- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closesanchore/grype#1246Closesanchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* fix: only cache java packages and not source content
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: add gradle to matched files for ci checksum
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Create consul binary classifier
Closes#1590
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* Create test for consul binary classifier
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* Update version for consul. Add note that about consul version matcher is brittle
Signed-off-by: Shane Dell <shanedell100@gmail.com>
---------
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* pin kernel and modules version for kernel fixtures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cache kernel fixtures in CI
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test image with pinned kernel deps
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update the kernel version found in integration tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add evident-by relationship
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up evident-by relationship geneation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* handle evident-by relationship in spdx formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix decoding file info for syft json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump json schema to incorporate file size attribute
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor to create relationships for primary evidence only
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove unused 7.0.2 json schema
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add kernel handler
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* [wip] combine kernel and kernel module cataloging
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] combine kernel and kernel module cataloging
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* rename Kernel package to LinuxKernel package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split kernel and module packages within cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up application configuration with kernel cataloger options
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* dont use references for packages on relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting and tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* kernel cataloger should be resistent to partial failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* log upon kernel module metadata missing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests for linux kernel cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update integration tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli package test counts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add evidence annotations for kernel packages
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* reduce noise in cli test output
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* missed cli test to reduce noise for
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix package counts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update docs with linux kernel cataloging refs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump json schema with new metadata fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
- Update README.md to show that nar is now supported.
- Created a java-archives/example.nar so that the tests wouldn't break.
- Add nar glob and as an option for pkgType.
Closes#1701
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Update the license_list.go to have more permissible inputs for greater SPDXID matching.
EX:
GPL3 gpl3 gpl-3 and GPL-3 can all map to GPL-3.0-only
By moving all strings to lower and removing the "-" we're able to return valid SPDX license ID for a greater diversity of input strings.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add argocd, helm, kustomize and kubectl binary classifiers
* update golang PURL
* address PR faceback about binary/test-fixtures/Makefile
* remove the /v[n] suffix from the PURL in both argocd and helm
---------
Signed-off-by: y12studio <y12studio@gmail.com>
Adding APK OriginPackage CPE candidates to the child package
results in false positives in grype because it can't associate
CPE-based findings to the corresponding OriginPackage APK fixes.
This reverts changing the `upstream` in the PURL for APK packages
as the logic in Grype that uses it expects it to be an APK package
name. This also allows refactoring to unexport and move the APK
CPE candidate generation logic closer to where CPE generation occurs
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
This fixes some instances where the improved APK CPE generation
logic caused regressions for older alpine package APK metadata.
It now generates multiple "upstream" candidates with both name
and package type which reduces the amount of duplicated code in
the apk cpe gen logic. This also improves the handling of stream
version packages, so now we can correctly identify packages such
as ruby3.2-rexml as the rexml ruby gem.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
