oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: combine go module file and go source discovery into single cataloger (#4127)

Browse Source 
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Christopher Angelo Phillips 2025-08-26 15:35:44 -04:00 committed by GitHub
parent 170c4c41f4
commit 13ffeeb3d0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
26 changed files with 4518 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
go.mod
View File

@ -274,7 +274,7 @@ require (
golang.org/x/term v0.34.0 // indirect
golang.org/x/text v0.28.0 // indirect
golang.org/x/time v0.7.0 // indirect
golang.org/x/tools v0.35.0 // indirect
golang.org/x/tools v0.35.0
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.203.0 // indirect
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect

2
internal/constants.go
View File

@ -3,5 +3,5 @@ package internal
const (
// JSONSchemaVersion is the current schema version output by the JSON encoder
// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
JSONSchemaVersion = "16.0.38"
JSONSchemaVersion = "16.0.39"
)

3345
schema/json/schema-16.0.39.json Normal file
View File

File diff suppressed because it is too large Load Diff

28
schema/json/schema-latest.json
View File

@ -1,6 +1,6 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "anchore.io/schema/syft/json/16.0.38/document",
"$id": "anchore.io/schema/syft/json/16.0.39/document",
"$ref": "#/$defs/Document",
"$defs": {
"AlpmDbEntry": {
@ -1236,6 +1236,29 @@
},
"type": "object"
},
"GoSourceEntry": {
"properties": {
"h1Digest": {
"type": "string"
},
"os": {
"type": "string"
},
"architecture": {
"type": "string"
},
"buildTags": {
"type": "string"
},
"cgoEnabled": {
"type": "boolean"
}
},
"type": "object",
"required": [
"cgoEnabled"
]
},
"HaskellHackageStackEntry": {
"properties": {
"pkgHash": {
@ -2075,6 +2098,9 @@
{
"$ref": "#/$defs/GoModuleEntry"
},
{
"$ref": "#/$defs/GoSourceEntry"
},
{
"$ref": "#/$defs/HaskellHackageStackEntry"
},

1
syft/format/internal/spdxutil/helpers/originator_supplier_test.go
View File

@ -28,6 +28,7 @@ func Test_OriginatorSupplier(t *testing.T) {
pkg.ErlangRebarLockEntry{},
pkg.GolangBinaryBuildinfoEntry{},
pkg.GolangModuleEntry{},
pkg.GolangSourceEntry{},
pkg.HomebrewFormula{},
pkg.HackageStackYamlLockEntry{},
pkg.HackageStackYamlEntry{},

1
syft/internal/packagemetadata/generated.go
View File

@ -30,6 +30,7 @@ func AllTypes() []any {
pkg.GitHubActionsUseStatement{},
pkg.GolangBinaryBuildinfoEntry{},
pkg.GolangModuleEntry{},
pkg.GolangSourceEntry{},
pkg.HackageStackYamlEntry{},
pkg.HackageStackYamlLockEntry{},
pkg.HomebrewFormula{},

1
syft/internal/packagemetadata/names.go
View File

@ -82,6 +82,7 @@ var jsonTypes = makeJSONTypes(
jsonNames(pkg.GitHubActionsUseStatement{}, "github-actions-use-statement"),
jsonNames(pkg.GolangBinaryBuildinfoEntry{}, "go-module-buildinfo-entry", "GolangBinMetadata", "GolangMetadata"),
jsonNames(pkg.GolangModuleEntry{}, "go-module-entry", "GolangModMetadata"),
jsonNames(pkg.GolangSourceEntry{}, "go-source-entry"),
jsonNames(pkg.HackageStackYamlLockEntry{}, "haskell-hackage-stack-lock-entry", "HackageMetadataType"),
jsonNamesWithoutLookup(pkg.HackageStackYamlEntry{}, "haskell-hackage-stack-entry", "HackageMetadataType"), // the legacy value is split into two types, where the other is preferred
jsonNames(pkg.JavaArchive{}, "java-archive", "JavaMetadata"),

6
syft/internal/packagemetadata/names_test.go
View File

@ -347,6 +347,12 @@ func Test_JSONName_JSONLegacyName(t *testing.T) {
expectedJSONName: "go-module-entry",
expectedLegacyName: "GolangModMetadata",
},
{
name: "GolangSourceMetadata",
metadata: pkg.GolangSourceEntry{},
expectedJSONName: "go-source-entry",
expectedLegacyName: "go-source-entry",
},
{
name: "HackageStackYamlLockMetadata",
metadata: pkg.HackageStackYamlLockEntry{},

149
syft/pkg/cataloger/golang/license_finder.go Normal file
View File

@ -0,0 +1,149 @@
package golang
import (
"context"
"fmt"
"path/filepath"
"regexp"
"strings"
"github.com/spf13/afero"
"github.com/anchore/syft/syft/file"
"github.com/anchore/syft/syft/pkg"
)
// resolveModuleLicenses finds and parses license files for Go modules
func resolveModuleLicenses(ctx context.Context, pkgInfos []pkgInfo, fs afero.Fs) pkg.LicenseSet {
licenses := pkg.NewLicenseSet()
for _, info := range pkgInfos {
modDir, pkgDir, err := getAbsolutePkgPaths(info)
if err != nil {
continue
}
licenseFiles, err := findAllLicenseCandidatesUpwards(pkgDir, licenseRegexp, modDir, fs)
if err != nil {
continue
}
for _, f := range licenseFiles {
contents, err := fs.Open(f)
if err != nil {
continue
}
licenses.Add(pkg.NewLicensesFromReadCloserWithContext(ctx, file.NewLocationReadCloser(file.Location{}, contents))...)
_ = contents.Close()
}
}
return licenses
}
/*
findAllLicenseCandidatesUpwards performs a bubble-up search per package:
1. pkgInfos represents a sparse vertical distribution of packages within modules
2. we get more pkgInfos for free when the build configuration is updated
The recursion terminates via two conditions:
- When dir is outside stopAt boundary (happy case)
- When reaching filesystem root where parent == dir (edge case)
Note: The code does NOT follow symlinks. It returns a slice of absolute paths that
represent license file matches that are resolved independently of the bubble-up.
When we should consider redesign tip to stem:
- Reduced filesystem calls: Single traversal vs multiple per-package
- Path deduplication: Avoids re-scanning common parent directories
- Better for wide module structures: Efficient when many packages share parent paths
- We need to consider the case here where nested modules are visited by accident and licenses
are erroneously associated to a 'parent module'; bubble up currently prevents this
*/
func findAllLicenseCandidatesUpwards(dir string, r *regexp.Regexp, stopAt string, fs afero.Fs) ([]string, error) {
// Validate that both paths are absolute
if !filepath.IsAbs(dir) {
return nil, fmt.Errorf("dir must be an absolute path, got: %s", dir)
}
if !filepath.IsAbs(stopAt) {
return nil, fmt.Errorf("stopAt must be an absolute path, got: %s", stopAt)
}
licenses, err := findLicenseCandidates(dir, r, stopAt, fs)
if err != nil {
return nil, err
}
// Ensure we return an empty slice rather than nil for consistency
if licenses == nil {
return []string{}, nil
}
return licenses, nil
}
func findLicenseCandidates(dir string, r *regexp.Regexp, stopAt string, fs afero.Fs) ([]string, error) {
// stop if we've gone outside the stopAt directory
if !strings.HasPrefix(dir, stopAt) {
return []string{}, nil
}
licenses, err := findLicensesInDir(dir, r, fs)
if err != nil {
return nil, err
}
parent := filepath.Dir(dir)
// can't go any higher up the directory tree: "/" case
if parent == dir {
return licenses, nil
}
// search parent directory and combine results
parentLicenses, err := findLicenseCandidates(parent, r, stopAt, fs)
if err != nil {
return nil, err
}
// Combine current directory licenses with parent directory licenses
return append(licenses, parentLicenses...), nil
}
func getAbsolutePkgPaths(info pkgInfo) (modDir string, pkgDir string, err error) {
pkgDir, err = filepath.Abs(info.pkgDir)
if err != nil {
return modDir, pkgDir, err
}
modDir, err = filepath.Abs(info.moduleDir)
if err != nil {
return modDir, pkgDir, err
}
if !strings.HasPrefix(pkgDir, modDir) {
return modDir, pkgDir, fmt.Errorf("modDir %s should contain pkgDir %s", modDir, pkgDir)
}
return modDir, pkgDir, nil
}
func findLicensesInDir(dir string, r *regexp.Regexp, fs afero.Fs) ([]string, error) {
var licenses []string
dirContents, err := afero.ReadDir(fs, dir)
if err != nil {
return nil, err
}
for _, f := range dirContents {
if f.IsDir() {
continue
}
if r.MatchString(f.Name()) {
path := filepath.Join(dir, f.Name())
licenses = append(licenses, path)
}
}
return licenses, nil
}

220
syft/pkg/cataloger/golang/license_finder_test.go Normal file
View File

@ -0,0 +1,220 @@
package golang
import (
"testing"
"github.com/spf13/afero"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestFindAllLicenseCandidatesUpwards(t *testing.T) {
tests := []struct {
name string
setupFS func(afero.Fs)
startDir string
stopAt string
expectedFiles []string
expectedError bool
description string
}{
{
name: "normal traversal up to root",
startDir: "/project/subdir/deeper",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir/deeper", 0755)
afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
afero.WriteFile(fs, "/project/foobar", []byte("MIT"), 0644)
afero.WriteFile(fs, "/project/subdir/LICENSE.txt", []byte("Apache"), 0644)
afero.WriteFile(fs, "/project/subdir/deeper/COPYING", []byte("GPL"), 0644)
},
expectedFiles: []string{
"/project/subdir/deeper/COPYING",
"/project/subdir/LICENSE.txt",
"/project/LICENSE",
},
description: "Should find all license files traversing upward",
},
{
name: "stops at boundary directory",
startDir: "/project/subdir/deeper",
stopAt: "/project/subdir",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir/deeper", 0755)
afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
afero.WriteFile(fs, "/project/subdir/LICENSE.txt", []byte("Apache"), 0644)
afero.WriteFile(fs, "/project/subdir/deeper/COPYING", []byte("GPL"), 0644)
},
expectedFiles: []string{
"/project/subdir/deeper/COPYING",
"/project/subdir/LICENSE.txt",
},
description: "Should stop at stopAt boundary and not find LICENSE in /project",
},
{
name: "handles non-existent directory",
startDir: "/nonexistent",
stopAt: "/",
setupFS: func(fs afero.Fs) {
// Don't create the directory
},
expectedError: true,
description: "Should return error for non-existent directory",
},
{
name: "handles empty directory tree",
startDir: "/empty/dir/tree",
stopAt: "/empty",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/empty/dir/tree", 0755)
// No license files
},
expectedFiles: []string{},
description: "Should return empty slice when no license files found",
},
{
name: "handles directory at filesystem root",
startDir: "/",
stopAt: "/",
setupFS: func(fs afero.Fs) {
afero.WriteFile(fs, "/LICENSE", []byte("MIT"), 0644)
},
expectedFiles: []string{"/LICENSE"},
description: "Should handle traversal starting at root",
},
{
name: "ignores directories with license-like names",
startDir: "/project/subdir",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir", 0755)
fs.MkdirAll("/project/LICENSE_DIR", 0755) // Directory, should be ignored
afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
},
expectedFiles: []string{"/project/LICENSE"},
description: "Should ignore directories even if they match license pattern",
},
{
name: "startDir equals stopAt",
startDir: "/project",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project", 0755)
afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
},
expectedFiles: []string{"/project/LICENSE"},
description: "Should handle case where start equals stop directory",
},
{
name: "startDir is parent of stopAt (returns empty)",
startDir: "/",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project", 0755)
afero.WriteFile(fs, "/LICENSE", []byte("MIT"), 0644)
},
expectedFiles: []string{},
description: "Should return empty when startDir is above stopAt",
},
{
name: "very deep nesting",
startDir: "/a/b/c/d/e/f/g/h/i/j",
stopAt: "/a",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/a/b/c/d/e/f/g/h/i/j", 0755)
afero.WriteFile(fs, "/a/LICENSE", []byte("MIT"), 0644)
afero.WriteFile(fs, "/a/b/c/d/e/NOTICE", []byte("Notice"), 0644)
},
expectedFiles: []string{
"/a/b/c/d/e/NOTICE",
"/a/LICENSE",
},
description: "Should handle deep directory nesting without stack overflow",
},
{
name: "relative dir path rejected",
startDir: "project/subdir",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir", 0755)
},
expectedError: true,
description: "Should reject relative dir path",
},
{
name: "relative stopAt path rejected",
startDir: "/project/subdir",
stopAt: "project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir", 0755)
},
expectedError: true,
description: "Should reject relative stopAt path",
},
{
name: "stopAt is descendant of startDir",
startDir: "/project",
stopAt: "/project/subdir/deeper",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/subdir/deeper", 0755)
afero.WriteFile(fs, "/project/LICENSE", []byte("MIT"), 0644)
},
expectedFiles: []string{},
description: "Should return empty when stopAt is below startDir",
},
{
name: "disjoint paths",
startDir: "/foo/bar",
stopAt: "/baz/qux",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/foo/bar", 0755)
fs.MkdirAll("/baz/qux", 0755)
afero.WriteFile(fs, "/foo/bar/LICENSE", []byte("MIT"), 0644)
afero.WriteFile(fs, "/LICENSE", []byte("Root"), 0644)
},
expectedFiles: []string{},
description: "Should return empty for completely disjoint paths",
},
{
name: "empty stopAt rejected",
startDir: "/project/deep/path",
stopAt: "",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project/deep/path", 0755)
},
expectedError: true,
description: "Should reject empty stopAt string",
},
{
name: "empty startDir rejected",
startDir: "",
stopAt: "/project",
setupFS: func(fs afero.Fs) {
fs.MkdirAll("/project", 0755)
},
expectedError: true,
description: "Should reject empty startDir string",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Create in-memory filesystem
fs := afero.NewMemMapFs()
tt.setupFS(fs)
// Run the function
result, err := findAllLicenseCandidatesUpwards(tt.startDir, licenseRegexp, tt.stopAt, fs)
// Check error expectation
if tt.expectedError {
assert.Error(t, err, tt.description)
return
}
require.NoError(t, err, tt.description)
assert.Equal(t, tt.expectedFiles, result, tt.description)
})
}
}

463
syft/pkg/cataloger/golang/parse_go_mod.go
View File

@ -4,20 +4,30 @@ import (
"bufio"
"context"
"fmt"
"go/build"
"io"
"path/filepath"
"regexp"
"sort"
"strings"
"github.com/spf13/afero"
"golang.org/x/mod/modfile"
"golang.org/x/tools/go/packages"
"github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/log"
"github.com/anchore/syft/internal/unknown"
"github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/file"
"github.com/anchore/syft/syft/pkg"
"github.com/anchore/syft/syft/pkg/cataloger/generic"
)
var (
licenseRegexp = regexp.MustCompile(`^(?i)((UN)?LICEN(S|C)E|COPYING|NOTICE).*$`)
)
type goModCataloger struct {
licenseResolver goLicenseResolver
}
@ -28,59 +38,322 @@ func newGoModCataloger(opts CatalogerConfig) *goModCataloger {
}
}
// parseGoModFile takes a go.mod and lists all packages discovered.
//
//nolint:funlen
// parseGoModFile takes a go.mod and tries to resolve and lists all packages discovered.
func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
packages := make(map[string]pkg.Package)
contents, err := io.ReadAll(reader)
if err != nil {
return nil, nil, fmt.Errorf("failed to read go module: %w", err)
}
f, err := modfile.Parse(reader.RealPath, contents, nil)
if err != nil {
return nil, nil, fmt.Errorf("failed to parse go module: %w", err)
}
modDir := filepath.Dir(string(reader.Location.Reference().RealPath))
digests, err := parseGoSumFile(resolver, reader)
if err != nil {
log.Debugf("unable to get go.sum: %v", err)
}
for _, m := range f.Require {
lics := c.licenseResolver.getLicenses(ctx, resolver, m.Mod.Path, m.Mod.Version)
packages[m.Mod.Path] = pkg.Package{
Name: m.Mod.Path,
Version: m.Mod.Version,
Licenses: pkg.NewLicenseSet(lics...),
Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
PURL: packageURL(m.Mod.Path, m.Mod.Version),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{
H1Digest: digests[fmt.Sprintf("%s %s", m.Mod.Path, m.Mod.Version)],
},
// source analysis using go toolchain if available
syftSourcePackages, sourceModules, sourceDependencies, unknownErr := c.loadPackages(modDir, reader.Location)
catalogedModules, sourceModuleToPkg := c.catalogModules(ctx, syftSourcePackages, sourceModules, reader, digests)
relationships := buildModuleRelationships(catalogedModules, sourceDependencies, sourceModuleToPkg)
// base case go.mod file parsing
modFile, err := c.parseModFileContents(reader)
if err != nil {
return nil, nil, err
}
// only use mod packages NOT found in source analysis
goModPackages := c.createGoModPackages(ctx, resolver, modFile, sourceModules, reader, digests)
c.applyReplaceDirectives(ctx, resolver, modFile, goModPackages, reader, digests)
c.applyExcludeDirectives(modFile, goModPackages)
finalPkgs := c.assembleResults(catalogedModules, goModPackages)
return finalPkgs, relationships, unknownErr
}
// loadPackages uses golang.org/x/tools/go/packages to get dependency information.
func (c *goModCataloger) loadPackages(modDir string, loc file.Location) (pkgs map[string][]pkgInfo, modules map[string]*packages.Module, dependencies map[string][]string, unknownErr error) {
cfg := &packages.Config{
// Mode flags control what information is loaded for each package.
// Performance impact increases significantly with each additional flag:
//
// packages.NeedModule - Required for module metadata (path, version, replace directives).
// Essential for SBOM generation. Minimal performance impact.
//
// packages.NeedName - Required for package names & package Path. Minimal performance impact.
// Needed to identify packages and filter out standard library packages.
//
// packages.NeedFiles - Loads source file paths for each package.
// Moderate performance impact as it requires filesystem traversal.
// Required for license discovery.
//
// packages.NeedDeps - Loads the dependency graph between packages.
// High performance impact as it builds the complete import graph.
// Critical for generating accurate dependency relationships in SBOM.
//
// packages.NeedImports - Loads import information for each package.
// High performance impact, especially with large codebases.
// Required for building module-to-module dependency mappings.
//
// Adding flags like NeedTypes, NeedSyntax, or NeedTypesInfo would dramatically
// increase memory usage and processing time (10x+ slower) but are not needed
// for SBOM generation as we only require dependency and module metadata.
Mode: packages.NeedModule | packages.NeedName | packages.NeedFiles | packages.NeedDeps | packages.NeedImports,
Dir: modDir,
Tests: true,
}
// From Go documentation: "all" expands to all packages in the main module
// and their dependencies, including dependencies needed by tests.
//
// The special pattern "all" specifies all the active modules,
// first the main module and then dependencies sorted by module path.
// A pattern containing "..." specifies the active modules whose module paths match the pattern.
// On implementation we could not find a test case that differentiated between all and ...
// There may be a case where ... is non inclusive so we default to all for the inclusive guarantee
rootPkgs, err := packages.Load(cfg, "all")
if err != nil {
log.Debugf("error loading packages: %v", err)
}
// Check for any errors in loading
for _, p := range rootPkgs {
if len(p.Errors) > 0 {
// Log errors but continue processing
for _, e := range p.Errors {
log.Debugf("package load error for %s: %v", p.PkgPath, e)
unknownErr = unknown.Append(unknownErr, loc, err)
}
}
}
// remove any old packages and replace with new ones...
for _, m := range f.Replace {
lics := c.licenseResolver.getLicenses(ctx, resolver, m.New.Path, m.New.Version)
// note: dependencies have already pruned local imports and only focuses on module => module dependencies
return c.visitPackages(rootPkgs, loc, unknownErr)
}
// the old path and new path may be the same, in which case this is a noop,
// but if they're different we need to remove the old package.
// note that we may change the path but we should always reference the new version (since the old version
// cannot be trusted as a correct value).
type pkgInfo struct {
// pkgPath is the import path of the package.
pkgPath string
// modulePath is the module path of the package.
modulePath string
// pkgDir is the directory containing the package's source code.
pkgDir string
// moduleDir is the directory containing the module's source code.
moduleDir string
}
// visitPackages processes Go module import graphs to get all modules
func (c *goModCataloger) visitPackages(
rootPkgs []*packages.Package,
loc file.Location,
uke error,
) (pkgs map[string][]pkgInfo, modules map[string]*packages.Module, dependencies map[string][]string, unknownErr error) {
modules = make(map[string]*packages.Module)
// note: packages are specific to inside the module - they do not include transitive pkgInfo
// packages is used for identifying licensing documents for modules that could contain multiple licenses
// dependencies cover transitive module imports; see p.Imports array in packages.Visit
pkgs = make(map[string][]pkgInfo)
// dependencies are module => module dependencies
dependencies = make(map[string][]string)
// persist unknown errs from previous parts of the catalog
unknownErr = uke
// closure (p *Package) bool
// return bool determines whether the imports of package p are visited.
packages.Visit(rootPkgs, func(p *packages.Package) bool {
if len(p.Errors) > 0 {
for _, err := range p.Errors {
unknownErr = unknown.Append(unknownErr, loc, err)
}
return false
}
// skip for common causes
if shouldSkipVisit(p) {
return false
}
// different from above; we still might want to visit imports
// ignoring a package shouldn't end walking the tree
// since we need to get the full picture for license discovery
// for _, prefix := range c.config.IgnorePaths {
// if strings.HasPrefix(p.PkgPath, prefix) {
// return c.config.IncludeIgnoredDeps
// }
//}
pkgDir := resolvePkgDir(p)
if pkgDir == "" {
return true
}
module := newModule(p.Module)
if module.Dir == "" {
// We continue processing even when module.Dir is empty because we still want to:
// 1. Extract module dependencies from p.Imports for dependency graph construction
// 2. Create syft packages with available metadata (name, version, etc.)
// 3. Build relationships between modules even without complete filesystem info
// Not having the DIR here just means that we're not going to process the licenses
// Common causes for module.Dir being empty:
// - Vendored dependencies where Go toolchain loses some module metadata
// - Replace directives pointing to non-existent or inaccessible paths
// A known cause is that the module is vendored, so some information is lost.
isVendored := strings.Contains(pkgDir, "/vendor/")
if !isVendored {
log.Debugf("module %s does not have dir and it's not vendored", module.Path)
}
}
// extract module dependencies
for _, imp := range p.Imports {
if imp.Module != nil && imp.Module.Path != module.Path {
if dependencies[module.Path] == nil {
dependencies[module.Path] = []string{imp.Module.Path}
} else {
dependencies[module.Path] = append(dependencies[module.Path], imp.Module.Path)
}
}
}
pkgs[module.Path] = append(pkgs[module.Path], pkgInfo{
pkgPath: p.PkgPath,
modulePath: module.Path,
pkgDir: pkgDir,
moduleDir: module.Dir,
})
modules[p.Module.Path] = module
return true
}, nil)
return pkgs, modules, dependencies, unknownErr
}
// create syft packages from Go modules found by the go toolchain
func (c *goModCataloger) catalogModules(
ctx context.Context,
pkgs map[string][]pkgInfo,
modules map[string]*packages.Module,
reader file.LocationReadCloser,
digests map[string]string,
) ([]pkg.Package, map[string]artifact.Identifiable) {
syftPackages := make([]pkg.Package, 0)
moduleToPackage := make(map[string]artifact.Identifiable)
for _, m := range modules {
if isRelativeImportOrMain(m.Path) {
// relativeImport modules are already accounted for by their full module paths at other portions of syft's cataloging
// example: something like ../../ found as a module for go.mod b, which is sub to go.mod a is accounted for
// in another call to the goModCataloger when go.mod a is parsed
// local modules that use a "main" heuristic, no module naming (sometimes common pre go module support)
// are also not built as syft packages
continue
}
pkgInfos := pkgs[m.Path]
moduleLicenses := resolveModuleLicenses(ctx, pkgInfos, afero.NewOsFs())
// we do out of source lookups for module parsing
// locations are NOT included in the SBOM because of this
goModulePkg := pkg.Package{
Name: m.Path,
Version: m.Version,
Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
Licenses: moduleLicenses,
Language: pkg.Go,
Type: pkg.GoModulePkg,
PURL: packageURL(m.Path, m.Version),
Metadata: createSourceMetadata(digests[fmt.Sprintf("%s %s", m.Path, m.Version)]),
}
goModulePkg.SetID()
moduleToPackage[m.Path] = goModulePkg
syftPackages = append(syftPackages, goModulePkg)
}
return syftPackages, moduleToPackage
}
// buildModuleRelationships creates artifact relationships between Go modules.
func buildModuleRelationships(
syftPkgs []pkg.Package,
dependencies map[string][]string,
moduleToPkg map[string]artifact.Identifiable,
) []artifact.Relationship {
var rels []artifact.Relationship
seen := make(map[string]struct{})
for _, fromPkg := range syftPkgs {
for _, dep := range dependencies[fromPkg.Name] {
if dep == fromPkg.Name {
continue
}
toPkg, ok := moduleToPkg[dep]
if !ok {
continue
}
key := string(fromPkg.ID()) + string(toPkg.ID())
if _, exists := seen[key]; exists {
continue
}
rels = append(rels, artifact.Relationship{
From: toPkg, // dep
To: fromPkg, // parent
Type: artifact.DependencyOfRelationship,
})
seen[key] = struct{}{}
}
}
return rels
}
func (c *goModCataloger) parseModFileContents(reader file.LocationReadCloser) (*modfile.File, error) {
contents, err := io.ReadAll(reader)
if err != nil {
return nil, fmt.Errorf("failed to read go module: %w", err)
}
f, err := modfile.Parse(reader.RealPath, contents, nil)
if err != nil {
return nil, fmt.Errorf("failed to parse go module: %w", err)
}
return f, nil
}
// note this handles the deduplication from source by checking if the mod path exists in the sourceModules map
func (c *goModCataloger) createGoModPackages(ctx context.Context, resolver file.Resolver, modFile *modfile.File, sourceModules map[string]*packages.Module, reader file.LocationReadCloser, digests map[string]string) map[string]pkg.Package {
goModPackages := make(map[string]pkg.Package)
for _, m := range modFile.Require {
if _, exists := sourceModules[m.Mod.Path]; !exists {
lics := c.licenseResolver.getLicenses(ctx, resolver, m.Mod.Path, m.Mod.Version)
goModPkg := pkg.Package{
Name: m.Mod.Path,
Version: m.Mod.Version,
Licenses: pkg.NewLicenseSet(lics...),
Locations: file.NewLocationSet(reader.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)),
PURL: packageURL(m.Mod.Path, m.Mod.Version),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{
H1Digest: digests[fmt.Sprintf("%s %s", m.Mod.Path, m.Mod.Version)],
},
}
goModPkg.SetID()
goModPackages[m.Mod.Path] = goModPkg
}
}
return goModPackages
}
// applyReplaceDirectives processes replace directives from go.mod
func (c *goModCataloger) applyReplaceDirectives(ctx context.Context, resolver file.Resolver, modFile *modfile.File, goModPackages map[string]pkg.Package, reader file.LocationReadCloser, digests map[string]string) {
for _, m := range modFile.Replace {
lics := c.licenseResolver.getLicenses(ctx, resolver, m.New.Path, m.New.Version)
var finalPath string
if !strings.HasPrefix(m.New.Path, ".") && !strings.HasPrefix(m.New.Path, "/") {
finalPath = m.New.Path
delete(packages, m.Old.Path)
delete(goModPackages, m.Old.Path)
} else {
finalPath = m.Old.Path
}
packages[finalPath] = pkg.Package{
goModPkg := pkg.Package{
Name: finalPath,
Version: m.New.Version,
Licenses: pkg.NewLicenseSet(lics...),
@ -92,26 +365,31 @@ func (c *goModCataloger) parseGoModFile(ctx context.Context, resolver file.Resol
H1Digest: digests[fmt.Sprintf("%s %s", finalPath, m.New.Version)],
},
}
goModPkg.SetID()
goModPackages[finalPath] = goModPkg
}
}
// remove any packages from the exclude fields
for _, m := range f.Exclude {
delete(packages, m.Mod.Path)
func (c *goModCataloger) applyExcludeDirectives(modFile *modfile.File, goModPackages map[string]pkg.Package) {
for _, m := range modFile.Exclude {
delete(goModPackages, m.Mod.Path)
}
}
pkgsSlice := make([]pkg.Package, len(packages))
idx := 0
for _, p := range packages {
p.SetID()
pkgsSlice[idx] = p
idx++
func (c *goModCataloger) assembleResults(catalogedPkgs []pkg.Package, goModPackages map[string]pkg.Package) []pkg.Package {
pkgsSlice := make([]pkg.Package, 0)
pkgsSlice = append(pkgsSlice, catalogedPkgs...)
for _, p := range goModPackages {
pkgsSlice = append(pkgsSlice, p)
}
sort.SliceStable(pkgsSlice, func(i, j int) bool {
return pkgsSlice[i].Name < pkgsSlice[j].Name
})
return pkgsSlice, nil, nil
return pkgsSlice
}
func parseGoSumFile(resolver file.Resolver, reader file.LocationReadCloser) (map[string]string, error) {
@ -151,3 +429,94 @@ func parseGoSumFile(resolver file.Resolver, reader file.LocationReadCloser) (map
return out, nil
}
// createSourceMetadata creates metadata for packages found through source analysis using build.Default
func createSourceMetadata(h1Digest string) pkg.GolangSourceEntry {
return pkg.GolangSourceEntry{
H1Digest: h1Digest,
OperatingSystem: build.Default.GOOS,
Architecture: build.Default.GOARCH,
BuildTags: strings.Join(build.Default.BuildTags, ","),
CgoEnabled: build.Default.CgoEnabled,
}
}
func resolvePkgDir(p *packages.Package) string {
switch {
case len(p.GoFiles) > 0:
return filepath.Dir(p.GoFiles[0])
case len(p.CompiledGoFiles) > 0:
return filepath.Dir(p.CompiledGoFiles[0])
case len(p.OtherFiles) > 0:
return filepath.Dir(p.OtherFiles[0])
default:
return ""
}
}
func shouldSkipVisit(p *packages.Package) bool {
// skip packages that don't have module info
if p.Module == nil {
return true
}
// skip stdlib
if isStdLib(p) {
return true
}
return false
}
// isStdLib returns true if this package is part of the Go standard library.
func isStdLib(pkg *packages.Package) bool {
if pkg.Name == "unsafe" {
// Special case unsafe stdlib, because it does not contain go files.
return true
}
if len(pkg.GoFiles) == 0 {
return false
}
prefix := build.Default.GOROOT
sep := string(filepath.Separator)
if !strings.HasSuffix(prefix, sep) {
prefix += sep
}
return strings.HasPrefix(pkg.GoFiles[0], prefix)
}
// handle replace directives
func newModule(mod *packages.Module) *packages.Module {
// Example of a module with replace directive: k8s.io/kubernetes => k8s.io/kubernetes v1.11.1
// {
// "Path": "k8s.io/kubernetes",
// "Version": "v0.17.9",
// "Replace": {
// "Path": "k8s.io/kubernetes",
// "Version": "v1.11.1",
// "Time": "2018-07-17T04:20:29Z",
// "Dir": "/home/gongyuan_kubeflow_org/go/pkg/mod/k8s.io/kubernetes@v1.11.1",
// "GoMod": "/home/gongyuan_kubeflow_org/go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.11.1.mod"
// },
// "Dir": "/home/gongyuan_kubeflow_org/go/pkg/mod/k8s.io/kubernetes@v1.11.1",
// "GoMod": "/home/gongyuan_kubeflow_org/go/pkg/mod/cache/download/k8s.io/kubernetes/@v/v1.11.1.mod"
// }
// handle replace directives
// Note, we specifically want to replace version field.
// Haven't confirmed, but we may also need to override the
// entire struct when using replace directive with local folders.
tmp := *mod
if tmp.Replace != nil {
tmp = *tmp.Replace
}
return &tmp
}
func isRelativeImportOrMain(p string) bool {
if p == "main" {
return true
}
// true for ".", "..", "./...", "../..."
return build.IsLocalImport(p)
}

180
syft/pkg/cataloger/golang/parse_go_mod_test.go
View File

@ -1,8 +1,13 @@
package golang
import (
"path/filepath"
"testing"
"github.com/google/go-cmp/cmp"
"github.com/stretchr/testify/require"
"github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/file"
"github.com/anchore/syft/syft/internal/fileresolver"
"github.com/anchore/syft/syft/pkg"
@ -15,13 +20,13 @@ func TestParseGoMod(t *testing.T) {
expected []pkg.Package
}{
{
fixture: "test-fixtures/one-package",
fixture: "test-fixtures/go-mod-fixtures/one-package/go.mod",
expected: []pkg.Package{
{
Name: "github.com/bmatcuk/doublestar",
Version: "v1.3.1",
PURL: "pkg:golang/github.com/bmatcuk/doublestar@v1.3.1",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/one-package")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/one-package/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -29,28 +34,28 @@ func TestParseGoMod(t *testing.T) {
},
},
{
fixture: "test-fixtures/relative-replace",
fixture: "test-fixtures/go-mod-fixtures/relative-replace/go.mod",
expected: []pkg.Package{
{
Name: "github.com/aws/aws-sdk-go-v2",
Version: "",
PURL: "pkg:golang/github.com/aws/aws-sdk-go-v2",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/relative-replace")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/relative-replace/go.mod")),
Metadata: pkg.GolangModuleEntry{},
},
},
},
{
fixture: "test-fixtures/many-packages",
fixture: "test-fixtures/go-mod-fixtures/many-packages/go.mod",
expected: []pkg.Package{
{
Name: "github.com/anchore/archiver/v3",
Version: "v3.5.2",
PURL: "pkg:golang/github.com/anchore/archiver@v3.5.2#v3",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -59,7 +64,7 @@ func TestParseGoMod(t *testing.T) {
Name: "github.com/anchore/go-testutils",
Version: "v0.0.0-20200624184116-66aa578126db",
PURL: "pkg:golang/github.com/anchore/go-testutils@v0.0.0-20200624184116-66aa578126db",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -68,7 +73,7 @@ func TestParseGoMod(t *testing.T) {
Name: "github.com/anchore/go-version",
Version: "v1.2.2-0.20200701162849-18adb9c92b9b",
PURL: "pkg:golang/github.com/anchore/go-version@v1.2.2-0.20200701162849-18adb9c92b9b",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -77,7 +82,7 @@ func TestParseGoMod(t *testing.T) {
Name: "github.com/anchore/stereoscope",
Version: "v0.0.0-20200706164556-7cf39d7f4639",
PURL: "pkg:golang/github.com/anchore/stereoscope@v0.0.0-20200706164556-7cf39d7f4639",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -86,7 +91,7 @@ func TestParseGoMod(t *testing.T) {
Name: "github.com/bmatcuk/doublestar",
Version: "v8.8.8",
PURL: "pkg:golang/github.com/bmatcuk/doublestar@v8.8.8",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -95,7 +100,7 @@ func TestParseGoMod(t *testing.T) {
Name: "github.com/go-test/deep",
Version: "v1.0.6",
PURL: "pkg:golang/github.com/go-test/deep@v1.0.6",
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/many-packages")),
Locations: file.NewLocationSet(file.NewLocation("test-fixtures/go-mod-fixtures/many-packages/go.mod")),
Language: pkg.Go,
Type: pkg.GoModulePkg,
Metadata: pkg.GolangModuleEntry{},
@ -179,3 +184,156 @@ func Test_corruptGoMod(t *testing.T) {
WithError().
TestCataloger(t, c)
}
func Test_parseGoSource_packageResolution(t *testing.T) {
tests := []struct {
name string
fixturePath string
config CatalogerConfig
expectedPkgs []string
expectedRels []string
expectedLicenses map[string][]string
}{
{
name: "go-source with direct, transitive, and deps of transitive",
fixturePath: filepath.Join("test-fixtures", "go-source"),
expectedPkgs: []string{
"anchore.io/not/real @ (go.mod)",
"github.com/davecgh/go-spew @ v1.1.1 (go.mod)",
"github.com/go-viper/mapstructure/v2 @ v2.2.1 (go.mod)",
"github.com/google/uuid @ v1.6.0 (go.mod)",
"github.com/pmezard/go-difflib @ v1.0.0 (go.mod)",
"github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
"github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
"github.com/sourcegraph/conc @ v0.3.0 (go.mod)",
"github.com/spf13/afero @ v1.12.0 (go.mod)",
"github.com/spf13/cast @ v1.7.1 (go.mod)",
"github.com/spf13/pflag @ v1.0.6 (go.mod)",
"github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod)",
"github.com/subosito/gotenv @ v1.6.0 (go.mod)",
"go.uber.org/multierr @ v1.10.0 (go.mod)",
"go.uber.org/zap @ v1.27.0 (go.mod)",
"golang.org/x/sys @ v0.33.0 (go.mod)",
"golang.org/x/text @ v0.21.0 (go.mod)",
"gopkg.in/yaml.v3 @ v3.0.1 (go.mod)",
"github.com/fsnotify/fsnotify @ v1.8.0 (go.mod)",
"github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod)",
"github.com/frankban/quicktest @ v1.14.6 (go.mod)",
"github.com/google/go-cmp @ v0.6.0 (go.mod)",
"github.com/kr/pretty @ v0.3.1 (go.mod)",
"github.com/kr/text @ v0.2.0 (go.mod)",
"github.com/rogpeppe/go-internal @ v1.9.0 (go.mod)",
"go.uber.org/goleak @ v1.3.0 (go.mod)",
"gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod)",
},
expectedRels: []string{
"github.com/davecgh/go-spew @ v1.1.1 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
"github.com/frankban/quicktest @ v1.14.6 (go.mod) [dependency-of] github.com/spf13/cast @ v1.7.1 (go.mod)",
"github.com/fsnotify/fsnotify @ v1.8.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/go-viper/mapstructure/v2 @ v2.2.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/google/go-cmp @ v0.6.0 (go.mod) [dependency-of] github.com/frankban/quicktest @ v1.14.6 (go.mod)",
"github.com/google/uuid @ v1.6.0 (go.mod) [dependency-of] anchore.io/not/real @ (go.mod)",
"github.com/kr/pretty @ v0.3.1 (go.mod) [dependency-of] github.com/frankban/quicktest @ v1.14.6 (go.mod)",
"github.com/kr/pretty @ v0.3.1 (go.mod) [dependency-of] gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod)",
"github.com/kr/text @ v0.2.0 (go.mod) [dependency-of] github.com/kr/pretty @ v0.3.1 (go.mod)",
"github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/pmezard/go-difflib @ v1.0.0 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
"github.com/rogpeppe/go-internal @ v1.9.0 (go.mod) [dependency-of] github.com/kr/pretty @ v0.3.1 (go.mod)",
"github.com/sagikazarmark/locafero @ v0.7.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/sirupsen/logrus @ v1.9.3 (go.mod) [dependency-of] anchore.io/not/real @ (go.mod)",
"github.com/sourcegraph/conc @ v0.3.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
"github.com/spf13/afero @ v1.12.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
"github.com/spf13/afero @ v1.12.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/spf13/cast @ v1.7.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/spf13/pflag @ v1.0.6 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/spf13/viper @ v1.20.1 (go.mod) [dependency-of] anchore.io/not/real @ (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] anchore.io/not/real @ (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/pelletier/go-toml/v2 @ v2.2.3 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sagikazarmark/locafero @ v0.7.0 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/sourcegraph/conc @ v0.3.0 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] github.com/subosito/gotenv @ v1.6.0 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] go.uber.org/multierr @ v1.10.0 (go.mod)",
"github.com/stretchr/testify @ v1.10.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
"github.com/subosito/gotenv @ v1.6.0 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"go.uber.org/goleak @ v1.3.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
"go.uber.org/multierr @ v1.10.0 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
"go.uber.org/zap @ v1.27.0 (go.mod) [dependency-of] anchore.io/not/real @ (go.mod)",
"golang.org/x/sys @ v0.33.0 (go.mod) [dependency-of] github.com/fsnotify/fsnotify @ v1.8.0 (go.mod)",
"golang.org/x/sys @ v0.33.0 (go.mod) [dependency-of] github.com/sirupsen/logrus @ v1.9.3 (go.mod)",
"golang.org/x/text @ v0.21.0 (go.mod) [dependency-of] github.com/spf13/afero @ v1.12.0 (go.mod)",
"golang.org/x/text @ v0.21.0 (go.mod) [dependency-of] github.com/subosito/gotenv @ v1.6.0 (go.mod)",
"gopkg.in/check.v1 @ v1.0.0-20190902080502-41f04d3bba15 (go.mod) [dependency-of] gopkg.in/yaml.v3 @ v3.0.1 (go.mod)",
"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] github.com/spf13/viper @ v1.20.1 (go.mod)",
"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] github.com/stretchr/testify @ v1.10.0 (go.mod)",
"gopkg.in/yaml.v3 @ v3.0.1 (go.mod) [dependency-of] go.uber.org/zap @ v1.27.0 (go.mod)",
},
expectedLicenses: map[string][]string{
"github.com/fsnotify/fsnotify": {"BSD-3-Clause"},
"github.com/go-viper/mapstructure/v2": {"MIT"},
"github.com/google/uuid": {"BSD-3-Clause"},
"github.com/pelletier/go-toml/v2": {"MIT"},
"github.com/sagikazarmark/locafero": {"MIT"},
"github.com/sirupsen/logrus": {"MIT"},
"github.com/sourcegraph/conc": {"MIT"},
"github.com/spf13/afero": {"Apache-2.0"},
"github.com/spf13/cast": {"MIT"},
"github.com/spf13/pflag": {"BSD-3-Clause"},
"github.com/spf13/viper": {"MIT"},
"github.com/subosito/gotenv": {"MIT"},
"go.uber.org/multierr": {"MIT"},
"go.uber.org/zap": {"MIT"},
"golang.org/x/sys": {"BSD-3-Clause"},
"golang.org/x/text": {"BSD-3-Clause"},
"gopkg.in/yaml.v3": {"Apache-2.0", "MIT"},
"github.com/davecgh/go-spew": {"ISC"},
"github.com/pmezard/go-difflib": {"BSD-3-Clause"},
"github.com/stretchr/testify": {"MIT"},
"github.com/frankban/quicktest": {"MIT"},
"github.com/google/go-cmp": {"BSD-3-Clause"},
"github.com/kr/text": {"MIT"},
"github.com/kr/pretty": {"MIT"},
"github.com/rogpeppe/go-internal": {"BSD-3-Clause"},
"go.uber.org/goleak": {"MIT"},
"gopkg.in/check.v1": {"BSD-2-Clause"},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
pkgtest.NewCatalogTester().
FromDirectory(t, tt.fixturePath).
ExpectsPackageStrings(tt.expectedPkgs).
ExpectsRelationshipStrings(tt.expectedRels).
ExpectsAssertion(func(t *testing.T, pkgs []pkg.Package, relationships []artifact.Relationship) {
for _, p := range pkgs {
if metadata, ok := p.Metadata.(pkg.GolangSourceEntry); ok {
// Validate that GolangSourceEntry metadata is present but don't assert on specific field values
// since these might vary across development machines
require.IsType(t, pkg.GolangSourceEntry{}, metadata, "expected GolangSourceEntry metadata for package %s", p.Name)
// Verify that the metadata struct is populated (non-zero values indicate go source method was used)
require.NotEmpty(t, metadata, "GolangSourceEntry metadata should not be empty for package %s", p.Name)
}
}
}).
ExpectsAssertion(func(t *testing.T, pkgs []pkg.Package, relationships []artifact.Relationship) {
actualLicenses := make(map[string][]string)
for _, p := range pkgs {
for _, l := range p.Licenses.ToSlice() {
if actualLicenses[p.Name] == nil {
actualLicenses[p.Name] = make([]string, 0)
}
actualLicenses[p.Name] = append(actualLicenses[p.Name], l.Value)
}
}
if diff := cmp.Diff(tt.expectedLicenses, actualLicenses); diff != "" {
t.Errorf("mismatch in licenses (-want +got):\n%s", diff)
}
}).
TestCataloger(t, NewGoModuleFileCataloger(CatalogerConfig{}))
})
}
}

0
syft/pkg/cataloger/golang/test-fixtures/many-packages → syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/many-packages/go.mod
View File

0
syft/pkg/cataloger/golang/test-fixtures/one-package → syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.mod
View File

1
syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/one-package/go.sum Normal file
View File

@ -0,0 +1 @@
github.com/bmatcuk/doublestar v1.3.1/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=

0
syft/pkg/cataloger/golang/test-fixtures/relative-replace → syft/pkg/cataloger/golang/test-fixtures/go-mod-fixtures/relative-replace/go.mod
View File

11
syft/pkg/cataloger/golang/test-fixtures/go-source/cmd/bin1/main.go Normal file
View File

@ -0,0 +1,11 @@
package main
import (
"anchore.io/not/real/pk1"
"anchore.io/not/real/pk2"
)
func main() {
pk1.Test()
pk2.Test()
}

11
syft/pkg/cataloger/golang/test-fixtures/go-source/cmd/bin2/main.go Normal file
View File

@ -0,0 +1,11 @@
package main
import (
"anchore.io/not/real/pk1"
"anchore.io/not/real/pk3"
)
func main() {
pk1.Test()
pk3.Zap()
}

29
syft/pkg/cataloger/golang/test-fixtures/go-source/go.mod Normal file
View File

@ -0,0 +1,29 @@
module anchore.io/not/real
go 1.24.3
require (
github.com/google/uuid v1.6.0
github.com/sirupsen/logrus v1.9.3
github.com/spf13/viper v1.20.1
github.com/stretchr/testify v1.10.0
go.uber.org/zap v1.27.0
)
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fsnotify/fsnotify v1.8.0 // indirect
github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
github.com/pelletier/go-toml/v2 v2.2.3 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.12.0 // indirect
github.com/spf13/cast v1.7.1 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
go.uber.org/multierr v1.10.0 // indirect
golang.org/x/sys v0.33.0 // indirect
golang.org/x/text v0.21.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

60
syft/pkg/cataloger/golang/test-fixtures/go-source/go.sum Normal file
View File

@ -0,0 +1,60 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss=
github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.10.0 h1:S0h4aNzvfcFsC3dRF1jLoaov7oRaKqRGC/pUEJ2yvPQ=
go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

17
syft/pkg/cataloger/golang/test-fixtures/go-source/pk1/pk1.go Normal file
View File

@ -0,0 +1,17 @@
package pk1
import (
"github.com/google/uuid"
log "github.com/sirupsen/logrus"
)
func Test() {
return
}
func NewID() string {
log.WithFields(log.Fields{
"animal": "walrus",
}).Info("A walrus appears")
return uuid.New().String()
}

12
syft/pkg/cataloger/golang/test-fixtures/go-source/pk1/pk1_test.go Normal file
View File

@ -0,0 +1,12 @@
package pk1
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestNewID(t *testing.T) {
id := NewID()
assert.NotEmpty(t, id)
}

5
syft/pkg/cataloger/golang/test-fixtures/go-source/pk2/pk2.go Normal file
View File

@ -0,0 +1,5 @@
package pk2
func Test() {
return
}

20
syft/pkg/cataloger/golang/test-fixtures/go-source/pk3/pk3.go Normal file
View File

@ -0,0 +1,20 @@
package pk3
import (
"time"
"github.com/spf13/viper"
"go.uber.org/zap"
)
func Zap() {
sugar := zap.NewExample().Sugar()
defer sugar.Sync()
sugar.Infow("failed to fetch URL",
"url", "http://example.com",
"attempt", 3,
"backoff", time.Second,
)
sugar.Infof("failed to fetch URL: %s", "http://example.com")
viper.SetDefault("ContentDir", "content")
}

7
syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go
View File

@ -5,6 +5,7 @@ import (
"fmt"
"io"
"os"
"path/filepath"
"sort"
"strings"
"sync"
@ -16,6 +17,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
stereofile "github.com/anchore/stereoscope/pkg/file"
"github.com/anchore/stereoscope/pkg/imagetest"
"github.com/anchore/syft/internal/cmptest"
"github.com/anchore/syft/internal/licenses"
@ -130,11 +132,14 @@ func (p *CatalogTester) FromFile(t *testing.T, path string) *CatalogTester {
return p
}
absPath, err := filepath.Abs(path)
require.NoError(t, err)
fixture, err := os.Open(path)
require.NoError(t, err)
p.reader = file.LocationReadCloser{
Location: file.NewLocation(fixture.Name()),
Location: file.NewVirtualLocationFromDirectory(fixture.Name(), fixture.Name(), *stereofile.NewFileReference(stereofile.Path(absPath))),
ReadCloser: fixture,
}
return p

9
syft/pkg/golang.go
View File

@ -15,3 +15,12 @@ type GolangBinaryBuildinfoEntry struct {
type GolangModuleEntry struct {
H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}
// GolangSourceEntry represents all captured data for a Golang package found through source analysis
type GolangSourceEntry struct {
H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
OperatingSystem string `json:"os,omitempty" cyclonedx:"os"`
Architecture string `json:"architecture,omitempty" cyclonedx:"architecture"`
BuildTags string `json:"buildTags,omitempty" cyclonedx:"buildTags"`
CgoEnabled bool `json:"cgoEnabled" cyclonedx:"cgoEnabled"`
}