* add language detection from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add package type detection from pURLs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cargo and npm pURL support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix npm tests and linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [CycloneDX] Add artifactID and groupID to the cycloneDX properties
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* update comment
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* additional checks for value
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* fill group filed with groupID in the case of Java
Signed-off-by: Peter Balogh <p.balogh.sa@gmail.com>
* fix linter warning
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add php related metadata
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable decoding of php metadata for syftjson format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add php metadata to json schema
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Update Syft formats for SyftJson
This change will introduce omitempty struct tag to PackageCustomData.
This struct tag will cause null and empty values to be dropped on serialization
for consumers downstream.
Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>
* Updated the golden files for syftjson to allow for proper
test coverage.
Signed-off-by: Toure Dunnon <toure.dunnon@anchore.com>
* Add tests for image and directory syftjson source
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Add failing test case for file source unmarshaling
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Fix file source unmarshaling
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Add test case for unknown source type
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* draft outline for developing docs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update outline
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* list testing dependencies
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix header indention
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix title
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove strong distro type
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump json schema to v3 (breaking distro shape)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for v2 decoding of distro idLikes field in v3 json decoder
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix casing in simple linux release name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use discovered name as pretty name in simple linux release
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update goreleaser with windows checksums
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* update format to be closer to our previous implementation
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* remove linux replacement
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* typo
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* bump stereoscope version to remove old containerd
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* go mod tidy
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Support Windows Directory Resolver
Add function that converts windows to posix functionality
Add function that converts posix to windows
Add build tags to remove windows developer environment errors
redact carriage return specific windows issues
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Fix CPE generation when the generated CPE contains invalid characters
Currently syft seems to generate invalid CPEs which do not
conform with the official CPE spec. This is because the underlying
nvdtools library is not a completely spec compliant implementation
and has some interesting bugs/issues.
The following are the list of issues I have encountered with nvdtools:
1. It parses strings which are not CPEs incorrectly as valid CPEs. This
messes up our filter function which is supposed to filter out any
incorrect CPEs we generate. In order to fix this, I have introduced
a new regex in the NewCPE function which follows the upstream spec and
filters out any incorrect CPEs.
2. Introduce wfn.WFNize for any cpe attributes we infer from packages.
This ensures that we are escaping and quoting any special characters
before putting them into CPEs. Note that nvdtools has yet another bug
in the WFNize function, specifically the "addSlashesAt" part of the
function which stops the loop as soon as it encounters ":" a valid
character for a WFN attribute after quoting, but the way nvdtools
handles it causes it to truncate strings that container ":". As a result
strings like "prefix:1.2" which would have been quoted as "prefix\:1.2"
end up becoming "prefix" instead causing loss of information and
incorrect CPEs being generated. As a result in such cases, we remove out
strings containing ":" in any part entirely for now. This is similar
to the way we were handling CPE filtering in the past with http urls as
vendor strings
3. Add special handling for version which contain ":" due to epochs in
debian and rpm. In this case, we strip out the parts before ":" i.e.
the epoch and only output the actual function. This ensures we are not
discarding valid version strings due to pt #.2.
In the future we should look at moving to a more spec compliant cpe
parsing library to avoid such shenanigans.
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Remove WFNize for input strings
WFNize seems to not be part of the standard as per
https://pkg.go.dev/github.com/facebookincubator/nvdtools@v0.1.4/wfn#WFNize
and seems to have bugs/issues with encode/decode cycles, so I am
just removing it at this point and relying on the CPE regex to filter
out invalid CPEs for now.
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Quote the string on decode to ensure consistent CPE string generation
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Add test cases for round-tripping the CPE and fix strip slashes
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Add comprehensive tests for cpe parsing
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Use strings.Builder instead of byte buffer
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* add lpkg support to java cataloger
linter clean up
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix comment formatting
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add filename test for lpkg
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* commment on lpkg file extension tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix comment typo
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix import format
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* simpler test validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add direct_url.json fields to python metadata
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* rename DirectURLOrigin struct; add stub for file
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add detection for direct_url.json
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* Add tests for direct-url information and add it to the output purl
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Update golden snapshot ids after adding new python package metadata field
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
* Add test names for packageurl tests
Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>
Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* set package ID in catalogers and improve hashing performance
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update setting ID + tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Add failing test for extra empty lines in manifest
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Handle extra empty lines in Java manifests
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* M1 install.sh script should use zip
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add arm64 binary extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ignore target link files based on path
log when files are actually indexed
add test for sym link resolution
golang test nits
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* nil catalog should act like an empty catalog
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove dir path filtering in favor of file type filtering
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split out addPathToIndex into specialized functions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test for nul catalog enumeration
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* conditionally discover MIME types for file based on file resolver index
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change logging around cataloging
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests to cover possible infinite symlink loop for resolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* Add failing test for missing versions
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Look through all named sections for version
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Consistent installation of yajsv
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Adjust output text for test assertion
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* recover from panics in stdlib binary parsing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add CLI test to cover regression case
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cataloging within universal binaries
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update json test fixtures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add comments + correct 32 bit multi arch magic check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
