* fix: use package id from cyclonedx when provided
Signed-off-by: James Neate <jamesmneate@gmail.com>
* override package IDs from converted SBOMs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix typo
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove extractSyftID function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: James Neate <jamesmneate@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add nix DB cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add derivation path to nix store pkg metadata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* go mod tidy
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for derivation path to be optional
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* repin build image and disable syscall filtering
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump storage capacity
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* track nix derivation details on packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* image fixture should have derivation examples
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Update semver to v3. Fixes#3829
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* use single instance of regex obj
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add support for PHP Pear and unify PECL with it
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove log statements
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix struct comment
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Resolve upstream symlinks correctly
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* in case of the root directory
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* for static analysis check pass
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* add unit test cases for the symlink scenarios
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* fix the dpkg files pattern detection
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* consider slash before the path is concatenated
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add support for .NET libman files
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix when no libman detected
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add libman.json docs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* consider child dll claims for .NET packages from deps.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* make dll claim propagation configurable
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Modify the Regex version matcher for golang in the binary classifiers to make it compatible with golang tip images
Signed-off-by: Victor Hu <victorhu493@gmail.com>
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* Preliminary fix the regex matching for golang tip image and add the corresponding unit tests
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* consider VERSION.cache when it comes to golang tip images
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* consider VERSION.cache when it comes to golang tip images
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
---------
Signed-off-by: Victor Hu <victorhu493@gmail.com>
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* We only need to replace the name of a GoLang package when the name is a web link
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* make the detection of a localfile path pattern more easy
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* consider the m.New.Version so the granularity is narrowed
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* to pass the static-analysis
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* to pass the static-analysis
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
* add test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Yuntao Hu <victorhu493@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add version comment parsing support to github actions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with github actions metadata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add originator processing for github actions type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* expand python license scanning to cover unclaimed files
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* speed up tests using the license scanner
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* clean up .NET runtime packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add runtime relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove runtime references from binary package name
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add combined deps.json + pe binary cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* deprecate pe and deps standalone catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* parse resource names + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration and CLI tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add some helpful code comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for dropping Dep packages that are missing DLLs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate json schema changes to 24
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep application configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct config help
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] detect claims of dlls within deps.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add assembly repack detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* .net package count is lower due to dll claim requirement
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: add Debian archive (.deb) file cataloger
Add a cataloger that parses Debian package (.deb) archive files directly,
allowing Syft to discover packages from .deb files without requiring
them to be installed on the system. This implements issue #3315.
Key features:
- Parse .deb AR archives to extract package metadata
- Support for gzip, xz, and zstd compressed control files
- Extract package metadata from control files
- Process file information from md5sums files
- Mark configuration files from conffiles entries
- Handle trailing slashes in archive member names
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* chore: run go mod tidy to fix failing workflow
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* add license processing to dpkg archive cataloger + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with dpkg archive type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: fetch Dart package versions from sdk entries
Packages that are provided by an SDK, mainly Flutter, will have their
version set to 0.0.0 in Dart's pubspec.lock file. Their actual version
is linked to that SDK, which is defined either as a version range or a
minimum supported version, rather than an explicit, single version.
The pubspec.lock file has a dedicated section to define those SDK
version range constraints, which is already stored internally when
parsing the file itself. The solution now is to look up such a package's
SDK name, retrieve the defined version range / lower version boundary,
and set the minimum supported version as the package's new version.
Signed-off-by: Sven Gregori <sven@craplab.fi>
* Ignore Dart package if SDK version cannot be fetched
Signed-off-by: Sven Gregori <sven@craplab.fi>
* fix linting issues
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Sven Gregori <sven@craplab.fi>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
