Merge branch 'main' into PR

* main: (70 commits) fix: add php catalogers to all catalogers (anchore#1065) feat: add use-all-catalogers flag (anchore#1050) Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (anchore#926) remove OSS Meetup message (anchore#1057) add pom.xml cataloger (anchore#1055) Add support for CBL-Mariner distroless images (anchore#1045) Add catalogers configuration (anchore#1038) add template output (anchore#1051) update stereoscope to latest version (anchore#1052) update zip_read_closer to incorporate zip64 support (anchore#1041) Add pacman (alpm) parser support (anchore#943) Update of README.md (anchore#1027) bump cosign to v1.9.0 to resolve reporting of GHSA-66x3-6cw3-v5gj (anchore#1025) add workflows to test new project automation (anchore#1023) improve LanguageByName and add unit tests (anchore#1034) Read Description from dpkg status files (anchore#996) Add announcement for Anchore OSS Virtual Meetup (anchore#1033) add main module field to go bin metadata (anchore#1026) Add filters to package cataloger (anchore#1021) change draft to false for release process (anchore#1016) ... Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
jonasagx · Jun 27, 2022 · 55c1775 · 55c1775
2 parents 3d6b631 + 73262c7
commit 55c1775
Show file tree

Hide file tree

Showing 364 changed files with 14,060 additions and 14,838 deletions.
diff --git a/.bouncer.yaml b/.bouncer.yaml
@@ -5,6 +5,7 @@ permit:
   - MPL.*
   - ISC
 ignore-packages:
+  - .
   # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE
   - github.com/anchore/packageurl-go
 
@@ -20,3 +21,32 @@ ignore-packages:
   # All these files have been put into the public domain.
   # You can do whatever you want with these files.
   - github.com/xi2/xz
+
+  # from: https://gitlab.com/cznic/sqlite/-/blob/v1.15.4/LICENSE
+  # This is a BSD-3-Clause license
+  - modernc.org/libc
+  - modernc.org/libc/errno
+  - modernc.org/libc/fcntl
+  - modernc.org/libc/fts
+  - modernc.org/libc/grp
+  - modernc.org/libc/langinfo
+  - modernc.org/libc/limits
+  - modernc.org/libc/netdb
+  - modernc.org/libc/netinet/in
+  - modernc.org/libc/poll
+  - modernc.org/libc/pthread
+  - modernc.org/libc/pwd
+  - modernc.org/libc/signal
+  - modernc.org/libc/stdio
+  - modernc.org/libc/stdlib
+  - modernc.org/libc/sys/socket
+  - modernc.org/libc/sys/stat
+  - modernc.org/libc/sys/types
+  - modernc.org/libc/termios
+  - modernc.org/libc/time
+  - modernc.org/libc/unistd
+  - modernc.org/libc/utime
+  - modernc.org/libc/uuid/uuid
+  - modernc.org/libc/wctype
+  - modernc.org/mathutil
+  - modernc.org/memory
diff --git a/.github/scripts/apple-signing/setup-prod.sh b/.github/scripts/apple-signing/setup-prod.sh
@@ -21,6 +21,14 @@ fi
 if [ -z "$DOCKER_PASSWORD" ]; then
   exit_with_error "DOCKER_PASSWORD not set"
 fi
+
+if [ -z "$GHCR_USERNAME" ]; then
+  exit_with_error "GHCR_USERNAME not set"
+fi
+
+if [ -z "$GHCR_PASSWORD" ]; then
+  exit_with_error "GHCR_PASSWORD not set"
+fi
 set -u
 
 # setup_signing
@@ -41,4 +49,5 @@ setup_signing() {
 
   commentary "log into docker -- required for publishing (since the default keychain has now been replaced)"
   echo "${DOCKER_PASSWORD}" | docker login docker.io -u "${DOCKER_USERNAME}"  --password-stdin
+  echo "${GHCR_PASSWORD}" | docker login ghcr.io -u "${GHCR_USERNAME}"  --password-stdin
 }
diff --git a/.github/workflows/issues.yaml b/.github/workflows/issues.yaml
@@ -0,0 +1,17 @@
+# Uses https://github.com/actions/add-to-project example to add issues to Anchore OSS project
+name: Add issues to OSS project
+
+on:
+  issues:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@main
+        with:
+          project-url: https://github.com/orgs/anchore/projects/22
+          github-token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }}
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -0,0 +1,17 @@
+# Uses https://github.com/actions/add-to-project example to add PR to Anchore OSS project
+name: Add pr to OSS project
+
+on:
+  pull_request:
+    types:
+      - opened
+
+jobs:
+  add-to-project:
+    name: Add pr to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@main
+        with:
+          project-url: https://github.com/orgs/anchore/projects/22
+          github-token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -94,6 +94,8 @@ jobs:
     needs: [quality-gate]
     # due to our code signing process, it's vital that we run our release steps on macOS
     runs-on: macos-latest
+    permissions:
+      packages: write
     steps:
       - uses: docker-practice/actions-setup-docker@v1
 
@@ -128,6 +130,8 @@ jobs:
       - name: Build & publish release artifacts
         run: make release
         env:
+          GHCR_USERNAME: ${{ github.actor }}
+          GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }}
           DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }}
           # we use a different token than GITHUB_SECRETS to additionally allow updating the homebrew repos

diff --git a/.github/workflows/update-stereoscope-release.yml b/.github/workflows/update-stereoscope-release.yml
@@ -0,0 +1,51 @@
+name: PR for latest Stereoscope release
+on:
+  schedule:
+    - cron: "0 8 * * *" # 3 AM EST
+
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.18.x"
+  GO_STABLE_VERSION: true
+
+jobs:
+  upgrade-stereoscope:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          stable: ${{ env.GO_STABLE_VERSION }}
+
+      - run: |
+          LATEST_VERSION=$(git ls-remote https://github.com/anchore/stereoscope main | head -n1 | awk '{print $1;}')
+
+          # update go.mod
+          go get github.com/anchore/stereoscope@$LATEST_VERSION
+          go mod tidy
+
+          # export the version for use with create-pull-request
+          echo "::set-output name=LATEST_VERSION::$LATEST_VERSION"
+        id: latest-version
+
+      - uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@v4
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest
+          labels: dependencies
+          commit-message: "Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
+          title: "Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
+          body: |
+            Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}
+          token: ${{ steps.generate-token.outputs.token }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -1,6 +1,6 @@
 release:
   prerelease: auto
-  draft: true
+  draft: false
 
 env:
   # required to support multi architecture docker builds
@@ -12,6 +12,7 @@ before:
 
 builds:
   - id: linux-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - linux
@@ -32,6 +33,7 @@ builds:
       -X github.com/anchore/syft/internal/version.gitDescription={{.Summary}}
 
   - id: darwin-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - darwin
@@ -49,6 +51,7 @@ builds:
         - ./.github/scripts/apple-signing/sign.sh "{{ .Path }}" "{{ .IsSnapshot }}" "{{ .Target }}"
 
   - id: windows-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - windows
@@ -99,6 +102,11 @@ dockers:
       - "anchore/syft:{{ .Tag }}-amd64"
       - "anchore/syft:v{{ .Major }}-amd64"
       - "anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64"
+      - "ghcr.io/anchore/syft:latest"
+      - "ghcr.io/anchore/syft:{{ .Tag }}-amd64"
+      - "ghcr.io/anchore/syft:v{{ .Major }}-amd64"
+      - "ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64"
+    goarch: amd64
     dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
@@ -112,6 +120,9 @@ dockers:
       - "anchore/syft:{{ .Tag }}-arm64v8"
       - "anchore/syft:v{{ .Major }}-arm64v8"
       - "anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8"
+      - "ghcr.io/anchore/syft:{{ .Tag }}-arm64v8"
+      - "ghcr.io/anchore/syft:v{{ .Major }}-arm64v8"
+      - "ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8"
     goarch: arm64
     dockerfile: Dockerfile
     use: buildx
@@ -131,3 +142,11 @@ docker_manifests:
     image_templates:
       - anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
       - anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8
+  - name_template: ghcr.io/anchore/syft:{{ .Tag }}
+    image_templates:
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8
+  - name_template: ghcr.io/anchore/syft:latest
+    image_templates:
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8
diff --git a/Makefile b/Makefile
@@ -147,7 +147,7 @@ lint-fix: ## Auto-format all source code + run golangci lint fixers
 
 .PHONY: check-licenses
 check-licenses: ## Ensure transitive dependencies are compliant with the current license policy
-	$(TEMPDIR)/bouncer check
+	$(TEMPDIR)/bouncer check ./cmd/syft
 
 check-go-mod-tidy:
 	@ .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
@@ -305,7 +305,7 @@ cli: $(SNAPSHOTDIR) ## Run CLI tests
 	chmod 755 "$(SNAPSHOT_BIN)"
 	$(SNAPSHOT_BIN) version
 	SYFT_BINARY_LOCATION='$(SNAPSHOT_BIN)' \
-		go test -count=1 -v ./test/cli
+		go test -count=1 -timeout=15m -v ./test/cli
 
 .PHONY: changelog
 changelog: clean-changelog CHANGELOG.md