oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 16:33:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Document additional json schema fields (#4356)

Browse Source 
* add documentation to key fields

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* regenerate json schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This commit is contained in:
Alex Goodman 2025-11-10 16:29:06 -05:00 committed by GitHub
parent 78a4ab8ced
commit 66c78d44af
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
11 changed files with 509 additions and 227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
schema/json/schema-16.0.42.json
View File

@ -130,7 +130,8 @@
"description": "Digests contains file content hashes for integrity verification" "description": "Digests contains file content hashes for integrity verification"
} }
}, },
"type": "object" "type": "object",
"description": "AlpmFileRecord represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman."
}, },
"ApkDbEntry": { "ApkDbEntry": {
"properties": { "properties": {
@ -433,16 +434,19 @@
"CPE": { "CPE": {
"properties": { "properties": {
"cpe": { "cpe": {
"type": "string" "type": "string",
"description": "Value is the CPE string identifier."
}, },
"source": { "source": {
"type": "string" "type": "string",
"description": "Source is the source where this CPE was obtained or generated from."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"cpe" "cpe"
] ],
"description": "CPE represents a Common Platform Enumeration identifier used for matching packages to known vulnerabilities in security databases."
}, },
"ClassifierMatch": { "ClassifierMatch": {
"properties": { "properties": {
@ -747,19 +751,23 @@
"Descriptor": { "Descriptor": {
"properties": { "properties": {
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the name of the tool that generated this SBOM (e.g., \"syft\")."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the version of the tool that generated this SBOM."
}, },
"configuration": true "configuration": {
"description": "Configuration contains the tool configuration used during SBOM generation."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
"name", "name",
"version" "version"
], ],
"description": "Descriptor describes what created the document as well as surrounding metadata" "description": "Descriptor identifies the tool that generated this SBOM document, including its name, version, and configuration used during catalog generation."
}, },
"Digest": { "Digest": {
"properties": { "properties": {
@ -1285,58 +1293,71 @@
"File": { "File": {
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is a unique identifier for this file within the SBOM."
}, },
"location": { "location": {
"$ref": "#/$defs/Coordinates" "$ref": "#/$defs/Coordinates",
"description": "Location is the file path and layer information where this file was found."
}, },
"metadata": { "metadata": {
"$ref": "#/$defs/FileMetadataEntry" "$ref": "#/$defs/FileMetadataEntry",
"description": "Metadata contains filesystem metadata such as permissions, ownership, and file type."
}, },
"contents": { "contents": {
"type": "string" "type": "string",
"description": "Contents is the file contents for small files."
}, },
"digests": { "digests": {
"items": { "items": {
"$ref": "#/$defs/Digest" "$ref": "#/$defs/Digest"
}, },
"type": "array" "type": "array",
"description": "Digests contains cryptographic hashes of the file contents."
}, },
"licenses": { "licenses": {
"items": { "items": {
"$ref": "#/$defs/FileLicense" "$ref": "#/$defs/FileLicense"
}, },
"type": "array" "type": "array",
"description": "Licenses contains license information discovered within this file."
}, },
"executable": { "executable": {
"$ref": "#/$defs/Executable" "$ref": "#/$defs/Executable",
"description": "Executable contains executable metadata if this file is a binary."
}, },
"unknowns": { "unknowns": {
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "Unknowns contains unknown fields for forward compatibility."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"id", "id",
"location" "location"
] ],
"description": "File represents a file discovered during cataloging with its metadata, content digests, licenses, and relationships to packages."
}, },
"FileLicense": { "FileLicense": {
"properties": { "properties": {
"value": { "value": {
"type": "string" "type": "string",
"description": "Value is the raw license identifier or text as found in the file."
}, },
"spdxExpression": { "spdxExpression": {
"type": "string" "type": "string",
"description": "SPDXExpression is the parsed SPDX license expression."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the license type classification (e.g., declared, concluded, discovered)."
}, },
"evidence": { "evidence": {
"$ref": "#/$defs/FileLicenseEvidence" "$ref": "#/$defs/FileLicenseEvidence",
"description": "Evidence contains supporting evidence for this license detection."
} }
}, },
"type": "object", "type": "object",
@ -1344,18 +1365,22 @@
"value", "value",
"spdxExpression", "spdxExpression",
"type" "type"
] ],
"description": "FileLicense represents license information discovered within a file's contents or metadata, including the matched license text and SPDX expression."
}, },
"FileLicenseEvidence": { "FileLicenseEvidence": {
"properties": { "properties": {
"confidence": { "confidence": {
"type": "integer" "type": "integer",
"description": "Confidence is the confidence score for this license detection (0-100)."
}, },
"offset": { "offset": {
"type": "integer" "type": "integer",
"description": "Offset is the byte offset where the license text starts in the file."
}, },
"extent": { "extent": {
"type": "integer" "type": "integer",
"description": "Extent is the length of the license text in bytes."
} }
}, },
"type": "object", "type": "object",
@ -1363,30 +1388,38 @@
"confidence", "confidence",
"offset", "offset",
"extent" "extent"
] ],
"description": "FileLicenseEvidence contains supporting evidence for a license detection in a file, including the byte offset, extent, and confidence level."
}, },
"FileMetadataEntry": { "FileMetadataEntry": {
"properties": { "properties": {
"mode": { "mode": {
"type": "integer" "type": "integer",
"description": "Mode is the Unix file permission mode in octal format."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the file type (e.g., \"RegularFile\", \"Directory\", \"SymbolicLink\")."
}, },
"linkDestination": { "linkDestination": {
"type": "string" "type": "string",
"description": "LinkDestination is the target path for symbolic links."
}, },
"userID": { "userID": {
"type": "integer" "type": "integer",
"description": "UserID is the file owner user ID."
}, },
"groupID": { "groupID": {
"type": "integer" "type": "integer",
"description": "GroupID is the file owner group ID."
}, },
"mimeType": { "mimeType": {
"type": "string" "type": "string",
"description": "MIMEType is the MIME type of the file contents."
}, },
"size": { "size": {
"type": "integer" "type": "integer",
"description": "Size is the file size in bytes."
} }
}, },
"type": "object", "type": "object",
@ -1397,7 +1430,8 @@
"groupID", "groupID",
"mimeType", "mimeType",
"size" "size"
] ],
"description": "FileMetadataEntry contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file."
}, },
"GithubActionsUseStatement": { "GithubActionsUseStatement": {
"properties": { "properties": {
@ -1545,7 +1579,8 @@
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "IDLikes represents a list of distribution IDs that this Linux distribution is similar to or derived from, as defined in os-release ID_LIKE field."
}, },
"JavaArchive": { "JavaArchive": {
"properties": { "properties": {
@ -1974,28 +2009,34 @@
"License": { "License": {
"properties": { "properties": {
"value": { "value": {
"type": "string" "type": "string",
"description": "Value is the raw license identifier or expression as found."
}, },
"spdxExpression": { "spdxExpression": {
"type": "string" "type": "string",
"description": "SPDXExpression is the parsed SPDX license expression."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the license type classification (e.g., declared, concluded, discovered)."
}, },
"urls": { "urls": {
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "URLs are URLs where license text or information can be found."
}, },
"locations": { "locations": {
"items": { "items": {
"$ref": "#/$defs/Location" "$ref": "#/$defs/Location"
}, },
"type": "array" "type": "array",
"description": "Locations are file locations where this license was discovered."
}, },
"contents": { "contents": {
"type": "string" "type": "string",
"description": "Contents is the full license text content."
} }
}, },
"type": "object", "type": "object",
@ -2005,7 +2046,8 @@
"type", "type",
"urls", "urls",
"locations" "locations"
] ],
"description": "License represents software license information discovered for a package, including SPDX expressions and supporting evidence locations."
}, },
"LinuxKernelArchive": { "LinuxKernelArchive": {
"properties": { "properties": {
@ -2130,64 +2172,84 @@
"LinuxRelease": { "LinuxRelease": {
"properties": { "properties": {
"prettyName": { "prettyName": {
"type": "string" "type": "string",
"description": "PrettyName is a human-readable operating system name with version."
}, },
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the operating system name without version information."
}, },
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is the lower-case operating system identifier (e.g., \"ubuntu\", \"rhel\")."
}, },
"idLike": { "idLike": {
"$ref": "#/$defs/IDLikes" "$ref": "#/$defs/IDLikes",
"description": "IDLike is a list of operating system IDs this distribution is similar to or derived from."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the operating system version including codename if available."
}, },
"versionID": { "versionID": {
"type": "string" "type": "string",
"description": "VersionID is the operating system version number or identifier."
}, },
"versionCodename": { "versionCodename": {
"type": "string" "type": "string",
"description": "VersionCodename is the operating system release codename (e.g., \"jammy\", \"bullseye\")."
}, },
"buildID": { "buildID": {
"type": "string" "type": "string",
"description": "BuildID is a build identifier for the operating system."
}, },
"imageID": { "imageID": {
"type": "string" "type": "string",
"description": "ImageID is an identifier for container or cloud images."
}, },
"imageVersion": { "imageVersion": {
"type": "string" "type": "string",
"description": "ImageVersion is the version for container or cloud images."
}, },
"variant": { "variant": {
"type": "string" "type": "string",
"description": "Variant is the operating system variant name (e.g., \"Server\", \"Workstation\")."
}, },
"variantID": { "variantID": {
"type": "string" "type": "string",
"description": "VariantID is the lower-case operating system variant identifier."
}, },
"homeURL": { "homeURL": {
"type": "string" "type": "string",
"description": "HomeURL is the homepage URL for the operating system."
}, },
"supportURL": { "supportURL": {
"type": "string" "type": "string",
"description": "SupportURL is the support or help URL for the operating system."
}, },
"bugReportURL": { "bugReportURL": {
"type": "string" "type": "string",
"description": "BugReportURL is the bug reporting URL for the operating system."
}, },
"privacyPolicyURL": { "privacyPolicyURL": {
"type": "string" "type": "string",
"description": "PrivacyPolicyURL is the privacy policy URL for the operating system."
}, },
"cpeName": { "cpeName": {
"type": "string" "type": "string",
"description": "CPEName is the Common Platform Enumeration name for the operating system."
}, },
"supportEnd": { "supportEnd": {
"type": "string" "type": "string",
"description": "SupportEnd is the end of support date or version identifier."
}, },
"extendedSupport": { "extendedSupport": {
"type": "boolean" "type": "boolean",
"description": "ExtendedSupport indicates whether extended security or support is available."
} }
}, },
"type": "object" "type": "object",
"description": "LinuxRelease contains Linux distribution identification and version information extracted from /etc/os-release or similar system files."
}, },
"Location": { "Location": {
"properties": { "properties": {
@ -2283,7 +2345,7 @@
"product_id", "product_id",
"kb" "kb"
], ],
"description": "MicrosoftKbPatch is slightly odd in how it is expected to map onto data." "description": "MicrosoftKbPatch represents a Windows Knowledge Base patch identifier associated with a specific Microsoft product from the MSRC (Microsoft Security Response Center)."
}, },
"NixDerivation": { "NixDerivation": {
"properties": { "properties": {
@ -3014,7 +3076,8 @@
"type": "object", "type": "object",
"required": [ "required": [
"integrity" "integrity"
] ],
"description": "PnpmLockResolution contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification."
}, },
"PortageDbEntry": { "PortageDbEntry": {
"properties": { "properties": {
@ -3501,22 +3564,28 @@
"Relationship": { "Relationship": {
"properties": { "properties": {
"parent": { "parent": {
"type": "string" "type": "string",
"description": "Parent is the ID of the parent artifact in this relationship."
}, },
"child": { "child": {
"type": "string" "type": "string",
"description": "Child is the ID of the child artifact in this relationship."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the relationship type (e.g., \"contains\", \"dependency-of\", \"ancestor-of\")."
}, },
"metadata": true "metadata": {
"description": "Metadata contains additional relationship-specific metadata."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
"parent", "parent",
"child", "child",
"type" "type"
] ],
"description": "Relationship represents a directed relationship between two artifacts in the SBOM, such as package-contains-file or package-depends-on-package."
}, },
"RpmArchive": { "RpmArchive": {
"properties": { "properties": {
@ -3863,17 +3932,20 @@
"Schema": { "Schema": {
"properties": { "properties": {
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the JSON schema version for this document format."
}, },
"url": { "url": {
"type": "string" "type": "string",
"description": "URL is the URL to the JSON schema definition document."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"version", "version",
"url" "url"
] ],
"description": "Schema specifies the JSON schema version and URL reference that defines the structure and validation rules for this document format."
}, },
"SnapEntry": { "SnapEntry": {
"properties": { "properties": {
@ -3911,21 +3983,28 @@
"Source": { "Source": {
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is a unique identifier for the analyzed source artifact."
}, },
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the name of the analyzed artifact (e.g., image name, directory path)."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the version of the analyzed artifact (e.g., image tag)."
}, },
"supplier": { "supplier": {
"type": "string" "type": "string",
"description": "Supplier is supplier information, which can be user-provided for NTIA minimum elements compliance."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the source type (e.g., \"image\", \"directory\", \"file\")."
}, },
"metadata": true "metadata": {
"description": "Metadata contains additional source-specific metadata."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
@ -3935,7 +4014,7 @@
"type", "type",
"metadata" "metadata"
], ],
"description": "Instead, the Supplier can be determined by the user of syft and passed as a config or flag to help fulfill the NTIA minimum elements." "description": "Source represents the artifact that was analyzed to generate this SBOM, such as a container image, directory, or file archive."
}, },
"SwiftPackageManagerLockEntry": { "SwiftPackageManagerLockEntry": {
"properties": { "properties": {

237
schema/json/schema-latest.json
View File

@ -130,7 +130,8 @@
"description": "Digests contains file content hashes for integrity verification" "description": "Digests contains file content hashes for integrity verification"
} }
}, },
"type": "object" "type": "object",
"description": "AlpmFileRecord represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman."
}, },
"ApkDbEntry": { "ApkDbEntry": {
"properties": { "properties": {
@ -433,16 +434,19 @@
"CPE": { "CPE": {
"properties": { "properties": {
"cpe": { "cpe": {
"type": "string" "type": "string",
"description": "Value is the CPE string identifier."
}, },
"source": { "source": {
"type": "string" "type": "string",
"description": "Source is the source where this CPE was obtained or generated from."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"cpe" "cpe"
] ],
"description": "CPE represents a Common Platform Enumeration identifier used for matching packages to known vulnerabilities in security databases."
}, },
"ClassifierMatch": { "ClassifierMatch": {
"properties": { "properties": {
@ -747,19 +751,23 @@
"Descriptor": { "Descriptor": {
"properties": { "properties": {
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the name of the tool that generated this SBOM (e.g., \"syft\")."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the version of the tool that generated this SBOM."
}, },
"configuration": true "configuration": {
"description": "Configuration contains the tool configuration used during SBOM generation."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
"name", "name",
"version" "version"
], ],
"description": "Descriptor describes what created the document as well as surrounding metadata" "description": "Descriptor identifies the tool that generated this SBOM document, including its name, version, and configuration used during catalog generation."
}, },
"Digest": { "Digest": {
"properties": { "properties": {
@ -1285,58 +1293,71 @@
"File": { "File": {
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is a unique identifier for this file within the SBOM."
}, },
"location": { "location": {
"$ref": "#/$defs/Coordinates" "$ref": "#/$defs/Coordinates",
"description": "Location is the file path and layer information where this file was found."
}, },
"metadata": { "metadata": {
"$ref": "#/$defs/FileMetadataEntry" "$ref": "#/$defs/FileMetadataEntry",
"description": "Metadata contains filesystem metadata such as permissions, ownership, and file type."
}, },
"contents": { "contents": {
"type": "string" "type": "string",
"description": "Contents is the file contents for small files."
}, },
"digests": { "digests": {
"items": { "items": {
"$ref": "#/$defs/Digest" "$ref": "#/$defs/Digest"
}, },
"type": "array" "type": "array",
"description": "Digests contains cryptographic hashes of the file contents."
}, },
"licenses": { "licenses": {
"items": { "items": {
"$ref": "#/$defs/FileLicense" "$ref": "#/$defs/FileLicense"
}, },
"type": "array" "type": "array",
"description": "Licenses contains license information discovered within this file."
}, },
"executable": { "executable": {
"$ref": "#/$defs/Executable" "$ref": "#/$defs/Executable",
"description": "Executable contains executable metadata if this file is a binary."
}, },
"unknowns": { "unknowns": {
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "Unknowns contains unknown fields for forward compatibility."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"id", "id",
"location" "location"
] ],
"description": "File represents a file discovered during cataloging with its metadata, content digests, licenses, and relationships to packages."
}, },
"FileLicense": { "FileLicense": {
"properties": { "properties": {
"value": { "value": {
"type": "string" "type": "string",
"description": "Value is the raw license identifier or text as found in the file."
}, },
"spdxExpression": { "spdxExpression": {
"type": "string" "type": "string",
"description": "SPDXExpression is the parsed SPDX license expression."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the license type classification (e.g., declared, concluded, discovered)."
}, },
"evidence": { "evidence": {
"$ref": "#/$defs/FileLicenseEvidence" "$ref": "#/$defs/FileLicenseEvidence",
"description": "Evidence contains supporting evidence for this license detection."
} }
}, },
"type": "object", "type": "object",
@ -1344,18 +1365,22 @@
"value", "value",
"spdxExpression", "spdxExpression",
"type" "type"
] ],
"description": "FileLicense represents license information discovered within a file's contents or metadata, including the matched license text and SPDX expression."
}, },
"FileLicenseEvidence": { "FileLicenseEvidence": {
"properties": { "properties": {
"confidence": { "confidence": {
"type": "integer" "type": "integer",
"description": "Confidence is the confidence score for this license detection (0-100)."
}, },
"offset": { "offset": {
"type": "integer" "type": "integer",
"description": "Offset is the byte offset where the license text starts in the file."
}, },
"extent": { "extent": {
"type": "integer" "type": "integer",
"description": "Extent is the length of the license text in bytes."
} }
}, },
"type": "object", "type": "object",
@ -1363,30 +1388,38 @@
"confidence", "confidence",
"offset", "offset",
"extent" "extent"
] ],
"description": "FileLicenseEvidence contains supporting evidence for a license detection in a file, including the byte offset, extent, and confidence level."
}, },
"FileMetadataEntry": { "FileMetadataEntry": {
"properties": { "properties": {
"mode": { "mode": {
"type": "integer" "type": "integer",
"description": "Mode is the Unix file permission mode in octal format."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the file type (e.g., \"RegularFile\", \"Directory\", \"SymbolicLink\")."
}, },
"linkDestination": { "linkDestination": {
"type": "string" "type": "string",
"description": "LinkDestination is the target path for symbolic links."
}, },
"userID": { "userID": {
"type": "integer" "type": "integer",
"description": "UserID is the file owner user ID."
}, },
"groupID": { "groupID": {
"type": "integer" "type": "integer",
"description": "GroupID is the file owner group ID."
}, },
"mimeType": { "mimeType": {
"type": "string" "type": "string",
"description": "MIMEType is the MIME type of the file contents."
}, },
"size": { "size": {
"type": "integer" "type": "integer",
"description": "Size is the file size in bytes."
} }
}, },
"type": "object", "type": "object",
@ -1397,7 +1430,8 @@
"groupID", "groupID",
"mimeType", "mimeType",
"size" "size"
] ],
"description": "FileMetadataEntry contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file."
}, },
"GithubActionsUseStatement": { "GithubActionsUseStatement": {
"properties": { "properties": {
@ -1545,7 +1579,8 @@
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "IDLikes represents a list of distribution IDs that this Linux distribution is similar to or derived from, as defined in os-release ID_LIKE field."
}, },
"JavaArchive": { "JavaArchive": {
"properties": { "properties": {
@ -1974,28 +2009,34 @@
"License": { "License": {
"properties": { "properties": {
"value": { "value": {
"type": "string" "type": "string",
"description": "Value is the raw license identifier or expression as found."
}, },
"spdxExpression": { "spdxExpression": {
"type": "string" "type": "string",
"description": "SPDXExpression is the parsed SPDX license expression."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the license type classification (e.g., declared, concluded, discovered)."
}, },
"urls": { "urls": {
"items": { "items": {
"type": "string" "type": "string"
}, },
"type": "array" "type": "array",
"description": "URLs are URLs where license text or information can be found."
}, },
"locations": { "locations": {
"items": { "items": {
"$ref": "#/$defs/Location" "$ref": "#/$defs/Location"
}, },
"type": "array" "type": "array",
"description": "Locations are file locations where this license was discovered."
}, },
"contents": { "contents": {
"type": "string" "type": "string",
"description": "Contents is the full license text content."
} }
}, },
"type": "object", "type": "object",
@ -2005,7 +2046,8 @@
"type", "type",
"urls", "urls",
"locations" "locations"
] ],
"description": "License represents software license information discovered for a package, including SPDX expressions and supporting evidence locations."
}, },
"LinuxKernelArchive": { "LinuxKernelArchive": {
"properties": { "properties": {
@ -2130,64 +2172,84 @@
"LinuxRelease": { "LinuxRelease": {
"properties": { "properties": {
"prettyName": { "prettyName": {
"type": "string" "type": "string",
"description": "PrettyName is a human-readable operating system name with version."
}, },
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the operating system name without version information."
}, },
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is the lower-case operating system identifier (e.g., \"ubuntu\", \"rhel\")."
}, },
"idLike": { "idLike": {
"$ref": "#/$defs/IDLikes" "$ref": "#/$defs/IDLikes",
"description": "IDLike is a list of operating system IDs this distribution is similar to or derived from."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the operating system version including codename if available."
}, },
"versionID": { "versionID": {
"type": "string" "type": "string",
"description": "VersionID is the operating system version number or identifier."
}, },
"versionCodename": { "versionCodename": {
"type": "string" "type": "string",
"description": "VersionCodename is the operating system release codename (e.g., \"jammy\", \"bullseye\")."
}, },
"buildID": { "buildID": {
"type": "string" "type": "string",
"description": "BuildID is a build identifier for the operating system."
}, },
"imageID": { "imageID": {
"type": "string" "type": "string",
"description": "ImageID is an identifier for container or cloud images."
}, },
"imageVersion": { "imageVersion": {
"type": "string" "type": "string",
"description": "ImageVersion is the version for container or cloud images."
}, },
"variant": { "variant": {
"type": "string" "type": "string",
"description": "Variant is the operating system variant name (e.g., \"Server\", \"Workstation\")."
}, },
"variantID": { "variantID": {
"type": "string" "type": "string",
"description": "VariantID is the lower-case operating system variant identifier."
}, },
"homeURL": { "homeURL": {
"type": "string" "type": "string",
"description": "HomeURL is the homepage URL for the operating system."
}, },
"supportURL": { "supportURL": {
"type": "string" "type": "string",
"description": "SupportURL is the support or help URL for the operating system."
}, },
"bugReportURL": { "bugReportURL": {
"type": "string" "type": "string",
"description": "BugReportURL is the bug reporting URL for the operating system."
}, },
"privacyPolicyURL": { "privacyPolicyURL": {
"type": "string" "type": "string",
"description": "PrivacyPolicyURL is the privacy policy URL for the operating system."
}, },
"cpeName": { "cpeName": {
"type": "string" "type": "string",
"description": "CPEName is the Common Platform Enumeration name for the operating system."
}, },
"supportEnd": { "supportEnd": {
"type": "string" "type": "string",
"description": "SupportEnd is the end of support date or version identifier."
}, },
"extendedSupport": { "extendedSupport": {
"type": "boolean" "type": "boolean",
"description": "ExtendedSupport indicates whether extended security or support is available."
} }
}, },
"type": "object" "type": "object",
"description": "LinuxRelease contains Linux distribution identification and version information extracted from /etc/os-release or similar system files."
}, },
"Location": { "Location": {
"properties": { "properties": {
@ -2283,7 +2345,7 @@
"product_id", "product_id",
"kb" "kb"
], ],
"description": "MicrosoftKbPatch is slightly odd in how it is expected to map onto data." "description": "MicrosoftKbPatch represents a Windows Knowledge Base patch identifier associated with a specific Microsoft product from the MSRC (Microsoft Security Response Center)."
}, },
"NixDerivation": { "NixDerivation": {
"properties": { "properties": {
@ -3014,7 +3076,8 @@
"type": "object", "type": "object",
"required": [ "required": [
"integrity" "integrity"
] ],
"description": "PnpmLockResolution contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification."
}, },
"PortageDbEntry": { "PortageDbEntry": {
"properties": { "properties": {
@ -3501,22 +3564,28 @@
"Relationship": { "Relationship": {
"properties": { "properties": {
"parent": { "parent": {
"type": "string" "type": "string",
"description": "Parent is the ID of the parent artifact in this relationship."
}, },
"child": { "child": {
"type": "string" "type": "string",
"description": "Child is the ID of the child artifact in this relationship."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the relationship type (e.g., \"contains\", \"dependency-of\", \"ancestor-of\")."
}, },
"metadata": true "metadata": {
"description": "Metadata contains additional relationship-specific metadata."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
"parent", "parent",
"child", "child",
"type" "type"
] ],
"description": "Relationship represents a directed relationship between two artifacts in the SBOM, such as package-contains-file or package-depends-on-package."
}, },
"RpmArchive": { "RpmArchive": {
"properties": { "properties": {
@ -3863,17 +3932,20 @@
"Schema": { "Schema": {
"properties": { "properties": {
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the JSON schema version for this document format."
}, },
"url": { "url": {
"type": "string" "type": "string",
"description": "URL is the URL to the JSON schema definition document."
} }
}, },
"type": "object", "type": "object",
"required": [ "required": [
"version", "version",
"url" "url"
] ],
"description": "Schema specifies the JSON schema version and URL reference that defines the structure and validation rules for this document format."
}, },
"SnapEntry": { "SnapEntry": {
"properties": { "properties": {
@ -3911,21 +3983,28 @@
"Source": { "Source": {
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string",
"description": "ID is a unique identifier for the analyzed source artifact."
}, },
"name": { "name": {
"type": "string" "type": "string",
"description": "Name is the name of the analyzed artifact (e.g., image name, directory path)."
}, },
"version": { "version": {
"type": "string" "type": "string",
"description": "Version is the version of the analyzed artifact (e.g., image tag)."
}, },
"supplier": { "supplier": {
"type": "string" "type": "string",
"description": "Supplier is supplier information, which can be user-provided for NTIA minimum elements compliance."
}, },
"type": { "type": {
"type": "string" "type": "string",
"description": "Type is the source type (e.g., \"image\", \"directory\", \"file\")."
}, },
"metadata": true "metadata": {
"description": "Metadata contains additional source-specific metadata."
}
}, },
"type": "object", "type": "object",
"required": [ "required": [
@ -3935,7 +4014,7 @@
"type", "type",
"metadata" "metadata"
], ],
"description": "Instead, the Supplier can be determined by the user of syft and passed as a config or flag to help fulfill the NTIA minimum elements." "description": "Source represents the artifact that was analyzed to generate this SBOM, such as a container image, directory, or file archive."
}, },
"SwiftPackageManagerLockEntry": { "SwiftPackageManagerLockEntry": {
"properties": { "properties": {

17
syft/format/syftjson/model/document.go
View File

@ -35,14 +35,23 @@ func (d *Document) UnmarshalJSON(data []byte) error {
return nil return nil
} }
// Descriptor describes what created the document as well as surrounding metadata // Descriptor identifies the tool that generated this SBOM document, including its name, version, and configuration used during catalog generation.
type Descriptor struct { type Descriptor struct {
Name string `json:"name"` // Name is the name of the tool that generated this SBOM (e.g., "syft").
Version string `json:"version"` Name string `json:"name"`
// Version is the version of the tool that generated this SBOM.
Version string `json:"version"`
// Configuration contains the tool configuration used during SBOM generation.
Configuration interface{} `json:"configuration,omitempty"` Configuration interface{} `json:"configuration,omitempty"`
} }
// Schema specifies the JSON schema version and URL reference that defines the structure and validation rules for this document format.
type Schema struct { type Schema struct {
// Version is the JSON schema version for this document format.
Version string `json:"version"` Version string `json:"version"`
URL string `json:"url"`
// URL is the URL to the JSON schema definition document.
URL string `json:"url"`
} }

84
syft/format/syftjson/model/file.go
View File

@ -10,25 +10,55 @@ import (
"github.com/anchore/syft/syft/license" "github.com/anchore/syft/syft/license"
) )
// File represents a file discovered during cataloging with its metadata, content digests, licenses, and relationships to packages.
type File struct { type File struct {
ID string `json:"id"` // ID is a unique identifier for this file within the SBOM.
Location file.Coordinates `json:"location"` ID string `json:"id"`
Metadata *FileMetadataEntry `json:"metadata,omitempty"`
Contents string `json:"contents,omitempty"` // Location is the file path and layer information where this file was found.
Digests []file.Digest `json:"digests,omitempty"` Location file.Coordinates `json:"location"`
Licenses []FileLicense `json:"licenses,omitempty"`
Executable *file.Executable `json:"executable,omitempty"` // Metadata contains filesystem metadata such as permissions, ownership, and file type.
Unknowns []string `json:"unknowns,omitempty"` Metadata *FileMetadataEntry `json:"metadata,omitempty"`
// Contents is the file contents for small files.
Contents string `json:"contents,omitempty"`
// Digests contains cryptographic hashes of the file contents.
Digests []file.Digest `json:"digests,omitempty"`
// Licenses contains license information discovered within this file.
Licenses []FileLicense `json:"licenses,omitempty"`
// Executable contains executable metadata if this file is a binary.
Executable *file.Executable `json:"executable,omitempty"`
// Unknowns contains unknown fields for forward compatibility.
Unknowns []string `json:"unknowns,omitempty"`
} }
// FileMetadataEntry contains filesystem-level metadata attributes such as permissions, ownership, type, and size for a cataloged file.
type FileMetadataEntry struct { type FileMetadataEntry struct {
Mode int `json:"mode"` // Mode is the Unix file permission mode in octal format.
Type string `json:"type"` Mode int `json:"mode"`
// Type is the file type (e.g., "RegularFile", "Directory", "SymbolicLink").
Type string `json:"type"`
// LinkDestination is the target path for symbolic links.
LinkDestination string `json:"linkDestination,omitempty"` LinkDestination string `json:"linkDestination,omitempty"`
UserID int `json:"userID"`
GroupID int `json:"groupID"` // UserID is the file owner user ID.
MIMEType string `json:"mimeType"` UserID int `json:"userID"`
Size int64 `json:"size"`
// GroupID is the file owner group ID.
GroupID int `json:"groupID"`
// MIMEType is the MIME type of the file contents.
MIMEType string `json:"mimeType"`
// Size is the file size in bytes.
Size int64 `json:"size"`
} }
type auxFileMetadataEntry FileMetadataEntry type auxFileMetadataEntry FileMetadataEntry
@ -82,17 +112,31 @@ type sbomImportLegacyFileMetadataEntry struct {
Size int64 `json:"Size"` Size int64 `json:"Size"`
} }
// FileLicense represents license information discovered within a file's contents or metadata, including the matched license text and SPDX expression.
type FileLicense struct { type FileLicense struct {
Value string `json:"value"` // Value is the raw license identifier or text as found in the file.
SPDXExpression string `json:"spdxExpression"` Value string `json:"value"`
Type license.Type `json:"type"`
Evidence *FileLicenseEvidence `json:"evidence,omitempty"` // SPDXExpression is the parsed SPDX license expression.
SPDXExpression string `json:"spdxExpression"`
// Type is the license type classification (e.g., declared, concluded, discovered).
Type license.Type `json:"type"`
// Evidence contains supporting evidence for this license detection.
Evidence *FileLicenseEvidence `json:"evidence,omitempty"`
} }
// FileLicenseEvidence contains supporting evidence for a license detection in a file, including the byte offset, extent, and confidence level.
type FileLicenseEvidence struct { type FileLicenseEvidence struct {
// Confidence is the confidence score for this license detection (0-100).
Confidence int `json:"confidence"` Confidence int `json:"confidence"`
Offset int `json:"offset"`
Extent int `json:"extent"` // Offset is the byte offset where the license text starts in the file.
Offset int `json:"offset"`
// Extent is the length of the license text in bytes.
Extent int `json:"extent"`
} }
type intOrStringFileType struct { type intOrStringFileType struct {

77
syft/format/syftjson/model/linux_release.go
View File

@ -4,28 +4,67 @@ import (
"encoding/json" "encoding/json"
) )
// IDLikes represents a list of distribution IDs that this Linux distribution is similar to or derived from, as defined in os-release ID_LIKE field.
type IDLikes []string type IDLikes []string
// LinuxRelease contains Linux distribution identification and version information extracted from /etc/os-release or similar system files.
type LinuxRelease struct { type LinuxRelease struct {
PrettyName string `json:"prettyName,omitempty"` // PrettyName is a human-readable operating system name with version.
Name string `json:"name,omitempty"` PrettyName string `json:"prettyName,omitempty"`
ID string `json:"id,omitempty"`
IDLike IDLikes `json:"idLike,omitempty"` // Name is the operating system name without version information.
Version string `json:"version,omitempty"` Name string `json:"name,omitempty"`
VersionID string `json:"versionID,omitempty"`
VersionCodename string `json:"versionCodename,omitempty"` // ID is the lower-case operating system identifier (e.g., "ubuntu", "rhel").
BuildID string `json:"buildID,omitempty"` ID string `json:"id,omitempty"`
ImageID string `json:"imageID,omitempty"`
ImageVersion string `json:"imageVersion,omitempty"` // IDLike is a list of operating system IDs this distribution is similar to or derived from.
Variant string `json:"variant,omitempty"` IDLike IDLikes `json:"idLike,omitempty"`
VariantID string `json:"variantID,omitempty"`
HomeURL string `json:"homeURL,omitempty"` // Version is the operating system version including codename if available.
SupportURL string `json:"supportURL,omitempty"` Version string `json:"version,omitempty"`
BugReportURL string `json:"bugReportURL,omitempty"`
PrivacyPolicyURL string `json:"privacyPolicyURL,omitempty"` // VersionID is the operating system version number or identifier.
CPEName string `json:"cpeName,omitempty"` VersionID string `json:"versionID,omitempty"`
SupportEnd string `json:"supportEnd,omitempty"`
ExtendedSupport bool `json:"extendedSupport,omitempty"` // VersionCodename is the operating system release codename (e.g., "jammy", "bullseye").
VersionCodename string `json:"versionCodename,omitempty"`
// BuildID is a build identifier for the operating system.
BuildID string `json:"buildID,omitempty"`
// ImageID is an identifier for container or cloud images.
ImageID string `json:"imageID,omitempty"`
// ImageVersion is the version for container or cloud images.
ImageVersion string `json:"imageVersion,omitempty"`
// Variant is the operating system variant name (e.g., "Server", "Workstation").
Variant string `json:"variant,omitempty"`
// VariantID is the lower-case operating system variant identifier.
VariantID string `json:"variantID,omitempty"`
// HomeURL is the homepage URL for the operating system.
HomeURL string `json:"homeURL,omitempty"`
// SupportURL is the support or help URL for the operating system.
SupportURL string `json:"supportURL,omitempty"`
// BugReportURL is the bug reporting URL for the operating system.
BugReportURL string `json:"bugReportURL,omitempty"`
// PrivacyPolicyURL is the privacy policy URL for the operating system.
PrivacyPolicyURL string `json:"privacyPolicyURL,omitempty"`
// CPEName is the Common Platform Enumeration name for the operating system.
CPEName string `json:"cpeName,omitempty"`
// SupportEnd is the end of support date or version identifier.
SupportEnd string `json:"supportEnd,omitempty"`
// ExtendedSupport indicates whether extended security or support is available.
ExtendedSupport bool `json:"extendedSupport,omitempty"`
} }
func (s *IDLikes) UnmarshalJSON(data []byte) error { func (s *IDLikes) UnmarshalJSON(data []byte) error {

32
syft/format/syftjson/model/package.go
View File

@ -36,22 +36,40 @@ type PackageBasicData struct {
PURL string `json:"purl"` PURL string `json:"purl"`
} }
// cpes is a collection of Common Platform Enumeration identifiers for a package.
type cpes []CPE type cpes []CPE
// CPE represents a Common Platform Enumeration identifier used for matching packages to known vulnerabilities in security databases.
type CPE struct { type CPE struct {
Value string `json:"cpe"` // Value is the CPE string identifier.
Value string `json:"cpe"`
// Source is the source where this CPE was obtained or generated from.
Source string `json:"source,omitempty"` Source string `json:"source,omitempty"`
} }
// licenses is a collection of license findings associated with a package.
type licenses []License type licenses []License
// License represents software license information discovered for a package, including SPDX expressions and supporting evidence locations.
type License struct { type License struct {
Value string `json:"value"` // Value is the raw license identifier or expression as found.
SPDXExpression string `json:"spdxExpression"` Value string `json:"value"`
Type license.Type `json:"type"`
URLs []string `json:"urls"` // SPDXExpression is the parsed SPDX license expression.
Locations []file.Location `json:"locations"` SPDXExpression string `json:"spdxExpression"`
Contents string `json:"contents,omitempty"`
// Type is the license type classification (e.g., declared, concluded, discovered).
Type license.Type `json:"type"`
// URLs are URLs where license text or information can be found.
URLs []string `json:"urls"`
// Locations are file locations where this license was discovered.
Locations []file.Location `json:"locations"`
// Contents is the full license text content.
Contents string `json:"contents,omitempty"`
} }
func newModelLicensesFromValues(licenses []string) (ml []License) { func newModelLicensesFromValues(licenses []string) (ml []License) {

14
syft/format/syftjson/model/relationship.go
View File

@ -1,8 +1,16 @@
package model package model
// Relationship represents a directed relationship between two artifacts in the SBOM, such as package-contains-file or package-depends-on-package.
type Relationship struct { type Relationship struct {
Parent string `json:"parent"` // Parent is the ID of the parent artifact in this relationship.
Child string `json:"child"` Parent string `json:"parent"`
Type string `json:"type"`
// Child is the ID of the child artifact in this relationship.
Child string `json:"child"`
// Type is the relationship type (e.g., "contains", "dependency-of", "ancestor-of").
Type string `json:"type"`
// Metadata contains additional relationship-specific metadata.
Metadata interface{} `json:"metadata,omitempty"` Metadata interface{} `json:"metadata,omitempty"`
} }

29
syft/format/syftjson/model/source.go
View File

@ -11,18 +11,25 @@ import (
"github.com/anchore/syft/syft/source" "github.com/anchore/syft/syft/source"
) )
// Source object represents the thing that was cataloged // Source represents the artifact that was analyzed to generate this SBOM, such as a container image, directory, or file archive.
// Note: syft currently makes no claims or runs any logic to determine the Supplier field below // The Supplier field can be provided by users to fulfill NTIA minimum elements requirements.
// Instead, the Supplier can be determined by the user of syft and passed as a config or flag to help fulfill
// the NTIA minimum elements. For mor information see the NTIA framing document below
// https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf
type Source struct { type Source struct {
ID string `json:"id"` // ID is a unique identifier for the analyzed source artifact.
Name string `json:"name"` ID string `json:"id"`
Version string `json:"version"`
Supplier string `json:"supplier,omitempty"` // Name is the name of the analyzed artifact (e.g., image name, directory path).
Type string `json:"type"` Name string `json:"name"`
// Version is the version of the analyzed artifact (e.g., image tag).
Version string `json:"version"`
// Supplier is supplier information, which can be user-provided for NTIA minimum elements compliance.
Supplier string `json:"supplier,omitempty"`
// Type is the source type (e.g., "image", "directory", "file").
Type string `json:"type"`
// Metadata contains additional source-specific metadata.
Metadata interface{} `json:"metadata"` Metadata interface{} `json:"metadata"`
} }

1
syft/pkg/alpm.go
View File

@ -58,6 +58,7 @@ type AlpmDBEntry struct {
Depends []string `mapstructure:"depends" json:"depends,omitempty"` Depends []string `mapstructure:"depends" json:"depends,omitempty"`
} }
// AlpmFileRecord represents a single file entry within an Arch Linux package with its associated metadata tracked by pacman.
type AlpmFileRecord struct { type AlpmFileRecord struct {
// Path is the file path relative to the filesystem root // Path is the file path relative to the filesystem root
Path string `mapstruture:"path" json:"path,omitempty"` Path string `mapstruture:"path" json:"path,omitempty"`

7
syft/pkg/microsoft.go
View File

@ -1,10 +1,7 @@
package pkg package pkg
// MicrosoftKbPatch is slightly odd in how it is expected to map onto data. // MicrosoftKbPatch represents a Windows Knowledge Base patch identifier associated with a specific Microsoft product from the MSRC (Microsoft Security Response Center).
// This is critical to grasp because there is no MSRC cataloger. The `ProductID` // This type captures both the product being patched and the KB article number for the update.
// field is expected to be the MSRC Product ID, for example:
// "Windows 10 Version 1703 for 32-bit Systems".
// `Kb` is expected to be the actual KB number, for example "5001028"
type MicrosoftKbPatch struct { type MicrosoftKbPatch struct {
// ProductID is MSRC Product ID (e.g. "Windows 10 Version 1703 for 32-bit Systems") // ProductID is MSRC Product ID (e.g. "Windows 10 Version 1703 for 32-bit Systems")
ProductID string `toml:"product_id" json:"product_id"` ProductID string `toml:"product_id" json:"product_id"`

1
syft/pkg/npm.go
View File

@ -48,6 +48,7 @@ type YarnLockEntry struct {
Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"` Dependencies map[string]string `mapstructure:"dependencies" json:"dependencies"`
} }
// PnpmLockResolution contains package resolution metadata from pnpm lockfiles, including the integrity hash used for verification.
type PnpmLockResolution struct { type PnpmLockResolution struct {
// Integrity is Subresource Integrity hash for verification (SRI format) // Integrity is Subresource Integrity hash for verification (SRI format)
Integrity string `mapstructure:"integrity" json:"integrity"` Integrity string `mapstructure:"integrity" json:"integrity"`