This PR adds DependencyOf relationships when ELF packages have been discovered by the binary cataloger. The discovered file.Executable type has a []ImportedLibraries that's read from the file when discovered by syft. By mapping these imported libraries back to the package collection, syft is able to create relationships showing which packages are dependencies of other packages by just reading metadata from the ELF executable.
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@sers.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add alpm relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* tweak reader linter rule to check for reader impl
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update JSON schema with alpm dependency information
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
It is possible that a given package has multiple known "official" CPEs
active in the dictionary at once, so the index should support a slice of
CPE strings per package
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
* Adding the resolved and integrity fields of yarn.lock to the parsed metadata. This addition is similar to the metadata added when parsing package-lock.json.
Signed-off-by: asi-cider <88270351+asi-cider@users.noreply.github.com>
* fix comment
Signed-off-by: asi-cider <88270351+asi-cider@users.noreply.github.com>
* Adding the Index field to metadeta when parsing poetry.lock similarly to the existing Pipfile metadata
Signed-off-by: asi-cider <88270351+asi-cider@users.noreply.github.com>
* fixing struct accoding to tests
Signed-off-by: asi-cider <88270351+asi-cider@users.noreply.github.com>
* remove old schema change
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove empty constants
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-generate JSON schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update document ref
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: asi-cider <88270351+asi-cider@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add cataloger for Erlang OTP applications
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Add OTP Package type and Purl for ErLang
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* remove erlang OTP metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use OTP purl type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore otp fixture and adjust tests for dir-only results
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add detection of ELF security features
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with file executable data
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update expected fixure when no tty present
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* more detailed differ
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use json differ
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove json schema addition
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix mimtype set ref
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Syft can get CPEs from several source, including generating them based on
package data, finding them in the NVD CPE dictionary, or finding them declared
in a manifest or existing SBOM. Record where Syft got CPEs so that consumers of
SBOMs can reason about how trustworthy they are.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* turn off the SBOM cataloger by default
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-add linux kernel cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure there is at least a directory or image tag on each task
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI tests to account for kernel finding (+2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* deduplicate digests from user configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* backout pointer reciever change on imageSource
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove existing cataloging API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add file cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add configs for cross-cutting concerns
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename CLI option configs to not require import aliases later
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update all nested structs for the Catalog struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update Catalog cli options
- add new cataloger selection options (selection and default)
- remove the excludeBinaryOverlapByOwnership
- deprecate "catalogers" flag
- add new javascript configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate relationship capabilities to separate internal package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor golang cataloger to use configuration options when creating packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create internal object to facilitate reading from and writing to an SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create a command-like object (task) to facilitate partial SBOM creation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add cataloger selection capability
- be able to parse string expressions into a set of resolved actions against sets
- be able to use expressions to select/add/remove tasks to/from the final set of tasks to run
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package, file, and environment related tasks
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update existing file catalogers to use nested UI elements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOMConfig that drives the SBOM creation process
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* capture SBOM creation info as a struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOM() function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update docs with SBOM selection help + breaking changes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix multiple override default inputs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix deprecation flag printing to stdout
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor cataloger selection description to separate object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep expression errors and show specific suggestions only
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address additional review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address more review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* addressed additional PR review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix file selection references
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove guess language data generation option
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for coordinatesForSelection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename relationship attributes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add descriptions to relationships config fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve documentation around configuration options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add explicit errors around legacy config entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip]
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* distinct the package metadata functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove metadata type from package core model
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate review feedback for names
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add RPM archive metadata and split parser helpers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* clarify the python package metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename the KB metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* break hackage and composer types by use case
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* linting fix
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix encoding and decoding for syft-json and cyclonedx
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema to 11
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx-xml snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update spdx-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update spdx-tv snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update syft-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct metadata type in stack yaml parser test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix bom-ref redactor for cyclonedx-xml
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for legacy package metadata names
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema v11
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix legacy HackageMetadataType reflect type value check
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* packagemetadata discovery should account for type shadowing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema version to v12
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema to incorporate changes from main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add syft-json legacy config option
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests around v11-v12 json decoding
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add docs for SYFT_JSON_LEGACY
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename structs to be compliant with new naming scheme
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split up sbom.Format into encode and decode ops
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cmd pkg to inject format configs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump cyclonedx schema to 1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* redact image metadata from github encoder tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add more testing around format decoder identify
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add test case for format version options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] - review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep encoder creation out of post load function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep decider and identify functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add a few more doc comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove format encoder default function helpers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move back to streaming based decode functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* with common convention for encoder constructors
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests and allow for encoders to be created from cli options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* buffer reads from stdin to support seeking
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove internal string set
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate changes from #2227
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* beef up the pkg.License.Merg() doc string
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add additional license filenames
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
* add comment about the license list being manually updated
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add relationships for deb packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* small refactor to remove duplicate code
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add registry certificate verification support
* replace stereoscope version
* modify go.mod
* pull in stereoscope update
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename registry cert options, add docs, and add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update to account for changes in anchore/stereoscope#195
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: lishituo <24578666@qq.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Fixes#931
PR #1948 introduces a new implicit exclusion for binary packages that overlap by file ownership and have certain characteristics:
1) the relationship between packages is OwnershipByFileOverlap
2) the parent package is an "os" package - see changelog for included catalogers
3) the child is a synthetic package generated by the binary cataloger - see changelog for included catalogers
4) the package names are identical
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Add support for parsing .NET assemblies
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 69c33fe4d77357d843c11590f3b07825bc6249ac
* Add dll and exe files
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: b9d204efa6d2ef385b5fbb7a59a3474ecabea641
* Add PE cataloger to directory catalogers
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 9711c00d9da92e2887e0c1f92edd740ea5345849
* Don't set language to dotnet for PEs
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 368313fddac9160d8a06a01ebe8c5ac7990232f5
* Fix spelling of cataloger in constructor
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: e42fd77b2f8b6d42e076a84f6cce386861260941
* Adjust which cases in PE parsing return errors
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Former-commit-id: 95b25f8fc3a7d4e18fe30e489b09851f316795ff
* remove build binary from branch
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Former-commit-id: fa54c0d0aef0998d5520e9f44cae51f5f9cd38a2
* Fix failing CLI tests
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
---------
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: or-later suffix has been updated to consider deprecated +
If a given license has the suffix "or-later" it previously could have
been considered or represented with a "+". Example "GFDL-1.0-or-later"
could have been represented as "GFDL-1.0+". This PR allows the license
list generation to consider "or-later" as == to "+" when generating
permutations for upgrading deprecated licenses.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* add bubbletea UI
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* swap pipeline to go 1.20.x and add attest guard for cosign binary
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update note in developing.md about the required golang version
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix merge conflict for windows path handling
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* temp test for attest handler
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add addtional test iterations for background reader
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
