Keith Zantow

Results 103 issues of Keith Zantow

This PR updates the "build scripts" to use a go-based build scripting utility.

It would be great if the CLI functions which read SBOMs support reading from piped standard input. There are some cases where it is much more convenient to pipe output...

enhancement

While adding nonroot images, a smoke test was added to ensure permissions worked; however, this needs to be enhanced to explicitly use different sources, particularly `docker` and `registry`, as well...

changelog-ignore
test

While working on v6 I intended to do this refactoring but it got lost along the way. This PR adjusts the return type of the Matcher interface instead of returning...

Today, there is a somewhat hidden behavior that takes a package and depending on the type does a few different behaviors to get a set of names which are used...

In order to minimize changes for v6, there was not much changed between Vulnerability and VulnerabilityMetadata: `FindVulnerabilities` returns `Vulnerability` objects, and these are later used to fetch `VulnerabilityMetadata`. I _believe_...

A `PackageSearchNames` function was added to the `VulnerabilityProvider` [interface here](https://github.com/anchore/grype/blob/main/grype/vulnerability/provider.go#L23). This function is due to the fact that Java (and maybe other) packages have names in the v6 database stored...

While adding nonroot images, a smoke test was added to ensure permissions worked; however, this needs to be enhanced to explicitly use different sources, particularly `docker` and `registry`, as well...

testing
changelog-ignore

SPDX import should exclude more packages depending on the relationships found. As reported in #3662, we should probably filter out packages with `DESCRIBED_BY` relationships, which appears to be used in...

bug

# Description

This PR adds more relationship-based package filtering, specifically for:

* DESCRIBES
* DESCRIBED_BY
* GENERATES

- Fixes #3983

NOTE: before merging this we should carefully review the SPDX...