* binary cataloger should continue on errors
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test: add redirect for cmd stderr stdout
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: image update for test failure
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* normalize error handling and recover from panics while parsing binaries
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* moved the relevant fields to the Metadata field
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* added metadata types
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* Added hashes to metadata of packge-lock.json and Pipfile.lock
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* move package metadata types to "pkg" package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-generate json schema to include new npm, python, and binary metadatas
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* feat: prefer known CPE vendors over other candidates
All ASF projects will be under the `apache` vendor in CPE, and
indeed this is already one of the candidates, but the logic
for selecting the 'most specific' CPE string would select for
example `apache_software_foundation` or `commons-text`.
This is not necessarily 'wrong' in the CPE candidate selection
logic: there is no way to reliably determine the right candidate.
I think it makes sense to use specific data around the vendor
candidate generation, somewhat similar to
'defaultCandidateAdditions'.
Unfortunately there are still a few CVE's for old (pre-5.x,
long unsupported) tomcat versions that are actually tagged with
`apache_software_foundation`, but I'm not sure those are worth
spending time on.
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* chore: swap out array of vendors for set data structure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
The original fix b125ea83baa30dc981e82f4ddd384602f778f090 didn't catch
all the excessive warnings, it seems like getArches can also be called
on binaries that aren't neccessarily go binaries, so the messages from
this should also be Trace instead of Warn.
Signed-off-by: Justin Chadwell <me@jedevc.com>
