feat: index known CPEs for go modules (#2816)

Signed-off-by: Weston Steimel <commits@weston.slmail.me>
2025-11-17 08:23:15 +01:00 · 2024-04-26 14:55:05 +01:00 · 2024-04-26 14:55:05 +01:00 · 8640f978ba
commit 8640f978ba
parent 13b06dad45
7 changed files with 226 additions and 0 deletions
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
@ -1,5 +1,138 @@
 {
  "ecosystems": {
+    "go_modules": {
+      "aahframe.work": [
+        "cpe:2.3:a:aahframework:aah:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/Masterminds/goutils": [
+        "cpe:2.3:a:goutils_project:goutils:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/SimonWaldherr/zplgfa": [
+        "cpe:2.3:a:simonwaldherr:zplgfa:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/apptainer/apptainer": [
+        "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/aws/aws-sdk-go": [
+        "cpe:2.3:a:amazon:aws_software_development_kit:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/b3log/wide": [
+        "cpe:2.3:a:wide_project:wide:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/charmbracelet/soft-serve": [
+        "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/containers/psgo": [
+        "cpe:2.3:a:psgo_project:psgo:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/crewjam/saml": [
+        "cpe:2.3:a:saml_project:saml:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/deis/workflow-manager#section-readme": [
+        "cpe:2.3:a:deis:workflow_manager:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/disintegration/imaging": [
+        "cpe:2.3:a:disintegration:imaging:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/ecnepsnai/web": [
+        "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/free5gc/udm": [
+        "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/ginuerzh/gost": [
+        "cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/go-resty/resty/v2": [
+        "cpe:2.3:a:resty_project:resty:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/gofiber/template/django": [
+        "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/gofiber/template/django/v2": [
+        "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/gofiber/template/django/v3": [
+        "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/gookit/goutil": [
+        "cpe:2.3:a:go_util_project:go_util:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/hamba/avro/v2": [
+        "cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/jumpserver/koko/pkg/koko": [
+        "cpe:2.3:a:fit2cloud:koko:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/libp2p/go-libp2p": [
+        "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/mojocn/base64Captcha": [
+        "cpe:2.3:a:mojotv:base64captcha:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/moov-io/signedxml": [
+        "cpe:2.3:a:moov:signedxml:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/mukul-shaunik/play-with-docker": [
+        "cpe:2.3:a:play-with-docker:play_with_docker:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/nektos/act/pkg/model": [
+        "cpe:2.3:a:act_project:act:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/notaryproject/notation-go": [
+        "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*"
+      ],
+      "github.com/ntbosscher/gobase": [
+        "cpe:2.3:a:gobase_project:gobase:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/proglottis/gpgme": [
+        "cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/sap/cloud-security-client-go": [
+        "cpe:2.3:a:sap:cloud-security-client-go:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/sigstore/gitsign": [
+        "cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/square/squalor": [
+        "cpe:2.3:a:square:squalor:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/valyala/fasthttp": [
+        "cpe:2.3:a:fasthttp_project:fasthttp:*:*:*:*:*:*:*:*"
+      ],
+      "github.com/whilp/git-urls": [
+        "cpe:2.3:a:git-urls_project:git-urls:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/crypto/ssh": [
+        "cpe:2.3:a:golang:package_ssh:*:*:*:*:*:*:*:*",
+        "cpe:2.3:a:golang:ssh:*:*:*:*:*:*:*:*"
+      ],
+      "golang.org/x/image": [
+        "cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/image/tiff": [
+        "cpe:2.3:a:golang:tiff:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/net": [
+        "cpe:2.3:a:golang:networking:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/net/http2": [
+        "cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*",
+        "cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/net/http2/h2c": [
+        "cpe:2.3:a:golang:h2c:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/net/http2/hpack": [
+        "cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:*"
+      ],
+      "golang.org/x/text": [
+        "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*"
+      ],
+      "gopkg.in/yaml.v3": [
+        "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*"
+      ]
+    },
    "jenkins_plugins": {
      "DotCi": [
        "cpe:2.3:a:jenkins:dotci:*:*:*:*:*:jenkins:*:*"
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
@ -115,6 +115,7 @@ const (
 	prefixForPHPPecl              = "https://pecl.php.net/"
 	prefixForPHPPeclHTTP          = "http://pecl.php.net/"
 	prefixForPHPComposer          = "https://packagist.org/packages/"
+	prefixForGoModules            = "https://pkg.go.dev/"
 )

 // indexCPEList creates an index of CPEs by ecosystem.
@ -160,6 +161,9 @@ func indexCPEList(list CpeList) *dictionary.Indexed {

 			case strings.HasPrefix(ref, prefixForPHPComposer):
 				addEntryForPHPComposerPackage(indexed, ref, cpeItemName)
+
+			case strings.HasPrefix(ref, prefixForGoModules):
+				addEntryForGoModulePackage(indexed, ref, cpeItemName)
 			}
 		}
 	}
@ -312,3 +316,16 @@ func addEntryForPHPComposerPackage(indexed *dictionary.Indexed, ref string, cpeI

 	updateIndex(indexed, dictionary.EcosystemPHPComposer, ref, cpeItemName)
 }
+
+func addEntryForGoModulePackage(indexed *dictionary.Indexed, ref string, cpeItemName string) {
+	// Prune off the non-package-name parts of the URL
+	ref = strings.Split(ref, "?")[0]
+	ref = strings.TrimPrefix(ref, prefixForGoModules)
+
+	// Ignore the vulnerability reports endpoints
+	if strings.HasPrefix(ref, "vuln/") {
+		return
+	}
+
+	updateIndex(indexed, dictionary.EcosystemGoModules, ref, cpeItemName)
+}
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
@ -230,6 +230,19 @@ func Test_addEntryFuncs(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:             "addEntryForGoModulePackage",
+			addEntryFunc:     addEntryForGoModulePackage,
+			inputRef:         "https://pkg.go.dev/github.com/abc/123?whatever=xvgfhfhf",
+			inputCpeItemName: "cpe:2.3:a:abc:123:*:*:*:*:*:go:*:*",
+			expectedIndexed: dictionary.Indexed{
+				EcosystemPackages: map[string]dictionary.Packages{
+					dictionary.EcosystemGoModules: {
+						"github.com/abc/123": dictionary.NewSet("cpe:2.3:a:abc:123:*:*:*:*:*:go:*:*"),
+					},
+				},
+			},
+		},
 	}

 	for _, tt := range tests {
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json
@ -1,5 +1,19 @@
 {
  "ecosystems": {
+    "go_modules": {
+      "aahframe.work": [
+        "cpe:2.3:a:aahframework:aah:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/ecnepsnai/web": [
+        "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
+      ],
+      "github.com/square/squalor": [
+        "cpe:2.3:a:square:squalor:*:*:*:*:*:go:*:*"
+      ],
+      "gopkg.in/yaml.v3": [
+        "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*"
+      ]
+    },
    "jenkins_plugins": {
      "anchore-container-scanner": [
        "cpe:2.3:a:anchore:container_image_scanner:*:*:*:*:*:jenkins:*:*",
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml
@ -25048,6 +25048,51 @@
    </references>
    <cpe-23:cpe23-item name="cpe:2.3:a:jenkins:anchore_container_image_scanner:1.0.1:*:*:*:*:jenkins:*:*"/>
  </cpe-item>
+  <cpe-item name="cpe:/a:square:squalor:-::~~~go~~">
+    <title xml:lang="en-US">Square Squalor - for Go</title>
+    <references>
+      <reference href="https://github.com/square/squalor/commit/f6f0a47cc344711042eb0970cb423e6950ba3f93">Advisory</reference>
+      <reference href="https://pkg.go.dev/github.com/square/squalor?tab=versions">Version</reference>
+      <reference href="https://square.github.io/">Product</reference>
+    </references>
+    <cpe-23:cpe23-item name="cpe:2.3:a:square:squalor:-:*:*:*:*:go:*:*"/>
+  </cpe-item>
+  <cpe-item name="cpe:/a:tar-utils_project:tar-utils:-::~~~go~~">
+    <title xml:lang="en-US">Tar-utils Project Tar-utils - for Go</title>
+    <references>
+      <reference href="https://github.com/whyrusleeping/tar-utils">Project</reference>
+      <reference href="https://pkg.go.dev/vuln/GO-2021-0106">Advisory</reference>
+    </references>
+    <cpe-23:cpe23-item name="cpe:2.3:a:tar-utils_project:tar-utils:-:*:*:*:*:go:*:*"/>
+  </cpe-item>
+  <cpe-item name="cpe:/a:web_project:web:1.0.0::~~~go~~">
+    <title xml:lang="en-US">Web Project Web 1.0.0 for Go</title>
+    <references>
+      <reference href="https://github.com/ecnepsnai/web/releases">Change Log</reference>
+      <reference href="https://github.com/ecnepsnai/web">Product</reference>
+      <reference href="https://pkg.go.dev/github.com/ecnepsnai/web">Project</reference>
+    </references>
+    <cpe-23:cpe23-item name="cpe:2.3:a:web_project:web:1.0.0:*:*:*:*:go:*:*"/>
+  </cpe-item>
+  <cpe-item name="cpe:/a:aahframework:aah:-::~~~go~~">
+    <title xml:lang="en-US">aah framework aah for Go</title>
+    <references>
+      <reference href="https://pkg.go.dev/aahframe.work">Product</reference>
+      <reference href="https://pkg.go.dev/vuln/GO-2020-0033">Advisory</reference>
+      <reference href="https://aahframework.org/">Vendor</reference>
+      <reference href="https://github.com/go-aah/aah/releases">Change Log</reference>
+    </references>
+    <cpe-23:cpe23-item name="cpe:2.3:a:aahframework:aah:-:*:*:*:*:go:*:*"/>
+  </cpe-item>
+  <cpe-item name="cpe:/a:yaml_project:yaml:2.3.0::~~~go~~">
+    <title xml:lang="en-US">YAML Project YAML 2.3.0 for Go</title>
+    <references>
+      <reference href="https://pkg.go.dev/gopkg.in/yaml.v3">Project</reference>
+      <reference href="https://github.com/go-yaml/yaml">Project</reference>
+      <reference href="https://github.com/go-yaml/yaml/tags">Version</reference>
+    </references>
+    <cpe-23:cpe23-item name="cpe:2.3:a:yaml_project:yaml:2.3.0:*:*:*:*:go:*:*"/>
+  </cpe-item>
 </cpe-list>
 </cpe-list>
 </cpe-list>
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
@ -16,6 +16,7 @@ const (
 	EcosystemPHPComposer    = "php_composer"
 	EcosystemJenkinsPlugins = "jenkins_plugins"
 	EcosystemRustCrates     = "rust_crates"
+	EcosystemGoModules      = "go_modules"
 )

 type Indexed struct {
--- a/syft/pkg/cataloger/internal/cpegenerate/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@ -93,6 +93,9 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
 	case pkg.PhpPeclPkg:
 		cpes, ok = dict.EcosystemPackages[dictionary.EcosystemPHPPecl][p.Name]

+	case pkg.GoModulePkg:
+		cpes, ok = dict.EcosystemPackages[dictionary.EcosystemGoModules][p.Name]
+
 	default:
 		// The dictionary doesn't support this package type yet.
 		return parsedCPEs, false