diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
index 5cbbf42fe..c13a33988 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json
@@ -1,5 +1,138 @@
{
"ecosystems": {
+ "go_modules": {
+ "aahframe.work": [
+ "cpe:2.3:a:aahframework:aah:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/Masterminds/goutils": [
+ "cpe:2.3:a:goutils_project:goutils:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/SimonWaldherr/zplgfa": [
+ "cpe:2.3:a:simonwaldherr:zplgfa:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/apptainer/apptainer": [
+ "cpe:2.3:a:lfprojects:apptainer:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/aws/aws-sdk-go": [
+ "cpe:2.3:a:amazon:aws_software_development_kit:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/b3log/wide": [
+ "cpe:2.3:a:wide_project:wide:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/charmbracelet/soft-serve": [
+ "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/containers/psgo": [
+ "cpe:2.3:a:psgo_project:psgo:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/crewjam/saml": [
+ "cpe:2.3:a:saml_project:saml:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/deis/workflow-manager#section-readme": [
+ "cpe:2.3:a:deis:workflow_manager:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/disintegration/imaging": [
+ "cpe:2.3:a:disintegration:imaging:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/ecnepsnai/web": [
+ "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/free5gc/udm": [
+ "cpe:2.3:a:free5gc:udm:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/ginuerzh/gost": [
+ "cpe:2.3:a:go_simple_tunnel_project:go_simple_tunnel:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/go-resty/resty/v2": [
+ "cpe:2.3:a:resty_project:resty:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/gofiber/template/django": [
+ "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/gofiber/template/django/v2": [
+ "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/gofiber/template/django/v3": [
+ "cpe:2.3:a:gofiber:django:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/gookit/goutil": [
+ "cpe:2.3:a:go_util_project:go_util:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/hamba/avro/v2": [
+ "cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/jumpserver/koko/pkg/koko": [
+ "cpe:2.3:a:fit2cloud:koko:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/libp2p/go-libp2p": [
+ "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/mojocn/base64Captcha": [
+ "cpe:2.3:a:mojotv:base64captcha:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/moov-io/signedxml": [
+ "cpe:2.3:a:moov:signedxml:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/mukul-shaunik/play-with-docker": [
+ "cpe:2.3:a:play-with-docker:play_with_docker:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/nektos/act/pkg/model": [
+ "cpe:2.3:a:act_project:act:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/notaryproject/notation-go": [
+ "cpe:2.3:a:notaryproject:notation-go:*:*:*:*:*:*:*:*"
+ ],
+ "github.com/ntbosscher/gobase": [
+ "cpe:2.3:a:gobase_project:gobase:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/proglottis/gpgme": [
+ "cpe:2.3:a:gpgme_project:gpgme:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/sap/cloud-security-client-go": [
+ "cpe:2.3:a:sap:cloud-security-client-go:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/sigstore/gitsign": [
+ "cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/square/squalor": [
+ "cpe:2.3:a:square:squalor:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/valyala/fasthttp": [
+ "cpe:2.3:a:fasthttp_project:fasthttp:*:*:*:*:*:*:*:*"
+ ],
+ "github.com/whilp/git-urls": [
+ "cpe:2.3:a:git-urls_project:git-urls:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/crypto/ssh": [
+ "cpe:2.3:a:golang:package_ssh:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:golang:ssh:*:*:*:*:*:*:*:*"
+ ],
+ "golang.org/x/image": [
+ "cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/image/tiff": [
+ "cpe:2.3:a:golang:tiff:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/net": [
+ "cpe:2.3:a:golang:networking:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/net/http2": [
+ "cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*",
+ "cpe:2.3:a:golang:http2:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/net/http2/h2c": [
+ "cpe:2.3:a:golang:h2c:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/net/http2/hpack": [
+ "cpe:2.3:a:golang:hpack:*:*:*:*:*:go:*:*"
+ ],
+ "golang.org/x/text": [
+ "cpe:2.3:a:golang:text:*:*:*:*:*:*:*:*"
+ ],
+ "gopkg.in/yaml.v3": [
+ "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*"
+ ]
+ },
"jenkins_plugins": {
"DotCi": [
"cpe:2.3:a:jenkins:dotci:*:*:*:*:*:jenkins:*:*"
diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
index 643a80e79..04a308273 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate.go
@@ -115,6 +115,7 @@ const (
prefixForPHPPecl = "https://pecl.php.net/"
prefixForPHPPeclHTTP = "http://pecl.php.net/"
prefixForPHPComposer = "https://packagist.org/packages/"
+ prefixForGoModules = "https://pkg.go.dev/"
)
// indexCPEList creates an index of CPEs by ecosystem.
@@ -160,6 +161,9 @@ func indexCPEList(list CpeList) *dictionary.Indexed {
case strings.HasPrefix(ref, prefixForPHPComposer):
addEntryForPHPComposerPackage(indexed, ref, cpeItemName)
+
+ case strings.HasPrefix(ref, prefixForGoModules):
+ addEntryForGoModulePackage(indexed, ref, cpeItemName)
}
}
}
@@ -312,3 +316,16 @@ func addEntryForPHPComposerPackage(indexed *dictionary.Indexed, ref string, cpeI
updateIndex(indexed, dictionary.EcosystemPHPComposer, ref, cpeItemName)
}
+
+func addEntryForGoModulePackage(indexed *dictionary.Indexed, ref string, cpeItemName string) {
+ // Prune off the non-package-name parts of the URL
+ ref = strings.Split(ref, "?")[0]
+ ref = strings.TrimPrefix(ref, prefixForGoModules)
+
+ // Ignore the vulnerability reports endpoints
+ if strings.HasPrefix(ref, "vuln/") {
+ return
+ }
+
+ updateIndex(indexed, dictionary.EcosystemGoModules, ref, cpeItemName)
+}
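Review bot: addEntryForGoModulePackage strips the query string but not a URL fragment, so a reference ending in `#section-readme` is indexed under a key that is not a module path; the regenerated cpe-index.json in this same commit contains exactly that key (`github.com/deis/workflow-manager#section-readme`). Such a key can never equal a package name at lookup time, so the CPE for that module is silently never produced. Cut the fragment next to the existing query split with `ref = strings.Split(ref, "#")[0]`, and consider `ref = strings.TrimSuffix(ref, "/")` and returning early when `ref` ends up empty. An `@version` suffix, which pkg.go.dev URLs may carry, would need the same treatment if it occurs in the dictionary. A doc comment on the function stating which reference shapes are accepted and that `vuln/` paths are dropped would also help.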
diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
index c62c1fde2..48167b17d 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/generate_test.go
@@ -230,6 +230,19 @@ func Test_addEntryFuncs(t *testing.T) {
},
},
},
+ {
+ name: "addEntryForGoModulePackage",
+ addEntryFunc: addEntryForGoModulePackage,
+ inputRef: "https://pkg.go.dev/github.com/abc/123?whatever=xvgfhfhf",
+ inputCpeItemName: "cpe:2.3:a:abc:123:*:*:*:*:*:go:*:*",
+ expectedIndexed: dictionary.Indexed{
+ EcosystemPackages: map[string]dictionary.Packages{
+ dictionary.EcosystemGoModules: {
+ "github.com/abc/123": dictionary.NewSet("cpe:2.3:a:abc:123:*:*:*:*:*:go:*:*"),
+ },
+ },
+ },
+ },
}
for _, tt := range tests {
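Review bot: The new table entry covers only the query-string trimming in addEntryForGoModulePackage; the `vuln/` early return and references carrying a `#fragment` are not exercised. Add a case with `inputRef: "https://pkg.go.dev/vuln/GO-0000-0000"` (constructed sample) that expects no `dictionary.EcosystemGoModules` entry, and one with a fragment such as `https://pkg.go.dev/github.com/abc/123#section-readme` that expects the key `github.com/abc/123`. The second case would fail against the function as committed, which is the behaviour worth pinning. Test_addEntryFuncs starts and ends outside the hunk, so how an empty expected index is expressed depends on the harness not shown here.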
diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json
index 25038235c..294c687c9 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/expected-cpe-index.json
@@ -1,5 +1,19 @@
{
"ecosystems": {
+ "go_modules": {
+ "aahframe.work": [
+ "cpe:2.3:a:aahframework:aah:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/ecnepsnai/web": [
+ "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*"
+ ],
+ "github.com/square/squalor": [
+ "cpe:2.3:a:square:squalor:*:*:*:*:*:go:*:*"
+ ],
+ "gopkg.in/yaml.v3": [
+ "cpe:2.3:a:yaml_project:yaml:*:*:*:*:*:go:*:*"
+ ]
+ },
"jenkins_plugins": {
"anchore-container-scanner": [
"cpe:2.3:a:anchore:container_image_scanner:*:*:*:*:*:jenkins:*:*",
diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml
index 476be12d0..6aeeba82f 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/index-generator/testdata/official-cpe-dictionary_v2.3.xml
@@ -25048,6 +25048,51 @@
+
+ Square Squalor - for Go
+
+ Advisory
+ Version
+ Product
+
+
+
+
+ Tar-utils Project Tar-utils - for Go
+
+ Project
+ Advisory
+
+
+
+
+ Web Project Web 1.0.0 for Go
+
+ Change Log
+ Product
+ Project
+
+
+
+
+ aah framework aah for Go
+
+ Product
+ Advisory
+ Vendor
+ Change Log
+
+
+
+
+ YAML Project YAML 2.3.0 for Go
+
+ Project
+ Project
+ Version
+
+
+
diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go b/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
index 96d5d67de..e44477779 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/types.go
@@ -16,6 +16,7 @@ const (
EcosystemPHPComposer = "php_composer"
EcosystemJenkinsPlugins = "jenkins_plugins"
EcosystemRustCrates = "rust_crates"
+ EcosystemGoModules = "go_modules"
)
type Indexed struct {
diff --git a/syft/pkg/cataloger/internal/cpegenerate/generate.go b/syft/pkg/cataloger/internal/cpegenerate/generate.go
index 3d6ac5590..3d58ea9f5 100644
--- a/syft/pkg/cataloger/internal/cpegenerate/generate.go
+++ b/syft/pkg/cataloger/internal/cpegenerate/generate.go
@@ -93,6 +93,9 @@ func FromDictionaryFind(p pkg.Package) ([]cpe.CPE, bool) {
case pkg.PhpPeclPkg:
cpes, ok = dict.EcosystemPackages[dictionary.EcosystemPHPPecl][p.Name]
+ case pkg.GoModulePkg:
+ cpes, ok = dict.EcosystemPackages[dictionary.EcosystemGoModules][p.Name]
+
default:
// The dictionary doesn't support this package type yet.
return parsedCPEs, false
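Review bot: The new `pkg.GoModulePkg` case matches `p.Name` exactly and case-sensitively against the dictionary key, but the index generated in this commit holds keys that are package paths inside a module rather than module paths (`golang.org/x/net/http2/hpack`, `github.com/nektos/act/pkg/model`, `github.com/jumpserver/koko/pkg/koko`). If `p.Name` for a Go module package is the module path, as the type name suggests, those entries are unreachable and their CPEs are never attached, which shows up downstream as missed matches rather than as an error. Either normalise such keys in the index generator or state the limitation here with a comment such as `// keys must be full module paths; sub-package references in the dictionary are not matched`. FromDictionaryFind starts and ends outside the hunk.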