When base is set, it should appear identically to when we scan the root
filesystem - and as a result, the path should begin with the path
separator.
E.g. when scanning the root `./target/` with the same base,
`target/bin/busybox` should appear in the output as `/bin/busybox`, not,
as previously, as `bin/busybox`.
Signed-off-by: Justin Chadwell <me@jedevc.com>
* source: avoid second-step of symlink resolution in directory resolver
We can use the already existing file tree to perform symlink resolution
for FilesByPath, instead of traversing the symlinks again.
This moves all of the symlink logic into the indexing code, and then we
can rely on syft's resolution algorithm over the index in this part of
the codebase.
Signed-off-by: Justin Chadwell <me@jedevc.com>
* source: add base parameter to directory resolver
The new base parameter is an optional parameter for the directory
resolver that resolves all symlinks relative to this root. There are two
intended use cases:
- base = "/". The previous behavior, symlinks are resolved relative to
the root filesystem.
- base = path. Symlinks are resolved relative to the target filesystem,
allowing correct behavior when scanning unpacked container filesystems
on disk.
Signed-off-by: Justin Chadwell <me@jedevc.com>
* source: add tests for new base parameter
Signed-off-by: Justin Chadwell <me@jedevc.com>
---------
Signed-off-by: Justin Chadwell <me@jedevc.com>
* fix AssertEncoderAgainstGoldenSnapshot calls to conditionally update
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* chore: redact schema versions from syftjson comparison
Signed-off-by: Keith Zantow <kzantow@gmail.com>
* chore: does not need a multiline expression
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
* Add failing test for strip version specifiers panic
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Fix test
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Prevent panic scenario in helper func
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* Fix lint issue
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
* add tests for apk stripVersionSpecifier() and remove caller empty value check
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Dan Luhring <dluhring@chainguard.dev>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* binary cataloger should continue on errors
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* test: add redirect for cmd stderr stdout
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: image update for test failure
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* normalize error handling and recover from panics while parsing binaries
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* moved the relevant fields to the Metadata field
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* added metadata types
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* Added hashes to metadata of package-lock.json and Pipfile.lock
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
* move package metadata types to "pkg" package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-generate json schema to include new npm, python, and binary metadatas
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Asaf Greenholts <asaf@cidersecurity.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* feat: prefer known CPE vendors over other candidates
All ASF projects will be under the `apache` vendor in CPE, and
indeed this is already one of the candidates, but the logic
for selecting the 'most specific' CPE string would select for
example `apache_software_foundation` or `commons-text`.
This is not necessarily 'wrong' in the CPE candidate selection
logic: there is no way to reliably determine the right candidate.
I think it makes sense to use specific data around the vendor
candidate generation, somewhat similar to
'defaultCandidateAdditions'.
Unfortunately there are still a few CVEs for old (pre-5.x,
long unsupported) tomcat versions that are actually tagged with
`apache_software_foundation`, but I'm not sure those are worth
spending time on.
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
* chore: swap out array of vendors for set data structure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Signed-off-by: Arnout Engelen <arnout@bzzt.net>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
The original fix b125ea83baa30dc981e82f4ddd384602f778f090 didn't catch
all the excessive warnings, it seems like getArches can also be called
on binaries that aren't necessarily go binaries, so the messages from
this should also be Trace instead of Warn.
Signed-off-by: Justin Chadwell <me@jedevc.com>