1230 Commits

Author SHA1 Message Date
Weston Steimel
5ab43bafec
fix: improve known CPEs and set NVD as source for all current binary classifiers (#3167)
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-08-27 17:36:34 +01:00
Alex Goodman
e9a8c27be1
respond to authoritative CPEs from catalogers (#3166)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-08-27 10:26:35 -04:00
Weston Steimel
99be365f62
fix: use official CPE for curl binary cataloger (#3164)
The official CPE for curl is `cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*`

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-08-27 14:03:19 +01:00
anchore-actions-token-generator[bot]
0cd6185716
chore(deps): update CPE dictionary index (#3161)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-08-26 10:07:44 -04:00
anchore-actions-token-generator[bot]
dad253785e
chore(deps): update tools to latest versions (#3144)
2024-08-23 14:42:12 -04:00
KrysGor
cff9d494df
feat: detect curl binaries (#3146)
2024-08-23 14:41:08 -04:00
Keith Zantow
73b9d5aa42
fix: mysql 8.0.3x binary detection (#3142)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-08-21 09:48:28 -04:00
Keith Zantow
95b4a88256
fix: logging for remote network calls (#3140)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-08-20 11:45:33 -04:00
anchore-actions-token-generator[bot]
511cc9c2d5
chore(deps): update CPE dictionary index (#3135)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-08-19 12:49:43 -04:00
anchore-actions-token-generator[bot]
4b7ae0ed3b
chore(deps): update tools to latest versions (#3121)
* chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* chore: update code to reflect new linter settings for error messages

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: spiffcs <32073428+spiffcs@users.noreply.github.com>
2024-08-16 17:56:36 +00:00
Lucas Rodriguez
cd3b828905
fix: add nil check to CycloneDX toBomProperties (#3119)
Signed-off-by: Lucas Rodriguez <lucas.rodriguez9616@gmail.com>
2024-08-13 16:02:15 -04:00
Lukas Voetmand
3161e1847e
fix: read CycloneDX BOM components from metadata (#3092)
Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
2024-08-12 16:37:23 -04:00
Weston Steimel
df1e5b57fe
fix: improve groupid extraction for Jenkins plugins (#2815)
* fix: improve groupid extraction for Jenkins plugins

Consider the `Group-Id` java manifest property as this is typically set
for Jenkins plugins if there is no pom file

Signed-off-by: Weston Steimel <commits@weston.slmail.me>

* test: update java purl integration test image

Signed-off-by: Weston Steimel <commits@weston.slmail.me>

---------

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-08-12 13:01:44 -04:00
anchore-actions-token-generator[bot]
d2b33f1acb
chore(deps): update CPE dictionary index (#3116)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-08-12 16:57:47 +00:00
GGMU
91cf066db6
support .kar files (#3113)
* add kar

Signed-off-by: tomersein <tomersein@gmail.com>
2024-08-12 12:10:03 -04:00
Keith Zantow
cf85450e08
chore: fix failing python relationship test (#3117)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-08-12 12:07:47 -04:00
anchore-actions-token-generator[bot]
214a0498e0
chore(deps): update CPE dictionary index (#3094)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-08-06 13:07:48 -04:00
Gijs Calis
9d40d1152e
feat: improved java maven property resolution (#2769)
Signed-off-by: Gijs Calis <51088038+GijsCalis@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
2024-08-05 11:30:47 -04:00
Harippriya Sivapatham
cc15edca62
fix: use organization for package supplier when reading Java vendor fields (#3093)
Signed-off-by: Harippriya Sivapatham <harippriyasivapatham@gmail.com>
2024-08-03 16:00:55 -04:00
Dor Hayun
48f1e975f0
fix: update 'guessMainPackageNameAndVersionFromPomInfo' and 'artifactIDMatchesFilename' (#3054)
- Correct retrieval of package name when main POM file exists
- Address issue where wrong package name was retrieved for certain jars
- Example case: 'jansi' jar containing multiple jars like 'jansi-win32'
- Ensure true is returned when filename matches the artifact ID, prevent random retrieval by checking prefix and suffix
- Use fallback check with suffix and prefix if no POM properties file matches the exact artifact name

Signed-off-by: dor-hayun <dor.hayun@mend.io>
Co-authored-by: dor-hayun <dor.hayun@mend.io>
2024-08-01 13:47:15 -04:00
Christopher Angelo Phillips
c84cb2cf84
fix: update mainModuleVersion function to always prefix v to findings (#3087)
* chore: basic fix
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* test: make sure ldflags are prefixed with v
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-08-01 11:29:07 -04:00
Laurent Goderre
92d63df6f5
Added the SWI Prolog (swipl) ecosystem (#3076)
* Add binary classifier for swipl

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>

* Added cataloger for SWI Prolog Pack packages

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>

---------

Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-07-31 16:13:26 -04:00
Keith Zantow
a4b5dcd0df
fix: improve determinism in java archive identification (#3085)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-07-30 12:02:52 -04:00
anchore-actions-token-generator[bot]
a2042e629c
chore(deps): update CPE dictionary index (#3079)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-07-29 10:03:59 -04:00
witchcraze
490e05adb2
fix: traefik classifier (#3077)
Signed-off-by: witchcraze <witchcraze@gmail.com>
2024-07-29 09:46:51 -04:00
mikcl
1cd75b7d68
python-cataloger: fix normalization test (#3073)
Signed-off-by: mikcl <mikesmikes400@gmail.com>
2024-07-25 15:45:14 -04:00
Laurent Goderre
4882d2e8ce
Only match ldflag version if it matches the main module or targets main.version (#3062)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-07-25 13:56:55 -04:00
mikcl
b3848f780f
python cataloger: allow dots in python package names (#3070)
Signed-off-by: mikcl <mikesmikes400@gmail.com>
2024-07-25 13:56:10 -04:00
mikcl
36f95d6828
python-cataloger: normalize package names (#3069)
Signed-off-by: mikcl <mikesmikes400@gmail.com>
2024-07-25 13:54:13 -04:00
Keith Zantow
741c8fb9bd
fix: SPDX output performance with many relationships (#3053)
2024-07-24 10:14:20 -04:00
Alex Goodman
9573f557d1
better go mod detection from partial package builds (#3060)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-07-24 09:34:40 -04:00
dependabot[bot]
fe7c5a7174
chore(deps): bump github.com/charmbracelet/lipgloss from 0.11.1 to 0.12.1 (#3040)
* chore(deps): bump github.com/charmbracelet/lipgloss

Bumps [github.com/charmbracelet/lipgloss](https://github.com/charmbracelet/lipgloss) from 0.11.1 to 0.12.1.
- [Release notes](https://github.com/charmbracelet/lipgloss/releases)
- [Changelog](https://github.com/charmbracelet/lipgloss/blob/master/.goreleaser.yml)
- [Commits](https://github.com/charmbracelet/lipgloss/compare/v0.11.1...v0.12.1)

---
updated-dependencies:
- dependency-name: github.com/charmbracelet/lipgloss
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore: pin fedora linux/amd64 to sha

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
2024-07-22 10:43:17 -07:00
Keith Zantow
125c787e40
chore: add debug logging for errors reading RPM files (#3051)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-07-22 13:05:04 -04:00
anchore-actions-token-generator[bot]
bfe6f5204a
chore(deps): update CPE dictionary index (#3035)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-07-22 08:56:58 -07:00
Keith Zantow
ba31c2f1ae
fix: include CPEs with Maven groupId as vendor (#3045)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-07-17 11:23:58 -07:00
William Murphy
75902b0540
fix: stop panicking on "devel" version go stdlib (#3043)
Previously, if a Go binary was cataloged with build info indicating that
the go compiler version used was "deve", syft would panic on a nil
pointer dereference. Instead, skip creating a Go stdlib reference and
relationship for such a package.

Signed-off-by: Will Murphy <will.murphy@anchore.com>
2024-07-16 09:51:14 -04:00
Keith Zantow
278b72d39b
chore: pin fedora image for elf binary test (#3041)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-07-15 16:37:09 +00:00
Christopher Angelo Phillips
f7ffcc534f
fix: stabilize cpe sorting during collection sort (#3009)
2024-07-09 14:24:21 -04:00
Laurent Goderre
b101f44aba
Map the downloadLocation field for PHP Composer packages (#3011)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-07-09 09:01:58 -07:00
anchore-actions-token-generator[bot]
04c861bf77
chore(deps): update CPE dictionary index (#3016)
2024-07-08 08:13:17 -04:00
Alex Goodman
573440b7cf
Infer the package type from ELF package notes (#3008)
* fix ELF package types to be honored

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* prefer OS packages over binary packages when there are duplicates

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-07-02 16:07:08 -04:00
anchore-actions-token-generator[bot]
7f3ca65cf6
chore(deps): update CPE dictionary index (#3002)
2024-07-01 15:02:15 -04:00
Danielle Featherstone
5283c4687a
feat: version 3 support for swift package manager of the resolved files (#3001)
Signed-off-by: Danielle Featherstone <dfeatherstone@fearless.tech>
2024-07-01 14:27:37 -04:00
Laurent Goderre
ceced5eb27
Add detection of Erlang in Alpine linux (#2996)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-06-25 14:40:40 -07:00
anchore-actions-token-generator[bot]
1eae9333a9
chore(deps): update CPE dictionary index (#2986)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
2024-06-24 08:27:29 -07:00
Keith Zantow
bd1c1d260c
fix: handle errors reading go licenses (#2985)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
2024-06-24 10:27:03 -04:00
Rajan Agaskar
ae0683074e
feat: update syft to generate cyclone-dx 1.6 by default (#2978)
- Resolves #2974
- add detailed instructions re: updating schemas (a necessary task
  when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not
  clear to me how this is used at this time (it may be redundant given
  other code), but effectively unless a specific spec version is
  configured, `syft` will emit the "most recent" spec version available
  for cyclonedx. Users who wish to pin back to an "older" specVersion
  (e.g. to preserve compatibility with utilities that have not yet bumped
  to latest) can either set this in a syft config file or pass a
  name@spec_version pair to the output flag (e.g. `-o
  cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`)
- Regenerate relevant .golden files (there seems to be a way to do this
  via flags, but I couldn't quite figure out the right set to pass
  correctly, esp. since (as a relative go novice) I found it difficult
  to run just a single test file. I ended up "brute-forcing it" by
  changing the *updateSnapshot val to "true" and running it in Goland.
  A brief comment giving an example of regenerating fixtures usage would
  be helpful.

Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
2024-06-21 08:51:27 -07:00
Laurent Goderre
7a35de04ee
fix: detection of arangodb 3.12 (#2979)
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
2024-06-20 11:11:03 -04:00
Christopher Angelo Phillips
22d5731482
fix: fix parsing for complex toml types (#2965)
* fix: fix parsing for complex toml types
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
2024-06-14 19:32:17 +00:00
Weston Steimel
d5cd5f6091
feat: index known CPEs for wordpress plugins and themes (#2963)
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2024-06-14 14:39:43 +01:00