Merge remote-tracking branch 'upstream/main' into fail-on-cant-check-…

…db-update
anchore · Jul 26, 2024 · 43397e3 · 43397e3
2 parents e38fdba + 16a7e4d
commit 43397e3
Show file tree

Hide file tree

Showing 373 changed files with 30,248 additions and 10,265 deletions.
diff --git a/.binny.yaml b/.binny.yaml
@@ -0,0 +1,119 @@
+tools:
+  # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!)
+  - name: binny
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/binny
+
+  # used to produce SBOMs during release
+  - name: syft
+    version:
+      want: latest
+    method: github-release
+    with:
+      repo: anchore/syft
+
+  # used to sign mac binaries at release
+  - name: quill
+    version:
+      want: v0.4.2
+    method: github-release
+    with:
+      repo: anchore/quill
+
+  # used for linting
+  - name: golangci-lint
+    version:
+      want: v1.59.1
+    method: github-release
+    with:
+      repo: golangci/golangci-lint
+
+  # used for showing the changelog at release
+  - name: glow
+    version:
+      want: v1.5.1
+    method: github-release
+    with:
+      repo: charmbracelet/glow
+
+  # used for signing the checksums file at release
+  - name: cosign
+    version:
+      want: v2.3.0
+    method: github-release
+    with:
+      repo: sigstore/cosign
+
+  # used in integration tests to verify JSON schemas
+  - name: yajsv
+    version:
+      want: v1.4.1
+    method: github-release
+    with:
+      repo: neilpa/yajsv
+
+  # used to release all artifacts
+  - name: goreleaser
+    version:
+      want: v2.1.0
+    method: github-release
+    with:
+      repo: goreleaser/goreleaser
+
+  # used for organizing imports during static analysis
+  - name: gosimports
+    version:
+      want: v0.3.8
+    method: github-release
+    with:
+      repo: rinchsan/gosimports
+
+  # used at release to generate the changelog
+  - name: chronicle
+    version:
+      want: v0.8.0
+    method: github-release
+    with:
+      repo: anchore/chronicle
+
+  # used during static analysis for license compliance
+  - name: bouncer
+    version:
+      want: v0.4.0
+    method: github-release
+    with:
+      repo: wagoodman/go-bouncer
+
+  # used for running all local and CI tasks
+  - name: task
+    version:
+      want: v3.38.0
+    method: github-release
+    with:
+      repo: go-task/task
+
+  # used for triggering a release
+  - name: gh
+    version:
+      want: v2.53.0
+    method: github-release
+    with:
+      repo: cli/cli
+
+  # used for integration tests
+  - name: skopeo
+    version:
+      want: v1.15.2
+    method: go-install
+    with:
+      module: github.com/containers/skopeo
+      entrypoint: cmd/skopeo
+      args:
+        - "-tags"
+        - containers_image_openpgp
+      env:
+        - CGO_ENABLED=0
+        - GO_DYN_FLAGS=""
diff --git a/.chronicle.yaml b/.chronicle.yaml
@@ -0,0 +1,2 @@
+enforce-v0: true # don't make breaking-change label bump major version before 1.0.
+title: ""
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -13,6 +13,18 @@ assignees: ''
 
 **How to reproduce it (as minimally and precisely as possible)**:
 
+<!--
+If possible, please include a link to an artifact grype can scan, instructions to make
+one, or upload it on this issue. Some suggestions:
+
+1. Link to Dockerhub, GitHub, GitLab, maven central, quay.io, etc to a public
+   artifact we can try scanning
+2. A Dockerfile that we can build and scan
+3. A simple script that creates a directory exhibiting the issue, for example a
+   list of `npm install` commands
+
+Please also include the grype command and any configuration used.
+-->
 **Anything else we need to know?**:
 
 **Environment**:

diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
@@ -4,89 +4,55 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.19.x"
+    default: "1.22.x"
   python-version:
     description: "Python version to install"
     required: true
     default: "3.10"
-  use-go-cache:
-    description: "Restore go cache"
+  go-dependencies:
+    description: "Download go dependencies"
     required: true
     default: "true"
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "831180ac25"
-  build-cache-key-prefix:
-    description: "Prefix build cache key with this value"
+    default: "1ac8281053"
+  compute-fingerprints:
+    description: "Compute test fixture fingerprints"
     required: true
-    default: "f8b6d31dea"
+    default: "true"
   bootstrap-apt-packages:
     description: "Space delimited list of tools to install via apt"
     default: "libxml2-utils"
 
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-go@v3
+    # note: go mod and build is automatically cached on default with v4+
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      if: inputs.go-version != ''
       with:
         go-version: ${{ inputs.go-version }}
 
     - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0
       with:
         python-version: ${{ inputs.python-version }}
 
-    - name: Restore python cache
-      id: python-venv-cache
-      uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
-      with:
-        path: |
-          test/quality/venv
-          test/quality/vulnerability-match-labels/venv
-        key: ${{ runner.os }}-python-${{ inputs.python-version }}-${{ hashFiles('**/test/quality/**/requirements.txt') }}
-        restore-keys: |
-          ${{ runner.os }}-python-${{ env.python-version }}-
-
     - name: Restore tool cache
       id: tool-cache
-      uses: actions/cache@v3
+      uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
-        path: ${{ github.workspace }}/.tmp
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+        path: ${{ github.workspace }}/.tool
+        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('.binny.yaml') }}
 
-    # note: we need to keep restoring the go mod cache before bootstrapping tools since `go install` is used in
-    # some installations of project tools.
-    - name: Restore go module cache
-      id: go-mod-cache
-      if: inputs.use-go-cache == 'true'
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/go/pkg/mod
-        key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-
-
-    - name: (cache-miss) Bootstrap project tools
+    - name: Install project tools
       shell: bash
-      if: steps.tool-cache.outputs.cache-hit != 'true'
-      run: make bootstrap-tools
-
-    - name: Restore go build cache
-      id: go-cache
-      if: inputs.use-go-cache == 'true'
-      uses: actions/cache@v3
-      with:
-        path: |
-          ~/.cache/go-build
-        key: ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-${{ hashFiles('**/go.sum') }}
-        restore-keys: |
-          ${{ inputs.cache-key-prefix }}-${{ inputs.build-cache-key-prefix }}-${{ runner.os }}-go-${{ inputs.go-version }}-
+      run: make tools
 
-    - name: (cache-miss) Bootstrap go dependencies
+    - name: Install go dependencies
+      if: inputs.go-dependencies == 'true'
       shell: bash
-      if: steps.go-mod-cache.outputs.cache-hit != 'true' && inputs.use-go-cache == 'true'
-      run: make bootstrap-go
+      run: make ci-bootstrap-go
 
     - name: Install apt packages
       if: inputs.bootstrap-apt-packages != ''
@@ -95,5 +61,6 @@ runs:
         DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
 
     - name: Create all cache fingerprints
+      if: inputs.compute-fingerprints == 'true'
       shell: bash
       run: make fingerprints
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -4,7 +4,16 @@ updates:
     directory: "/"
     schedule:
       interval: daily
+
+  - package-ecosystem: "github-actions"
+    directory: "/.github/actions/boostrap"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: daily
+      interval: daily
diff --git a/.github/scripts/check-syft-version-is-release.sh b/.github/scripts/check-syft-version-is-release.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -e
+
+version=$(grep -E "github.com/anchore/syft" go.mod | awk '{print $NF}')
+
+# ensure that the version is a release version (not a commit hash)
+# a release in this case means that the go tooling resolved the version to a tag
+# this does not guarantee that the tag has a github release associated with it
+if [[ ! $version =~ ^v[0-9]+\.[0-9]+\.[0-9]?$ ]]; then
+    echo "syft version in go.mod is not a release version: $version"
+    echo "please update the version in go.mod to a release version and try again"
+    exit 1
+else
+    echo "syft version in go.mod is a release version: $version"
+fi
diff --git a/.github/scripts/go-mod-tidy-check.sh b/.github/scripts/go-mod-tidy-check.sh
@@ -4,19 +4,18 @@ set -eu
 ORIGINAL_STATE_DIR=$(mktemp -d "TEMP-original-state-XXXXXXXXX")
 TIDY_STATE_DIR=$(mktemp -d "TEMP-tidy-state-XXXXXXXXX")
 
-trap "cp -v ${ORIGINAL_STATE_DIR}/* ./ && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
+trap "cp -p ${ORIGINAL_STATE_DIR}/* ./ && git update-index -q --refresh && rm -fR ${ORIGINAL_STATE_DIR} ${TIDY_STATE_DIR}" EXIT
 
-echo "Capturing original state of files..."
-cp -v go.mod go.sum "${ORIGINAL_STATE_DIR}"
+# capturing original state of files...
+cp go.mod go.sum "${ORIGINAL_STATE_DIR}"
 
-echo "Capturing state of go.mod and go.sum after running go mod tidy..."
+# capturing state of go.mod and go.sum after running go mod tidy...
 go mod tidy
-cp -v go.mod go.sum "${TIDY_STATE_DIR}"
-echo ""
+cp go.mod go.sum "${TIDY_STATE_DIR}"
 
 set +e
 
-# Detect difference between the git HEAD state and the go mod tidy state
+# detect difference between the git HEAD state and the go mod tidy state
 DIFF_MOD=$(diff -u "${ORIGINAL_STATE_DIR}/go.mod" "${TIDY_STATE_DIR}/go.mod")
 DIFF_SUM=$(diff -u "${ORIGINAL_STATE_DIR}/go.sum" "${TIDY_STATE_DIR}/go.sum")
 

diff --git a/.github/scripts/syft-released-version-check.sh b/.github/scripts/syft-released-version-check.sh
diff --git a/.github/scripts/trigger-release.sh b/.github/scripts/trigger-release.sh
@@ -9,6 +9,9 @@ if ! [ -x "$(command -v gh)" ]; then
     exit 1
 fi
 
+# we want to stop the release as early as possible if the version is not a release version
+./.github/scripts/check-syft-version-is-release.sh
+
 gh auth status
 
 # we need all of the git state to determine the next version. Since tagging is done by

diff --git a/.github/scripts/update-version-file.sh b/.github/scripts/update-version-file.sh
@@ -2,8 +2,8 @@
 set -ue
 
 BIN="grype"
-DISTDIR=$1
-VERSION=$2
+VERSION_FILE="VERSION"
+VERSION=$1
 
 # the source of truth as to whether we want to notify users of an update is if the release just created is NOT
 # flagged as a pre-release on github
@@ -12,10 +12,9 @@ if [[ "$(curl -SsL https://api.github.com/repos/anchore/${BIN}/releases/tags/${V
    exit 0
 fi
 
-echo "creating and publishing version file"
+echo "creating and publishing version file (${VERSION})"
 
 # create a version file for version-update checks
-VERSION_FILE="${DISTDIR}/VERSION"
 echo "${VERSION}" | tee "${VERSION_FILE}"
 
 # upload the version file that supports the application version update check

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,10 +43,10 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Utilize Go Module Cache
-      uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+      uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       with:
         path: |
           ~/go/pkg/mod
@@ -56,14 +56,14 @@ jobs:
           ${{ runner.os }}-go-
 
     - name: Set correct version of Golang to use during CodeQL run
-      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
-        go-version: '1.19'
+        go-version: '1.21'
         check-latest: true
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12
+      uses: github/codeql-action/init@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -85,4 +85,4 @@ jobs:
       run: make grype
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@7df0ce34898d659f95c0c4a09eaa8d4e32ee64db # v2.2.12
+      uses: github/codeql-action/analyze@5cf07d8b700b67e235fbb65cbc84f69c0cf10464 # v3.25.14