oss/syft - syft - Sa' Rocí Solutions

oss/syft

mirror of https://github.com/anchore/syft.git synced 2025-11-21 10:23:18 +01:00

Author	SHA1	Message	Date
cpendery	2b8e15b638	feat: add use-all-catalogers flag (#1050 )	2022-06-27 10:24:45 -04:00
Miki	d5e12ff89c	Updates parsing of `yarn.lock` to use `resolved` URLs that are pulled from yarn and npm registries (#926 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-24 11:05:25 -04:00
Jonas Xavier	1d14f22e45	add pom.xml cataloger (#1055 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-22 14:19:10 -04:00
Tom Fay	3f6afd572a	Add support for CBL-Mariner distroless images (#1045 )	2022-06-21 13:27:03 -04:00
Alex Goodman	ea611dab5f	Add catalogers configuration (#1038 ) * Option to enable specific language or ecosystem cataloger Signed-off-by: ramanan-ravi <ramanan@deepfence.io> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Disable dotnet cataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * Option to enable specific language or ecosystem cataloger Signed-off-by: Ramanan Ravikumar <ramanan@deepfence.io> Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * rename "enable-cataloger" option to "catalogers" Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add cli test for --catalogers option Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update readme with latest cataloger names Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * enable dotnet cataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix cataloger imports Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update readme with alpmdb cataloger config example Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: ramanan-ravi <ramanan@deepfence.io>	2022-06-21 13:06:25 +00:00
Morten Linderud	e72d68b0c6	Add pacman (alpm) parser support (#943 ) Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-06-13 18:51:37 +00:00
Ryan Moran	5e2ab0874d	Read Description from dpkg status files (#996 )	2022-06-06 16:59:35 -04:00
Jonas Xavier	0aea55f880	add main module field to go bin metadata (#1026 ) * add main module field to go bin metadata Signed-off-by: Jonas Xavier <jonasx@anchore.com> * udpate json ouput schema to 3.2.4 Signed-off-by: Jonas Xavier <jonasx@anchore.com> * clean up fixture Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-03 23:12:09 +00:00
Jonas Xavier	caff67289a	Add filters to package cataloger (#1021 ) * Add filters to package cataloger This PR adds filters so a package without name or version doesn't go in the list of all discovered packages. Integration and cli tests were added to validate the feature. Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add nolint:funlen to cataloger/catalog.go Signed-off-by: Jonas Xavier <jonasx@anchore.com> * don't require package version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add package filtering to generic and python cataloger also removes cli tests in favor of integration and unit tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * drop nolint:funlen Signed-off-by: Jonas Xavier <jonasx@anchore.com> * check for no-removal operation Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remove unused fixtures Signed-off-by: Jonas Xavier <jonasx@anchore.com> * rename no-version file to hide semantic version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * drop integration tests and add pkg func for validation Signed-off-by: Jonas Xavier <jonasx@anchore.com> * python cataloger use global pkg validation Signed-off-by: Jonas Xavier <jonasx@anchore.com> * check for valid packages on deb/go/rpm catalogers Signed-off-by: Jonas Xavier <jonasx@anchore.com> * update rpm cataloger after rebase Signed-off-by: Jonas Xavier <jonasx@anchore.com> * nit with pointers Signed-off-by: Jonas Xavier <jonasx@anchore.com> * simpler use of package validation Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remmove double pkg validations Signed-off-by: Jonas Xavier <jonasx@anchore.com> * rename func param to artifactsToExclude Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add test for relationships and bug fix Signed-off-by: Jonas Xavier <jonasx@anchore.com> * feedback changes Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-06-03 13:17:43 -04:00
Tom Fay	3db3efacdc	Support RPM distros with newer RPM db formats (#1018 ) * Support RPM distros with newer db formats Recent RPM distros (Fedora 33+, CBL-Mariner 2.0+, amazonlinux 2022+) use an sqlite package database in /var/lib/rpm/rpmdb.sqlite, or "ndb" format (SUSE). Remove anchore's fork in favour of the upstream, https://github.com/knqyf263/go-rpmdb, to gain support for these formats. Signed-off-by: Tom Fay <tomfay@microsoft.com> * add exception for modernc.org repos Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * shorten rpmdb helper function Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-31 17:25:22 -04:00
Jonas Xavier	c990f425a6	Longer CPEs for golang modules to avoid false positives (#1006 ) * golang module CPE with full path Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add note on longer Golang CPEs Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-05-23 10:39:34 -07:00
mikey strauss	d41afe05eb	Malformed licenses field in package json warn not skip (#1004 ) * Malformed licenses field in package json warn not skip Signed-off-by: houdini91 <mdstrauss91@gmail.com> * liceneses failed warn fix Signed-off-by: houdini91 <mdstrauss91@gmail.com> * package.json malformed licenses unitest Signed-off-by: houdini91 <mdstrauss91@gmail.com>	2022-05-19 13:10:34 -07:00
Christian Kotzbauer	1cea0ecd5c	feat: add initial dotnet-support (#951 ) * feat: add initial dotnet-support Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: add path, sha512 and hashpath Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: add missing dot Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix: lint warnings Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * fix CLI test package counts to account for dotnet Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix: updated packagurl-go Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de> * tidy go.sum Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update json schema Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-05-05 15:32:02 -04:00
Jonas Xavier	2fc344aba4	golang cataloger - main module version as is (#986 ) Signed-off-by: Jonas Xavier <jonasx@anchore.com>	2022-05-05 00:01:00 -07:00
Jonas Xavier	ab289933da	read Go main module version as is - (devel) (#981 ) * read Go main module version as is - (devel) Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com> * fix package test with default (devel) main module Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>	2022-05-04 10:47:13 -07:00
Dan Luhring	37927b8b23	reduce logging severity for non-Go binaries (#983 )	2022-05-03 09:38:14 -04:00
Jon McEwen	7304bbf8ee	fix: #953 Derive language from pURL - https://github.com/anchore/syft … (#957 ) Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-04-26 11:51:24 -04:00
Weston Steimel	15e45a8ce1	add additional vendors for springframework (#945 ) The Official CPE dictionary currently contains entries for springframework with three different vendors: springsource, vmware, and pivotal_software. This appears to be because ownership has changed over time. Signed-off-by: Weston Steimel <weston.steimel@anchore.com>	2022-04-11 14:38:52 +01:00
Christopher Angelo Phillips	782b2e3348	Add digest property to parent and nested java package metadata (#941 )	2022-04-08 15:12:32 -04:00
Oscar Hallgren	1aeda6bb50	use filepath.Base() instead of path.Base() for temp files (#882 )	2022-04-01 10:42:22 -04:00
Alex Goodman	f24bbc1838	Deduplicate packages across multiple container image layers (#930 )	2022-03-31 15:45:51 -04:00
Eric Larssen	cb3e73e308	Add dart support (#919 ) Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-03-31 15:44:55 -04:00
Jonas Xavier	c0b547bdb2	Less verbose logging in Golang Cataloger (#904 ) * Less verbose logging in Golang Cataloger Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * debug for known gray errors Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * only show warnings when a binary is not a go executable Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-03-22 10:19:18 -07:00
Alex Goodman	7f9edf346a	Bump golangci-lint to 1.45.0 (#909 )	2022-03-22 11:02:36 -04:00
Jonas Xavier	6ef3e45ffc	Use go 1.18 buildinfo to catalog binaries (#827 ) * initial working version Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * added build settings to pkg metadata wip - unit tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * handle mach-O FatFiles Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add support to mod replace fixed golang catalger tests trying GH Actions with go 1.18rc1 Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * log error Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * use go-macholibre for extraction Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * cleaner tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add version to main module Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * check macho file with macholibre Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * run golangci in its own workflow Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci workflow Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix golangci wf yml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix golangci wf yml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci wf Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * wip - golangci wf Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * get arch from bin file headers upgrade macholibre Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * test new stereoscope lazy reader interface Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove devel version from golang cataloger Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * switch github workflows to go1.18 stable Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add union reader interface in golang cataloger update stereoscope Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * simpler golangci validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix makefile Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * get archs refactor Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * nolint for golang version Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix go bin tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * golangci nolint needs a \n before package Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * cleanup Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * move golangci-lint to its own jobs again Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix ci yaml Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add support for xcoff files add arch assets to test bin file types Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * clean up golangci-lint config Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * nolint for xcoff Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * explain nolints Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * remove unused xcoff testdata assets Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * make go bin test-fixtures in docker Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix make clean with -f Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * update json output schema Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * update schema version in test fixture Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * explain possible empty main module Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-03-16 17:07:02 -07:00
Kenny Moens	7cd3201fe9	Support the .be top-level domain (#873 ) Signed-off-by: Kenny Moens <kenny.moens@cipalschaubroeck.be>	2022-03-15 10:59:13 -04:00
Frankie G-J	44a6e00f7a	Include vendored modules in Go Module package list (#883 ) * include vendored modules in package slice Signed-off-by: Frankie Gallina-Jones <frankieg@vmware.com> * add explanatory comments Signed-off-by: Frankie Gallina-Jones <frankieg@vmware.com>	2022-03-11 12:57:33 -05:00
cipher-ardvark	f2617285d0	Update yarn.lock parser to support latest (berry v3) format (#868 ) * add test cases for yarn parser regex Signed-off-by: Patrick Glass <patrickglass@gmail.com> * update yarn.lock parser to support yarn berry Add support for Yarn v3 (berry) which changes the output Collapse regex for parsing scoped and non-scoped packages Add tests for the regex to ensure backwards compatability and to catch issues with future changes. Signed-off-by: Patrick Glass <patrickglass@gmail.com> * simplify yarn test expressions Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Patrick Glass <patrickglass@gmail.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2022-03-08 12:07:54 -05:00
Alex Goodman	4af32c5bee	Migrate format definitions to sbom package (#864 )	2022-03-04 17:22:40 -05:00
Christopher Angelo Phillips	bb3d713b97	cpe generation update (#850 ) * do not allow empty CPE to be returned as part of a packages list Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>	2022-02-25 17:06:05 -05:00
Alex Goodman	738b3b60a5	Add exception for handlebars java package to generate nodejs CPE (#837 )	2022-02-22 17:29:28 -05:00
Keith Zantow	20c1d14f6e	Add CycloneDX decoder (#811 )	2022-02-18 11:19:02 -05:00
Jonas Xavier	4b16737b2f	ignore minor parsing error when reading dpkg status files (#786 ) * ignore minor parsing error when reading dpkg status files helps with https://github.com/anchore/syft/issues/733 Question: should we add a smarter parser to guess approximate installed-size value? Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add datasize lib to help dpkg parsing added unit tests to expand coverage of dpkg parsing Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * drop parse error added unit tests to handleNewKeyValue Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * don't return parsing errors from dpkg Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * test higher level functions Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * return parsing err to let cataloger handle it Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * feedback changes Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * ignore key parsing error log warning with relevant context Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * go mod tidy Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add context info to log lines simpler error assertion Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * use error.As to assert error in chain Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2022-02-17 14:05:11 -08:00
Dan Luhring	641c44f449	Fix panic in requirements.txt parsing (#834 ) * Stable sort for pipfile.lock parsing Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Adjust python parsing tests to use go-cmp Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Add failing cases for requirements.txt parsing Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Fix failing cases for requirements.txt parsing Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Refactor parseRequirementsTxt Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Fix static-analysis failure Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Fix comment Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2022-02-17 10:00:16 -05:00
Alex Goodman	ca032434b3	Add pURL generation for java packages + fix NPM pURL generation (#812 ) * enhance pURL generation for java packages Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * optionally split out npm namespaces for pURL generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * nit updates Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-10 13:46:38 -05:00
Alex Goodman	f38b0b7256	Refactor install.sh (#765 ) * [wip] get assets based on gh api Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * put install.sh download_asset fn under test Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * put install.sh install_asset fn under test Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use zip for darwin installs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix install.sh negative test cases Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * allow errors to propagate in install.sh Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove exit on error from install.sh tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add more docs around install.sh helpers Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add integration tests for install.sh Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add install.sh testing to pipeline Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add install test cache to CI Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * make colors globally available Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * test download against github release Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * always test release-based install against latest release Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use better install.sh test names Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-02-01 16:58:47 -05:00
Alex Goodman	d7a23e4bb2	Extract language and package type from pURLs on SBOM decode (#777 ) * add language detection from pURLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add package type detection from pURLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add cargo and npm pURL support Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix npm tests and linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-27 09:35:16 -05:00
Alex Goodman	1350d6c5bf	Improve package URL support (#754 ) * rename npm metadata struct Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * improve os package URLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * improve language package URLs Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * wire up composer pURL method Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-19 22:30:29 +00:00
Alex Goodman	829e500aa9	Add additional PHP metadata (#753 ) * add php related metadata Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * enable decoding of php metadata for syftjson format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add php metadata to json schema Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-19 11:42:16 -05:00
Weston Steimel	46dcc84f1a	support .sar for java ecosystem (#748 ) Signed-off-by: Weston Steimel <weston.steimel@gmail.com>	2022-01-18 09:22:02 -05:00
Alex Goodman	706f291679	Replace distro type (#742 ) * remove strong distro type Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * bump json schema to v3 (breaking distro shape) Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * allow for v2 decoding of distro idLikes field in v3 json decoder Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix casing in simple linux release name Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use discovered name as pretty name in simple linux release Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-12 12:13:42 -05:00
Alex Goodman	38c4b17847	Add support for searching for jars within archives (#734 ) * add support for searching jars within archives Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add package cataloger config options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments + factor out safeCopy helper Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update config docs regarding package archive search options Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show that unindexed archive cataloging defaults to false Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove lies about -s Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update search archive note about java Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2022-01-06 21:40:51 +00:00
Sambhav Kothari	2a7325a965	Fix CPE encode/decode when it contains special chars (#714 ) * Fix CPE generation when the generated CPE contains invalid characters Currently syft seems to generate invalid CPEs which do not conform with the official CPE spec. This is because the underlying nvdtools library is not a completely spec compliant implementation and has some interesting bugs/issues. The following are the list of issues I have encountered with nvdtools: 1. It parses strings which are not CPEs incorrectly as valid CPEs. This messes up our filter function which is supposed to filter out any incorrect CPEs we generate. In order to fix this, I have introduced a new regex in the NewCPE function which follows the upstream spec and filters out any incorrect CPEs. 2. Introduce wfn.WFNize for any cpe attributes we infer from packages. This ensures that we are escaping and quoting any special characters before putting them into CPEs. Note that nvdtools has yet another bug in the WFNize function, specifically the "addSlashesAt" part of the function which stops the loop as soon as it encounters ":" a valid character for a WFN attribute after quoting, but the way nvdtools handles it causes it to truncate strings that container ":". As a result strings like "prefix:1.2" which would have been quoted as "prefix\:1.2" end up becoming "prefix" instead causing loss of information and incorrect CPEs being generated. As a result in such cases, we remove out strings containing ":" in any part entirely for now. This is similar to the way we were handling CPE filtering in the past with http urls as vendor strings 3. Add special handling for version which contain ":" due to epochs in debian and rpm. In this case, we strip out the parts before ":" i.e. the epoch and only output the actual function. This ensures we are not discarding valid version strings due to pt #.2. In the future we should look at moving to a more spec compliant cpe parsing library to avoid such shenanigans. Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Remove WFNize for input strings WFNize seems to not be part of the standard as per https://pkg.go.dev/github.com/facebookincubator/nvdtools@v0.1.4/wfn#WFNize and seems to have bugs/issues with encode/decode cycles, so I am just removing it at this point and relying on the CPE regex to filter out invalid CPEs for now. Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Quote the string on decode to ensure consistent CPE string generation Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add test cases for round-tripping the CPE and fix strip slashes Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add comprehensive tests for cpe parsing Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Use strings.Builder instead of byte buffer Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net>	2022-01-06 09:56:53 -05:00
Weston Steimel	d9aa54cd00	support .par for java ecosystems (#727 ) Signed-off-by: Weston Steimel <weston.steimel@gmail.com>	2022-01-04 16:40:27 -05:00
Jonas Galvão Xavier	211b188120	Add lpkg as java package format (#694 ) * add lpkg support to java cataloger linter clean up Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix comment formatting Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * add filename test for lpkg Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * commment on lpkg file extension tests Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix comment typo Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * fix import format Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * simpler test validation Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>	2021-12-22 16:34:52 -08:00
Sambhav Kothari	cc20a8f341	Add tests for direct-url information and add it to the output purl (#708 ) * add direct_url.json fields to python metadata Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * rename DirectURLOrigin struct; add stub for file Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * add detection for direct_url.json Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com> * Add tests for direct-url information and add it to the output purl Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Update golden snapshot ids after adding new python package metadata field Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> * Add test names for packageurl tests Signed-off-by: Sambhav Kothari <skothari44@bloomberg.net> Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>	2021-12-20 15:54:25 -05:00
Alex Goodman	a27907659d	Performance improvements around package ID (#698 ) * set package ID in catalogers and improve hashing performance Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update setting ID + tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-16 08:55:53 -05:00
Alex Goodman	727b84ce0d	prefer warning over erroring out when parsing java manifests (#688 ) Signed-off-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-14 12:17:05 -05:00
Dan Luhring	85ac5bcbf8	Handle extra empty lines in Java manifest parsing (#687 ) * Add failing test for extra empty lines in manifest Signed-off-by: Dan Luhring <dan+github@luhrings.com> * Handle extra empty lines in Java manifests Signed-off-by: Dan Luhring <dan+github@luhrings.com>	2021-12-14 11:53:50 -05:00
Jonas Galvão Xavier	d3804d1a82	ignore target link files based on path (#667 ) * ignore target link files based on path log when files are actually indexed add test for sym link resolution golang test nits Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com> * nil catalog should act like an empty catalog Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove dir path filtering in favor of file type filtering Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * split out addPathToIndex into specialized functions Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add test for nul catalog enumeration Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * conditionally discover MIME types for file based on file resolver index Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * change logging around cataloging Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add tests to cover possible infinite symlink loop for resolver Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>	2021-12-13 20:49:11 -05:00

1 2 3

114 Commits