mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 08:23:15 +01:00
* feat: add parsing for uv.lock (#3268)
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* Still no tests, but much more complete
Next up: start writing tests! :)
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore: finish out functionality and write tests
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* Merge the .NET deps.json and PE binary catalogers (#3563)
* add combined deps.json + pe binary cataloger
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* deprecate pe and deps standalone catalogers
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* parse resource names + add tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* fix integration and CLI tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add some helpful code comments
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* allow for dropping Dep packages that are missing DLLs
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* migrate json schema changes to 24
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* keep application configuration
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* correct config help
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] detect claims of dlls within deps.json
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* [wip] fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add assembly repack detection
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* .net package count is lower due to dll claim requirement
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* better .NET cpe generation (#3764)
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* Better represent .NET runtime packages (#3768)
* clean up .NET runtime packages
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* add runtime relationships
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* remove runtime references from binary package name
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---------
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore(deps): update CPE dictionary index (#3769)
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore(deps): bump modernc.org/sqlite from 1.36.1 to 1.37.0 (#3771)
Bumps [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) from 1.36.1 to 1.37.0.
- [Commits](https://gitlab.com/cznic/sqlite/compare/v1.36.1...v1.37.0)
---
updated-dependencies:
- dependency-name: modernc.org/sqlite
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore(deps): bump 8398a7/action-slack from 3.16.2 to 3.18.0 (#3767)
Bumps [8398a7/action-slack](https://github.com/8398a7/action-slack) from 3.16.2 to 3.18.0.
- [Release notes](https://github.com/8398a7/action-slack/releases)
- [Commits](28ba43ae48...1750b5085f)
---
updated-dependencies:
- dependency-name: 8398a7/action-slack
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#3766)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.37.0 to 0.38.0.
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore: move/modify code for lint issues
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore: make sure private structs are not exported
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* fix tests
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* generate json schema
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
* chore: update readme to include uv
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
* chore: use uv as the package manager name
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
---------
Signed-off-by: Joshua Kugler <tek30584@adobe.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: anchore-actions-token-generator[bot] <102182147+anchore-actions-token-generator[bot]@users.noreply.github.com>
Co-authored-by: wagoodman <590471+wagoodman@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
113 lines
4.5 KiB
Go
package pkg

import (
	"sort"

	"github.com/scylladb/go-set/strset"
)

var _ FileOwner = (*PythonPackage)(nil)

// PythonPackage represents all captured data for a python egg or wheel package (specifically as outlined in
// the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/).
// Historically these were defined in PEPs 345, 314, and 241, but have been superseded by PEP 566. This means that this
// struct can (partially) express at least versions 1.0, 1.1, 1.2, 2.1, 2.2, and 2.3 of the metadata format.
type PythonPackage struct {
	Name                 string                     `json:"name" mapstructure:"Name"`
	Version              string                     `json:"version" mapstructure:"Version"`
	Author               string                     `json:"author" mapstructure:"Author"`
	AuthorEmail          string                     `json:"authorEmail" mapstructure:"AuthorEmail"`
	Platform             string                     `json:"platform" mapstructure:"Platform"`
	Files                []PythonFileRecord         `json:"files,omitempty"`
	SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
	TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
	DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
	RequiresPython       string                     `json:"requiresPython,omitempty" mapstructure:"RequiresPython"`
	RequiresDist         []string                   `json:"requiresDist,omitempty" mapstructure:"RequiresDist"`
	ProvidesExtra        []string                   `json:"providesExtra,omitempty" mapstructure:"ProvidesExtra"`
}

// PythonFileDigest represents the file metadata for a single file attributed to a python package.
type PythonFileDigest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

// PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package
type PythonFileRecord struct {
	Path   string            `json:"path"`
	Digest *PythonFileDigest `json:"digest,omitempty"`
	Size   string            `json:"size,omitempty"`
}

// PythonDirectURLOriginInfo represents the origin recorded in a direct_url.json file (PEP 610) for a package
// installed from a URL or VCS checkout rather than from an index.
type PythonDirectURLOriginInfo struct {
	URL      string `json:"url"`
	CommitID string `json:"commitId,omitempty"`
	VCS      string `json:"vcs,omitempty"`
}

// OwnedFiles returns the sorted, de-duplicated set of file paths listed in the package's RECORD entries.
func (m PythonPackage) OwnedFiles() (result []string) {
	s := strset.New()
	for _, f := range m.Files {
		if f.Path != "" {
			s.Add(f.Path)
		}
	}
	result = s.List()
	sort.Strings(result)
	return result
}

// PythonPipfileLockEntry represents a single package entry within a Pipfile.lock file.
type PythonPipfileLockEntry struct {
	Hashes []string `mapstructure:"hashes" json:"hashes"`
	Index  string   `mapstructure:"index" json:"index"`
}

// PythonPoetryLockEntry represents a single package entry within a poetry.lock file.
type PythonPoetryLockEntry struct {
	Index        string                            `mapstructure:"index" json:"index"`
	Dependencies []PythonPoetryLockDependencyEntry `json:"dependencies"`
	Extras       []PythonPoetryLockExtraEntry      `json:"extras,omitempty"`
}

// PythonPoetryLockDependencyEntry represents a single dependency declared by a poetry.lock package entry.
type PythonPoetryLockDependencyEntry struct {
	Name     string   `json:"name"`
	Version  string   `json:"version"`
	Optional bool     `json:"optional"`
	Markers  string   `json:"markers,omitempty"`
	Extras   []string `json:"extras,omitempty"`
}

// PythonPoetryLockExtraEntry represents a named extra of a poetry.lock package entry and the dependencies it pulls in.
type PythonPoetryLockExtraEntry struct {
	Name         string   `json:"name"`
	Dependencies []string `json:"dependencies"`
}

// PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.
type PythonRequirementsEntry struct {
	Name              string   `json:"name" mapstructure:"Name"`
	Extras            []string `json:"extras,omitempty" mapstructure:"Extras"`
	VersionConstraint string   `json:"versionConstraint" mapstructure:"VersionConstraint"`
	URL               string   `json:"url,omitempty" mapstructure:"URL"`
	Markers           string   `json:"markers,omitempty" mapstructure:"Markers"`
}

// PythonUvLockDependencyEntry represents a single dependency declared by a uv.lock package entry.
type PythonUvLockDependencyEntry struct {
	Name     string   `json:"name"`
	Optional bool     `json:"optional"`
	Markers  string   `json:"markers,omitempty"`
	Extras   []string `json:"extras,omitempty"`
}

// PythonUvLockExtraEntry represents a named extra of a uv.lock package entry and the dependencies it pulls in.
type PythonUvLockExtraEntry struct {
	Name         string   `json:"name"`
	Dependencies []string `json:"dependencies"`
}

// PythonUvLockEntry represents a single package entry within a uv.lock file.
type PythonUvLockEntry struct {
	Index        string                        `mapstructure:"index" json:"index"`
	Dependencies []PythonUvLockDependencyEntry `json:"dependencies"`
	Extras       []PythonUvLockExtraEntry      `json:"extras,omitempty"`
}
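The uv.lock types above only define the shape syft records for each locked package. The following is an added example, not syft's own parser, showing how a uv.lock document (which is TOML) maps onto that shape: the registry URL from `source` becomes the index, entries under `optional-dependencies` become dependencies flagged optional plus a named extra, and `marker` becomes the markers string. It uses Python's standard-library `tomllib`; the dataclass names, the `SAMPLE_UV_LOCK` content, and the two checks at the end (`dependency_edges`, `unresolved_dependencies`) are this example's own constructions, not part of syft. The sample lock deliberately omits a `pysocks` package entry so the unresolved-dependency check has something to report.

```python
"""Added example (not syft's code): parse uv.lock into a model mirroring
syft's PythonUvLockEntry / PythonUvLockDependencyEntry / PythonUvLockExtraEntry."""
from dataclasses import dataclass, field

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample uv.lock content (not from any real project). The
# "pysocks" package referenced by the "socks" extra is intentionally absent.
SAMPLE_UV_LOCK = """
version = 1
requires-python = ">=3.12"

[[package]]
name = "demo-app"
version = "0.1.0"
source = { virtual = "." }
dependencies = [
    { name = "requests" },
]

[package.optional-dependencies]
socks = [
    { name = "pysocks" },
]

[[package]]
name = "requests"
version = "2.32.3"
source = { registry = "https://pypi.org/simple" }
dependencies = [
    { name = "certifi" },
    { name = "urllib3", marker = "python_full_version >= '3.10'" },
]

[package.optional-dependencies]
socks = [
    { name = "pysocks" },
]

[[package]]
name = "certifi"
version = "2024.8.30"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "urllib3"
version = "2.2.3"
source = { registry = "https://pypi.org/simple" }
"""


@dataclass
class UvLockDependencyEntry:  # mirrors PythonUvLockDependencyEntry
    name: str
    optional: bool = False
    markers: str = ""
    extras: list[str] = field(default_factory=list)


@dataclass
class UvLockExtraEntry:  # mirrors PythonUvLockExtraEntry
    name: str
    dependencies: list[str]


@dataclass
class UvLockPackage:  # name/version plus the PythonUvLockEntry fields
    name: str
    version: str
    index: str  # registry URL from `source`; "" for local/virtual sources
    dependencies: list[UvLockDependencyEntry]
    extras: list[UvLockExtraEntry]


def _dep_entry(raw: dict, optional: bool) -> UvLockDependencyEntry:
    # uv.lock spells the keys "marker" and "extra"; the model uses syft's names.
    return UvLockDependencyEntry(
        name=raw["name"],
        optional=optional,
        markers=raw.get("marker", ""),
        extras=list(raw.get("extra", [])),
    )


def parse_uv_lock(text: str) -> dict[str, UvLockPackage]:
    """Return locked packages keyed by name."""
    doc = tomllib.loads(text)
    packages: dict[str, UvLockPackage] = {}
    for raw in doc.get("package", []):
        deps = [_dep_entry(d, False) for d in raw.get("dependencies", [])]
        extras: list[UvLockExtraEntry] = []
        # Each optional-dependencies group is both a named extra and a set of
        # optional dependency entries, matching how the Go model splits them.
        for extra_name, extra_deps in raw.get("optional-dependencies", {}).items():
            deps.extend(_dep_entry(d, True) for d in extra_deps)
            extras.append(UvLockExtraEntry(extra_name, [d["name"] for d in extra_deps]))
        packages[raw["name"]] = UvLockPackage(
            name=raw["name"],
            version=raw["version"],
            index=raw.get("source", {}).get("registry", ""),
            dependencies=deps,
            extras=extras,
        )
    return packages


def dependency_edges(packages: dict[str, UvLockPackage], include_optional: bool = False) -> list[tuple[str, str]]:
    """(dependant, dependency) pairs whose target is itself locked in the file."""
    edges = {
        (pkg.name, dep.name)
        for pkg in packages.values()
        for dep in pkg.dependencies
        if dep.name in packages and (include_optional or not dep.optional)
    }
    return sorted(edges)


def unresolved_dependencies(packages: dict[str, UvLockPackage]) -> list[tuple[str, str]]:
    """Declared dependencies with no matching [[package]] entry: a lock file
    that cannot be fully resolved should not be trusted as a complete BOM."""
    missing = {
        (pkg.name, dep.name)
        for pkg in packages.values()
        for dep in pkg.dependencies
        if dep.name not in packages
    }
    return sorted(missing)


if __name__ == "__main__":
    pkgs = parse_uv_lock(SAMPLE_UV_LOCK)
    for name, pkg in pkgs.items():
        print(name, pkg.version, pkg.index or "(local)", [d.name for d in pkg.dependencies])
    print("edges:", dependency_edges(pkgs))
    print("unresolved:", unresolved_dependencies(pkgs))
```

The `unresolved_dependencies` check is the practical takeaway: a lock file's package list is only a trustworthy inventory when every declared dependency resolves to a locked entry, so a cataloger consuming uv.lock should surface gaps rather than silently emitting a partial graph.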