oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-19 17:33:18 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,048 Commits 64 Branches 244 Tags
Commit Graph

1233 Commits

Author SHA1 Message Date
Mikail
f2caf45695
fix: properly decode SPDX license expressions in CycloneDX format (#3175) 
Signed-off-by: Mikail Kocak <mikail-gh@pm.me>
 2024-08-29 11:05:43 -04:00
Keith Zantow
11d77b4a94
fix: cycles resolving relative path parent poms with parent-defined variables (#3170) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-08-28 15:12:13 -04:00
Weston Steimel
2c25f81b68
fix: improve generated cpes for binaries with existing classifiers (#3169) 
The existing syft binary classifiers already specify any known CPEs for
the defined binary; however, sometimes these end up getting suppressed
(such as when there are ELF notes extracted) and the CPE generator ends
up being used instead.  This adds enough detail to at least ensure the
correct ones get appended to the generation list for the currently
covered classifiers.

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
 2024-08-28 16:46:35 +01:00
Weston Steimel
5ab43bafec
fix: improve known CPEs and set NVD as source for all current binary classifiers (#3167) 
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
 2024-08-27 17:36:34 +01:00
Alex Goodman
e9a8c27be1
respond to authoratative CPEs from catalogers (#3166) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2024-08-27 10:26:35 -04:00
Weston Steimel
99be365f62
fix: use official CPE for curl binary cataloger (#3164) 
The official CPE for curl is `cpe:2.3🅰️haxx:curl:*:*:*:*:*:*:*:*`

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
 2024-08-27 14:03:19 +01:00
anchore-actions-token-generator[bot]
0cd6185716
chore(deps): update CPE dictionary index (#3161) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-08-26 10:07:44 -04:00
anchore-actions-token-generator[bot]
dad253785e
chore(deps): update tools to latest versions (#3144) 2024-08-23 14:42:12 -04:00
KrysGor
cff9d494df
feat: detect curl binaries (#3146) 2024-08-23 14:41:08 -04:00
Keith Zantow
73b9d5aa42
fix: mysql 8.0.3x binary detection (#3142) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-08-21 09:48:28 -04:00
Keith Zantow
95b4a88256
fix: logging for remote network calls (#3140) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-08-20 11:45:33 -04:00
anchore-actions-token-generator[bot]
511cc9c2d5
chore(deps): update CPE dictionary index (#3135) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-08-19 12:49:43 -04:00
anchore-actions-token-generator[bot]
4b7ae0ed3b
chore(deps): update tools to latest versions (#3121) 
* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: update code to reflect new linter settings for error messages

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
 2024-08-16 17:56:36 +00:00
Lucas Rodriguez
cd3b828905
fix: add nil check to CycloneDX toBomProperties (#3119) 
Signed-off-by: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
 2024-08-13 16:02:15 -04:00
Lukas Voetmand
3161e1847e
fix: read CycloneDX BOM components from metadata (#3092) 
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
 2024-08-12 16:37:23 -04:00
Weston Steimel
df1e5b57fe
fix: improve groupid extraction for Jenkins plugins (#2815) 
* fix: improve groupid extraction for Jenkins plugins

Consider the `Group-Id` java manifest property as this is typically set
for Jenkins plugins if there is no pom file

Signed-off-by: Weston Steimel <commits@weston.slmail.me>

* test: update java purl integration test image

Signed-off-by: Weston Steimel <commits@weston.slmail.me>

---------

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
 2024-08-12 13:01:44 -04:00
anchore-actions-token-generator[bot]
d2b33f1acb
chore(deps): update CPE dictionary index (#3116) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
 2024-08-12 16:57:47 +00:00
GGMU
91cf066db6
support .kar files (#3113) 
* add kar

Signed-off-by: tomersein <tomersein@gmail.com>
 2024-08-12 12:10:03 -04:00
Keith Zantow
cf85450e08
chore: fix failing python relationship test (#3117) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-08-12 12:07:47 -04:00
anchore-actions-token-generator[bot]
214a0498e0
chore(deps): update CPE dictionary index (#3094) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-08-06 13:07:48 -04:00
Gijs Calis
9d40d1152e
feat: improved java maven property resolution (#2769) 
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
 2024-08-05 11:30:47 -04:00
Harippriya Sivapatham
cc15edca62
fix: use organization for package supplier when reading Java vendor fields (#3093) 
Signed-off-by: Harippriya Sivapatham <harippriyasivapatham@gmail.com>
 2024-08-03 16:00:55 -04:00
Dor Hayun
48f1e975f0
fix: update 'guessMainPackageNameAndVersionFromPomInfo' and 'artifactIDMatchesFilename' (#3054) 
- Correct retrieval of package name when main POM file exists
- Address issue where wrong package name was retrieved for certain jars
- Example case: 'jansi' jar containing multiple jars like 'jansi-win32'
- Ensure true is returned when filename matches the artifact ID, prevent random retrieval by checking prefix and suffix
- Use fallback check with suffix and prefix if no POM properties file matches the exact artifact name

Signed-off-by: dor-hayun <dor.hayun@mend.io>
Co-authored-by: dor-hayun <dor.hayun@mend.io>
 2024-08-01 13:47:15 -04:00
Christopher Angelo Phillips
c84cb2cf84
fix: update mainModuleVersion function to always prefix v to findings (#3087) 
* chore: basic fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: make sure ldflags are prefixed with v
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
 2024-08-01 11:29:07 -04:00
Laurent Goderre
92d63df6f5
Added the SWI Prolog (swipl) ecosystem (#3076) 
* Add binary classifier for swipl

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>

* Added cataloger for SWI Prolog Pack packages

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>

---------

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
 2024-07-31 16:13:26 -04:00
Keith Zantow
a4b5dcd0df
fix: improve determinism in java archive identification (#3085) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-07-30 12:02:52 -04:00
anchore-actions-token-generator[bot]
a2042e629c
chore(deps): update CPE dictionary index (#3079) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-07-29 10:03:59 -04:00
witchcraze
490e05adb2
fix: traefik classifier (#3077) 
Signed-off-by: witchcraze <witchcraze@gmail.com>
 2024-07-29 09:46:51 -04:00
mikcl
1cd75b7d68
python-cataloger: fix normalization test (#3073) 
Signed-off-by: mikcl <mikesmikes400@gmail.com>
 2024-07-25 15:45:14 -04:00
Laurent Goderre
4882d2e8ce
Only match ldflag version if it matches the main module or targets main.version (#3062) 
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
 2024-07-25 13:56:55 -04:00
mikcl
b3848f780f
python cataloger: allow dots in python package names (#3070) 
Signed-off-by: mikcl <mikesmikes400@gmail.com>
 2024-07-25 13:56:10 -04:00
mikcl
36f95d6828
python-cataloger: normalize package names (#3069) 
Signed-off-by: mikcl <mikesmikes400@gmail.com>
 2024-07-25 13:54:13 -04:00
Keith Zantow
741c8fb9bd
fix: SPDX output performance with many relationships (#3053) 2024-07-24 10:14:20 -04:00
Alex Goodman
9573f557d1
better go mod detection from partial package builds (#3060) 
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2024-07-24 09:34:40 -04:00
dependabot[bot]
fe7c5a7174
chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1 to 0.12.1 (#3040) 
* chore(deps): bump github.com/charmbracelet/lipgloss

Bumps [github.com/charmbracelet/lipgloss](https://github.com/charmbracelet/lipgloss) from 0.11.1 to 0.12.1.
- [Release notes](https://github.com/charmbracelet/lipgloss/releases)
- [Changelog](https://github.com/charmbracelet/lipgloss/blob/master/.goreleaser.yml)
- [Commits](https://github.com/charmbracelet/lipgloss/compare/v0.11.1...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/lipgloss
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: pin fedora linux/amd64 to sha

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
 2024-07-22 10:43:17 -07:00
Keith Zantow
125c787e40
chore: add debug logging for errors reading RPM files (#3051) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-07-22 13:05:04 -04:00
anchore-actions-token-generator[bot]
bfe6f5204a
chore(deps): update CPE dictionary index (#3035) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-07-22 08:56:58 -07:00
Keith Zantow
ba31c2f1ae
fix: include CPEs with Maven groupId as vendor (#3045) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-07-17 11:23:58 -07:00
William Murphy
75902b0540
fix: stop panicking on "devel" version go stdlib (#3043) 
Previously, if a Go binary was cataloged with build info indicating that
the go compiler version used was "deve", syft would panic on a nil
pointer dereference. Instead, skip creating a Go stdlib reference and
relationship for such a package.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
 2024-07-16 09:51:14 -04:00
Keith Zantow
278b72d39b
chore: pin fedora image for elf binary test (#3041) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-07-15 16:37:09 +00:00
Christopher Angelo Phillips
f7ffcc534f
fix: stabilize cpe sorting during collection sort (#3009) 2024-07-09 14:24:21 -04:00
Laurent Goderre
b101f44aba
Map the downloadLocation field for PHP Composer packages (#3011) 
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
 2024-07-09 09:01:58 -07:00
anchore-actions-token-generator[bot]
04c861bf77
chore(deps): update CPE dictionary index (#3016) 2024-07-08 08:13:17 -04:00
Alex Goodman
573440b7cf
Infer the package type from ELF package notes (#3008) 
* fix ELF package types to be honored

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* prefer OS packages over binary packages when there are duplicates

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
 2024-07-02 16:07:08 -04:00
anchore-actions-token-generator[bot]
7f3ca65cf6
chore(deps): update CPE dictionary index (#3002) 2024-07-01 15:02:15 -04:00
Danielle Featherstone
5283c4687a
feat: version 3 support for swift package manager of the resolved files (#3001) 
Signed-off-by: Danielle Featherstone <dfeatherstone@fearless.tech>
 2024-07-01 14:27:37 -04:00
Laurent Goderre
ceced5eb27
Add detection of Erlang in Alpine linux (#2996) 
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
 2024-06-25 14:40:40 -07:00
anchore-actions-token-generator[bot]
1eae9333a9
chore(deps): update CPE dictionary index (#2986) 
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
 2024-06-24 08:27:29 -07:00
Keith Zantow
bd1c1d260c
fix: handle errors reading go licenses (#2985) 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
 2024-06-24 10:27:03 -04:00
Rajan Agaskar
ae0683074e
feat: update syft to generate cyclone-dx 1.6 by default (#2978) 
- Resolves #2974
- add detailed instructions re: updating schemas (a necessary task
  when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not
  clear to me how this is used at this time (it may be redundant given
  other code), but effectively unless a specific spec version is
  configured, `syft` will emit the "most recent" spec version available
  for cyclonedx. Users who wish to pin back to a "older" specVersion
  (e.g. to preserve compatibilty with utilities that have not yet bumped
  to latest) can either set this in a syft config file or pass a
  name@spec_version pair to the output flag (e.g. `-o
  cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`)
- Regenerate relevant .golden files (there seems to be a way to do this
  via flags, but I couldn't quite figure out the right set to pass
  correctly, esp. since (as a relative go novice) I found it difficult
  to run just a single test file. I ended up "brute-forcing it" by
  changing the *updateSnapshot val to "true" and running it in Goland.
  A brief comment giving an example of regenerating fixtures usage would
  be helpful.

Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
 2024-06-21 08:51:27 -07:00