* chore: stop re-exporting wfn.Attributes
Previously, Syft re-exported wfn.Attributes from the nvdtools package as
a member of the Package struct. However, Syft doesn't own this struct,
and so after Syft 1.0, might be forced to bump a semver major version
due to a breaking change in wfn.Attributes. Rather than incur this risk
going into 1.0, instead replace Syft's use of wfn.Attributes with Syft's
own cpe.CPE type. That type has some pass-through calls to
wfn.Attributes, but hides the dependency from the rest of the
application.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: make cpe.CPE type a Stringer
Previously, the cpe.CPE type was an alias for wfn.Attributes from
nvdtools. Now that it is a type we control, make the String method take
the CPE as a receiver, rather than as a normal parameter, so that Syft's
cpe.CPE type implements Stringer.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* remove api deprecations
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove deprecated NAME cli flag
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* turn off the SBOM cataloger by default
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-add linux kernel cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure there is at least a directory or image tag on each task
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI tests to account for kernel finding (+2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
The previous implementation would leak a goroutine if the caller of
AllLocations stopped iterating early. Now, accept a context so that the
caller can cancel the AllLocations iterator rather than leak the
goroutine.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* deduplicate digests from user configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* backout pointer reciever change on imageSource
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: remove second call to finalize as the task handles it
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: add test to protect against dupe relationships in final SBOM
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
To reduce toil in this repo, enable dependabot PRs to be automatically
approved, but not merged. They are not automatically merged because if
the default GitHub token is used to automatically merge a PR, the
resulting commit will not trigger workflows on main. Rather than
generate a more potent token, just automatically review them, which
reduces toil by eliminating several clicks and page loads for
maintainers who are trying to merge dependabot PRs.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add cataloger list command
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: tidy go mod
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* remove existing cataloging API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add file cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add configs for cross-cutting concerns
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename CLI option configs to not require import aliases later
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update all nested structs for the Catalog struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update Catalog cli options
- add new cataloger selection options (selection and default)
- remove the excludeBinaryOverlapByOwnership
- deprecate "catalogers" flag
- add new javascript configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate relationship capabilities to separate internal package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor golang cataloger to use configuration options when creating packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create internal object to facilitate reading from and writing to an SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create a command-like object (task) to facilitate partial SBOM creation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add cataloger selection capability
- be able to parse string expressions into a set of resolved actions against sets
- be able to use expressions to select/add/remove tasks to/from the final set of tasks to run
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package, file, and environment related tasks
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update existing file catalogers to use nested UI elements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOMConfig that drives the SBOM creation process
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* capture SBOM creation info as a struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOM() function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update docs with SBOM selection help + breaking changes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix multiple override default inputs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix deprecation flag printing to stdout
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor cataloger selection description to separate object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep expression errors and show specific suggestions only
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address additional review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address more review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* addressed additional PR review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix file selection references
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove guess language data generation option
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for coordinatesForSelection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename relationship attributes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add descriptions to relationships config fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve documentation around configuration options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add explicit errors around legacy config entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: strip fixtures of any execution permissions
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: add lint check for large files
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add helper script to capture binary snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: update scripts and add new dir output for snippets
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update erlang test to new generated format
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update memcached to new generator pattern
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update openjdk to named version
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: move openjdk lts to versioned folder
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: rename unversioned java to versioned folders
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: migrate bash fixture to new snippet workflow
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update script to size 600 bytes
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update go classifier to new snippet workflow
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: move haproxy new new snippet
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: add flatter haproxy example
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update tests to new pattern
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: final version of snippet script
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* [wip] download bin helpers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add manager for binary cataloger test fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add remaining binary cataloger patterns and snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* adjust gitignore to be more permissive to snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add rust darwin snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* skip tests that are missing full binaries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for binary test fixture manager
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* highlight rows that do not have binaries or snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump fixture limit to 1K (found exceptions when adding snippets)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add redis and postgres snippets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve formating of fixture listing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
