* add support for reading ELF package notes with section header
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add systemd elf package fields to json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@gmail.com>
feat: add License component to elf binary packages
Signed-off-by: Brian Ebarb <ebarb.brian@gmail.com>
feat: fix elf_package_cataloger test
feat: elf package cataloger unit test updates
* [wip] add initial poetry.lock relationship support
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* provide generic set for basic types
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dependency resolver should allow for conditional deps
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for poetry lock relationship additions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update schema with python poetry dependency refs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dep specification data structure should not be recursive in nature
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: only skip tmpfs mounts for some paths
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* refactor and add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add regression test for archive processing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump to golang 1.22
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove rule 1 and add more tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
The namespace value of `redhat` signifies this as an RPM package
produced and distributed by Red Hat.
Using "rhel" in the namespace is not correct.
Signed-off-by: Ralph Bean <rbean@redhat.com>
* Add lua/rocksepc support for variables substitution
* Lua: Skip expressions in rockspec packages
* Lua: Add support for concatenation of string and variables
* Lua: Skip expressions in local
* Lua: Skip build sections in Rockspec files
* Lua: skip function blocks in Rockspec
* Lua: Add support for multi variable per line
---------
Signed-off-by: Laurent Goderre <laurent.goderre@docker.com>
* Handle GOEXPERIMENTs in go version
Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
* bump JSON schema
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Jon Johnson <jon.johnson@chainguard.dev>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
* add python package relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nil for empty relationships collections
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* new json schema for optional python requiremenets
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update format snapshots for python packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* decompose python parsers more + add tests around plural fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update JSON schema with python dep refs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
When the goModCataloger processes a Replace directive it currently adds the new
package to the resulting package list, but does not remove the old one unless
the path is unchanged.
Based on an existing comment in the code, removing the old one seems to be the
intended behavior, and results in a more expected end-result, so this does so.
Signed-off-by: Russell Haering <russellhaering@gmail.com>
* use pkg values in relationship fields
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add linter rule for using values in relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use new cmptest package for comparing relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* create cmptest for common cmp.Diff options in test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* condense matches for relationship ruleguard
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove relationship type from rules
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restore build tag
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* suggest using values
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* nil check pkgs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add internal dependency resolver
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor dependency relationship resolution to common object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* replace cataloger decorator with generic processor
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor resolver to be a single function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for debian
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for arch
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* use common dependency specifier for alpine
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for generic pkg and rel assertions in testpkg helper
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* do not allow for empty results
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move stable deduplicate comment
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove relationship resolver type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
This PR adds DependencyOf relationships when ELF packages have been discovered by the binary cataloger. The discovered file.Executable type has a []ImportedLibraries that's read from the file when discovered by syft. By mapping these imported libraries back to the package collection, syft is able to create relationships showing which packages are dependencies of other packages by just reading metadata from the ELF executable.
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Brian Ebarb <ebarb.brian@sers.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Previously, the file resolver was created from incorrect calls
(path.Join instead of filepath.Join) which resulted Go license searches
always missing on Windows. Use filepath.* functions when initializing
the Go config, and when the unindexed file resolver is being created.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add alpm relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* tweak reader linter rule to check for reader impl
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update JSON schema with alpm dependency information
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: ruleguard to enforce defer use
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix go.mod location
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close in linux release identifier
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: better lint suggestion
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: refactor binary classifier to defer close
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in gentoo cataloger
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: make go license parsing defer close readers
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer closing readers in alpine apm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in graalvm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in debian package parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in alpm parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in executable file cataloger
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in javascript license parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* chore: defer close readers in go mod parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* always close ELF cataloger file handles
The elf-binary-package-cataloger does its own file IO to account for the
possibility of a logical ELF package being broken across multiple
physical files. However, this casued it to skip the normal invocation
pattern in the generic cataloger code that prevented file leaks. Ensure
this cataloger always closes its file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* defer closing of generic cataloger file handles
Otherwise, a panicking cataloger could leak file handles.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* add unit test for file closed on panic parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* make invoke parser a static function
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* push error logging down into invoke parser
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* fix(spdx): include required fields
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: missed update due to refactoring
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: update tools-golang
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: add test with packageVerificationCode included and excluded
Signed-off-by: Keith Zantow <kzantow@gmail.com>
---------
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* add failing test + beef up doc comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* cover more metadata types in spdx originator processing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: re-use embedded union reader if possible
Previously, because file.LocationReadCloser embeds a ReadCloser that
might be a UnionReader, but doesn't implement the interface itself, the
type assertion would fall and Syft would fall back to io.ReadAll to
enable seeking on the underlying reader, resulting in a potentially
large extra allocation.
Instead, check whether the passed ReadCloser is a
file.LocationReadCloser, and if so, try to use the embedded ReadCloser
as a UnionReader.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* lint fix
Signed-off-by: Will Murphy <will.murphy@anchore.com>
* Assert that underlying reader is returned
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
