* [wip] put in initial fix
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* capture expected behavior of dir resolver in tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update tests + comments to reflect current dir resolver behavior
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add additional test cases
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix additional tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix bad merge conflict resolution
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate location structs to file package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* replace source.Location refs with file package call
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove hardlink test for file based catalogers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove hardlink test for all-regular-files testing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate file resolver implementations to separate package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] migrate resolvers to internal
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate resolvers to syft/internal
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
* wip
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* with golang bin ldflags refactor
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test for golang binary cataloger for ldflag extraction
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove binary classfiers that overlap with new go ldflags detection
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Weston Steimel <weston.steimel@anchore.com>
* pull in fileinfo changes from stereoscope #172
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix CLI test assumption about the docker daemon
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
to keep things consistent across the schema we want Locations and URLs to be plural fields now that they are fields on the License struct
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
this PR makes the following changes to update the underlying license model to have more expressive capabilities
it also provides some guarantee's surrounding the license values themselves
- Licenses are updated from string -> pkg.LicenseSet which contain pkg.License with the following fields:
- original `Value` read by syft
- If it's possible to construct licenses will always have a valid SPDX expression for downstream consumption
- the above is run against a generated list of SPDX license ID to try and find the correct ID
- SPDX concluded vs declared is added to the new struct
- URL source for license is added to the new struct
- Location source is added to the new struct to show where the expression was pulled from
If syft is asked to parse an SBOM that was written by a newer version of
syft, emit a warning, since the current version of syft doesn't know about
fields that may be added in the future.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Add a cataloger that detects installed R packages by looking for DESCRIPTION
files. The base R package is now picked up in coverageImage tests in
test/cli/packages_cmd_test.go, so increment expected package counts for the
tests that use that image.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Rather than log a warning for every instance of an unknown relationship type,
or similar error, log a count of how many times each of these errors is
raised.
---------
Signed-off-by: Will Murphy <will.murphy@anchore.com>
- Create new metadata struct and type for python requirements.
- Update parsing of python requirements to use python requirements metadata.
- Remove extras and url from line. Add them to metadata instead.
- Add unit test to test that extras are removed from package name.
- Update test to look at requirements metadata.
- Will need updated in future to support more than just == for the version constraint.
- Update JSON schema data
Closesanchore/grype#1246Closesanchore/grype#1251
Signed-off-by: Shane Dell <shanedell100@gmail.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* fix: only cache java packages and not source content
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: add gradle to matched files for ci checksum
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Create consul binary classifier
Closes#1590
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* Create test for consul binary classifier
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* Update version for consul. Add note that about consul version matcher is brittle
Signed-off-by: Shane Dell <shanedell100@gmail.com>
---------
Signed-off-by: Shane Dell <shanedell100@gmail.com>
* pin kernel and modules version for kernel fixtures
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* cache kernel fixtures in CI
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update CLI test image with pinned kernel deps
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update the kernel version found in integration tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add evident-by relationship
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up evident-by relationship geneation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* handle evident-by relationship in spdx formats
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix decoding file info for syft json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump json schema to incorporate file size attribute
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor to create relationships for primary evidence only
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove unused 7.0.2 json schema
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add kernel handler
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* [wip] combine kernel and kernel module cataloging
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] combine kernel and kernel module cataloging
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Avi Deitcher <avi@deitcher.net>
* rename Kernel package to LinuxKernel package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split kernel and module packages within cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up application configuration with kernel cataloger options
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* dont use references for packages on relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting and tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* kernel cataloger should be resistent to partial failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* log upon kernel module metadata missing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add tests for linux kernel cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update integration tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli package test counts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add evidence annotations for kernel packages
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* reduce noise in cli test output
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* missed cli test to reduce noise for
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix package counts
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update docs with linux kernel cataloging refs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump json schema with new metadata fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
---------
Signed-off-by: Avi Deitcher <avi@deitcher.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: <>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
