groupByParentDir treats every .safetensors file in a directory as a shard of
one model. Spell out that assumption and its trade-off
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
readSafeTensorsHeader pre-allocated the declared header length, which is
read straight from the file and bounded only by the 100MB ceiling. A
short file declaring a huge header could force a large allocation it never
fills. Read incrementally via io.ReadAll(io.LimitReader(...)) and verify the
full header was actually present
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
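The allocation hazard described in the commit above, as an added illustration that is not syft's own code: the header length is trusted only as an upper bound for a LimitReader, the buffer grows with the bytes actually read, and the declared length is checked against what arrived. The 100MB ceiling, the sample header JSON and the `buildSafeTensors` helper are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// maxHeaderSize mirrors the ceiling mentioned in the commit message (100MB).
const maxHeaderSize = 100 * 1024 * 1024

// ErrTruncatedHeader is returned when a file declares more header bytes than it contains.
var ErrTruncatedHeader = errors.New("truncated safetensors header")

// readSafeTensorsHeader reads a safetensors header: an 8-byte little-endian
// length followed by that many bytes of JSON. It never allocates the declared
// length up front; it reads at most that many bytes and then verifies the file
// actually contained them. (Example code, not syft's implementation.)
func readSafeTensorsHeader(r io.Reader) (map[string]json.RawMessage, error) {
	var lenBuf [8]byte
	if _, err := io.ReadFull(r, lenBuf[:]); err != nil {
		return nil, fmt.Errorf("reading header length: %w", err)
	}
	n := binary.LittleEndian.Uint64(lenBuf[:])
	if n == 0 || n > maxHeaderSize {
		return nil, fmt.Errorf("header length %d outside allowed range", n)
	}
	// LimitReader caps how much is read; ReadAll grows its buffer incrementally,
	// so a bogus length in a short file cannot force a large allocation.
	data, err := io.ReadAll(io.LimitReader(r, int64(n)))
	if err != nil {
		return nil, fmt.Errorf("reading header: %w", err)
	}
	if uint64(len(data)) != n {
		return nil, fmt.Errorf("%w: declared %d bytes, read %d", ErrTruncatedHeader, n, len(data))
	}
	var header map[string]json.RawMessage
	if err := json.Unmarshal(data, &header); err != nil {
		return nil, fmt.Errorf("parsing header JSON: %w", err)
	}
	return header, nil
}

// buildSafeTensors assembles a minimal safetensors byte stream for testing:
// the length prefix (possibly lying), the JSON header, then a payload.
func buildSafeTensors(headerJSON string, declared uint64, payload []byte) []byte {
	var buf bytes.Buffer
	var lenBuf [8]byte
	binary.LittleEndian.PutUint64(lenBuf[:], declared)
	buf.Write(lenBuf[:])
	buf.WriteString(headerJSON)
	buf.Write(payload)
	return buf.Bytes()
}

func main() {
	// Constructed sample header: one tensor plus the optional metadata block.
	hdr := `{"__metadata__":{"format":"pt"},"w":{"dtype":"F32","shape":[2],"data_offsets":[0,8]}}`
	good := buildSafeTensors(hdr, uint64(len(hdr)), make([]byte, 8))
	h, err := readSafeTensorsHeader(bytes.NewReader(good))
	fmt.Println("well-formed:", len(h), "entries, err:", err)

	// A file of under 100 bytes claiming a 64MB header: must fail without a 64MB allocation.
	bogus := buildSafeTensors(hdr, 64<<20, nil)
	_, err = readSafeTensorsHeader(bytes.NewReader(bogus))
	fmt.Println("short file, huge declared length:", err)
}
```

The same shape of check applies to any length-prefixed format parsed from untrusted input: bound the length, read lazily, then confirm the bytes were there.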
* fixed dotnet cataloger that can't find packages from deps.json in linux ELF, fixed #4514
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split bundle and PE concerns
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* limit resource usage of readall call
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* removed duplicate
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* make sure the first 4 bytes in ELF aren't lost
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* revert readelfbundle func, check size of readdeps json
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* revert readelfbundle func, check size of readdeps json, fixed #4514
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move dotnet net8 linux fixture to testdata convention
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address malformed elf size claims + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* don't key off of cataloger name in testing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Rez Moss <hi@rezmoss.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
* fix(template): expose sprig date functions in Go templates
Replace HermeticTxtFuncMap with TxtFuncMap to expose date/time
functions (now, date, dateInZone, etc.) while still excluding
security-sensitive env/expandenv functions.
Users can now use date functions in templates, e.g.:
{{ now | unixEpoch }}
{{ now | date "2006-01-02" }}
Fixes #2372
Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* invert to add functions to the hermetic set, not the other way around
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Sputnik-MAC <sputnik.mac.001@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
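The allow-list approach the follow-up commit settles on ("add functions to the hermetic set, not the other way around"), as an added example using only the standard library rather than sprig: a small hermetic func map is extended with `now`, `date` and `unixEpoch`, so `env`/`expandenv` are absent by construction and a template that calls them fails at parse time. The func names follow the commit's examples; the map contents and the fixed clock are assumptions for this example, not syft's code.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// hermeticFuncs is the allow-list of template functions considered safe for
// untrusted-ish templates: nothing here reads the environment or the filesystem.
func hermeticFuncs() template.FuncMap {
	return template.FuncMap{
		"upper": strings.ToUpper,
		"lower": strings.ToLower,
		"trim":  strings.TrimSpace,
	}
}

// withDateFuncs extends the hermetic set with date/time helpers. Starting from
// the allow-list and adding means nothing dangerous can slip in by omission,
// unlike starting from the full set and trying to remember what to remove.
// clock is injectable so output is deterministic under test.
func withDateFuncs(base template.FuncMap, clock func() time.Time) template.FuncMap {
	out := template.FuncMap{}
	for k, v := range base {
		out[k] = v
	}
	out["now"] = clock
	// Argument order matches `{{ now | date "2006-01-02" }}`: the piped value
	// arrives as the last parameter.
	out["date"] = func(layout string, t time.Time) string { return t.Format(layout) }
	out["unixEpoch"] = func(t time.Time) string { return fmt.Sprint(t.Unix()) }
	return out
}

// renderTemplate parses and executes src with the given func map. A template
// referencing a function outside the map (e.g. env) is rejected by Parse.
func renderTemplate(src string, funcs template.FuncMap, data any) (string, error) {
	tmpl, err := template.New("sbom").Funcs(funcs).Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	funcs := withDateFuncs(hermeticFuncs(), time.Now)
	out, err := renderTemplate(`generated {{ now | date "2006-01-02" }} ({{ now | unixEpoch }})`, funcs, nil)
	fmt.Println(out, err)

	// env is not in the allow-list, so this fails before anything executes.
	_, err = renderTemplate(`{{ env "HOME" }}`, funcs, nil)
	fmt.Println("env rejected:", err)
}
```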
* Add support for MIT and Heimdal Kerberos 5 library detection
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
* support 2-component case
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Nadim Zubidat <nadimz@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Nadim Zubidat <nadimz@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* ruby/gemspec: resolve simple #{s.name}/#{s.version} interpolation
Reported in anchore/syft#4720: scanning projects that depend on gems
like formatador leaks literal Ruby interpolation into the emitted
SBOM, e.g.
"externalReferences": [
{ "url": "https://github.com/geemus/#{s.name}", "type": "website" }
]
because formatador.gemspec uses
s.homepage = "https://github.com/geemus/#{s.name}"
and parseGemSpecEntries reads the file as plain text instead of
evaluating it. The interpolation leaks through the captured homepage
field and on into any externalReferences entry the cataloger produces.
Dependency Track then rejects the whole BOM because '{' and '}' are
not valid IRI-reference characters (RFC 3987).
Add a post-parse pass that substitutes the common interpolation forms
(#{s.name}, #{gem.name}, #{name}, and the matching #{*.version}
variants) in captured string fields using values already parsed from
the same gemspec. Anything still containing '#{' after best-effort
substitution is an unresolvable Ruby expression, and for URL-like
fields (currently just homepage) we drop the field entirely so the
SBOM is always schema-valid; callers would rather miss a homepage URL
than emit one that breaks downstream tools.
Adds testdata/formatador.gemspec, a minimal real-world gemspec using
the #{s.name} pattern, plus a new parser test asserting that the
homepage field comes out fully resolved.
Fixes #4720
Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* improve test cases
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
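The post-parse substitution pass described above, as an added example that is not syft's gemspec parser: a plain-text scan captures `name`, `version` and `homepage` assignments, then `#{s.name}`, `#{gem.name}`, `#{name}` and the `.version` variants are resolved from those values, and a homepage that still contains `#{` after substitution is dropped rather than emitted as an invalid IRI. The formatador name and geemus homepage pattern come from the commit message; the version string, the regexes and the function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// gemSpecFields is the subset of gemspec attributes this example tracks.
type gemSpecFields struct {
	Name     string
	Version  string
	Homepage string
}

// assignRe matches simple quoted assignments such as `s.name = "formatador"`.
// Anything not a plain string literal (e.g. Formatador::VERSION) is skipped,
// which is exactly the plain-text, no-evaluation behaviour the commit describes.
var assignRe = regexp.MustCompile(`^\s*\w+\.(name|version|homepage)\s*=\s*["']([^"']*)["']`)

// parseGemSpecFields scans the gemspec line by line without evaluating Ruby.
func parseGemSpecFields(src string) gemSpecFields {
	var f gemSpecFields
	for _, line := range strings.Split(src, "\n") {
		m := assignRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		switch m[1] {
		case "name":
			f.Name = m[2]
		case "version":
			f.Version = m[2]
		case "homepage":
			f.Homepage = m[2]
		}
	}
	return f
}

// interpRe matches the common interpolation forms: #{s.name}, #{gem.name},
// #{name}, #{spec.version}, #{version}, and so on.
var interpRe = regexp.MustCompile(`#\{(?:\w+\.)?(name|version)\}`)

// resolveInterpolation substitutes known values into the homepage field and
// drops the field when an unresolvable Ruby expression remains, so that the
// emitted URL is always a valid IRI reference.
func resolveInterpolation(f gemSpecFields) gemSpecFields {
	f.Homepage = interpRe.ReplaceAllStringFunc(f.Homepage, func(tok string) string {
		var v string
		switch interpRe.FindStringSubmatch(tok)[1] {
		case "name":
			v = f.Name
		case "version":
			v = f.Version
		}
		// Only substitute a value that is itself fully resolved.
		if v == "" || strings.Contains(v, "#{") {
			return tok
		}
		return v
	})
	if strings.Contains(f.Homepage, "#{") {
		f.Homepage = "" // better no homepage than one that breaks downstream tools
	}
	return f
}

// sampleGemspec is a constructed minimal gemspec using the #{s.name} pattern.
const sampleGemspec = `Gem::Specification.new do |s|
  s.name     = "formatador"
  s.version  = "0.0.0"
  s.homepage = "https://github.com/geemus/#{s.name}"
end
`

func main() {
	fields := resolveInterpolation(parseGemSpecFields(sampleGemspec))
	fmt.Printf("%+v\n", fields)
}
```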
Adds dependency-of relationships between elixir locked packages, matching how other
ecosystem catalogers (alpine, arch, debian, redhat, python) express the
dependency graph via the shared dependency.Processor/Specifier mechanism.
Signed-off-by: Chris Greeno <cgreeno@gmail.com>
Borland Package Library (.bpl) files are standard Windows PE/DLL files
used in Delphi and C++Builder ecosystems. This adds the .bpl glob
pattern to the PE file discovery so these files are cataloged alongside
.dll and .exe files.
* fix(purl-backfill): respect arch qualifier
Previously, when constructing rpm, alpm, and apk metadata structs from a
PURL, Syft would ignore the arch qualifier. Start respecting that
qualifier.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* chore: fix static analysis
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* Clean up control flow in PURL backfill code
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
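Backfilling package metadata from a PURL while honoring the `arch` qualifier, as an added example that is not syft's own backfill code or its packageurl dependency: a minimal purl decomposition (type, namespace, name, version, qualifiers) followed by a backfill step for the rpm, apk and alpm types. The `pkgMetadata` struct, the `distro` qualifier and the sample purls are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// purl holds the pieces of a package URL this example needs.
type purl struct {
	Type       string
	Namespace  string
	Name       string
	Version    string
	Qualifiers map[string]string
}

// parsePURL decomposes pkg:<type>/<namespace>/<name>@<version>?<qualifiers>.
// url.Parse leaves everything after "pkg:" in Opaque, and splits off the query.
func parsePURL(s string) (purl, error) {
	u, err := url.Parse(s)
	if err != nil {
		return purl{}, err
	}
	if u.Scheme != "pkg" || u.Opaque == "" {
		return purl{}, fmt.Errorf("not a package URL: %q", s)
	}
	segs := strings.Split(strings.Trim(u.Opaque, "/"), "/")
	if len(segs) < 2 {
		return purl{}, fmt.Errorf("purl needs at least a type and a name: %q", s)
	}
	p := purl{Type: segs[0], Qualifiers: map[string]string{}}
	last := segs[len(segs)-1]
	if at := strings.LastIndex(last, "@"); at >= 0 {
		p.Version, _ = url.PathUnescape(last[at+1:])
		last = last[:at]
	}
	p.Name, _ = url.PathUnescape(last)
	if len(segs) > 2 {
		p.Namespace = strings.Join(segs[1:len(segs)-1], "/")
	}
	for k, vs := range u.Query() {
		if len(vs) > 0 {
			p.Qualifiers[k] = vs[0]
		}
	}
	return p, nil
}

// pkgMetadata is the subset of rpm/apk/alpm metadata this example backfills.
type pkgMetadata struct {
	Name    string
	Version string
	Arch    string
	Distro  string
}

// backfillFromPURL reconstructs metadata from a purl for the three ecosystems
// named in the commit. Arch is taken from the qualifier rather than left empty.
func backfillFromPURL(s string) (pkgMetadata, error) {
	p, err := parsePURL(s)
	if err != nil {
		return pkgMetadata{}, err
	}
	switch p.Type {
	case "rpm", "apk", "alpm":
	default:
		return pkgMetadata{}, fmt.Errorf("no metadata backfill for purl type %q", p.Type)
	}
	return pkgMetadata{
		Name:    p.Name,
		Version: p.Version,
		Arch:    p.Qualifiers["arch"], // the qualifier previously ignored
		Distro:  p.Qualifiers["distro"],
	}, nil
}

func main() {
	// Constructed sample purl.
	m, err := backfillFromPURL("pkg:rpm/fedora/curl@7.76.1-1.fc34?arch=aarch64&distro=fedora-34")
	fmt.Printf("%+v %v\n", m, err)
}
```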