Merge branch 'main' into 1577-license-revamp

* main:
  chore(docs): Update lists of catalogers (#1780)
  chore: add more detail on SPDX file IDs (#1769)
  Search /usr/share for rpmdb to fix scan on ostree-managed images (#1756)
  chore(deps): bump github.com/docker/docker (#1767)
  rename sbom.PackageCatalog to sbom.Packages (#1773)
  chore(deps): bump modernc.org/sqlite from 1.22.0 to 1.22.1 (#1768)

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>

README.md

@@ -152,39 +152,53 @@ This default behavior can be overridden with the `default-image-pull-source` con
 
 ##### Image Scanning:
 - alpmdb
-- rpmdb
-- dpkgdb
 - apkdb
+- binary
+- dotnet-deps
+- dpkgdb
+- go-module-binary
+- graalvm-native-image
+- java
+- javascript-package
+- linux-kernel
+- nix-store
+- php-composer-installed
 - portage
-- ruby-gemspec
 - python-package
-- php-composer-installed Cataloger
-- javascript-package
-- java
-- go-module-binary
-- dotnet-deps
+- rpm-db
+- ruby-gemspec
+- sbom
 
 ##### Directory Scanning:
 - alpmdb
 - apkdb
+- binary
+- cocoapods
+- conan
+- dartlang-lock
+- dotnet-deps
 - dpkgdb
+- elixir-mix-lock
+- erlang-rebar-lock
+- go-mod-file
+- go-module-binary
+- graalvm-native-image
+- haskell
+- java
+- java-gradle-lockfile
+- java-pom
+- javascript-lock
+- linux-kernel
+- nix-store
+- php-composer-lock
 - portage
-- rpmdb
-- ruby-gemfile
 - python-index
 - python-package
-- php-composer-lock
-- javascript-lock
-- java
-- java-pom
-- go-module-binary
-- go-mod-file
+- rpm-db
+- rpm-file
+- ruby-gemfile
 - rust-cargo-lock
-- dartlang-lock
-- dotnet-deps
-- cocoapods
-- conan
-- hackage
+- sbom
 
 ##### Non Default:
 - cargo-auditable-binary
@@ -462,26 +476,39 @@ platform: ""
 # set the list of package catalogers to use when generating the SBOM
 # default = empty (cataloger set determined automatically by the source type [image or file/directory])
 # catalogers:
-#   - ruby-gemfile
-#   - ruby-gemspec
-#   - python-index
-#   - python-package
-#   - javascript-lock
-#   - javascript-package
-#   - php-composer-installed
-#   - php-composer-lock
-#   - alpmdb
-#   - dpkgdb
-#   - rpmdb
-#   - java
-#   - apkdb
-#   - go-module-binary
-#   - go-mod-file
-#   - dartlang-lock
-#   - rust
-#   - dotnet-deps
-# rust-audit-binary scans Rust binaries built with https://github.com/Shnatsel/rust-audit
-#   - rust-audit-binary
+#   - alpmdb-cataloger
+#   - apkdb-cataloger
+#   - binary-cataloger
+#   - cargo-auditable-binary-cataloger
+#   - cocoapods-cataloger
+#   - conan-cataloger
+#   - dartlang-lock-cataloger
+#   - dotnet-deps-cataloger
+#   - dpkgdb-cataloger
+#   - elixir-mix-lock-cataloger
+#   - erlang-rebar-lock-cataloger
+#   - go-mod-file-cataloger
+#   - go-module-binary-cataloger
+#   - graalvm-native-image-cataloger
+#   - haskell-cataloger
+#   - java-cataloger
+#   - java-gradle-lockfile-cataloger
+#   - java-pom-cataloger
+#   - javascript-lock-cataloger
+#   - javascript-package-cataloger
+#   - linux-kernel-cataloger
+#   - nix-store-cataloger
+#   - php-composer-installed-cataloger
+#   - php-composer-lock-cataloger
+#   - portage-cataloger
+#   - python-index-cataloger
+#   - python-package-cataloger
+#   - rpm-db-cataloger
+#   - rpm-file-cataloger
+#   - ruby-gemfile-cataloger
+#   - ruby-gemspec-cataloger
+#   - rust-cargo-lock-cataloger
+#   - sbom-cataloger
 catalogers:
 
 # cataloging packages is exposed through the packages and power-user subcommands

cmd/syft/cli/eventloop/tasks.go

@@ -47,7 +47,7 @@ func generateCatalogPackagesTask(app *config.Application) (Task, error) {
 	task := func(results *sbom.Artifacts, src *source.Source) ([]artifact.Relationship, error) {
 		packageCatalog, relationships, theDistro, err := syft.CatalogPackages(src, app.ToCatalogerConfig())
 
-		results.PackageCatalog = packageCatalog
+		results.Packages = packageCatalog
 		results.LinuxDistribution = theDistro
 
 		return relationships, err

go.mod

@@ -54,7 +54,7 @@ require (
 	github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 	github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
-	github.com/docker/docker v23.0.4+incompatible
+	github.com/docker/docker v23.0.1+incompatible
 	github.com/github/go-spdx/v2 v2.1.2
 	github.com/go-git/go-billy/v5 v5.4.1
 	github.com/go-git/go-git/v5 v5.6.1
@@ -67,7 +67,7 @@ require (
 	github.com/vbatts/go-mtree v0.5.3
 	golang.org/x/exp v0.0.0-20230202163644-54bba9f4231b
 	gopkg.in/yaml.v3 v3.0.1
-	modernc.org/sqlite v1.22.0
+	modernc.org/sqlite v1.20.3
 )
 
 require (
@@ -154,7 +154,7 @@ require (
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.40.0 // indirect
 	modernc.org/ccgo/v3 v3.16.13 // indirect
-	modernc.org/libc v1.22.4 // indirect
+	modernc.org/libc v1.22.2 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
 	modernc.org/opt v0.1.3 // indirect

go.sum

@@ -165,8 +165,8 @@ github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy
 github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek=
-github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.1+incompatible h1:vjgvJZxprTTE1A37nm+CLNAdwu6xZekyoiVlUZEINcY=
+github.com/docker/docker v23.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -447,7 +447,7 @@ github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
+github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -1184,19 +1184,19 @@ modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw=
 modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
 modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk=
 modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM=
-modernc.org/libc v1.22.4 h1:wymSbZb0AlrjdAVX3cjreCHTPCpPARbQXNz6BHPzdwQ=
-modernc.org/libc v1.22.4/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
+modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0=
+modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
 modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
 modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
 modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.22.0 h1:Uo+wEWePCspy4SAu0w2VbzUHEftOs7yoaWX/cYjsq84=
-modernc.org/sqlite v1.22.0/go.mod h1:cxbLkB5WS32DnQqeH4h4o1B0eMr8W/y8/RGuxQ3JsC0=
+modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs=
+modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A=
 modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY=
 modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
-modernc.org/tcl v1.15.1 h1:mOQwiEK4p7HruMZcwKTZPw/aqtGM4aY00uzWhlKKYws=
+modernc.org/tcl v1.15.0 h1:oY+JeD11qVVSgVvodMJsu7Edf8tr5E/7tuhF5cNYz34=
 modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg=
 modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 modernc.org/z v1.7.0 h1:xkDw/KepgEjeizO2sNco+hqYkU12taxQFqPEmgm1GWE=

syft/formats/common/cyclonedxhelpers/decoder.go

@@ -54,7 +54,7 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 
 	s := &sbom.SBOM{
 		Artifacts: sbom.Artifacts{
-			PackageCatalog:    pkg.NewCollection(),
+			Packages:          pkg.NewCollection(),
 			LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 		},
 		Source:     extractComponents(bom.Metadata),
@@ -95,7 +95,7 @@ func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[str
 		}
 		// TODO there must be a better way than needing to call this manually:
 		p.SetID()
-		s.Artifacts.PackageCatalog.Add(*p)
+		s.Artifacts.Packages.Add(*p)
 	}
 
 	if component.Components != nil {

syft/formats/common/cyclonedxhelpers/decoder_test.go

@@ -210,7 +210,7 @@ func Test_decode(t *testing.T) {
 					assert.Equal(t, e.ver, sbom.Artifacts.LinuxDistribution.VersionID)
 				}
 				if e.pkg != "" {
-					for p := range sbom.Artifacts.PackageCatalog.Enumerate() {
+					for p := range sbom.Artifacts.Packages.Enumerate() {
 						if e.pkg != p.Name {
 							continue
 						}
@@ -238,7 +238,7 @@ func Test_decode(t *testing.T) {
 						if e.relation != "" {
 							foundRelation := false
 							for _, r := range sbom.Relationships {
-								p := sbom.Artifacts.PackageCatalog.Package(r.To.ID())
+								p := sbom.Artifacts.Packages.Package(r.To.ID())
 								if e.relation == p.Name {
 									foundRelation = true
 									break

syft/formats/common/cyclonedxhelpers/format.go

@@ -25,7 +25,7 @@ func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
 	cdxBOM.SerialNumber = uuid.New().URN()
 	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)
 
-	packages := s.Artifacts.PackageCatalog.Sorted()
+	packages := s.Artifacts.Packages.Sorted()
 	components := make([]cyclonedx.Component, len(packages))
 	for i, p := range packages {
 		components[i] = encodeComponent(p)

syft/formats/common/spdxhelpers/to_format_model.go

@@ -4,6 +4,7 @@ package spdxhelpers
 import (
 	"crypto/sha1"
 	"fmt"
+	"path"
 	"sort"
 	"strings"
 	"time"
@@ -123,21 +124,38 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 			// Cardinality: optional, one
 			CreatorComment: "",
 		},
-		Packages:      toPackages(s.Artifacts.PackageCatalog, s),
+		Packages:      toPackages(s.Artifacts.Packages, s),
 		Files:         toFiles(s),
 		Relationships: relationships,
-		OtherLicenses: toOtherLicenses(s.Artifacts.PackageCatalog),
+		OtherLicenses: toOtherLicenses(s.Artifacts.Packages),
 	}
 }
 
 func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
+	maxLen := 40
 	id := ""
-	if p, ok := identifiable.(pkg.Package); ok {
-		id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
-	} else {
+	switch it := identifiable.(type) {
+	case pkg.Package:
+		id = SanitizeElementID(fmt.Sprintf("Package-%s-%s-%s", it.Type, it.Name, it.ID()))
+	case source.Coordinates:
+		p := ""
+		parts := strings.Split(it.RealPath, "/")
+		for i := len(parts); i > 0; i-- {
+			part := parts[i-1]
+			if len(part) == 0 {
+				continue
+			}
+			if i < len(parts) && len(p)+len(part)+3 > maxLen {
+				p = "..." + p
+				break
+			}
+			p = path.Join(part, p)
+		}
+		id = SanitizeElementID(fmt.Sprintf("File-%s-%s", p, it.ID()))
+	default:
 		id = string(identifiable.ID())
 	}
-	// NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
+	// NOTE: the spdx library prepend SPDXRef-, so we don't do it here
 	return spdx.ElementID(id)
 }
 

syft/formats/common/spdxhelpers/to_format_model_test.go

@@ -2,6 +2,7 @@ package spdxhelpers
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/spdx/tools-golang/spdx"
@@ -495,3 +496,43 @@ func Test_OtherLicenses(t *testing.T) {
 		})
 	}
 }
+
+func Test_toSPDXID(t *testing.T) {
+	tests := []struct {
+		name     string
+		it       artifact.Identifiable
+		expected string
+	}{
+		{
+			name: "short filename",
+			it: source.Coordinates{
+				RealPath: "/short/path/file.txt",
+			},
+			expected: "File-short-path-file.txt",
+		},
+		{
+			name: "long filename",
+			it: source.Coordinates{
+				RealPath: "/some/long/path/with/a/lot/of-text/that-contains-a/file.txt",
+			},
+			expected: "File-...a-lot-of-text-that-contains-a-file.txt",
+		},
+		{
+			name: "package",
+			it: pkg.Package{
+				Type: pkg.NpmPkg,
+				Name: "some-package",
+			},
+			expected: "Package-npm-some-package",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			got := string(toSPDXID(test.it))
+			// trim the hash
+			got = regexp.MustCompile(`-[a-z0-9]*$`).ReplaceAllString(got, "")
+			require.Equal(t, test.expected, got)
+		})
+	}
+}

syft/formats/common/spdxhelpers/to_syft_model.go

@@ -34,7 +34,7 @@ func ToSyftModel(doc *spdx.Document) (*sbom.SBOM, error) {
 	s := &sbom.SBOM{
 		Source: src,
 		Artifacts: sbom.Artifacts{
-			PackageCatalog:    pkg.NewCollection(),
+			Packages:          pkg.NewCollection(),
 			FileMetadata:      map[source.Coordinates]source.FileMetadata{},
 			FileDigests:       map[source.Coordinates][]file.Digest{},
 			LinuxDistribution: findLinuxReleaseByPURL(doc),
@@ -111,7 +111,7 @@ func collectSyftPackages(s *sbom.SBOM, spdxIDMap map[string]interface{}, doc *sp
 	for _, p := range doc.Packages {
 		syftPkg := toSyftPackage(p)
 		spdxIDMap[string(p.PackageSPDXIdentifier)] = syftPkg
-		s.Artifacts.PackageCatalog.Add(*syftPkg)
+		s.Artifacts.Packages.Add(*syftPkg)
 	}
 }
 

syft/formats/common/spdxhelpers/to_syft_model_test.go

@@ -91,7 +91,7 @@ func TestToSyftModel(t *testing.T) {
 
 	assert.NotNil(t, sbom)
 
-	pkgs := sbom.Artifacts.PackageCatalog.Sorted()
+	pkgs := sbom.Artifacts.Packages.Sorted()
 
 	assert.Len(t, pkgs, 2)