* add dpkg evidence support
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use path over filepath
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Test CPE attributes correctly returns error
Previously, this method incorrectly return an empty Attributes object
and a nil error, leading to callers attempting to use the empty
attributes object.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: merge with main and refactor call that relied on old nil behavior
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: add test to cover new OSCPE err pattern
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* add jvm cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* simplify version selection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* CPEs from JVM cataloger should be declared
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure package overlap is enabled for sensitive use cases
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* more permissive glob
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add policy for empty name and version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* default stub version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* modifying ids requires augmenting relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: disable gosec(G115)
A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the
latest golang-ci linter.
https://github.com/securego/gosec/issues/1185https://github.com/securego/gosec/pull/1149
We're going to ignore this rule for the time being while waiting for gosec to get updates so that
bound checking and example snippets of `valid` code is added for this rule
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
The existing syft binary classifiers already specify any known CPEs for
the defined binary; however, sometimes these end up getting suppressed
(such as when there are ELF notes extracted) and the CPE generator ends
up being used instead. This adds enough detail to at least ensure the
correct ones get appended to the generation list for the currently
covered classifiers.
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* fix: improve groupid extraction for Jenkins plugins
Consider the `Group-Id` java manifest property as this is typically set
for Jenkins plugins if there is no pom file
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* test: update java purl integration test image
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
---------
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
- Correct retrieval of package name when main POM file exists
- Address issue where wrong package name was retrieved for certain jars
- Example case: 'jansi' jar containing multiple jars like 'jansi-win32'
- Ensure true is returned when filename matches the artifact ID, prevent random retrieval by checking prefix and suffix
- Use fallback check with suffix and prefix if no POM properties file matches the exact artifact name
Signed-off-by: dor-hayun <dor.hayun@mend.io>
Co-authored-by: dor-hayun <dor.hayun@mend.io>
* chore: basic fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: make sure ldflags are prefixed with v
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
