* [wip] initial syft api examples
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* smooth over some rough edges in the API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* embed example file
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* change name of builder function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Syft can get CPEs from several source, including generating them based on
package data, finding them in the NVD CPE dictionary, or finding them declared
in a manifest or existing SBOM. Record where Syft got CPEs so that consumers of
SBOMs can reason about how trustworthy they are.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Fix passing "--key" to the attest command. Additionally, pull in an update to
the clio CLI library to permit unit testing that flags and env vars are parsed
to the correct field on command options structs. This testing strategy was
needed here because testing attestation in an end to end test requires a
prohibitive amount of setup.
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
This fixes an issue where filenames containing a period that aren't a
group ID, such as some-jar.12.jar, would be mistakenly be reported as
having the name "12" by syft, instead of the name "some-jar.12".
It works by testing whether the parts of the filename split on "."
are all valid Java identifiers.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* with release signature of checksums file
* attach SBOMs to the release
* update acceptance tests
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate CPE generation logic to internal
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove create function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Added test for golang package that include subpath into the module
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Implement golang purl subpath
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* use the json schema as input for templating
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* unexport as many types and functions from cataloger packages as possible
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* capture type and signature information in convention test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* check that we return pkg.Cataloger from constructors
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* internalize majority of cmd package and migrate integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add internal api encoder
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create internal representation of all formats
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* export capability to get default encoders
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore test fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: stop re-exporting wfn.Attributes
Previously, Syft re-exported wfn.Attributes from the nvdtools package as
a member of the Package struct. However, Syft doesn't own this struct,
and so after Syft 1.0, might be forced to bump a semver major version
due to a breaking change in wfn.Attributes. Rather than incur this risk
going into 1.0, instead replace Syft's use of wfn.Attributes with Syft's
own cpe.CPE type. That type has some pass-through calls to
wfn.Attributes, but hides the dependency from the rest of the
application.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: make cpe.CPE type a Stringer
Previously, the cpe.CPE type was an alias for wfn.Attributes from
nvdtools. Now that it is a type we control, make the String method take
the CPE as a receiver, rather than as a normal parameter, so that Syft's
cpe.CPE type implements Stringer.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove api deprecations
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove deprecated NAME cli flag
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* turn off the SBOM cataloger by default
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-add linux kernel cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure there is at least a directory or image tag on each task
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI tests to account for kernel finding (+2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
The previous implementation would leak a goroutine if the caller of
AllLocations stopped iterating early. Now, accept a context so that the
caller can cancel the AllLocations iterator rather than leak the
goroutine.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
