* Use file indexer when scanning with file source
Prevents filesystem walks when scanning a single file, to
optimise memory & scan times in case the scanned file
lives in a directory containing many files.
Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>
* Create filetree resolver
Shared behaviour for resolving indexed filetrees.
Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>
---------
Signed-off-by: adammcclenaghan <adam@mcclenaghan.co.uk>
* feat: update hasExtractedLicense field to include license-ref candidates
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* feat: emit dependency relationships found in Cargo.lock
Include updating test Cargo.lock to have dependencies on multiple
versions of the same crate.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
With older versions of mariadb the binary name was `mysql`, so this
adjusts the binary classifier to additionally search for the expected
version pattern in `mysql` binaries.
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* chore: don't try to parse empty string as CPE
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: improve OS name and version extraction from ELF metadata
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Improves the go cataloger semver extraction logic to include getting the
release version of traefik. This is based off of the regex pattern that
already existed in the traefik binary classifier.
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Improved parsing of package.json 'author' section
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
* test: parse 'package.json' files with non-standard fields in author section
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
---------
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
Co-authored-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
* add dpkg evidence support
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use path over filepath
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Test CPE attributes correctly returns error
Previously, this method incorrectly return an empty Attributes object
and a nil error, leading to callers attempting to use the empty
attributes object.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: merge with main and refactor call that relied on old nil behavior
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: add test to cover new OSCPE err pattern
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* add jvm cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* simplify version selection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* CPEs from JVM cataloger should be declared
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure package overlap is enabled for sensitive use cases
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* more permissive glob
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add policy for empty name and version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* default stub version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* modifying ids requires augmenting relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: disable gosec(G115)
A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the
latest golang-ci linter.
https://github.com/securego/gosec/issues/1185https://github.com/securego/gosec/pull/1149
We're going to ignore this rule for the time being while waiting for gosec to get updates so that
bound checking and example snippets of `valid` code is added for this rule
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
