Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grype for openSUSE:Factory checked in at 2022-07-19 17:19:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grype (Old) and /work/SRC/openSUSE:Factory/.grype.new.1523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grype" Tue Jul 19 17:19:52 2022 rev:6 rq:990096 version:0.43.0 Changes: -------- --- /work/SRC/openSUSE:Factory/grype/grype.changes 2022-07-18 18:34:02.621766556 +0200 +++ /work/SRC/openSUSE:Factory/.grype.new.1523/grype.changes 2022-07-19 17:20:26.112452488 +0200 @@ -1,0 +2,9 @@ +Tue Jul 19 08:19:48 UTC 2022 - ka...@b1-systems.de + +- Update to version 0.43.0: + * Add new matcher files for golang => remove main module FP matches (#829) + * Fix a cyclonedxvex typo and fix the schema document from (#830) + * feat: add --only-notfixed flag (#828) + * add DBCloser. Clients can aviod db connection leak if vulnerability db is loaded many times (#825) + +------------------------------------------------------------------- Old: ---- grype-0.42.0.tar.gz New: ---- grype-0.43.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grype.spec ++++++ --- /var/tmp/diff_new_pack.ZvmSfX/_old 2022-07-19 17:20:27.492454327 +0200 +++ /var/tmp/diff_new_pack.ZvmSfX/_new 2022-07-19 17:20:27.496454333 +0200 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: grype -Version: 0.42.0 +Version: 0.43.0 Release: 0 Summary: A vulnerability scanner for container images and filesystems License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ZvmSfX/_old 2022-07-19 17:20:27.528454376 +0200 +++ /var/tmp/diff_new_pack.ZvmSfX/_new 2022-07-19 17:20:27.528454376 +0200 @@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/grype</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.42.0</param> + <param name="revision">v0.43.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> 
@@ -17,7 +17,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">grype-0.42.0.tar.gz</param> + <param name="archive">grype-0.43.0.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ZvmSfX/_old 2022-07-19 17:20:27.548454402 +0200 +++ /var/tmp/diff_new_pack.ZvmSfX/_new 2022-07-19 17:20:27.552454408 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/grype</param> - <param name="changesrevision">cb6bddfeeb2273a43328653d1c2a5887d58d3b3e</param></service></servicedata> + <param name="changesrevision">addbd07b4f8cbfea283e10ffbd30e4cc6bfbfc0a</param></service></servicedata> (No newline at EOF) ++++++ grype-0.42.0.tar.gz -> grype-0.43.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/README.md new/grype-0.43.0/README.md --- old/grype-0.42.0/README.md 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/README.md 2022-07-18 19:14:03.000000000 +0200 
@@ -364,6 +364,8 @@ apk-tools 2.10.6-r0 2.10.7-r0 CVE-2021-36159 Critical ``` +If you want Grype to only report vulnerabilities **that do not have a confirmed fix**, you can use the `--only-notfixed` flag. (This automatically adds [ignore rules](#specifying-matches-to-ignore) into Grype's configuration, such that vulnerabilities that are fixed will be ignored.) + ## Grype's database When Grype performs a scan for vulnerabilities, it does so using a vulnerability database that's stored on your local filesystem, which is constructed by pulling data from a variety of publicly available vulnerability data sources. These sources include: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/cmd/root.go new/grype-0.43.0/cmd/root.go --- old/grype-0.42.0/cmd/root.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/cmd/root.go 2022-07-18 19:14:03.000000000 +0200 @@ -43,6 +43,10 @@ {FixState: string(grypeDb.UnknownFixState)}, } +var ignoreFixedMatches = []match.IgnoreRule{ + {FixState: string(grypeDb.FixedState)}, +} + var ( rootCmd = &cobra.Command{ Use: fmt.Sprintf("%s [IMAGE]", internal.ApplicationName), @@ -147,6 +151,11 @@ "ignore matches for vulnerabilities that are not fixed", ) + flags.BoolP( + "only-notfixed", "", false, + "ignore matches for vulnerabilities that are fixed", + ) + flags.StringArrayP( "exclude", "", nil, "exclude paths from being scanned using a glob expression", @@ -200,6 +209,10 @@ return err } + if err := viper.BindPFlag("only-notfixed", flags.Lookup("only-notfixed")); err != nil { + return err + } + if err := viper.BindPFlag("exclude", flags.Lookup("exclude")); err != nil { return err } @@ -284,6 +297,7 @@ var store *store.Store var status *db.Status + var dbCloser *db.Closer var packages []pkg.Package var context pkg.Context var wg = &sync.WaitGroup{} 
@@ -294,7 +308,7 @@ go func() { defer wg.Done() log.Debug("loading DB") - store, status, err = grype.LoadVulnerabilityDB(appConfig.DB.ToCuratorConfig(), appConfig.DB.AutoUpdate) + store, status, dbCloser, err = grype.LoadVulnerabilityDB(appConfig.DB.ToCuratorConfig(), appConfig.DB.AutoUpdate) if err = validateDBLoad(err, status); err != nil { errs <- err return @@ -318,10 +332,18 @@ return } + if dbCloser != nil { + defer dbCloser.Close() + } + if appConfig.OnlyFixed { appConfig.Ignore = append(appConfig.Ignore, ignoreNonFixedMatches...) } + if appConfig.OnlyNotFixed { + appConfig.Ignore = append(appConfig.Ignore, ignoreFixedMatches...) + } + applyDistroHint(&context, appConfig) matchers := matcher.NewDefaultMatchers(matcher.Config{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/db/curator.go new/grype-0.43.0/grype/db/curator.go --- old/grype-0.42.0/grype/db/curator.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/db/curator.go 2022-07-18 19:14:03.000000000 +0200 @@ -77,15 +77,15 @@ return c.targetSchema } -func (c *Curator) GetStore() (grypeDB.StoreReader, error) { +func (c *Curator) GetStore() (grypeDB.StoreReader, grypeDB.DBCloser, error) { // ensure the DB is ok _, err := c.validateIntegrity(c.dbDir) if err != nil { - return nil, fmt.Errorf("vulnerability database is invalid (run db update to correct): %+v", err) + return nil, nil, fmt.Errorf("vulnerability database is invalid (run db update to correct): %+v", err) } s, err := store.New(c.dbPath, false) - return s, err + return s, s, err } func (c *Curator) Status() Status { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/db/db_closer.go new/grype-0.43.0/grype/db/db_closer.go --- old/grype-0.42.0/grype/db/db_closer.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.43.0/grype/db/db_closer.go 2022-07-18 19:14:03.000000000 +0200 
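Review bot: Nothing rejects `only-fixed` and `only-notfixed` being set together, so in the `@@ -318,10 +332,18 @@` hunk both `ignoreNonFixedMatches` and `ignoreFixedMatches` are appended and every match with a known fix state is dropped, producing an empty report with no indication that the two options cancelled each other; the flag definition in `@@ -147` and the config field in internal/config/application.go are equally silent. A guard ahead of the two `if` blocks, `if appConfig.OnlyFixed && appConfig.OnlyNotFixed { return fmt.Errorf("only-fixed and only-notfixed are mutually exclusive") }`, turns the conflict into an error. The new `defer dbCloser.Close()` is also placed after the error return above it, so a load that produced a closer but then failed `validateDBLoad` (whether that path can occur is not visible here) would return without closing it. The enclosing function starts and ends outside the hunk.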
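Review bot: `return s, s, err` in the new `GetStore` hands the same `*store` out as both reader and closer even when `store.New` failed, so a caller that ignores `err` receives two non-nil interfaces wrapping a nil pointer (the typed-nil trap) instead of nil values. Spelling the error path out, `if err != nil { return nil, nil, err }` followed by `return s, s, nil`, keeps it consistent with the `validateIntegrity` branch above. Since the `fmt.Errorf` line is being touched anyway, `%w` instead of `%+v` would let callers use `errors.Is`/`errors.As` on the integrity failure.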
@@ -0,0 +1,9 @@ +package db + +import v4 "github.com/anchore/grype/grype/db/v4" + +// Closer lets receiver close the db connection and free any allocated db resources. +// It's especially useful if vulnerability DB loaded repeatedly during some periodic SBOM scanning process. +type Closer struct { + v4.DBCloser +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/db/v4/store/store.go new/grype-0.43.0/grype/db/v4/store/store.go --- old/grype-0.42.0/grype/db/v4/store/store.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/db/v4/store/store.go 2022-07-18 19:14:03.000000000 +0200 @@ -263,6 +263,11 @@ func (s *store) Close() { s.db.Exec("VACUUM;") + + sqlDB, err := s.db.DB() + if err != nil { + _ = sqlDB.Close() + } } // GetAllVulnerabilities gets all vulnerabilities in the database diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/db/v4/store.go new/grype-0.43.0/grype/db/v4/store.go --- old/grype-0.42.0/grype/db/v4/store.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/db/v4/store.go 2022-07-18 19:14:03.000000000 +0200 @@ -3,6 +3,7 @@ type Store interface { StoreReader StoreWriter + DBCloser } type StoreReader interface { @@ -18,9 +19,12 @@ VulnerabilityStoreWriter VulnerabilityMetadataStoreWriter VulnerabilityMatchExclusionStoreWriter - Close() } type DiffReader interface { DiffStore(s StoreReader) (*[]Diff, error) } + +type DBCloser interface { + Close() +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/differ/differ.go new/grype-0.43.0/grype/differ/differ.go --- old/grype-0.42.0/grype/differ/differ.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/differ/differ.go 2022-07-18 19:14:03.000000000 +0200 
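Review bot: `Closer` embeds an interface, so the zero value `db.Closer{}` has a nil `DBCloser` and calling `Close()` on it panics with a nil pointer; the callers added in this release nil-check the `*Closer` pointer but not the embedded field. Either guard in a method, `func (c *Closer) Close() { if c != nil && c.DBCloser != nil { c.DBCloser.Close() } }`, or state in the doc comment that a `Closer` must only be obtained from `LoadVulnerabilityDB`. The comment itself should also read `// Closer lets the caller close the DB connection and free any allocated DB resources.`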
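Review bot: The condition in the new `Close` body is inverted: `if err != nil { _ = sqlDB.Close() }` closes the underlying `*sql.DB` only when `s.db.DB()` failed, in which case `sqlDB` is presumably nil and the call panics, while on the success path the handle is never closed — which is the leak this release's DBCloser is meant to fix. Replace the block with `sqlDB, err := s.db.DB()`, `if err != nil { return }`, `_ = sqlDB.Close()`. The `VACUUM` result on the line above is also discarded, and because `DBCloser.Close()` in the `@@ -18,9 +19,12 @@` hunk returns nothing, a log line is the only way the caller can learn that either step failed; consider `Close() error` while the interface is still new.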
@@ -117,16 +117,20 @@ } func (d *Differ) DiffDatabases() (*[]v4.Diff, error) { - baseStore, err := d.baseCurator.GetStore() + baseStore, baseDBCloser, err := d.baseCurator.GetStore() if err != nil { return nil, err } - targetStore, err := d.targetCurator.GetStore() + defer baseDBCloser.Close() + + targetStore, targetDBCloser, err := d.targetCurator.GetStore() if err != nil { return nil, err } + defer targetDBCloser.Close() + return baseStore.DiffStore(targetStore) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/lib.go new/grype-0.43.0/grype/lib.go --- old/grype-0.42.0/grype/lib.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/lib.go 2022-07-18 19:14:03.000000000 +0200 @@ -38,30 +38,30 @@ return matcher.FindMatches(store, d, matchers, packages) } -func LoadVulnerabilityDB(cfg db.Config, update bool) (*store.Store, *db.Status, error) { +func LoadVulnerabilityDB(cfg db.Config, update bool) (*store.Store, *db.Status, *db.Closer, error) { dbCurator, err := db.NewCurator(cfg) if err != nil { - return nil, nil, err + return nil, nil, nil, err } if update { log.Debug("looking for updates on vulnerability database") _, err := dbCurator.Update() if err != nil { - return nil, nil, err + return nil, nil, nil, err } } - storeReader, err := dbCurator.GetStore() + storeReader, dbCloser, err := dbCurator.GetStore() if err != nil { - return nil, nil, err + return nil, nil, nil, err } status := dbCurator.Status() p, err := db.NewVulnerabilityProvider(storeReader) if err != nil { - return nil, &status, err + return nil, &status, nil, err } s := &store.Store{ 
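Review bot: In the `@@ -38,30 +38,30 @@` hunk of lib.go the `NewVulnerabilityProvider` failure path, `return nil, &status, nil, err`, runs after `GetStore` has already opened the database, so the `dbCloser` just obtained is dropped and the connection leaks on exactly the path the new closer exists to cover. Calling `dbCloser.Close()` before that `return` bounds the resource to the function. A doc comment on `LoadVulnerabilityDB` stating that the returned `*db.Closer` is non-nil whenever `err` is nil (which the `@@ -70` continuation guarantees) would also let cmd/root.go and the integration test drop their `if closer != nil` checks. The function's tail is in the next hunk.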
@@ -70,7 +70,9 @@ ExclusionProvider: db.NewMatchExclusionProvider(storeReader), } - return s, &status, nil + closer := &db.Closer{DBCloser: dbCloser} + + return s, &status, closer, nil } func SetLogger(logger logger.Logger) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/match/matcher_type.go new/grype-0.43.0/grype/match/matcher_type.go --- old/grype-0.42.0/grype/match/matcher_type.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/match/matcher_type.go 2022-07-18 19:14:03.000000000 +0200 @@ -12,6 +12,7 @@ DotnetMatcher MatcherType = "dotnet-matcher" JavascriptMatcher MatcherType = "javascript-matcher" MsrcMatcher MatcherType = "msrc-matcher" + GoModuleMatcher MatcherType = "go-module-matcher" ) var AllMatcherTypes = []MatcherType{ @@ -24,6 +25,7 @@ DotnetMatcher, JavascriptMatcher, MsrcMatcher, + GoModuleMatcher, } type MatcherType string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/matcher/golang/matcher.go new/grype-0.43.0/grype/matcher/golang/matcher.go --- old/grype-0.42.0/grype/matcher/golang/matcher.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.43.0/grype/matcher/golang/matcher.go 2022-07-18 19:14:03.000000000 +0200 
@@ -0,0 +1,42 @@
+package golang
+
+import (
+ "strings"
+
+ "github.com/anchore/grype/grype/distro"
+ "github.com/anchore/grype/grype/match"
+ "github.com/anchore/grype/grype/pkg"
+ "github.com/anchore/grype/grype/search"
+ "github.com/anchore/grype/grype/vulnerability"
+ syftPkg "github.com/anchore/syft/syft/pkg"
+)
+
+type Matcher struct {
+}
+
+func (m *Matcher) PackageTypes() []syftPkg.Type {
+ return []syftPkg.Type{syftPkg.GoModulePkg}
+}
+
+func (m *Matcher) Type() match.MatcherType {
+ return match.GoModuleMatcher
+}
+
+func (m *Matcher) Match(store vulnerability.Provider, d *distro.Distro, p pkg.Package) ([]match.Match, error) {
+ matches := make([]match.Match, 0)
+ metadata := pkg.GolangBinMetadata{}
+ if p.Metadata != nil {
+ metadata = p.Metadata.(pkg.GolangBinMetadata)
+ }
+
+ // Golang currently does not have a standard way of incorporating the vcs version
+ // into the compiled binary: https://github.com/golang/go/issues/50603
+ // current version information for the main module is incomplete leading to multiple FP
+ // TODO: remove this exclusion when vcs information is included in future go version
+ isNotCorrected := strings.HasPrefix(p.Version, "v0.0.0-") || strings.HasPrefix(p.Version, "(devel)")
+ if p.Name == metadata.MainModule && isNotCorrected {
+ return matches, nil
+ }
+
+ return search.ByCriteria(store, d, p, m.Type(), search.CommonCriteria...)
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/matcher/golang/matcher_test.go new/grype-0.43.0/grype/matcher/golang/matcher_test.go
--- old/grype-0.42.0/grype/matcher/golang/matcher_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/grype-0.43.0/grype/matcher/golang/matcher_test.go 2022-07-18 19:14:03.000000000 +0200
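Review bot: `metadata = p.Metadata.(pkg.GolangBinMetadata)` in `Match` is an unchecked type assertion, so a GoModulePkg whose `Metadata` is non-nil but of any other type panics the whole scan instead of falling through to the normal search. The comma-ok form, `if m, ok := p.Metadata.(pkg.GolangBinMetadata); ok { metadata = m }`, keeps the intent and degrades to a regular match. The suppression also deserves a doc comment on `Match` saying that it deliberately reports nothing for the main module when its version is a `v0.0.0-` pseudo-version or `(devel)`, since someone auditing why a known-vulnerable main module was missing from a report needs to find that decision here rather than in the TODO.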
@@ -0,0 +1,70 @@
+package golang
+
+import (
+ "testing"
+
+ "github.com/google/uuid"
+ "github.com/stretchr/testify/assert"
+
+ "github.com/anchore/grype/grype/distro"
+ "github.com/anchore/grype/grype/pkg"
+ "github.com/anchore/grype/grype/version"
+ "github.com/anchore/grype/grype/vulnerability"
+ syftPkg "github.com/anchore/syft/syft/pkg"
+)
+
+func TestMatcherGolang_DropMainPackage(t *testing.T) {
+ p := pkg.Package{
+ ID: pkg.ID(uuid.NewString()),
+ Name: "istio.io/istio",
+ Version: "v0.0.0-20220606222826-f59ce19ec6b6",
+ Type: syftPkg.GoModulePkg,
+ MetadataType: pkg.GolangBinMetadataType,
+ Metadata: pkg.GolangBinMetadata{
+ MainModule: "istio.io/istio",
+ },
+ }
+
+ matcher := Matcher{}
+ store := newMockProvider()
+
+ actual, _ := matcher.Match(store, nil, p)
+ assert.Len(t, actual, 0, "unexpected match count; should not match main module")
+}
+
+func newMockProvider() *mockProvider {
+ mp := mockProvider{
+ data: make(map[syftPkg.Language]map[string][]vulnerability.Vulnerability),
+ }
+
+ mp.populateData()
+
+ return &mp
+}
+
+type mockProvider struct {
+ data map[syftPkg.Language]map[string][]vulnerability.Vulnerability
+}
+
+func (mp *mockProvider) populateData() {
+ mp.data[syftPkg.Go] = map[string][]vulnerability.Vulnerability{
+ "istio.io/istio": {
+ {
+ Constraint: version.MustGetConstraint("<5.0.7", version.UnknownFormat),
+ ID: "CVE-2013-fake-BAD",
+ },
+ },
+ }
+}
+
+func (mp *mockProvider) GetByCPE(p syftPkg.CPE) ([]vulnerability.Vulnerability, error) {
+ return []vulnerability.Vulnerability{}, nil
+}
+
+func (mp *mockProvider) GetByDistro(d *distro.Distro, p pkg.Package) ([]vulnerability.Vulnerability, error) {
+ return []vulnerability.Vulnerability{}, nil
+}
+
+func (mp *mockProvider) GetByLanguage(l syftPkg.Language, p pkg.Package) ([]vulnerability.Vulnerability, error) {
+ return mp.data[l][p.Name], nil
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/matcher/matchers.go 
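Review bot: `actual, _ := matcher.Match(store, nil, p)` in `TestMatcherGolang_DropMainPackage` discards the error, so a `Match` that fails and returns an empty slice passes the test for the wrong reason; `actual, err := matcher.Match(store, nil, p)` followed by `assert.NoError(t, err)` closes that gap. The file also only exercises the suppression path: a second case where `Name` differs from `MainModule`, or where the version is a real tag, asserting exactly one match against the fixture would pin that the new matcher still reports vulnerabilities for dependencies.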
new/grype-0.43.0/grype/matcher/matchers.go --- old/grype-0.42.0/grype/matcher/matchers.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/matcher/matchers.go 2022-07-18 19:14:03.000000000 +0200 @@ -10,6 +10,7 @@ "github.com/anchore/grype/grype/matcher/apk" "github.com/anchore/grype/grype/matcher/dotnet" "github.com/anchore/grype/grype/matcher/dpkg" + "github.com/anchore/grype/grype/matcher/golang" "github.com/anchore/grype/grype/matcher/java" "github.com/anchore/grype/grype/matcher/javascript" "github.com/anchore/grype/grype/matcher/msrc" @@ -45,6 +46,7 @@ java.NewJavaMatcher(mc.Java), &javascript.Matcher{}, &apk.Matcher{}, + &golang.Matcher{}, &msrc.Matcher{}, } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/pkg/golang_bin_metadata.go new/grype-0.43.0/grype/pkg/golang_bin_metadata.go --- old/grype-0.42.0/grype/pkg/golang_bin_metadata.go 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.43.0/grype/pkg/golang_bin_metadata.go 2022-07-18 19:14:03.000000000 +0200 @@ -0,0 +1,9 @@ +package pkg + +type GolangBinMetadata struct { + BuildSettings map[string]string `json:"goBuildSettings,omitempty"` + GoCompiledVersion string `json:"goCompiledVersion"` + Architecture string `json:"architecture"` + H1Digest string `json:"h1Digest,omitempty"` + MainModule string `json:"mainModule,omitempty"` +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/pkg/metadata.go new/grype-0.43.0/grype/pkg/metadata.go --- old/grype-0.42.0/grype/pkg/metadata.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/pkg/metadata.go 2022-07-18 19:14:03.000000000 +0200 
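Review bot: `GolangBinMetadata` in the new golang_bin_metadata.go is an exported type with no doc comment, and nothing says why it duplicates the syft struct of the same name rather than reusing it. A one-liner such as `// GolangBinMetadata is grype's copy of the Go build information syft records for a compiled binary; MainModule is what the golang matcher uses to suppress main-module pseudo-version matches.` gives the next maintainer the link between this struct and the matcher that depends on it.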
@@ -6,7 +6,8 @@ const ( // this is the full set of data shapes that can be represented within the pkg.Package.Metadata field - UnknownMetadataType MetadataType = "UnknownMetadata" - JavaMetadataType MetadataType = "JavaMetadata" - RpmdbMetadataType MetadataType = "RpmdbMetadata" + UnknownMetadataType MetadataType = "UnknownMetadata" + JavaMetadataType MetadataType = "JavaMetadata" + RpmdbMetadataType MetadataType = "RpmdbMetadata" + GolangBinMetadataType MetadataType = "GolangBinMetadata" ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/pkg/package.go new/grype-0.43.0/grype/pkg/package.go --- old/grype-0.42.0/grype/pkg/package.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/pkg/package.go 2022-07-18 19:14:03.000000000 +0200 @@ -89,6 +89,11 @@ var metadataType MetadataType switch p.MetadataType { + case pkg.GolangBinMetadataType: + if m := golangBinDataFromPkg(p); m != nil { + metadata = *m + metadataType = GolangBinMetadataType + } case pkg.DpkgMetadataType: upstreams = dpkgDataFromPkg(p) case pkg.RpmdbMetadataType: 
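Review bot: `if m := golangBinDataFromPkg(p); m != nil` in the package.go `@@ -89,6 +89,11 @@` hunk never takes the false branch, because `golangBinDataFromPkg` in the `@@ -109,6 +114,20 @@` hunk on the next line always returns the `&GolangBinMetadata{}` it allocated even when the assertion on `p.Metadata` fails; a GoModulePkg carrying any other metadata type is therefore tagged `GolangBinMetadataType` with an all-zero struct, and the golang matcher then compares `p.Name` against an empty `MainModule`. Returning nil on the failed assertion, `value, ok := p.Metadata.(pkg.GolangBinMetadata); if !ok { return nil }` at the top of `golangBinDataFromPkg`, makes the caller's nil check meaningful. `metadata.BuildSettings = value.BuildSettings` also shares the map with the syft package instead of copying it, so a later mutation on either side is visible to the other; a short copy loop would detach it. The enclosing switch in the first hunk starts and ends outside it.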
@@ -109,6 +114,20 @@ return metadataType, metadata, upstreams } +func golangBinDataFromPkg(p pkg.Package) (m *GolangBinMetadata) { + metadata := &GolangBinMetadata{} + if value, ok := p.Metadata.(pkg.GolangBinMetadata); ok { + if value.BuildSettings != nil { + metadata.BuildSettings = value.BuildSettings + } + metadata.GoCompiledVersion = value.GoCompiledVersion + metadata.Architecture = value.Architecture + metadata.H1Digest = value.H1Digest + metadata.MainModule = value.MainModule + } + return metadata +} + func dpkgDataFromPkg(p pkg.Package) (upstreams []UpstreamPackage) { if value, ok := p.Metadata.(pkg.DpkgMetadata); ok { if value.Source != "" { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/grype/pkg/package_test.go new/grype-0.43.0/grype/pkg/package_test.go --- old/grype-0.42.0/grype/pkg/package_test.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/grype/pkg/package_test.go 2022-07-18 19:14:03.000000000 +0200 @@ -251,10 +251,18 @@ syftPkg: syftPkg.Package{ MetadataType: syftPkg.GolangBinMetadataType, Metadata: syftPkg.GolangBinMetadata{ + BuildSettings: map[string]string{}, GoCompiledVersion: "1.0.0", H1Digest: "a", + MainModule: "myMainModule", }, }, + metadata: GolangBinMetadata{ + BuildSettings: map[string]string{}, + GoCompiledVersion: "1.0.0", + H1Digest: "a", + MainModule: "myMainModule", + }, }, { name: "php-composer-metadata", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/internal/config/application.go new/grype-0.43.0/internal/config/application.go --- old/grype-0.42.0/internal/config/application.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/internal/config/application.go 2022-07-18 19:14:03.000000000 +0200 
@@ -38,6 +38,7 @@ Quiet bool `yaml:"quiet" json:"quiet" mapstructure:"quiet"` // -q, indicates to not show any status output to stderr (ETUI or logging UI) CheckForAppUpdate bool `yaml:"check-for-app-update" json:"check-for-app-update" mapstructure:"check-for-app-update"` // whether to check for an application update on start up or not OnlyFixed bool `yaml:"only-fixed" json:"only-fixed" mapstructure:"only-fixed"` // only fail if detected vulns have a fix + OnlyNotFixed bool `yaml:"only-notfixed" json:"only-notfixed" mapstructure:"only-notfixed"` // only fail if detected vulns don't have a fix Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` // --platform, override the target platform for a container image CliOptions CliOnlyOptions `yaml:"-" json:"-"` Search search `yaml:"search" json:"search" mapstructure:"search"` @@ -87,6 +88,7 @@ // set the default values for primitive fields in this struct v.SetDefault("check-for-app-update", true) v.SetDefault("only-fixed", false) + v.SetDefault("only-notfixed", false) // for each field in the configuration struct, see if the field implements the defaultValueLoader interface and invoke it if it does value := reflect.ValueOf(cfg) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/schema/cyclonedxvex/Makefile new/grype-0.43.0/schema/cyclonedxvex/Makefile --- old/grype-0.42.0/schema/cyclonedxvex/Makefile 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/schema/cyclonedxvex/Makefile 2022-07-18 19:14:03.000000000 +0200 
@@ -5,10 +5,10 @@ .PHONY: validate-schema-xml validate-schema-xml: - go run ../../main.go -c ../../test/grype-test-config.yaml ubuntu:latest -vv -o embedded-cyclondex-vex-xml > bom.xml + go run ../../main.go -c ../../test/grype-test-config.yaml ubuntu:latest -vv -o embedded-cyclonedx-vex-xml > bom.xml xmllint --noout --schema ./cyclonedx.xsd bom.xml .PHONY: validate-schema-json validate-schema-json: - go run ../../main.go -c ../../test/grype-test-config.yaml ubuntu:latest -vv -o embedded-cyclondex-vex-json > bom.json + go run ../../main.go -c ../../test/grype-test-config.yaml ubuntu:latest -vv -o embedded-cyclonedx-vex-json > bom.json ../../.tmp/yajsv -s cyclonedx.json bom.json diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/schema/cyclonedxvex/cyclonedx.xsd new/grype-0.43.0/schema/cyclonedxvex/cyclonedx.xsd --- old/grype-0.42.0/schema/cyclonedxvex/cyclonedx.xsd 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/schema/cyclonedxvex/cyclonedx.xsd 2022-07-18 19:14:03.000000000 +0200 
@@ -2014,6 +2014,16 @@ </xs:sequence> </xs:complexType> </xs:element> + <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1"> + <xs:annotation> + <xs:documentation>Provides the ability to document properties in a key/value store. + This provides flexibility to include data not officially supported in the standard + without having to use additional namespaces or create extensions. Property names + of interest to the general public are encouraged to be registered in the + CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy. + Formal registration is OPTIONAL.</xs:documentation> + </xs:annotation> + </xs:element> </xs:sequence> <xs:attribute name="bom-ref" type="bom:refType"> <xs:annotation> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/compare_sbom_input_vs_lib_test.go new/grype-0.43.0/test/integration/compare_sbom_input_vs_lib_test.go --- old/grype-0.42.0/test/integration/compare_sbom_input_vs_lib_test.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/test/integration/compare_sbom_input_vs_lib_test.go 2022-07-18 19:14:03.000000000 +0200 
@@ -43,13 +43,17 @@ } // get a grype DB - store, _, err := grype.LoadVulnerabilityDB(db.Config{ + store, _, closer, err := grype.LoadVulnerabilityDB(db.Config{ DBRootDir: "test-fixtures/grype-db", ListingURL: getListingURL(), ValidateByHashOnGet: false, }, true) assert.NoError(t, err) + if closer != nil { + defer closer.Close() + } + definedPkgTypes := strset.New() for _, p := range syftPkg.AllPkgs { definedPkgTypes.Add(string(p)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/db_mock_test.go new/grype-0.43.0/test/integration/db_mock_test.go --- old/grype-0.42.0/test/integration/db_mock_test.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/test/integration/db_mock_test.go 2022-07-18 19:14:03.000000000 +0200 @@ -70,6 +70,22 @@ }, }, }, + "github:language:go": { + "github.com/anchore/coverage": []grypeDB.Vulnerability{ + { + ID: "CVE-coverage-main-module-vuln", + VersionConstraint: "< 1.4.0", + VersionFormat: "unknown", + }, + }, + "github.com/google/uuid": []grypeDB.Vulnerability{ + { + ID: "CVE-uuid-vuln", + VersionConstraint: "< 1.4.0", + VersionFormat: "unknown", + }, + }, + }, "github:language:javascript": { "npm": []grypeDB.Vulnerability{ { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/match_by_image_test.go new/grype-0.43.0/test/integration/match_by_image_test.go --- old/grype-0.42.0/test/integration/match_by_image_test.go 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/test/integration/match_by_image_test.go 2022-07-18 19:14:03.000000000 +0200 
@@ -190,6 +190,44 @@ }) } +func addGolangMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Catalog, theStore *mockStore, theResult *match.Matches) { + packages := catalog.PackagesByPath("/go-app") + if len(packages) != 2 { + t.Logf("Golang Packages: %+v", packages) + t.Fatalf("problem with upstream syft cataloger (golang)") + } + + for _, p := range packages { + thePkg := pkg.New(p) + theVuln := theStore.backend["github:language:go"][p.Name][0] + vulnObj, err := vulnerability.NewVulnerability(theVuln) + if err != nil { + t.Fatalf("failed to create vuln obj: %+v", err) + } + + // no vuln match supported for main module + if p.Name != "github.com/anchore/coverage" { + theResult.Add(match.Match{ + Vulnerability: *vulnObj, + Package: thePkg, + Details: []match.Detail{ + { + Type: match.ExactDirectMatch, + Confidence: 1.0, + SearchedBy: map[string]interface{}{ + "langauge": "go", + }, + Found: map[string]interface{}{ + "constraint": " < 1.4.0 (golang)", + }, + Matcher: match.GoModuleMatcher, + }, + }, + }) + } + } +} + func addJavaMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Catalog, theStore *mockStore, theResult *match.Matches) { packages := make([]syftPkg.Package, 0) for p := range catalog.Enumerate(syftPkg.JavaPkg) { @@ -314,7 +352,6 @@ t.Fatalf("failed to create vuln obj: %+v", err) } theResult.Add(match.Match{ - Vulnerability: *vulnObj, Package: thePkg, Details: []match.Detail{ @@ -337,7 +374,6 @@ } func TestMatchByImage(t *testing.T) { - observedMatchers := internal.NewStringSet() definedMatchers := internal.NewStringSet() for _, l := range match.AllMatcherTypes { 
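Review bot: `theStore.backend["github:language:go"][p.Name][0]` in `addGolangMatches` panics with an index out of range when a cataloged package has no fixture entry, turning fixture drift into an unreadable crash instead of the `t.Fatalf` this helper uses for every other failure; `vulns := theStore.backend["github:language:go"][p.Name]` with `if len(vulns) == 0 { t.Fatalf("no fixture vulnerability for %q", p.Name) }` keeps the failure diagnosable. The `"langauge"` key in `SearchedBy` reads like a typo but is an expectation that must match whatever `search.ByCriteria` emits, which is not visible here; if that spelling is the production one, a `// key spelling mirrors the search package` comment would stop a later reader from correcting only this side and breaking the test.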
@@ -358,6 +394,7 @@ addDpkgMatches(t, theSource, catalog, theStore, &expectedMatches) addJavascriptMatches(t, theSource, catalog, theStore, &expectedMatches) addDotnetMatches(t, theSource, catalog, theStore, &expectedMatches) + addGolangMatches(t, theSource, catalog, theStore, &expectedMatches) return expectedMatches }, }, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/Dockerfile new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/Dockerfile --- old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/Dockerfile 2022-07-11 21:15:12.000000000 +0200 +++ new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/Dockerfile 2022-07-18 19:14:03.000000000 +0200 @@ -1,2 +1,8 @@ +FROM golang:1.16 +WORKDIR /go/src/github.com/anchore/test/ +COPY golang/ ./ +RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o go-app . + FROM scratch +COPY --from=0 /go/src/github.com/anchore/test/go-app ./ COPY . . \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.mod new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.mod --- old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.mod 1970-01-01 01:00:00.000000000 +0100 +++ new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.mod 2022-07-18 19:14:03.000000000 +0200 
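Review bot: The fixture Dockerfile builds with `FROM golang:1.16` while the go.mod added in the next hunk declares `go 1.18`; a 1.16 toolchain should still compile this trivial main, but the embedded build info the new golang matcher keys on (main module name and `(devel)`/pseudo-version) varies between toolchain versions, so the two should agree. `FROM golang:1.18`, ideally pinned by digest, keeps the integration image reproducible and the matcher test meaningful.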
@@ -0,0 +1,5 @@
+module github.com/anchore/coverage
+
+go 1.18
+
+require github.com/google/uuid v1.3.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.sum new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.sum
--- old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.sum 1970-01-01 01:00:00.000000000 +0100
+++ new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/go.sum 2022-07-18 19:14:03.000000000 +0200
@@ -0,0 +1,2 @@
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/main.go new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/main.go
--- old/grype-0.42.0/test/integration/test-fixtures/image-debian-match-coverage/golang/main.go 1970-01-01 01:00:00.000000000 +0100
+++ new/grype-0.43.0/test/integration/test-fixtures/image-debian-match-coverage/golang/main.go 2022-07-18 19:14:03.000000000 +0200
@@ -0,0 +1,11 @@
+package main
+
+import (
+ "fmt"
+
+ "github.com/google/uuid"
+)
+
+func main() {
+ fmt.Println(uuid.New())
+}
++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/grype/vendor.tar.gz /work/SRC/openSUSE:Factory/.grype.new.1523/vendor.tar.gz differ: char 5, line 1