-------------------------------------------------------------------
Fri Jan 27 06:09:00 UTC 2023 - kastl@b1-systems.de

- Update to version 0.56.0:
  * Update Syft to v0.68.1 (#1086)
  * chore: update grype quality gate (#1085)
  * chore(deps): bump github.com/sigstore/sigstore from 1.4.4 to 1.5.1 (#1081)
  * chore(deps): bump actions/setup-python from 4.3.0 to 4.5.0 (#1075)
  * chore(deps): bump anchore/sbom-action from 0.13.1 to 0.13.2 (#1076)
  * chore(deps): bump actions/upload-artifact from 3.1.1 to 3.1.2 (#1077)
  * chore(deps): bump actions/download-artifact from 3.0.1 to 3.0.2 (#1074)
  * chore(deps): bump ossf/scorecard-action from 2.0.6 to 2.1.2 (#1078)
  * chore(deps): bump github.com/pkg/profile from 1.6.0 to 1.7.0 (#1079)
  * chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.0 to 1.4.1 (#1080)
  * chore(deps): bump github.com/Masterminds/sprig/v3 from 3.2.2 to 3.2.3 (#1083)
  * chore: align makefile and bootstrap tools scripts more with syft (#1073)
  * chore: enable dependabot on gomod and GitHub actions (#1072)
  * Update grype bootstrap tools to latest versions. (#1070)
  * fix: always include severity in cyclonedx output (#1067)
  * Update Syft to v0.68.0 (#1064)
  * Add protobuf FPs to default ignore list (#1062)
  * chore: update Syft to v0.66.2 (#1060)
  * Update grype bootstrap tools to latest versions. (#1055)
  * feat: allow grype db diff to specify local db directories (#1058)
  * chore: claim artifacthub package ownership from developer-guy (#661)
  * chore: add github token to quality tests (#1056)
  * chore: update yardstick to diagnose intermittent failures (#1054)
  * Update grype bootstrap tools to latest versions. (#1048)

-------------------------------------------------------------------
Thu Jan 05 14:00:43 UTC 2023 - kastl@b1-systems.de

- Update to version 0.55.0:
  * fix: sort vulnerability results (#1052)
  * Adding internal/file/hasher test cases (#1049)
  * fix: orient by cve merging (#1046)
  * Update Syft to v0.64.0 (#1047)
  * fix: update removing results based on ownership-by-file-overlap (#1045)
  * feat: swap custom cyclone-dx model for cyclone-dx library (#1038)
  * chore: add GitLab Community Edition image to quality gate (#1035)

-------------------------------------------------------------------
Fri Dec 16 12:39:08 UTC 2022 - kastl@b1-systems.de

- Update to version 0.54.0:
  * Update Syft to v0.63.0 (#1037)
  * fix: Exclude binary packages that have overlap by file ownership relationship (#1024)
  * docs: update quality gate docs (#1032)
  * Optionally orient results by CVE (#1020)
  * chore: bump yardstick to latest commit (#1027)
  * Update Syft to v0.62.3 (#1026)
  * chore: change CVE example to official sample (#1028)
  * fix: Table format sorting (#1023)
  * fix: update architecture release for ppc64le (#1021)
  * Update grype bootstrap tools to latest versions. (#1017)
  * Update Syft to v0.62.2 (#1018)
  * chore: update quality gate with latest label data (#1016)
  * chore: update digest for test fixture dockerfile (#1015)
  * test: remove presenter tests reliance on docker from unit suite (#1013)
  * fix: swapped base container images (#1011)
  * chore: update default packages to read (#1007)

-------------------------------------------------------------------
Tue Nov 22 07:29:31 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.1:
  * Update Syft to v0.62.1 (#1006)
  * Update grype bootstrap tools to latest versions. (#1004)
  * scoped: token release for content write on image assets (#1002)

-------------------------------------------------------------------
Sat Nov 19 12:05:00 UTC 2022 - kastl@b1-systems.de

- Update to version 0.53.0:
  * chore: bump syft version v0.62.0 (#1000)
  * feat: vulnerability namespacing support for rolling distros (#997)
  * chore: bump quality gate images and label data (#995)
  * feat: add strong distro type for wolfi (#996)
  * chore: pin dependencies (#994)
  * chore: code-ql top level read check (#993)
  * Add SECURITY.md (#989)
  * chore: update codeql to pinned v2 with correct write permissions
  * Update token permissions to be read-only (#988)
  * Enable the Scorecard Github Action and badge (#929)

-------------------------------------------------------------------
Tue Nov 15 15:42:37 UTC 2022 - kastl@b1-systems.de

- Update to version 0.52.0:
  * chore: update syft to v0.60.3 (#978)
  * feat: consider well-known false-positive generating CPE target SW components in match filtering logic (#961)
  * chore: grype quality pipeline latest label updates and images (#976)
  * Implemented new CLI flag: --show-suppressed (#966)
  * fix: update case for alpine:edge correct vuln feed (#965)
  * PURL input results in incorrect artifact in JSON output (#968)
  * Update grype bootstrap tools to latest versions. (#956)

-------------------------------------------------------------------
Tue Oct 18 05:12:14 UTC 2022 - kastl@b1-systems.de

- Update to version 0.51.0:
  * implement v5 db schema to support improved matching between rpm appstream modules (#944)
  * Update Syft to v0.59.0 (#957)
  * expand quality gate image set to include rpm appstreams-related images (#952)
  * Update grype bootstrap tools to latest versions. (#947)
  * chore: add more quality gate images (#950)
  * Add in-depth quality gate checks (#949)
  * Update Syft to v0.58.0 (#941)
  * Update grype bootstrap tools to latest versions. (#945)
  * Update grype bootstrap tools to latest versions. (#935)
  * Update Syft to v0.57.0 (#930)

-------------------------------------------------------------------
Wed Sep 21 08:31:07 UTC 2022 - kastl@b1-systems.de

- Update to version 0.50.2:
  * Update Syft to v0.57.0 (#930)
  * Correct falsely copied app-name 'syft' in example (#922)
  * Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 (#927)
  * Update grype bootstrap tools to latest versions. (#925)

-------------------------------------------------------------------
Wed Sep 14 05:40:23 UTC 2022 - kastl@b1-systems.de

- Update to version 0.50.1:
  * Update Syft to v0.56.0 (#919)

-------------------------------------------------------------------
Tue Sep 13 12:42:49 UTC 2022 - kastl@b1-systems.de

- Update to version 0.50.0:
  * Add support for scanning RPM files (#917)
  * remove arch typo - add debug/reg s390x (#915)
  * grype release message update (#914)
  * feat: extract use cpes in matching logic to be configurable (#911)
  * docs: add Singularity to "features" in README (#912)

-------------------------------------------------------------------
Wed Sep 07 05:39:15 UTC 2022 - kastl@b1-systems.de

- Update to version 0.49.0:
  * docs: improve Singularity image source docs (#910)
  * Add Singularity image source (#908)
  * Update grype bootstrap tools to latest versions. (#907)
  * Update Syft to v0.55.0 (#906)
  * Update grype bootstrap tools to latest versions. (#905)
  * Update grype bootstrap tools to latest versions. (#903)
  * Update grype bootstrap tools to latest versions. (#896)
  * Add blurbs about building and running from source (#893)
  * Fix docker build typo (#891)

-------------------------------------------------------------------
Wed Sep 07 05:36:24 UTC 2022 - kastl@b1-systems.de

- Update to version 0.48.0:
  * disable CPE match filtering based on target software component for java packages (#889)
  * Update grype bootstrap tools to latest versions. (#886)
  * fix getting latest gosimports version (#885)
  * workflow to create automated PRs to update bootstrap tools (#883)
  * Add s390x build support (#720)
  * fix: only show distro warning if distro packages exist (#875)

-------------------------------------------------------------------
Wed Sep 07 05:33:41 UTC 2022 - kastl@b1-systems.de

- Update to version 0.47.0:
  * Update Syft to v0.54.0 (#881)
  * Update README.md (#871)
  * Update README.md (#868)

-------------------------------------------------------------------
Wed Sep 07 05:30:47 UTC 2022 - kastl@b1-systems.de

- Update to version 0.46.0:
  * test: rm mustConst since unused (#860)
  * Update Syft to v0.53.4 (#856)
  * feat: enrich db check cmd feedback (#853)
  * update syft version location for Makefile (#865)

-------------------------------------------------------------------
Wed Sep 07 05:28:51 UTC 2022 - kastl@b1-systems.de

- Update to version 0.45.0:
  * remove env variable dependencies and keychain from signing script (#864)
  * macos-latest for signing (#863)
  * move docker release into separate release workflow (#862)
  * revert to old docker action (#861)
  * additional readOptions added per 855 (#857)
  * Ensure database access is readonly (#854)
  * push older version for mac runner stability (#852)
  * bump bouncer to v0.4.0 (#851)
  * feat: simple input case to request vulnerability data via purl (#795)
  * update golangci-lint, goreleaser, cosign (#850)
  * fix: db diff default has flipped base/target url (#845)

-------------------------------------------------------------------
Tue Jul 26 11:28:54 UTC 2022 - kastl@b1-systems.de

- Update to version 0.44.0:
  * add env variables and keychain for GHCR publish (#843)
  * update grype to use syft v0.52.0 (#838)
  * add debug distroless image to published images (#835)
  * add new line for help block (#834)
  * add Gentoo matching support (#813)
  * feat: add filtering support using target software field in cpe (#810)

-------------------------------------------------------------------
Tue Jul 19 08:19:48 UTC 2022 - kastl@b1-systems.de

- Update to version 0.43.0:
  * Add new matcher files for golang => remove main module FP matches (#829)
  * Fix a cyclonedxvex typo and fix the schema document from (#830)
  * feat: add --only-notfixed flag (#828)
  * add DBCloser. Clients can avoid db connection leak if vulnerability db is loaded many times (#825)

-------------------------------------------------------------------
Sat Jul 16 19:00:16 UTC 2022 - kastl@b1-systems.de

- Update to version 0.42.0:
  * bump syft version to v0.51.0 (#822)
  * feat: implement `grype db diff` command (#812)
  * fix typo in log message (#819)

-------------------------------------------------------------------
Wed Jul 06 18:11:46 UTC 2022 - kastl@b1-systems.de

- Update to version 0.41.0:
  * update syft to v0.50.0 (#818)
  * Finalize v4 Grype schema (#803)
  * docs: update to include rust (#814)
  * feat: add diffing 2 databases to v3 store functionality (#789)
  * fix: add support for partybus ui on `grype db update` cmd (#806)
  * Added Docker example to Readme (#769)
  * fix: add vex json & xml to listed formats (#802)
  * docs: update php listing to be more clear that the `.json` file isn't indexed (#808)

-------------------------------------------------------------------
Mon Jun 27 13:20:36 UTC 2022 - kastl@b1-systems.de

- Update to version 0.40.1:
  * update syft => v0.49.0 (#804)
  * remove oss meetup message (#799)
  * fix: add fixed versions to cyclonedxjson output (#763)
  * docs: update to include php (#793)

-------------------------------------------------------------------
Wed Jun 22 08:33:50 UTC 2022 - kastl@b1-systems.de

- Update to version 0.40.0:
  * update grype to latest syft patch v0.48.1 (#790)
  * fix: add golang to documentation (#788)
  * fix: accept templates with custom functions (#786)
  * add db staleness check (#785)
  * feat: add compose workflow for local dev (#783)
  * ignore gemfile rich version for semVer comparison (#776)
  * Support namespace and language as additional criteria for ignoring vulnerability matches (#780)

-------------------------------------------------------------------
Wed Jun 22 08:19:33 UTC 2022 - kastl@b1-systems.de

- Update to version 0.39.0:
  * update syft version to v0.47.0 (#781)
  * use anchore fork of glebarez/sqlite (#778)
  * template: Check sanity for template file (#674)
  * Add announcement for Anchore OSS Meetup (#775)
  * Bump github.com/hashicorp/go-getter from 1.5.11 to 1.6.1 (#770)
  * publish release to reduce user friction (#766)
  * Update Syft to v0.46.3 (#761)
  * Add reference to logrus logging levels (#758)
  * README: add MacPorts install info (#759)

-------------------------------------------------------------------
Mon Jun 6 19:46:12 UTC 2022 - Johannes Kastl

- new package grype at version 0.38.0:
  A vulnerability scanner for container images and filesystems