mirror of
https://github.com/anchore/syft.git
synced 2026-03-29 21:23:24 +02:00
e38851143e
* chore: centralize temp files and prefer streaming IO Catalogers that create temp files ad-hoc can easily forget cleanup, leaking files on disk. Similarly, io.ReadAll is convenient but risks OOM on large or malicious inputs. Introduce internal/tmpdir to manage all cataloger temp storage under a single root directory with automatic cleanup. Prefer streaming parsers (bufio.Scanner, json/yaml.NewDecoder, io.LimitReader) over buffering entire inputs into memory. Add ruleguard rules to enforce both practices going forward. Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore: go back to old release parsing Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * simplify to limit reader in version check Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * chore: regex change postponed Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> * simplify supplement release to limitreader Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com> --------- Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
60 lines
1.8 KiB
Go
60 lines
1.8 KiB
Go
package nix
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/anchore/syft/syft/artifact"
|
|
"github.com/anchore/syft/syft/file"
|
|
"github.com/anchore/syft/syft/pkg"
|
|
)
|
|
|
|
type Config struct {
|
|
// CaptureOwnedFiles determines whether to record the list of files owned by each Nix package discovered in the store. Recording owned files provides more detailed information but increases processing time and memory usage.
|
|
// app-config: nix.capture-owned-files
|
|
CaptureOwnedFiles bool `json:"capture-owned-files" yaml:"capture-owned-files" mapstructure:"capture-owned-files"`
|
|
}
|
|
|
|
func (c Config) WithCaptureOwnedFiles(set bool) Config {
|
|
c.CaptureOwnedFiles = set
|
|
return c
|
|
}
|
|
|
|
func DefaultConfig() Config {
|
|
return Config{
|
|
CaptureOwnedFiles: false,
|
|
}
|
|
}
|
|
|
|
// cataloger finds package outputs installed in the Nix store location (/nix/store/*) or in the internal nix database (/nix/var/nix/db/db.sqlite).
|
|
type cataloger struct {
|
|
dbParser dbCataloger
|
|
storeCataloger storeCataloger
|
|
}
|
|
|
|
func NewCataloger(cfg Config) pkg.Cataloger {
|
|
name := "nix-cataloger"
|
|
return cataloger{
|
|
dbParser: newDBCataloger(cfg, name),
|
|
storeCataloger: newStoreCataloger(cfg, name),
|
|
}
|
|
}
|
|
|
|
func (c cataloger) Name() string {
|
|
return c.dbParser.catalogerName
|
|
}
|
|
|
|
func (c cataloger) Catalog(ctx context.Context, resolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) {
|
|
// always try the DB cataloger first (based off of information recorded by actions taken by nix tooling)
|
|
pkgs, rels, err := c.dbParser.catalog(ctx, resolver)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("failed to catalog nix packages from database: %w", err)
|
|
}
|
|
if len(pkgs) > 0 {
|
|
return pkgs, rels, nil
|
|
}
|
|
|
|
// there are no results from the DB cataloger, then use the store path cataloger (not as accurate / detailed in information)
|
|
return c.storeCataloger.Catalog(ctx, resolver)
|
|
}
|