Capture file ownership relationships from portage ecosystem (#1702)

* add portage as file owners Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update json schema with NPM files Signed-off-by: Alex Goodman <alex.goodman@anchore.com> --------- Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
2025-11-17 16:33:21 +01:00 · 2023-04-03 09:46:18 -04:00 · 2023-04-03 09:46:18 -04:00 · 681d250fdc
commit 681d250fdc
parent 2022ffa0e5
10 changed files with 1746 additions and 66 deletions
--- a/internal/constants.go
+++ b/internal/constants.go
@ -6,5 +6,5 @@ const (

 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "7.0.1"
+	JSONSchemaVersion = "7.1.0"
 )
--- a/schema/json/schema-7.1.0.json
+++ b/schema/json/schema-7.1.0.json
--- a/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden
+++ b/syft/formats/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden
@ -89,7 +89,7 @@
  }
 },
 "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
 }
 }
--- a/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
+++ b/syft/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
@ -185,7 +185,7 @@
  }
 },
 "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
 }
 }
--- a/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden
+++ b/syft/formats/syftjson/test-fixtures/snapshot/TestImageEncoder.golden
@ -112,7 +112,7 @@
  }
 },
 "schema": {
-  "version": "6.2.0",
-  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-6.2.0.json"
+  "version": "7.1.0",
+  "url": "https://raw.githubusercontent.com/anchore/syft/main/schema/json/schema-7.1.0.json"
 }
 }
--- a/syft/pkg/cataloger/javascript/package.go
+++ b/syft/pkg/cataloger/javascript/package.go
@ -35,6 +35,7 @@ func newPackageJSONPackage(u packageJSON, locations ...source.Location) pkg.Pack
 			URL:         u.Repository.URL,
 			Licenses:    licenses,
 			Private:     u.Private,
+			Description: u.Description,
 		},
 	}

--- a/syft/pkg/cataloger/javascript/parse_package_json_test.go
+++ b/syft/pkg/cataloger/javascript/parse_package_json_test.go
@ -32,6 +32,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{"Artistic-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -52,6 +53,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{"ISC"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -72,6 +74,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{"MIT", "Apache-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -92,6 +95,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    nil,
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -112,6 +116,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -132,6 +137,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://docs.npmjs.com/",
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{"Artistic-2.0"},
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
@ -152,6 +158,7 @@ func TestParsePackageJSON(t *testing.T) {
 					Homepage:    "https://github.com/Raynos/function-bind",
 					URL:         "git://github.com/Raynos/function-bind.git",
 					Licenses:    []string{"MIT"},
+					Description: "Implementation of Function.prototype.bind",
 				},
 			},
 		},
@ -173,6 +180,7 @@ func TestParsePackageJSON(t *testing.T) {
 					URL:         "https://github.com/npm/cli",
 					Licenses:    []string{"Artistic-2.0"},
 					Private:     true,
+					Description: "a package manager for JavaScript",
 				},
 			},
 		},
--- a/syft/pkg/gem_metadata.go
+++ b/syft/pkg/gem_metadata.go
@ -4,6 +4,21 @@ package pkg
 type GemMetadata struct {
 	Name    string `mapstructure:"name" json:"name"`
 	Version string `mapstructure:"version" json:"version"`
+	// note regarding if Files can contribute to GemMetadata being able to implement FileOwner: this list is a
+	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
+	//
+	// For example: The "bundler" gem has a file entry of:
+	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
+	// but the actual file is located at:
+	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
+	// which do not match (the "lib" prefix is missing even for relative processing).
+	//
+	// without additional information about:
+	// 	- the gem installation path
+	// 	- the ruby installation path
+	// 	- the ruby version
+	// 	- environment variables (e.g. GEM_HOME) that may affect the gem installation path
+	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
 	Files    []string `mapstructure:"files" json:"files,omitempty"`
 	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
 	Licenses []string `mapstructure:"licenses" json:"licenses,omitempty"`
--- a/syft/pkg/npm_package_json_metadata.go
+++ b/syft/pkg/npm_package_json_metadata.go
@ -4,7 +4,6 @@ package pkg
 type NpmPackageJSONMetadata struct {
 	Name        string   `mapstructure:"name" json:"name"`
 	Version     string   `mapstructure:"version" json:"version"`
-	Files       []string `mapstructure:"files" json:"files,omitempty"`
 	Author      string   `mapstructure:"author" json:"author"`
 	Licenses    []string `mapstructure:"licenses" json:"licenses"`
 	Homepage    string   `mapstructure:"homepage" json:"homepage"`
--- a/syft/pkg/portage_metadata.go
+++ b/syft/pkg/portage_metadata.go
@ -1,9 +1,15 @@
 package pkg

 import (
+	"sort"
+
+	"github.com/scylladb/go-set/strset"
+
 	"github.com/anchore/syft/syft/file"
 )

+var _ FileOwner = (*PortageMetadata)(nil)
+
 // PortageMetadata represents all captured data for a Package package DB entry.
 type PortageMetadata struct {
 	InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
@ -15,3 +21,15 @@ type PortageFileRecord struct {
 	Path   string       `json:"path"`
 	Digest *file.Digest `json:"digest,omitempty"`
 }
+
+func (m PortageMetadata) OwnedFiles() (result []string) {
+	s := strset.New()
+	for _, f := range m.Files {
+		if f.Path != "" {
+			s.Add(f.Path)
+		}
+	}
+	result = s.List()
+	sort.Strings(result)
+	return result
+}