Pull in syft v0.14.0 and further decouple presenters from Syft

.github/workflows/acceptance-test.yaml

@@ -10,7 +10,7 @@ on:
       - v*
 
 env:
-  GO_VERSION: "1.14.x"
+  GO_VERSION: "1.16.x"
 
 jobs:
   # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline

.github/workflows/release.yaml

@@ -9,7 +9,7 @@ on:
       - 'v*'
 
 env:
-  GO_VERSION: "1.14.x"
+  GO_VERSION: "1.16.x"
 
 jobs:
   wait-for-checks:

.github/workflows/static-unit-integration.yaml

@@ -8,7 +8,7 @@ jobs:
   Static-Analysis:
     strategy:
       matrix:
-        go-version: [1.x]
+        go-version: [1.16.x]
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     steps:
@@ -41,8 +41,7 @@ jobs:
   Tests:
     strategy:
       matrix:
-        # test the lower bounds of support, and the latest available
-        go-version: [1.13.x, 1.x]
+        go-version: [1.16.x]
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     steps:

cmd/root.go

@@ -36,10 +36,12 @@ const (
 	FailOnFlag = "fail-on"
 )
 
-var rootCmd = &cobra.Command{
-	Use:   fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
-	Short: "A vulnerability scanner for container images and filesystems",
-	Long: format.Tprintf(`
+var (
+	presenterOpt presenter.Option
+	rootCmd      = &cobra.Command{
+		Use:   fmt.Sprintf("%s [IMAGE]", internal.ApplicationName),
+		Short: "A vulnerability scanner for container images and filesystems",
+		Long: format.Tprintf(`
 Supports the following image sources:
     {{.appName}} yourrepo/yourimage:tag     defaults to using images from a Docker daemon
     {{.appName}} path/to/yourproject        a Docker tar, OCI tar, OCI directory, or generic filesystem directory 
@@ -56,53 +58,63 @@ You can also pipe in Syft JSON directly:
 	syft yourimage:tag -o json | {{.appName}}
 
 `, map[string]interface{}{
-		"appName": internal.ApplicationName,
-	}),
-	Args: validateRootArgs,
-	Run: func(cmd *cobra.Command, args []string) {
-		if appConfig.Dev.ProfileCPU {
-			f, err := os.Create("cpu.profile")
-			if err != nil {
-				log.Errorf("unable to create CPU profile: %+v", err)
-			} else {
-				err := pprof.StartCPUProfile(f)
+			"appName": internal.ApplicationName,
+		}),
+		Args: validateRootArgs,
+		PreRunE: func(cmd *cobra.Command, args []string) error {
+			// set the presenter
+			presenterOption := presenter.ParseOption(appConfig.Output)
+			if presenterOption == presenter.UnknownPresenter {
+				return fmt.Errorf("unsupported --output value '%s', supported values: %+v", appConfig.Output, presenter.Options)
+			}
+			presenterOpt = presenterOption
+			return nil
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+			if appConfig.Dev.ProfileCPU {
+				f, err := os.Create("cpu.profile")
 				if err != nil {
-					log.Errorf("unable to start CPU profile: %+v", err)
+					log.Errorf("unable to create CPU profile: %+v", err)
+				} else {
+					err := pprof.StartCPUProfile(f)
+					if err != nil {
+						log.Errorf("unable to start CPU profile: %+v", err)
+					}
 				}
 			}
-		}
 
-		err := runDefaultCmd(cmd, args)
+			err := runDefaultCmd(cmd, args)
 
-		if appConfig.Dev.ProfileCPU {
-			pprof.StopCPUProfile()
-		}
+			if appConfig.Dev.ProfileCPU {
+				pprof.StopCPUProfile()
+			}
 
-		if err != nil {
-			var grypeErr grypeerr.ExpectedErr
-			if errors.As(err, &grypeErr) {
-				fmt.Fprintln(os.Stderr, format.Red.Format(grypeErr.Error()))
-			} else {
-				log.Errorf(err.Error())
+			if err != nil {
+				var grypeErr grypeerr.ExpectedErr
+				if errors.As(err, &grypeErr) {
+					fmt.Fprintln(os.Stderr, format.Red.Format(grypeErr.Error()))
+				} else {
+					log.Errorf(err.Error())
+				}
+				os.Exit(1)
 			}
-			os.Exit(1)
-		}
-	},
-	ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		// Since we use ValidArgsFunction, Cobra will call this AFTER having parsed all flags and arguments provided
-		dockerImageRepoTags, err := listLocalDockerImages(toComplete)
-		if err != nil {
-			// Indicates that an error occurred and completions should be ignored
-			return []string{"completion failed"}, cobra.ShellCompDirectiveError
-		}
-		if len(dockerImageRepoTags) == 0 {
-			return []string{"no docker images found"}, cobra.ShellCompDirectiveError
-		}
-		// ShellCompDirectiveDefault indicates that the shell will perform its default behavior after completions have
-		// been provided (without implying other possible directives)
-		return dockerImageRepoTags, cobra.ShellCompDirectiveDefault
-	},
-}
+		},
+		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+			// Since we use ValidArgsFunction, Cobra will call this AFTER having parsed all flags and arguments provided
+			dockerImageRepoTags, err := listLocalDockerImages(toComplete)
+			if err != nil {
+				// Indicates that an error occurred and completions should be ignored
+				return []string{"completion failed"}, cobra.ShellCompDirectiveError
+			}
+			if len(dockerImageRepoTags) == 0 {
+				return []string{"no docker images found"}, cobra.ShellCompDirectiveError
+			}
+			// ShellCompDirectiveDefault indicates that the shell will perform its default behavior after completions have
+			// been provided (without implying other possible directives)
+			return dockerImageRepoTags, cobra.ShellCompDirectiveDefault
+		},
+	}
+)
 
 func validateRootArgs(cmd *cobra.Command, args []string) error {
 	// the user must specify at least one argument OR wait for input on stdin IF it is a pipe
@@ -216,7 +228,7 @@ func startWorker(userInput string, failOnSeverity *vulnerability.Severity) <-cha
 
 		bus.Publish(partybus.Event{
 			Type:  event.VulnerabilityScanningFinished,
-			Value: presenter.GetPresenter(appConfig.PresenterOpt, matches, packages, context, metadataProvider),
+			Value: presenter.GetPresenter(presenterOpt, matches, packages, context, metadataProvider, *appConfig),
 		})
 	}()
 	return errs

go.mod

@@ -7,8 +7,8 @@ require (
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca
 	github.com/anchore/grype-db v0.0.0-20210322113357-5aec8a7cb962
-	github.com/anchore/stereoscope v0.0.0-20210105001222-7beea73cb7e5
-	github.com/anchore/syft v0.12.4
+	github.com/anchore/stereoscope v0.0.0-20210323182342-47b72675ff65
+	github.com/anchore/syft v0.14.1-0.20210328180625-0f26681ac514
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible
 	github.com/dustin/go-humanize v1.0.0
 	github.com/facebookincubator/nvdtools v0.1.4

go.sum

@@ -102,32 +102,31 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d/go.mod h1:asat636LX7Bqt5lYEZ27JNDcqxfjdBQuJ/MM4CN/Lzo=
 github.com/adrg/xdg v0.2.1 h1:VSVdnH7cQ7V+B33qSJHTCRlNgra1607Q8PzEmnvb2Ic=
 github.com/adrg/xdg v0.2.1/go.mod h1:ZuOshBmzV4Ta+s23hdfFZnBsdzmoR3US0d7ErpqSbTQ=
-github.com/alecthomas/jsonschema v0.0.0-20200530073317-71f438968921/go.mod h1:/n6+1/DWPltRLWL/VKyUxg6tzsl5kHUCcraimt4vr60=
+github.com/alecthomas/jsonschema v0.0.0-20210301060011-54c507b6f074/go.mod h1:/n6+1/DWPltRLWL/VKyUxg6tzsl5kHUCcraimt4vr60=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alicebob/sqlittle v1.4.0 h1:vgYt0nAjhdf/hg52MjKJ84g/uTzBPfrvI+VUBrIghxA=
 github.com/alicebob/sqlittle v1.4.0/go.mod h1:Co1L1qxHqCwf41puWhk2HOodojR0mcsAV4BIt8byZh8=
-github.com/anchore/client-go v0.0.0-20201216213038-a486b838e238/go.mod h1:FaODhIA06mxO1E6R32JE0TL1JWZZkmjRIAd4ULvHUKk=
+github.com/anchore/client-go v0.0.0-20210222170800-9c70f9b80bcf/go.mod h1:FaODhIA06mxO1E6R32JE0TL1JWZZkmjRIAd4ULvHUKk=
 github.com/anchore/go-rpmdb v0.0.0-20201106153645-0043963c2e12 h1:xbeIbn5F52JVx3RUIajxCj8b0y+9lywspql4sFhcxWQ=
 github.com/anchore/go-rpmdb v0.0.0-20201106153645-0043963c2e12/go.mod h1:juoyWXIj7sJ1IDl4E/KIfyLtovbs5XQVSIdaQifFQT8=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca h1:rLyc7Rih769rYABQe4nBPt3jHJd/snBuVvKKGoy5HEc=
 github.com/anchore/go-version v1.2.2-0.20200810141238-330bef18dbca/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype-db v0.0.0-20210305133912-73d851717b00 h1:s+Sb0Ij5fHSbzpoV8aLBeZAGSLpRQClHdkqPoOHQ7ao=
-github.com/anchore/grype-db v0.0.0-20210305133912-73d851717b00/go.mod h1:LINmipRzG88vnJEWvgMMDVCFH1qZsj7+bjmpERlSyaA=
 github.com/anchore/grype-db v0.0.0-20210322113357-5aec8a7cb962 h1:yW3xed7hbEjdmEXRnBFit5AGN0exPIFgE1jgW9bks+Q=
 github.com/anchore/grype-db v0.0.0-20210322113357-5aec8a7cb962/go.mod h1:LINmipRzG88vnJEWvgMMDVCFH1qZsj7+bjmpERlSyaA=
-github.com/anchore/stereoscope v0.0.0-20210105001222-7beea73cb7e5 h1:NGRfS6BZKElgiMbqdoH9iQn+6oxT7CJdZYrqgwvGkWY=
-github.com/anchore/stereoscope v0.0.0-20210105001222-7beea73cb7e5/go.mod h1:BMdPL0QEIYfpjQ3M7sHYZvuh6+vcomqF3TMHL8gr6Vw=
-github.com/anchore/syft v0.12.4 h1:fP1AyeDv85A2K/W0xoeBxYyMVWz+QXJVgGyaa1Q6/w4=
-github.com/anchore/syft v0.12.4/go.mod h1:dxcpTsSz1lxSbmq2hrNQA3Ngma1RcYo80s/tpMrVT90=
+github.com/anchore/stereoscope v0.0.0-20210323182342-47b72675ff65 h1:r3tiir6UCgj/YeTqy4s2bfhZ9SuJYNlXx1Z9e/eLrbI=
+github.com/anchore/stereoscope v0.0.0-20210323182342-47b72675ff65/go.mod h1:G7tFR0iI9r6AvibmXKA9v010pRS1IIJgd0t6fOMDxCw=
+github.com/anchore/syft v0.14.1-0.20210328180625-0f26681ac514 h1:4VDFr+zPUu2avWszCviXgF5dk+QqsUIvqMnHwVfMC+A=
+github.com/anchore/syft v0.14.1-0.20210328180625-0f26681ac514/go.mod h1:ltkH8fstNZ3P6ZhDT2Ih14C1tAw5zdlnmTPRtp1vppY=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/cascadia v1.1.0/go.mod h1:GsXiBklL0woXo1j/WYWtSYYC4ouU9PqHO0sqidkEA4Y=

grype/pkg/package.go

@@ -9,7 +9,7 @@ import (
 )
 
 // ID represents a unique value for each package added to a package catalog.
-type ID int64
+type ID string
 
 // Package represents an application or library that has been bundled into a distributable format.
 type Package struct {
@@ -65,7 +65,7 @@ func New(p *pkg.Package) Package {
 	}
 
 	return Package{
-		id:        ID(p.ID()),
+		id:        ID(p.ID),
 		Name:      p.Name,
 		Version:   p.Version,
 		Locations: p.Locations,