mirror of
https://github.com/anchore/syft.git
synced 2026-07-04 18:18:26 +02:00
* Vcpkg cataloger for vcpkg "Manifest Mode" Find and parse vcpkg-lock.json to get HEAD commit hash Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * just use local vcpkg git repo if it exists, clone it if it doesn't Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Config opt for git remote clones for vcpkg and README update Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * Look in vcpkg cache git repo for custom git repos Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * add triplet to metadata and support overlay-ports from config file Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * Add PURL to packages (not sure if this is correct) Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * flatten structs in pkg module and move vcpkg structs to resolver Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * account for overriden versions in toplevel manifest Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * generate json schema for vcpkg metadata Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * test for basic vcpkg project dependencies for vcpkg registry to be pulled in add tree hashes and use correct git hash in builtin-baseline for helloworld test vcpkg-registry for testing that uses object hashes from syft repo fix broken tests Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * formatting Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * fix static-analysis violations Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix integration test failure Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * remove uneeded files from vcpkg test fixture and use custom registry Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * change vcpkg registry to anchore one Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * purl spec based on open PR Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * generate-json-schema Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * rebased and generate json schema 16.0.40 Signed-off-by: Gabriel Rau <gabetrau@gmail.com> * address low hanging fruit Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * handle additional comments Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * migrate to testdata Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * improve docs and testing Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix static analysis Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * remove license from pkg metadata Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> * fix capabilities claim Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> --------- Signed-off-by: Gabriel Rau <gabetrau@gmail.com> Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com> Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
67 lines
6.0 KiB
YAML
67 lines
6.0 KiB
YAML
# Application-level configuration. See README.md for documentation.
|
|
# This file is partially auto-generated. Run 'go generate ./internal/capabilities' to regenerate.
|
|
|
|
application: # AUTO-GENERATED - application-level config keys
|
|
- key: cpp.vcpkg-allow-git-clone
|
|
description: enables Syft to use clone remote repositories for vcpkg custom git registries. (also useful if the builtin vcpkg registry is not cloned locally)
|
|
- key: dotnet.dep-packages-must-claim-dll
|
|
description: only keep dep.json packages which have a runtime/resource DLL claimed in the deps.json targets section (but not necessarily found on disk). The package is also included if any child package claims a DLL, even if the package itself does not claim a DLL.
|
|
- key: dotnet.dep-packages-must-have-dll
|
|
description: only keep dep.json packages which an executable on disk is found. The package is also included if a DLL is found for any child package, even if the package itself does not have a DLL.
|
|
- key: dotnet.exclude-project-references
|
|
description: exclude packages with type "project" from deps.json output (these are internal project references, not NuGet packages)
|
|
- key: dotnet.propagate-dll-claims-to-parents
|
|
description: treat DLL claims or on-disk evidence for child packages as DLL claims or on-disk evidence for any parent package
|
|
- key: dotnet.relax-dll-claims-when-bundling-detected
|
|
description: show all packages from the deps.json if bundling tooling is present as a dependency (e.g. ILRepack)
|
|
- key: golang.local-mod-cache-dir
|
|
description: specify an explicit go mod cache directory, if unset this defaults to $GOPATH/pkg/mod or $HOME/go/pkg/mod
|
|
- key: golang.local-vendor-dir
|
|
description: specify an explicit go vendor directory, if unset this defaults to ./vendor
|
|
- key: golang.main-module-version.from-build-settings
|
|
description: use the build settings (e.g. vcs.version & vcs.time) to craft a v0 pseudo version (e.g. v0.0.0-20220308212642-53e6d0aaf6fb) when a more accurate version cannot be found otherwise
|
|
- key: golang.main-module-version.from-contents
|
|
description: search for semver-like strings in the binary contents
|
|
- key: golang.main-module-version.from-ld-flags
|
|
description: look for LD flags that appear to be setting a version (e.g. -X main.version=1.0.0)
|
|
- key: golang.no-proxy
|
|
description: specifies packages which should not be fetched by proxy if unset this defaults to $GONOPROXY
|
|
- key: golang.proxy
|
|
description: remote proxy to use when retrieving go packages from the network, if unset this defaults to $GOPROXY followed by https://proxy.golang.org
|
|
- key: golang.search-local-mod-cache-licenses
|
|
description: search for go package licences in the GOPATH of the system running Syft, note that this is outside the container filesystem and potentially outside the root of a local directory scan
|
|
- key: golang.search-local-vendor-licenses
|
|
description: search for go package licences in the vendor folder on the system running Syft, note that this is outside the container filesystem and potentially outside the root of a local directory scan
|
|
- key: golang.search-remote-licenses
|
|
description: search for go package licences by retrieving the package from a network proxy
|
|
- key: golang.use-packages-lib
|
|
description: use the golang.org/x/tools/go/packages library, which executes golang tooling found on the path in addition to potential network access to get the most accurate results
|
|
- key: java.maven-local-repository-dir
|
|
description: override the default location of the local Maven repository. the default is the subdirectory '.m2/repository' in your home directory
|
|
- key: java.maven-url
|
|
description: maven repository to use, defaults to Maven central
|
|
- key: java.max-parent-recursive-depth
|
|
description: depth to recursively resolve parent POMs, no limit if <= 0
|
|
- key: java.resolve-transitive-dependencies
|
|
description: resolve transient dependencies such as those defined in a dependency's POM on Maven central
|
|
- key: java.use-maven-local-repository
|
|
description: 'use the local Maven repository to retrieve pom files. When Maven is installed and was previously used for building the software that is being scanned, then most pom files will be available in this repository on the local file system. this greatly speeds up scans. when all pom files are available in the local repository, then ''use-network'' is not needed. TIP: If you want to download all required pom files to the local repository without running a full build, run ''mvn help:effective-pom'' before performing the scan with syft.'
|
|
- key: java.use-network
|
|
description: enables Syft to use the network to fetch version and license information for packages when a parent or imported pom file is not found in the local maven repository. the pom files are downloaded from the remote Maven repository at 'maven-url'
|
|
- key: javascript.include-dev-dependencies
|
|
description: include development-scoped dependencies
|
|
- key: javascript.npm-base-url
|
|
description: base NPM url to use
|
|
- key: javascript.search-remote-licenses
|
|
description: enables Syft to use the network to fill in more detailed license information
|
|
- key: linux-kernel.catalog-modules
|
|
description: whether to catalog linux kernel modules found within lib/modules/** directories
|
|
- key: nix.capture-owned-files
|
|
description: enumerate all files owned by packages found within Nix store paths
|
|
- key: python.guess-unpinned-requirements
|
|
description: when running across entries in requirements.txt that do not specify a specific version (e.g. "sqlalchemy >= 1.0.0, <= 2.0.0, != 3.0.0, <= 3.0.0"), attempt to guess what the version could be based on the version requirements specified (e.g. "1.0.0"). When enabled the lowest expressible version when given an arbitrary constraint will be used (even if that version may not be available/published).
|
|
- key: python.pypi-base-url
|
|
description: base Pypi url to use
|
|
- key: python.search-remote-licenses
|
|
description: enables Syft to use the network to fill in more detailed license information
|