Merge branch 'main' into 1241-source-relationships

* main:
  refactor: Remove experimental Anchore Enterprise upload functionality (#1257)
  Update syft bootstrap tools to latest versions. (#1254)
  Update Stereoscope to d24c9d626b33fa720210b007a20767801827b532 (#1253)
  Update syft bootstrap tools to latest versions. (#1244)
  fix apkdb checksum representation (#1247)

Makefile

@@ -7,13 +7,13 @@ LINTCMD = $(TEMPDIR)/golangci-lint run --tests=false --timeout=5m --config .gola
 GOIMPORTS_CMD = $(TEMPDIR)/gosimports -local github.com/anchore
 RELEASE_CMD=$(TEMPDIR)/goreleaser release --rm-dist
 SNAPSHOT_CMD=$(RELEASE_CMD) --skip-publish --snapshot
-GOLANGCILINT_VERSION = v1.49.0
+GOLANGCILINT_VERSION = v1.50.0
 GOSIMPORTS_VERSION = v0.3.2
 BOUNCER_VERSION = v0.4.0
 CHRONICLE_VERSION = v0.4.1
 GORELEASER_VERSION = v1.11.5
 YAJSV_VERSION = v1.4.1
-COSIGN_VERSION = v1.12.1
+COSIGN_VERSION = v1.13.0
 
 # formatting variables
 BOLD := $(shell tput -T linux bold)

README.md

@@ -610,28 +610,6 @@ log:
   # location to write the log file (default is not to have a log file)
   # same as SYFT_LOG_FILE env var
   file: ""
-
-# uploading package SBOM is exposed through the packages subcommand
-anchore:
-  # (feature-preview) the Anchore Enterprise Host or URL to upload results to (supported on Enterprise 3.0+)
-  # same as -H ; SYFT_ANCHORE_HOST env var
-  host: ""
-
-  # (feature-preview) the path after the host to the Anchore External API (supported on Enterprise 3.0+)
-  # same as SYFT_ANCHORE_PATH env var
-  path: ""
-
-  # (feature-preview) the username to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -u ; SYFT_ANCHORE_USERNAME env var
-  username: ""
-
-  # (feature-preview) the password to authenticate against Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -p ; SYFT_ANCHORE_PASSWORD env var
-  password: ""
-
-  # (feature-preview) path to dockerfile to be uploaded with the syft results to Anchore Enterprise (supported on Enterprise 3.0+)
-  # same as -d ; SYFT_ANCHORE_DOCKERFILE env var
-  dockerfile: ""
 ```
 
 ### Adding an SBOM to an image as an attestation using Syft

cmd/syft/cli/options/packages.go

@@ -14,19 +14,13 @@ import (
 )
 
 type PackagesOptions struct {
-	Scope                  string
-	Output                 []string
-	OutputTemplatePath     string
-	File                   string
-	Platform               string
-	Host                   string
-	Username               string
-	Password               string
-	Dockerfile             string
-	Exclude                []string
-	OverwriteExistingImage bool
-	ImportTimeout          uint
-	Catalogers             []string
+	Scope              string
+	Output             []string
+	OutputTemplatePath string
+	File               string
+	Platform           string
+	Exclude            []string
+	Catalogers         []string
 }
 
 var _ Interface = (*PackagesOptions)(nil)
@@ -47,30 +41,12 @@ func (o *PackagesOptions) AddFlags(cmd *cobra.Command, v *viper.Viper) error {
 	cmd.Flags().StringVarP(&o.Platform, "platform", "", "",
 		"an optional platform specifier for container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux')")
 
-	cmd.Flags().StringVarP(&o.Host, "host", "H", "",
-		"the hostname or URL of the Anchore Enterprise instance to upload to")
-
-	cmd.Flags().StringVarP(&o.Username, "username", "u", "",
-		"the username to authenticate against Anchore Enterprise")
-
-	cmd.Flags().StringVarP(&o.Password, "password", "p", "",
-		"the password to authenticate against Anchore Enterprise")
-
-	cmd.Flags().StringVarP(&o.Dockerfile, "dockerfile", "d", "",
-		"include dockerfile for upload to Anchore Enterprise")
-
 	cmd.Flags().StringArrayVarP(&o.Exclude, "exclude", "", nil,
 		"exclude paths from being scanned using a glob expression")
 
 	cmd.Flags().StringArrayVarP(&o.Catalogers, "catalogers", "", nil,
 		"enable one or more package catalogers")
 
-	cmd.Flags().BoolVarP(&o.OverwriteExistingImage, "overwrite-existing-image", "", false,
-		"overwrite an existing image during the upload to Anchore Enterprise")
-
-	cmd.Flags().UintVarP(&o.ImportTimeout, "import-timeout", "", 30,
-		"set a timeout duration (in seconds) for the upload to Anchore Enterprise")
-
 	return bindPackageConfigOptions(cmd.Flags(), v)
 }
 
@@ -105,31 +81,5 @@ func bindPackageConfigOptions(flags *pflag.FlagSet, v *viper.Viper) error {
 		return err
 	}
 
-	// Upload options //////////////////////////////////////////////////////////
-
-	if err := v.BindPFlag("anchore.host", flags.Lookup("host")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.username", flags.Lookup("username")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.password", flags.Lookup("password")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.dockerfile", flags.Lookup("dockerfile")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.overwrite-existing-image", flags.Lookup("overwrite-existing-image")); err != nil {
-		return err
-	}
-
-	if err := v.BindPFlag("anchore.import-timeout", flags.Lookup("import-timeout")); err != nil {
-		return err
-	}
-
 	return nil
 }

cmd/syft/cli/packages/packages.go

@@ -3,16 +3,13 @@ package packages
 import (
 	"context"
 	"fmt"
-	"io"
-	"os"
 
 	"github.com/wagoodman/go-partybus"
 
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/cmd/syft/cli/eventloop"
 	"github.com/anchore/syft/cmd/syft/cli/options"
 	"github.com/anchore/syft/internal"
-	"github.com/anchore/syft/internal/anchore"
 	"github.com/anchore/syft/internal/bus"
 	"github.com/anchore/syft/internal/config"
 	"github.com/anchore/syft/internal/log"
@@ -88,13 +85,6 @@ func execWorker(app *config.Application, si source.Input, writer sbom.Writer) <-
 			errs <- fmt.Errorf("no SBOM produced for %q", si.UserInput)
 		}
 
-		if app.Anchore.Host != "" {
-			if err := runPackageSbomUpload(src, *s, app); err != nil {
-				errs <- err
-				return
-			}
-		}
-
 		bus.Publish(partybus.Event{
 			Type:  event.Exit,
 			Value: func() error { return writer.Write(*s) },
@@ -144,55 +134,6 @@ func MergeRelationships(cs ...<-chan artifact.Relationship) (relationships []art
 	return relationships
 }
 
-func runPackageSbomUpload(src *source.Source, s sbom.SBOM, app *config.Application) error {
-	log.Infof("uploading results to %s", app.Anchore.Host)
-
-	if src.Metadata.Scheme != source.ImageScheme {
-		return fmt.Errorf("unable to upload results: only images are supported")
-	}
-
-	var dockerfileContents []byte
-	if app.Anchore.Dockerfile != "" {
-		if _, err := os.Stat(app.Anchore.Dockerfile); os.IsNotExist(err) {
-			return fmt.Errorf("unable dockerfile=%q does not exist: %w", app.Anchore.Dockerfile, err)
-		}
-
-		fh, err := os.Open(app.Anchore.Dockerfile)
-		if err != nil {
-			return fmt.Errorf("unable to open dockerfile=%q: %w", app.Anchore.Dockerfile, err)
-		}
-
-		dockerfileContents, err = io.ReadAll(fh)
-		if err != nil {
-			return fmt.Errorf("unable to read dockerfile=%q: %w", app.Anchore.Dockerfile, err)
-		}
-	}
-
-	c, err := anchore.NewClient(anchore.Configuration{
-		BaseURL:  app.Anchore.Host,
-		Username: app.Anchore.Username,
-		Password: app.Anchore.Password,
-	})
-
-	if err != nil {
-		return fmt.Errorf("failed to create anchore client: %w", err)
-	}
-
-	importCfg := anchore.ImportConfig{
-		ImageMetadata:           src.Image.Metadata,
-		SBOM:                    s,
-		Dockerfile:              dockerfileContents,
-		OverwriteExistingUpload: app.Anchore.OverwriteExistingImage,
-		Timeout:                 app.Anchore.ImportTimeout,
-	}
-
-	if err := c.Import(context.Background(), importCfg); err != nil {
-		return fmt.Errorf("failed to upload results to host=%s: %+v", app.Anchore.Host, err)
-	}
-
-	return nil
-}
-
 func validateOutputOptions(app *config.Application) error {
 	var usesTemplateOutput bool
 	for _, o := range app.Outputs {

go.mod

@@ -8,12 +8,10 @@ require (
 	github.com/acobaugh/osrelease v0.1.0
 	github.com/adrg/xdg v0.3.3
 	github.com/alecthomas/jsonschema v0.0.0-20210301060011-54c507b6f074
-	github.com/anchore/client-go v0.0.0-20210222170800-9c70f9b80bcf
 	github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb
 	github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 	github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 	github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
-	github.com/antihax/optional v1.0.0
 	github.com/bmatcuk/doublestar/v4 v4.0.2
 	github.com/dustin/go-humanize v1.0.0
 	github.com/facebookincubator/nvdtools v0.1.4
@@ -55,16 +53,16 @@ require (
 
 require (
 	github.com/Masterminds/sprig/v3 v3.2.2
-	github.com/anchore/stereoscope v0.0.0-20221003160521-1b1b744a9199
+	github.com/anchore/stereoscope v0.0.0-20221006201143-d24c9d626b33
 	github.com/docker/docker v20.10.17+incompatible
 	github.com/google/go-containerregistry v0.11.0
 	github.com/in-toto/in-toto-golang v0.3.4-0.20220709202702-fa494aaa0add
 	github.com/knqyf263/go-rpmdb v0.0.0-20220629110411-9a3bd2ebb923
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/sassoftware/go-rpmutils v0.2.0
-	github.com/sigstore/cosign v1.12.1
+	github.com/sigstore/cosign v1.13.0
 	github.com/sigstore/rekor v0.12.1-0.20220915152154-4bb6f441c1b2
-	github.com/sigstore/sigstore v1.4.1
+	github.com/sigstore/sigstore v1.4.2
 	github.com/vbatts/go-mtree v0.5.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -99,20 +97,20 @@ require (
 	github.com/alibabacloud-go/tea-xml v1.1.2 // indirect
 	github.com/aliyun/credentials-go v1.2.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go-v2 v1.16.14 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.17.5 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.12.18 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.22 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.17.7 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.12.20 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.11.21 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.16.17 // indirect
-	github.com/aws/smithy-go v1.13.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 // indirect
+	github.com/aws/smithy-go v1.13.3 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220517224237-e6f29200ae04 // indirect
 	github.com/benbjohnson/clock v1.1.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
@@ -184,7 +182,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
@@ -236,21 +234,21 @@ require (
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/sigstore/fulcio v0.5.3 // indirect
+	github.com/sigstore/fulcio v0.6.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spiffe/go-spiffe/v2 v2.1.1 // indirect
 	github.com/stretchr/objx v0.4.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
-	github.com/sylabs/sif/v2 v2.7.2 // indirect
+	github.com/sylabs/sif/v2 v2.8.1 // indirect
 	github.com/sylabs/squashfs v0.6.1 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
 	github.com/thales-e-security/pool v0.0.2 // indirect
 	github.com/therootcompany/xz v1.0.1 // indirect
-	github.com/theupdateframework/go-tuf v0.5.0 // indirect
+	github.com/theupdateframework/go-tuf v0.5.1-0.20220920170306-f237d7ca5b42 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/tjfoc/gmsm v1.3.2 // indirect
 	github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 // indirect
@@ -291,16 +289,16 @@ require (
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
 	golang.org/x/exp v0.0.0-20220823124025-807a23277127 // indirect
-	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect
+	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1 // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect
+	golang.org/x/sys v0.0.0-20220919091848-fb04ddd9f9c8 // indirect
 	golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	golang.org/x/tools v0.1.12 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
-	google.golang.org/api v0.96.0 // indirect
+	google.golang.org/api v0.98.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220805133916-01dd62135a58 // indirect
+	google.golang.org/genproto v0.0.0-20220920201722-2b89144ce006 // indirect
 	google.golang.org/grpc v1.49.0 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
@@ -335,7 +333,7 @@ require (
 	// go: warning: github.com/andybalholm/brotli@v1.0.1: retracted by module author: occasional panics and data corruption
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
+	golang.org/x/crypto v0.0.0-20220919173607-35f4265a4bc0 // indirect
 )
 
 retract (