Skip to content

Commit 28ba28c

Browse files
committed
Fixing Merge Conflict in Transform.Go (vaibhav-rf#4)
* give install script uploader contents: read (anchore#3489) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Govulndb OSV transformer (anchore#3485) * govulndb osv Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * add fixed dates to govulndb osv transformer Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * enforce lowercase ids on cache Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update tool versions (anchore#3488) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3478) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat(scan): add support for a Zarf scan target (anchore#3366) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495) Otherwise we get false positives. Includes a matcher test to assert that Grype does not find withdrawn go vulns. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3487) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * test: add test fixtures for multi RHSA records from vunnel (anchore#3480) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: avoid panic on invalid RHEL version IDs (anchore#3490) Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> * chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503) Bumps the actions-minor-patch group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` | | [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` | Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `actions/checkout` from 6.0.2 to 6.0.3 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2 - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b3e328b...b0c30a8) Updates `github/codeql-action` from 4.36.0 to 4.36.2 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) Updates `anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@9de27be...39fe5f7) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.7.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * exclude linux-kbuild deb indirect matches by default (anchore#3506) Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> * Add OSV Model generator (anchore#3499) * Add OSV Model generator Previously, there was an OSV scanner repository that exported a models.Vulnerability struct we could use. That repository deprecated their exported models and the models in grype are falling behind. Therefore, add a generator target that generates our own models based on the latest v1 JSON scehma from the official OSV spec repository. In this way automation can PR new models in. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * less coupled generator Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * parse severity as singular and drop entry type Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Remove v1 from file names If we need a v2 model, we should have a package with v2 in the path so that both can be imported. v1 in a filename is just noise. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/anchore/go-make (anchore#3502) Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make). Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0 - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@v0.5.0...v0.6.0) --- updated-dependencies: - dependency-name: github.com/anchore/go-make dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(go-vulndb): merge in custom ranges when applicable (anchore#3514) * fix(go-vulndb): merge in custom ranges when applicable Go OSV data has the standard OSV ranges, but also has custom ranges. Packages that do non-standard go versioning, for example by pushing a tag that starts with v2.x.y but not adding a /v2 in their module path, get relegated to the custom ranges field. In other words, there is one affected range for "strictly go versioning compliant versions" and another set of ranges for "version control tags that are not perfectly compliant". Previously, Grype just ignore this second bucket of version ranges, resulting in a meaningful number of false positives. Fix this by, if custom ranges are present, stripping out unbounded (e.g. > 0) ranges from the regular ranges and then unioning the two range sets. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * cleanup: avoid double parsing ranges, clean up comments Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix up go vuln db transformer Includes using mapstructure to deserialize custom fields, and some readability refactors. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix: disable go stdlib CPE matching by default. (anchore#3517) Previously, because GHSA does not cover the go stdlib, in order to avoid false negatives on the go stdlib, CPE matching had to be used. However, grype now includes the Go Vuln DB data it its database, which does include the stdlib as if a regular go module, so this CPE fallback can be disabled by default, fixing many false positives. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518) Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/text` from 0.37.0 to 0.38.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](golang/text@v0.37.0...v0.38.0) Updates `golang.org/x/tools` from 0.45.0 to 0.46.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.45.0...v0.46.0) --- updated-dependencies: - dependency-name: golang.org/x/text dependency-version: 0.38.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch - dependency-name: golang.org/x/tools dependency-version: 0.46.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(hummingbird): mark hummingbird distro as rolling (anchore#3521) Previous hummingbird work incorrectly marked only the search side (data.go) as having a rolling label. Therefore also mark hummingbird as a rolling distro at database creation time. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525) Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: github.com/containerd/containerd/v2 dependency-version: 2.3.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522) Previously, lower and upper bounds on vulnerable windows would be ORed together if part of the range was reported in osv standard affected events and the other part was reported in OSV ecosystem-specific custom_ranges events. Fix the merge logic so that floors from the custom ranges have the correct effect. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(govulndb): only emit records for stdlib (anchore#3527) * fix(govulndb): only emit records for stdlib For third party go packages, go vuln db has some very strange version ranges, and this has caused a number of false positive reports. Additionally, for most of them, Grype currently reports both a GHSA and a GO record, resulting in user confusion. However, there is one key class of record available in the go vuln db that is not in GHSA: records affecting the go stdlib itself (that is, the core parts of the langage that are statically linked into every go binary). Therefore, for now, emit only records relating to the go stdlib. Future enhancements can pull in additional data related to third party go packages in go vuln db. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Clean up some additional test fixtures Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Update go-make to v0.8.0 (anchore#3528) Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * chore(units): account for changes in Syft and fix stale listing file (anchore#3532) Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534) These packages are not covered by GHSA and generally have well-formed versions, so emit them. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore(deps): update anchore dependencies (anchore#3498) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@df4cb1c...9c091bb) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): update quality gate database (anchore#3543) Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> * feat: populate package architecture for matching (anchore#3504) * feat: populate package architecture for matching Enable matchers to filter on architecture-specific vulnerabilities or fixes. There are basically three changes here: First, wire up the package collection creator to populate architecture on the packages when an image is scanned or an sbom is loaded in Grype. Second, wire up the architecture package qualifier so that if a vulnerability or fix specifies that it is only applicable to a particular architecture, the matchers will respect this, and third, in the RPM matcher, specify `arch=src` when synthesizing the upstream package to search by (rather than letting it inherit the binary package's architecture). The qualifier logic is like this: If either the package or the DB record has a blank architecture, the filtering is a noop. If the package has a specific architecture and the DB record has 'src', the package is qualified, because a disclosure or fix in a src RPM for example is assumed to affect things built from it. If the DB record and the package both have specific binary architectures, but they don't match, e.g. x86_64 != aarch64, the package is not qualified and filters out. Architecture qualifiers are canonicalized at match time so, for example, an RPM that has x86_64 architecture is a qualified package on a vuln that affects "amd64" processors (assuming distro and everything else line up). This canonicalization is probably more important for future expansion since a given distro will probably use the same architecture strings as their own package manager. Hummingbird also has a special "binary-no-arch-specified" architecture that means, "this is not a src RPM". That is so that in Hummingbird data, if we have a package that says, 'upstream=glibc' in its PURL, and we have a glibc vuln against the binary but not the src RPM, we can fitler out this false positive. If a DB record has 'binary-no-arch-specified' as its architecture, any package that has any non-src architecture (or a blank architecture) is qualified, but src architecture is not. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Make architecture aliases data driven Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * handle noarch / all arch Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * Wire up end-to-end architecture specific matching for OL OracleLinux had some existing false positives where the x86_64 package was fixed in an earlier version of the RPM than the aarch64 version, resulting in false positives when Grype checked against the aarch64 version. Add a dbtest for this scenario and update the RPM matcher and OS transformer to fix this case. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * move setting src arch on upstream to helper Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * exhaustive tests for package arch qualifier Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * fix(zarf): swap warn messages for debug (anchore#3545) Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> * chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547) Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548) Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/anchore/workflows/releases) - [Commits](anchore/workflows@b0c30a8...7212994) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550) Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0. - [Release notes](https://github.com/golang/tools/releases) - [Commits](golang/tools@v0.46.0...v0.47.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.47.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556) Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555) Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0. - [Release notes](https://github.com/anchore/go-make/releases) - [Commits](anchore/go-make@39fe5f7...430e217) --- updated-dependencies: - dependency-name: anchore/go-make/.github/actions/setup dependency-version: 0.8.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558) Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@27d5ce7...55cc834) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557) Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2. - [Release notes](https://github.com/go-gorm/gorm/releases) - [Commits](go-gorm/gorm@v1.31.1...v1.31.2) --- updated-dependencies: - dependency-name: gorm.io/gorm dependency-version: 1.31.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com> Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com> Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com> Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com> Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com> Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com>
1 parent d7ff0ed commit 28ba28c

101 files changed

Lines changed: 5048 additions & 557 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.binny.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ tools:
77
# used for integration tests
88
- name: skopeo
99
version:
10-
want: v1.22.2
10+
want: v1.23.0
1111
method: go-install
1212
with:
1313
module: github.com/containers/skopeo

.github/actions/bootstrap/action.yaml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ inputs:
2929
runs:
3030
using: "composite"
3131
steps:
32-
- uses: anchore/go-make/.github/actions/setup@9de27be11ed73e2f9d5406a836a492b7d8aa1225 # v0.5.0
32+
- uses: anchore/go-make/.github/actions/setup@430e2175bb166bfd138ef75466adbcc8ddab875f # v0.8.0
3333
with:
3434
go-version: ${{ inputs.go-version }}
3535
cache-key-prefix: ${{ inputs.cache-key-prefix }}
@@ -51,7 +51,7 @@ runs:
5151
# restore-only on non-default branches and forks to prevent untrusted runs from polluting the cache
5252
- name: Restore test fixture cache
5353
id: test-fixture-cache-restore
54-
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
54+
uses: actions/cache/restore@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
5555
if: ${{ inputs.cache-test-fixtures == 'true' && (github.ref != format('refs/heads/{0}', github.event.repository.default_branch) || github.event.repository.fork == true) }}
5656
with:
5757
path: |
@@ -63,7 +63,7 @@ runs:
6363
# read+write only on the default branch of the upstream repo
6464
- name: Restore and save test fixture cache
6565
id: test-fixture-cache
66-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
66+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
6767
if: ${{ inputs.cache-test-fixtures == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && github.event.repository.fork == false }}
6868
with:
6969
path: |

.github/dependabot.yaml

Lines changed: 0 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,4 @@
11
# Dependabot configuration
2-
#
3-
# Grouping behavior (see inline comments for details):
4-
# - Minor + patch updates: grouped into a single PR per ecosystem
5-
# - Major version bumps: individual PR per dependency
6-
# - Security updates: individual PR per dependency
7-
#
8-
# Note: "patch" refers to semver version bumps (1.2.3 -> 1.2.4), not security fixes.
9-
# Security updates are identified separately via GitHub's Advisory Database and
10-
# can be any version bump (patch, minor, or major) that fixes a known CVE.
112

123
version: 2
134

@@ -30,14 +21,6 @@ updates:
3021
- dependency-name: "github.com/aquasecurity/go-version"
3122
- dependency-name: "github.com/knqyf263/go-apk-version"
3223
- dependency-name: "github.com/knqyf263/go-deb-version"
33-
groups:
34-
go-minor-patch:
35-
applies-to: version-updates # security updates get individual PRs
36-
patterns:
37-
- "*"
38-
update-types: # major omitted, gets individual PRs
39-
- "minor"
40-
- "patch"
4124

4225
- package-ecosystem: "github-actions"
4326
directories:
@@ -51,11 +34,3 @@ updates:
5134
open-pull-requests-limit: 10
5235
labels:
5336
- "dependencies"
54-
groups:
55-
actions-minor-patch:
56-
applies-to: version-updates # security updates get individual PRs
57-
patterns:
58-
- "*"
59-
update-types: # major omitted, gets individual PRs
60-
- "minor"
61-
- "patch"

.github/workflows/codeql.yaml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ permissions: {}
1313
jobs:
1414
analyze:
1515
name: Analyze
16-
uses: anchore/workflows/.github/workflows/codeql.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
16+
uses: anchore/workflows/.github/workflows/codeql.yaml@7212994dc8fc3a53fe9c8e766ab5b4ddd16ea3d4 # v0.8.0
1717
permissions:
1818
security-events: write
1919
packages: read

.github/workflows/release.yaml

Lines changed: 22 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -13,20 +13,26 @@ on:
1313
version:
1414
description: tag the latest commit on main with the given version (prefixed with v)
1515
required: true
16+
skip-checks:
17+
description: skip the check-gate (release even if checks haven't passed on main)
18+
type: boolean
19+
default: false
20+
required: false
1621

1722
jobs:
1823
version-available:
1924
permissions:
2025
contents: read # for the most recent tags
21-
uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
26+
uses: anchore/workflows/.github/workflows/check-version-available.yaml@7212994dc8fc3a53fe9c8e766ab5b4ddd16ea3d4 # v0.8.0
2227
with:
2328
version: ${{ github.event.inputs.version }}
2429

2530
check-gate:
31+
if: ${{ !inputs.skip-checks }}
2632
permissions:
2733
contents: read
2834
checks: read # required for getting the status of specific check names
29-
uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
35+
uses: anchore/workflows/.github/workflows/check-gate.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
3036
with:
3137
# these are checks that should be run on pull-request and merges to main.
3238
# we do NOT want to kick off a release if these have not been verified on main.
@@ -39,14 +45,22 @@ jobs:
3945
# not all actions are guaranteed to be idempotent.
4046
release:
4147
needs: [check-gate, version-available]
48+
# run even when check-gate is skipped, but never when version-available
49+
# failed/was skipped, nor when check-gate failed or was cancelled. note:
50+
# always() disables the implicit success() gate on ALL needs, so the
51+
# version-available requirement must be re-asserted explicitly here.
52+
if: >-
53+
${{ always()
54+
&& needs.version-available.result == 'success'
55+
&& !contains(fromJSON('["failure", "cancelled"]'), needs.check-gate.result) }}
4256
environment: release
4357
runs-on: ubuntu-24.04
4458
permissions:
4559
contents: write
4660
packages: write
4761
id-token: write
4862
steps:
49-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
63+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
5064
with:
5165
fetch-depth: 0
5266
persist-credentials: true
@@ -73,8 +87,8 @@ jobs:
7387
- name: Build & publish release artifacts
7488
run: make ci-release
7589
env:
76-
# for pushing tags (requires write access to content, but not packages)
77-
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
90+
# for pushing tags (does not inherit workflow permissions)
91+
TAG_TOKEN: ${{ secrets.TAG_TOKEN }}
7892
RELEASE_VERSION: ${{ github.event.inputs.version }}
7993
# for mac signing and notarization...
8094
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
@@ -95,7 +109,9 @@ jobs:
95109
release-install-script:
96110
needs: [release]
97111
if: ${{ needs.release.result == 'success' }}
98-
uses: anchore/workflows/.github/workflows/release-install-script.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
112+
permissions:
113+
contents: read
114+
uses: anchore/workflows/.github/workflows/release-install-script.yaml@b0c30a80409130d329aaa356fd64a34d8c0b3375 # v0.7.2
99115
with:
100116
tag: ${{ github.event.inputs.version }}
101117
secrets:

.github/workflows/scorecards.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ jobs:
2626

2727
steps:
2828
- name: "Checkout code"
29-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
29+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3030
with:
3131
persist-credentials: false
3232

@@ -44,6 +44,6 @@ jobs:
4444

4545
# Upload the results to GitHub's code scanning dashboard.
4646
- name: "Upload to code-scanning"
47-
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
47+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
4848
with:
4949
sarif_file: results.sarif

.github/workflows/validate-github-actions.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,12 @@ jobs:
2020
contents: read
2121
security-events: write # for uploading SARIF results
2222
steps:
23-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
23+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2424
with:
2525
persist-credentials: false
2626

2727
- name: "Run zizmor"
28-
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
28+
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
2929
with:
3030
# there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
3131
advanced-security: true

.github/workflows/validations.yaml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ jobs:
1717
permissions:
1818
contents: read
1919
steps:
20-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
20+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2121
with:
2222
persist-credentials: false
2323

@@ -34,7 +34,7 @@ jobs:
3434
permissions:
3535
contents: read
3636
steps:
37-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
37+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3838
with:
3939
persist-credentials: false
4040

@@ -53,7 +53,7 @@ jobs:
5353
permissions:
5454
contents: read
5555
steps:
56-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
56+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
5757
with:
5858
submodules: true
5959
persist-credentials: false
@@ -114,7 +114,7 @@ jobs:
114114
permissions:
115115
contents: read
116116
steps:
117-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
117+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
118118
with:
119119
persist-credentials: false
120120

@@ -124,7 +124,7 @@ jobs:
124124
cache-test-fixtures: true
125125

126126
- name: Restore integration test cache
127-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5
127+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 #v6.1.0
128128
with:
129129
path: ${{ github.workspace }}/test/integration/testdata/cache
130130
key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/testdata/cache.fingerprint') }}
@@ -138,7 +138,7 @@ jobs:
138138
permissions:
139139
contents: read
140140
steps:
141-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
141+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
142142
with:
143143
persist-credentials: false
144144

@@ -171,7 +171,7 @@ jobs:
171171
permissions:
172172
contents: read
173173
steps:
174-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
174+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
175175
with:
176176
persist-credentials: false
177177

@@ -193,7 +193,7 @@ jobs:
193193

194194
- name: Restore install.sh test image cache
195195
id: install-test-image-cache
196-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5
196+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 #v6.1.0
197197
with:
198198
path: ${{ github.workspace }}/test/install/cache
199199
key: ${{ runner.os }}-install-test-image-cache-${{ hashFiles('test/install/cache.fingerprint') }}
@@ -220,7 +220,7 @@ jobs:
220220
- name: Install Cosign
221221
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 #v4.1.2
222222

223-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
223+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
224224
with:
225225
persist-credentials: false
226226

@@ -242,7 +242,7 @@ jobs:
242242

243243
- name: Restore docker image cache for compare testing
244244
id: mac-compare-testing-cache
245-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5
245+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 #v6.1.0
246246
with:
247247
path: image.tar
248248
key: ${{ runner.os }}-${{ hashFiles('test/compare/mac.sh') }}
@@ -259,7 +259,7 @@ jobs:
259259
permissions:
260260
contents: read
261261
steps:
262-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
262+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
263263
with:
264264
persist-credentials: false
265265

@@ -269,7 +269,7 @@ jobs:
269269
cache-test-fixtures: true
270270

271271
- name: Restore CLI test-fixture cache
272-
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae #v5.0.5
272+
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 #v6.1.0
273273
with:
274274
path: ${{ github.workspace }}/test/cli/testdata/cache
275275
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/testdata/cache.fingerprint') }}

.github/zizmor.yml

Lines changed: 1 addition & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1 @@
1-
rules:
2-
unpinned-uses:
3-
config:
4-
policies:
5-
# anchore/workflows is an internal repository; using @main is acceptable
6-
anchore/*: any
1+
rules: {}

.golangci.yaml

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -86,8 +86,15 @@ issues:
8686

8787
formatters:
8888
enable:
89+
- gci
8990
- gofmt
90-
- goimports
91+
settings:
92+
gci:
93+
# See https://golangci-lint.run/docs/formatters/configuration/#gci
94+
sections:
95+
- standard # Standard section: captures all standard packages.
96+
- default # Default section: contains all imports that could not be matched to another section type.
97+
- prefix(github.com/anchore)
9198
exclusions:
9299
generated: lax
93100
paths:

0 commit comments

Comments
 (0)