* add version comment parsing support to github actions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with github actions metadata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add originator processing for github actions type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* expand python license scanning to cover unclaimed files
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* speed up tests using the license scanner
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* clean up .NET runtime packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add runtime relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove runtime references from binary package name
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add combined deps.json + pe binary cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* deprecate pe and deps standalone catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* parse resource names + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration and CLI tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add some helpful code comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for dropping Dep packages that are missing DLLs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate json schema changes to 24
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep application configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct config help
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] detect claims of dlls within deps.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add assembly repack detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* .net package count is lower due to dll claim requirement
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: add Debian archive (.deb) file cataloger
Add a cataloger that parses Debian package (.deb) archive files directly,
allowing Syft to discover packages from .deb files without requiring
them to be installed on the system. This implements issue #3315.
Key features:
- Parse .deb AR archives to extract package metadata
- Support for gzip, xz, and zstd compressed control files
- Extract package metadata from control files
- Process file information from md5sums files
- Mark configuration files from conffiles entries
- Handle trailing slashes in archive member names
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* chore: run go mod tidy to fix failing workflow
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* add license processing to dpkg archive cataloger + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema with dpkg archive type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: fetch Dart package versions from sdk entries
Packages that are provided by an SDK, mainly Flutter, will have their
version set to 0.0.0 in Dart's pubspec.lock file. Their actual version
is linked to that SDK, which is defined either as a version range or a
minimum supported version, rather than an explicit, single version.
The pubspec.lock file has a dedicated section to define those SDK
version range constraints, which is already stored internally when
parsing the file itself. The solution now is to look up such a package's
SDK name, retrieve the defined version range / lower version boundary,
and set the minimum supported version as the package's new version.
Signed-off-by: Sven Gregori <sven@craplab.fi>
* Ignore Dart package if SDK version cannot be fetched
Signed-off-by: Sven Gregori <sven@craplab.fi>
* fix linting issues
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Sven Gregori <sven@craplab.fi>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: sorting locations should consider pkg evidence
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* simplify location test options for comparison
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: improve fluent-bit binary detection regex pattern
This fixes issue #3133 by updating the regex pattern for fluent-bit binary detection
to better handle ANSI escape sequences and multiple null bytes between the version
string and "Fluent Bit" text. The change also makes the %s format specifier optional,
supporting all variations in fluent-bit binary signatures.
Signed-off-by: Alan Pope <alan.pope@anchore.com>
* test: add fluent-bit 1.7.0-dev-3 test fixture for issue #3133
Signed-off-by: Alan Pope <alan.pope@anchore.com>
---------
Signed-off-by: Alan Pope <alan.pope@anchore.com>
Signed-off-by: Tom Fay <tom@teamfay.co.uk>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Add downloadLocation URI validation
Signed-off-by: Stef Graces <stefgraces@hotmail.com>
* Update function names
Signed-off-by: Stef Graces <stefgraces@hotmail.com>
* Fixes for make lint-fix + Changes to when NONE and NOASSERTION in downloadLocation
Signed-off-by: Stef Graces <stefgraces@hotmail.com>
---------
Signed-off-by: Stef Graces <stefgraces@hotmail.com>
Co-authored-by: Keith Zantow <kzantow@gmail.com>
The bitnami cataloger assigns files under /opt/bitnami/PACKAGE to be
owned by PACKAGE unless they are otherwise owned. Previously, this main
package was identified only by relationships, leading to an edge case
where if there was a bitnami SBOM with a single package in it, there
were no relationships, and so there would be no main package to assign
the files to, leading to deduplication failures.
Instead, when encountering a bitnami SBOM with exactly one package in
it, assume that package is the main package of that SBOM.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* prototype: start bitnami cataloger
Bitnami images have spdx SBOMs at predictable paths, and Syft could more
accurately identify the software in these images by scanning those
SBOMs. Start work on this by forking the sbom-cataloger as a new
bitnami-cataloger.
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* wire up bitnami cataloger to run on images by default
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
* feat: add support for Bitnami cataloguer
Signed-off-by: juan131 <jariza@vmware.com>
* feat: use a better SPDX sample for unit tests
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: only report bitnami pkgs
Signed-off-by: juan131 <jariza@vmware.com>
* feat: adapt JSON schema, spdxutil and packagemetadata
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: integration tests
Signed-off-by: juan131 <jariza@vmware.com>
* feat: implement FileOwner interface
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: update json schema
Signed-off-by: juan131 <jariza@vmware.com>
* [wip] add bitnami owned files and fix binary package ownership filtering
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: obtain bitnami pkg files based on SPDX relationships tree
Signed-off-by: juan131 <jariza@vmware.com>
* preserve type switches
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename bitnami entry metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* restrict find main pkg logic
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add missing graalvm source info
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bugfix: integration tests
Signed-off-by: juan131 <jariza@vmware.com>
* bugfix: mod tidy
Signed-off-by: juan131 <jariza@vmware.com>
---------
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Signed-off-by: juan131 <jariza@vmware.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: update to go 1.24.x
Update to building with go 1.24.x so that the main module version gets
set during `go build`
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
* chore: bump golangci-lint for go 1.24.x support
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
* chore: appease the updated linter
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
* chore: fix test logging for go 1.24
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
---------
Signed-off-by: Weston Steimel <author@code.w.steimel.me.uk>
* add file catalogers to selection configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix typos
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* warn when there is conflicting file cataloging configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for explicit removal of all package and file tasks
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Instead of namespacing them to the specific distro version, such as
Leap or Tumbleweed, the namespace value is set to the vendor itself:
"opensuse".
Resolves#3534
Signed-off-by: Martin Prpič <mprpic@redhat.com>
* chore: bump packageurl-go with new parsing rules
* test: update expectedPURL in unit tests to match new % encoding
---------
Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
