This fixes an issue where filenames containing a period that aren't a
group ID, such as some-jar.12.jar, would be mistakenly be reported as
having the name "12" by syft, instead of the name "some-jar.12".
It works by testing whether the parts of the filename split on "."
are all valid Java identifiers.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* with release signature of checksums file
* attach SBOMs to the release
* update acceptance tests
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate CPE generation logic to internal
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove create function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Added test for golang package that include subpath into the module
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Implement golang purl subpath
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* use the json schema as input for templating
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* unexport as many types and functions from cataloger packages as possible
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* capture type and signature information in convention test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* check that we return pkg.Cataloger from constructors
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* internalize majority of cmd package and migrate integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add internal api encoder
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create internal representation of all formats
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* export capability to get default encoders
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore test fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: stop re-exporting wfn.Attributes
Previously, Syft re-exported wfn.Attributes from the nvdtools package as
a member of the Package struct. However, Syft doesn't own this struct,
and so after Syft 1.0, might be forced to bump a semver major version
due to a breaking change in wfn.Attributes. Rather than incur this risk
going into 1.0, instead replace Syft's use of wfn.Attributes with Syft's
own cpe.CPE type. That type has some pass-through calls to
wfn.Attributes, but hides the dependency from the rest of the
application.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: make cpe.CPE type a Stringer
Previously, the cpe.CPE type was an alias for wfn.Attributes from
nvdtools. Now that it is a type we control, make the String method take
the CPE as a receiver, rather than as a normal parameter, so that Syft's
cpe.CPE type implements Stringer.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove api deprecations
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove deprecated NAME cli flag
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* turn off the SBOM cataloger by default
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-add linux kernel cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure there is at least a directory or image tag on each task
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI tests to account for kernel finding (+2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
The previous implementation would leak a goroutine if the caller of
AllLocations stopped iterating early. Now, accept a context so that the
caller can cancel the AllLocations iterator rather than leak the
goroutine.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* deduplicate digests from user configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* backout pointer reciever change on imageSource
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: remove second call to finalize as the task handles it
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: add test to protect against dupe relationships in final SBOM
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
To reduce toil in this repo, enable dependabot PRs to be automatically
approved, but not merged. They are not automatically merged because if
the default GitHub token is used to automatically merge a PR, the
resulting commit will not trigger workflows on main. Rather than
generate a more potent token, just automatically review them, which
reduces toil by eliminating several clicks and page loads for
maintainers who are trying to merge dependabot PRs.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
