---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix(cpe-generation): set start and end date
Previously, the update job was silently failing because the NVD API
returns a 404 with no body if a start date is specified but not an end
date. Further, the API returns an error if more than 120 days are in
range of the start and end date.
Update the API client to:
1. Return a non-nil error on http 404
2. Chunk the date range into 120 day chunks
3. Pass start and end date to avoid errors.
Also add more tolerant timestamp parsing since the previous update job
would fail with timestamp format errors.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* refactor(cpe-generator): remove callbacks
Previously, this job had callbacks that were there to make sure that
incremental progress could be written to disk. However, incremental
progress was not being written to disk, and there were issues related to
the callbacks like double logging. Therefore, just remove the callbacks
and do simple imperative code to page through the API results.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
NVD uses "aomedia" as the vendor for libavif CVEs. This change adds
libavif to the APK package CPE candidate additions with "aomedia" as
an additional vendor, enabling Syft/Grype to match CVEs like
CVE-2025-48174 and CVE-2025-48175.
Signed-off-by: Peter Bücker <peter.buecker@gmail.com>
Signed-off-by: Alan Pope <alan@popey.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* add info command from generated capabilities
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct gentoo and arch ecosystems
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename os pkg types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* better binary cataloger description
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* expose metadata and pacakge types in json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* expose json schema types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add completeness tests for metadata types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* latest generation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve testing a docs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests and linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore goreleaser config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* tweak diagram
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix pdm
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: java binary data
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* new capability descriptions for gguf and python
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct poetry lock integrity hash claim
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix compile error
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: remove purl version from overrides
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* fix lua deps ref
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep gguf as ai ecosystem
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split packages.yaml to multiple files by go package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure tests do not use go test cache
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* sort json output for info command
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* docs: fix ocaml, php, and portage capabilities yaml
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: update erlang capabilities
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update java capabilities
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update javascript capabilities
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update linux kernel capabilities
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* remove missing tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix package.yaml references
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* revert license list change
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* check for drift in capability descriptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate capabilities
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test cleanup
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use fixture cache in static analysis
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* claim fixtures pre-req for cap generation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update documentation with correct regeneration procedure
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: ruby-gemspec-cataloger finds no dependencies
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: fix python docs and config comment
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: commit re-generated java yaml
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* add cataloger selection to caps command
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-generate cap yamls
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests for cataloger selection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add missing tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename cmd to `cataloger info`
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] change capability description locations
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] continued
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] adjust for import cycles
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct docs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* decompress upx packed binaries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting and remove dead code
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* syft detect embedded deps.json,dotnet , fixed#4344
Signed-off-by: Rez Moss <hi@rezmoss.com>
* [wip] have pe utils process embedded dep.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] add PoC bundler processing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] search for bundle marker within pe sections
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* put bundle parsing for multiple .net versions under test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fixed#4316 go mod with ver purl
Signed-off-by: Rez Moss <hi@rezmoss.com>
* go mod purl fixed, added func to handle go.mod
Signed-off-by: Rez Moss <hi@rezmoss.com>
* fix: use module name in PURL string everywhere
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
* fix:the os of an elf binary should be detected even when the os version is empty
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:revoke the update of appCpe
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:resume the testcase
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* fix:revoke the possible compromise to the json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* fix:align with the json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* add a json schema(pre-relase,may be in conflict with others')
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:add a json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:revert the accidental change to 16.1.0
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* regression/fix:best effort to get the os info
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:resume the previous json file
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* update the schema ver to 16.2.0
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:no breaking behavior
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore: follow the guide of the README.md
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* appCpe is temporarily unused
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* preserve json field for osCPE
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Removes an accidental `fmt.Println("error", err)` that was left in
the javascript dependency parser. This causes noisy output to stdout
when parsing npm package-lock.json files that contain dependency
specifiers that aren't valid PURLs.
Signed-off-by: Chris Greeno <chris@fresha.com>
* Adding a second function to validate/correct urls that are just github repositories
Signed-off-by: Kendrick <kmartinix@gmail.com>
* Adding test case to capture github repositories
Signed-off-by: Kendrick <kmartinix@gmail.com>
---------
Signed-off-by: Kendrick <kmartinix@gmail.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Otherwise, we get test failures on macOS if macOS has decided to put
.DS_Store entries in the test fixtures.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Because package names in METADATA files may have upper case like
Werkzeug or Jinja2, but Syft artifacts have normalized names and are
lower case, like werkzeug or jinja2, Syft would miss emitting dependency
relationships. Therefore, normalize dependency names before comparing
with existing artifacts.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
