* fixed#4316 go mod with ver purl
Signed-off-by: Rez Moss <hi@rezmoss.com>
* go mod purl fixed, added func to handle go.mod
Signed-off-by: Rez Moss <hi@rezmoss.com>
* fix: use module name in PURL string everywhere
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
* fix:the os of an elf binary should be detected even when the os version is empty
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:revoke the update of appCpe
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:resume the testcase
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* fix:revoke the possible compromise to the json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* fix:align with the json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* add a json schema(pre-relase,may be in conflict with others')
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:add a json schema
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:revert the accidental change to 16.1.0
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* regression/fix:best effort to get the os info
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:resume the previous json file
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* update the schema ver to 16.2.0
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore:no breaking behavior
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* chore: follow the guide of the README.md
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* appCpe is temporarily unused
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* preserve json field for osCPE
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Removes an accidental `fmt.Println("error", err)` that was left in
the javascript dependency parser. This causes noisy output to stdout
when parsing npm package-lock.json files that contain dependency
specifiers that aren't valid PURLs.
Signed-off-by: Chris Greeno <chris@fresha.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Otherwise, we get test failures on macOS if macOS has decided to put
.DS_Store entries in the test fixtures.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Because package names in METADATA files may have upper case like
Werkzeug or Jinja2, but Syft artifacts have normalized names and are
lower case, like werkzeug or jinja2, Syft would miss emitting dependency
relationships. Therefore, normalize dependency names before comparing
with existing artifacts.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: Add license enrichment from pypi to python packages
* Implement license caching and improve test coverage
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* feat: Add dependency parsing to javascript package locks
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Bump schema version
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for yarn and pnpm, excl. yarn v1
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Add support for dependencies for v1 yarn lock files
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Ensure schema is correctly generated
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* Fix tests
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* PR feedback
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
---------
Signed-off-by: Tim Olshansky <456103+timols@users.noreply.github.com>
* update NVD CPE dictionary processor to use API
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* pass linting with exceptions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* binary(pe): canonicalize Ghostscript CPE to artifex:ghostscript and add generic purl for PE (#4275)\n\n- Detect Ghostscript via PE version resources and set purl pkg:generic/ghostscript@<version>\n- Add PE-specific CPE candidates: vendor 'artifex', product 'ghostscript'\n- Add focused unit tests for purl and CPE generation
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
* fix: gofmt formatting for static analysis pass (pe-ghostscript-cpe-purl-4275)
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
---------
Signed-off-by: kdt523 <krushna.datir231@vit.edu>
* feat(java): add support for .far archivesEnables the Java cataloger to recognize and catalog dependencies within .far files, which are used in Apache Sling applications.
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
* feat(java): Add tests for .far (Feature Archive) file support
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
---------
Signed-off-by: Kyounghoon Jang <matkimchi_@naver.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ref: close source in test and examples
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: pretty file/directory source resolver (make them more similar)
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* ref: move absoluteSymlinkFreePathToParent to file resolver
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
* revert breaking change
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
---------
Signed-off-by: Kudryavcev Nikolay <kydry.nikolau@gmail.com>
fix: identifying jar files with a single pom.xml and no pom.properties file
fix: test works with pom.xml being found, used and reported in metadata
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
test: check for current project path and use
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
---------
Signed-off-by: Doug Clarke <douglas.clarke@oracle.com>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
* fix: add support for unquoted Python dependencies in setup.py
- Add regex pattern to match unquoted package==version format
- Handles common .split() pattern used in projects like mayan-edms
- Maintains backward compatibility with quoted dependencies
- Prevents duplicate package detection
Signed-off-by: Hala Ali alih16@vcu.edu
Signed-off-by: HalaAli198 <alih16@vcu.edu>
* fix: apply gofmt formatting
Signed-off-by: HalaAli198 <alih16@vcu.edu>
* lint: incorporate new changes and refactor complexity
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
---------
Signed-off-by: HalaAli198 <alih16@vcu.edu>
Signed-off-by: Christopher Phillips <spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <spiffcs@users.noreply.github.com>
* Add support for identifying ffmpeg/libav libraries
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Undo my snippet-based confusion
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Put test fixture config back
Signed-off-by: Alan Pope <alan.pope@anchore.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add ffmpeg binary cataloger
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* add linux-amd64 snippet and test
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Widen scope of regex to two digit version numbers
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* Add full test fixtures for ffmpeg
Signed-off-by: Alan Pope <alan.pope@anchore.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Fixes#2250
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
