update formatter and json schema

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

internal/constants.go

@@ -3,5 +3,5 @@ package internal
 const (
 	// JSONSchemaVersion is the current schema version output by the JSON encoder
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "16.0.18"
+	JSONSchemaVersion = "16.0.19"
 )

schema/json/schema-latest.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "anchore.io/schema/syft/json/16.0.18/document",
+  "$id": "anchore.io/schema/syft/json/16.0.19/document",
   "$ref": "#/$defs/Document",
   "$defs": {
     "AlpmDbEntry": {
@@ -1610,6 +1610,9 @@
         "purl": {
           "type": "string"
         },
+        "dependencies": {
+          "type": "string"
+        },
         "metadataType": {
           "type": "string"
         },
@@ -1773,7 +1776,8 @@
         "licenses",
         "language",
         "cpes",
-        "purl"
+        "purl",
+        "dependencies"
       ]
     },
     "PhpComposerAuthors": {

syft/format/internal/testutil/directory_input.go

@@ -121,7 +121,8 @@ func newDirectoryCatalog() *pkg.Collection {
 				},
 			},
 		},
-		PURL: "a-purl-2", // intentionally a bad pURL for test fixtures
+		PURL:         "a-purl-2", // intentionally a bad pURL for test fixtures
+		Dependencies: pkg.CompleteDependencies,
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.Source("")),
 		},
@@ -138,7 +139,8 @@ func newDirectoryCatalog() *pkg.Collection {
 			Package: "package-2",
 			Version: "2.0.1",
 		},
-		PURL: "pkg:deb/debian/package-2@2.0.1",
+		PURL:         "pkg:deb/debian/package-2@2.0.1",
+		Dependencies: pkg.CompleteDependencies,
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.Source("")),
 		},
@@ -163,6 +165,7 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection {
 		Licenses: pkg.NewLicenseSet(
 			pkg.NewLicense("MIT"),
 		),
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.PythonPackage{
 			Name:    "package-1",
 			Version: "1.0.1",
@@ -190,7 +193,8 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection {
 			Package: "package-2",
 			Version: "2.0.1",
 		},
-		PURL: "pkg:deb/debian/package-2@2.0.1",
+		Dependencies: pkg.CompleteDependencies,
+		PURL:         "pkg:deb/debian/package-2@2.0.1",
 		CPEs: []cpe.CPE{
 			cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", "another-test-source"),
 		},

syft/format/internal/testutil/image_input.go

@@ -117,7 +117,8 @@ func populateImageCatalog(catalog *pkg.Collection, img *image.Image) {
 				Name:    "package-1",
 				Version: "1.0.1",
 			},
-			PURL: "a-purl-1", // intentionally a bad pURL for test fixtures
+			PURL:         "a-purl-1", // intentionally a bad pURL for test fixtures
+			Dependencies: pkg.CompleteDependencies,
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:*:some:package:1:*:*:*:*:*:*:*", cpe.GeneratedSource),
 			},
@@ -137,7 +138,8 @@ func populateImageCatalog(catalog *pkg.Collection, img *image.Image) {
 				Package: "package-2",
 				Version: "2.0.1",
 			},
-			PURL: "pkg:deb/debian/package-2@2.0.1",
+			PURL:         "pkg:deb/debian/package-2@2.0.1",
+			Dependencies: pkg.CompleteDependencies,
 			CPEs: []cpe.CPE{
 				cpe.Must("cpe:2.3:*:some:package:2:*:*:*:*:*:*:*", cpe.NVDDictionaryLookupSource),
 			},

syft/format/syftjson/encoder_test.go

@@ -141,10 +141,11 @@ func TestEncodeFullJSONDocument(t *testing.T) {
 				RealPath: "/a/place/a",
 			}),
 		),
-		Type:     pkg.PythonPkg,
+		Type:         pkg.PythonPkg,
-		FoundBy:  "the-cataloger-1",
+		FoundBy:      "the-cataloger-1",
-		Language: pkg.Python,
+		Language:     pkg.Python,
-		Licenses: pkg.NewLicenseSet(pkg.NewLicense("MIT")),
+		Licenses:     pkg.NewLicenseSet(pkg.NewLicense("MIT")),
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.PythonPackage{
 			Name:    "package-1",
 			Version: "1.0.1",
@@ -164,8 +165,9 @@ func TestEncodeFullJSONDocument(t *testing.T) {
 				RealPath: "/b/place/b",
 			}),
 		),
-		Type:    pkg.DebPkg,
+		Type:         pkg.DebPkg,
-		FoundBy: "the-cataloger-2",
+		FoundBy:      "the-cataloger-2",
+		Dependencies: pkg.CompleteDependencies,
 		Metadata: pkg.DpkgDBEntry{
 			Package: "package-2",
 			Version: "2.0.1",

syft/format/syftjson/model/package.go

@@ -24,16 +24,17 @@ type Package struct {
 
 // PackageBasicData contains non-ambiguous values (type-wise) from pkg.Package.
 type PackageBasicData struct {
-	ID        string          `json:"id"`
+	ID           string                     `json:"id"`
-	Name      string          `json:"name"`
+	Name         string                     `json:"name"`
-	Version   string          `json:"version"`
+	Version      string                     `json:"version"`
-	Type      pkg.Type        `json:"type"`
+	Type         pkg.Type                   `json:"type"`
-	FoundBy   string          `json:"foundBy"`
+	FoundBy      string                     `json:"foundBy"`
-	Locations []file.Location `json:"locations"`
+	Locations    []file.Location            `json:"locations"`
-	Licenses  licenses        `json:"licenses"`
+	Licenses     licenses                   `json:"licenses"`
-	Language  pkg.Language    `json:"language"`
+	Language     pkg.Language               `json:"language"`
-	CPEs      cpes            `json:"cpes"`
+	CPEs         cpes                       `json:"cpes"`
-	PURL      string          `json:"purl"`
+	PURL         string                     `json:"purl"`
+	Dependencies pkg.DependencyCompleteness `json:"dependencies"`
 }
 
 type cpes []CPE

syft/format/syftjson/test-fixtures/snapshot/TestDirectoryEncoder.golden

@@ -28,6 +28,7 @@
     }
    ],
    "purl": "a-purl-2",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -63,6 +64,7 @@
     }
    ],
    "purl": "pkg:deb/debian/package-2@2.0.1",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden

@@ -29,6 +29,7 @@
     }
    ],
    "purl": "a-purl-1",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -60,6 +61,7 @@
     }
    ],
    "purl": "a-purl-2",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden

@@ -30,6 +30,7 @@
     }
    ],
    "purl": "a-purl-1",
+   "dependencies": "complete",
    "metadataType": "python-package",
    "metadata": {
     "name": "package-1",
@@ -62,6 +63,7 @@
     }
    ],
    "purl": "pkg:deb/debian/package-2@2.0.1",
+   "dependencies": "complete",
    "metadataType": "dpkg-db-entry",
    "metadata": {
     "package": "package-2",

syft/format/syftjson/to_format_model.go

@@ -259,16 +259,17 @@ func toPackageModel(p pkg.Package, cfg EncoderConfig) model.Package {
 
 	return model.Package{
 		PackageBasicData: model.PackageBasicData{
-			ID:        string(p.ID()),
+			ID:           string(p.ID()),
-			Name:      p.Name,
+			Name:         p.Name,
-			Version:   p.Version,
+			Version:      p.Version,
-			Type:      p.Type,
+			Type:         p.Type,
-			FoundBy:   p.FoundBy,
+			FoundBy:      p.FoundBy,
-			Locations: p.Locations.ToSlice(),
+			Locations:    p.Locations.ToSlice(),
-			Licenses:  licenses,
+			Licenses:     licenses,
-			Language:  p.Language,
+			Language:     p.Language,
-			CPEs:      cpes,
+			CPEs:         cpes,
-			PURL:      p.PURL,
+			PURL:         p.PURL,
+			Dependencies: p.Dependencies,
 		},
 		PackageCustomData: model.PackageCustomData{
 			MetadataType: metadataType(p.Metadata, cfg.Legacy),

syft/format/syftjson/to_syft_model.go

@@ -338,16 +338,17 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
 	}
 
 	out := pkg.Package{
-		Name:      p.Name,
+		Name:         p.Name,
-		Version:   p.Version,
+		Version:      p.Version,
-		FoundBy:   p.FoundBy,
+		FoundBy:      p.FoundBy,
-		Locations: file.NewLocationSet(p.Locations...),
+		Locations:    file.NewLocationSet(p.Locations...),
-		Licenses:  pkg.NewLicenseSet(toSyftLicenses(p.Licenses)...),
+		Licenses:     pkg.NewLicenseSet(toSyftLicenses(p.Licenses)...),
-		Language:  p.Language,
+		Language:     p.Language,
-		Type:      p.Type,
+		Type:         p.Type,
-		CPEs:      cpes,
+		CPEs:         cpes,
-		PURL:      p.PURL,
+		PURL:         p.PURL,
-		Metadata:  p.Metadata,
+		Dependencies: p.Dependencies,
+		Metadata:     p.Metadata,
 	}
 
 	// we don't know if this package ID is truly unique, however, we need to trust the user input in case there are

syft/pkg/dependencies.go

@@ -22,14 +22,14 @@ const (
 	CompleteDependencies DependencyCompleteness = "complete"
 
 	// MixedDependencies is a superset of complete. It indicates that the package has all of its direct dependencies
-	// resolved as well as one or all of indirect dependencies. What is notable about this is that direct and
+	// resolved as well as some or all of indirect dependencies. What is notable about this is that direct and
 	// indirect dependencies are linked directly to this package and are not separable (you cannot distinguish between
 	// a direct and indirect dependency from the perspective of this package).
 	MixedDependencies DependencyCompleteness = "mixed"
 
-	// IncompleteDependencies indicates that the package does not have all of its dependencies resolved. This is useful
+	// IncompleteDependencies indicates that the package does not have all of its direct dependencies resolved.
-	// in times when there is more than one mechanism at play for resolving dependencies and the cataloger only
+	// This is useful in times when there is more than one mechanism at play for resolving dependencies and the
-	// implements a subset of them, or in cases where the mechanism for resolving dependencies is limited.
+	// cataloger only implements a subset of them, or in cases where the mechanism for resolving dependencies is limited.
 	IncompleteDependencies DependencyCompleteness = "incomplete"
 )