Will Murphy
a3bd5145d2
wire up bitnami cataloger to run on images by default
...
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-10-08 14:14:23 -04:00
Will Murphy
6a33b80048
prototype: start bitnami cataloger
...
Bitnami images have spdx SBOMs at predictable paths, and Syft could more
accurately identify the software in these images by scanning those
SBOMs. Start work on this by forking the sbom-cataloger as a new
bitnami-cataloger.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-10-08 09:34:01 -04:00
Keith Zantow
ccbee94b87
feat: report unknowns in sbom ( #2998 )
...
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-10-07 16:11:37 -04:00
dependabot[bot]
4d7ed9f749
chore(deps): bump sigstore/cosign-installer from 3.6.0 to 3.7.0 ( #3299 )
...
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer ) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases )
- [Commits](https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0 )
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-07 15:21:34 -04:00
anchore-actions-token-generator[bot]
4c4e5cb06c
chore(deps): update stereoscope to efa76446cc1c7e6c4117350943a2754b2453aec4 ( #3301 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: kzantow <3009477+kzantow@users.noreply.github.com>
2024-10-07 15:21:26 -04:00
dependabot[bot]
8b6159dbd8
chore(deps): bump golang.org/x/net from 0.29.0 to 0.30.0 ( #3304 )
...
Bumps [golang.org/x/net](https://github.com/golang/net ) from 0.29.0 to 0.30.0.
- [Commits](https://github.com/golang/net/compare/v0.29.0...v0.30.0 )
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-07 15:20:38 -04:00
dependabot[bot]
7b30ce15d7
chore(deps): bump actions/cache from 4.0.2 to 4.1.0 ( #3305 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 4.0.2 to 4.1.0.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](0c45773b62...2cdf405574
2024-10-07 15:20:29 -04:00
anchore-actions-token-generator[bot]
27ee203495
chore(deps): update CPE dictionary index ( #3302 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-10-07 15:20:12 -04:00
Piotr Radkowski
3b9c55d28b
Fix: Parse package.json with non-standard fields in 'author' section ( #3300 )
...
* Improved parsing of package.json 'author' section
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
* test: parse 'package.json' files with non-standard fields in author section
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
---------
Signed-off-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
Co-authored-by: Piotr Radkowski <piotr.radkowski@contractors.roche.com>
2024-10-07 10:26:04 -04:00
dependabot[bot]
25f5c6729f
chore(deps): bump github/codeql-action from 3.26.10 to 3.26.11 ( #3298 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.26.10 to 3.26.11.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](e2b3eafc8d...6db8d6351f
2024-10-05 09:25:01 -04:00
William Murphy
0d457142cc
chore: add pull request template ( #3294 )
...
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
2024-10-05 09:05:11 -04:00
anchore-actions-token-generator[bot]
fc8457418a
chore(deps): update tools to latest versions ( #3296 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-10-05 07:32:32 -04:00
Alex Goodman
13c6876906
Track supporting DPKG evidence ( #3228 )
...
* add dpkg evidence support
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use path over filepath
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-10-04 11:07:29 -04:00
William Murphy
770fdc53ea
Fix: make failed CPE validation correctly return error ( #2762 )
...
* Test CPE attributes correctly returns error
Previously, this method incorrectly return an empty Attributes object
and a nil error, leading to callers attempting to use the empty
attributes object.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: merge with main and refactor call that relied on old nil behavior
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: add test to cover new OSCPE err pattern
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-10-03 16:42:57 -04:00
dependabot[bot]
32c0d1e673
chore(deps): bump github.com/jedib0t/go-pretty/v6 from 6.5.9 to 6.6.0 ( #3293 )
...
Bumps [github.com/jedib0t/go-pretty/v6](https://github.com/jedib0t/go-pretty ) from 6.5.9 to 6.6.0.
- [Release notes](https://github.com/jedib0t/go-pretty/releases )
- [Commits](https://github.com/jedib0t/go-pretty/compare/v6.5.9...v6.6.0 )
---
updated-dependencies:
- dependency-name: github.com/jedib0t/go-pretty/v6
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-10-03 10:14:13 -04:00
witchcraze
263ea6b1bb
feat: update haproxy classifier ( #3277 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2024-10-02 15:10:39 -04:00
anchore-actions-token-generator[bot]
cc4f62b3d4
chore(deps): update tools to latest versions ( #3291 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-10-02 09:07:25 -04:00
Niv Govrin
dbad17de9e
fix: don't use builtin scanner in licensecheck ( #3290 )
...
Signed-off-by: Niv Govrin <nivgo@oligosecurity.io>
2024-10-01 13:53:54 -04:00
anchore-actions-token-generator[bot]
93beceb4a2
chore(deps): update CPE dictionary index ( #3288 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-10-01 10:50:15 -04:00
dependabot[bot]
9b242b0309
chore(deps): bump github/codeql-action from 3.26.9 to 3.26.10 ( #3289 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.26.9 to 3.26.10.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](461ef6c76d...e2b3eafc8d
2024-10-01 10:48:46 -04:00
witchcraze
f5f8005fe0
update redis classifier ( #3281 )
...
* update redis classifier
Signed-off-by: witchcraze <witchcraze@gmail.com>
* Remove snippets to pass Validation.
In this case, 9000 byte was required...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2024-09-30 15:37:47 -04:00
witchcraze
2a3d171c10
fix: improve node classifier version matching ( #3284 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2024-09-27 08:53:35 -04:00
witchcraze
1a746b2c05
fix: update ruby classifier for -rc, -dev, etc. versions ( #3285 )
...
Signed-off-by: witchcraze <witchcraze@gmail.com>
2024-09-27 08:51:50 -04:00
anchore-actions-token-generator[bot]
e37c4686c2
chore(deps): update CPE dictionary index ( #3262 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-09-26 13:49:18 -04:00
dependabot[bot]
5393cd5dec
chore(deps): bump github.com/docker/docker ( #3264 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 27.3.0+incompatible to 27.3.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v27.3.0...v27.3.1 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-26 13:49:02 -04:00
dependabot[bot]
f9ef9cf1dc
chore(deps): bump github/codeql-action from 3.26.8 to 3.26.9 ( #3275 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.26.8 to 3.26.9.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](294a9d9291...461ef6c76d
2024-09-26 13:48:45 -04:00
anchore-actions-token-generator[bot]
16122eb32d
chore(deps): update stereoscope to dc10ea61fd18efa45b516eda4de8bc19d8322429 ( #3280 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: kzantow <3009477+kzantow@users.noreply.github.com>
2024-09-26 13:48:33 -04:00
dependabot[bot]
39b2bf5518
chore(deps): bump actions/checkout from 4.1.7 to 4.2.0 ( #3283 )
...
Bumps [actions/checkout](https://github.com/actions/checkout ) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases )
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md )
- [Commits](692973e3d9...d632683dd7
2024-09-26 13:48:12 -04:00
Alex Goodman
d7005d7d8c
add awaiting response management ( #3272 )
...
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-25 08:56:21 -04:00
Christian Dupuis
92c1ddec5a
fix: correct excluded mount point comparison to file paths ( #3269 )
...
Signed-off-by: Christian Dupuis <cd@docker.com>
2024-09-24 17:05:16 -04:00
Alex Goodman
01de99b253
Add JVM cataloger ( #3217 )
...
* add jvm cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* simplify version selection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* CPEs from JVM cataloger should be declared
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure package overlap is enabled for sensitive use cases
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* more permissive glob
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-23 17:21:38 -04:00
Laurent Goderre
7815d8e4d9
feat: classifier for Dart lang binaries ( #3265 )
...
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-09-23 14:21:31 -04:00
Alex Goodman
963ea594c8
Add compliance policy for empty name and version ( #3257 )
...
* add policy for empty name and version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* default stub version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* modifying ids requires augmenting relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-20 12:50:47 -04:00
dependabot[bot]
60bbd24031
chore(deps): bump github.com/github/go-spdx/v2 from 2.3.1 to 2.3.2 ( #3254 )
...
Bumps [github.com/github/go-spdx/v2](https://github.com/github/go-spdx ) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/github/go-spdx/releases )
- [Commits](https://github.com/github/go-spdx/compare/v2.3.1...v2.3.2 )
---
updated-dependencies:
- dependency-name: github.com/github/go-spdx/v2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-20 10:50:16 -04:00
dependabot[bot]
7c12e3f3b3
chore(deps): bump peter-evans/create-pull-request from 7.0.3 to 7.0.5 ( #3255 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 7.0.3 to 7.0.5.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](6cd32fd936...5e914681df
2024-09-20 10:50:03 -04:00
dependabot[bot]
9b5cf1db51
chore(deps): bump github/codeql-action from 3.26.7 to 3.26.8 ( #3256 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.26.7 to 3.26.8.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](8214744c54...294a9d9291
2024-09-20 10:49:55 -04:00
anchore-actions-token-generator[bot]
a08ea86aa6
chore(deps): update tools to latest versions ( #3259 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-20 10:49:37 -04:00
dependabot[bot]
98c96ce361
chore(deps): bump github.com/docker/docker ( #3260 )
...
Bumps [github.com/docker/docker](https://github.com/docker/docker ) from 27.2.1+incompatible to 27.3.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases )
- [Commits](https://github.com/docker/docker/compare/v27.2.1...v27.3.0 )
---
updated-dependencies:
- dependency-name: github.com/docker/docker
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-20 10:49:22 -04:00
Krystian G.
6a95a5f2ed
feat: add binary classifiers for lighttp, proftpd, zstd, xz, gzip, jq, and sqlcipher ( #3252 )
...
* feat: detect lighttpd binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect proftpd binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect zstd binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect xz utils binarie
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect gzip binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect sqlcipher binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* feat: detect jq binaries
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
* add tests + snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Krystian Gorny <krystian.gorny@wipotec.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Krystian Gorny <krystian.gorny@wipotec.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-09-19 13:21:02 +00:00
Krystian G.
cb0de97bc3
fix: capture-snippet.sh can handle leading whitespaces now ( #3249 ) ( #3250 )
...
Signed-off-by: Gorny Krystian <krystian.gorny@wipotec.com>
Co-authored-by: Gorny Krystian <krystian.gorny@wipotec.com>
2024-09-19 09:15:54 -04:00
anchore-actions-token-generator[bot]
50016c3172
chore(deps): update tools to latest versions ( #3251 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-19 09:15:12 -04:00
anchore-actions-token-generator[bot]
a2f12fef0c
chore(deps): update tools to latest versions ( #3247 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-18 13:13:24 -04:00
anchore-actions-token-generator[bot]
7934696463
chore(deps): update tools to latest versions ( #3243 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-17 12:30:07 -04:00
dependabot[bot]
b9efac4d78
chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.9.0 to 0.9.1 ( #3242 )
...
Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go ) from 0.9.0 to 0.9.1.
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases )
- [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml )
- [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.9.0...v0.9.1 )
---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-16 11:54:12 -04:00
dependabot[bot]
48c1c45d12
chore(deps): bump github/codeql-action from 3.26.6 to 3.26.7 ( #3241 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 3.26.6 to 3.26.7.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](4dd16135b6...8214744c54
2024-09-16 11:54:01 -04:00
dependabot[bot]
9cc3641ac6
chore(deps): bump peter-evans/create-pull-request from 7.0.2 to 7.0.3 ( #3240 )
...
Bumps [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request ) from 7.0.2 to 7.0.3.
- [Release notes](https://github.com/peter-evans/create-pull-request/releases )
- [Commits](d121e62763...6cd32fd936
2024-09-16 11:53:51 -04:00
anchore-actions-token-generator[bot]
7b4feb7c16
chore(deps): update tools to latest versions ( #3231 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-16 09:09:11 -04:00
anchore-actions-token-generator[bot]
41e9630409
chore(deps): update CPE dictionary index ( #3232 )
...
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-09-16 09:08:50 -04:00
anchore-actions-token-generator[bot]
58100fec9f
chore(deps): update tools to latest versions ( #3205 )
...
* chore(deps): update tools to latest versions
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: disable gosec(G115)
A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the
latest golang-ci linter.
https://github.com/securego/gosec/issues/1185
https://github.com/securego/gosec/pull/1149
We're going to ignore this rule for the time being while waiting for gosec to get updates so that
bound checking and example snippets of `valid` code is added for this rule
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-09-13 15:05:50 -04:00
dependabot[bot]
834027e32d
chore(deps): bump github.com/charmbracelet/bubbletea from 1.1.0 to 1.1.1 ( #3225 )
...
Bumps [github.com/charmbracelet/bubbletea](https://github.com/charmbracelet/bubbletea ) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/charmbracelet/bubbletea/releases )
- [Changelog](https://github.com/charmbracelet/bubbletea/blob/main/.goreleaser.yml )
- [Commits](https://github.com/charmbracelet/bubbletea/compare/v1.1.0...v1.1.1 )
---
updated-dependencies:
- dependency-name: github.com/charmbracelet/bubbletea
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-09-13 13:51:17 -04:00
