* remove power-user document shape
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add power-user specific fields to syft-json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* port remaining spdx-json relationships to sbom model
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add coordinate set
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add SBOM file path helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use internal mimetype helper in go binary cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new package-of relationship
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update json schema to v2
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* replace power-user presenter with syft-json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests and linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove "package-of" relationship (in favor of "contains")
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests for spdx22json format encoding enhancements
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update TODO and log entries
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* introduce sbom.Descriptor
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split source.Location and create source.Coordinates for minimal path addressing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* move coordinates into separate file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Update syft/source/coordinates.go
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com>
* migrate pkg.ID and pkg.Relationship to artifact package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* return relationships from tasks
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix more tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add artifact.Identifiable by Identity() method
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove catalog ID assignment
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust spdx helpers to use copy of packages
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* stabilize package ID relative to encode-decode format cycles
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Identity() to ID()
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use zero value for nils in ID generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable source.Location to be identifiable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* hoist up package relationship discovery to analysis stage
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ownership-by-file-overlap relationship description
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test reminders to put new relationships under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust PHP composer.lock parser function to return relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update functions to pass Location
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update unit tests to pass new locations
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* fix image source.FileResolvers to include layer info
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add non-empty location in golang binary cataloger testing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* allow for cataloging a single file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use all catalogers for file schemes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new format pattern
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syftjson format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add internal formats helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add SBOM encode/decode to lib API
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove json presenter + update presenter tests to use common utils
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove presenter format enum type + add formats shim in presenter helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add MustCPE helper for tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update usage of format enum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test fixtures for encode/decode tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix integration test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate format detection to use reader
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Don't check the Built-By flag
Signed-off-by: Josh Bressers <josh@bress.net>
* Remove alpine pinning to resolve conflict with main
Signed-off-by: Josh Bressers <josh@bress.net>
* remove mod and cargo from image cataloger
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test error messages for clear failures
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add query by MIME type to source.FileResolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* import stereoscope lib changes to find mime type
- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add go std library code to unpack bin
- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines the required changing
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add query by MIME type to source.FileResolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in stereoscope MIME type feature
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Fix CPE set comparison mismatch
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add failing test to assert CPE generation excludes URLs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add removeByCondition method to fieldCandidateSet
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Prevent invalid CPE values for products and vendors
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Introduce removeWhere and rename filter to condition
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Refactor fieldCandidateSet and condition logic
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Move CPE parsing filter to end of CPE generation
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* consider additional vendor candidates for ruby, python, rpm, npm, and java
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add java pom.xml processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for downstream transform control in cpe generation processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate CPE generation logic to dedicated package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split java manifest groupID extraction into two tiers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract groupID from pom parent project during CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update java groupID processing tests to cover multi-tier approach
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix constructor names for cpe.fieldCandidate
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename helper function to startsWithTopLevelDomain
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add nil changes for java manifest sections
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update comment to reflect parsing maven files
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split out java description parsing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split out pom parent processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify vendorsFromGroupIDs and associated tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify test type for vendorsFromGroupIDs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* copy candidate varidations to new instances
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename CPE generation string util functions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add an explanation around fieldCandidate
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify type for the cpe.fieldCandidateSet
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* make CPE filter function names more readable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update groupIDsFromJavaManifest to use a guard clause
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract groupID extraction from artifactID fields into a separate function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump goreleaser version to combat failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust CPE specificity sorting to include field length and bias certain fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove * vendor values from CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-enable generating CPEs for jenkins and jira plugins
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* improve CPE generation logic based on java artifactID and groupID
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ruby-lang as target software candidate for gems in CPE generation logic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename filterCpes to filterCPEs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor CPE filters and groupID processing (for linting)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ruby-lang as vendor candidate not target software
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address PR comments for CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add initial spdx support
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* expose FileOwner and use in SPDX presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add initial json support for SPDX
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add remaining package fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add spdx license list generation + tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* keep fileOwner unexported from pkg
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* restore cli test util
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add external refs to spdx tag-value format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add golang support to CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use tag-value format as default "spdx" format flavor
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests around spdx presenters + refactor presenter tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add bouncer exception for spdx tools-golang repo
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove spdx model questions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enhance cpe generation for group id and filtering
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename group id const + add doc comment for HasAnyOfPrefixes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
