* feat: support vulnerability status
* feat: show status in table
* don't add `fixed` status in debian/redhat
* update test golden files
* add Status in rpc
* update docs
* update ignore-status example
* add ignore-status in integration test
* docs: add the explanation for statuses
---------
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
* add Dev field for Package
* fix integration test
* update docs
* feat(cli): add include-dev flag
* bump go-dep-parser
* update docs
* add integration test
* refactor
* refactor
* fix integration test
* refactor: rename flag to include-dev-deps
* update docs
* update docs
* filter dev deps when scanning packages
* add flag support for server mode
* refactor: remove comment that might confuse
* refactor: move --include-dev-deps to the scanner flag group
* refactor: not return apps
* docs: update
---------
Co-authored-by: knqyf263 <knqyf263@gmail.com>
* wip: Add a failing test to demo severity override
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan.go: Return osFound for use in determining vendor.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* pkg: Fix ScanImage return in case an OSFound
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Include a package-lock.json for happy path
Signed-off-by: Simarpreet Singh <simar@linux.com>
* wip: Add a test to include various reportResult types
Signed-off-by: Simarpreet Singh <simar@linux.com>
* Makefile: Add a target to generate mocks.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Pass reportType as argument for FillInfo.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add other types of vulnerabilities.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update golden files.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* ospkg: Fix FillInfo for ospkg/server
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Add os.Family type to Response.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test.go: Add case where no vendor severity exists.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Fallback to NVD if it exists.
Also add tests for other cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Fix a few sites with reportType info and tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Remove VendorSeverity from displayed results
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add vulnerability source information.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Add VendorSeverity logic for lightDB as well.
This commit also makes FillInfo logic common to both light and full DBs.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* remove some crufty TODOs
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability_test: Add a case for light db for documentation purposes
Signed-off-by: Simarpreet Singh <simar@linux.com>
* mod: update trivy-db to point to master
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Remove cruft and bring back test cases
Signed-off-by: Simarpreet Singh <simar@linux.com>
* scan_test: Add pkg Type to mock return
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: reorder err check after err
Signed-off-by: Simarpreet Singh <simar@linux.com>
* client_test: Fix import ordering
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert.go: Use result.Type
Signed-off-by: Simarpreet Singh <simar@linux.com>
* convert: Use result.Type and simplify ConvertFromRpcResults signature
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Refactor calls to getVendorSeverity
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Remove centos-7-critical.json.golden
There's no critical vulnerability in CentOS 7 anymore.
In addition this test was not adding any value that is already
not covered by existing tests cases.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* rpc: Include severity source in tests.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* integration: Update test db to include VendorSeverity.
Test DB is now a snapshot of full database from trivy-db.
Also update golden files to include SeveritySource.
Signed-off-by: Simarpreet Singh <simar@linux.com>
* vulnerability: Make centos7 use RHEL vendor severities
Signed-off-by: Simarpreet Singh <simar@linux.com>
* refactor(docker_conf): rename and remove unnecessary options
* feat(rpc): define new API
* fix(cli): change default timeout
* fix(import): fix package names
* refactor(vulnerability): remove old mock
* refactor(utils): remove un-needed functions
* feat(cache): implement cache communicating with a server
* refactor(scan): separate scan function as local scanner
* test(scanner): add tests for ScanImage
* refactor(scan): remove unused options
* test(vulnerability): generate mock
* refactor(server): split a file
* feat(server): implement new RPC server
* feat(client): implement new RPC client
* fix(cache): use new cache interface
* fix(standalone): use new scanner
* fix(client): use new scanner
* fix(server): pass cache
* test(integration): make sure an error is not nil before calling the method
* fix(mod): update dependencies
* test(integration): ensure the image load finishes
* feat(docker): support DOCKER_HOST and DOCKER_CERT_PATH
* chore(mod): update dependencies
* refactor(rpc): remove old client
* feat(server): support old API for backward compatibility
* fix(server): check a schema version of JSON cache
* fix(rpc): add a version to packages
* feat(rpc): add PutImage
* test: rename expectations
* refactor(cache): rename LayerCache to ImageCache
* refactor: rename ImageInfo to ImageReference
* fix(applier): pass image_id to ApplyLayer
* feat(cache): handle image cache
* chore(mod): update dependencies
* refactor(server): pass only config
* feat(cli): add -removed-pkgs option
* refactor(err): wrap errors
