chore(deps): update dependency anchore/grype to v0.59.1 - autoclosed

[renovate]

This PR contains the following updates:

Package	Update	Change
anchore/grype	minor	v0.35.0 -> v0.59.1

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

---

Release Notes

anchore/grype

v0.59.1

Compare Source

Changelog

v0.59.1 (2023-03-09)

Full Changelog

Bug Fixes

• fix: correct APK CPE version comparison logic [PR #​1165] [westonsteimel]

v0.59.0

Compare Source

Changelog

v0.59.0 (2023-03-03)

Full Changelog

Added Features

• Add the total types of vulnerabilities in Grype output [Issue #​877] [PR #​946] [zhiburt]

Additional Changes

• chore: bump quality gate labels and syft version [PR #​1156] [westonsteimel]

v0.58.0

Compare Source

Changelog

v0.58.0 (2023-03-02)

Full Changelog

Security Fixes

• chore(deps): bump github.com/hashicorp/go-getter from 1.6.2 to 1.7.0 [PR #​1134] [dependabot]

Added Features

• add grype image to ArtifactHub [Issue #​613] [PR #​639] [developer-guy]

Bug Fixes

• Grype with version v.0.55 take 3 hour to scan the image [Issue #​1063]
• Unable to install Grype [Issue #​1102]

Additional Changes

• chore: update progress monitor handling [PR #​1149] [kzantow]
• distro: Disable support for Arch Linux [PR #​1152] [Foxboron]

v0.57.1

Compare Source

Changelog

v0.57.1 (2023-02-16)

Full Changelog

v0.57.0

Compare Source

Changelog

Updates

• Update to latest syft for faster indexing and SBOM generation when consuming source and not using the SBOM as an input

Full Changelog

Bug Fixes

• regression: Grype 0.54.0 does not find vulnerabilities in Nodejs runtime itself anymore [Issue #​1043]

Additional Changes

• bump yardstick to 2d30ea7 [PR #​1095] [wagoodman]
• chore: prune cosign dependency for grype builds [PR #​1100] [spiffcs]
• chore: bump yardstick for better quality gate filtering [PR #​1101] [westonsteimel]
• chore: add new images to quality gate [PR #​1106] [westonsteimel]
• fix: exclude OS packages from CPE target filtering [PR #​1130] [westonsteimel]
• fix: ignore some false-positives for ruby gems [PR #​1132] [westonsteimel]

v0.56.0

Compare Source

Changelog

v0.56.0 (2023-01-26)

Full Changelog

Added Features

• Allow db diff to specify local files [Issue #​1059] [PR #​1058] [kzantow]

Bug Fixes

• False positive CVE-2015-5237 for protobuf-go [Issue #​558] [PR #​1062] [luhring]
• Missing severities in embedded-cyclonedx-vex-json format since v0.55.0 [Issue #​1066] [PR #​1067] [kzantow]

v0.55.0

Compare Source

Changelog

v0.55.0 (2023-01-04)

Full Changelog

Added Features

• add documentation about air gap installation support [Issue #​509]
• Include Syft's cyclonedx component properties in Grype output [Issue #​951]

Bug Fixes

• OWASP dependency track is not listing vulnerabilities (cyclone dx format) from grype , syft is working however [Issue #​796]
• Failure scanning images with arch variant (e.g. arm/v7) [Issue #​831]
• Unnecessarily escaped output in CycloneDX [Issue #​959]
• SBOM cataloger and ownership-by-file-overlap relationships for packages [Issue #​1044]

v0.54.0

Compare Source

Changelog

v0.54.0 (2022-12-13)

Full Changelog

Added Features

• reporting the relevant CVE number when GHSA is reported [Issue #​204]
• Add official support for ppc64le [Issue #​404]

Bug Fixes

• False positive: redis vuln associated to somewhat unrelated python dependency [Issue #​491]
• False flagging [Issue #​800]
• grype db update error [Issue #​846]
• Grype debug image no longer contains busybox [Issue #​1010]

v0.53.1

Compare Source

Changelog

v0.53.1 (2022-11-21)

Full Changelog

v0.53.0

Compare Source

Changelog

v0.53.0 (2022-11-18)

Full Changelog

Added Features

• Enable the Scorecard Github Action and badge [Issue #​926]
• Update Grype to use use syft v0.62.0

v0.52.0

Compare Source

Changelog

v0.52.0 (2022-11-03)

Full Changelog

Added Features

• Show all vulnerabilities, even suppressed [Issue #​887]
• Ubuntu: Add as a Vulnerability Specification Source [Issue #​958]

Bug Fixes

• Grype inconsistence output squashed and all-layers representation [Issue #​894]
• Grype doesn't find CVE-2022-3358 [Issue #​954]
• Not applying Alpine secdb data correctly for "edge" [Issue #​964]
• Incorrect artifact entry in json report for grype v0.51.0 [Issue #​967]

v0.51.0

Compare Source

Changelog

v0.51.0 (2022-10-17)

Full Changelog

Features

• Upgrade to a new vulnerability database schema v5 [PR #​944]

Bug Fixes

• Grype is not reporting CVE-2018-1270 [Issue #​237]
• Grype does not recognize Debian fix for CVE-2022-37434 [Issue #​900]
• grype cannot be used, because modify syft CycloneDX format json result file. [Issue #​953]

v0.50.2

Compare Source

Changelog

(Unreleased) (2022-09-20)

Full Changelog

Added Features

• Add distro information into the CPE generation process [Issue #​141]
• allow development installations via install.sh [Issue #​253]

v0.50.1

Compare Source

Changelog

Full Changelog

Bug Fix

• Pin syft version to latest release to resolve pseudo version conflict

v0.50.0

Compare Source

Changelog

Full Changelog

Added Features

• 0.49.0 docker image does not support arm64 [Issue #​916]
• review rpm packages [[Issue #​570][https://github.com/anchore/grype/issues/570](https://github.com/anchore/grype/issues/570)0

v0.49.0

Compare Source

Changelog

(Unreleased) (2022-09-01)

Full Changelog

Added Features

• add basic instructions for compiling binaries to install readme [Issue #​581]
• How can grype scan manually installed dependencies? [Issue #​651]
• Flag to disable db check and update [Issue #​878]

Bug Fixes

• Java CVEs not detected from sparse CycloneDX SBOM [Issue #​723]
• Add support to bci images [Issue #​740]
• failed to catalog: could not fetch image (only on v0.47.0) [Issue #​882]

v0.48.0

Compare Source

Changelog

v0.48.0 (2022-08-24)

Full Changelog

Added Features

• enhancement: add support for s390x arch [Issue #​719]
• More accurate "no OS distribution" messaging [Issue #​748]

Fixed Bugs

• disable CPE match filtering based on target software component for java packages [PR #​889]

v0.47.0

Compare Source

Changelog

v0.47.0 (2022-08-17)

Full Changelog

Security

• Grype v0.46.0 reports a Critical vulnerability CVE-2022-35929 on itself [Issue #​880]

Bug Fixes

• GRYPE_DB_AUTO_UPDATE=false no longer works [Issue #​870]

v0.46.0

Compare Source

Changelog

v0.46.0 (2022-08-04)

Full Changelog

Added Features

• ux: db: update: append more information about the next update [Issue #​754]
• update syft to use latest version [v0.53.4]

v0.45.0

Compare Source

Changelog

v0.45.0 (2022-08-03)

Full Changelog

Added Features

• Accept simple package list as input [Issue #​516]
• Request vulnerability data by a single cpe string [Issue #​757]

Bug Fixes

• grype db diff default case inverted [Issue #​844]
• Grype slow on parallel execution [Issue #​855]
• Concurrent gyrpe runs result in SQLITE_BUSY error [Issue #​859]

v0.44.0

Compare Source

Changelog

v0.44.0 (2022-07-25)

Full Changelog

Added Features

• Filter CPE matches by target SW to reduce FPs [Issue #​390]
• Support ARM32 (linux/armv7) architecture [Issue #​595]

v0.43.0

Compare Source

Changelog

v0.43.0 (2022-07-18)

Full Changelog

Added Features

• Remove matching for main go module matcher [PR #​829]
• Add --only-notfixed to complete the existing and useful --only-fixed [Issue #​824]

Bug Fixes

• Cannot concurrently access sqlite DB within a single process [Issue #​155]
• False positive of CVE-2020-16250 and CVE-2020-16251 [Issue #​712]

v0.42.0

Compare Source

Changelog

v0.42.0 (2022-07-11)

Full Changelog

Added Features

• Templates for grype output. HTML template [Issue #​724]
• grype db diff command [Issue #​764]

Bug Fixes

• panic: runtime error: index out of range [0] with length 0 [Issue #​821]

v0.41.0

Compare Source

Changelog

v0.41.0 (2022-07-06)

Full Changelog

Features

• Upgrade to a new vulnerability database schema v4 [PR #​803]

Bug Fixes

• Grype Busy Box Vulnerabilities resolved [Issue #​510]
• Vulnerabilities now reported under php (composer) [Issue #​797]
• Grype outputs listed properly [Issue #​801]
• Grype db update command now shows spinner [Issue #​805]

v0.40.1

Compare Source

Changelog

v0.40.1 (2022-06-24)

Full Changelog

Features

• update syft to v0.49.0 release

Bug Fixes

• grype fixed version cyclonedxjson [Issue #​762]
• Include php in Grype supported languages [Issue #​792]

v0.40.0

Compare Source

Changelog

v0.40.0 (2022-06-17)

Full Changelog

Added Features

• Be clear about version and data staleness [Issue #​240]
• Add a dockerized workflow for local dev [Issue #​782]
• Update grype documentation to include golang [Issue #​787]

Bug Fixes

• "Matcher failed to parse version" when scanning a Ruby project using bundler 2.2.0 or newer [Issue #​767]
• GHSA-x24g-9w7v-vprh included in grype 0.38.0 [Issue #​779]
• Template pipelines don't seem to work in 0.39.0 [Issue #​784]

v0.39.0

Compare Source

Changelog

v0.39.0 (2022-06-09)

Full Changelog

Features

• Support newer versions of 'rpm' that use Sqlite for the db instead of BerkeleyDB [Issue #​469]

Bug Fixes

• Template errors don't lead to non-zero exit status [Issue #​623]
• Issues with Grype's handling of template output for invalid templates [Issue #​625]
• Grype reports some critical Vault CVE on itself [Issue #​676]

v0.38.0

Compare Source

Changelog

v0.38.0 (2022-05-23)

Full Changelog

Added Features

• Dotnet-Support [Issue #​736]

v0.37.0

Compare Source

Changelog

v0.37.0 (2022-05-13)

Full Changelog

Added Features

• Add Dotnet support [PR #​747] [ckotzbauer]

Security Fixes

• Bump github.com/hashicorp/go-getter from 1.5.9 to 1.5.11 [PR #​742] [dependabot]

Bug Fixes

• Unable to determine the OS distribution (Ubuntu 20.04.4 LTS) [Issue #​684]

v0.36.1

Compare Source

Changelog

v0.36.1 (2022-05-03)

Update grype to use syft v0.45.1 and reduce info level logging overload

Full Changelog

v0.36.0

Compare Source

Changelog

v0.36.0 (2022-04-29)

Full Changelog

Added Features

• Add support for cyclonedx 1.4 and VEX [Issue #​591]
• Read attestation file, validate attestation, produce vulnerability report [Issue #​644]

Bug Fixes

• Panic while running scan on directory [Issue #​715]

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.