* Add MySQL and MariaDB binary classifiers
Signed-off-by: Duane May <duanemay@gmail.com>
Signed-off-by: Duane May <mduane@vmware.com>
* use smallest possible binary fixtures
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Duane May <duanemay@gmail.com>
Signed-off-by: Duane May <mduane@vmware.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Allow existing matcher to match host identifiers longer than 12
characters. The binaries distributed by redis have the version before
payload, so add a matcher for that. Add test fixtures covering these
scenarios.
Signed-off-by: David Dooling <david.dooling@docker.com>
* expose underlying format options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove escape html options and address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* SPDX file has duplicate sha256 tag in versionInfo
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
* add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
- Add a new Java configuration option to recursively search parent poms for licenses
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* follow convention for naming catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cataloger name example
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
This adds PURLs when scanning Gradle lock files.
Unintuitively the correct PURL type appears to be `maven` as opposed to
`gradle`. See https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
- `gradle` for Gradle plugins
- `maven` for Maven JARs and related artifacts
Signed-off-by: Robbie Vanbrabant <robbie@monzo.com>
* test: remove dll files and updates tests to use versionResources
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update integration tests with dot net coverage
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: move test cases to appropriate blocks
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: chmod only the dll
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: add primary annotation key to packages
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: bump number of packages with new dotnet package
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* fix: update parsing logic to remove empty space
* tests: update with test cases provided by community
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* Read a license from a parent pom stored in Maven Central
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* [wip]
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* distinct the package metadata functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove metadata type from package core model
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate review feedback for names
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add RPM archive metadata and split parser helpers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* clarify the python package metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename the KB metadata type
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* break hackage and composer types by use case
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* linting fix
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix encoding and decoding for syft-json and cyclonedx
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema to 11
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cyclonedx-xml snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update spdx-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update spdx-tv snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update syft-json snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct metadata type in stack yaml parser test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix bom-ref redactor for cyclonedx-xml
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests for legacy package metadata names
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* regenerate json schema v11
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix legacy HackageMetadataType reflect type value check
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* packagemetadata discovery should account for type shadowing
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema version to v12
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update json schema to incorporate changes from main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add syft-json legacy config option
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add tests around v11-v12 json decoding
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add docs for SYFT_JSON_LEGACY
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* rename structs to be compliant with new naming scheme
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* split up sbom.Format into encode and decode ops
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update cmd pkg to inject format configs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump cyclonedx schema to 1.5
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* redact image metadata from github encoder tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add more testing around format decoder identify
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add test case for format version options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix CLI test
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] - review comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep encoder creation out of post load function
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep decider and identify functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add a few more doc comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove format encoder default function helpers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* address PR feedback
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* move back to streaming based decode functions
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* with common convention for encoder constructors
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix tests and allow for encoders to be created from cli options
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix cli tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix linting
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* buffer reads from stdin to support seeking
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* feat: add conaninfo.txt parser to detect conan packages in docker images
Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
* fix: add NewConanInfoCataloger as a separate cataloger
Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
---------
Signed-off-by: Stefan Profanter <stefan.profanter@agile-robots.com>
* Add ruby.NewGemSpecCataloger to DirectoryCatalogers.
Signed-off-by: Evan <chaol@vmware.com>
* fixed tests
Signed-off-by: Evan <chaol@vmware.com>
* Addressed review comment
Signed-off-by: Evan <chaol@vmware.com>
* Remove NewInstalledGemSpecCataloger from default dir catalogers
Because the files that the installed gemspec cataloger work off of are a
subset of the files that the more general gemspec cataloger will work
off of, we shouldn't have both of them on by default, since this could
result in finding the same package twice.
Signed-off-by: Will Murphy <will.murphy@anchore.com>
---------
Signed-off-by: Evan <chaol@vmware.com>
Signed-off-by: Will Murphy <will.murphy@anchore.com>
Co-authored-by: Will Murphy <will.murphy@anchore.com>
* added download locatoin (resolved) when cataloging a directory - javascript ecosystem- npm - packag-lock
Signed-off by Auston(Aoxiang) Zhang <auston.zhang@dal.ca>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: get DCO to fire
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Auston-Zhang <ax706429@dal.ca>
* fix: allow packages to be captured from DIST/EGG case
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update expected glob paths
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* account for maven bundle plugin and fix filename matching
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add in-repo jar tests based on metadata to cover #2130
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* tests: fix test merge commit
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
* remove internal string set
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* incorporate changes from #2227
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* beef up the pkg.License.Merg() doc string
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* survive invalid input in swift parser
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add empty file
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add relationships for deb packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* update snapshots
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* small refactor to remove duplicate code
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* Parse the Maven license from the pom.xml if not contained in the manifest
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
* chore: restore 10.0.2 schema
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: generate new 11.0.1 schema
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* refactor: remove schema change
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* test: update unit tests to align with new pattern
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: pr feedback
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* chore: remove struct tags
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
* keep license name and url semantics preserved on the pkg object
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Co-authored-by: Christopher Phillips <christopher.phillips@anchore.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
adds a unique synthetic package to the SBOM output that represents the go compiler when it is detected as a part of a package discovered by the go binary cataloger.
When using an SBOM generated by syft - downstream vulnerability scanners now have the opportunity to detect/report on the PURL/CPEs attached to the new stdlib package.
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
