1263 Commits

Author SHA1 Message Date
Keith Zantow
85bddaa43d
chore: update schema (#1449) 2023-01-12 14:25:47 -05:00
Arnout Engelen
a864dc9505
feat: prefer known CPE vendors over other candidates (#1294)
* feat: prefer known CPE vendors over other candidates

All ASF projects will be under the `apache` vendor in CPE, and
indeed this is already one of the candidates, but the logic
for selecting the 'most specific' CPE string would select for
example `apache_software_foundation` or `commons-text`.

This is not necessarily 'wrong' in the CPE candidate selection
logic: there is no way to reliably determine the right candidate.
I think it makes sense to use specific data around the vendor
candidate generation, somewhat similar to
'defaultCandidateAdditions'.

Unfortunately there are still a few CVEs for old (pre-5.x,
long unsupported) tomcat versions that are actually tagged with
`apache_software_foundation`, but I'm not sure those are worth
spending time on.

Signed-off-by: Arnout Engelen <arnout@bzzt.net>

* chore: swap out array of vendors for set data structure

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 19:16:53 +00:00
Christopher Angelo Phillips
44e8ae2577
fix: update attestation code to remove library dependencies and shellout for keyless flow (#1442)
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 17:22:05 +00:00
Chapman Pendery
ac8f72fdd1
feat: add BeamVM Hex support (#1073)
* feat: initial commit providing mix support

Signed-off-by: cpendery <cpendery@vt.edu>

* feat: add rebar parser

Signed-off-by: cpendery <cpendery@vt.edu>

* fix: add beam/hex everywhere else required for Syft runtime

Signed-off-by: cpendery <cpendery@vt.edu>

* style: fix lints

Signed-off-by: cpendery <cpendery@vt.edu>

* ci: fix failing tests

Signed-off-by: cpendery <cpendery@vt.edu>

* docs: update with new supported languages

Signed-off-by: cpendery <cpendery@vt.edu>

* chore: update elixir/erlang catalogers to generic cataloger

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: cpendery <cpendery@vt.edu>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-12 12:10:46 -05:00
witchcraze
e063471c66
feat: add apache httpd binary classifier (#1448)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-01-12 10:50:01 -05:00
Batuhan Apaydın
645debe7a4
chore: claim artifacthub package ownership from developer-guy (#881)
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2023-01-11 15:25:42 -05:00
mikcl
4bfb849310
Parallel package catalog processing (#1355)
* catalog: run catalogers concurrently

Signed-off-by: mikcl <mikesmikes400@gmail.com>

* frontend: expose workers as a configurable option

Signed-off-by: mikcl <mikesmikes400@gmail.com>

* fixup! frontend: expose workers as a configurable option

Signed-off-by: mikcl <mikesmikes400@gmail.com>

* update logging statements

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* test: assert for debug logging

Signed-off-by: mikcl <mikesmikes400@gmail.com>

Signed-off-by: mikcl <mikesmikes400@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
2023-01-11 15:18:02 -05:00
witchcraze
d524bd5fc3
feat: Add php binary catalogers (#1444)
* add php classifier
Signed-off-by: witchcraze <witchcraze@gmail.com>

* make lint-fix
Signed-off-by: witchcraze <witchcraze@gmail.com>
2023-01-11 13:46:20 -05:00
anchore-actions-token-generator[bot]
a8416d674b
Update syft bootstrap tools to latest versions. (#1443)
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2023-01-11 12:50:40 -05:00
Keith Zantow
725529f43f
fix: duplicate file in tar archive causes read to fail (#1445) 2023-01-10 14:55:02 -05:00
William Blair
e480443c8c
Add support for GraalVM Native Image executables. (#1276)
Signed-off-by: William Blair <william.blair@oracle.com>
2023-01-06 18:31:22 -05:00
Benji Visser
db386baf81
Add redis binary classifier (#1438)
Signed-off-by: Benji Visser <benji@093b.org>
2023-01-06 12:50:48 -05:00
Christopher Angelo Phillips
795a63f1c9
docs: add cataloger construction summary (#1434) 2023-01-05 17:03:00 +00:00
anchore-actions-token-generator[bot]
d4f9993b8d
chore: update bootstrap tools to latest versions. (#1428) 2023-01-05 10:20:58 -05:00
Benji Visser
bb6fc6525c
Add alpine type to purl (#1431)
Signed-off-by: Benji Visser <benji@093b.org>
2023-01-04 17:35:46 -05:00
Benji Visser
bc1edb9c8a
adding purl types for binary classifiers (#1435)
Signed-off-by: Benji Visser <benji@093b.org>
v0.65.0
2023-01-04 11:34:37 -05:00
Keith Zantow
64be0a1072
chore: refactor basic CPE functionality to its own package (#1436) 2023-01-04 11:26:28 -05:00
Justin Chadwell
e3d6ffd30e
fix: typo in os.Getwd error message (#1433)
Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-01-03 14:56:20 +00:00
Justin Chadwell
8d36b21237
fix: additional excessive go binary warnings (#1432)
The original fix b125ea83baa30dc981e82f4ddd384602f778f090 didn't catch
all the excessive warnings; it seems like getArches can also be called
on binaries that aren't necessarily go binaries, so the messages from
this should also be Trace instead of Warn.

Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-01-03 09:54:08 -05:00
Rui Chen
6a7d6e6071
docs: migrate to homebrew-core (#1427) 2023-01-02 08:16:32 -05:00
Keith Zantow
e1e489a284
fix: unicode output in cyclonedx-json format (#1420) v0.64.0 2022-12-23 08:37:47 -05:00
Keith Zantow
b125ea83ba
fix: excessive go binary warnings (#1424) 2022-12-23 08:36:49 -05:00
Christopher Angelo Phillips
3690f979b3
feat: update spdx format model to produce valid spdx json documents (#1418) 2022-12-21 15:56:03 -05:00
Alex Goodman
5dd726fc86
clean package names in python parsers (#1417)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-12-21 18:31:49 +00:00
Christopher Angelo Phillips
c8b8b1ca11
docs: update schema name to 2.3 (#1416) 2022-12-20 02:57:19 +00:00
Keith Zantow
7b08608adb
feat: add h1digest when scanning go.mod (#1405)
Fixes https://github.com/anchore/syft/issues/1277
2022-12-20 02:18:35 +00:00
dja-fr
82f32c7301
feat: Add license parsing for java (#1385) 2022-12-19 20:10:15 -05:00
Keith Zantow
4ffbeeeea5
fix: cyclonedx component type for binaries (#1406) 2022-12-19 19:49:27 -05:00
Keith Zantow
b1d6dae203
fix: openjdk detection pattern (#1415) 2022-12-19 19:49:04 -05:00
Christopher Angelo Phillips
0f1e8fca14
bug: spdx checksum empty array; allow syft to generate SHA1 for spdx-tag-value documents (#1404) 2022-12-20 00:10:35 +00:00
Thomas Klausner
8b38549b79
Add NetBSD support. (#1412) 2022-12-19 16:59:50 -05:00
Christopher Angelo Phillips
23a3173c9f
feat: add catalog delete (#1377) v0.63.0 2022-12-12 12:55:12 -05:00
Keith Zantow
17aa8287e6
docs: remove file classifier (#1397) 2022-12-08 16:50:29 +00:00
Christopher Angelo Phillips
730d3e3187
chore: update latest cyclonedx library (#1390) 2022-12-08 11:36:08 -05:00
Keith Zantow
997fbdfcf3
feat: Add Java binary catalogers (#1392) 2022-12-08 10:50:28 -05:00
Marc-Etienne Vargenau
13ceed9336
chore: Update SPDX license list to 3.19 (#1389) 2022-12-08 10:29:27 -05:00
Chapman Pendery
668f102340
fix: add manual vendor/product removal to fix false flags (#1070)
Closes https://github.com/anchore/syft/issues/1066
Closes https://github.com/anchore/grype/issues/800
Closes https://github.com/anchore/grype/issues/491
2022-12-08 09:57:42 -05:00
anchore-actions-token-generator[bot]
f1a124209a
Update Stereoscope to c5ff155d72f166e2332e160a75c3ff2b8e9c7e2e (#1395)
Signed-off-by: GitHub <noreply@github.com>
2022-12-08 08:32:49 +00:00
Keith Zantow
5dbb3fc41d
chore: fix test busybox image sha (#1393) 2022-12-07 20:15:39 -05:00
Keith Zantow
614ea00905
fix: go version not properly identified in binary (#1384) 2022-12-02 13:24:36 -05:00
anchore-actions-token-generator[bot]
247b054ab5
Update Stereoscope to 3b80d983223f6e6fc2d33b0ffa003d30268418e9 (#1376)
Signed-off-by: GitHub <noreply@github.com>

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: wagoodman <wagoodman@users.noreply.github.com>
v0.62.3
2022-11-30 16:11:57 +00:00
Keith Zantow
9e43725951
fix: Update node binary package name (#1375) 2022-11-30 10:30:57 -05:00
Keith Zantow
4f39287216
feat: Generic Binary Cataloger (#1336) 2022-11-29 18:28:10 -05:00
Alex Goodman
7a69e2129b
recover from bad parsing of golang binary (#1371)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2022-11-29 15:56:46 +00:00
Dan Luhring
f6996f7b9a
Fix parsing of apk databases with large entries (#1365)
Closes https://github.com/anchore/syft/issues/1354
2022-11-29 10:16:36 -05:00
anchore-actions-token-generator[bot]
bd523bdb5d
Update syft bootstrap tools to latest versions. (#1369)
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2022-11-29 10:13:00 -05:00
Christopher Angelo Phillips
0cbd0cc703
fix: guard for locations < 1 in alpmdb parse (#1366) v0.62.2 2022-11-28 15:43:18 +00:00
Christopher Angelo Phillips
b290a445ca
fix: remove cabal.project.freeze panic on last pkg (#1363) 2022-11-23 22:33:18 +00:00
Christopher Angelo Phillips
bcfe38c009
fix: requirements.txt - return unicode only letter/num for version (#1361) 2022-11-22 10:43:05 -05:00
anchore-actions-token-generator[bot]
74967a28ea
Update syft bootstrap tools to latest versions. (#1356)
Co-authored-by: spiffcs <spiffcs@users.noreply.github.com>
2022-11-21 09:57:49 -05:00