When the goModCataloger processes a Replace directive it currently adds the new
package to the resulting package list, but does not remove the old one unless
the path is unchanged.
Based on an existing comment in the code, removing the old one seems to be the
intended behavior, and results in a more expected end-result, so this does so.
Signed-off-by: Russell Haering <russellhaering@gmail.com>
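To make the replace handling concrete, here is an added Go example (not syft's code) that models the two behaviours the message contrasts: a small go.mod replace parser plus a function that applies the directives either keeping the original module unless its path is unchanged (the behaviour being fixed) or always removing it. The go.mod text and module paths are constructed, and leaving directory replacements untouched is an assumption of this example.

```go
package main

import (
	"sort"
	"strings"
)

// Package is a minimal stand-in for a catalogued Go module (example type, not syft's pkg.Package).
type Package struct{ Path, Version string }

// Replace models one `replace old [version] => new [version]` directive from go.mod.
type Replace struct {
	OldPath, OldVersion string // empty OldVersion matches every version of OldPath
	NewPath, NewVersion string // empty NewVersion means a local directory replacement
}

// sampleGoMod is a constructed go.mod; the module paths are made up for the example.
const sampleGoMod = `module example.com/app

replace github.com/a/lib => github.com/fork/lib v1.0.1

replace (
	github.com/x/y v2.0.0 => github.com/x/y v2.0.1
	github.com/z/local => ../local
)
`

// parseReplaces extracts replace directives (single-line and block form) from go.mod text.
// It assumes a well-formed file and ignores every other directive.
func parseReplaces(gomod string) []Replace {
	var out []Replace
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		line = strings.TrimSpace(line)
		switch {
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue
		}
		lhs, rhs, ok := strings.Cut(line, "=>")
		if !ok {
			continue
		}
		var r Replace
		r.OldPath, r.OldVersion = splitPathVersion(lhs)
		r.NewPath, r.NewVersion = splitPathVersion(rhs)
		out = append(out, r)
	}
	return out
}

// splitPathVersion splits "path [version]" into its parts; a missing version is "".
func splitPathVersion(s string) (string, string) {
	f := append(strings.Fields(s), "", "")
	return f[0], f[1]
}

// applyReplaces rewrites the package list according to the replace directives.
// removeOld=false reproduces the behaviour the commit fixes (the replaced module stays
// unless its path is unchanged); removeOld=true drops it in every case. Directory
// replacements carry no version and are left untouched (assumption of this example).
func applyReplaces(pkgs []Package, replaces []Replace, removeOld bool) []Package {
	seen := map[Package]bool{}
	var out []Package
	add := func(p Package) {
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	for _, p := range pkgs {
		replaced := false
		for _, r := range replaces {
			if r.OldPath != p.Path || (r.OldVersion != "" && r.OldVersion != p.Version) || r.NewVersion == "" {
				continue
			}
			replaced = true
			add(Package{r.NewPath, r.NewVersion})
			if !removeOld && r.NewPath != p.Path {
				add(p) // old behaviour: the original survives when the path changed
			}
		}
		if !replaced {
			add(p)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Path < out[j].Path || (out[i].Path == out[j].Path && out[i].Version < out[j].Version)
	})
	return out
}

// Demo runs both behaviours over the constructed go.mod and returns (before fix, after fix).
func Demo() (before, after []Package) {
	pkgs := []Package{{"github.com/a/lib", "v1.0.0"}, {"github.com/x/y", "v2.0.0"}}
	rs := parseReplaces(sampleGoMod)
	return applyReplaces(pkgs, rs, false), applyReplaces(pkgs, rs, true)
}
```

With the old behaviour `Demo` returns three packages (the replaced `github.com/a/lib` survives next to its fork); with the fixed behaviour only the two replacement targets remain, which is what a downstream vulnerability match would expect to see.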
* chore: Reduce length of readme, moving lengthy content to the wiki
https://github.com/anchore/syft/wiki
---------
Signed-off-by: Alan Pope <alan@popey.com>
* use pkg values in relationship fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add linter rule for using values in relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use new cmptest package for comparing relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create cmptest for common cmp.Diff options in test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* condense matches for relationship ruleguard
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove relationship type from rules
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore build tag
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* suggest using values
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nil check pkgs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add internal dependency resolver
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor dependency relationship resolution to common object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* replace cataloger decorator with generic processor
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor resolver to be a single function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for debian
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for arch
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for alpine
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for generic pkg and rel assertions in testpkg helper
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* do not allow for empty results
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move stable deduplicate comment
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove relationship resolver type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This PR adds DependencyOf relationships when ELF packages have been discovered by the binary cataloger. The discovered file.Executable type has a []ImportedLibraries that's read from the file when discovered by syft. By mapping these imported libraries back to the package collection, syft is able to create relationships showing which packages are dependencies of other packages by just reading metadata from the ELF executable.
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@sers.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
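As an added illustration of the mapping described above (example code, not syft's implementation), the Go block below takes executables with their imported library sonames and a package collection with owned file paths, and emits one DependencyOf relationship per (library-owning package, executable-owning package) pair. The package names, file paths and sonames are constructed sample data; matching a soname purely by base name, without regard to the loader's search order, is an assumption of the example.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Executable stands in for syft's file.Executable: the binary's path plus the DT_NEEDED
// sonames from its dynamic section (example type; the sonames below are constructed,
// not read from a real ELF).
type Executable struct {
	Path              string
	ImportedLibraries []string
}

// Package is a minimal stand-in for a catalogued package and the files it owns.
type Package struct {
	Name  string
	Files []string
}

// Relationship records that From is a dependency of To (a DependencyOf edge).
type Relationship struct {
	From, To string
}

// Constructed sample data: three packages and two dynamically linked ELF files.
var samplePackages = []Package{
	{Name: "libc6", Files: []string{"/lib/x86_64-linux-gnu/libc.so.6"}},
	{Name: "libssl3", Files: []string{"/usr/lib/x86_64-linux-gnu/libssl.so.3", "/usr/lib/x86_64-linux-gnu/libcrypto.so.3"}},
	{Name: "curl", Files: []string{"/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"}},
}

var sampleExecutables = []Executable{
	{Path: "/usr/bin/curl", ImportedLibraries: []string{"libcurl.so.4", "libssl.so.3", "libcrypto.so.3", "libc.so.6", "libnghttp2.so.14"}},
	{Path: "/usr/lib/x86_64-linux-gnu/libssl.so.3", ImportedLibraries: []string{"libcrypto.so.3", "libc.so.6"}},
}

// indexFiles builds two lookups: exact path -> owning package (for the executable itself)
// and base name -> owning packages (sonames matched by file name; assumption: ld.so search
// order is ignored).
func indexFiles(pkgs []Package) (byPath map[string]string, byBase map[string][]string) {
	byPath, byBase = map[string]string{}, map[string][]string{}
	for _, p := range pkgs {
		for _, f := range p.Files {
			byPath[f] = p.Name
			byBase[path.Base(f)] = append(byBase[path.Base(f)], p.Name)
		}
	}
	return byPath, byBase
}

// resolveELFDependencies maps each executable's imported libraries back to the packages
// owning them and emits one DependencyOf relationship per (library package, binary's
// package) pair. Sonames no package provides are returned rather than silently dropped.
func resolveELFDependencies(execs []Executable, pkgs []Package) ([]Relationship, []string) {
	byPath, byBase := indexFiles(pkgs)
	seen := map[Relationship]bool{}
	var rels []Relationship
	var unresolved []string
	for _, e := range execs {
		owner, ok := byPath[e.Path]
		if !ok {
			continue // binary belongs to no catalogued package: nothing to attach an edge to
		}
		for _, lib := range e.ImportedLibraries {
			providers := byBase[lib]
			if len(providers) == 0 {
				unresolved = append(unresolved, e.Path+" -> "+lib)
				continue
			}
			for _, prov := range providers {
				if prov == owner {
					continue // a package loading its own library is not a dependency edge
				}
				r := Relationship{From: prov, To: owner}
				if !seen[r] {
					seen[r] = true
					rels = append(rels, r)
				}
			}
		}
	}
	sort.Slice(rels, func(i, j int) bool {
		if rels[i].From != rels[j].From {
			return rels[i].From < rels[j].From
		}
		return rels[i].To < rels[j].To
	})
	sort.Strings(unresolved)
	return rels, unresolved
}

func main() {
	rels, unresolved := resolveELFDependencies(sampleExecutables, samplePackages)
	for _, r := range rels {
		fmt.Printf("%s is a dependency of %s\n", r.From, r.To)
	}
	fmt.Println("unresolved:", unresolved)
}
```

The unresolved list is worth keeping in a real cataloger: a soname that no package owns is either a library shipped outside any package manager or a missing file, and both are findings a reviewer of the SBOM would want surfaced rather than dropped.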
This commit updates the link from the former, unofficial nixos wiki page to the new https://wiki.nixos.org
ref: NixOS/foundation#113
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
Previously, the file resolver was created from incorrect calls
(path.Join instead of filepath.Join) which resulted in Go license searches
always missing on Windows. Use filepath.* functions when initializing
the Go config, and when the unindexed file resolver is being created.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add alpm relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* tweak reader linter rule to check for reader impl
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update JSON schema with alpm dependency information
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: ruleguard to enforce defer use
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix go.mod location
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close in linux release identifier
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: better lint suggestion
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: refactor binary classifier to defer close
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in gentoo cataloger
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: make go license parsing defer close readers
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer closing readers in alpine apm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in graalvm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in debian package parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in alpm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in executable file cataloger
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in javascript license parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in go mod parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* restore version file update on release
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for shallower fetch depth
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* always close ELF cataloger file handles
The elf-binary-package-cataloger does its own file IO to account for the
possibility of a logical ELF package being broken across multiple
physical files. However, this caused it to skip the normal invocation
pattern in the generic cataloger code that prevented file leaks. Ensure
this cataloger always closes its file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* defer closing of generic cataloger file handles
Otherwise, a panicking cataloger could leak file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add unit test for file closed on panic parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* make invoke parser a static function
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* push error logging down into invoke parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
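As an added example (not syft's code) of the leak this series closes, the Go block below contrasts the two invocation shapes: closing after the parser returns, which a panic skips, and a deferred Close paired with a recover that converts the panic into an error. The handle type and its open-handle counter are constructed stand-ins for real file descriptors.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// openHandles counts handles opened and not yet closed, so a leak is observable
// (a constructed stand-in for real file descriptors).
var openHandles int64

type handle struct{ closed bool }

func openHandle() *handle {
	atomic.AddInt64(&openHandles, 1)
	return &handle{}
}

func (h *handle) Close() error {
	if !h.closed {
		h.closed = true
		atomic.AddInt64(&openHandles, -1)
	}
	return nil
}

// OpenHandles reports how many handles are currently open.
func OpenHandles() int64 { return atomic.LoadInt64(&openHandles) }

// invokeParserLeaky has the pre-fix shape: Close runs after the parser returns, so a
// panic inside the parser unwinds past it and the handle is never closed.
func invokeParserLeaky(parse func(*handle) error) error {
	h := openHandle()
	err := parse(h)
	h.Close()
	return err
}

// invokeParserSafe defers the Close and turns a parser panic into an error, so the handle
// is released on every exit path and the caller can log and move on to the next file.
func invokeParserSafe(parse func(*handle) error) (err error) {
	h := openHandle()
	defer h.Close()
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("parser panicked: %v", r)
		}
	}()
	return parse(h)
}

func main() {
	panicking := func(*handle) error { panic("malformed input") }
	func() {
		defer func() { recover() }()
		invokeParserLeaky(panicking)
	}()
	fmt.Println("open after leaky invoke:", OpenHandles()) // 1: the handle leaked
	err := invokeParserSafe(panicking)
	fmt.Println("open after safe invoke:", OpenHandles(), "err:", err) // still 1: no new leak
}
```

Recovering inside the invoke wrapper matters for a cataloger that walks thousands of files: one malformed input should cost a logged error, not the whole scan, and the deferred Close keeps the descriptor budget from draining when such inputs are common.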
* fix(spdx): include required fields
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: missed update due to refactoring
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update tools-golang
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: add test with packageVerificationCode included and excluded
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>