* Option to enable specific language or ecosystem cataloger
Signed-off-by: ramanan-ravi <ramanan@deepfence.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Disable dotnet cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* Option to enable specific language or ecosystem cataloger
Signed-off-by: Ramanan Ravikumar <ramanan@deepfence.io>
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* rename "enable-cataloger" option to "catalogers"
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* add cli test for --catalogers option
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update readme with latest cataloger names
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* enable dotnet cataloger
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix linting
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* fix cataloger imports
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* update readme with alpmdb cataloger config example
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: ramanan-ravi <ramanan@deepfence.io>
* add template output
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* remove dead code
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix template cli flag
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* implement template's own format type
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* simpler code
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix readme link to Go template
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* simpler func signature patter
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nit
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* fix linter error
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add main module field to go bin metadata
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* udpate json ouput schema to 3.2.4
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* clean up fixture
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* Add filters to package cataloger
This PR adds filters so a package without name or version doesn't go in
the list of all discovered packages.
Integration and cli tests were added to validate the feature.
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add nolint:funlen to cataloger/catalog.go
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* don't require package version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add package filtering to generic and python cataloger
also removes cli tests in favor of integration and unit tests
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* drop nolint:funlen
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* check for no-removal operation
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* remove unused fixtures
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* rename no-version file to hide semantic version
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* drop integration tests and add pkg func for validation
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* python cataloger use global pkg validation
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* check for valid packages on deb/go/rpm catalogers
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* update rpm cataloger after rebase
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* nit with pointers
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* simpler use of package validation
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* remmove double pkg validations
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* rename func param to artifactsToExclude
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add test for relationships and bug fix
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* feedback changes
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* Support RPM distros with newer db formats
Recent RPM distros (Fedora 33+, CBL-Mariner 2.0+, amazonlinux 2022+)
use an sqlite package database in /var/lib/rpm/rpmdb.sqlite, or
"ndb" format (SUSE).
Remove anchore's fork in favour of the upstream,
https://github.com/knqyf263/go-rpmdb, to gain support for
these formats.
Signed-off-by: Tom Fay <tomfay@microsoft.com>
* add exception for modernc.org repos
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
* shorten rpmdb helper function
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* golang module CPE with full path
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* add note on longer Golang CPEs
Signed-off-by: Jonas Xavier <jonasx@anchore.com>
* Fix "bad output format" for `github-json` output
Signed-off-by: Steven Maude <git@stevenmaude.co.uk>
* Update formats in README
Signed-off-by: Steven Maude <git@stevenmaude.co.uk>
* Run `make lint-fix`
Signed-off-by: Steven Maude <git@stevenmaude.co.uk>
* read Go main module version as is - (devel)
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
* fix package test with default (devel) main module
Signed-off-by: Jonas Galvão Xavier <jonasx@anchore.com>
The Official CPE dictionary currently contains entries for springframework with three different vendors: springsource, vmware, and pivotal_software. This appears to be because ownership has changed over time.
Signed-off-by: Weston Steimel <weston.steimel@anchore.com>
* Add failing test for dir resolver panic
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Fix panic
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Implement fmt.Stringer with format.ID
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Add failing test for formats processing empty SBOMs
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Account for nil SPDX document during Syft model conversion
Signed-off-by: Dan Luhring <dan+github@luhrings.com>
* Less verbose logging in Golang Cataloger
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* debug for known gray errors
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* only show warnings when a binary is not a go executable
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
* initial working version
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* added build settings to pkg metadata
wip - unit tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* handle mach-O FatFiles
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add support to mod replace
fixed golang catalger tests
trying GH Actions with go 1.18rc1
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* log error
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* use go-macholibre for extraction
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* cleaner tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add version to main module
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* check macho file with macholibre
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* run golangci in its own workflow
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip - golangci workflow
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix golangci wf yml
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix golangci wf yml
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip - golangci wf
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* wip - golangci wf
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* get arch from bin file headers
upgrade macholibre
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* test new stereoscope lazy reader interface
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove devel version from golang cataloger
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* switch github workflows to go1.18 stable
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add union reader interface in golang cataloger
update stereoscope
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* go mod tidy
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* simpler golangci validation
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix makefile
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* get archs refactor
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* nolint for golang version
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix go bin tests
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* golangci nolint needs a \n before package
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* cleanup
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* move golangci-lint to its own jobs again
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix ci yaml
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add support for xcoff files
add arch assets to test bin file types
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* clean up golangci-lint config
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* nolint for xcoff
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* explain nolints
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* remove unused xcoff testdata assets
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* make go bin test-fixtures in docker
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* fix make clean with -f
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* update json output schema
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* update schema version in test fixture
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* feedback changes
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* explain possible empty main module
Signed-off-by: Jonas Galvão Xavier <jonas.agx@gmail.com>
* add test cases for yarn parser regex
Signed-off-by: Patrick Glass <patrickglass@gmail.com>
* update yarn.lock parser to support yarn berry
Add support for Yarn v3 (berry) which changes the output
Collapse regex for parsing scoped and non-scoped packages
Add tests for the regex to ensure backwards compatability
and to catch issues with future changes.
Signed-off-by: Patrick Glass <patrickglass@gmail.com>
* simplify yarn test expressions
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
Co-authored-by: Patrick Glass <patrickglass@gmail.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
Add source.NewFromRegistry function so that the syft attest command can always explicitly ask for an OCIRegistry provider rather than rely on local daemon detection for image sources.
Attestation can not be used where local images loaded in a daemon are the source. Digest values for the layer identification step in attestation can sometimes vary across workstations.
This fix makes it so that attest is generating an SBOM for, and attesting to, a source that exists in an OCI registry. It should never load a source from a local user docker/podman daemon.
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
