Update syft, jotframe, and validations pipeline (#512)

* update syft and jotframe

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update validations and release pipeline

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* moved terminal package to golang.org/x/term

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update integration tests to account for package relationships

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add license exception for xz

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update Location and Coordinate references

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove benchmark tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* remove mac acceptance tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* add syft-grype relationship notes in DEVELOPING.md

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Alex Goodman 2021-11-30 13:10:07 -05:00 committed by GitHub
parent 7e8ee40996
commit 51e1b6307b
20 changed files with 1030 additions and 258 deletions


@ -7,6 +7,12 @@ permit:
ignore-packages:
# packageurl-go is released under the MIT license located in the root of the repo at /mit.LICENSE
- github.com/anchore/packageurl-go
# tools-golang is released under the Apache License, version 2.0 (Apache-2.0)
# https://github.com/spdx/tools-golang/blob/main/LICENSE.code
- github.com/spdx/tools-golang
# from: https://github.com/xi2/xz/blob/master/LICENSE
# All these files have been put into the public domain.
# You can do whatever you want with these files.
- github.com/xi2/xz


@ -0,0 +1,10 @@
#!/usr/bin/env sh
SYFT_LINE=$(cat go.mod | grep github.com/anchore/syft)
if [ "$(echo $SYFT_LINE | grep -o '-' | wc -l)" -gt "1" ]; then
echo "syft version is not a released version! $SYFT_LINE"
exit 1
else
echo 'syft version is a released version!'
fi
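Review bot: `SYFT_LINE=$(cat go.mod | grep github.com/anchore/syft)` can capture more than one line (a `replace` directive or an indirect anchore/syft sub-module would also match), and the unquoted `$SYFT_LINE` in the `echo` then word-splits, so the hyphen count on line 65 no longer describes the one `require` entry it is meant to inspect; anchoring the match, `SYFT_LINE=$(grep -E '^\s*github.com/anchore/syft ' go.mod)`, and quoting `"$SYFT_LINE"` keeps the test on a single line. The hyphen-count heuristic works for the common case but is indirect; matching the Go pseudo-version shape is more precise and self-documenting: `if echo "$SYFT_LINE" | grep -Eq -- '-[0-9]{14}-[0-9a-f]{12}'; then`. Note that go.mod in this same commit pins syft at `v0.30.2-0.20211123195417-bd9007fc0e3d`, so this check is expected to fail on main until syft is moved back to a tagged release, which matches the DEVELOPING.md note but is worth stating in the script's header comment.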


@ -1,21 +1,21 @@
name: 'Release'
name: "Release"
on:
push:
# take no actions on push to any branch...
branches-ignore:
- '**'
- "**"
# ... only act on release tags
tags:
- 'v*'
- "v*"
env:
GO_VERSION: "1.16.x"
jobs:
wait-for-checks:
quality-gate:
environment: release
runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS.
steps:
- uses: actions/checkout@v2
# we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
@ -30,46 +30,57 @@ jobs:
id: static-analysis
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the circle-ci workflow name (in .github/workflows/static-unit-integration.yaml)
checkName: "Static-Analysis (1.16.x, ubuntu-latest)"
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Static analysis"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check unit + integration results (latest go version)
- name: Check unit test results
uses: fountainhead/action-wait-for-check@v1.0.0
id: unit-integration
id: unit
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the circle-ci workflow name (in .github/workflows/static-unit-integration.yaml)
checkName: "Tests (1.16.x, ubuntu-latest)"
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Unit tests"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Build snapshot artifacts
- name: Check integration test results
uses: fountainhead/action-wait-for-check@v1.0.0
id: snapshot
id: integration
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github actions job name (in .github/workflows/acceptance-test.yaml)
checkName: "Build-Snapshot-Artifacts"
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Integration tests"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check inline comparison test results
- name: Check acceptance test results (linux)
uses: fountainhead/action-wait-for-check@v1.0.0
id: inline-compare
id: acceptance-linux
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
checkName: "Inline-Compare"
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Acceptance tests (Linux)"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Check cli test results (linux)
uses: fountainhead/action-wait-for-check@v1.0.0
id: cli-linux
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "CLI tests (Linux)"
ref: ${{ github.event.pull_request.head.sha || github.sha }}
- name: Quality gate
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.snapshot.outputs.conclusion != 'success'
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success'
run: |
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
echo "Unit & Integration Test Status: ${{ steps.unit-integration.outputs.conclusion }}"
echo "Build Snapshot Artifacts Status: ${{ steps.snapshot.outputs.conclusion }}"
echo "Inline Compare Status: ${{ steps.inline-compare.outputs.conclusion }}"
echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}"
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
false
release:
needs: [ wait-for-checks ]
runs-on: macos-latest # Due to our code signing process, it's vital that we run our release steps on macOS.
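Review bot: The `release` job still declares `needs: [ wait-for-checks ]` (L164, shown as context) while the job key it refers to was renamed to `quality-gate` in the first hunk (L91); unless that line is updated outside the visible hunks, the workflow will be rejected for referencing an unknown job, so it should read `needs: [ quality-gate ]`. The two newly added wait steps (L119-L149) pin `fountainhead/action-wait-for-check` by the mutable tag `v1.0.0`; for the gate that decides whether a release proceeds, pinning to the full commit SHA (`uses: fountainhead/action-wait-for-check@<COMMIT_SHA>`) removes the tag-retargeting risk. The unchanged echo `${{ steps.static-analysis.conclusion }}` (L154) also lacks `.outputs`, so that status line prints empty — pre-existing, but easy to fix while this block is being rewritten.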


@ -1,102 +0,0 @@
name: 'Static Analysis + Unit + Integration'
on:
workflow_dispatch:
push:
pull_request:
jobs:
Static-Analysis:
strategy:
matrix:
go-version: [1.16.x]
platform: [ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/setup-go@v2
with:
go-version: ${{ matrix.go-version }}
- uses: actions/checkout@v2
- name: Restore bootstrap cache
id: bootstrap-cache
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
${{ github.workspace }}/.tmp
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- name: Bootstrap project dependencies
if: steps.bootstrap-cache.outputs.cache-hit != 'true'
run: make bootstrap
- name: Bootstrap CI dependencies
run: make ci-bootstrap
- name: Run static analysis
run: make static-analysis
Tests:
strategy:
matrix:
go-version: [1.16.x]
platform: [ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/setup-go@v2
with:
go-version: ${{ matrix.go-version }}
- uses: actions/checkout@v2
- name: Restore bootstrap cache
id: bootstrap-cache
uses: actions/cache@v2
with:
path: |
~/go/pkg/mod
${{ github.workspace }}/.tmp
key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
- name: Bootstrap project dependencies
if: steps.bootstrap-cache.outputs.cache-hit != 'true'
run: make bootstrap
- name: Bootstrap CI dependencies
run: make ci-bootstrap
- name: Run unit tests
run: make unit
- name: Validate grype output against the CycloneDX schema
run: make validate-cyclonedx-schema
- name: Build key for integration tar cache
run: make integration-fingerprint
- name: Restore integration test cache
uses: actions/cache@v2
with:
path: ${{ github.workspace }}/test/integration/test-fixtures/cache
key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }}
- name: Build key for CLI tar cache
run: make cli-fingerprint
- name: Restore cli test cache
uses: actions/cache@v2
with:
path: ${{ github.workspace }}/test/cli/test-fixtures/cache
key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
- name: Run integration tests
run: make integration
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Run CLI tests
run: make cli

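--- /dev/null
+++ b/.github/workflows/validations.yaml
@@ -0,0 +1,245 @@
+name: "Validations"
+on:
+workflow_dispatch:
+push:
+pull_request:
+env:
+GO_VERSION: "1.16.x"
+jobs:
+Static-Analysis:
+# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+name: "Static analysis"
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- uses: actions/checkout@v2
+- name: Restore tool cache
+id: tool-cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/.tmp
+key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+- name: Restore go cache
+id: go-cache
+uses: actions/cache@v2.1.3
+with:
+path: ~/go/pkg/mod
+key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+restore-keys: |
+${{ runner.os }}-go-${{ env.GO_VERSION }}-
+- name: (cache-miss) Bootstrap all project dependencies
+if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
+run: make bootstrap
+- name: Bootstrap CI environment dependencies
+run: make ci-bootstrap
+- name: Run static analysis
+run: make static-analysis
+# allow for PRs to skip validating the syft version to allow for incremental updates of syft before release.
+# In this way checks against the main branch (which are required for release) will fail, but PR checks will not
+- name: Ensure syft version is a release version
+run: |
+echo "GitHub reference: ${GITHUB_REF##*/}"
+git fetch origin main
+git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && make validate-syft-release-version || echo "skipping syft version check"
+Unit-Test:
+# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+name: "Unit tests"
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- uses: actions/checkout@v2
+- name: Restore tool cache
+id: tool-cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/.tmp
+key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+- name: Restore go cache
+id: go-cache
+uses: actions/cache@v2.1.3
+with:
+path: ~/go/pkg/mod
+key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+restore-keys: |
+${{ runner.os }}-go-${{ env.GO_VERSION }}-
+- name: (cache-miss) Bootstrap all project dependencies
+if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
+run: make bootstrap
+- name: Bootstrap CI environment dependencies
+run: make ci-bootstrap
+- name: Run unit tests
+run: make unit
+- uses: actions/upload-artifact@v2
+with:
+name: unit-test-results
+path: test/results/**/*
+Integration-Test:
+# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+name: "Integration tests"
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- uses: actions/checkout@v2
+- name: Restore tool cache
+id: tool-cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/.tmp
+key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+- name: Restore go cache
+id: go-cache
+uses: actions/cache@v2.1.3
+with:
+path: ~/go/pkg/mod
+key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+restore-keys: |
+${{ runner.os }}-go-${{ env.GO_VERSION }}-
+- name: (cache-miss) Bootstrap all project dependencies
+if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
+run: make bootstrap
+- name: Bootstrap CI environment dependencies
+run: make ci-bootstrap
+- name: Validate syft output against the CycloneDX schema
+run: make validate-cyclonedx-schema
+- name: Build key for tar cache
+run: make integration-fingerprint
+- name: Restore integration test cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/test/integration/test-fixtures/cache
+key: ${{ runner.os }}-integration-test-cache-${{ hashFiles('test/integration/test-fixtures/cache.fingerprint') }}
+- name: Run integration tests
+run: make integration
+Build-Snapshot-Artifacts:
+name: "Build snapshot artifacts"
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- uses: actions/checkout@v2
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v1
+- name: Restore tool cache
+id: tool-cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/.tmp
+key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
+- name: Restore go cache
+id: go-cache
+uses: actions/cache@v2.1.3
+with:
+path: ~/go/pkg/mod
+key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+restore-keys: |
+${{ runner.os }}-go-${{ env.GO_VERSION }}-
+- name: (cache-miss) Bootstrap all project dependencies
+if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
+run: make bootstrap
+- name: Build snapshot artifacts
+run: make snapshot
+- uses: actions/upload-artifact@v2
+with:
+name: artifacts
+path: snapshot/**/*
+Acceptance-Linux:
+# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+name: "Acceptance tests (Linux)"
+needs: [Build-Snapshot-Artifacts]
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/checkout@v2
+- uses: actions/download-artifact@v2
+with:
+name: artifacts
+path: snapshot
+- name: Run Acceptance Tests (Linux)
+run: make acceptance-linux
+Cli-Linux:
+# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+name: "CLI tests (Linux)"
+needs: [Build-Snapshot-Artifacts]
+runs-on: ubuntu-20.04
+steps:
+- uses: actions/setup-go@v2
+with:
+go-version: ${{ env.GO_VERSION }}
+- uses: actions/checkout@v2
+- name: Restore go cache
+id: go-cache
+uses: actions/cache@v2.1.3
+with:
+path: ~/go/pkg/mod
+key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
+restore-keys: |
+${{ runner.os }}-go-${{ env.GO_VERSION }}-
+- name: (cache-miss) Bootstrap go dependencies
+if: steps.go-cache.outputs.cache-hit != 'true'
+run: make bootstrap-go
+- name: Build key for tar cache
+run: make cli-fingerprint
+- name: Restore CLI test cache
+uses: actions/cache@v2.1.3
+with:
+path: ${{ github.workspace }}/test/cli/test-fixtures/cache
+key: ${{ runner.os }}-cli-test-cache-${{ hashFiles('test/cli/test-fixtures/cache.fingerprint') }}
+- uses: actions/download-artifact@v2
+with:
+name: artifacts
+path: snapshot
+- name: Run CLI Tests (Linux)
+run: make cli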
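Review bot: The syft release-version gate in the Static-Analysis job (L296-L300) cannot fail: `git merge-base --is-ancestor ... && make validate-syft-release-version || echo "skipping syft version check"` is an `A && B || C` chain, so when `make validate-syft-release-version` exits non-zero the `|| echo` runs and the step's exit status is 0, which defeats the "checks against the main branch will fail" intent in the comment above it. An explicit `if`/`else` gives the intended semantics (shown below); quoting `"${GITHUB_REF##*/}"` is worth doing at the same time. On `pull_request` events `GITHUB_REF` ends in `merge`, which is not a local ref, so the skip branch is presumably what runs for PRs — confirm that is the intended behaviour and note it in the comment.
```yaml
      - name: Ensure syft version is a release version
        run: |
          echo "GitHub reference: ${GITHUB_REF##*/}"
          git fetch origin main
          if git merge-base --is-ancestor "${GITHUB_REF##*/}" origin/main; then
            make validate-syft-release-version
          else
            echo "skipping syft version check"
          fi
  # … unchanged: Unit-Test, Integration-Test, Build-Snapshot-Artifacts, Acceptance-Linux and Cli-Linux jobs …
```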


@ -10,6 +10,15 @@ After cloning do the following:
Checkout `make help` to see what other actions you can take.
## Relationship to Syft
Grype uses Syft as a library for all-things related to obtaining and parsing the given scan target (pulling container
images, parsing container images, indexing directories, cataloging packages, etc). Releases of Grype should
always use released versions of Syft (commits that are tagged and show up in the GitHub releases page). However,
continually integrating unreleased Syft changes into Grype incrementally is encouraged
(e.g. `go get github.com/anchore/syft@main`) as long as by the time a release is cut the Syft version is updated
to a released version (e.g. `go get github.com/anchore/syft@v<semantic-version>`).
## Inspecting the database
The currently supported database format is Sqlite3. Install `sqlite3` in your system and ensure that the `sqlite3` executable is available in your path. Ask `grype` about the location of the database, which will be different depending on the operating system:


@ -66,25 +66,34 @@ test: unit validate-cyclonedx-schema integration acceptance-linux cli ## Run all
help:
@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "$(BOLD)$(CYAN)%-25s$(RESET)%s\n", $$1, $$2}'
ci-bootstrap: bootstrap
.PHONY: ci-bootstrap
ci-bootstrap:
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y bc jq libxml2-utils
.PHONY: bootstrap
bootstrap: ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
$(call title,Bootstrapping dependencies)
@pwd
.PHONY:
ci-bootstrap-mac:
github_changelog_generator --version || sudo gem install github_changelog_generator
# prep temp dirs
mkdir -p $(TEMPDIR)
$(RESULTSDIR):
mkdir -p $(RESULTSDIR)
# install go dependencies
go mod download
$(TEMPDIR):
mkdir -p $(TEMPDIR)
.PHONY: bootstrap-tools
bootstrap-tools: $(TEMPDIR)
curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(TEMPDIR)/ v1.42.1
curl -sSfL https://raw.githubusercontent.com/wagoodman/go-bouncer/master/bouncer.sh | sh -s -- -b $(TEMPDIR)/ v0.2.0
curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMPDIR)/ v0.3.0
.github/scripts/goreleaser-install.sh -b $(TEMPDIR)/ v0.177.0
curl -sSfL https://raw.githubusercontent.com/anchore/chronicle/main/install.sh | sh -s -- -b $(TEMPDIR)/ v0.2.0-beta
.PHONY: bootstrap-go
bootstrap-go:
go mod download
.PHONY: bootstrap
bootstrap: $(RESULTSDIR) bootstrap-go bootstrap-tools ## Download and install all go dependencies (+ prep tooling in the ./tmp dir)
$(call title,Bootstrapping dependencies)
.PHONY: static-analysis
static-analysis: lint check-go-mod-tidy check-licenses validate-grype-db-schema
@ -215,6 +224,10 @@ validate-grype-test-config:
echo "Found \"update-url\" in CLI testing config. Cannot release if previous CLI testing did not use production (default) values"; \
fi'
.PHONY: validate-syft-release-version
validate-syft-release-version:
@./.github/scripts/syft-released-version-check.sh
.PHONY: release
release: clean-dist validate-grype-test-config CHANGELOG.md ## Build and publish final binaries and packages. Intended to be run only on macOS.
$(call title,Publishing release artifacts)
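Review bot: The new `validate-syft-release-version` target (L511-L513) runs `./.github/scripts/syft-released-version-check.sh` by path, so it depends on the executable bit being committed with the script; invoking it as `@sh ./.github/scripts/syft-released-version-check.sh` removes that dependency and matches the script's `#!/usr/bin/env sh` header. Separately, the `bootstrap-tools` recipe (L494-L499) fetches installer scripts from the `master`/`main` heads of third-party repositories and pipes them to `sh`: the tool versions are pinned but the installers are not, so what runs on the build host can change without any change to this file. If those lines are merely moved in this commit treat this as pre-existing; otherwise consider pinning each script URL to a commit, e.g. `https://raw.githubusercontent.com/golangci/golangci-lint/<COMMIT_SHA>/install.sh`, and the same for the bouncer and chronicle installers. The two chronicle lines (L497, L499) show different versions and the rendered view does not say which is the new one — worth a glance that the intended version survived.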

go.mod

@ -8,21 +8,21 @@ require (
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4
github.com/anchore/grype-db v0.0.0-20211119195714-911ff7162dc6
github.com/anchore/stereoscope v0.0.0-20211024152658-003132a67c10
github.com/anchore/syft v0.30.1
github.com/anchore/stereoscope v0.0.0-20211116152349-7e4e1b56a15d
github.com/anchore/syft v0.30.2-0.20211123195417-bd9007fc0e3d
github.com/bmatcuk/doublestar/v2 v2.0.4
github.com/docker/docker v17.12.0-ce-rc1.0.20200309214505-aa6a9891b09c+incompatible
github.com/docker/docker v20.10.11+incompatible
github.com/dustin/go-humanize v1.0.0
github.com/facebookincubator/nvdtools v0.1.4
github.com/gabriel-vasile/mimetype v1.3.0
github.com/go-test/deep v1.0.7
github.com/google/go-cmp v0.4.1
github.com/google/go-cmp v0.5.6
github.com/google/uuid v1.2.0
github.com/gookit/color v1.4.2
github.com/hashicorp/go-cleanhttp v0.5.2
github.com/hashicorp/go-getter v1.5.9
github.com/hashicorp/go-multierror v1.1.0
github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a
github.com/jinzhu/copier v0.3.2
github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
github.com/mitchellh/go-homedir v1.1.0
@ -31,15 +31,15 @@ require (
github.com/scylladb/go-set v1.0.2
github.com/sergi/go-diff v1.1.0
github.com/sirupsen/logrus v1.8.1
github.com/spf13/afero v1.3.2
github.com/spf13/cobra v1.0.1-0.20200909172742-8a63648dd905
github.com/spf13/afero v1.6.0
github.com/spf13/cobra v1.2.1
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.7.0
github.com/spf13/viper v1.8.1
github.com/stretchr/testify v1.7.0
github.com/wagoodman/go-partybus v0.0.0-20210627031916-db1f5573bbc5
github.com/wagoodman/go-progress v0.0.0-20200807221327-51d465df1451
github.com/wagoodman/jotframe v0.0.0-20200730190914-3517092dd163
github.com/wagoodman/jotframe v0.0.0-20211129225309-56b0d0a4aebb
github.com/x-cray/logrus-prefixed-formatter v0.5.2
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
gopkg.in/yaml.v2 v2.4.0
)

go.sum



@ -29,9 +29,7 @@ var (
Version: "0.5.2",
Type: "deb",
Locations: []source.Location{
{
RealPath: "/path/that/has/dive",
},
source.NewLocation("/path/that/has/dive"),
},
},
},
@ -47,10 +45,7 @@ var (
Version: "100.0.50",
Type: "gem",
Locations: []source.Location{
{
RealPath: "/real/path/with/reach",
VirtualPath: "/virtual/path/that/has/reach",
},
source.NewVirtualLocation("/real/path/with/reach", "/virtual/path/that/has/reach"),
},
},
},
@ -66,10 +61,7 @@ var (
Version: "100.0.51",
Type: "gem",
Locations: []source.Location{
{
RealPath: "/real/path/with/beach",
VirtualPath: "/virtual/path/that/has/beach",
},
source.NewVirtualLocation("/real/path/with/beach", "/virtual/path/that/has/beach"),
},
},
},
@ -85,10 +77,7 @@ var (
Version: "100.0.52",
Type: "gem",
Locations: []source.Location{
{
RealPath: "/real/path/with/speach",
VirtualPath: "/virtual/path/that/has/speach",
},
source.NewVirtualLocation("/real/path/with/speach", "/virtual/path/that/has/speach"),
},
},
},
@ -279,13 +268,8 @@ var (
Name: "a-pkg",
Version: "1.0",
Locations: []source.Location{
{
RealPath: "/some/path",
},
{
RealPath: "/some/path",
VirtualPath: "/some/virtual/path",
},
source.NewLocation("/some/path"),
source.NewVirtualLocation("/some/path", "/some/virtual/path"),
},
Type: "rpm",
},


@ -25,7 +25,7 @@ type Package struct {
Metadata interface{} // This is NOT the syft metadata! Only the select data needed for vulnerability matching
}
func New(p *pkg.Package) Package {
func New(p pkg.Package) Package {
var metadata interface{}
switch p.MetadataType {
@ -74,7 +74,7 @@ func New(p *pkg.Package) Package {
}
return Package{
ID: ID(p.ID),
ID: ID(p.ID()),
Name: p.Name,
Version: p.Version,
Locations: p.Locations,
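Review bot: `New` now takes `pkg.Package` by value (L648), but `Locations: p.Locations` on the last visible line still copies only the slice header, so the returned grype `Package` shares its backing array with the syft package, and `Metadata` is a shallow copy of an interface value; the by-value signature may read to callers as if the result were independent. If isolation is intended, copy the slice with `Locations: append([]source.Location(nil), p.Locations...),` (using whichever alias this file imports syft's source package under); otherwise a one-line doc comment on the exported function stating that the conversion is shallow avoids the surprise. `New` begins and ends outside the hunk, and no doc comment for it is visible here.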


@ -226,7 +226,7 @@ func TestNew_MetadataExtraction(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
observedMetadataTypes.Add(string(test.syftPkg.MetadataType))
assert.Equal(t, test.metadata, New(&test.syftPkg).Metadata)
assert.Equal(t, test.metadata, New(test.syftPkg).Metadata)
})
}


@ -17,7 +17,7 @@ func syftProvider(userInput string, scopeOpt source.Scope, registryOptions *imag
}
defer cleanup()
catalog, theDistro, err := syft.CatalogPackages(src, scopeOpt)
catalog, _, theDistro, err := syft.CatalogPackages(src, scopeOpt)
if err != nil {
return nil, Context{}, err
}


@ -35,10 +35,10 @@ func TestParseSyftJSON(t *testing.T) {
Name: "alpine-baselayout",
Version: "3.2.0-r6",
Locations: []source.Location{
{
source.NewLocationFromCoordinates(source.Coordinates{
RealPath: "/lib/apk/db/installed",
FileSystemID: "sha256:93cf4cfb673c7e16a9e74f731d6767b70b92a0b7c9f59d06efd72fbff535371c",
},
}),
},
Language: "",
Licenses: []string{
@ -56,10 +56,10 @@ func TestParseSyftJSON(t *testing.T) {
Name: "fake",
Version: "1.2.0-r0",
Locations: []source.Location{
{
source.NewLocationFromCoordinates(source.Coordinates{
RealPath: "/lib/apk/db/installed",
FileSystemID: "sha256:93cf4cfb673c7e16a9e74f731d6767b70b92a0b7c9f59d06efd72fbff535371c",
},
}),
},
Language: "lang",
Licenses: []string{
@ -77,10 +77,10 @@ func TestParseSyftJSON(t *testing.T) {
Name: "gmp",
Version: "6.2.0-r0",
Locations: []source.Location{
{
source.NewLocationFromCoordinates(source.Coordinates{
RealPath: "/lib/apk/db/installed",
FileSystemID: "sha256:93cf4cfb673c7e16a9e74f731d6767b70b92a0b7c9f59d06efd72fbff535371c",
},
}),
},
Language: "the-lang",
Licenses: []string{
@ -178,10 +178,10 @@ var springImageTestCase = struct {
Name: "charsets",
Version: "",
Locations: []source.Location{
{
source.NewLocationFromCoordinates(source.Coordinates{
RealPath: "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar",
FileSystemID: "sha256:a1a6ceadb701ab4e6c93b243dc2a0daedc8cee23a24203845ecccd5784cd1393",
},
}),
},
Language: "java",
Licenses: []string{},
@ -197,10 +197,10 @@ var springImageTestCase = struct {
Name: "tomcat-embed-el",
Version: "9.0.27",
Locations: []source.Location{
{
source.NewLocationFromCoordinates(source.Coordinates{
RealPath: "/app/libs/tomcat-embed-el-9.0.27.jar",
FileSystemID: "sha256:89504f083d3f15322f97ae240df44650203f24427860db1b3d32e66dd05940e4",
},
}),
},
Language: "java",
Licenses: []string{},


@ -193,7 +193,7 @@ func TestJsonDirsPresenter(t *testing.T) {
Type: syftPkg.DebPkg,
FoundBy: "the-cataloger-1",
Locations: []syftSource.Location{
{RealPath: "/some/path/pkg1"},
syftSource.NewLocation("/some/path/pkg1"),
},
MetadataType: syftPkg.DpkgMetadataType,
Metadata: syftPkg.DpkgMetadata{


@ -89,7 +89,7 @@ func generatePackages(t *testing.T) []pkg.Package {
Version: "1.1.1",
Type: syftPkg.DebPkg,
Locations: []syftSource.Location{
{RealPath: "/somefile-1.txt"},
syftSource.NewLocation("/somefile-1.txt"),
},
CPEs: []syftPkg.CPE{
{
@ -106,7 +106,7 @@ func generatePackages(t *testing.T) []pkg.Package {
Version: "2.2.2",
Type: syftPkg.DebPkg,
Locations: []syftSource.Location{
{RealPath: "/somefile-2.txt"},
syftSource.NewLocation("/somefile-2.txt"),
},
},
}


@ -8,15 +8,15 @@ import (
// Package is meant to be only the fields that are needed when displaying a single pkg.Package object for the JSON presenter.
type Package struct {
Name string `json:"name"`
Version string `json:"version"`
Type syftPkg.Type `json:"type"`
Locations []syftSource.Location `json:"locations"`
Language syftPkg.Language `json:"language"`
Licenses []string `json:"licenses"`
CPEs []string `json:"cpes"`
PURL string `json:"purl"`
Metadata interface{} `json:"metadata"`
Name string `json:"name"`
Version string `json:"version"`
Type syftPkg.Type `json:"type"`
Locations []syftSource.Coordinates `json:"locations"`
Language syftPkg.Language `json:"language"`
Licenses []string `json:"licenses"`
CPEs []string `json:"cpes"`
PURL string `json:"purl"`
Metadata interface{} `json:"metadata"`
}
func newPackage(p pkg.Package) Package {
@ -30,10 +30,15 @@ func newPackage(p pkg.Package) Package {
licenses = make([]string, 0)
}
var coordinates = make([]syftSource.Coordinates, 0)
for _, l := range p.Locations {
coordinates = append(coordinates, l.Coordinates)
}
return Package{
Name: p.Name,
Version: p.Version,
Locations: p.Locations,
Locations: coordinates,
Licenses: licenses,
Language: p.Language,
Type: p.Type,
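Review bot: Changing `Locations` from `[]syftSource.Location` to `[]syftSource.Coordinates` (L800) changes what the JSON presenter emits under `locations`: any field that `Location` serialised beyond its `Coordinates` no longer appears, so this is an output-format change for consumers of the JSON output and it is not mentioned in the commit description; presumably the JSON schema fixtures in the test suite cover it — confirm and record it in the changelog. In `newPackage`, `var coordinates = make([]syftSource.Coordinates, 0)` followed by an `append` loop can be pre-sized and written with `:=`, `coordinates := make([]syftSource.Coordinates, 0, len(p.Locations))`, which keeps the deliberate empty-not-null JSON encoding while avoiding regrowth. `newPackage` ends outside the hunk.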


@ -7,7 +7,7 @@ import (
"io"
"os"
"golang.org/x/crypto/ssh/terminal"
"golang.org/x/term"
)
// TODO: build tags to exclude options from windows
@ -18,8 +18,8 @@ import (
// are environmental problems (e.g. cannot write to the terminal). A writer is provided to capture the output of
// the final SBOM report.
func Select(verbose, quiet bool, reportWriter io.Writer) (uis []UI) {
isStdoutATty := terminal.IsTerminal(int(os.Stdout.Fd()))
isStderrATty := terminal.IsTerminal(int(os.Stderr.Fd()))
isStdoutATty := term.IsTerminal(int(os.Stdout.Fd()))
isStderrATty := term.IsTerminal(int(os.Stderr.Fd()))
notATerminal := !isStderrATty && !isStdoutATty
switch {


@ -83,7 +83,7 @@ func addPythonMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Ca
packages := catalog.PackagesByPath("/python/dist-info/METADATA")
if len(packages) != 1 {
for _, p := range packages {
t.Logf("Python Package: %s %+v", p.ID, p)
t.Logf("Python Package: %s %+v", p.ID(), p)
}
t.Fatalf("problem with upstream syft cataloger (python)")
@ -145,7 +145,7 @@ func addRubyMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Cata
}
func addJavaMatches(t *testing.T, theSource source.Source, catalog *syftPkg.Catalog, theStore *mockStore, theResult *match.Matches) {
packages := make([]*syftPkg.Package, 0)
packages := make([]syftPkg.Package, 0)
for p := range catalog.Enumerate(syftPkg.JavaPkg) {
packages = append(packages, p)
}
@ -353,7 +353,8 @@ func TestMatchByImage(t *testing.T) {
}
defer cleanup()
theCatalog, theDistro, err := syft.CatalogPackages(theSource, source.SquashedScope)
// TODO: relationships are not verified at this time
theCatalog, _, theDistro, err := syft.CatalogPackages(theSource, source.SquashedScope)
if err != nil {
t.Fatalf("could not get the source obj: %+v", err)
}


@ -69,7 +69,8 @@ func getSyftSBOM(t testing.TB, image string) string {
t.Cleanup(cleanup)
scope := source.SquashedScope
catalog, distro, err := syft.CatalogPackages(src, scope)
// TODO: relationships are not verified at this time
catalog, _, distro, err := syft.CatalogPackages(src, scope)
sbom := sbom.SBOM{
Artifacts: sbom.Artifacts{