Add tests for direct-url information and add it to the output purl (#708)

* add direct_url.json fields to python metadata Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * rename DirectURLOrigin struct; add stub for file Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * add detection for direct_url.json Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * Add tests for direct-url information and add it to the output purl Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update golden snapshot ids after adding new python package metadata field Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add test names for packageurl tests Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
2025-11-18 17:03:17 +01:00 · 2021-12-20 20:54:25 +00:00 · 2021-12-20 20:54:25 +00:00 · cc20a8f341
commit cc20a8f341
parent 006ba9b557
12 changed files with 169 additions and 30 deletions
--- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
@ -3,7 +3,7 @@
 "name": "/some/path",
 "spdxVersion": "SPDX-2.2",
 "creationInfo": {
-  "created": "2021-12-15T23:56:14.459753Z",
+  "created": "2021-12-20T19:12:47.869816Z",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-[not provided]"
@ -11,10 +11,10 @@
  "licenseListVersion": "3.15"
 },
 "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-7ed51d00-2c50-4c6d-aedc-271ed41009cb",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-4b896ded-7852-4e31-b764-136b53bdf346",
 "packages": [
  {
-   "SPDXID": "SPDXRef-96e6e51fe8ba6d8b",
+   "SPDXID": "SPDXRef-1d97af55efe9512f",
   "name": "package-1",
   "licenseConcluded": "MIT",
   "downloadLocation": "NOASSERTION",
--- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
@ -3,7 +3,7 @@
 "name": "user-image-input",
 "spdxVersion": "SPDX-2.2",
 "creationInfo": {
-  "created": "2021-12-15T23:56:14.468453Z",
+  "created": "2021-12-20T19:13:07.647486Z",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-[not provided]"
@ -11,10 +11,10 @@
  "licenseListVersion": "3.15"
 },
 "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-f7c12e3a-8390-4f0d-a4a9-7d756e7e8d7d",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-174da656-1824-4bd3-8604-28919f8a65bc",
 "packages": [
  {
-   "SPDXID": "SPDXRef-b8995af4e6171091",
+   "SPDXID": "SPDXRef-d16127444133b5c1",
   "name": "package-1",
   "licenseConcluded": "MIT",
   "downloadLocation": "NOASSERTION",
@ -36,7 +36,7 @@
   "versionInfo": "1.0.1"
  },
  {
-   "SPDXID": "SPDXRef-73f796c846875b9e",
+   "SPDXID": "SPDXRef-24907357f3705420",
   "name": "package-2",
   "licenseConcluded": "NONE",
   "downloadLocation": "NOASSERTION",
--- a/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryPresenter.golden
+++ b/internal/formats/syftjson/test-fixtures/snapshot/TestDirectoryPresenter.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "96e6e51fe8ba6d8b",
+   "id": "1d97af55efe9512f",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
--- a/internal/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
+++ b/internal/formats/syftjson/test-fixtures/snapshot/TestEncodeFullJSONDocument.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "2a5c2dadd6f80c07",
+   "id": "d9a7c58726ab4bef",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
--- a/internal/formats/syftjson/test-fixtures/snapshot/TestImagePresenter.golden
+++ b/internal/formats/syftjson/test-fixtures/snapshot/TestImagePresenter.golden
@ -1,7 +1,7 @@
 {
 "artifacts": [
  {
-   "id": "b8995af4e6171091",
+   "id": "d16127444133b5c1",
   "name": "package-1",
   "version": "1.0.1",
   "type": "python",
@ -9,7 +9,7 @@
   "locations": [
    {
     "path": "/somefile-1.txt",
-     "layerID": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59"
+     "layerID": "sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab"
    }
   ],
   "licenses": [
@ -32,7 +32,7 @@
   }
  },
  {
-   "id": "73f796c846875b9e",
+   "id": "24907357f3705420",
   "name": "package-2",
   "version": "2.0.1",
   "type": "deb",
@ -40,7 +40,7 @@
   "locations": [
    {
     "path": "/somefile-2.txt",
-     "layerID": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec"
+     "layerID": "sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67"
    }
   ],
   "licenses": [],
@ -67,7 +67,7 @@
  "type": "image",
  "target": {
   "userInput": "user-image-input",
-   "imageID": "sha256:2480160b55bec40c44d3b145c7b2c1c47160db8575c3dcae086d76b9370ae7ca",
+   "imageID": "sha256:9624b89704d23fa5f61b427379d172dac91dc7a508c4d7dea7aed0e04a4cf39e",
   "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "tags": [
@ -77,17 +77,17 @@
   "layers": [
    {
     "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-     "digest": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59",
+     "digest": "sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab",
     "size": 22
    },
    {
     "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-     "digest": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec",
+     "digest": "sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67",
     "size": 16
    }
   ],
-   "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NjcsImRpZ2VzdCI6InNoYTI1NjoyNDgwMTYwYjU1YmVjNDBjNDRkM2IxNDVjN2IyYzFjNDcxNjBkYjg1NzVjM2RjYWUwODZkNzZiOTM3MGFlN2NhIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjpmYjZiZWVjYjc1YjM5ZjRiYjgxM2RiZjE3N2U1MDFlZGQ1ZGRiM2U2OWJiNDVjZWRlYjc4YzY3NmVlMWI3YTU5In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjMxOWI1ODhjZTY0MjUzYTg3YjUzM2M4ZWQwMWNmMDAyNWUwZWFjOThlN2I1MTZlMTI1MzI5NTdlMTI0NGZkZWMifV19",
+   "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NjcsImRpZ2VzdCI6InNoYTI1Njo5NjI0Yjg5NzA0ZDIzZmE1ZjYxYjQyNzM3OWQxNzJkYWM5MWRjN2E1MDhjNGQ3ZGVhN2FlZDBlMDRhNGNmMzllIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjoxNmU2NDU0MWYyZGRmNTlhOTAzOTFjZTdiYjhhZjkwMzEzZjdkMzczZjIxMDVkODhmM2QzMjY3YjcyZTBlYmFiIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OmRlNmMyMzVmNzZlYTI0Yzg1MDNlYzA4ODkxNDQ1YjVkNmE4YmRmODI0OTExN2VkOGQ4YjBiNmZiM2ViZTRmNjcifV19",
-   "config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjEtMTAtMDRUMTE6NDA6MDAuNjM4Mzk0NVoiLCJoaXN0b3J5IjpbeyJjcmVhdGVkIjoiMjAyMS0xMC0wNFQxMTo0MDowMC41OTA3MzE2WiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0xLnR4dCAvc29tZWZpbGUtMS50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMS0xMC0wNFQxMTo0MDowMC42MzgzOTQ1WiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0yLnR4dCAvc29tZWZpbGUtMi50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7InR5cGUiOiJsYXllcnMiLCJkaWZmX2lkcyI6WyJzaGEyNTY6ZmI2YmVlY2I3NWIzOWY0YmI4MTNkYmYxNzdlNTAxZWRkNWRkYjNlNjliYjQ1Y2VkZWI3OGM2NzZlZTFiN2E1OSIsInNoYTI1NjozMTliNTg4Y2U2NDI1M2E4N2I1MzNjOGVkMDFjZjAwMjVlMGVhYzk4ZTdiNTE2ZTEyNTMyOTU3ZTEyNDRmZGVjIl19fQ==",
+   "config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjEtMTItMDFUMTI6MTM6NDMuNDAxMzkxNFoiLCJoaXN0b3J5IjpbeyJjcmVhdGVkIjoiMjAyMS0xMi0wMVQxMjoxMzo0My4zNDM2MzQyWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0xLnR4dCAvc29tZWZpbGUtMS50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMS0xMi0wMVQxMjoxMzo0My40MDEzOTE0WiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0yLnR4dCAvc29tZWZpbGUtMi50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7InR5cGUiOiJsYXllcnMiLCJkaWZmX2lkcyI6WyJzaGEyNTY6MTZlNjQ1NDFmMmRkZjU5YTkwMzkxY2U3YmI4YWY5MDMxM2Y3ZDM3M2YyMTA1ZDg4ZjNkMzI2N2I3MmUwZWJhYiIsInNoYTI1NjpkZTZjMjM1Zjc2ZWEyNGM4NTAzZWMwODg5MTQ0NWI1ZDZhOGJkZjgyNDkxMTdlZDhkOGIwYjZmYjNlYmU0ZjY3Il19fQ==",
   "repoDigests": []
  }
 },
--- a/internal/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/syftjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/syft/pkg/cataloger/package_url_test.go
+++ b/syft/pkg/cataloger/package_url_test.go
@ -10,11 +10,13 @@ import (
 func TestPackageURL(t *testing.T) {
 	tests := []struct {
 		name     string
 		pkg      pkg.Package
 		distro   *distro.Distro
 		expected string
 	}{
 		{
 			name: "golang",
 			pkg: pkg.Package{
 				Name:    "github.com/anchore/syft",
 				Version: "v0.1.0",
@ -23,14 +25,38 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:golang/github.com/anchore/syft@v0.1.0",
 		},
 		{
 			name: "pip with vcs url",
 			pkg: pkg.Package{
 				Name:    "bad-name",
 				Version: "bad-v0.1.0",
 				Type:    pkg.PythonPkg,
 				Metadata: pkg.PythonPackageMetadata{
 					Name:    "name",
 					Version: "v0.1.0",
 					DirectURLOrigin: &pkg.PythonDirectURLOriginInfo{
 						VCS:      "git",
 						URL:      "https://github.com/test/test.git",
 						CommitID: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 					},
 				},
 			},
 			expected: "pkg:pypi/name@v0.1.0?vcs_url=git+https:%2F%2Fgithub.com%2Ftest%2Ftest.git@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 		},
 		{
 			name: "pip without vcs url",
 			pkg: pkg.Package{
 				Name:    "bad-name",
 				Version: "bad-v0.1.0",
 				Type:    pkg.PythonPkg,
 				Metadata: pkg.PythonPackageMetadata{
 					Name:    "name",
 					Version: "v0.1.0",
 				},
 			},
 			expected: "pkg:pypi/name@v0.1.0",
 		},
 		{
 			name: "gem",
 			pkg: pkg.Package{
 				Name:    "name",
 				Version: "v0.1.0",
@ -39,6 +65,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:gem/name@v0.1.0",
 		},
 		{
 			name: "npm",
 			pkg: pkg.Package{
 				Name:    "name",
 				Version: "v0.1.0",
@ -47,6 +74,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:npm/name@v0.1.0",
 		},
 		{
 			name: "deb with arch",
 			distro: &distro.Distro{
 				Type: distro.Ubuntu,
 			},
@ -63,6 +91,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:deb/ubuntu/name@v0.1.0?arch=amd64",
 		},
 		{
 			name: "deb with epoch",
 			distro: &distro.Distro{
 				Type: distro.CentOS,
 			},
@ -81,6 +110,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:rpm/centos/name@0.1.0-3?arch=amd64&epoch=2",
 		},
 		{
 			name: "deb with nil epoch",
 			distro: &distro.Distro{
 				Type: distro.CentOS,
 			},
@ -99,6 +129,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:rpm/centos/name@0.1.0-3?arch=amd64",
 		},
 		{
 			name: "deb with unknown distro",
 			distro: &distro.Distro{
 				Type: distro.UnknownDistroType,
 			},
@ -110,6 +141,7 @@ func TestPackageURL(t *testing.T) {
 			expected: "pkg:deb/name@v0.1.0",
 		},
 		{
 			name: "cargo",
 			pkg: pkg.Package{
 				Name:    "name",
 				Version: "v0.1.0",
@ -120,7 +152,7 @@ func TestPackageURL(t *testing.T) {
 	}
 	for _, test := range tests {
-		t.Run(string(test.pkg.Type)+"|"+test.expected, func(t *testing.T) {
+		t.Run(test.name, func(t *testing.T) {
 			actual := generatePackageURL(test.pkg, test.distro)
 			if actual != test.expected {
 				dmp := diffmatchpatch.New()
--- a/syft/pkg/cataloger/python/package_cataloger.go
+++ b/syft/pkg/cataloger/python/package_cataloger.go
@ -2,7 +2,9 @@ package python
 import (
 	"bufio"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"github.com/anchore/syft/internal"
@ -152,6 +154,40 @@ func (c *PackageCataloger) fetchTopLevelPackages(resolver source.FileResolver, m
 	return pkgs, sources, nil
 }
 func (c *PackageCataloger) fetchDirectURLData(resolver source.FileResolver, metadataLocation source.Location) (d *pkg.PythonDirectURLOriginInfo, sources []source.Location, err error) {
 	parentDir := filepath.Dir(metadataLocation.RealPath)
 	directURLPath := filepath.Join(parentDir, "direct_url.json")
 	directURLLocation := resolver.RelativeFileByPath(metadataLocation, directURLPath)
 	if directURLLocation == nil {
 		return nil, nil, nil
 	}
 	sources = append(sources, *directURLLocation)
 	directURLContents, err := resolver.FileContentsByLocation(*directURLLocation)
 	if err != nil {
 		return nil, nil, err
 	}
 	defer internal.CloseAndLogError(directURLContents, directURLLocation.VirtualPath)
 	buffer, err := ioutil.ReadAll(directURLContents)
 	if err != nil {
 		return nil, nil, err
 	}
 	var directURLJson pkg.DirectURLOrigin
 	if err := json.Unmarshal(buffer, &directURLJson); err != nil {
 		return nil, nil, err
 	}
 	return &pkg.PythonDirectURLOriginInfo{
 		URL:      directURLJson.URL,
 		CommitID: directURLJson.VCSInfo.CommitID,
 		VCS:      directURLJson.VCSInfo.VCS,
 	}, sources, nil
 }
 // assembleEggOrWheelMetadata discovers and accumulates python package metadata from multiple file sources and returns a single metadata object as well as a list of files where the metadata was derived from.
 func (c *PackageCataloger) assembleEggOrWheelMetadata(resolver source.FileResolver, metadataLocation source.Location) (*pkg.PythonPackageMetadata, []source.Location, error) {
 	var sources = []source.Location{metadataLocation}
@ -183,5 +219,13 @@ func (c *PackageCataloger) assembleEggOrWheelMetadata(resolver source.FileResolv
 	sources = append(sources, s...)
 	metadata.TopLevelPackages = p
 	// attach any direct-url package data found for the given wheel/egg installation
 	d, s, err := c.fetchDirectURLData(resolver, metadataLocation)
 	if err != nil {
 		return nil, nil, err
 	}
 	sources = append(sources, s...)
 	metadata.DirectURLOrigin = d
 	return &metadata, sources, nil
 }
--- a/syft/pkg/cataloger/python/package_cataloger_test.go
+++ b/syft/pkg/cataloger/python/package_cataloger_test.go
@ -55,6 +55,7 @@ func TestPythonPackageWheelCataloger(t *testing.T) {
 				"test-fixtures/dist-info/METADATA",
 				"test-fixtures/dist-info/RECORD",
 				"test-fixtures/dist-info/top_level.txt",
 				"test-fixtures/dist-info/direct_url.json",
 			},
 			expectedPackage: pkg.Package{
 				Name:         "Pygments",
@ -82,6 +83,7 @@ func TestPythonPackageWheelCataloger(t *testing.T) {
 						{Path: "pygments/x_util.py", Digest: &pkg.PythonFileDigest{"sha256", "qpzzsOW31KT955agi-7NS--90I0iNiJCyLJQnRCHgKI="}, Size: "10778"},
 					},
 					TopLevelPackages: []string{"pygments", "something_else"},
 					DirectURLOrigin:  &pkg.PythonDirectURLOriginInfo{URL: "https://github.com/python-test/test.git", VCS: "git", CommitID: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
 				},
 			},
 		},
--- a/syft/pkg/cataloger/python/test-fixtures/dist-info/direct_url.json
+++ b/syft/pkg/cataloger/python/test-fixtures/dist-info/direct_url.json
@ -0,0 +1 @@
 {"url": "https://github.com/python-test/test.git", "vcs_info": {"commit_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "vcs": "git"}}
--- a/syft/pkg/python_package_metadata.go
+++ b/syft/pkg/python_package_metadata.go
@ -1,8 +1,10 @@
 package pkg
 import (
 	"fmt"
 	"sort"
 	"github.com/anchore/packageurl-go"
 	"github.com/scylladb/go-set/strset"
 )
@ -21,6 +23,12 @@ type PythonFileRecord struct {
 	Size   string            `json:"size,omitempty"`
 }
 type PythonDirectURLOriginInfo struct {
 	URL      string `json:"url"`
 	CommitID string `json:"commitId,omitempty"`
 	VCS      string `json:"vcs,omitempty"`
 }
 // PythonPackageMetadata represents all captured data for a python egg or wheel package.
 type PythonPackageMetadata struct {
 	Name                 string                     `json:"name" mapstruct:"Name"`
@ -32,6 +40,28 @@ type PythonPackageMetadata struct {
 	Files                []PythonFileRecord         `json:"files,omitempty"`
 	SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
 	TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
 	DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
 }
 type DirectURLOrigin struct {
 	URL         string      `json:"url"`
 	VCSInfo     VCSInfo     `json:"vcs_info"`
 	ArchiveInfo ArchiveInfo `json:"archive_info"`
 	DirInfo     DirInfo     `json:"dir_info"`
 }
 type DirInfo struct {
 	Editable bool `json:"editable"`
 }
 type ArchiveInfo struct {
 	Hash string `json:"hash"`
 }
 type VCSInfo struct {
 	CommitID          string `json:"commit_id"`
 	VCS               string `json:"vcs"`
 	RequestedRevision string `json:"requested_revision"`
 }
 func (m PythonPackageMetadata) OwnedFiles() (result []string) {
@ -45,3 +75,33 @@ func (m PythonPackageMetadata) OwnedFiles() (result []string) {
 	sort.Strings(result)
 	return result
 }
 func (m PythonPackageMetadata) PackageURL() string {
 	// generate a purl from the package data
 	pURL := packageurl.NewPackageURL(
 		packageurl.TypePyPi,
 		"",
 		m.Name,
 		m.Version,
 		m.purlQualifiers(),
 		"")
 	return pURL.ToString()
 }
 func (m PythonPackageMetadata) purlQualifiers() packageurl.Qualifiers {
 	q := packageurl.Qualifiers{}
 	if m.DirectURLOrigin != nil {
 		q = append(q, m.DirectURLOrigin.vcsURLQualifier()...)
 	}
 	return q
 }
 func (p PythonDirectURLOriginInfo) vcsURLQualifier() packageurl.Qualifiers {
 	if p.VCS != "" {
 		// Taken from https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst#known-qualifiers-keyvalue-pairs
 		// packageurl-go still doesn't support all qualifier names
 		return packageurl.Qualifiers{{Key: "vcs_url", Value: fmt.Sprintf("%s+%s@%s", p.VCS, p.URL, p.CommitID)}}
 	}
 	return packageurl.Qualifiers{}
 }
		`@ -0,0 +1 @@`
							`{"url": "https://github.com/python-test/test.git", "vcs_info": {"commit_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "vcs": "git"}}`