* nit: remove comment
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Bump the golang.org/x/exp dependency and fix a build breakage.
---------
Signed-off-by: Dan Lorenc <dlorenc@chainguard.dev>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Otherwise, small renames like 'hudson-war-2.2.1.war' to 'hudson.war', would cause
syft to incorrectly catolog the archive.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
If crypto settings or arch cannot be determined, still attempt to catalog packages from
the build info, rather than panicking.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add registry certificate verification support
* replace stereoscope version
* modify go.mod
* pull in stereoscope update
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename registry cert options, add docs, and add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update to account for changes in anchore/stereoscope#195
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
