mirror of
https://github.com/anchore/syft.git
synced 2026-03-30 05:33:24 +02:00
b5e85c3ea5
* migrate fixtures to testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: correct broken symlinks after testdata migration
The migration from test-fixtures to testdata broke several symlinks:
- elf-test-fixtures symlinks pointed to old test-fixtures paths
- elf-test-fixtures needed to be renamed to elf-testdata
- image-pkg-coverage symlink pointed to test-fixtures instead of testdata
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: handle missing classifiers/bin directory in Makefile
The clean-fingerprint target was failing when classifiers/bin doesn't
exist (e.g., on fresh clone without downloaded binaries).
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negation for jar/zip fixtures in test/cli
The jar and zip files in test/cli/testdata/image-unknowns were being
gitignored by the root .gitignore patterns. This caused them to be
untracked and not included when building docker images in CI, resulting
in Test_Unknowns failures since the test expects errors from corrupt
archive files that weren't present.
Add a .gitignore in test/cli/testdata to negate the exclusions for
these specific test fixture files.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* switch fixture cache to v2
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update expected versions for rebuilt fixtures
Update test expectations for packages that have been updated in
upstream repositories when docker images are rebuilt:
- glibc: 2.42-r4 → 2.43-r1 (wolfi)
- php: 8.2.29 → 8.2.30 (ubuntu/apache)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* upgrade go
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add go-shlex dependency for testdata manager tool
The manager tool in syft/pkg/cataloger/binary/testdata/ imports
go-shlex, but since it's in a testdata directory, Go doesn't track
its dependencies. This caused CI failures when go.mod didn't
explicitly list the dependency.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* refactor: move binary classifier manager to internal/
Move the manager tool from testdata/manager to internal/manager so
that Go properly tracks its dependencies. Code in testdata directories
is ignored by Go for dependency tracking, which caused CI failures
when go.mod didn't explicitly list transitive dependencies.
This is a cleaner solution than manually adding dependencies to go.mod
for code that happens to live in testdata.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix: add gitignore negations for test fixtures blocked by root patterns
Multiple test fixtures were being blocked by root-level gitignore patterns
like bin/, *.jar, *.tar, and *.exe. This adds targeted .gitignore files with
negation patterns to allow these specific test fixtures to be tracked:
- syft/linux/testdata/os/busybox/bin/busybox (blocked by bin/)
- syft/pkg/cataloger/java/testdata/corrupt/example.{jar,tar} (blocked by *.jar, *.tar)
- syft/pkg/cataloger/binary/testdata/classifiers/snippets/go-version-hint/**/bin/go (blocked by bin/)
- syft/pkg/cataloger/bitnami/testdata/no-rel/.../bin/redis-server (blocked by bin/)
Also updates the bitnami test expectation to include the newly required
.gitignore files in the test fixture.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* test: update glibc version expectation (2.43-r1 -> 2.43-r2)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add capability drift check as unit step
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* dont clear test observations before drift detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* bump stereoscope commit to main
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Cataloger Capabilities Documentation
This documentation describes the format and structure of cataloger capabilities YAML files.
File Organization
Capabilities are organized as follows:
- Cataloger capabilities: Located in
syft/pkg/cataloger/*/capabilities.yaml(one file per ecosystem, alongside the cataloger source code:golang/capabilities.yaml,python/capabilities.yaml, etc.) - Application configuration: Located in
internal/capabilities/appconfig.yaml
Each capabilities.yaml file is partially auto-generated. Run go generate ./internal/capabilities to regenerate.
- Fields marked AUTO-GENERATED will be updated during regeneration
- All capabilities sections are MANUAL - edit these to describe cataloger behavior
Capability Sections
There are two types of capability sections depending on cataloger type:
1. Generic Catalogers (type: generic)
- Have capabilities at the PARSER level
- Each parser function has its own capabilities section
- Allows different parsers within the same cataloger to have different capabilities
2. Custom Catalogers (type: custom)
- Have capabilities at the CATALOGER level
- Single capabilities section for the entire cataloger
Capabilities Format
Capabilities use a field-based format with defaults and optional conditional overrides:
capabilities:
- field: <field-name> # dot-notation path (e.g., "license", "dependency.depth")
default: <value> # value when no conditions match
conditions: # optional - conditional overrides evaluated in order
- when: {ConfigField: val} # when these config fields match (AND logic)
value: <override-value> # use this value instead
comment: "explanation" # optional - why this condition exists
evidence: # optional - source code references
- "StructName.FieldName"
comment: "explanation" # optional - general field explanation
Detector Conditions
Detectors (used by custom catalogers) can have optional conditions that control when they are active. This allows a single cataloger to have different detection behavior based on configuration.
Structure
detectors:
- method: glob # AUTO-GENERATED - detection method
criteria: ["**/*.jar"] # AUTO-GENERATED - patterns to match
comment: "always active" # MANUAL - optional explanation
- method: glob
criteria: ["**/*.zip"]
conditions: # MANUAL - when this detector is active
- when: {IncludeZipFiles: true} # config fields that must match
comment: "optional explanation"
comment: "ZIP detection requires config"
Notes
- Conditions reference fields from the cataloger's config struct
- Multiple conditions in the array use OR logic (any condition can activate)
- Multiple fields in a
whenclause use AND logic (all must match) - Detectors without conditions are always active
- Only custom catalogers support detectors with conditions
Condition Evaluation
- Conditions are evaluated in array order (first match wins)
- Multiple fields in a
whenclause use AND logic (all must match) - Multiple conditions in the array use OR logic (first matching condition)
- If no conditions match, the default value is used
Capability Fields
Standard capability field names and their value types:
license (boolean)
Whether license information is available.
Examples:
default: true # always available
default: false # never available
default: false # requires configuration
conditions:
- when: {SearchRemoteLicenses: true}
value: true
dependency.depth (array of strings)
Which dependency depths can be discovered.
Values: direct (immediate deps), indirect (transitive deps)
Examples:
default: [direct] # only immediate dependencies
default: [direct, indirect] # full transitive closure
default: [] # no dependency information
dependency.edges (string)
Relationships between nodes and completeness of the dependency graph.
Values:
""- dependencies found but no edges between them"flat"- single level of dependencies with edges to root package only"reduced"- transitive reduction (redundant edges removed)"complete"- all relationships with accurate direct and indirect edges
Examples:
default: complete
default: ""
dependency.kinds (array of strings)
Types of dependencies that can be discovered.
Values: runtime, dev, build, test, optional
Examples:
default: [runtime] # production dependencies only
default: [runtime, dev] # production and development
default: [runtime, dev, build] # all dependency types
default: [runtime] # with conditional dev deps
conditions:
- when: {IncludeDevDeps: true}
value: [runtime, dev]
package_manager.files.listing (boolean)
Whether file listings are available (which files belong to the package).
Examples:
default: true
default: false
conditions:
- when: {CaptureOwnedFiles: true}
value: true
package_manager.files.digests (boolean)
Whether file digests/checksums are included in listings.
Examples:
default: true
default: false
package_manager.package_integrity_hash (boolean)
Whether a hash for verifying package integrity is available.
Examples:
default: true
default: false
Examples
Simple cataloger with no configuration
capabilities:
- name: license
default: true
comment: "license field always present in package.json"
- name: dependency.depth
default: [direct]
- name: dependency.edges
default: ""
- name: dependency.kinds
default: [runtime]
comment: "devDependencies not parsed by this cataloger"
- name: package_manager.files.listing
default: false
- name: package_manager.files.digests
default: false
- name: package_manager.package_integrity_hash
default: false
Cataloger with configuration-dependent capabilities
capabilities:
- name: license
default: false
conditions:
- when: {SearchLocalModCacheLicenses: true}
value: true
comment: "searches for licenses in GOPATH mod cache"
- when: {SearchRemoteLicenses: true}
value: true
comment: "fetches licenses from proxy.golang.org"
comment: "license scanning requires configuration"
- name: dependency.depth
default: [direct, indirect]
- name: dependency.edges
default: flat
- name: dependency.kinds
default: [runtime, dev]
- name: package_manager.files.listing
default: false
- name: package_manager.files.digests
default: false
- name: package_manager.package_integrity_hash
default: true
evidence:
- "GolangBinaryBuildinfoEntry.H1Digest"