Stage/vuls - vuls - Gitea: Git with a cup of tea

Stage/vuls

Author	SHA1	Message	Date
Shunichi Shinohara	8f4025120d	(fix) Exclude dev dependencies from npm's package-lock.json and Fix Java DB download endpoint (#1893 ) * (fix) Exclude dev dependencies from npm's package-lock.json * chore(integration) update * choir(integration) add lib scan names to makefile * fix(javadb) add schema version only once	2024-04-17 17:23:57 +09:00
tk007	be7b9114cc	feat(PackageURL):add package URL for library scan result (#1862 ) * add: package url in model.Library * feat(trivy-to-vuls): add purl for library scan result * feat(scanner/library): add purl for lockfile scan result * fix: model.Library test * fix: trivy-to-vuls test data * fix: panic case to generate purl * fix: add blank line * fix: trivy-to-vuls for using Trivy version 0.49.0 or earlier * fix: remove comment * fix: remove print * fix: testcase for Package.Identifier does not exist version * fix: add blank line * fix: expected libs * fix: PackageURL -> PURL * fix: blank line	2024-03-07 16:21:15 +09:00
Shunichi Shinohara	351cf4f712	Update trivy from 0.35.0 to 0.49.1 (#1806 ) * Update trivy 0.35.0->0.48.0 - Specify oras-go 1.2.4 in indirect dependencies docker/docker changes a part of its API at 24.0 - registry: return concrete service type · moby/moby@7b3acdf - `7b3acdff5d (diff-8325eae896b1149bf92c826d07fc29005b1b102000b766ffa5a238d791e0849bR18-R21)` oras-go 1.2.3 uses 23.0.1 and trivy transitively depends on docker/docker 24.y.z. There is a build error between oras-go and docker/dockr. - Update disabled analyzers - Update language scanners, enable all of them * move javadb init to scan.go * Add options for java db init() * Update scanner/base.go * Remove unused codes * Add some lock file names * Typo fix * Remove space character (0x20) * Add java-db options for integration scan * Minor fomartting fix * minor fix * conda is NOT supported by Trivy for library scan * Configure trivy log in report command too * Init trivy in scanner * Use trivy's jar.go and replace client which does almost nothing * mv jar.go * Add sha1 hash to result and add filepath for report phase * Undo added 'vuls scan' options * Update oras-go to 1.2.4 * Move Java DB related config items to report side * Add java db search in detect phase * filter top level jar only * Update trivy to 0.49.1 * go mod tidy * Update to newer interface * Refine lock file list, h/t MaineK00n * Avoid else clauses if possible, h/t MaineK00n * Avoid missing word for find and lang types, h/t MaineK00n * Add missing ecosystems, h/t MaineK00n * Add comments why to use custom jar analyzer, h/t MaineK00n * Misc * Misc * Misc * Include go-dep-parser's pares.go for modification * Move digest field from LibraryScanner to Library * Use inner jars sha1 for each * Add Seek to file head before handling zip file entry * Leave Digest feild empty for entries from pom.xml * Don't import python/pkg (don't look into package.json) * Make privete where private is sufficient * Remove duplicate after Java DB lookup * misc * go mod tidy * Comment out ruby/gemspec * misc * Comment out python/packaging * misc * Use custom jar * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/parse.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Missing changes in name change * Update models/github.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update models/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/base.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update scanner/trivy/jar/jar.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Don't import fanal/types at github.go * Rewrite code around java db initialization * Add comment * refactor * Close java db client * rename * Let LibraryScanner have java db client * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * Update detector/library.go Co-authored-by: MaineK00n <mainek00n.1229@gmail.com> * inline variable * misc * Fix typo --------- Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2024-02-28 14:25:58 +09:00
dependabot[bot]	139f3a81b6	chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 (#1494 ) * chore(deps): bump github.com/aquasecurity/trivy from 0.27.1 to 0.30.0 Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.27.1 to 0.30.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/goreleaser.yml) - [Commits](https://github.com/aquasecurity/trivy/compare/v0.27.1...v0.30.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): bump github.com/aquasecurity/trivy from 0.30.0 to 0.30.2 * fix(library): change fanal to trivy/pkg/fanal * chore: update integration Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: MaineK00n <mainek00n.1229@gmail.com>	2022-07-25 16:47:57 +09:00
Kota Kanbe	aac5ef1438	feat: update-trivy (#1316 ) * feat: update-trivy * add v2 parser * implement v2 * refactor * feat: add show version to future-vuls * add test case for v2 * trivy v0.20.0 * support --list-all-pkgs * fix lint err * add test case for jar * add a test case for gemspec in container * remove v1 parser and change Library struct * Changed the field name in the model struct LibraryScanner * add comment * fix comment * fix comment * chore * add struct tag	2021-10-08 17:22:06 +09:00
Kota Kanbe	e553f8b4c5	feat(trivy): go mod update trivy v0.17.2 (#1235 ) * feat(trivy): go mod update trivy v0.17.2 * wg.Wait * fix reporting * fix test case * add gemfile.lock of redmine to integration test * fix(test): add Pipfile.lock * add poetry.lock to integration test * add composer.lock to integration test * add integration test case	2021-05-12 18:27:55 +09:00
Kota Kanbe	03579126fd	refactor(config): localize config used like a global variable (#1179 ) * refactor(report): LocalFileWriter * refactor -format-json * refacotr: -format-one-email * refactor: -format-csv * refactor: -gzip * refactor: -format-full-text * refactor: -format-one-line-text * refactor: -format-list * refacotr: remove -to-* from config * refactor: IgnoreGitHubDismissed * refactor: GitHub * refactor: IgnoreUnsocred * refactor: diff * refacotr: lang * refacotr: cacheDBPath * refactor: Remove config references * refactor: ScanResults * refacotr: constant pkg * chore: comment * refactor: scanner * refactor: scanner * refactor: serverapi.go * refactor: serverapi * refactor: change pkg structure * refactor: serverapi.go * chore: remove emtpy file * fix(scan): remove -ssh-native-insecure option * fix(scan): remove the deprecated option `keypassword`	2021-02-25 05:54:17 +09:00

7 Commits