* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* update NVD CPE dictionary processor to use API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pass linting with exceptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* add nix DB cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add derivation path to nix store pkg metadata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* go mod tidy
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for derivation path to be optional
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* repin build image and disable syscall filtering
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump storage capacity
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* track nix derivation details on packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* image fixture should have derivation examples
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add support for PHP Pear and unify PECL with it
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove log statements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix struct comment
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add combined deps.json + pe binary cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* deprecate pe and deps standalone catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* parse resource names + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration and CLI tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add some helpful code comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for dropping Dep packages that are missing DLLs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate json schema changes to 24
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep application configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct config help
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] detect claims of dlls within deps.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add assembly repack detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* .net package count is lower due to dll claim requirement
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: add Debian archive (.deb) file cataloger
Add a cataloger that parses Debian package (.deb) archive files directly,
allowing Syft to discover packages from .deb files without requiring
them to be installed on the system. This implements issue #3315.
Key features:
- Parse .deb AR archives to extract package metadata
- Support for gzip, xz, and zstd compressed control files
- Extract package metadata from control files
- Process file information from md5sums files
- Mark configuration files from conffiles entries
- Handle trailing slashes in archive member names
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* chore: run go mod tidy to fix failing workflow
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* add license processing to dpkg archive cataloger + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with dpkg archive type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* prototype: start bitnami cataloger
Bitnami images have spdx SBOMs at predictable paths, and Syft could more
accurately identify the software in these images by scanning those
SBOMs. Start work on this by forking the sbom-cataloger as a new
bitnami-cataloger.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* wire up bitnami cataloger to run on images by default
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* feat: add support for Bitnami cataloguer
Signed-off-by: juan131 <jariza@vmware.com>
* feat: use a better SPDX sample for unit tests
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: only report bitnami pkgs
Signed-off-by: juan131 <jariza@vmware.com>
* feat: adapt JSON schema, spdxutil and packagemetadata
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: integration tests
Signed-off-by: juan131 <jariza@vmware.com>
* feat: implement FileOwner interface
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: update json schema
Signed-off-by: juan131 <jariza@vmware.com>
* [wip] add bitnami owned files and fix binary package ownership filtering
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: obtain bitnami pkg files based on SPDX relationships tree
Signed-off-by: juan131 <jariza@vmware.com>
* preserve type switches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename bitnami entry metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restrict find main pkg logic
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add missing graalvm source info
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bugfix: integration tests
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: mod tidy
Signed-off-by: juan131 <jariza@vmware.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add file catalogers to selection configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix typos
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* warn when there is conflicting file cataloging configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for explicit removal of all package and file tasks
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Especially when scanning a single binary file, the
cargo-auditable-binary-cataloger should run and report the rust binary's
dependencies:
```
scan --select-catalogers rust <binary_file>
```
This is in line with other binary catalogers, such as the
go-module-binary-cataloger.
Signed-off-by: Ariel Miculas-Trif <amiculas@cisco.com>
* add jvm cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* simplify version selection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* CPEs from JVM cataloger should be declared
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure package overlap is enabled for sensitive use cases
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* more permissive glob
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add cataloger for Erlang OTP applications
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Add OTP Package type and Purl for ErLang
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* remove erlang OTP metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use OTP purl type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore otp fixture and adjust tests for dir-only results
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* turn off the SBOM cataloger by default
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* re-add linux kernel cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ensure there is at least a directory or image tag on each task
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI tests to account for kernel finding (+2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove existing cataloging API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add file cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package cataloging config
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add configs for cross-cutting concerns
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename CLI option configs to not require import aliases later
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update all nested structs for the Catalog struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update Catalog cli options
- add new cataloger selection options (selection and default)
- remove the excludeBinaryOverlapByOwnership
- deprecate "catalogers" flag
- add new javascript configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate relationship capabilities to separate internal package
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor golang cataloger to use configuration options when creating packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create internal object to facilitate reading from and writing to an SBOM
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create a command-like object (task) to facilitate partial SBOM creation
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add cataloger selection capability
- be able to parse string expressions into a set of resolved actions against sets
- be able to use expressions to select/add/remove tasks to/from the final set of tasks to run
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add package, file, and environment related tasks
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update existing file catalogers to use nested UI elements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOMConfig that drives the SBOM creation process
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* capture SBOM creation info as a struct
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add CreateSBOM() function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update docs with SBOM selection help + breaking changes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix multiple override default inputs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix deprecation flag printing to stdout
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor cataloger selection description to separate object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep expression errors and show specific suggestions only
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address additional review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address more review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* addressed additional PR review feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix file selection references
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove guess language data generation option
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for coordinatesForSelection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename relationship attributes
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add descriptions to relationships config fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve documentation around configuration options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add explicit errors around legacy config entries
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
