Commit 28ba28c
committed
Fixing Merge Conflict in Transform.Go (vaibhav-rf#4)
* give install script uploader contents: read (anchore#3489)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Govulndb OSV transformer (anchore#3485)
* govulndb osv
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* add fixed dates to govulndb osv transformer
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* enforce lowercase ids on cache
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore(deps): update tool versions (anchore#3488)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore(deps): update quality gate database (anchore#3478)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* feat(scan): add support for a Zarf scan target (anchore#3366)
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
* fix: respect withdrawn status of Go Vuln DB OSV records (anchore#3495)
Otherwise we get false positives. Includes a matcher test to assert that
Grype does not find withdrawn go vulns.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore(deps): update anchore dependencies (anchore#3487)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* test: add test fixtures for multi RHSA records from vunnel (anchore#3480)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix: avoid panic on invalid RHEL version IDs (anchore#3490)
Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>
* chore(deps): bump the actions-minor-patch group across 2 directories with 7 updates (anchore#3503)
Bumps the actions-minor-patch group with 6 updates in the / directory:
| Package | From | To |
| --- | --- | --- |
| [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `6.0.3` |
| [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows) | `0.7.0` | `0.7.2` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |
Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [anchore/go-make](https://github.com/anchore/go-make).
Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)
Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)
Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)
Updates `actions/checkout` from 6.0.2 to 6.0.3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...df4cb1c)
Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.7.0 to 0.7.2
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b3e328b...b0c30a8)
Updates `github/codeql-action` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@7211b7c...8aad20d)
Updates `anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@9de27be...39fe5f7)
---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
dependency-version: 0.7.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
dependency-version: 0.7.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/check-gate.yaml
dependency-version: 0.7.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: actions/checkout
dependency-version: 6.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml
dependency-version: 0.7.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: github/codeql-action
dependency-version: 4.36.2
dependency-type: direct:production
update-type: version-update:semver-patch
dependency-group: actions-minor-patch
- dependency-name: anchore/go-make
dependency-version: 0.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: actions-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* exclude linux-kbuild deb indirect matches by default (anchore#3506)
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
* Add OSV Model generator (anchore#3499)
* Add OSV Model generator
Previously, there was an OSV scanner repository that exported a
models.Vulnerability struct we could use. That repository deprecated
their exported models and the models in grype are falling behind.
Therefore, add a generator target that generates our own models based on
the latest v1 JSON scehma from the official OSV spec repository. In this
way automation can PR new models in.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* less coupled generator
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* parse severity as singular and drop entry type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Remove v1 from file names
If we need a v2 model, we should have a package with v2 in the path so
that both can be imported. v1 in a filename is just noise.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): bump github.com/anchore/go-make (anchore#3502)
Bumps the go-minor-patch group with 1 update in the /.make directory: [github.com/anchore/go-make](https://github.com/anchore/go-make).
Updates `github.com/anchore/go-make` from 0.5.0 to 0.6.0
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@v0.5.0...v0.6.0)
---
updated-dependencies:
- dependency-name: github.com/anchore/go-make
dependency-version: 0.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(go-vulndb): merge in custom ranges when applicable (anchore#3514)
* fix(go-vulndb): merge in custom ranges when applicable
Go OSV data has the standard OSV ranges, but also has custom ranges.
Packages that do non-standard go versioning, for example by pushing a
tag that starts with v2.x.y but not adding a /v2 in their module path,
get relegated to the custom ranges field. In other words, there is one
affected range for "strictly go versioning compliant versions" and
another set of ranges for "version control tags that are not perfectly
compliant".
Previously, Grype just ignore this second bucket of version ranges,
resulting in a meaningful number of false positives. Fix this by, if
custom ranges are present, stripping out unbounded (e.g. > 0) ranges
from the regular ranges and then unioning the two range sets.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* cleanup: avoid double parsing ranges, clean up comments
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix up go vuln db transformer
Includes using mapstructure to deserialize custom fields, and some
readability refactors.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix: disable go stdlib CPE matching by default. (anchore#3517)
Previously, because GHSA does not cover the go stdlib, in order to avoid
false negatives on the go stdlib, CPE matching had to be used. However,
grype now includes the Go Vuln DB data it its database, which does
include the stdlib as if a regular go module, so this CPE fallback can
be disabled by default, fixing many false positives.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore(deps): bump the go-minor-patch group across 1 directory with 2 updates (anchore#3518)
Bumps the go-minor-patch group with 2 updates in the / directory: [golang.org/x/text](https://github.com/golang/text) and [golang.org/x/tools](https://github.com/golang/tools).
Updates `golang.org/x/text` from 0.37.0 to 0.38.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.37.0...v0.38.0)
Updates `golang.org/x/tools` from 0.45.0 to 0.46.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.45.0...v0.46.0)
---
updated-dependencies:
- dependency-name: golang.org/x/text
dependency-version: 0.38.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
- dependency-name: golang.org/x/tools
dependency-version: 0.46.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: go-minor-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(hummingbird): mark hummingbird distro as rolling (anchore#3521)
Previous hummingbird work incorrectly marked only the search side
(data.go) as having a rolling label. Therefore also mark hummingbird as
a rolling distro at database creation time.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* refactor release pipeline: TAG_TOKEN, skip-checks gate, go-make bump, dependabot/zizmor/gci cleanup (anchore#3524)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(deps): bump github.com/containerd/containerd/v2 (anchore#3525)
Bumps [github.com/containerd/containerd/v2](https://github.com/containerd/containerd) from 2.3.1 to 2.3.2.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v2.3.1...v2.3.2)
---
updated-dependencies:
- dependency-name: github.com/containerd/containerd/v2
dependency-version: 2.3.2
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(govulndb): mix floors from custom ranges as appropriate (anchore#3522)
Previously, lower and upper bounds on vulnerable windows would be ORed
together if part of the range was reported in osv standard affected
events and the other part was reported in OSV ecosystem-specific
custom_ranges events. Fix the merge logic so that floors from the custom
ranges have the correct effect.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix(govulndb): only emit records for stdlib (anchore#3527)
* fix(govulndb): only emit records for stdlib
For third party go packages, go vuln db has some very strange version
ranges, and this has caused a number of false positive reports.
Additionally, for most of them, Grype currently reports both a GHSA and
a GO record, resulting in user confusion.
However, there is one key class of record available in the go vuln db
that is not in GHSA: records affecting the go stdlib itself (that is,
the core parts of the langage that are statically linked into every go
binary).
Therefore, for now, emit only records relating to the go stdlib. Future
enhancements can pull in additional data related to third party go
packages in go vuln db.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Clean up some additional test fixtures
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Update go-make to v0.8.0 (anchore#3528)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore(units): account for changes in Syft and fix stale listing file (anchore#3532)
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* feat(govulndb): emit golang.org/x/net vulns from govlundb (anchore#3534)
These packages are not covered by GHSA and generally have well-formed
versions, so emit them.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore(deps): update anchore dependencies (anchore#3498)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* chore(deps): bump actions/checkout from 6.0.3 to 7.0.0 (anchore#3535)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.3 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@df4cb1c...9c091bb)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 7.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): update quality gate database (anchore#3543)
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
* feat: populate package architecture for matching (anchore#3504)
* feat: populate package architecture for matching
Enable matchers to filter on architecture-specific vulnerabilities or
fixes.
There are basically three changes here: First, wire up the package
collection creator to populate architecture on the packages when an
image is scanned or an sbom is loaded in Grype. Second, wire up the
architecture package qualifier so that if a vulnerability or fix
specifies that it is only applicable to a particular architecture, the
matchers will respect this, and third, in the RPM matcher, specify
`arch=src` when synthesizing the upstream package to search by (rather
than letting it inherit the binary package's architecture).
The qualifier logic is like this: If either the package or the DB record
has a blank architecture, the filtering is a noop. If the package has a
specific architecture and the DB record has 'src', the package is
qualified, because a disclosure or fix in a src RPM for example is
assumed to affect things built from it. If the DB record and the package
both have specific binary architectures, but they don't match, e.g.
x86_64 != aarch64, the package is not qualified and filters out.
Architecture qualifiers are canonicalized at match time so, for example,
an RPM that has x86_64 architecture is a qualified package on a vuln
that affects "amd64" processors (assuming distro and everything else
line up). This canonicalization is probably more important for future
expansion since a given distro will probably use the same architecture
strings as their own package manager.
Hummingbird also has a special "binary-no-arch-specified" architecture
that means, "this is not a src RPM". That is so that in Hummingbird
data, if we have a package that says, 'upstream=glibc' in its PURL, and
we have a glibc vuln against the binary but not the src RPM, we can
fitler out this false positive. If a DB record has
'binary-no-arch-specified' as its architecture, any package that has any
non-src architecture (or a blank architecture) is qualified, but src
architecture is not.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Make architecture aliases data driven
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* handle noarch / all arch
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Wire up end-to-end architecture specific matching for OL
OracleLinux had some existing false positives where the x86_64 package
was fixed in an earlier version of the RPM than the aarch64 version,
resulting in false positives when Grype checked against the aarch64
version. Add a dbtest for this scenario and update the RPM matcher and
OS transformer to fix this case.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* move setting src arch on upstream to helper
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* exhaustive tests for package arch qualifier
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* fix(zarf): swap warn messages for debug (anchore#3545)
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
* chore(deps): bump anchore/workflows/.github/workflows/check-version-available.yaml (anchore#3547)
Bumps [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)
---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml
dependency-version: 0.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump zizmorcore/zizmor-action from 0.5.6 to 0.5.7 (anchore#3549)
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.6 to 0.5.7.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@5f14fd0...192e21d)
---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
dependency-version: 0.5.7
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump anchore/workflows/.github/workflows/codeql.yaml (anchore#3548)
Bumps [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows) from 0.7.2 to 0.8.0.
- [Release notes](https://github.com/anchore/workflows/releases)
- [Commits](anchore/workflows@b0c30a8...7212994)
---
updated-dependencies:
- dependency-name: anchore/workflows/.github/workflows/codeql.yaml
dependency-version: 0.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump golang.org/x/tools from 0.46.0 to 0.47.0 (anchore#3550)
Bumps [golang.org/x/tools](https://github.com/golang/tools) from 0.46.0 to 0.47.0.
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](golang/tools@v0.46.0...v0.47.0)
---
updated-dependencies:
- dependency-name: golang.org/x/tools
dependency-version: 0.47.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump actions/cache/restore in /.github/actions/bootstrap (anchore#3556)
Bumps [actions/cache/restore](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)
---
updated-dependencies:
- dependency-name: actions/cache/restore
dependency-version: 6.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump actions/cache from 5.0.5 to 6.1.0 (anchore#3551)
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 6.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump anchore/go-make/.github/actions/setup (anchore#3555)
Bumps [anchore/go-make/.github/actions/setup](https://github.com/anchore/go-make) from 0.6.0 to 0.8.0.
- [Release notes](https://github.com/anchore/go-make/releases)
- [Commits](anchore/go-make@39fe5f7...430e217)
---
updated-dependencies:
- dependency-name: anchore/go-make/.github/actions/setup
dependency-version: 0.8.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump actions/cache in /.github/actions/bootstrap (anchore#3558)
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.5 to 6.1.0.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 6.1.0
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* chore(deps): bump gorm.io/gorm from 1.31.1 to 1.31.2 (anchore#3557)
Bumps [gorm.io/gorm](https://github.com/go-gorm/gorm) from 1.31.1 to 1.31.2.
- [Release notes](https://github.com/go-gorm/gorm/releases)
- [Commits](go-gorm/gorm@v1.31.1...v1.31.2)
---
updated-dependencies:
- dependency-name: gorm.io/gorm
dependency-version: 1.31.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Signed-off-by: Brandt Keller <brandt.keller@defenseunicorns.com>
Signed-off-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@anchore.com>
Co-authored-by: anchore-oss-update-bot <anchore-oss-update-bot@users.noreply.github.com>
Co-authored-by: Brandt Keller <43887158+brandtkeller@users.noreply.github.com>
Co-authored-by: Jeremy Spilman <jeremy.spilman@anchore.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Weston Steimel <author@code.w.steimel.me.uk>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Janit Lodha <janit.lodha@rapidfort.com>1 parent d7ff0ed commit 28ba28c
101 files changed
Lines changed: 5048 additions & 557 deletions
File tree
- .github
- actions/bootstrap
- workflows
- .make
- cmd/grype/cli
- commands
- options
- grype
- db
- internal/provider/unmarshal
- osvmodel
- generate
- provider
- v6
- build
- transformers
- csafvex
- osv
- testdata
- os
- distro
- internal/packagemetadata
- matcher
- golang
- testdata/govulndb-go
- govulndb
- results
- internal
- rpm
- testdata
- oracle
- oracle
- results/ol@7
- rhel-multi-rhsa
- rhel
- results/rhel@9
- pkg
- qualifier/architecture
- presenter
- cyclonedx/testdata/snapshot
- internal
- json/testdata/snapshot
- models
- internal/dbtest
- test/quality
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
10 | | - | |
| 10 | + | |
11 | 11 | | |
12 | 12 | | |
13 | 13 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
32 | | - | |
| 32 | + | |
33 | 33 | | |
34 | 34 | | |
35 | 35 | | |
| |||
51 | 51 | | |
52 | 52 | | |
53 | 53 | | |
54 | | - | |
| 54 | + | |
55 | 55 | | |
56 | 56 | | |
57 | 57 | | |
| |||
63 | 63 | | |
64 | 64 | | |
65 | 65 | | |
66 | | - | |
| 66 | + | |
67 | 67 | | |
68 | 68 | | |
69 | 69 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | | - | |
3 | | - | |
4 | | - | |
5 | | - | |
6 | | - | |
7 | | - | |
8 | | - | |
9 | | - | |
10 | | - | |
11 | 2 | | |
12 | 3 | | |
13 | 4 | | |
| |||
30 | 21 | | |
31 | 22 | | |
32 | 23 | | |
33 | | - | |
34 | | - | |
35 | | - | |
36 | | - | |
37 | | - | |
38 | | - | |
39 | | - | |
40 | | - | |
41 | 24 | | |
42 | 25 | | |
43 | 26 | | |
| |||
51 | 34 | | |
52 | 35 | | |
53 | 36 | | |
54 | | - | |
55 | | - | |
56 | | - | |
57 | | - | |
58 | | - | |
59 | | - | |
60 | | - | |
61 | | - | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
16 | | - | |
| 16 | + | |
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
13 | 13 | | |
14 | 14 | | |
15 | 15 | | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
16 | 21 | | |
17 | 22 | | |
18 | 23 | | |
19 | 24 | | |
20 | 25 | | |
21 | | - | |
| 26 | + | |
22 | 27 | | |
23 | 28 | | |
24 | 29 | | |
25 | 30 | | |
| 31 | + | |
26 | 32 | | |
27 | 33 | | |
28 | 34 | | |
29 | | - | |
| 35 | + | |
30 | 36 | | |
31 | 37 | | |
32 | 38 | | |
| |||
39 | 45 | | |
40 | 46 | | |
41 | 47 | | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
42 | 56 | | |
43 | 57 | | |
44 | 58 | | |
45 | 59 | | |
46 | 60 | | |
47 | 61 | | |
48 | 62 | | |
49 | | - | |
| 63 | + | |
50 | 64 | | |
51 | 65 | | |
52 | 66 | | |
| |||
73 | 87 | | |
74 | 88 | | |
75 | 89 | | |
76 | | - | |
77 | | - | |
| 90 | + | |
| 91 | + | |
78 | 92 | | |
79 | 93 | | |
80 | 94 | | |
| |||
95 | 109 | | |
96 | 110 | | |
97 | 111 | | |
98 | | - | |
| 112 | + | |
| 113 | + | |
| 114 | + | |
99 | 115 | | |
100 | 116 | | |
101 | 117 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
| 29 | + | |
30 | 30 | | |
31 | 31 | | |
32 | 32 | | |
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
48 | 48 | | |
49 | 49 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
20 | 20 | | |
21 | 21 | | |
22 | 22 | | |
23 | | - | |
| 23 | + | |
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
| 28 | + | |
29 | 29 | | |
30 | 30 | | |
31 | 31 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
20 | | - | |
| 20 | + | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| |||
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
37 | | - | |
| 37 | + | |
38 | 38 | | |
39 | 39 | | |
40 | 40 | | |
| |||
53 | 53 | | |
54 | 54 | | |
55 | 55 | | |
56 | | - | |
| 56 | + | |
57 | 57 | | |
58 | 58 | | |
59 | 59 | | |
| |||
114 | 114 | | |
115 | 115 | | |
116 | 116 | | |
117 | | - | |
| 117 | + | |
118 | 118 | | |
119 | 119 | | |
120 | 120 | | |
| |||
124 | 124 | | |
125 | 125 | | |
126 | 126 | | |
127 | | - | |
| 127 | + | |
128 | 128 | | |
129 | 129 | | |
130 | 130 | | |
| |||
138 | 138 | | |
139 | 139 | | |
140 | 140 | | |
141 | | - | |
| 141 | + | |
142 | 142 | | |
143 | 143 | | |
144 | 144 | | |
| |||
171 | 171 | | |
172 | 172 | | |
173 | 173 | | |
174 | | - | |
| 174 | + | |
175 | 175 | | |
176 | 176 | | |
177 | 177 | | |
| |||
193 | 193 | | |
194 | 194 | | |
195 | 195 | | |
196 | | - | |
| 196 | + | |
197 | 197 | | |
198 | 198 | | |
199 | 199 | | |
| |||
220 | 220 | | |
221 | 221 | | |
222 | 222 | | |
223 | | - | |
| 223 | + | |
224 | 224 | | |
225 | 225 | | |
226 | 226 | | |
| |||
242 | 242 | | |
243 | 243 | | |
244 | 244 | | |
245 | | - | |
| 245 | + | |
246 | 246 | | |
247 | 247 | | |
248 | 248 | | |
| |||
259 | 259 | | |
260 | 260 | | |
261 | 261 | | |
262 | | - | |
| 262 | + | |
263 | 263 | | |
264 | 264 | | |
265 | 265 | | |
| |||
269 | 269 | | |
270 | 270 | | |
271 | 271 | | |
272 | | - | |
| 272 | + | |
273 | 273 | | |
274 | 274 | | |
275 | 275 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
2 | | - | |
3 | | - | |
4 | | - | |
5 | | - | |
6 | | - | |
| 1 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
86 | 86 | | |
87 | 87 | | |
88 | 88 | | |
| 89 | + | |
89 | 90 | | |
90 | | - | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
91 | 98 | | |
92 | 99 | | |
93 | 100 | | |
| |||
0 commit comments