* Add failing test for strip version specifiers panic
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Fix test
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Prevent panic scenario in helper func
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Fix lint issue
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* add tests for apk stripVersionSpecifier() and remove caller empty value check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* binary cataloger should continue on errors
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test: add redirect for cmd stderr stdout
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: image update for test failure
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* normalize error handling and recover from panics while parsing binaries
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* moved the relevant fields to the Metadata field
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* added metadata types
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* Added hashes to metadata of packge-lock.json and Pipfile.lock
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* move package metadata types to "pkg" package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-generate json schema to include new npm, python, and binary metadatas
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* feat: prefer known CPE vendors over other candidates
All ASF projects will be under the `apache` vendor in CPE, and
indeed this is already one of the candidates, but the logic
for selecting the 'most specific' CPE string would select for
example `apache_software_foundation` or `commons-text`.
This is not necessarily 'wrong' in the CPE candidate selection
logic: there is no way to reliably determine the right candidate.
I think it makes sense to use specific data around the vendor
candidate generation, somewhat similar to
'defaultCandidateAdditions'.
Unfortunately there are still a few CVE's for old (pre-5.x,
long unsupported) tomcat versions that are actually tagged with
`apache_software_foundation`, but I'm not sure those are worth
spending time on.
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* chore: swap out array of vendors for set data structure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
The original fix b125ea83baa30dc981e82f4ddd384602f778f090 didn't catch
all the excessive warnings, it seems like getArches can also be called
on binaries that aren't neccessarily go binaries, so the messages from
this should also be Trace instead of Warn.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This PR adds support for npm lockfile version 3, which drops the
"dependencies" key and uses "packages" instead. I've refactored the
lockfile parser to make the distinction between the versions explicit
rather than the implicit behaviour before. It _might_ be worth splitting
into separate files at some point, but the logic is so minimal that I
haven't done it.
Fixes#1203
Signed-off-by: Rob Cresswell <robcresswell@users.noreply.github.com>
* Fix type of pull deps and add support for provides
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* [wip] apk dependency lookup
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update whitespace for linter
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* adjust test conditions
Signed-off-by: Timothy Gerla <tim@gerla.net>
* fix TODOs and improve Provides parser
* run simports after main merge
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add tests to cover apk relationship parsing cases
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* generate JSON schema for breaking changes to apk metadata
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests to account for additional dependencies
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] fix relationship encoding for cyclonedx
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify package relationships that can be expressed
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Timothy Gerla <tim@gerla.net>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Timothy Gerla <tim@gerla.net>
* remove centralize pURL generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port java cataloger to new generic cataloger pattern
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove common.GenericCataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update format test fixtures to reflect ID updates
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix package sort instability for encode-decode-encode cycles
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port swift cataloger to new generic cataloger pattern
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cocopods metadata to json schema defs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update json test fixture with latest schema version
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
