add syft attest command to produce an attestation as application/vnd.in-toto+json to standard out using on disk PKI
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* ignore minor parsing error when reading dpkg status files
helps with https://github.com/anchore/syft/issues/733
Question: should we add a smarter parser to guess approximate installed-size
value?
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add datasize lib to help dpkg parsing
added unit tests to expand coverage of dpkg parsing
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* drop parse error
added unit tests to handleNewKeyValue
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* don't return parsing errors from dpkg
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test higher level functions
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* return parsing err to let cataloger handle it
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* ignore key parsing error
log warning with relevant context
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add context info to log lines
simpler error assertion
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use error.As to assert error in chain
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* bump golang crypto to resolve CVE-2020-29652
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update stereoscope
fetches latest fixes for UI
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use context when getting image
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use SYFT_LOG_FILE
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* enable debug logs when SYFT_LOG_FILE is set
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* set log.file and add tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test log file in temp directory
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add note on binding refactor
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove unused function
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* reduce parallelism of builds and increase install.sh test setup buffer
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change logging mechanism for signing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore automatic parallelism determination for goreleaser
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rm logging goreleaser version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use a port that is probably not in use
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* template cli test args
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor signing steps in release/snapshot workflows
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* show signing logs on snapshot or release failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update install.sh + tests to account for new goreleaser changes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli tests to account for new goreleaser build names
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix acceptance test to use new snapshot bin path
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add notarization
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix FilesByMIMEType tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* change expected mime types in unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test stereoscope fix
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove mod replace and use latest stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* [wip] get assets based on gh api
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put install.sh download_asset fn under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* put install.sh install_asset fn under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use zip for darwin installs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix install.sh negative test cases
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow errors to propagate in install.sh
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove exit on error from install.sh tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add more docs around install.sh helpers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add integration tests for install.sh
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add install.sh testing to pipeline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add install test cache to CI
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* make colors globally available
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test download against github release
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* always test release-based install against latest release
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use better install.sh test names
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add language detection from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add package type detection from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cargo and npm pURL support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix npm tests and linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [CycloneDX] Add artifactID and groupID to the cycloneDX properties
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* update comment
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* additional checks for value
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* fill group field with groupID in the case of Java
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* fix linter warning
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>