update formatter and json schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.18"
+	JSONSchemaVersion = "16.0.19"
 )

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.18/document",
+  "$id": "anchore.io/schema/syft/json/16.0.19/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1610,6 +1610,9 @@
         "purl": {
           "type": "string"
         },
+        "dependencies": {
+          "type": "string"
+        },
         "metadataType": {
           "type": "string"
         },
@@ -1773,7 +1776,8 @@
         "licenses",
         "language",
         "cpes",
-        "purl"
+        "purl",
+        "dependencies"
       ]
     },
     "PhpComposerAuthors": {

syft/format/internal/testutil/directory_input.go

@@ -122,6 +122,7 @@ func newDirectoryCatalog() *pkg.Collection {
 			},
 		},
 		PURL:         "a-purl-2", // intentionally a bad pURL for test fixtures
+		Dependencies: pkg.CompleteDependencies,
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.Source("")),
 		},
@@ -139,6 +140,7 @@ func newDirectoryCatalog() *pkg.Collection {
 			Version: "2.0.1",
 		},
 		PURL:         "pkg:deb/debian/package-2@2.0.1",
+		Dependencies: pkg.CompleteDependencies,
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.Source("")),
 		},
@@ -163,6 +165,7 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection {
 		Licenses: pkg.NewLicenseSet(
 			pkg.NewLicense("MIT"),
 		),
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.PythonPackage{
 			Name:    "package-1",
 			Version: "1.0.1",
@@ -190,6 +193,7 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection {
 			Package: "package-2",
 			Version: "2.0.1",
 		},
+		Dependencies: pkg.CompleteDependencies,
 		PURL:         "pkg:deb/debian/package-2@2.0.1",
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", "another-test-source"),

syft/format/internal/testutil/image_input.go

@@ -118,6 +118,7 @@ func populateImageCatalog(catalog *pkg.Collection, img *image.Image) {
 				Version: "1.0.1",
 			},
 			PURL:         "a-purl-1", // intentionally a bad pURL for test fixtures
+			Dependencies: pkg.CompleteDependencies,
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:*:some:package:1:*:*:*:*:*:*:*", cpe.GeneratedSource),
 			},
@@ -138,6 +139,7 @@ func populateImageCatalog(catalog *pkg.Collection, img *image.Image) {
 				Version: "2.0.1",
 			},
 			PURL:         "pkg:deb/debian/package-2@2.0.1",
+			Dependencies: pkg.CompleteDependencies,
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},

syft/format/syftjson/encoder_test.go

@@ -145,6 +145,7 @@ func TestEncodeFullJSONDocument(t *testing.T) {
 		FoundBy:      "the-cataloger-1",
 		Language:     pkg.Python,
 		Licenses:     pkg.NewLicenseSet(pkg.NewLicense("MIT")),
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.PythonPackage{
 			Name:    "package-1",
 			Version: "1.0.1",
@@ -166,6 +167,7 @@ func TestEncodeFullJSONDocument(t *testing.T) {
 		),
 		Type:         pkg.DebPkg,
 		FoundBy:      "the-cataloger-2",
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.DpkgDBEntry{
 			Package: "package-2",
 			Version: "2.0.1",

syft/format/syftjson/model/package.go

@@ -34,6 +34,7 @@ type PackageBasicData struct {
 	Language     pkg.Language               `json:"language"`
 	CPEs         cpes                       `json:"cpes"`
 	PURL         string                     `json:"purl"`
+	Dependencies pkg.DependencyCompleteness `json:"dependencies"`
 }
 
 type cpes []CPE

syft/format/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden

@@ -28,6 +28,7 @@
     }
    ],
    "purl": "a-purl-2",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -63,6 +64,7 @@
     }
    ],
    "purl": "pkg:deb/debian/package-2@2.0.1",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden

@@ -29,6 +29,7 @@
     }
    ],
    "purl": "a-purl-1",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -60,6 +61,7 @@
     }
    ],
    "purl": "a-purl-2",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden

@@ -30,6 +30,7 @@
     }
    ],
    "purl": "a-purl-1",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -62,6 +63,7 @@
     }
    ],
    "purl": "pkg:deb/debian/package-2@2.0.1",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/to_format_model.go

@@ -269,6 +269,7 @@ func toPackageModel(p pkg.Package, cfg EncoderConfig) model.Package {
 			Language:     p.Language,
 			CPEs:         cpes,
 			PURL:         p.PURL,
+			Dependencies: p.Dependencies,
 		},
 		PackageCustomData: model.PackageCustomData{
 			MetadataType: metadataType(p.Metadata, cfg.Legacy),

syft/format/syftjson/to_syft_model.go

@@ -347,6 +347,7 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
 		Type:         p.Type,
 		CPEs:         cpes,
 		PURL:         p.PURL,
+		Dependencies: p.Dependencies,
 		Metadata:     p.Metadata,
 	}
 

syft/pkg/dependencies.go

@@ -22,14 +22,14 @@ const (
 	CompleteDependencies DependencyCompleteness = "complete"
 
 	// MixedDependencies is a superset of complete. It indicates that the package has all of its direct dependencies
-	// resolved as well as one or all of indirect dependencies. What is notable about this is that direct and
+	// resolved as well as some or all of indirect dependencies. What is notable about this is that direct and
 	// indirect dependencies are linked directly to this package and are not separable (you cannot distinguish between
 	// a direct and indirect dependency from the perspective of this package).
 	MixedDependencies DependencyCompleteness = "mixed"
 
-	// IncompleteDependencies indicates that the package does not have all of its dependencies resolved. This is useful
+	// IncompleteDependencies indicates that the package does not have all of its direct dependencies resolved.
-	// in times when there is more than one mechanism at play for resolving dependencies and the cataloger only
+	// This is useful in times when there is more than one mechanism at play for resolving dependencies and the
-	// implements a subset of them, or in cases where the mechanism for resolving dependencies is limited.
+	// cataloger only implements a subset of them, or in cases where the mechanism for resolving dependencies is limited.
 	IncompleteDependencies DependencyCompleteness = "incomplete"
 )