dependabot[bot]
b77c104aa6
chore(deps): bump github/codeql-action from 1 to 2 (#1473)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v1...v2)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-18 09:38:06 -05:00
dependabot[bot]
10ca7f56ab
chore(deps): bump actions/setup-go from 2 to 3 (#1472)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](https://github.com/actions/setup-go/compare/v2...v3)
---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-18 09:37:45 -05:00
Luca Comellini
6b2dc08ffb
Add dependabot (#1451)
Signed-off-by: Luca Comellini <luca.com@gmail.com>
Signed-off-by: Luca Comellini <luca.com@gmail.com>
2023-01-18 09:29:24 -05:00
Christopher Angelo Phillips
03971ace43
chore: use checkout v3 with new depth (#1471)
v0.66.2
2023-01-17 21:26:39 +00:00
Christopher Angelo Phillips
07aee798b0
chore: use checkout v2 for tag depth (#1470)
2023-01-17 21:03:29 +00:00
Keith Zantow
6cf668f749
fix: nil panic in graalvm cataloger (#1468)
* normalize error handling and recover from panics while parsing binaries
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-17 19:06:24 +00:00
Alex Goodman
2ec4371c95
add linter for type assertion checks (#1469)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-17 14:00:03 -05:00
Weston Steimel
fc4d28f365
fix: bump golang.org/x/net to v0.4.0 (#1467)
resolves reporting of CVE-2022-41717
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-01-17 17:02:34 +00:00
Weston Steimel
5290dfb9c2
fix: bump golang.org/x/text to v0.3.8 (#1466)
This resolves reporting of GHSA-69ch-w2m2-3vjp
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
2023-01-17 15:50:02 +00:00
Alex Goodman
05611c283d
bootstrap within composite action (#1461)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-17 10:04:22 -05:00
Keith Zantow
934644232a
chore: revert GolangBinMetadata name and make analogous GolangModMetadata (#1458)
2023-01-13 16:46:12 -05:00
Florian Klink
641bccc79b
README: update Nix installation instructions (#1455)
22.05 has been released, update the instructions.
Signed-off-by: Florian Klink <flokli@flokli.de>
2023-01-13 15:43:25 +00:00
Keith Zantow
ac94bf530c
fix: update graalvm cataloger to fix panic (#1454)
Fixes https://github.com/anchore/syft/issues/1453
v0.66.1
2023-01-12 17:42:13 -05:00
Weston Steimel
e87cfe7319
chore: remove bumping cosign in go.mod when updating bootstrap tools (#1452)
2023-01-12 16:21:01 -05:00
Asi Greenholts
260cb4c72d
feat: Add the origin field to the output format of syftjson (#1327)
* moved the relevant fields to the Metadata field
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* added metadata types
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* Added hashes to metadata of package-lock.json and Pipfile.lock
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* move package metadata types to "pkg" package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-generate json schema to include new npm, python, and binary metadatas
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
v0.66.0
2023-01-12 15:03:05 -05:00
Keith Zantow
85bddaa43d
chore: update schema (#1449)
2023-01-12 14:25:47 -05:00
Arnout Engelen
a864dc9505
feat: prefer known CPE vendors over other candidates (#1294)
* feat: prefer known CPE vendors over other candidates
All ASF projects will be under the `apache` vendor in CPE, and
indeed this is already one of the candidates, but the logic
for selecting the 'most specific' CPE string would select for
example `apache_software_foundation` or `commons-text`.
This is not necessarily 'wrong' in the CPE candidate selection
logic: there is no way to reliably determine the right candidate.
I think it makes sense to use specific data around the vendor
candidate generation, somewhat similar to
'defaultCandidateAdditions'.
Unfortunately there are still a few CVEs for old (pre-5.x,
long unsupported) tomcat versions that are actually tagged with
`apache_software_foundation`, but I'm not sure those are worth
spending time on.
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* chore: swap out array of vendors for set data structure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 19:16:53 +00:00
Christopher Angelo Phillips
44e8ae2577
fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 17:22:05 +00:00
Chapman Pendery
ac8f72fdd1
feat: add BeamVM Hex support (#1073)
* feat: initial commit providing mix support
Signed-off-by: cpendery <cpendery@vt.edu>
* feat: add rebar parser
Signed-off-by: cpendery <cpendery@vt.edu>
* fix: add beam/hex everywhere else required for Syft runtime
Signed-off-by: cpendery <cpendery@vt.edu>
* style: fix lints
Signed-off-by: cpendery <cpendery@vt.edu>
* ci: fix failing tests
Signed-off-by: cpendery <cpendery@vt.edu>
* docs: update with new supported languages
Signed-off-by: cpendery <cpendery@vt.edu>
* chore: update elixir/erlang catalogers to generic cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: cpendery <cpendery@vt.edu>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 12:10:46 -05:00
witchcraze
e063471c66
feat: add apache httpd binary classifier (#1448)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-01-12 10:50:01 -05:00
Batuhan Apaydın
645debe7a4
chore: claim artifacthub package ownership from developer-guy (#881)
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2023-01-11 15:25:42 -05:00
mikcl
4bfb849310
Parallel package catalog processing (#1355)
* catalog: run catalogers concurrently
Signed-off-by: mikcl <mikesmikes400@gmail.com>
* frontend: expose workers as a configurable option
Signed-off-by: mikcl <mikesmikes400@gmail.com>
* fixup! frontend: expose workers as a configurable option
Signed-off-by: mikcl <mikesmikes400@gmail.com>
* update logging statements
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test: assert for debug logging
Signed-off-by: mikcl <mikesmikes400@gmail.com>
Signed-off-by: mikcl <mikesmikes400@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-11 15:18:02 -05:00
witchcraze
d524bd5fc3
feat: Add php binary catalogers (#1444)
* add php classifier
Signed-off-by: witchcraze <witchcraze@gmail.com>
* make lint-fix
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-01-11 13:46:20 -05:00
anchore-actions-token-generator[bot]
a8416d674b
Update syft bootstrap tools to latest versions. (#1443)
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-01-11 12:50:40 -05:00
Keith Zantow
725529f43f
fix: duplicate file in tar archive causes read to fail (#1445)
2023-01-10 14:55:02 -05:00
William Blair
e480443c8c
Add support for GraalVM Native Image executables. (#1276)
Signed-off-by: William Blair <william.blair@oracle.com>
2023-01-06 18:31:22 -05:00
Benji Visser
db386baf81
Add redis binary classifier (#1438)
Signed-off-by: Benji Visser <benji@093b.org>
2023-01-06 12:50:48 -05:00
Christopher Angelo Phillips
795a63f1c9
docs: add cataloger construction summary (#1434)
2023-01-05 17:03:00 +00:00
anchore-actions-token-generator[bot]
d4f9993b8d
chore: update bootstrap tools to latest versions. (#1428)
2023-01-05 10:20:58 -05:00
Benji Visser
bb6fc6525c
Add alpine type to purl (#1431)
Signed-off-by: Benji Visser <benji@093b.org>
2023-01-04 17:35:46 -05:00
Benji Visser
bc1edb9c8a
adding purl types for binary classifiers (#1435)
Signed-off-by: Benji Visser <benji@093b.org>
v0.65.0
2023-01-04 11:34:37 -05:00
Keith Zantow
64be0a1072
chore: refactor basic CPE functionality to its own package (#1436)
2023-01-04 11:26:28 -05:00
Justin Chadwell
e3d6ffd30e
fix: typo in os.Getwd error message (#1433)
Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-01-03 14:56:20 +00:00
Justin Chadwell
8d36b21237
fix: additional excessive go binary warnings (#1432)
The original fix b125ea83baa30dc981e82f4ddd384602f778f090 didn't catch
all the excessive warnings, it seems like getArches can also be called
on binaries that aren't necessarily go binaries, so the messages from
this should also be Trace instead of Warn.
Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-01-03 09:54:08 -05:00
Rui Chen
6a7d6e6071
docs: migrate to homebrew-core (#1427)
2023-01-02 08:16:32 -05:00
Keith Zantow
e1e489a284
fix: unicode output in cyclonedx-json format (#1420)
v0.64.0
2022-12-23 08:37:47 -05:00
Keith Zantow
b125ea83ba
fix: excessive go binary warnings (#1424)
2022-12-23 08:36:49 -05:00
Christopher Angelo Phillips
3690f979b3
feat: update spdx format model to produce valid spdx json documents (#1418)
2022-12-21 15:56:03 -05:00
Alex Goodman
5dd726fc86
clean package names in python parsers (#1417)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-12-21 18:31:49 +00:00
Christopher Angelo Phillips
c8b8b1ca11
docs: update schema name to 2.3 (#1416)
2022-12-20 02:57:19 +00:00
Keith Zantow
7b08608adb
feat: add h1digest when scanning go.mod (#1405)
Fixes https://github.com/anchore/syft/issues/1277
2022-12-20 02:18:35 +00:00
dja-fr
82f32c7301
feat: Add license parsing for java (#1385)
2022-12-19 20:10:15 -05:00
Keith Zantow
4ffbeeeea5
fix: cyclonedx component type for binaries (#1406)
2022-12-19 19:49:27 -05:00
Keith Zantow
b1d6dae203
fix: openjdk detection pattern (#1415)
2022-12-19 19:49:04 -05:00
Christopher Angelo Phillips
0f1e8fca14
bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404)
2022-12-20 00:10:35 +00:00
Thomas Klausner
8b38549b79
Add NetBSD support. (#1412)
2022-12-19 16:59:50 -05:00
Christopher Angelo Phillips
23a3173c9f
feat: add catalog delete (#1377)
v0.63.0
2022-12-12 12:55:12 -05:00
Keith Zantow
17aa8287e6
docs: remove file classifier (#1397)
2022-12-08 16:50:29 +00:00
Christopher Angelo Phillips
730d3e3187
chore: update latest cyclonedx library (#1390)
2022-12-08 11:36:08 -05:00
Keith Zantow
997fbdfcf3
feat: Add Java binary catalogers (#1392)
2022-12-08 10:50:28 -05:00