Merge branch 'main' into 835-keyless-attestation-upgrade

* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

.bouncer.yaml

@@ -5,6 +5,7 @@ permit:
   - MPL.*
   - ISC
 ignore-packages:
+  - .
   # packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE
   - github.com/anchore/packageurl-go
 

.github/scripts/apple-signing/setup-prod.sh

@@ -21,6 +21,14 @@ fi
 if [ -z "$DOCKER_PASSWORD" ]; then
   exit_with_error "DOCKER_PASSWORD not set"
 fi
+
+if [ -z "$GHCR_USERNAME" ]; then
+  exit_with_error "GHCR_USERNAME not set"
+fi
+
+if [ -z "$GHCR_PASSWORD" ]; then
+  exit_with_error "GHCR_PASSWORD not set"
+fi
 set -u
 
 # setup_signing
@@ -41,4 +49,5 @@ setup_signing() {
 
   commentary "log into docker -- required for publishing (since the default keychain has now been replaced)"
   echo "${DOCKER_PASSWORD}" | docker login docker.io -u "${DOCKER_USERNAME}"  --password-stdin
+  echo "${GHCR_PASSWORD}" | docker login ghcr.io -u "${GHCR_USERNAME}"  --password-stdin
 }

.github/workflows/release.yaml

@@ -94,6 +94,8 @@ jobs:
     needs: [quality-gate]
     # due to our code signing process, it's vital that we run our release steps on macOS
     runs-on: macos-latest
+    permissions:
+      packages: write
     steps:
       - uses: docker-practice/actions-setup-docker@v1
 
@@ -128,6 +130,8 @@ jobs:
       - name: Build & publish release artifacts
         run: make release
         env:
+          GHCR_USERNAME: ${{ github.actor }}
+          GHCR_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }}
           DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }}
           # we use a different token than GITHUB_SECRETS to additionally allow updating the homebrew repos

.github/workflows/update-stereoscope-release.yml

@@ -0,0 +1,51 @@
+name: PR for latest Stereoscope release
+on:
+  schedule:
+    - cron: "0 8 * * *" # 3 AM EST
+
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.18.x"
+  GO_STABLE_VERSION: true
+
+jobs:
+  upgrade-stereoscope:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          stable: ${{ env.GO_STABLE_VERSION }}
+
+      - run: |
+          LATEST_VERSION=$(git ls-remote https://github.com/anchore/stereoscope main | head -n1 | awk '{print $1;}')
+
+          # update go.mod
+          go get github.com/anchore/stereoscope@$LATEST_VERSION
+          go mod tidy
+
+          # export the version for use with create-pull-request
+          echo "::set-output name=LATEST_VERSION::$LATEST_VERSION"
+        id: latest-version
+
+      - uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@v4
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest
+          labels: dependencies
+          commit-message: "Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
+          title: "Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}"
+          body: |
+            Update Stereoscope to ${{ steps.latest-version.outputs.LATEST_VERSION }}
+          token: ${{ steps.generate-token.outputs.token }}

.goreleaser.yaml

@@ -12,6 +12,7 @@ before:
 
 builds:
   - id: linux-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - linux
@@ -32,6 +33,7 @@ builds:
       -X github.com/anchore/syft/internal/version.gitDescription={{.Summary}}
 
   - id: darwin-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - darwin
@@ -49,6 +51,7 @@ builds:
         - ./.github/scripts/apple-signing/sign.sh "{{ .Path }}" "{{ .IsSnapshot }}" "{{ .Target }}"
 
   - id: windows-build
+    dir: ./cmd/syft
     binary: syft
     goos:
       - windows
@@ -99,6 +102,11 @@ dockers:
       - "anchore/syft:{{ .Tag }}-amd64"
       - "anchore/syft:v{{ .Major }}-amd64"
       - "anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64"
+      - "ghcr.io/anchore/syft:latest"
+      - "ghcr.io/anchore/syft:{{ .Tag }}-amd64"
+      - "ghcr.io/anchore/syft:v{{ .Major }}-amd64"
+      - "ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64"
+    goarch: amd64
     dockerfile: Dockerfile
     use: buildx
     build_flag_templates:
@@ -112,6 +120,9 @@ dockers:
       - "anchore/syft:{{ .Tag }}-arm64v8"
       - "anchore/syft:v{{ .Major }}-arm64v8"
       - "anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8"
+      - "ghcr.io/anchore/syft:{{ .Tag }}-arm64v8"
+      - "ghcr.io/anchore/syft:v{{ .Major }}-arm64v8"
+      - "ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8"
     goarch: arm64
     dockerfile: Dockerfile
     use: buildx
@@ -131,3 +142,11 @@ docker_manifests:
     image_templates:
       - anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
       - anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8
+  - name_template: ghcr.io/anchore/syft:{{ .Tag }}
+    image_templates:
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8
+  - name_template: ghcr.io/anchore/syft:latest
+    image_templates:
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-amd64
+      - ghcr.io/anchore/syft:v{{ .Major }}.{{ .Minor }}-arm64v8

Makefile

@@ -147,7 +147,7 @@ lint-fix: ## Auto-format all source code + run golangci lint fixers
 
 .PHONY: check-licenses
 check-licenses: ## Ensure transitive dependencies are compliant with the current license policy
-	$(TEMPDIR)/bouncer check
+	$(TEMPDIR)/bouncer check ./cmd/syft
 
 check-go-mod-tidy:
 	@ .github/scripts/go-mod-tidy-check.sh && echo "go.mod and go.sum are tidy!"
@@ -305,7 +305,7 @@ cli: $(SNAPSHOTDIR) ## Run CLI tests
 	chmod 755 "$(SNAPSHOT_BIN)"
 	$(SNAPSHOT_BIN) version
 	SYFT_BINARY_LOCATION='$(SNAPSHOT_BIN)' \
-		go test -count=1 -v ./test/cli
+		go test -count=1 -timeout=15m -v ./test/cli
 
 .PHONY: changelog
 changelog: clean-changelog CHANGELOG.md