mirror of
https://github.com/anchore/syft.git
synced 2025-11-18 00:43:20 +01:00
bffe26bcc5
* prototype: start bitnami cataloger Bitnami images have spdx SBOMs at predictable paths, and Syft could more accurately identify the software in these images by scanning those SBOMs. Start work on this by forking the sbom-cataloger as a new bitnami-cataloger. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * wire up bitnami cataloger to run on images by default Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * feat: add support for Bitnami cataloguer Signed-off-by: juan131 <jariza@vmware.com> * feat: use a better SPDX sample for unit tests Signed-off-by: juan131 <jariza@vmware.com> * bugfix: only report bitnami pkgs Signed-off-by: juan131 <jariza@vmware.com> * feat: adapt JSON schema, spdxutil and packagemetadata Signed-off-by: juan131 <jariza@vmware.com> * bugfix: integration tests Signed-off-by: juan131 <jariza@vmware.com> * feat: implement FileOwner interface Signed-off-by: juan131 <jariza@vmware.com> * bugfix: update json schema Signed-off-by: juan131 <jariza@vmware.com> * [wip] add bitnami owned files and fix binary package ownership filtering Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * feat: obtain bitnami pkg files based on SPDX relationships tree Signed-off-by: juan131 <jariza@vmware.com> * preserve type switches Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * rename bitnami entry metadata type Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * restrict find main pkg logic Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add missing graalvm source info Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * bugfix: integration tests Signed-off-by: juan131 <jariza@vmware.com> * bugfix: mod tidy Signed-off-by: juan131 <jariza@vmware.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> Signed-off-by: juan131 <jariza@vmware.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Will Murphy <willmurphyscode@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
79 lines
2.6 KiB
Go
79 lines
2.6 KiB
Go
package task
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/anchore/syft/internal/relationship"
|
|
"github.com/anchore/syft/internal/relationship/binary"
|
|
"github.com/anchore/syft/internal/sbomsync"
|
|
"github.com/anchore/syft/syft/artifact"
|
|
"github.com/anchore/syft/syft/cataloging"
|
|
"github.com/anchore/syft/syft/file"
|
|
"github.com/anchore/syft/syft/sbom"
|
|
"github.com/anchore/syft/syft/source"
|
|
)
|
|
|
|
var _ artifact.Identifiable = (*sourceIdentifierAdapter)(nil)
|
|
|
|
type sourceIdentifierAdapter struct {
|
|
desc source.Description
|
|
}
|
|
|
|
func (s sourceIdentifierAdapter) ID() artifact.ID {
|
|
return artifact.ID(s.desc.ID)
|
|
}
|
|
|
|
func NewRelationshipsTask(cfg cataloging.RelationshipsConfig, src source.Description) Task {
|
|
fn := func(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error {
|
|
finalizeRelationships(
|
|
resolver,
|
|
builder,
|
|
cfg,
|
|
&sourceIdentifierAdapter{desc: src})
|
|
|
|
return nil
|
|
}
|
|
|
|
return NewTask("relationships-cataloger", fn)
|
|
}
|
|
|
|
func finalizeRelationships(resolver file.Resolver, builder sbomsync.Builder, cfg cataloging.RelationshipsConfig, src artifact.Identifiable) {
|
|
accessor := builder.(sbomsync.Accessor)
|
|
|
|
// remove ELF packages and Binary packages that are already
|
|
// represented by a source package (e.g. a package that is evident by some package manager)
|
|
builder.DeletePackages(binary.PackagesToRemove(accessor)...)
|
|
|
|
// add relationships showing packages that are evident by a file which is owned by another package (package-to-package)
|
|
if cfg.PackageFileOwnershipOverlap {
|
|
relationship.ByFileOwnershipOverlapWorker(accessor)
|
|
}
|
|
|
|
// conditionally remove binary packages based on file ownership overlap relationships found
|
|
// https://github.com/anchore/syft/issues/931
|
|
if cfg.ExcludeBinaryPackagesWithFileOwnershipOverlap {
|
|
relationship.ExcludeBinariesByFileOwnershipOverlap(accessor)
|
|
}
|
|
|
|
// add the new relationships for executables to the SBOM
|
|
newBinaryRelationships := binary.NewDependencyRelationships(resolver, accessor)
|
|
accessor.WriteToSBOM(func(s *sbom.SBOM) {
|
|
s.Relationships = append(s.Relationships, newBinaryRelationships...)
|
|
})
|
|
builder.AddRelationships(newBinaryRelationships...)
|
|
// add source "contains package" relationship (source-to-package)
|
|
var sourceRelationships []artifact.Relationship
|
|
accessor.ReadFromSBOM(func(s *sbom.SBOM) {
|
|
sourceRelationships = relationship.ToSource(src, s.Artifacts.Packages)
|
|
})
|
|
builder.AddRelationships(sourceRelationships...)
|
|
|
|
// add evident-by relationships (package-to-file)
|
|
var evidentByRelationships []artifact.Relationship
|
|
accessor.ReadFromSBOM(func(s *sbom.SBOM) {
|
|
evidentByRelationships = relationship.EvidentBy(s.Artifacts.Packages)
|
|
})
|
|
|
|
builder.AddRelationships(evidentByRelationships...)
|
|
}
|