Previously, if a Go binary was cataloged with build info indicating that
the go compiler version used was "deve", syft would panic on a nil
pointer dereference. Instead, skip creating a Go stdlib reference and
relationship for such a package.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix ELF package types to be honored
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* prefer OS packages over binary packages when there are duplicates
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
- Resolves#2974
- add detailed instructions re: updating schemas (a necessary task
when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not
clear to me how this is used at this time (it may be redundant given
other code), but effectively unless a specific spec version is
configured, `syft` will emit the "most recent" spec version available
for cyclonedx. Users who wish to pin back to a "older" specVersion
(e.g. to preserve compatibilty with utilities that have not yet bumped
to latest) can either set this in a syft config file or pass a
name@spec_version pair to the output flag (e.g. `-o
cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`)
- Regenerate relevant .golden files (there seems to be a way to do this
via flags, but I couldn't quite figure out the right set to pass
correctly, esp. since (as a relative go novice) I found it difficult
to run just a single test file. I ended up "brute-forcing it" by
changing the *updateSnapshot val to "true" and running it in Goland.
A brief comment giving an example of regenerating fixtures usage would
be helpful.
Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
* add support for reading ELF package notes with section header
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add systemd elf package fields to json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@gmail.com>
feat: add License component to elf binary packages
Signed-off-by: Brian Ebarb <ebarb.brian@gmail.com>
feat: fix elf_package_cataloger test
feat: elf package cataloger unit test updates
* [wip] add initial poetry.lock relationship support
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* provide generic set for basic types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dependency resolver should allow for conditional deps
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for poetry lock relationship additions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update schema with python poetry dependency refs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dep specification data structure should not be recursive in nature
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: only skip tmpfs mounts for some paths
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* refactor and add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add regression test for archive processing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to golang 1.22
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove rule 1 and add more tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
The namespace value of `redhat` signifies this as an RPM package
produced and distributed by Red Hat.
Using "rhel" in the namespace is not correct.
Signed-off-by: Ralph Bean <rbean@redhat.com>
* Add lua/rocksepc support for variables substitution
* Lua: Skip expressions in rockspec packages
* Lua: Add support for concatenation of string and variables
* Lua: Skip expressions in local
* Lua: Skip build sections in Rockspec files
* Lua: skip function blocks in Rockspec
* Lua: Add support for multi variable per line
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Handle GOEXPERIMENTs in go version
Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
* bump JSON schema
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
* add python package relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nil for empty relationships collections
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* new json schema for optional python requiremenets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update format snapshots for python packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* decompose python parsers more + add tests around plural fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update JSON schema with python dep refs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
When the goModCataloger processes a Replace directive it currently adds the new
package to the resulting package list, but does not remove the old one unless
the path is unchanged.
Based on an existing comment in the code, removing the old one seems to be the
intended behavior, and results in a more expected end-result, so this does so.
Signed-off-by: Russell Haering <russellhaering@gmail.com>
