Merge branch 'main' into table-output-color-severity
* main: (23 commits)
  Remove Docker section from DEVELOPING.md (anchore#1384)
  chore(deps): update bootstrap tools to latest versions (anchore#1381)
  chore(deps): bump github.com/docker/docker (anchore#1382)
  Port to new syft source API (anchore#1376)
  chore(deps): bump golang.org/x/term from 0.9.0 to 0.10.0 (anchore#1375)
  chore: bump quality gate labels and images (anchore#1374)
  chore(deps): update bootstrap tools to latest versions (anchore#1368)
  Add a simple CSV format template to the templates/ directory and tweak docs (anchore#1366)
  chore(deps): update Syft to v0.84.1 (anchore#1372)
  fix: Add more log4j-adjacent package ignore rules (anchore#1358)
  chore: bump the quality gate labels (anchore#1369)
  add oss community board auto-add workflow (anchore#1364)
  fix: totals for vulnerability matches (anchore#1359)
  chore(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 (anchore#1363)
  chore(deps): bump anchore/sbom-action from 0.14.2 to 0.14.3 (anchore#1357)
  Configure chronicle to pre-1.0 mode (anchore#1356)
  chore(deps): update Syft to v0.84.0 (anchore#1354)
  chore(deps): update bootstrap tools to latest versions (anchore#1353)
  chore(deps): update Syft to v0.83.1 (anchore#1352)
  chore(deps): bump golang.org/x/term from 0.8.0 to 0.9.0 (anchore#1350)
  ...
spiffcs committed Jul 11, 2023
2 parents 27962c1 + 6834e21 commit 74cc9be
Showing 39 changed files with 514 additions and 324 deletions.
1 change: 1 addition & 0 deletions .chronicle.yaml
@@ -0,0 +1 @@
enforce-v0: true # don't make breaking-change label bump major version before 1.0.
4 changes: 2 additions & 2 deletions .github/workflows/codeql-analysis.yml
@@ -63,7 +63,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
uses: github/codeql-action/init@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
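Review bot: the `# v2.13.4` comment on this `init` step (and on the matching `analyze` step in the next hunk) is informational only; the runner resolves the SHA, not the comment, so confirm that `cdcdbb579706841c47f7063dda365e292e5cad7a` really is the commit tagged v2.13.4 in github/codeql-action before merging, and keep `init` and `analyze` on the same SHA as this change does.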
@@ -85,4 +85,4 @@ jobs:
run: make grype

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
16 changes: 16 additions & 0 deletions .github/workflows/oss-project-board-add.yaml
@@ -0,0 +1,16 @@
name: Add to OSS board

on:
issues:
types:
- opened
- reopened
- transferred
- labeled

jobs:

run:
uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
secrets:
token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}
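Review bot: `uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"` pins the reusable workflow to the mutable `main` branch, while every other action touched in this commit is pinned to a full commit SHA; because `OSS_PROJECT_GH_TOKEN` is passed through to it, anyone who can push to that branch of anchore/workflows can change what runs with that secret. Suggest pinning to a commit SHA with a `# main` or version comment, as the other workflows do, and adding an explicit `permissions:` block so the caller's `GITHUB_TOKEN` carries only what the board automation needs.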
2 changes: 1 addition & 1 deletion .github/workflows/release.yaml
@@ -142,7 +142,7 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}


- uses: anchore/sbom-action@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2
- uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
continue-on-error: true
with:
artifact-name: sbom.spdx.json
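Review bot: `continue-on-error: true` on the `anchore/sbom-action` step means the release job succeeds even when SBOM generation fails, so `sbom.spdx.json` can silently be missing from a published release; if the SBOM is meant to be a guaranteed release artifact, drop `continue-on-error` or add a follow-up step that fails when the artifact is absent.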
4 changes: 2 additions & 2 deletions .github/workflows/scorecards.yml
@@ -25,7 +25,7 @@ jobs:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # tag=v2.1.3
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # tag=v2.2.0
with:
results_file: results.sarif
results_format: sarif
@@ -38,6 +38,6 @@ jobs:

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # tag=v1.0.26
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # tag=v1.0.26
with:
sarif_file: results.sarif
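Review bot: the SHA on the `upload-sarif` step is updated to `cdcdbb579706841c47f7063dda365e292e5cad7a`, the same commit the codeql-analysis workflow labels `# v2.13.4`, but the trailing comment still says `# tag=v1.0.26`; update the comment to match, since a stale version comment misleads anyone auditing pins and confuses automated bumpers that key on it.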
2 changes: 1 addition & 1 deletion .github/workflows/update-bootstrap-tools.yml
@@ -58,7 +58,7 @@ jobs:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
- uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
signoff: true
delete-branch: true
2 changes: 1 addition & 1 deletion .github/workflows/update-syft-release.yml
@@ -44,7 +44,7 @@ jobs:
app_id: ${{ secrets.TOKEN_APP_ID }}
private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}

- uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 # v5.0.1
- uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
signoff: true
delete-branch: true
86 changes: 72 additions & 14 deletions CONTRIBUTING.md
@@ -2,6 +2,57 @@

If you are looking to contribute to this project and want to open a GitHub pull request ("PR"), there are a few guidelines of what we are looking for in patches. Make sure you go through this document and ensure that your code proposal is aligned.

## Setting up your environment

Before you can contribute to Grype, you need to configure your development environment.

### Debian setup

You will need to install Go. The version on https://go.dev works best, using the system golang doesn't always work the way you might expect.

Refer to the go.mod file in the root of this repo for the recommended version of Go to install.

You will also need Docker. There's no reason the system packages shouldn't work, but we used the official Docker package. You can find instructions for installing Docker in Debian [here](https://docs.docker.com/engine/install/debian/).

You also need to install some Debian packages

```sh
sudo apt-get install build-essential git libxml2-utils
```

## Configuring Git

You will need to configure your git client with your name and email address. This is easily done from the command line.

```text
$ git config --global user.name "John Doe"
$ git config --global user.email "john.doe@example.com"
```

This username and email address will matter later in this guide.

## Fork the repo

You should fork the Grype repo using the "Fork" button at the top right of the Grype GitHub [site](https://github.com/anchore/grype/). You will be doing your development in your fork, then submit a pull request to Grype. There are many resources how to use GitHub effectively, we will not cover those here.

## Adding a feature or fix

If you look at the Grype [Issue](https://github.com/anchore/grype/issues) there are plenty of bugs and feature requests. Maybe look at the [good first issue](https://github.com/anchore/grype/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) list if you're not sure where to start.

## Commit guidelines

In the Grype project we like commits and pull requests (PR) to be easy to understand and review. Open source thrives best when everything happening is over documented and small enough to be understood.

### Granular commits

Please try to make every commit as simple as possible, but no simpler. The idea is that each commit should be a logical unit of code. Try not to commit too many tiny changes, for example every line changed in a file as a separate commit. And also try not to make a commit enormous, for example committing all your work at the end of the day.

Rather than try to follow a strict guide on what is or is not best, we try to be flexible and simple in this space. Do what makes the most sense for the changes you are trying to include.

### Commit title and description

Remember that the message you leave for a commit is for the reviewer in the present, and for someone (maybe you) changing something in the future. Please make sure the title and description used is easy to understand and explains what was done. Jokes and clever comments generally don't age well in commit messages. Just the facts please.

## Sign off your work

The `sign-off` is an added line at the end of the explanation for the commit, certifying that you wrote it or otherwise have the right to submit it as an open-source patch. By submitting a contribution, you agree to be bound by the terms of the DCO Version 1.1 and Apache License Version 2.0.
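Review bot: a few wording fixes in the new sections of this hunk: "There are many resources how to use GitHub effectively" should be "many resources on how to use GitHub effectively"; "If you look at the Grype [Issue]" should be "[Issues]" to match the link target; and the `git config` block is fenced as `text` while the apt block is fenced as `sh`, so pick one so both render consistently. It would also help to say why `libxml2-utils` is needed (presumably for `xmllint` in the test tooling) so contributors on other distributions know what to install instead.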
@@ -70,18 +121,6 @@ Date: Mon Aug 1 11:27:13 2020 -0400
Signed-off-by: John Doe <john.doe@example.com>
```


[//]: # (TODO: Commit guidelines, granular commits)


[//]: # (TODO: Commit guidelines, descriptive messages)


[//]: # (TODO: Commit guidelines, commit title, extra body description)


[//]: # (TODO: PR title and description)

## Test your changes

This project has a `Makefile` which includes many helpers running both unit and integration tests. Although PRs will have automatic checks for these, it is useful to run them locally, ensuring they pass before submitting changes. Ensure you've bootstrapped once before running tests:
@@ -97,11 +136,30 @@ $ make unit
$ make integration
```

You can also run `make all` to run a more extensive test suite, but there is additional configuration that will be needed for those tests to run correctly. We will not cover the extra steps here.

## Pull Request

If you made it this far and all the tests are passing, it's time to submit a Pull Request (PR) for Grype. Submitting a PR is always a scary moment as what happens next can be an unknown. The Grype project strives to be easy to work with, we appreciate all contributions. Nobody is going to yell at you or try to make you feel bad. We love contributions and know how scary that first PR can be.

### PR Title and Description

Just like the commit title and description mentioned above, the PR title and description is very important for letting others know what's happening. Please include any details you think a reviewer will need to more properly review your PR.

A PR that is very large or poorly described has a higher likelihood of being pushed to the end of the list. Reviewers like PRs they can understand and quickly review.

### What to expect next

Please be patient with the project. We try to review PRs in a timely manner, but this is highly dependent on all the other tasks we have going on. It's OK to ask for a status update every week or two, it's not OK to ask for a status update every day.

It's very likely the reviewer will have questions and suggestions for changes to your PR. If your changes don't match the current style and flow of the other code, expect a request to change what you've done.

## Document your changes

When proposed changes are modifying user-facing functionality or output, it is expected the PR will include updates to the documentation as well.
And lastly, when proposed changes are modifying user-facing functionality or output, it is expected the PR will include updates to the documentation as well. Grype is not a project that is heavy on documentation. This will mostly be updating the README and help for the tool.

If nobody knows new features exist, they can't use them!

## Security Vulnerabilities

Found a security vulnerability? See in our [Security Policy](SECURITY.md) to see how to report it to be solved as soon as possible.
Found a security vulnerability? See in our [Security Policy](SECURITY.md) to see how to report it to be solved as soon as possible.
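Review bot: the last two lines of this hunk are identical apart from (presumably) the trailing newline, and the sentence itself is awkward: "See in our [Security Policy](SECURITY.md) to see how to report it to be solved as soon as possible" reads better as "See our [Security Policy](SECURITY.md) for how to report it so it can be fixed as soon as possible." Two smaller points in the same hunk: "And lastly, when proposed changes..." now opens the "Document your changes" section, so "And lastly," can go; and "It's OK to ask for a status update every week or two, it's not OK to ask for a status update every day." is a comma splice and wants a semicolon or "but".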
10 changes: 0 additions & 10 deletions DEVELOPING.md
@@ -4,8 +4,6 @@ There are a few useful things to know before diving into the codebase. This proj

## Getting started

### Native Development

After cloning do the following:

1. run `go build main.go` to get a binary named `main` from the source (use `-o <name>` to get a differently named binary), or optionally `go run main.go` to run from source.
@@ -19,14 +17,6 @@ The main make tasks for common static analysis and testing are `lint`, `format`,

See `make help` for all the current make tasks.

### Docker Development

This depends on Docker and Docker Compose

1. run `docker-compose build grype` to build the local development container
2. run `docker-compose run --rm grype bash` to enter into the container with all the bootstrapped dependencies installed.
3. run `make` to verify everything is installed and working properly

## Relationship to Syft

Grype uses Syft as a library for all-things related to obtaining and parsing the given scan target (pulling container
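Review bot: with the Docker Development section removed, the `docker-compose.yml` and Dockerfile it referred to should be removed in the same change if they still exist, or pointed at from somewhere else, otherwise they become undocumented files that will drift. The CONTRIBUTING.md changes in this same commit still say Docker is required; it is worth stating there what Docker is used for, since a reader could otherwise take it to mean the container-based workflow that this hunk deletes.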
4 changes: 2 additions & 2 deletions Makefile
@@ -10,11 +10,11 @@ CHRONICLE_CMD = $(TEMP_DIR)/chronicle
GLOW_CMD = $(TEMP_DIR)/glow

# Tool versions #################################
GOLANGCILINT_VERSION := v1.53.2
GOLANGCILINT_VERSION := v1.53.3
GOSIMPORTS_VERSION := v0.3.8
BOUNCER_VERSION := v0.4.0
CHRONICLE_VERSION := v0.6.0
GORELEASER_VERSION := v1.18.2
GORELEASER_VERSION := v1.19.2
YAJSV_VERSION := v1.4.1
QUILL_VERSION := v0.2.0
GLOW_VERSION := v1.5.1
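Review bot: `GORELEASER_VERSION` moves from v1.18.2 to v1.19.2, a minor-version jump; goreleaser deprecates and renames config keys between minor releases, so run `goreleaser check` against the repo's goreleaser config with the new version before relying on it in a release. The tool versions here are pinned by tag only, so the bootstrap step trusts whatever each tag resolves to at fetch time; verifying a checksum of the downloaded binaries would close that gap, though that is beyond this bump.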
15 changes: 3 additions & 12 deletions README.md
@@ -267,20 +267,9 @@ Grype lets you define custom output formats, using [Go templates](https://golang

- Grype's template processing uses the same data models as the `json` output format — so if you're wondering what data is available as you author a template, you can use the output from `grype <image> -o json` as a reference.

**Example:** You could make Grype output data in CSV format by writing a Go template that renders CSV data and then running `grype <image> -o template -t ~/path/to/csv.tmpl`.

**Please note:** Templates can access information about the system they are running on, such as environment variables. You should never run untrusted templates.

Here's what the `csv.tmpl` file might look like:

```gotemplate
"Package","Version Installed","Vulnerability ID","Severity"
{{- range .Matches}}
"{{.Artifact.Name}}","{{.Artifact.Version}}","{{.Vulnerability.ID}}","{{.Vulnerability.Severity}}"
{{- end}}
```

Which would produce output like:
There are several example templates in the [templates](https://github.com/anchore/grype/tree/main/templates) directory in the Grype source which can serve a starting point for a custom output format. For example, [csv.tmpl](https://github.com/anchore/grype/blob/main/templates/csv.tmpl) produces a vulnerability report in CSV (comma separated value) format:

```text
"Package","Version Installed","Vulnerability ID","Severity"
@@ -290,6 +279,8 @@ Which would produce output like:
...
```

You can also find the template for the default "table" output format in the same place.

Grype also includes a vast array of utility templating functions from [sprig](http://masterminds.github.io/sprig/) apart from the default golang [text/template](https://pkg.go.dev/text/template#hdr-Functions) to allow users to customize the output from Grype.

### Gating on severity of vulnerabilities
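Review bot: in the previous hunk, "which can serve a starting point for a custom output format" should read "serve as a starting point". For this hunk: because sprig is pulled in, functions such as `env` and `expandenv` read the process environment, which is exactly why the "Templates can access information about the system they are running on ... You should never run untrusted templates" warning kept above matters; consider restating that caveat next to the sprig sentence so readers who jump straight to the function list see it.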
22 changes: 11 additions & 11 deletions go.mod
@@ -10,9 +10,9 @@ require (
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501
github.com/anchore/stereoscope v0.0.0-20230522170632-e14bc4437b2e
github.com/anchore/stereoscope v0.0.0-20230627195312-cd49355d934e
github.com/bmatcuk/doublestar/v2 v2.0.4
github.com/docker/docker v24.0.2+incompatible
github.com/docker/docker v24.0.4+incompatible
github.com/dustin/go-humanize v1.0.1
github.com/facebookincubator/nvdtools v0.1.5
github.com/gabriel-vasile/mimetype v1.4.2
@@ -45,15 +45,15 @@
github.com/wagoodman/go-progress v0.0.0-20230301185719-21920a456ad5
github.com/wagoodman/jotframe v0.0.0-20211129225309-56b0d0a4aebb
github.com/x-cray/logrus-prefixed-formatter v0.5.2
golang.org/x/term v0.8.0
golang.org/x/term v0.10.0
gopkg.in/yaml.v2 v2.4.0
gorm.io/gorm v1.23.10
)

require (
github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963
github.com/anchore/syft v0.83.0
github.com/anchore/syft v0.84.2-0.20230705174713-cfbb9f703bd7
github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
github.com/mitchellh/mapstructure v1.5.0
github.com/muesli/termenv v0.15.1
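Review bot: `github.com/anchore/syft v0.84.2-0.20230705174713-cfbb9f703bd7` is a pseudo-version pointing at an unreleased commit, while the merged commit messages describe updating Syft to the tagged v0.84.1 and porting to a new source API; that is acceptable for landing the API port, but it should be swapped for the next tagged Syft release that contains that commit before the next grype release, and tracked by an issue so it is not forgotten. `go.sum` is not shown on this page, so the module hash for that pseudo-version cannot be reviewed here.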
@@ -153,7 +153,7 @@
github.com/sassoftware/go-rpmutils v0.2.0 // indirect
github.com/shopspring/decimal v1.2.0 // indirect
github.com/skeema/knownhosts v1.1.1 // indirect
github.com/spdx/tools-golang v0.5.1 // indirect
github.com/spdx/tools-golang v0.5.2 // indirect
github.com/spf13/cast v1.5.1 // indirect
github.com/spf13/jwalterweatherman v1.1.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
@@ -171,14 +171,14 @@
github.com/zclconf/go-cty v1.10.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.uber.org/goleak v1.2.0 // indirect
golang.org/x/crypto v0.9.0 // indirect
golang.org/x/crypto v0.10.0 // indirect
golang.org/x/exp v0.0.0-20230202163644-54bba9f4231b // indirect
golang.org/x/mod v0.10.0 // indirect
golang.org/x/net v0.10.0 // indirect
golang.org/x/mod v0.12.0 // indirect
golang.org/x/net v0.11.0 // indirect
golang.org/x/oauth2 v0.7.0 // indirect
golang.org/x/sync v0.1.0 // indirect
golang.org/x/sys v0.8.0 // indirect
golang.org/x/text v0.9.0 // indirect
golang.org/x/sys v0.10.0 // indirect
golang.org/x/text v0.10.0 // indirect
golang.org/x/time v0.2.0 // indirect
golang.org/x/tools v0.8.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
@@ -197,7 +197,7 @@
modernc.org/mathutil v1.5.0 // indirect
modernc.org/memory v1.5.0 // indirect
modernc.org/opt v0.1.3 // indirect
modernc.org/sqlite v1.23.0 // indirect
modernc.org/sqlite v1.23.1 // indirect
modernc.org/strutil v1.1.3 // indirect
modernc.org/token v1.1.0 // indirect
)