* add first-level archive processing when input is a file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add license exception for github.com/xi2/xz
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* always return cleanup function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change source.NewFromFile log entry to warn
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure file source always has cleanup function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure we are always preferring the unarchive cleanup function for source
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split source.Location and create source.Coordinates for minimal path addressing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* move coordinates into separate file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Update syft/source/coordinates.go
Co-authored-by: Dan Luhring <luhring@users.noreply.github.com>
* migrate pkg.ID and pkg.Relationship to artifact package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* return relationships from tasks
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix more tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add artifact.Identifiable by Identity() method
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove catalog ID assignment
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust spdx helpers to use copy of packages
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* stabilize package ID relative to encode-decode format cycles
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename Identity() to ID()
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use zero value for nils in ID generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable source.Location to be identifiable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* hoist up package relationship discovery to analysis stage
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update ownership-by-file-overlap relationship description
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test reminders to put new relationships under test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust PHP composer.lock parser function to return relationships
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add fallback to user input if source hint fails
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* refactor for smaller functions
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update functions to pass Location
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update unit tests to pass new locations
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* fix image source.FileResolvers to include layer info
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add non-empty location in golang binary cataloger testing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* [wip] single sbom doc
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix more tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update cli tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove scope in import path
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* swap SPDX tag-value formatter to single sbom document
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bust CLI cache
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update fixture to byte diff
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* byte for byte
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* bust the cache
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* who needs cache
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add jar for testing
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* no more bit flips
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update apk with the delta for image and directory cases
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* restore cache workflow
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* stop hiding command from help doc
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* do not index irregular files
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix fixture dir and err name
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* improve the description of irregular files
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* explicitly check indexed file name
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use anchore fork of go-presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* drop coverage threshold
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new spdx tag-value format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove public presenter package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for cataloging a single file
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use all catalogers for file schemes
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove existing spdxjson presenter + helpers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new spdx22json format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add common spdxhelpers (migrated)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use new common spdx helpers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up new spdx22json format object
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove lossless syft-specific property bags
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove spdxjson decoder and validator
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add nil checks in spdx test helpers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove empty default case
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use explicit golden snapshot
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add new cyclonedx format object
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove cyclonedx presenter
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove cyclonedx presenter call
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove dependence on golden images for format tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* wire up new format + rename all-presenters ref
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add CLI test to ensure that all formats can be expressed as report output
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cyclonedx version and encoding format to package name
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* optionally preserve format snapshot images
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting + text unit tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update build tags, ui support, and stereoscope, and release for windows support
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add new format pattern
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add syftjson format
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add internal formats helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add SBOM encode/decode to lib API
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove json presenter + update presenter tests to use common utils
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove presenter format enum type + add formats shim in presenter helper
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add MustCPE helper for tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update usage of format enum
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add test fixtures for encode/decode tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix integration test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate format detection to use reader
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address review comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Don't check the Built-By flag
Signed-off-by: Josh Bressers <josh@bress.net>
* Remove alpine pinning to resolve conflict with main
Signed-off-by: Josh Bressers <josh@bress.net>
* remove mod and cargo from image cataloger
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update test error messages for clear failures
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add query by MIME type to source.FileResolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* import stereoscope lib changes to find mime type
- add bin cataloger
- add bin parser
- add mime type go utils
- import new resolver
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* add go std library code to unpack bin
- keep them in their own (original) files
- add note for "this code was copied from"
- comment the lines that required changing
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* add query by MIME type to source.FileResolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull in stereoscope MIME type feature
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Fix CPE set comparison mismatch
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add failing test to assert CPE generation excludes URLs
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Add removeByCondition method to fieldCandidateSet
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Prevent invalid CPE values for products and vendors
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Introduce removeWhere and rename filter to condition
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Refactor fieldCandidateSet and condition logic
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* Move CPE parsing filter to end of CPE generation
Signed-off-by: Dan Luhring <dan.luhring@anchore.com>
* add Type conversion to remove strong distro type limit
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* update signatures to be correct variable from os-release
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
* consider additional vendor candidates for ruby, python, rpm, npm, and java
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add java pom.xml processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* allow for downstream transform control in cpe generation processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate CPE generation logic to dedicated package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split java manifest groupID extraction into two tiers
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract groupID from pom parent project during CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update java groupID processing tests to cover multi-tier approach
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix constructor names for cpe.fieldCandidate
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename helper function to startsWithTopLevelDomain
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add nil changes for java manifest sections
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update comment to reflect parsing maven files
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split out java description parsing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split out pom parent processing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify vendorsFromGroupIDs and associated tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify test type for vendorsFromGroupIDs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* copy candidate validations to new instances
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename CPE generation string util functions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add an explanation around fieldCandidate
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* simplify type for the cpe.fieldCandidateSet
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* make CPE filter function names more readable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update groupIDsFromJavaManifest to use a guard clause
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* extract groupID extraction from artifactID fields into a separate function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* bump goreleaser version to combat failure
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* adjust CPE specificity sorting to include field length and bias certain fields
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* remove * vendor values from CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* re-enable generating CPEs for jenkins and jira plugins
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* improve CPE generation logic based on java artifactID and groupID
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add ruby-lang as target software candidate for gems in CPE generation logic
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename filterCpes to filterCPEs
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* refactor CPE filters and groupID processing (for linting)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* use ruby-lang as vendor candidate not target software
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* address PR comments for CPE generation
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* change directory resolver to ignore system runtime paths + drive by index
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add event/etui support for filesystem indexing (for dir resolver)
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add warnings for path indexing problems
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add directory resolver index tests
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* improve testing around directory resolver
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* renamed p var to path when not conflicting with import
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* pull docker image in CLI dir scan timeout test
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* ensure file not exist errors do not stop directory resolver indexing
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* split UI from event handling
Signed-off-by: Alex Goodman <wagoodman@gmail.com>
* add event loop tests
Signed-off-by: Alex Goodman <wagoodman@gmail.com>
* use stereoscope cleanup function during signal handling
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* correct error wrapping in packages cmd
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* migrate ui event handlers to ui package
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* clarify command worker input var + remove dead comments
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>