Capture file ownership relationships from portage ecosystem (#1702)

* add portage as file owners

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix tests

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* fix linting

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

* update json schema with NPM files

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

---------

Signed-off-by: Alex Goodman <alex.goodman@anchore.com>

internal/constants.go

@@ -6,5 +6,5 @@ const (
 
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "7.0.1"
+	JSONSchemaVersion = "7.1.0"
 )

syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden

@@ -89,7 +89,7 @@
   }
  },
  "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
  }
 }

syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden

@@ -185,7 +185,7 @@
   }
  },
  "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
  }
 }

syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden

@@ -112,7 +112,7 @@
   }
  },
  "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
  }
 }

syft/pkg/cataloger/javascript/package.go

@@ -28,13 +28,14 @@ func newPackageJSONPackage(u packageJSON, locations ...source.Location) pkg.Pack
 		Type:         pkg.NpmPkg,
 		MetadataType: pkg.NpmPackageJSONMetadataType,
 		Metadata: pkg.NpmPackageJSONMetadata{
-			Name:     u.Name,
-			Version:  u.Version,
-			Author:   u.Author.AuthorString(),
-			Homepage: u.Homepage,
-			URL:      u.Repository.URL,
-			Licenses: licenses,
-			Private:  u.Private,
+			Name:        u.Name,
+			Version:     u.Version,
+			Author:      u.Author.AuthorString(),
+			Homepage:    u.Homepage,
+			URL:         u.Repository.URL,
+			Licenses:    licenses,
+			Private:     u.Private,
+			Description: u.Description,
 		},
 	}
 

syft/pkg/cataloger/javascript/parse_package_json_test.go

@@ -26,12 +26,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{"Artistic-2.0"},
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{"Artistic-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -46,12 +47,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{"ISC"},
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{"ISC"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -66,12 +68,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{"MIT", "Apache-2.0"},
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{"MIT", "Apache-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -86,12 +89,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: nil,
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    nil,
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -106,12 +110,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{},
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -126,12 +131,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{"Artistic-2.0"},
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{"Artistic-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@@ -146,12 +152,13 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "function-bind",
-					Version:  "1.1.1",
-					Author:   "Raynos <raynos2@gmail.com>",
-					Homepage: "https://github.com/Raynos/function-bind",
-					URL:      "git://github.com/Raynos/function-bind.git",
-					Licenses: []string{"MIT"},
+					Name:        "function-bind",
+					Version:     "1.1.1",
+					Author:      "Raynos <raynos2@gmail.com>",
+					Homepage:    "https://github.com/Raynos/function-bind",
+					URL:         "git://github.com/Raynos/function-bind.git",
+					Licenses:    []string{"MIT"},
+					Description: "Implementation of Function.prototype.bind",
 				},
 			},
 		},
@@ -166,13 +173,14 @@ func TestParsePackageJSON(t *testing.T) {
 				Language:     pkg.JavaScript,
 				MetadataType: pkg.NpmPackageJSONMetadataType,
 				Metadata: pkg.NpmPackageJSONMetadata{
-					Name:     "npm",
-					Version:  "6.14.6",
-					Author:   "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
-					Homepage: "https://docs.npmjs.com/",
-					URL:      "https://github.com/npm/cli",
-					Licenses: []string{"Artistic-2.0"},
-					Private:  true,
+					Name:        "npm",
+					Version:     "6.14.6",
+					Author:      "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me)",
+					Homepage:    "https://docs.npmjs.com/",
+					URL:         "https://github.com/npm/cli",
+					Licenses:    []string{"Artistic-2.0"},
+					Private:     true,
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},

syft/pkg/gem_metadata.go

@@ -2,8 +2,23 @@ package pkg
 
 // GemMetadata represents all metadata parsed from the gemspec file
 type GemMetadata struct {
-	Name     string   `mapstructure:"name" json:"name"`
-	Version  string   `mapstructure:"version" json:"version"`
+	Name    string `mapstructure:"name" json:"name"`
+	Version string `mapstructure:"version" json:"version"`
+	// note regarding if Files can contribute to GemMetadata being able to implement FileOwner: this list is a
+	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
+	//
+	// For example: The "bundler" gem has a file entry of:
+	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
+	// but the actual file is located at:
+	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
+	// which do not match (the "lib" prefix is missing even for relative processing).
+	//
+	// without additional information about:
+	// 	- the gem installation path
+	// 	- the ruby installation path
+	// 	- the ruby version
+	// 	- environment variables (e.g. GEM_HOME) that may affect the gem installation path
+	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
 	Files    []string `mapstructure:"files" json:"files,omitempty"`
 	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
 	Licenses []string `mapstructure:"licenses" json:"licenses,omitempty"`

syft/pkg/npm_package_json_metadata.go

@@ -4,7 +4,6 @@ package pkg
 type NpmPackageJSONMetadata struct {
 	Name        string   `mapstructure:"name" json:"name"`
 	Version     string   `mapstructure:"version" json:"version"`
-	Files       []string `mapstructure:"files" json:"files,omitempty"`
 	Author      string   `mapstructure:"author" json:"author"`
 	Licenses    []string `mapstructure:"licenses" json:"licenses"`
 	Homepage    string   `mapstructure:"homepage" json:"homepage"`

syft/pkg/portage_metadata.go

@@ -1,9 +1,15 @@
 package pkg
 
 import (
+	"sort"
+
+	"github.com/scylladb/go-set/strset"
+
 	"github.com/anchore/syft/syft/file"
 )
 
+var _ FileOwner = (*PortageMetadata)(nil)
+
 // PortageMetadata represents all captured data for a Package package DB entry.
 type PortageMetadata struct {
 	InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
@@ -15,3 +21,15 @@ type PortageFileRecord struct {
 	Path   string       `json:"path"`
 	Digest *file.Digest `json:"digest,omitempty"`
 }
+
+func (m PortageMetadata) OwnedFiles() (result []string) {
+	s := strset.New()
+	for _, f := range m.Files {
+		if f.Path != "" {
+			s.Add(f.Path)
+		}
+	}
+	result = s.List()
+	sort.Strings(result)
+	return result
+}