From 9f9170a5f21044c0ab7e68b5720e07f823885f6c Mon Sep 17 00:00:00 2001
From: Alex Goodman
Date: Fri, 14 Nov 2025 23:31:52 -0500
Subject: [PATCH] new capability descriptions for gguf and python

Signed-off-by: Alex Goodman
---
 Taskfile.yaml | 2 +
 internal/capabilities/packages.yaml | 79 ++++++++++++++++++++++++++++-
 2 files changed, 80 insertions(+), 1 deletion(-)

diff --git a/Taskfile.yaml b/Taskfile.yaml
index 0166e03c7..137920905 100644
--- a/Taskfile.yaml
+++ b/Taskfile.yaml
@@ -526,6 +526,8 @@ tasks:
 generate-capabilities:
 desc: Generate the capabilities data file
 cmds:
+ # remove all test observations prior to regenerating
+ - find ./syft/pkg -type f -name "test-observations.json" -exec rm -f {} \;
 # this is required to update test observations; such evidence is used to update the packages.yaml
 - "go test ./syft/pkg/..."
 - "go generate ./internal/capabilities/..."
diff --git a/internal/capabilities/packages.yaml b/internal/capabilities/packages.yaml
index 4bd4d94ea..76a18dc24 100644
--- a/internal/capabilities/packages.yaml
+++ b/internal/capabilities/packages.yaml
@@ -222,6 +222,10 @@ application: # AUTO-GENERATED - application-level config keys
 description: enumerate all files owned by packages found within Nix store paths
 - key: python.guess-unpinned-requirements
 description: when running across entries in requirements.txt that do not specify a specific version (e.g. "sqlalchemy >= 1.0.0, <= 2.0.0, != 3.0.0, <= 3.0.0"), attempt to guess what the version could be based on the version requirements specified (e.g. "1.0.0"). When enabled the lowest expressible version when given an arbitrary constraint will be used (even if that version may not be available/published).
+ - key: python.pypi-base-url
+ description: base Pypi url to use
+ - key: python.search-remote-licenses
+ description: enables Syft to use the network to fill in more detailed license information
 configs: # AUTO-GENERATED - config structs and their fields
 dotnet.CatalogerConfig:
 fields:
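Review bot: The new `find` entry under `cmds` is the only unquoted command in the list, while both neighbouring entries (`"go test ./syft/pkg/..."`, `"go generate ./internal/capabilities/..."`) are quoted; a plain scalar containing `{}` and `\;` parses today, but a later edit that adds a ` #` or `: ` to it would silently truncate or break the command. Quote it like its siblings, `- 'find ./syft/pkg -type f -name "test-observations.json" -exec rm -f {} \;'`, or drop the exec and use find's `-delete`, which removes the same files without spawning a process per match. The rest of the `generate-capabilities` task lies outside the hunk.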
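Review bot: The description for `python.pypi-base-url`, `base Pypi url to use`, does not tell a user when the URL is consulted or which service it points at; the config-struct section of this same file describes the field as the base URL for the PyPI registry API used when searching for remote license information, so the app-key text should say the same. Suggested wording: `description: base URL of the PyPI registry API queried when python.search-remote-licenses is enabled`. PyPI is the registry's own spelling; the `python.search-remote-licenses` description would likewise benefit from naming PyPI as the service contacted, since that key is what enables outbound requests.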
@@ -310,6 +314,12 @@ configs: # AUTO-GENERATED - config structs and their fields
 - key: GuessUnpinnedRequirements
 description: GuessUnpinnedRequirements attempts to infer package versions from version constraints when no explicit version is specified in requirements files.
 app_key: python.guess-unpinned-requirements
+ - key: SearchRemoteLicenses
+ description: SearchRemoteLicenses enables querying the NPM registry API to retrieve license information for packages that are missing license data in their local metadata.
+ app_key: python.search-remote-licenses
+ - key: PypiBaseURL
+ description: PypiBaseURL specifies the base URL for the Pypi registry API used when searching for remote license information.
+ app_key: python.pypi-base-url
 catalogers:
 # alpm (arch / pacman) #################################################################################################
 - ecosystem: alpm # MANUAL
@@ -985,6 +995,26 @@ catalogers:
 cpes:
 - cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
 type: BinaryPkg
+ - method: glob
+ criteria:
+ - '**/elixir'
+ packages:
+ - class: elixir-binary
+ name: elixir
+ purl: pkg:generic/elixir
+ cpes:
+ - cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
+ type: BinaryPkg
+ - method: glob
+ criteria:
+ - '**/elixir/ebin/elixir.app'
+ packages:
+ - class: elixir-library
+ name: elixir
+ purl: pkg:generic/elixir
+ cpes:
+ - cpe:2.3:a:elixir-lang:elixir:*:*:*:*:*:*:*:*
+ type: BinaryPkg
 - method: glob
 criteria:
 - '**/java'
@@ -2758,8 +2788,12 @@ catalogers:
 method: glob # AUTO-GENERATED
 criteria: # AUTO-GENERATED
 - '**/pnpm-lock.yaml'
+ metadata_types: # AUTO-GENERATED
+ - pkg.PnpmLockEntry
 package_types: # AUTO-GENERATED
 - npm
+ json_schema_types: # AUTO-GENERATED
+ - JavascriptPnpmLockEntry
 capabilities: # MANUAL - config-driven capability definitions
 - name: license
 default: false
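Review bot: The new `SearchRemoteLicenses` description in the python config section says it queries `the NPM registry API`, but its `app_key` is `python.search-remote-licenses` and the sibling `PypiBaseURL` entry refers to the PyPI registry, so the sentence appears to have been copied from the javascript config. This section is marked AUTO-GENERATED, so the fix belongs in the Go doc comment on the struct field it is rendered from (the struct header is above this hunk), followed by a rerun of `generate-capabilities`; the regenerated line should read `description: SearchRemoteLicenses enables querying the PyPI registry API to retrieve license information for packages that are missing license data in their local metadata.`. While there, `Pypi registry API` in the `PypiBaseURL` description should be `PyPI registry API`.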
@@ -3505,7 +3539,7 @@ catalogers:
 default: false
 - name: package_manager.package_integrity_hash
 default: false
- - function: parseSetup # AUTO-GENERATED
+ - function: parseSetupFile # AUTO-GENERATED
 detector: # AUTO-GENERATED
 method: glob # AUTO-GENERATED
 criteria: # AUTO-GENERATED
@@ -4234,3 +4268,46 @@ catalogers:
 default: false
 - name: package_manager.package_integrity_hash
 default: false
+ - ecosystem: other # MANUAL
+ name: gguf-cataloger # AUTO-GENERATED
+ type: generic # AUTO-GENERATED
+ source: # AUTO-GENERATED
+ file: syft/pkg/cataloger/ai/cataloger.go
+ function: NewGGUFCataloger
+ selectors: # AUTO-GENERATED
+ - ai
+ - directory
+ - gguf
+ - image
+ - ml
+ - model
+ - package
+ parsers: # AUTO-GENERATED structure
+ - function: parseGGUFModel
+ detector: # AUTO-GENERATED
+ method: glob # AUTO-GENERATED
+ criteria: # AUTO-GENERATED
+ - '**/*.gguf'
+ metadata_types: # AUTO-GENERATED
+ - pkg.GGUFFileHeader
+ package_types: # AUTO-GENERATED
+ - model
+ json_schema_types: # AUTO-GENERATED
+ - GgufFileHeader
+ capabilities: # MANUAL - config-driven capability definitions
+ - name: license
+ default: true
+ - name: dependency.depth
+ default: []
+ - name: dependency.edges
+ default: ""
+ - name: dependency.kinds
+ default: []
+ - name: package_manager.files.listing
+ default: false
+ - name: package_manager.files.digests
+ default: false
+ - name: package_manager.package_integrity_hash
+ default: true
+ evidence:
+ - GGUFFileHeader.MetadataKeyValuesHash
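Review bot: In the new `gguf-cataloger` entry, `license` is set to `default: true` without an `evidence:` entry, whereas `package_manager.package_integrity_hash` (also `true`) cites `GGUFFileHeader.MetadataKeyValuesHash`; add an `evidence:` list under `license` naming the header field the license value is read from (`GGUFFileHeader.<license field — fill in>`) so the claim is checkable the same way. Judging by the evidence name, the integrity hash appears to cover the header's metadata key/values rather than the tensor payload; if that reading is right, a `# MANUAL` comment on that capability, e.g. `# hash is over header metadata key/values only, not model weights`, would stop consumers from reading it as an attestation of the weights. The `parseSetupFile` rename in the preceding hunk raises nothing.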