diff --git a/cmd/power_user.go b/cmd/power_user.go
index c924f361d..56e705632 100644
--- a/cmd/power_user.go
+++ b/cmd/power_user.go
@@ -4,20 +4,17 @@ import (
 "fmt"
 "os"
- "github.com/anchore/syft/internal/formats/syftjson"
-
- "github.com/anchore/syft/syft/artifact"
- "github.com/gookit/color"
-
- "github.com/anchore/syft/syft/sbom"
-
 "github.com/anchore/stereoscope"
 "github.com/anchore/syft/internal"
 "github.com/anchore/syft/internal/bus"
+ "github.com/anchore/syft/internal/formats/syftjson"
 "github.com/anchore/syft/internal/log"
 "github.com/anchore/syft/internal/ui"
+ "github.com/anchore/syft/syft/artifact"
 "github.com/anchore/syft/syft/event"
+ "github.com/anchore/syft/syft/sbom"
 "github.com/anchore/syft/syft/source"
+ "github.com/gookit/color"
 "github.com/pkg/profile"
 "github.com/spf13/cobra"
 "github.com/wagoodman/go-partybus"
diff --git a/internal/formats/spdx22json/to_format_model.go b/internal/formats/spdx22json/to_format_model.go
index b1ea09f1e..b12bd992a 100644
--- a/internal/formats/spdx22json/to_format_model.go
+++ b/internal/formats/spdx22json/to_format_model.go
@@ -8,18 +8,16 @@ import (
 "strings"
 "time"
- "github.com/anchore/syft/syft/file"
-
- "github.com/anchore/syft/syft/artifact"
-
- "github.com/anchore/syft/syft/sbom"
-
 "github.com/anchore/syft/internal"
 "github.com/anchore/syft/internal/formats/common/spdxhelpers"
 "github.com/anchore/syft/internal/formats/spdx22json/model"
+ "github.com/anchore/syft/internal/log"
 "github.com/anchore/syft/internal/spdxlicense"
 "github.com/anchore/syft/internal/version"
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/file"
 "github.com/anchore/syft/syft/pkg"
+ "github.com/anchore/syft/syft/sbom"
 "github.com/anchore/syft/syft/source"
 "github.com/google/uuid"
 )
@@ -173,8 +171,7 @@ func toFiles(s sbom.SBOM) []model.File {
 results = append(results, model.File{
 Item: model.Item{
 Element: model.Element{
- SPDXID: string(coordinates.ID()),
- // TODO: this is encoding layer id... is there a better way?
+ SPDXID: string(coordinates.ID()),
 Name: filepath.Base(coordinates.RealPath),
 Comment: comment,
 },
@@ -231,7 +228,7 @@ func toFileTypes(metadata *source.FileMetadata) (ty []string) {
 ty = append(ty, string(model.ArchiveFileType))
 }
- // TODO: source, spdx, and documentation
+ // TODO: add support for source, spdx, and documentation file types
 if len(ty) == 0 {
 ty = append(ty, string(model.OtherFileType))
 }
@@ -244,7 +241,7 @@ func toRelationships(relationships []artifact.Relationship) (result []model.Rela
 exists, relationshipType, comment := lookupRelationship(r.Type)
 if !exists {
- // TODO: should we warn about lossyness here?
+ log.Warnf("unable to convert relationship from SPDX 2.2 JSON, dropping: %+v", r)
 continue
 }
diff --git a/internal/formats/syftjson/encoder.go b/internal/formats/syftjson/encoder.go
index d6c287494..b358554ac 100644
--- a/internal/formats/syftjson/encoder.go
+++ b/internal/formats/syftjson/encoder.go
@@ -8,7 +8,6 @@ import (
 )
 func encoder(output io.Writer, s sbom.SBOM, appConfig interface{}) error {
- // TODO: application config not available yet
 doc := ToFormatModel(s, appConfig)
 enc := json.NewEncoder(output)
diff --git a/syft/pkg/cataloger/catalog.go b/syft/pkg/cataloger/catalog.go
index a78784056..4156b740f 100644
--- a/syft/pkg/cataloger/catalog.go
+++ b/syft/pkg/cataloger/catalog.go
@@ -45,7 +45,6 @@ func Catalog(resolver source.FileResolver, theDistro *distro.Distro, catalogers
 catalog := pkg.NewCatalog()
 var allRelationships []artifact.Relationship
- // TODO: update to show relationships
 filesProcessed, packagesDiscovered := newMonitor()
 // perform analysis, accumulating errors for each failed analysis
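Review bot: Removing the TODO on `SPDXID` discards the open question about what `coordinates.ID()` encodes without answering it, and the new line still uses that value verbatim. SPDX 2.2 requires an SPDXID to be `SPDXRef-` followed only by letters, digits, `.` and `-`; I cannot see ID()'s implementation from this diff, but if it carries a layer digest with other characters the generated document would fail validation. I'd keep the assumption visible with `// SPDXID is taken from the file coordinates (path + layer); assumed to contain only SPDX-safe characters — verify against coordinates.ID()`. toFiles begins before and ends after this hunk.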
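Review bot: The new warning in toRelationships states the wrong direction: this file converts syft relationships to SPDX 2.2 JSON, so "from SPDX 2.2 JSON" will mislead whoever reads the log. `%+v` of the whole relationship also prints the entire struct for every dropped entry, which is a lot of output for a per-relationship warning, while the type that failed the `lookupRelationship` call is the part a reader needs. I'd change the line to `log.Warnf("unable to convert relationship type %q to SPDX 2.2 JSON, dropping: %+v", r.Type, r)`, or better log only the type and the endpoint identifiers. toRelationships starts before and ends after this hunk.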
@@ -60,7 +59,6 @@ func Catalog(resolver source.FileResolver, theDistro *distro.Distro, catalogers
 catalogedPackages := len(packages)
- // TODO: update to show relationships and files
 log.Debugf("package cataloger %q discovered %d packages", theCataloger.Name(), catalogedPackages)
 packagesDiscovered.N += int64(catalogedPackages)
@@ -71,7 +69,6 @@ func Catalog(resolver source.FileResolver, theDistro *distro.Distro, catalogers
 // generate PURL
 p.PURL = generatePackageURL(p, theDistro)
- // TODO: break out into another function (refactor this function)
 // create file-to-package relationships for files owned by the package
 owningRelationships, err := packageFileOwnershipRelationships(p, resolver)
 if err != nil {
@@ -113,9 +110,11 @@ func packageFileOwnershipRelationships(p pkg.Package, resolver source.FilePathRe
 return nil, fmt.Errorf("unable to find path for path=%q: %w", path, err)
 }
- // if len(locations) == 0 {
- // // TODO: this is notable, we should at least log it(?)... however, ideally there is something in the SBOM about this
- // }
+ if len(locations) == 0 {
+ // TODO: this is a known-unknown that could later be persisted in the SBOM (or as a validation failure)
+ log.Warnf("unable to find location which a package claims ownership of: %s", path)
+ continue
+ }
 for _, l := range locations {
 relationships = append(relationships, artifact.Relationship{
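Review bot: The new warning in packageFileOwnershipRelationships formats `path` with `%s` while the error two lines above formats the same value with `%q`; the path presumably comes from the package's own file list inside the scanned content, so an embedded newline or control character would split or forge log lines, and `%q` escapes it and also makes an empty path visible. I'd write `log.Warnf("unable to find location which a package claims ownership of: %q", path)` and consider naming the package too (at the call site visible in this diff `p.PURL` is already populated before this function runs), so the warning can be attributed. The `continue` itself is fine and matches the TODO's intent of treating this as a known-unknown rather than an error. packageFileOwnershipRelationships starts before this hunk and its loop continues after it.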