From 10c3cc27e8154f11b8ac00bd5a5ac50f8666b34c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 27 Apr 2023 11:58:59 -0400
Subject: [PATCH 1/6] chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)

Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.22.0 to 1.22.1.
- [Release notes](https://gitlab.com/cznic/sqlite/tags)
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.22.0...v1.22.1)

---
updated-dependencies:
- dependency-name: modernc.org/sqlite
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 go.mod | 4 ++--
 go.sum | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/go.mod b/go.mod
index 5c7166943b1..d441608bde9 100644
--- a/go.mod
+++ b/go.mod
@@ -66,7 +66,7 @@ require (
 github.com/vbatts/go-mtree v0.5.3
 golang.org/x/exp v0.0.0-20230202163644-54bba9f4231b
 gopkg.in/yaml.v3 v3.0.1
- modernc.org/sqlite v1.22.0
+ modernc.org/sqlite v1.22.1
 )
 
 require (
@@ -153,7 +153,7 @@ require (
 lukechampine.com/uint128 v1.2.0 // indirect
 modernc.org/cc/v3 v3.40.0 // indirect
 modernc.org/ccgo/v3 v3.16.13 // indirect
- modernc.org/libc v1.22.4 // indirect
+ modernc.org/libc v1.22.5 // indirect
 modernc.org/mathutil v1.5.0 // indirect
 modernc.org/memory v1.5.0 // indirect
 modernc.org/opt v0.1.3 // indirect
diff --git a/go.sum b/go.sum
index 1c4890cadca..06b350e0092 100644
--- a/go.sum
+++ b/go.sum
@@ -1182,22 +1182,22 @@ modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw=
 modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
 modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk=
 modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM=
-modernc.org/libc v1.22.4 h1:wymSbZb0AlrjdAVX3cjreCHTPCpPARbQXNz6BHPzdwQ=
-modernc.org/libc v1.22.4/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
+modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
+modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
 modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
 modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
 modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.22.0 h1:Uo+wEWePCspy4SAu0w2VbzUHEftOs7yoaWX/cYjsq84=
-modernc.org/sqlite v1.22.0/go.mod h1:cxbLkB5WS32DnQqeH4h4o1B0eMr8W/y8/RGuxQ3JsC0=
+modernc.org/sqlite v1.22.1 h1:P2+Dhp5FR1RlVRkQ3dDfCiv3Ok8XPxqpe70IjYVA9oE=
+modernc.org/sqlite v1.22.1/go.mod h1:OrDj17Mggn6MhE+iPbBNf7RGKODDE9NFT0f3EwDzJqk=
 modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY=
 modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.15.1 h1:mOQwiEK4p7HruMZcwKTZPw/aqtGM4aY00uzWhlKKYws=
+modernc.org/tcl v1.15.2 h1:C4ybAYCGJw968e+Me18oW55kD/FexcHbqH2xak1ROSY=
 modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg=
 modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.7.0 h1:xkDw/KepgEjeizO2sNco+hqYkU12taxQFqPEmgm1GWE=
+modernc.org/z v1.7.3 h1:zDJf6iHjrnB+WRD88stbXokugjyc0/pB91ri1gO6LZY=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

From 5f3d4d285ba6ef911c3e03b29cfbc4cac0f9b6e0 Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Mon, 1 May 2023 10:19:58 -0400
Subject: [PATCH 2/6] rename sbom.PackageCatalog to sbom.Packages (#1773)
Signed-off-by: Alex Goodman
---
 cmd/syft/cli/eventloop/tasks.go | 2 +-
 syft/formats/common/cyclonedxhelpers/decoder.go | 4 ++--
 .../common/cyclonedxhelpers/decoder_test.go | 4 ++--
 syft/formats/common/cyclonedxhelpers/format.go | 2 +-
 syft/formats/common/spdxhelpers/to_format_model.go | 4 ++--
 syft/formats/common/spdxhelpers/to_syft_model.go | 4 ++--
 .../common/spdxhelpers/to_syft_model_test.go | 2 +-
 syft/formats/cyclonedxjson/decoder_test.go | 2 +-
 syft/formats/cyclonedxxml/decoder_test.go | 2 +-
 syft/formats/github/encoder.go | 2 +-
 syft/formats/github/encoder_test.go | 4 ++--
 syft/formats/internal/testutils/utils.go | 8 ++++----
 syft/formats/spdxjson/decoder_test.go | 4 ++--
 syft/formats/spdxtagvalue/encoder_test.go | 2 +-
 syft/formats/syftjson/decoder_test.go | 4 ++--
 syft/formats/syftjson/encoder_test.go | 2 +-
 syft/formats/syftjson/to_format_model.go | 2 +-
 syft/formats/syftjson/to_syft_model.go | 2 +-
 syft/formats/syftjson/to_syft_model_test.go | 4 ++--
 syft/formats/table/encoder.go | 2 +-
 syft/formats/text/encoder.go | 2 +-
 syft/pkg/cataloger/sbom/cataloger.go | 2 +-
 syft/sbom/sbom.go | 2 +-
 .../all_layers_squashed_comparison_test.go | 4 ++--
 test/integration/catalog_packages_test.go | 14 +++++++-------
 test/integration/mariner_distroless_test.go | 2 +-
 test/integration/node_packages_test.go | 4 ++--
 test/integration/package_deduplication_test.go | 6 +++---
 .../regression_apk_scanner_buffer_size_test.go | 2 +-
 .../regression_go_bin_scanner_arch_test.go | 2 +-
 test/integration/rust_audit_binary_test.go | 2 +-
 test/integration/sbom_cataloger_test.go | 2 +-
 test/integration/sqlite_rpmdb_test.go | 2 +-
 test/integration/utils_test.go | 4 ++--
 34 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/cmd/syft/cli/eventloop/tasks.go b/cmd/syft/cli/eventloop/tasks.go
index b610c86cec8..56bbcc93535 100644
--- a/cmd/syft/cli/eventloop/tasks.go
+++ b/cmd/syft/cli/eventloop/tasks.go
@@ -47,7 +47,7 @@ func generateCatalogPackagesTask(app *config.Application) (Task, error) { task := func(results *sbom.Artifacts, src *source.Source) ([]artifact.Relationship, error) { packageCatalog, relationships, theDistro, err := syft.CatalogPackages(src, app.ToCatalogerConfig()) - results.PackageCatalog = packageCatalog + results.Packages = packageCatalog results.LinuxDistribution = theDistro return relationships, err
diff --git a/syft/formats/common/cyclonedxhelpers/decoder.go b/syft/formats/common/cyclonedxhelpers/decoder.go
index 9cb3a016157..727c668a403 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -54,7 +54,7 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) { s := &sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkg.NewCollection(), + Packages: pkg.NewCollection(), LinuxDistribution: linuxReleaseFromComponents(*bom.Components), }, Source: extractComponents(bom.Metadata),
@@ -95,7 +95,7 @@ func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[str } // TODO there must be a better way than needing to call this manually: p.SetID() - s.Artifacts.PackageCatalog.Add(*p) + s.Artifacts.Packages.Add(*p) } if component.Components != nil {
diff --git a/syft/formats/common/cyclonedxhelpers/decoder_test.go b/syft/formats/common/cyclonedxhelpers/decoder_test.go
index 70f648e78a2..4daa4f8c8b8 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder_test.go
@@ -210,7 +210,7 @@ func Test_decode(t *testing.T) { assert.Equal(t, e.ver, sbom.Artifacts.LinuxDistribution.VersionID) } if e.pkg != "" { - for p := range sbom.Artifacts.PackageCatalog.Enumerate() { + for p := range sbom.Artifacts.Packages.Enumerate() { if e.pkg != p.Name { continue }
@@ -238,7 +238,7 @@ func Test_decode(t *testing.T) { if e.relation != "" { foundRelation := false for _, r := range sbom.Relationships { - p := sbom.Artifacts.PackageCatalog.Package(r.To.ID()) + p := sbom.Artifacts.Packages.Package(r.To.ID()) if e.relation == p.Name { foundRelation = true break
diff --git a/syft/formats/common/cyclonedxhelpers/format.go b/syft/formats/common/cyclonedxhelpers/format.go
index 0894d67b36e..2facf558d92 100644
--- a/syft/formats/common/cyclonedxhelpers/format.go
+++ b/syft/formats/common/cyclonedxhelpers/format.go
@@ -25,7 +25,7 @@ func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM { cdxBOM.SerialNumber = uuid.New().URN() cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source) - packages := s.Artifacts.PackageCatalog.Sorted() + packages := s.Artifacts.Packages.Sorted() components := make([]cyclonedx.Component, len(packages)) for i, p := range packages { components[i] = encodeComponent(p)
diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go
index 266478f8dc4..3f88e07c8a2 100644
--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -123,10 +123,10 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document { // Cardinality: optional, one CreatorComment: "", }, - Packages: toPackages(s.Artifacts.PackageCatalog, s), + Packages: toPackages(s.Artifacts.Packages, s), Files: toFiles(s), Relationships: relationships, - OtherLicenses: toOtherLicenses(s.Artifacts.PackageCatalog), + OtherLicenses: toOtherLicenses(s.Artifacts.Packages), } }
diff --git a/syft/formats/common/spdxhelpers/to_syft_model.go b/syft/formats/common/spdxhelpers/to_syft_model.go
index afd5dd59591..aa03ce99610 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model.go
@@ -33,7 +33,7 @@ func ToSyftModel(doc *spdx.Document) (*sbom.SBOM, error) { s := &sbom.SBOM{ Source: src, Artifacts: sbom.Artifacts{ - PackageCatalog: pkg.NewCollection(), + Packages: pkg.NewCollection(), FileMetadata: map[source.Coordinates]source.FileMetadata{}, FileDigests: map[source.Coordinates][]file.Digest{}, LinuxDistribution: findLinuxReleaseByPURL(doc),
@@ -110,7 +110,7 @@ func collectSyftPackages(s *sbom.SBOM, spdxIDMap map[string]interface{}, doc *sp for _, p := range doc.Packages { syftPkg := toSyftPackage(p) spdxIDMap[string(p.PackageSPDXIdentifier)] = syftPkg - s.Artifacts.PackageCatalog.Add(*syftPkg) + s.Artifacts.Packages.Add(*syftPkg) } }
diff --git a/syft/formats/common/spdxhelpers/to_syft_model_test.go b/syft/formats/common/spdxhelpers/to_syft_model_test.go
index b7dbadb4b61..a4b5c1e81d9 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model_test.go
@@ -91,7 +91,7 @@ func TestToSyftModel(t *testing.T) { assert.NotNil(t, sbom) - pkgs := sbom.Artifacts.PackageCatalog.Sorted() + pkgs := sbom.Artifacts.Packages.Sorted() assert.Len(t, pkgs, 2)
diff --git a/syft/formats/cyclonedxjson/decoder_test.go b/syft/formats/cyclonedxjson/decoder_test.go
index e561ff13757..f969732a160 100644
--- a/syft/formats/cyclonedxjson/decoder_test.go
+++ b/syft/formats/cyclonedxjson/decoder_test.go
@@ -57,7 +57,7 @@ func Test_decodeJSON(t *testing.T) { split = strings.SplitN(pkg, ":", 2) name = split[0] version = split[1] - for p := range bom.Artifacts.PackageCatalog.Enumerate() { + for p := range bom.Artifacts.Packages.Enumerate() { if p.Name == name { assert.Equal(t, version, p.Version) continue pkgs
diff --git a/syft/formats/cyclonedxxml/decoder_test.go b/syft/formats/cyclonedxxml/decoder_test.go
index 7a664333995..ca0622abc52 100644
--- a/syft/formats/cyclonedxxml/decoder_test.go
+++ b/syft/formats/cyclonedxxml/decoder_test.go
@@ -57,7 +57,7 @@ func Test_decodeXML(t *testing.T) { split = strings.SplitN(pkg, ":", 2) name = split[0] version = split[1] - for p := range bom.Artifacts.PackageCatalog.Enumerate() { + for p := range bom.Artifacts.Packages.Enumerate() { if p.Name == name { assert.Equal(t, version, p.Version) continue pkgs
diff --git a/syft/formats/github/encoder.go b/syft/formats/github/encoder.go
index 6a2b2b66bed..e03c7f504de 100644
--- a/syft/formats/github/encoder.go
+++ b/syft/formats/github/encoder.go
@@ -107,7 +107,7 @@ func toPath(s source.Metadata, p pkg.Package) string { func toGithubManifests(s *sbom.SBOM) Manifests { manifests := map[string]*Manifest{} - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { path := toPath(s.Source, p) manifest, ok := manifests[path] if !ok {
diff --git a/syft/formats/github/encoder_test.go b/syft/formats/github/encoder_test.go
index 427f6246774..ba405dad63c 100644
--- a/syft/formats/github/encoder_test.go
+++ b/syft/formats/github/encoder_test.go
@@ -28,7 +28,7 @@ func Test_toGithubModel(t *testing.T) { VersionID: "18.04", IDLike: []string{"debian"}, }, - PackageCatalog: pkg.NewCollection(), + Packages: pkg.NewCollection(), }, } for _, p := range []pkg.Package{
@@ -71,7 +71,7 @@ func Test_toGithubModel(t *testing.T) { nil, "", ).ToString() - s.Artifacts.PackageCatalog.Add(p) + s.Artifacts.Packages.Add(p) } actual := toGithubModel(&s)
diff --git a/syft/formats/internal/testutils/utils.go b/syft/formats/internal/testutils/utils.go
index 8014d3fdb90..b72ccfa6f9a 100644
--- a/syft/formats/internal/testutils/utils.go
+++ b/syft/formats/internal/testutils/utils.go
@@ -119,7 +119,7 @@ func ImageInput(t testing.TB, testImage string, options ...ImageOption) sbom.SBO return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, LinuxDistribution: &linux.Release{ PrettyName: "debian", Name: "debian",
@@ -200,7 +200,7 @@ func DirectoryInput(t testing.TB) sbom.SBOM { return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, LinuxDistribution: &linux.Release{ PrettyName: "debian", Name: "debian",
@@ -231,7 +231,7 @@ func DirectoryInputWithAuthorField(t testing.TB) sbom.SBOM { return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, LinuxDistribution: &linux.Release{ PrettyName: "debian", Name: "debian",
@@ -359,7 +359,7 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection { //nolint:gosec func AddSampleFileRelationships(s *sbom.SBOM) { - catalog := s.Artifacts.PackageCatalog.Sorted() + catalog := s.Artifacts.Packages.Sorted() s.Artifacts.FileMetadata = map[source.Coordinates]source.FileMetadata{} files := []string{"/f1", "/f2", "/d1/f3", "/d2/f4", "/z1/f5", "/a1/f6"}
diff --git a/syft/formats/spdxjson/decoder_test.go b/syft/formats/spdxjson/decoder_test.go
index 574fb0ba2d9..58602b9d27f 100644
--- a/syft/formats/spdxjson/decoder_test.go
+++ b/syft/formats/spdxjson/decoder_test.go
@@ -73,11 +73,11 @@ func TestSPDXJSONDecoder(t *testing.T) { } if test.packages != nil { - assert.Equal(t, sbom.Artifacts.PackageCatalog.PackageCount(), len(test.packages)) + assert.Equal(t, sbom.Artifacts.Packages.PackageCount(), len(test.packages)) packages: for _, pkgName := range test.packages { - for _, p := range sbom.Artifacts.PackageCatalog.Sorted() { + for _, p := range sbom.Artifacts.Packages.Sorted() { if p.Name == pkgName { continue packages }
diff --git a/syft/formats/spdxtagvalue/encoder_test.go b/syft/formats/spdxtagvalue/encoder_test.go
index 1623dfed02e..5d95f639799 100644
--- a/syft/formats/spdxtagvalue/encoder_test.go
+++ b/syft/formats/spdxtagvalue/encoder_test.go
@@ -49,7 +49,7 @@ func TestSPDXJSONSPDXIDs(t *testing.T) { Format(), sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkg.NewCollection(pkgs...), + Packages: pkg.NewCollection(pkgs...), }, Relationships: nil, Source: source.Metadata{
diff --git a/syft/formats/syftjson/decoder_test.go b/syft/formats/syftjson/decoder_test.go
index 06d41711dad..de9ab7bcf7c 100644
--- a/syft/formats/syftjson/decoder_test.go
+++ b/syft/formats/syftjson/decoder_test.go
@@ -29,8 +29,8 @@ func TestEncodeDecodeCycle(t *testing.T) { t.Errorf("metadata difference: %+v", d) } - actualPackages := actualSBOM.Artifacts.PackageCatalog.Sorted() - for idx, p := range originalSBOM.Artifacts.PackageCatalog.Sorted() { + actualPackages := actualSBOM.Artifacts.Packages.Sorted() + for idx, p := range originalSBOM.Artifacts.Packages.Sorted() { if !assert.Equal(t, p.Name, actualPackages[idx].Name) { t.Errorf("different package at idx=%d: %s vs %s", idx, p.Name, actualPackages[idx].Name) continue
diff --git a/syft/formats/syftjson/encoder_test.go b/syft/formats/syftjson/encoder_test.go
index de8663ef983..6f627baf6ef 100644
--- a/syft/formats/syftjson/encoder_test.go
+++ b/syft/formats/syftjson/encoder_test.go
@@ -100,7 +100,7 @@ func TestEncodeFullJSONDocument(t *testing.T) { s := sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, FileMetadata: map[source.Coordinates]source.FileMetadata{ source.NewLocation("/a/place").Coordinates: { Mode: 0775,
diff --git a/syft/formats/syftjson/to_format_model.go b/syft/formats/syftjson/to_format_model.go
index 685fa210498..c242b4eef9e 100644
--- a/syft/formats/syftjson/to_format_model.go
+++ b/syft/formats/syftjson/to_format_model.go
@@ -26,7 +26,7 @@ func ToFormatModel(s sbom.SBOM) model.Document { } return model.Document{ - Artifacts: toPackageModels(s.Artifacts.PackageCatalog), + Artifacts: toPackageModels(s.Artifacts.Packages), ArtifactRelationships: toRelationshipModel(s.Relationships), Files: toFile(s), Secrets: toSecrets(s.Artifacts.Secrets),
diff --git a/syft/formats/syftjson/to_syft_model.go b/syft/formats/syftjson/to_syft_model.go
index b81a0043f2e..cbc03726f58 100644
--- a/syft/formats/syftjson/to_syft_model.go
+++ b/syft/formats/syftjson/to_syft_model.go
@@ -28,7 +28,7 @@ func toSyftModel(doc model.Document) (*sbom.SBOM, error) { return &sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, FileMetadata: fileArtifacts.FileMetadata, FileDigests: fileArtifacts.FileDigests, LinuxDistribution: toSyftLinuxRelease(doc.Distro),
diff --git a/syft/formats/syftjson/to_syft_model_test.go b/syft/formats/syftjson/to_syft_model_test.go
index b3dcc2cffa3..6a42d468a42 100644
--- a/syft/formats/syftjson/to_syft_model_test.go
+++ b/syft/formats/syftjson/to_syft_model_test.go
@@ -119,11 +119,11 @@ func Test_idsHaveChanged(t *testing.T) { r := s.Relationships[0] - from := s.Artifacts.PackageCatalog.Package(r.From.ID()) + from := s.Artifacts.Packages.Package(r.From.ID()) assert.NotNil(t, from) assert.Equal(t, "pkg-1", from.Name) - to := s.Artifacts.PackageCatalog.Package(r.To.ID()) + to := s.Artifacts.Packages.Package(r.To.ID()) assert.NotNil(t, to) assert.Equal(t, "pkg-2", to.Name) }
diff --git a/syft/formats/table/encoder.go b/syft/formats/table/encoder.go
index 458d6eb6d60..7b6c817b7f2 100644
--- a/syft/formats/table/encoder.go
+++ b/syft/formats/table/encoder.go
@@ -15,7 +15,7 @@ func encoder(output io.Writer, s sbom.SBOM) error { var rows [][]string columns := []string{"Name", "Version", "Type"} - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { row := []string{ p.Name, p.Version,
diff --git a/syft/formats/text/encoder.go b/syft/formats/text/encoder.go
index 49619346e8b..d16ef17989a 100644
--- a/syft/formats/text/encoder.go
+++ b/syft/formats/text/encoder.go
@@ -34,7 +34,7 @@ func encoder(output io.Writer, s sbom.SBOM) error { // populate artifacts... rows := 0 - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { fmt.Fprintf(w, "[%s]\n", p.Name) fmt.Fprintln(w, " Version:\t", p.Version) fmt.Fprintln(w, " Type:\t", string(p.Type))
diff --git a/syft/pkg/cataloger/sbom/cataloger.go b/syft/pkg/cataloger/sbom/cataloger.go
index 17e6618e6cd..3b7f9c14bec 100644
--- a/syft/pkg/cataloger/sbom/cataloger.go
+++ b/syft/pkg/cataloger/sbom/cataloger.go
@@ -42,7 +42,7 @@ func parseSBOM(_ source.FileResolver, _ *generic.Environment, reader source.Loca var pkgs []pkg.Package var relationships []artifact.Relationship - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { // replace all locations on the package with the location of the SBOM file. // Why not keep the original list of locations? Since the "locations" field is meant to capture // where there is evidence of this file, and the catalogers have not run against any file other than,
diff --git a/syft/sbom/sbom.go b/syft/sbom/sbom.go
index 582f7280994..68f1b960152 100644
--- a/syft/sbom/sbom.go
+++ b/syft/sbom/sbom.go
@@ -20,7 +20,7 @@ type SBOM struct { } type Artifacts struct { - PackageCatalog *pkg.Collection + Packages *pkg.Collection FileMetadata map[source.Coordinates]source.FileMetadata FileDigests map[source.Coordinates][]file.Digest FileContents map[source.Coordinates]string
diff --git a/test/integration/all_layers_squashed_comparison_test.go b/test/integration/all_layers_squashed_comparison_test.go
index 419fe7071c9..39973cbfaa3 100644
--- a/test/integration/all_layers_squashed_comparison_test.go
+++ b/test/integration/all_layers_squashed_comparison_test.go
@@ -11,8 +11,8 @@ func Test_AllLayersIncludesSquashed(t *testing.T) { allLayers, _ := catalogFixtureImage(t, "image-suse-all-layers", source.AllLayersScope, nil) squashed, _ := catalogFixtureImage(t, "image-suse-all-layers", source.SquashedScope, nil) - lenAllLayers := len(allLayers.Artifacts.PackageCatalog.Sorted()) - lenSquashed := len(squashed.Artifacts.PackageCatalog.Sorted()) + lenAllLayers := len(allLayers.Artifacts.Packages.Sorted()) + lenSquashed := len(squashed.Artifacts.Packages.Sorted()) if lenAllLayers < lenSquashed { t.Errorf("squashed has more packages than all-layers: %d > %d", lenSquashed, lenAllLayers)
diff --git a/test/integration/catalog_packages_test.go b/test/integration/catalog_packages_test.go
index e958d982b2d..7819889385f 100644
--- a/test/integration/catalog_packages_test.go
+++ b/test/integration/catalog_packages_test.go
@@ -100,7 +100,7 @@ func TestPkgCoverageImage(t *testing.T) { t.Run(c.name, func(t *testing.T) { pkgCount := 0 - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { if a.Language.String() != "" { observedLanguages.Add(a.Language.String()) }
@@ -127,7 +127,7 @@ func TestPkgCoverageImage(t *testing.T) { if pkgCount != len(c.pkgInfo)+c.duplicates { t.Logf("Discovered packages of type %+v", c.pkgType) - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { t.Log(" ", a) } t.Fatalf("unexpected package count: %d!=%d", pkgCount, len(c.pkgInfo))
@@ -176,7 +176,7 @@ func TestPkgCoverageDirectory(t *testing.T) { t.Run(test.name, func(t *testing.T) { actualPkgCount := 0 - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(test.pkgType) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(test.pkgType) { observedLanguages.Add(actualPkg.Language.String()) observedPkgs.Add(string(actualPkg.Type))
@@ -207,7 +207,7 @@ func TestPkgCoverageDirectory(t *testing.T) { } if actualPkgCount != len(test.pkgInfo)+test.duplicates { - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(test.pkgType) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(test.pkgType) { t.Log(" ", actualPkg) } t.Fatalf("unexpected package count: %d!=%d", actualPkgCount, len(test.pkgInfo))
@@ -246,7 +246,7 @@ func TestPkgCoverageCatalogerConfiguration(t *testing.T) { definedLanguages := internal.NewStringSet() definedLanguages.Add("rust") - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate() { + for actualPkg := range sbom.Artifacts.Packages.Enumerate() { observedLanguages.Add(actualPkg.Language.String()) }
@@ -270,7 +270,7 @@ func TestPkgCoverageImage_HasEvidence(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { assert.NotEmpty(t, a.Locations.ToSlice(), "package %q has no locations (type=%q)", a.Name, a.Type) for _, l := range a.Locations.ToSlice() { if _, exists := l.Annotations[pkg.EvidenceAnnotationKey]; !exists {
@@ -300,7 +300,7 @@ func TestPkgCoverageDirectory_HasEvidence(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { assert.NotEmpty(t, a.Locations.ToSlice(), "package %q has no locations (type=%q)", a.Name, a.Type) for _, l := range a.Locations.ToSlice() { if _, exists := l.Annotations[pkg.EvidenceAnnotationKey]; !exists {
diff --git a/test/integration/mariner_distroless_test.go b/test/integration/mariner_distroless_test.go
index b54c1c073d9..95c457cea84 100644
--- a/test/integration/mariner_distroless_test.go
+++ b/test/integration/mariner_distroless_test.go
@@ -12,7 +12,7 @@ func TestMarinerDistroless(t *testing.T) { expectedPkgs := 12 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RpmPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RpmPkg) { actualPkgs += 1 }
diff --git a/test/integration/node_packages_test.go b/test/integration/node_packages_test.go
index 071b96a56fc..b26725ea435 100644
--- a/test/integration/node_packages_test.go
+++ b/test/integration/node_packages_test.go
@@ -14,7 +14,7 @@ func TestNpmPackageLockDirectory(t *testing.T) { foundPackages := internal.NewStringSet() - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.NpmPkg) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(pkg.NpmPkg) { for _, actualLocation := range actualPkg.Locations.ToSlice() { if strings.Contains(actualLocation.RealPath, "node_modules") { t.Errorf("found packages from package-lock.json in node_modules: %s", actualLocation)
@@ -36,7 +36,7 @@ func TestYarnPackageLockDirectory(t *testing.T) { foundPackages := internal.NewStringSet() expectedPackages := internal.NewStringSet("async@0.9.2", "async@3.2.3", "merge-objects@1.0.5", "should-type@1.3.0", "@4lolo/resize-observer-polyfill@1.5.2") - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.NpmPkg) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(pkg.NpmPkg) { for _, actualLocation := range actualPkg.Locations.ToSlice() { if strings.Contains(actualLocation.RealPath, "node_modules") { t.Errorf("found packages from yarn.lock in node_modules: %s", actualLocation)
diff --git a/test/integration/package_deduplication_test.go b/test/integration/package_deduplication_test.go
index 1d33062d53b..912267f1273 100644
--- a/test/integration/package_deduplication_test.go
+++ b/test/integration/package_deduplication_test.go
@@ -65,15 +65,15 @@ func TestPackageDeduplication(t *testing.T) { t.Run(string(tt.scope), func(t *testing.T) { sbom, _ := catalogFixtureImage(t, "image-vertical-package-dups", tt.scope, nil) - for _, p := range sbom.Artifacts.PackageCatalog.Sorted() { + for _, p := range sbom.Artifacts.Packages.Sorted() { if p.Type == pkg.BinaryPkg { assert.NotEmpty(t, p.Name) } } - assert.Equal(t, tt.packageCount, sbom.Artifacts.PackageCatalog.PackageCount()) + assert.Equal(t, tt.packageCount, sbom.Artifacts.Packages.PackageCount()) for name, expectedInstanceCount := range tt.instanceCount { - pkgs := sbom.Artifacts.PackageCatalog.PackagesByName(name) + pkgs := sbom.Artifacts.Packages.PackagesByName(name) // with multiple packages with the same name, something is wrong (or this is the wrong fixture) require.Len(t, pkgs, expectedInstanceCount)
diff --git a/test/integration/regression_apk_scanner_buffer_size_test.go b/test/integration/regression_apk_scanner_buffer_size_test.go
index a04cbe3e64c..3549d52ee14 100644
--- a/test/integration/regression_apk_scanner_buffer_size_test.go
+++ b/test/integration/regression_apk_scanner_buffer_size_test.go
@@ -14,7 +14,7 @@ func TestRegression212ApkBufferSize(t *testing.T) { expectedPkgs := 58 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.ApkPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.ApkPkg) { actualPkgs += 1 }
diff --git a/test/integration/regression_go_bin_scanner_arch_test.go b/test/integration/regression_go_bin_scanner_arch_test.go
index 2465d5dabd1..8a51a9a77f2 100644
--- a/test/integration/regression_go_bin_scanner_arch_test.go
+++ b/test/integration/regression_go_bin_scanner_arch_test.go
@@ -20,7 +20,7 @@ func TestRegressionGoArchDiscovery(t *testing.T) { var actualELF, actualWIN, actualMACOS int - for p := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.GoModulePkg) { + for p := range sbom.Artifacts.Packages.Enumerate(pkg.GoModulePkg) { for _, l := range p.Locations.ToSlice() { switch { case strings.Contains(l.RealPath, "elf"): diff --git a/test/integration/rust_audit_binary_test.go b/test/integration/rust_audit_binary_test.go index d97c9c73887..57baf46af36 100644 --- a/test/integration/rust_audit_binary_test.go +++ b/test/integration/rust_audit_binary_test.go @@ -12,7 +12,7 @@ func TestRustAudit(t *testing.T) { expectedPkgs := 2 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RustPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RustPkg) { actualPkgs += 1 } diff --git a/test/integration/sbom_cataloger_test.go b/test/integration/sbom_cataloger_test.go index f7be5416431..6faebbd13d9 100644 --- a/test/integration/sbom_cataloger_test.go +++ b/test/integration/sbom_cataloger_test.go @@ -17,7 +17,7 @@ func TestSbomCataloger(t *testing.T) { expectedGoModCatalogerPkgs := 2 actualSbomPkgs := 0 actualGoModPkgs := 0 - for pkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.GoModulePkg) { + for pkg := range sbom.Artifacts.Packages.Enumerate(pkg.GoModulePkg) { if pkg.FoundBy == "go-mod-file-cataloger" { actualGoModPkgs += 1 } else if pkg.FoundBy == "sbom-cataloger" { diff --git a/test/integration/sqlite_rpmdb_test.go b/test/integration/sqlite_rpmdb_test.go index c151b4b6e62..fd3dfa98a01 100644 --- a/test/integration/sqlite_rpmdb_test.go +++ b/test/integration/sqlite_rpmdb_test.go @@ -16,7 +16,7 @@ func TestSqliteRpm(t *testing.T) { expectedPkgs := 139 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RpmPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RpmPkg) { actualPkgs += 1 } diff --git a/test/integration/utils_test.go b/test/integration/utils_test.go index 693d057c010..77f50045051 100644 
--- a/test/integration/utils_test.go +++ b/test/integration/utils_test.go @@ -33,7 +33,7 @@ func catalogFixtureImage(t *testing.T, fixtureImageName string, scope source.Sco return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkgCatalog, + Packages: pkgCatalog, LinuxDistribution: actualDistro, }, Relationships: relationships, @@ -68,7 +68,7 @@ func catalogDirectory(t *testing.T, dir string) (sbom.SBOM, *source.Source) { return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkgCatalog, + Packages: pkgCatalog, LinuxDistribution: actualDistro, }, Relationships: relationships, From dd458a2b33257643e8880cc6bc013c184874f5d6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 May 2023 16:43:16 -0400 Subject: [PATCH 3/6] chore(deps): bump github.com/docker/docker (#1767) Bumps [github.com/docker/docker](https://github.com/docker/docker) from 23.0.4+incompatible to 23.0.5+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v23.0.4...v23.0.5) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index d441608bde9..22d2105c939 100644 --- a/go.mod +++ b/go.mod @@ -54,7 +54,7 @@ require ( github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8 github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da - github.com/docker/docker v23.0.4+incompatible + github.com/docker/docker v23.0.5+incompatible github.com/go-git/go-billy/v5 v5.4.1 github.com/go-git/go-git/v5 v5.6.1 github.com/google/go-containerregistry v0.14.0 
diff --git a/go.sum b/go.sum index 06b350e0092..4c377bef6c9 100644 --- a/go.sum +++ b/go.sum @@ -165,8 +165,8 @@ github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek= -github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k= +github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= From 95a04cadea725be77c221d9bba340de82fad99a7 Mon Sep 17 00:00:00 2001 From: Filip Pytloun Date: Tue, 2 May 2023 22:43:52 +0200 Subject: [PATCH 4/6] Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756) Fixes: https://github.com/anchore/syft/issues/1755 
Signed-off-by: Filip Pytloun Co-authored-by: Alex Goodman --- syft/pkg/cataloger/rpm/cataloger_test.go | 3 +++ .../rpm/test-fixtures/glob-paths/usr/share/rpm/Packages | 1 + .../rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db | 1 + .../rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite | 1 + syft/pkg/rpm_metadata.go | 4 +++- 5 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages create mode 100644 syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db create mode 100644 syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite diff --git a/syft/pkg/cataloger/rpm/cataloger_test.go b/syft/pkg/cataloger/rpm/cataloger_test.go index ca8907e2101..92b920532cd 100644 --- a/syft/pkg/cataloger/rpm/cataloger_test.go +++ b/syft/pkg/cataloger/rpm/cataloger_test.go @@ -16,6 +16,9 @@ func Test_DBCataloger_Globs(t *testing.T) { name: "obtain DB files", fixture: "test-fixtures/glob-paths", expected: []string{ + "usr/share/rpm/Packages", + "usr/share/rpm/Packages.db", + "usr/share/rpm/rpmdb.sqlite", "var/lib/rpm/Packages", "var/lib/rpm/Packages.db", "var/lib/rpm/rpmdb.sqlite", diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages new file mode 100644 index 00000000000..882b6040c5d --- /dev/null +++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages @@ -0,0 +1 @@ +bogus \ No newline at end of file diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db new file mode 100644 index 00000000000..882b6040c5d --- /dev/null +++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db @@ -0,0 +1 @@ +bogus \ No newline at end of file 
diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite new file mode 100644 index 00000000000..882b6040c5d --- /dev/null +++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite @@ -0,0 +1 @@ +bogus \ No newline at end of file diff --git a/syft/pkg/rpm_metadata.go b/syft/pkg/rpm_metadata.go index 1491b4900d7..899147d1765 100644 --- a/syft/pkg/rpm_metadata.go +++ b/syft/pkg/rpm_metadata.go @@ -8,10 +8,12 @@ import ( "github.com/anchore/syft/syft/file" ) +// /var/lib/rpm/... is the typical path for most distributions +// /usr/share/rpm/... is common for rpm-ostree distributions (coreos-like) // Packages is the legacy Berkely db based format // Packages.db is the "ndb" format used in SUSE // rpmdb.sqlite is the sqlite format used in fedora + derivates -const RpmDBGlob = "**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}" +const RpmDBGlob = "**/{var/lib,usr/share}/rpm/{Packages,Packages.db,rpmdb.sqlite}" // Used in CBL-Mariner distroless images const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2" From 645206735e5e56884a699417262428aeebc68197 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 2 May 2023 16:52:18 -0400 Subject: [PATCH 5/6] chore: add more detail on SPDX file IDs (#1769) --- .../common/spdxhelpers/to_format_model.go | 26 ++++++++++-- .../spdxhelpers/to_format_model_test.go | 41 ++++++++++++++++++ .../TestSPDXJSONDirectoryEncoder.golden | 6 +-- .../snapshot/TestSPDXJSONImageEncoder.golden | 6 +-- .../snapshot/TestSPDXRelationshipOrder.golden | 30 ++++++------- .../snapshot/TestSPDXJSONSPDXIDs.golden | 6 +-- .../snapshot/TestSPDXRelationshipOrder.golden | 42 +++++++++---------- .../TestSPDXTagValueDirectoryEncoder.golden | 6 +-- .../TestSPDXTagValueImageEncoder.golden | 6 +-- 9 files changed, 114 insertions(+), 55 deletions(-) 
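Review bot: The widened `RpmDBGlob` can match the same rpm database through two paths on rpm-ostree images, where `/var/lib/rpm` is commonly a symlink to `/usr/share/rpm`; whether that yields duplicate packages depends on how the file resolver treats symlinked directories, which is outside this hunk. Test_DBCataloger_Globs in the earlier hunk only checks that both literal paths are found, so a fixture in which one directory is a symlink to the other would pin the intended behavior. The new comment could record that expectation next to the glob, e.g. `// NOTE: on rpm-ostree systems /var/lib/rpm is commonly a symlink to /usr/share/rpm; confirm the resolver does not catalog the same DB twice`.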
diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go index 3f88e07c8a2..a6877bcaa3a 100644 --- a/syft/formats/common/spdxhelpers/to_format_model.go +++ b/syft/formats/common/spdxhelpers/to_format_model.go @@ -4,6 +4,7 @@ package spdxhelpers import ( "crypto/sha1" "fmt" + "path" "sort" "strings" "time" @@ -131,13 +132,30 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document { } func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID { + maxLen := 40 id := "" - if p, ok := identifiable.(pkg.Package); ok { - id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID())) - } else { + switch it := identifiable.(type) { + case pkg.Package: + id = SanitizeElementID(fmt.Sprintf("Package-%s-%s-%s", it.Type, it.Name, it.ID())) + case source.Coordinates: + p := "" + parts := strings.Split(it.RealPath, "/") + for i := len(parts); i > 0; i-- { + part := parts[i-1] + if len(part) == 0 { + continue + } + if i < len(parts) && len(p)+len(part)+3 > maxLen { + p = "..." + p + break + } + p = path.Join(part, p) + } + id = SanitizeElementID(fmt.Sprintf("File-%s-%s", p, it.ID())) + default: id = string(identifiable.ID()) } - // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here + // NOTE: the spdx library prepend SPDXRef-, so we don't do it here return spdx.ElementID(id) } diff --git a/syft/formats/common/spdxhelpers/to_format_model_test.go b/syft/formats/common/spdxhelpers/to_format_model_test.go index 7002b90ef6a..f0b4f42ced8 100644 --- a/syft/formats/common/spdxhelpers/to_format_model_test.go +++ b/syft/formats/common/spdxhelpers/to_format_model_test.go @@ -2,6 +2,7 @@ package spdxhelpers import ( "fmt" + "regexp" "testing" "github.com/spdx/tools-golang/spdx" 
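Review bot: The rewritten NOTE on the last changed line reads `the spdx library prepend SPDXRef-`; the line it replaced was grammatical, so it should be `// NOTE: the spdx library prepends SPDXRef-, so we don't do it here`. toSPDXID now produces three distinct ID shapes and has no doc comment; something like `// toSPDXID builds the SPDX element ID: Package-<type>-<name>-<id> for packages, File-<truncated path>-<id> for coordinates, otherwise the bare artifact ID` would help readers of the golden files. `maxLen := 40` bounds only the path fragment (the `File-` prefix and the ID suffix are added on top), which is worth stating beside the constant, and a package-level const would be easier to find than a local. The `...` marker is concatenated without a separator, so after sanitization a truncated `/a/lot/...` path renders as `...a-lot-...` (the new test expects exactly that); if intentional, a one-line comment at `p = "..." + p` would stop the next reader from "fixing" it.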
@@ -501,3 +502,43 @@ func Test_OtherLicenses(t *testing.T) { }) } } + +func Test_toSPDXID(t *testing.T) { + tests := []struct { + name string + it artifact.Identifiable + expected string + }{ + { + name: "short filename", + it: source.Coordinates{ + RealPath: "/short/path/file.txt", + }, + expected: "File-short-path-file.txt", + }, + { + name: "long filename", + it: source.Coordinates{ + RealPath: "/some/long/path/with/a/lot/of-text/that-contains-a/file.txt", + }, + expected: "File-...a-lot-of-text-that-contains-a-file.txt", + }, + { + name: "package", + it: pkg.Package{ + Type: pkg.NpmPkg, + Name: "some-package", + }, + expected: "Package-npm-some-package", + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + got := string(toSPDXID(test.it)) + // trim the hash + got = regexp.MustCompile(`-[a-z0-9]*$`).ReplaceAllString(got, "") + require.Equal(t, test.expected, got) + }) + } +} diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index 4ef14120dfe..60e4c4f49fa 100644 --- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -3,14 +3,14 @@ "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/some/path", - "documentNamespace": "https://anchore.com/syft/dir/some/path-1fe34646-a616-48c7-974b-3d1e27d406e3", + "documentNamespace": "https://anchore.com/syft/dir/some/path-4029b5ec-6d70-4c0c-aedf-b61c8f5ea93c", "creationInfo": { - "licenseListVersion": "3.19", + "licenseListVersion": "3.20", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "created": "2023-01-20T21:41:03Z" + "created": "2023-05-02T18:24:17Z" }, "packages": [ { 
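Review bot: The regular expression in the subtest body is recompiled for every table entry; hoist it above the loop as `hashSuffix := regexp.MustCompile(`-[a-z0-9]*$`)` (or to package scope) and use it inside the closure. RealPath originates in scanned content and the File ID is presumably only well-formed because of SanitizeElementID, so a case with characters outside the SPDX ID alphabet (spaces, `@`, non-ASCII) and a case with an empty RealPath would exercise the sanitization path rather than only the truncation logic. Note also that the trimming regex matches an empty trailing segment, so an ID whose hash part came out empty would still satisfy these assertions.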
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 8a5214f293f..51eab30a6b7 100644 --- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -3,14 +3,14 @@ "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "user-image-input", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-33759ac3-6006-4f2c-bdc4-f40b9287a7f0", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-6b0c6ff8-0f5f-4d95-8c1b-eb966d400804", "creationInfo": { - "licenseListVersion": "3.19", + "licenseListVersion": "3.20", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "created": "2023-01-20T21:41:03Z" + "created": "2023-05-02T18:24:18Z" }, "packages": [ { diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 9e8e1453cc1..74481255a51 100644 --- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -3,14 +3,14 @@ "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "user-image-input", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-ce98f51f-b483-4e93-9a15-5a8a16d35de6", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-ec2f9b25-22ca-46b8-b7f4-484994fe126c", "creationInfo": { - "licenseListVersion": "3.19", + "licenseListVersion": "3.20", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "created": "2023-01-20T21:41:03Z" + "created": "2023-05-02T18:24:18Z" }, "packages": [ { 
@@ -61,7 +61,7 @@ "files": [ { "fileName": "/a1/f6", - "SPDXID": "SPDXRef-9c2f7510199b17f6", + "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6", "fileTypes": [ "OTHER" ], @@ -76,7 +76,7 @@ }, { "fileName": "/d1/f3", - "SPDXID": "SPDXRef-c6f5b29dca12661f", + "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f", "fileTypes": [ "OTHER" ], @@ -91,7 +91,7 @@ }, { "fileName": "/d2/f4", - "SPDXID": "SPDXRef-c641caa71518099f", + "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f", "fileTypes": [ "OTHER" ], @@ -106,7 +106,7 @@ }, { "fileName": "/f1", - "SPDXID": "SPDXRef-5265a4dde3edbf7c", + "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c", "fileTypes": [ "OTHER" ], @@ -121,7 +121,7 @@ }, { "fileName": "/f2", - "SPDXID": "SPDXRef-f9e49132a4b96ccd", + "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd", "fileTypes": [ "OTHER" ], @@ -136,7 +136,7 @@ }, { "fileName": "/z1/f5", - "SPDXID": "SPDXRef-839d99ee67d9d174", + "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174", "fileTypes": [ "OTHER" ], 
@@ -153,32 +153,32 @@ "relationships": [ { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-5265a4dde3edbf7c", + "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-839d99ee67d9d174", + "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6", + "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-c641caa71518099f", + "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f", + "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6", - "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd", + "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd", "relationshipType": "CONTAINS" }, { diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index c017916c28f..6a7e5f7bb02 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden 
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: foobar/baz -DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-478e410d-7fad-472c-b4e9-a4068ef28160 -LicenseListVersion: 3.19 +DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-9c1f31fb-7c72-40a6-8c81-3a08590000a2 +LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-12-21T03:39:05Z +Created: 2023-05-02T18:24:33Z ##### Package: @at-sign diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 94cd399de23..b9fd089b4e3 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden 
@@ -2,46 +2,46 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-73433e8c-364f-42b6-b5b7-9a4da8799868 -LicenseListVersion: 3.19 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-5be37b11-b99a-47ff-8725-3984e323d129 +LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-12-21T03:39:05Z +Created: 2023-05-02T18:24:33Z ##### Unpackaged files -FileName: /f1 -SPDXID: SPDXRef-5265a4dde3edbf7c +FileName: /a1/f6 +SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /z1/f5 -SPDXID: SPDXRef-839d99ee67d9d174 +FileName: /d1/f3 +SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /a1/f6 -SPDXID: SPDXRef-9c2f7510199b17f6 +FileName: /d2/f4 +SPDXID: SPDXRef-File-d2-f4-c641caa71518099f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /d2/f4 -SPDXID: SPDXRef-c641caa71518099f +FileName: /f1 +SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /d1/f3 -SPDXID: SPDXRef-c6f5b29dca12661f +FileName: /f2 +SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /f2 -SPDXID: SPDXRef-f9e49132a4b96ccd +FileName: /z1/f5 +SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION 
@@ -76,11 +76,11 @@ ExternalRef: PACKAGE-MANAGER purl a-purl-1 ##### Relationships -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-5265a4dde3edbf7c -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-839d99ee67d9d174 -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-9c2f7510199b17f6 -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c641caa71518099f -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c6f5b29dca12661f -Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-f9e49132a4b96ccd +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-f1-5265a4dde3edbf7c +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-z1-f5-839d99ee67d9d174 +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-a1-f6-9c2f7510199b17f6 +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-d2-f4-c641caa71518099f +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-d1-f3-c6f5b29dca12661f +Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-f2-f9e49132a4b96ccd Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index 7bd71f05f05..ae9062bb890 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden 
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-1d303762-46d2-47b5-9c81-defa91387275 -LicenseListVersion: 3.19 +DocumentNamespace: https://anchore.com/syft/dir/some/path-0f346656-6d10-4dec-b549-a256468cbd35 +LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-12-21T03:39:05Z +Created: 2023-05-02T18:24:33Z ##### Package: package-2 diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index df1cb1467d3..88fbe92b8f6 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-559af225-63af-4bc0-94fb-bce94913bcfa -LicenseListVersion: 3.19 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-4ce1e7c7-642f-4428-bb44-1b48b8edf74d +LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-12-21T03:39:05Z +Created: 2023-05-02T18:24:33Z ##### Package: package-2 From d63a1f5f8016f82839ac5b19b971f694fdb58422 Mon Sep 17 00:00:00 2001 From: Jeff Squyres Date: Thu, 4 May 2023 15:36:22 -0400 Subject: [PATCH 6/6] chore(docs): Update lists of catalogers (#1780) Signed-off-by: Jeff Squyres --- README.md | 109 +++++++++++++++++++------------ syft/pkg/cataloger/cataloger.go | 112 ++++++++++++++++---------------- 2 files changed, 124 insertions(+), 97 deletions(-) diff --git a/README.md b/README.md index 948a38ae805..7ec9ef00aea 100644 --- a/README.md +++ b/README.md 
@@ -152,39 +152,53 @@ This default behavior can be overridden with the `default-image-pull-source` con ##### Image Scanning: - alpmdb -- rpmdb -- dpkgdb - apkdb +- binary +- dotnet-deps +- dpkgdb +- go-module-binary +- graalvm-native-image +- java +- javascript-package +- linux-kernel +- nix-store +- php-composer-installed - portage -- ruby-gemspec - python-package -- php-composer-installed Cataloger -- javascript-package -- java -- go-module-binary -- dotnet-deps +- rpm-db +- ruby-gemspec +- sbom ##### Directory Scanning: - alpmdb - apkdb +- binary +- cocoapods +- conan +- dartlang-lock +- dotnet-deps - dpkgdb +- elixir-mix-lock +- erlang-rebar-lock +- go-mod-file +- go-module-binary +- graalvm-native-image +- haskell +- java +- java-gradle-lockfile +- java-pom +- javascript-lock +- linux-kernel +- nix-store +- php-composer-lock - portage -- rpmdb -- ruby-gemfile - python-index - python-package -- php-composer-lock -- javascript-lock -- java -- java-pom -- go-module-binary -- go-mod-file +- rpm-db +- rpm-file +- ruby-gemfile - rust-cargo-lock -- dartlang-lock -- dotnet-deps -- cocoapods -- conan -- hackage +- sbom ##### Non Default: - cargo-auditable-binary 
@@ -462,26 +476,39 @@ platform: "" # set the list of package catalogers to use when generating the SBOM # default = empty (cataloger set determined automatically by the source type [image or file/directory]) # catalogers: -# - ruby-gemfile -# - ruby-gemspec -# - python-index -# - python-package -# - javascript-lock -# - javascript-package -# - php-composer-installed -# - php-composer-lock -# - alpmdb -# - dpkgdb -# - rpmdb -# - java -# - apkdb -# - go-module-binary -# - go-mod-file -# - dartlang-lock -# - rust -# - dotnet-deps -# rust-audit-binary scans Rust binaries built with https://github.com/Shnatsel/rust-audit -# - rust-audit-binary +# - alpmdb-cataloger +# - apkdb-cataloger +# - binary-cataloger +# - cargo-auditable-binary-cataloger +# - cocoapods-cataloger +# - conan-cataloger +# - dartlang-lock-cataloger +# - dotnet-deps-cataloger +# - dpkgdb-cataloger +# - elixir-mix-lock-cataloger +# - erlang-rebar-lock-cataloger +# - go-mod-file-cataloger +# - go-module-binary-cataloger +# - graalvm-native-image-cataloger +# - haskell-cataloger +# - java-cataloger +# - java-gradle-lockfile-cataloger +# - java-pom-cataloger +# - javascript-lock-cataloger +# - javascript-package-cataloger +# - linux-kernel-cataloger +# - nix-store-cataloger +# - php-composer-installed-cataloger +# - php-composer-lock-cataloger +# - portage-cataloger +# - python-index-cataloger +# - python-package-cataloger +# - rpm-db-cataloger +# - rpm-file-cataloger +# - ruby-gemfile-cataloger +# - ruby-gemspec-cataloger +# - rust-cargo-lock-cataloger +# - sbom-cataloger catalogers: # cataloging packages is exposed through the packages and power-user subcommands diff --git a/syft/pkg/cataloger/cataloger.go b/syft/pkg/cataloger/cataloger.go index ca1ca085877..c4eaa485072 100644 --- a/syft/pkg/cataloger/cataloger.go +++ b/syft/pkg/cataloger/cataloger.go 
@@ -41,22 +41,22 @@ const AllCatalogersPattern = "all" func ImageCatalogers(cfg Config) []pkg.Cataloger { return filterCatalogers([]pkg.Cataloger{ alpm.NewAlpmdbCataloger(), - ruby.NewGemSpecCataloger(), - python.NewPythonPackageCataloger(), - php.NewComposerInstalledCataloger(), - javascript.NewPackageCataloger(), + apkdb.NewApkdbCataloger(), + binary.NewCataloger(), deb.NewDpkgdbCataloger(), - rpm.NewRpmDBCataloger(), + dotnet.NewDotnetDepsCataloger(), + golang.NewGoModuleBinaryCataloger(cfg.Go()), java.NewJavaCataloger(cfg.Java()), java.NewNativeImageCataloger(), - apkdb.NewApkdbCataloger(), - golang.NewGoModuleBinaryCataloger(cfg.Go()), - dotnet.NewDotnetDepsCataloger(), - portage.NewPortageCataloger(), + javascript.NewPackageCataloger(), + kernel.NewLinuxKernelCataloger(cfg.Kernel()), nix.NewStoreCataloger(), + php.NewComposerInstalledCataloger(), + portage.NewPortageCataloger(), + python.NewPythonPackageCataloger(), + rpm.NewRpmDBCataloger(), + ruby.NewGemSpecCataloger(), sbom.NewSBOMCataloger(), - binary.NewCataloger(), - kernel.NewLinuxKernelCataloger(cfg.Kernel()), }, cfg.Catalogers) } 
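Review bot: The alphabetical reordering of ImageCatalogers changes the order in which catalogers run and in which their results are appended, and nothing in this hunk shows whether callers treat that order as significant (for example when two catalogers report the same package); the same applies to the DirectoryCatalogers and AllCatalogers hunks that follow, the last of which spans two lines here. If order is not meaningful, a comment above each slice would make that explicit, e.g. `// catalogers are listed alphabetically; execution order is not significant`, and if it is, a test should pin the new order. Either way the intent belongs in the commit message, which only mentions updating the documented lists.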
@@ -64,34 +64,34 @@ func ImageCatalogers(cfg Config) []pkg.Cataloger { func DirectoryCatalogers(cfg Config) []pkg.Cataloger { return filterCatalogers([]pkg.Cataloger{ alpm.NewAlpmdbCataloger(), - ruby.NewGemFileLockCataloger(), - python.NewPythonIndexCataloger(), - python.NewPythonPackageCataloger(), - php.NewComposerLockCataloger(), - javascript.NewLockCataloger(), - deb.NewDpkgdbCataloger(), - rpm.NewRpmDBCataloger(), - rpm.NewFileCataloger(), - java.NewJavaCataloger(cfg.Java()), - java.NewJavaPomCataloger(), - java.NewNativeImageCataloger(), - java.NewJavaGradleLockfileCataloger(), apkdb.NewApkdbCataloger(), - golang.NewGoModuleBinaryCataloger(cfg.Go()), - golang.NewGoModFileCataloger(cfg.Go()), - rust.NewCargoLockCataloger(), + binary.NewCataloger(), + cpp.NewConanCataloger(), dart.NewPubspecLockCataloger(), + deb.NewDpkgdbCataloger(), dotnet.NewDotnetDepsCataloger(), - swift.NewCocoapodsCataloger(), - cpp.NewConanCataloger(), - portage.NewPortageCataloger(), - haskell.NewHackageCataloger(), - sbom.NewSBOMCataloger(), - binary.NewCataloger(), elixir.NewMixLockCataloger(), erlang.NewRebarLockCataloger(), + golang.NewGoModFileCataloger(cfg.Go()), + golang.NewGoModuleBinaryCataloger(cfg.Go()), + haskell.NewHackageCataloger(), + java.NewJavaCataloger(cfg.Java()), + java.NewJavaGradleLockfileCataloger(), + java.NewJavaPomCataloger(), + java.NewNativeImageCataloger(), + javascript.NewLockCataloger(), kernel.NewLinuxKernelCataloger(cfg.Kernel()), nix.NewStoreCataloger(), + php.NewComposerLockCataloger(), + portage.NewPortageCataloger(), + python.NewPythonIndexCataloger(), + python.NewPythonPackageCataloger(), + rpm.NewFileCataloger(), + rpm.NewRpmDBCataloger(), + ruby.NewGemFileLockCataloger(), + rust.NewCargoLockCataloger(), + sbom.NewSBOMCataloger(), + swift.NewCocoapodsCataloger(), }, cfg.Catalogers) } 
@@ -99,38 +99,38 @@ func DirectoryCatalogers(cfg Config) []pkg.Cataloger { func AllCatalogers(cfg Config) []pkg.Cataloger { return filterCatalogers([]pkg.Cataloger{ alpm.NewAlpmdbCataloger(), - ruby.NewGemFileLockCataloger(), - ruby.NewGemSpecCataloger(), - python.NewPythonIndexCataloger(), - python.NewPythonPackageCataloger(), - javascript.NewLockCataloger(), - javascript.NewPackageCataloger(), + apkdb.NewApkdbCataloger(), + binary.NewCataloger(), + cpp.NewConanCataloger(), + dart.NewPubspecLockCataloger(), deb.NewDpkgdbCataloger(), - rpm.NewRpmDBCataloger(), - rpm.NewFileCataloger(), + dotnet.NewDotnetDepsCataloger(), + elixir.NewMixLockCataloger(), + erlang.NewRebarLockCataloger(), + golang.NewGoModFileCataloger(cfg.Go()), + golang.NewGoModuleBinaryCataloger(cfg.Go()), + haskell.NewHackageCataloger(), java.NewJavaCataloger(cfg.Java()), + java.NewJavaGradleLockfileCataloger(), java.NewJavaPomCataloger(), java.NewNativeImageCataloger(), - java.NewJavaGradleLockfileCataloger(), - apkdb.NewApkdbCataloger(), - golang.NewGoModuleBinaryCataloger(cfg.Go()), - golang.NewGoModFileCataloger(cfg.Go()), - rust.NewCargoLockCataloger(), - rust.NewAuditBinaryCataloger(), - dart.NewPubspecLockCataloger(), - dotnet.NewDotnetDepsCataloger(), + javascript.NewLockCataloger(), + javascript.NewPackageCataloger(), + kernel.NewLinuxKernelCataloger(cfg.Kernel()), + nix.NewStoreCataloger(), php.NewComposerInstalledCataloger(), php.NewComposerLockCataloger(), - swift.NewCocoapodsCataloger(), - cpp.NewConanCataloger(), portage.NewPortageCataloger(), - haskell.NewHackageCataloger(), + python.NewPythonIndexCataloger(), + python.NewPythonPackageCataloger(), + rpm.NewFileCataloger(), + rpm.NewRpmDBCataloger(), + ruby.NewGemFileLockCataloger(), + ruby.NewGemSpecCataloger(), + rust.NewAuditBinaryCataloger(), + rust.NewCargoLockCataloger(), sbom.NewSBOMCataloger(), - binary.NewCataloger(), - elixir.NewMixLockCataloger(), - erlang.NewRebarLockCataloger(), - 
kernel.NewLinuxKernelCataloger(cfg.Kernel()), - nix.NewStoreCataloger(), + swift.NewCocoapodsCataloger(), }, cfg.Catalogers) }