diff --git a/README.md b/README.md
index 948a38ae805..7ec9ef00aea 100644
--- a/README.md
+++ b/README.md
@@ -152,39 +152,53 @@ This default behavior can be overridden with the `default-image-pull-source` con
 ##### Image Scanning:
 - alpmdb
-- rpmdb
-- dpkgdb
 - apkdb
+- binary
+- dotnet-deps
+- dpkgdb
+- go-module-binary
+- graalvm-native-image
+- java
+- javascript-package
+- linux-kernel
+- nix-store
+- php-composer-installed
 - portage
-- ruby-gemspec
 - python-package
-- php-composer-installed Cataloger
-- javascript-package
-- java
-- go-module-binary
-- dotnet-deps
+- rpm-db
+- ruby-gemspec
+- sbom
 ##### Directory Scanning:
 - alpmdb
 - apkdb
+- binary
+- cocoapods
+- conan
+- dartlang-lock
+- dotnet-deps
 - dpkgdb
+- elixir-mix-lock
+- erlang-rebar-lock
+- go-mod-file
+- go-module-binary
+- graalvm-native-image
+- haskell
+- java
+- java-gradle-lockfile
+- java-pom
+- javascript-lock
+- linux-kernel
+- nix-store
+- php-composer-lock
 - portage
-- rpmdb
-- ruby-gemfile
 - python-index
 - python-package
-- php-composer-lock
-- javascript-lock
-- java
-- java-pom
-- go-module-binary
-- go-mod-file
+- rpm-db
+- rpm-file
+- ruby-gemfile
 - rust-cargo-lock
-- dartlang-lock
-- dotnet-deps
-- cocoapods
-- conan
-- hackage
+- sbom
 ##### Non Default:
 - cargo-auditable-binary
@@ -462,26 +476,39 @@ platform: ""
 # set the list of package catalogers to use when generating the SBOM
 # default = empty (cataloger set determined automatically by the source type [image or file/directory])
 # catalogers:
-# - ruby-gemfile
-# - ruby-gemspec
-# - python-index
-# - python-package
-# - javascript-lock
-# - javascript-package
-# - php-composer-installed
-# - php-composer-lock
-# - alpmdb
-# - dpkgdb
-# - rpmdb
-# - java
-# - apkdb
-# - go-module-binary
-# - go-mod-file
-# - dartlang-lock
-# - rust
-# - dotnet-deps
-# rust-audit-binary scans Rust binaries built with https://github.com/Shnatsel/rust-audit
-# - rust-audit-binary
+# - alpmdb-cataloger
+# - apkdb-cataloger
+# - binary-cataloger
+# - cargo-auditable-binary-cataloger
+# - cocoapods-cataloger
+# - conan-cataloger
+# - dartlang-lock-cataloger
+# - dotnet-deps-cataloger
+# - dpkgdb-cataloger
+# - elixir-mix-lock-cataloger
+# - erlang-rebar-lock-cataloger
+# - go-mod-file-cataloger
+# - go-module-binary-cataloger
+# - graalvm-native-image-cataloger
+# - haskell-cataloger
+# - java-cataloger
+# - java-gradle-lockfile-cataloger
+# - java-pom-cataloger
+# - javascript-lock-cataloger
+# - javascript-package-cataloger
+# - linux-kernel-cataloger
+# - nix-store-cataloger
+# - php-composer-installed-cataloger
+# - php-composer-lock-cataloger
+# - portage-cataloger
+# - python-index-cataloger
+# - python-package-cataloger
+# - rpm-db-cataloger
+# - rpm-file-cataloger
+# - ruby-gemfile-cataloger
+# - ruby-gemspec-cataloger
+# - rust-cargo-lock-cataloger
+# - sbom-cataloger
 catalogers:
 # cataloging packages is exposed through the packages and power-user subcommands
diff --git a/cmd/syft/cli/eventloop/tasks.go b/cmd/syft/cli/eventloop/tasks.go
index b610c86cec8..56bbcc93535 100644
--- a/cmd/syft/cli/eventloop/tasks.go
+++ b/cmd/syft/cli/eventloop/tasks.go
@@ -47,7 +47,7 @@ func generateCatalogPackagesTask(app *config.Application) (Task, error) {
 task := func(results *sbom.Artifacts, src *source.Source) ([]artifact.Relationship, error) {
 packageCatalog, relationships, theDistro, err := syft.CatalogPackages(src, app.ToCatalogerConfig())
- results.PackageCatalog = packageCatalog
+ results.Packages = packageCatalog
 results.LinuxDistribution = theDistro
 return relationships, err
diff --git a/go.mod b/go.mod
index a0308e9e677..42f2251c976 100644
--- a/go.mod
+++ b/go.mod
@@ -54,7 +54,7 @@ require (
 github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
- github.com/docker/docker v23.0.4+incompatible
+ github.com/docker/docker v23.0.1+incompatible
 github.com/github/go-spdx/v2 v2.1.2
 github.com/go-git/go-billy/v5 v5.4.1
 github.com/go-git/go-git/v5 v5.6.1
@@ -67,7 +67,7 @@ require (
 github.com/vbatts/go-mtree v0.5.3
 golang.org/x/exp v0.0.0-20230202163644-54bba9f4231b
 gopkg.in/yaml.v3 v3.0.1
- modernc.org/sqlite v1.22.0
+ modernc.org/sqlite v1.20.3
 )
 require (
@@ -154,7 +154,7 @@ require (
 lukechampine.com/uint128 v1.2.0 // indirect
 modernc.org/cc/v3 v3.40.0 // indirect
 modernc.org/ccgo/v3 v3.16.13 // indirect
- modernc.org/libc v1.22.4 // indirect
+ modernc.org/libc v1.22.2 // indirect
 modernc.org/mathutil v1.5.0 // indirect
 modernc.org/memory v1.5.0 // indirect
 modernc.org/opt v0.1.3 // indirect
diff --git a/go.sum b/go.sum
index e2768863c86..028823cb9a5 100644
--- a/go.sum
+++ b/go.sum
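Review bot: The three `require` lines touched in go.mod move backwards — `github.com/docker/docker v23.0.4+incompatible` → `v23.0.1+incompatible`, `modernc.org/sqlite v1.22.0` → `v1.20.3`, `modernc.org/libc v1.22.4` → `v1.22.2` — and the commit gives no reason, which looks like a stale branch overwriting a later dependency bump rather than a deliberate pin. A silent downgrade discards whatever fixes those newer releases carried and widens the supply-chain surface for no stated benefit, so either the newer versions should be restored or the commit message should justify the pins. The matching go.sum hunks that follow (docker/docker, mattn/go-sqlite3, modernc.org/libc, modernc.org/sqlite, modernc.org/tcl) show the same backward movement and would need regenerating if the go.mod lines are reverted.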
@@ -165,8 +165,8 @@ github.com/docker/cli v23.0.1+incompatible h1:LRyWITpGzl2C9e9uGxzisptnxAn1zfZKXy github.com/docker/cli v23.0.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v23.0.4+incompatible h1:Kd3Bh9V/rO+XpTP/BLqM+gx8z7+Yb0AA2Ibj+nNo4ek= -github.com/docker/docker v23.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v23.0.1+incompatible h1:vjgvJZxprTTE1A37nm+CLNAdwu6xZekyoiVlUZEINcY= +github.com/docker/docker v23.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= @@ -447,7 +447,7 @@ github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI= github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= +github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= 
@@ -1184,19 +1184,19 @@ modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw= modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY= modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk= modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM= -modernc.org/libc v1.22.4 h1:wymSbZb0AlrjdAVX3cjreCHTPCpPARbQXNz6BHPzdwQ= -modernc.org/libc v1.22.4/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY= +modernc.org/libc v1.22.2 h1:4U7v51GyhlWqQmwCHj28Rdq2Yzwk55ovjFrdPjs8Hb0= +modernc.org/libc v1.22.2/go.mod h1:uvQavJ1pZ0hIoC/jfqNoMLURIMhKzINIWypNM17puug= modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ= modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E= modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds= modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU= modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= -modernc.org/sqlite v1.22.0 h1:Uo+wEWePCspy4SAu0w2VbzUHEftOs7yoaWX/cYjsq84= -modernc.org/sqlite v1.22.0/go.mod h1:cxbLkB5WS32DnQqeH4h4o1B0eMr8W/y8/RGuxQ3JsC0= +modernc.org/sqlite v1.20.3 h1:SqGJMMxjj1PHusLxdYxeQSodg7Jxn9WWkaAQjKrntZs= +modernc.org/sqlite v1.20.3/go.mod h1:zKcGyrICaxNTMEHSr1HQ2GUraP0j+845GYw37+EyT6A= modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY= modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw= -modernc.org/tcl v1.15.1 h1:mOQwiEK4p7HruMZcwKTZPw/aqtGM4aY00uzWhlKKYws= +modernc.org/tcl v1.15.0 h1:oY+JeD11qVVSgVvodMJsu7Edf8tr5E/7tuhF5cNYz34= modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg= modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= modernc.org/z v1.7.0 h1:xkDw/KepgEjeizO2sNco+hqYkU12taxQFqPEmgm1GWE= 
diff --git a/syft/formats/common/cyclonedxhelpers/decoder.go b/syft/formats/common/cyclonedxhelpers/decoder.go
index 9cb3a016157..727c668a403 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -54,7 +54,7 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 s := &sbom.SBOM{
 Artifacts: sbom.Artifacts{
- PackageCatalog: pkg.NewCollection(),
+ Packages: pkg.NewCollection(),
 LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 },
 Source: extractComponents(bom.Metadata),
@@ -95,7 +95,7 @@ func collectPackages(component *cyclonedx.Component, s *sbom.SBOM, idMap map[str
 }
 // TODO there must be a better way than needing to call this manually:
 p.SetID()
- s.Artifacts.PackageCatalog.Add(*p)
+ s.Artifacts.Packages.Add(*p)
 }
 if component.Components != nil {
diff --git a/syft/formats/common/cyclonedxhelpers/decoder_test.go b/syft/formats/common/cyclonedxhelpers/decoder_test.go
index 70f648e78a2..4daa4f8c8b8 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder_test.go
@@ -210,7 +210,7 @@ func Test_decode(t *testing.T) {
 assert.Equal(t, e.ver, sbom.Artifacts.LinuxDistribution.VersionID)
 }
 if e.pkg != "" {
- for p := range sbom.Artifacts.PackageCatalog.Enumerate() {
+ for p := range sbom.Artifacts.Packages.Enumerate() {
 if e.pkg != p.Name {
 continue
 }
@@ -238,7 +238,7 @@ func Test_decode(t *testing.T) {
 if e.relation != "" {
 foundRelation := false
 for _, r := range sbom.Relationships {
- p := sbom.Artifacts.PackageCatalog.Package(r.To.ID())
+ p := sbom.Artifacts.Packages.Package(r.To.ID())
 if e.relation == p.Name {
 foundRelation = true
 break
diff --git a/syft/formats/common/cyclonedxhelpers/format.go b/syft/formats/common/cyclonedxhelpers/format.go
index 0894d67b36e..2facf558d92 100644
--- a/syft/formats/common/cyclonedxhelpers/format.go
+++ b/syft/formats/common/cyclonedxhelpers/format.go
@@ -25,7 +25,7 @@ func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
 cdxBOM.SerialNumber = uuid.New().URN()
 cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)
- packages := s.Artifacts.PackageCatalog.Sorted()
+ packages := s.Artifacts.Packages.Sorted()
 components := make([]cyclonedx.Component, len(packages))
 for i, p := range packages {
 components[i] = encodeComponent(p)
diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go
index 2e807569039..fab27fe7531 100644
--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -4,6 +4,7 @@ package spdxhelpers
 import (
 "crypto/sha1"
 "fmt"
+ "path"
 "sort"
 "strings"
 "time"
@@ -123,21 +124,38 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 // Cardinality: optional, one
 CreatorComment: "",
 },
- Packages: toPackages(s.Artifacts.PackageCatalog, s),
+ Packages: toPackages(s.Artifacts.Packages, s),
 Files: toFiles(s),
 Relationships: relationships,
- OtherLicenses: toOtherLicenses(s.Artifacts.PackageCatalog),
+ OtherLicenses: toOtherLicenses(s.Artifacts.Packages),
 }
 }
 func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
+ maxLen := 40
 id := ""
- if p, ok := identifiable.(pkg.Package); ok {
- id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
- } else {
+ switch it := identifiable.(type) {
+ case pkg.Package:
+ id = SanitizeElementID(fmt.Sprintf("Package-%s-%s-%s", it.Type, it.Name, it.ID()))
+ case source.Coordinates:
+ p := ""
+ parts := strings.Split(it.RealPath, "/")
+ for i := len(parts); i > 0; i-- {
+ part := parts[i-1]
+ if len(part) == 0 {
+ continue
+ }
+ if i < len(parts) && len(p)+len(part)+3 > maxLen {
+ p = "..." + p
+ break
+ }
+ p = path.Join(part, p)
+ }
+ id = SanitizeElementID(fmt.Sprintf("File-%s-%s", p, it.ID()))
+ default:
 id = string(identifiable.ID())
 }
- // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
+ // NOTE: the spdx library prepend SPDXRef-, so we don't do it here
 return spdx.ElementID(id)
 }
diff --git a/syft/formats/common/spdxhelpers/to_format_model_test.go b/syft/formats/common/spdxhelpers/to_format_model_test.go
index 23cc2542ca0..1b94293d9a7 100644
--- a/syft/formats/common/spdxhelpers/to_format_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_format_model_test.go
@@ -2,6 +2,7 @@ package spdxhelpers
 import (
 "fmt"
+ "regexp"
 "testing"
 "github.com/spdx/tools-golang/spdx"
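Review bot: In the new `source.Coordinates` branch of toSPDXID the `i < len(parts)` guard exempts the final path component from the length check, so a single long basename still produces an ID far beyond `maxLen`; if 40 is meant as a hard cap the guard does not enforce it, and if it is only a readability target for the directory prefix that intent deserves a comment, e.g. `// maxLen bounds the directory prefix only; the basename is always kept whole so the ID stays recognizable`. `maxLen` would also read better as a package-level `const` than a local magic number, and an empty `RealPath` yields `File--<id>` with a doubled separator unless SanitizeElementID happens to collapse it. The `default:` branch still returns `identifiable.ID()` unsanitized while the other two cases go through SanitizeElementID, so routing it through the same helper would keep every emitted element ID in the SPDX-permitted character set. The rewritten NOTE line also lost its grammar; it should read `// NOTE: the spdx library prepends SPDXRef-, so we don't do it here`. ToFormatModel at the top of the hunk begins outside it.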
@@ -495,3 +496,43 @@ func Test_OtherLicenses(t *testing.T) {
 })
 }
 }
+
+func Test_toSPDXID(t *testing.T) {
+ tests := []struct {
+ name string
+ it artifact.Identifiable
+ expected string
+ }{
+ {
+ name: "short filename",
+ it: source.Coordinates{
+ RealPath: "/short/path/file.txt",
+ },
+ expected: "File-short-path-file.txt",
+ },
+ {
+ name: "long filename",
+ it: source.Coordinates{
+ RealPath: "/some/long/path/with/a/lot/of-text/that-contains-a/file.txt",
+ },
+ expected: "File-...a-lot-of-text-that-contains-a-file.txt",
+ },
+ {
+ name: "package",
+ it: pkg.Package{
+ Type: pkg.NpmPkg,
+ Name: "some-package",
+ },
+ expected: "Package-npm-some-package",
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got := string(toSPDXID(test.it))
+ // trim the hash
+ got = regexp.MustCompile(`-[a-z0-9]*$`).ReplaceAllString(got, "")
+ require.Equal(t, test.expected, got)
+ })
+ }
+}
diff --git a/syft/formats/common/spdxhelpers/to_syft_model.go b/syft/formats/common/spdxhelpers/to_syft_model.go
index 16c0bebbf38..d7ce59ef1a7 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model.go
@@ -34,7 +34,7 @@ func ToSyftModel(doc *spdx.Document) (*sbom.SBOM, error) {
 s := &sbom.SBOM{
 Source: src,
 Artifacts: sbom.Artifacts{
- PackageCatalog: pkg.NewCollection(),
+ Packages: pkg.NewCollection(),
 FileMetadata: map[source.Coordinates]source.FileMetadata{},
 FileDigests: map[source.Coordinates][]file.Digest{},
 LinuxDistribution: findLinuxReleaseByPURL(doc),
@@ -111,7 +111,7 @@ func collectSyftPackages(s *sbom.SBOM, spdxIDMap map[string]interface{}, doc *sp
 for _, p := range doc.Packages {
 syftPkg := toSyftPackage(p)
 spdxIDMap[string(p.PackageSPDXIdentifier)] = syftPkg
- s.Artifacts.PackageCatalog.Add(*syftPkg)
+ s.Artifacts.Packages.Add(*syftPkg)
 }
 }
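Review bot: Test_toSPDXID exercises a short path, a long path and a package, but not the two boundaries the new truncation loop actually has: a `RealPath` whose final component alone exceeds 40 characters (which the loop never truncates) and an empty or root `/` path (which collapses to a bare `File-` prefix); one case for each would pin that behaviour before anyone relies on it. `regexp.MustCompile` is called inside every subtest; hoisting it to a package-level `var hashSuffix = regexp.MustCompile(`-[a-z0-9]*$`)` follows the compile-once convention and makes the trimming intent visible at the top of the file. The "package" case looks like it passes only because `pkg.Package{}` has no ID set here (so the trailing `-` is what gets stripped), which I cannot confirm from this hunk; calling `SetID()` on the fixture would make the case exercise the same `Package-<type>-<name>-<id>` shape the encoder emits in practice.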
diff --git a/syft/formats/common/spdxhelpers/to_syft_model_test.go b/syft/formats/common/spdxhelpers/to_syft_model_test.go
index b7dbadb4b61..a4b5c1e81d9 100644
--- a/syft/formats/common/spdxhelpers/to_syft_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_syft_model_test.go
@@ -91,7 +91,7 @@ func TestToSyftModel(t *testing.T) {
 assert.NotNil(t, sbom)
- pkgs := sbom.Artifacts.PackageCatalog.Sorted()
+ pkgs := sbom.Artifacts.Packages.Sorted()
 assert.Len(t, pkgs, 2)
diff --git a/syft/formats/cyclonedxjson/decoder_test.go b/syft/formats/cyclonedxjson/decoder_test.go
index e561ff13757..f969732a160 100644
--- a/syft/formats/cyclonedxjson/decoder_test.go
+++ b/syft/formats/cyclonedxjson/decoder_test.go
@@ -57,7 +57,7 @@ func Test_decodeJSON(t *testing.T) {
 split = strings.SplitN(pkg, ":", 2)
 name = split[0]
 version = split[1]
- for p := range bom.Artifacts.PackageCatalog.Enumerate() {
+ for p := range bom.Artifacts.Packages.Enumerate() {
 if p.Name == name {
 assert.Equal(t, version, p.Version)
 continue pkgs
diff --git a/syft/formats/cyclonedxxml/decoder_test.go b/syft/formats/cyclonedxxml/decoder_test.go
index 36bbdf8cb51..c0ab823ac46 100644
--- a/syft/formats/cyclonedxxml/decoder_test.go
+++ b/syft/formats/cyclonedxxml/decoder_test.go
@@ -58,7 +58,7 @@ func Test_decodeXML(t *testing.T) {
 split = strings.SplitN(pkg, ":", 2)
 name = split[0]
 version = split[1]
- for p := range bom.Artifacts.PackageCatalog.Enumerate() {
+ for p := range bom.Artifacts.Packages.Enumerate() {
 if p.Name == name {
 assert.Equal(t, version, p.Version)
 continue pkgs
diff --git a/syft/formats/github/encoder.go b/syft/formats/github/encoder.go
index 6a2b2b66bed..e03c7f504de 100644
--- a/syft/formats/github/encoder.go
+++ b/syft/formats/github/encoder.go
@@ -107,7 +107,7 @@ func toPath(s source.Metadata, p pkg.Package) string {
 func toGithubManifests(s *sbom.SBOM) Manifests {
 manifests := map[string]*Manifest{}
- for _, p := range s.Artifacts.PackageCatalog.Sorted() {
+ for _, p := range s.Artifacts.Packages.Sorted() {
 path := toPath(s.Source, p)
 manifest, ok := manifests[path]
 if !ok {
diff --git a/syft/formats/github/encoder_test.go b/syft/formats/github/encoder_test.go
index 427f6246774..ba405dad63c 100644
--- a/syft/formats/github/encoder_test.go
+++ b/syft/formats/github/encoder_test.go
@@ -28,7 +28,7 @@ func Test_toGithubModel(t *testing.T) {
 VersionID: "18.04",
 IDLike: []string{"debian"},
 },
- PackageCatalog: pkg.NewCollection(),
+ Packages: pkg.NewCollection(),
 },
 }
 for _, p := range []pkg.Package{
@@ -71,7 +71,7 @@ func Test_toGithubModel(t *testing.T) {
 nil, "", ).ToString()
- s.Artifacts.PackageCatalog.Add(p)
+ s.Artifacts.Packages.Add(p)
 }
 actual := toGithubModel(&s)
diff --git a/syft/formats/internal/testutils/utils.go b/syft/formats/internal/testutils/utils.go
index a6efec20ba1..9c5d0ab22d6 100644
--- a/syft/formats/internal/testutils/utils.go
+++ b/syft/formats/internal/testutils/utils.go
@@ -119,7 +119,7 @@ func ImageInput(t testing.TB, testImage string, options ...ImageOption) sbom.SBO
 return sbom.SBOM{
 Artifacts: sbom.Artifacts{
- PackageCatalog: catalog,
+ Packages: catalog,
 LinuxDistribution: &linux.Release{
 PrettyName: "debian",
 Name: "debian",
@@ -202,7 +202,7 @@ func DirectoryInput(t testing.TB) sbom.SBOM {
 return sbom.SBOM{
 Artifacts: sbom.Artifacts{
- PackageCatalog: catalog,
+ Packages: catalog,
 LinuxDistribution: &linux.Release{
 PrettyName: "debian",
 Name: "debian",
@@ -233,7 +233,7 @@ func DirectoryInputWithAuthorField(t testing.TB) sbom.SBOM {
 return sbom.SBOM{
 Artifacts: sbom.Artifacts{
- PackageCatalog: catalog,
+ Packages: catalog,
 LinuxDistribution: &linux.Release{
 PrettyName: "debian",
 Name: "debian",
@@ -365,7 +365,7 @@ func newDirectoryCatalogWithAuthorField() *pkg.Collection {
 //nolint:gosec
 func AddSampleFileRelationships(s *sbom.SBOM) {
- catalog := s.Artifacts.PackageCatalog.Sorted()
+ catalog := s.Artifacts.Packages.Sorted()
 s.Artifacts.FileMetadata = map[source.Coordinates]source.FileMetadata{}
 files := []string{"/f1", "/f2", "/d1/f3", "/d2/f4", "/z1/f5", "/a1/f6"}
diff --git a/syft/formats/spdxjson/decoder_test.go b/syft/formats/spdxjson/decoder_test.go
index 574fb0ba2d9..58602b9d27f 100644
--- a/syft/formats/spdxjson/decoder_test.go
+++ b/syft/formats/spdxjson/decoder_test.go
@@ -73,11 +73,11 @@ func TestSPDXJSONDecoder(t *testing.T) {
 }
 if test.packages != nil {
- assert.Equal(t, sbom.Artifacts.PackageCatalog.PackageCount(), len(test.packages))
+ assert.Equal(t, sbom.Artifacts.Packages.PackageCount(), len(test.packages))
 packages:
 for _, pkgName := range test.packages {
- for _, p := range sbom.Artifacts.PackageCatalog.Sorted() {
+ for _, p := range sbom.Artifacts.Packages.Sorted() {
 if p.Name == pkgName {
 continue packages
 }
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
index e62150316d7..83299233cd7 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -3,14 +3,14 @@
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": "/some/path",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-afe11355-9222-421b-bbb1-df3792222872",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-72483330-d29b-4bca-8733-2d0f2b0ae64d",
 "creationInfo": {
 "licenseListVersion": "3.20",
 "creators": [
 "Organization: Anchore, Inc",
 "Tool: syft-v0.42.0-bogus"
 ],
- "created": "2023-04-27T13:57:38Z"
+ "created": "2023-05-04T20:37:22Z"
 },
 "packages": [
 {
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 7b213c3c84b..f15876a4225 100644 --- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -3,14 +3,14 @@ "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "user-image-input", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-03ea2ef0-c9cf-4c82-a3bd-095fa6b34bdb", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-1fe53177-9e14-4830-9281-d0670fbd1c12", "creationInfo": { "licenseListVersion": "3.20", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "created": "2023-04-27T13:57:38Z" + "created": "2023-05-04T20:37:23Z" }, "packages": [ { diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 89babba2dd8..4d86d0a96e2 100644 --- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -3,14 +3,14 @@ "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "user-image-input", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-c20c2bcd-33a1-42cc-b3de-2c8cf5534d01", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-b4637c15-e4ca-421f-967f-e8d0c7cd4bf8", "creationInfo": { "licenseListVersion": "3.20", "creators": [ "Organization: Anchore, Inc", "Tool: syft-v0.42.0-bogus" ], - "created": "2023-04-27T13:57:38Z" + "created": "2023-05-04T20:37:23Z" }, "packages": [ { @@ -61,7 +61,7 @@ "files": [ { "fileName": "/a1/f6", - "SPDXID": "SPDXRef-9c2f7510199b17f6", + "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6", "fileTypes": [ "OTHER" ], 
@@ -76,7 +76,7 @@ }, { "fileName": "/d1/f3", - "SPDXID": "SPDXRef-c6f5b29dca12661f", + "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f", "fileTypes": [ "OTHER" ], @@ -91,7 +91,7 @@ }, { "fileName": "/d2/f4", - "SPDXID": "SPDXRef-c641caa71518099f", + "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f", "fileTypes": [ "OTHER" ], @@ -106,7 +106,7 @@ }, { "fileName": "/f1", - "SPDXID": "SPDXRef-5265a4dde3edbf7c", + "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c", "fileTypes": [ "OTHER" ], @@ -121,7 +121,7 @@ }, { "fileName": "/f2", - "SPDXID": "SPDXRef-f9e49132a4b96ccd", + "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd", "fileTypes": [ "OTHER" ], @@ -136,7 +136,7 @@ }, { "fileName": "/z1/f5", - "SPDXID": "SPDXRef-839d99ee67d9d174", + "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174", "fileTypes": [ "OTHER" ], 
@@ -153,32 +153,32 @@ "relationships": [ { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-5265a4dde3edbf7c", + "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-839d99ee67d9d174", + "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6", + "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-c641caa71518099f", + "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f", + "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Package-python-package-1-911cef0da9e28043", - "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd", + "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd", "relationshipType": "CONTAINS" }, { diff --git a/syft/formats/spdxtagvalue/encoder_test.go b/syft/formats/spdxtagvalue/encoder_test.go index 1623dfed02e..5d95f639799 100644 --- a/syft/formats/spdxtagvalue/encoder_test.go +++ b/syft/formats/spdxtagvalue/encoder_test.go @@ -49,7 +49,7 @@ func TestSPDXJSONSPDXIDs(t *testing.T) { Format(), sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkg.NewCollection(pkgs...), + Packages: pkg.NewCollection(pkgs...), }, Relationships: nil, Source: source.Metadata{ 
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index ada7bbd2d89..70e3d959f77 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: foobar/baz -DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-c24cdbf9-e3f7-4624-9ea0-f66db3c70cbc +DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-2bb5b039-33f5-471d-96ea-86e1fc70015a LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2023-04-27T13:58:15Z +Created: 2023-05-04T20:37:42Z ##### Package: @at-sign diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 7f0e8c89f78..a0b64d68453 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden 
@@ -2,46 +2,46 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-51400c36-c4ca-4d24-b03b-60dbddc8e637 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-b6c2db3a-7cc1-4507-ac76-36a30169e284 LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2023-04-27T13:58:15Z +Created: 2023-05-04T20:37:42Z ##### Unpackaged files -FileName: /f1 -SPDXID: SPDXRef-5265a4dde3edbf7c +FileName: /a1/f6 +SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /z1/f5 -SPDXID: SPDXRef-839d99ee67d9d174 +FileName: /d1/f3 +SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /a1/f6 -SPDXID: SPDXRef-9c2f7510199b17f6 +FileName: /d2/f4 +SPDXID: SPDXRef-File-d2-f4-c641caa71518099f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /d2/f4 -SPDXID: SPDXRef-c641caa71518099f +FileName: /f1 +SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /d1/f3 -SPDXID: SPDXRef-c6f5b29dca12661f +FileName: /f2 +SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION -FileName: /f2 -SPDXID: SPDXRef-f9e49132a4b96ccd +FileName: /z1/f5 +SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION 
@@ -76,11 +76,11 @@ ExternalRef: PACKAGE-MANAGER purl a-purl-1 ##### Relationships -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-5265a4dde3edbf7c -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-839d99ee67d9d174 -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-9c2f7510199b17f6 -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-c641caa71518099f -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-c6f5b29dca12661f -Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-f9e49132a4b96ccd +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-f1-5265a4dde3edbf7c +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-z1-f5-839d99ee67d9d174 +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-a1-f6-9c2f7510199b17f6 +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-d2-f4-c641caa71518099f +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-d1-f3-c6f5b29dca12661f +Relationship: SPDXRef-Package-python-package-1-911cef0da9e28043 CONTAINS SPDXRef-File-f2-f9e49132a4b96ccd Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index 894a07becbe..af6a06dbc04 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden 
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-8f4a87ea-f0d1-4541-bef9-5ea1892a42d9 +DocumentNamespace: https://anchore.com/syft/dir/some/path-2380f2c5-b2f2-46c5-8193-ffe8588ad05b LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2023-04-27T13:58:14Z +Created: 2023-05-04T20:37:41Z ##### Package: package-2 diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index d22b09f8b00..df3fca45c3f 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-09fc593f-d792-49a5-bd67-10c26b1c472b +DocumentNamespace: https://anchore.com/syft/image/user-image-input-79b38e34-5eff-450a-a969-545dc36ec5c7 LicenseListVersion: 3.20 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2023-04-27T13:58:15Z +Created: 2023-05-04T20:37:42Z ##### Package: package-2 diff --git a/syft/formats/syftjson/decoder_test.go b/syft/formats/syftjson/decoder_test.go index 06d41711dad..de9ab7bcf7c 100644 --- a/syft/formats/syftjson/decoder_test.go +++ b/syft/formats/syftjson/decoder_test.go 
@@ -29,8 +29,8 @@ func TestEncodeDecodeCycle(t *testing.T) {
 t.Errorf("metadata difference: %+v", d)
 }
- actualPackages := actualSBOM.Artifacts.PackageCatalog.Sorted()
- for idx, p := range originalSBOM.Artifacts.PackageCatalog.Sorted() {
+ actualPackages := actualSBOM.Artifacts.Packages.Sorted()
+ for idx, p := range originalSBOM.Artifacts.Packages.Sorted() {
 if !assert.Equal(t, p.Name, actualPackages[idx].Name) {
 t.Errorf("different package at idx=%d: %s vs %s", idx, p.Name, actualPackages[idx].Name)
 continue
diff --git a/syft/formats/syftjson/encoder_test.go b/syft/formats/syftjson/encoder_test.go
index 09edb3b5bc8..ed41fec62b0 100644
--- a/syft/formats/syftjson/encoder_test.go
+++ b/syft/formats/syftjson/encoder_test.go
@@ -100,7 +100,7 @@ func TestEncodeFullJSONDocument(t *testing.T) {
 s := sbom.SBOM{
 Artifacts: sbom.Artifacts{
- PackageCatalog: catalog,
+ Packages: catalog,
 FileMetadata: map[source.Coordinates]source.FileMetadata{
 source.NewLocation("/a/place").Coordinates: {
 Mode: 0775,
diff --git a/syft/formats/syftjson/to_format_model.go b/syft/formats/syftjson/to_format_model.go
index c425009a941..75d8e4f07c9 100644
--- a/syft/formats/syftjson/to_format_model.go
+++ b/syft/formats/syftjson/to_format_model.go
@@ -26,7 +26,7 @@ func ToFormatModel(s sbom.SBOM) model.Document {
 }
 return model.Document{
- Artifacts: toPackageModels(s.Artifacts.PackageCatalog),
+ Artifacts: toPackageModels(s.Artifacts.Packages),
 ArtifactRelationships: toRelationshipModel(s.Relationships),
 Files: toFile(s),
 Secrets: toSecrets(s.Artifacts.Secrets),
diff --git a/syft/formats/syftjson/to_syft_model.go b/syft/formats/syftjson/to_syft_model.go
index b81a0043f2e..cbc03726f58 100644
--- a/syft/formats/syftjson/to_syft_model.go
+++ b/syft/formats/syftjson/to_syft_model.go
@@ -28,7 +28,7 @@ func toSyftModel(doc model.Document) (*sbom.SBOM, error) { return &sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: catalog, + Packages: catalog, FileMetadata: fileArtifacts.FileMetadata, FileDigests: fileArtifacts.FileDigests, LinuxDistribution: toSyftLinuxRelease(doc.Distro), diff --git a/syft/formats/syftjson/to_syft_model_test.go b/syft/formats/syftjson/to_syft_model_test.go index b3dcc2cffa3..6a42d468a42 100644 --- a/syft/formats/syftjson/to_syft_model_test.go +++ b/syft/formats/syftjson/to_syft_model_test.go @@ -119,11 +119,11 @@ func Test_idsHaveChanged(t *testing.T) { r := s.Relationships[0] - from := s.Artifacts.PackageCatalog.Package(r.From.ID()) + from := s.Artifacts.Packages.Package(r.From.ID()) assert.NotNil(t, from) assert.Equal(t, "pkg-1", from.Name) - to := s.Artifacts.PackageCatalog.Package(r.To.ID()) + to := s.Artifacts.Packages.Package(r.To.ID()) assert.NotNil(t, to) assert.Equal(t, "pkg-2", to.Name) } diff --git a/syft/formats/table/encoder.go b/syft/formats/table/encoder.go index 458d6eb6d60..7b6c817b7f2 100644 --- a/syft/formats/table/encoder.go +++ b/syft/formats/table/encoder.go @@ -15,7 +15,7 @@ func encoder(output io.Writer, s sbom.SBOM) error { var rows [][]string columns := []string{"Name", "Version", "Type"} - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { row := []string{ p.Name, p.Version, diff --git a/syft/formats/text/encoder.go b/syft/formats/text/encoder.go index 49619346e8b..d16ef17989a 100644 --- a/syft/formats/text/encoder.go +++ b/syft/formats/text/encoder.go @@ -34,7 +34,7 @@ func encoder(output io.Writer, s sbom.SBOM) error { // populate artifacts... rows := 0 - for _, p := range s.Artifacts.PackageCatalog.Sorted() { + for _, p := range s.Artifacts.Packages.Sorted() { fmt.Fprintf(w, "[%s]\n", p.Name) fmt.Fprintln(w, " Version:\t", p.Version) fmt.Fprintln(w, " Type:\t", string(p.Type)) 
diff --git a/syft/pkg/cataloger/cataloger.go b/syft/pkg/cataloger/cataloger.go
index ca1ca085877..c4eaa485072 100644
--- a/syft/pkg/cataloger/cataloger.go
+++ b/syft/pkg/cataloger/cataloger.go
@@ -41,22 +41,22 @@ const AllCatalogersPattern = "all"
 func ImageCatalogers(cfg Config) []pkg.Cataloger {
 return filterCatalogers([]pkg.Cataloger{
 alpm.NewAlpmdbCataloger(),
- ruby.NewGemSpecCataloger(),
- python.NewPythonPackageCataloger(),
- php.NewComposerInstalledCataloger(),
- javascript.NewPackageCataloger(),
+ apkdb.NewApkdbCataloger(),
+ binary.NewCataloger(),
 deb.NewDpkgdbCataloger(),
- rpm.NewRpmDBCataloger(),
+ dotnet.NewDotnetDepsCataloger(),
+ golang.NewGoModuleBinaryCataloger(cfg.Go()),
 java.NewJavaCataloger(cfg.Java()),
 java.NewNativeImageCataloger(),
- apkdb.NewApkdbCataloger(),
- golang.NewGoModuleBinaryCataloger(cfg.Go()),
- dotnet.NewDotnetDepsCataloger(),
- portage.NewPortageCataloger(),
+ javascript.NewPackageCataloger(),
+ kernel.NewLinuxKernelCataloger(cfg.Kernel()),
 nix.NewStoreCataloger(),
+ php.NewComposerInstalledCataloger(),
+ portage.NewPortageCataloger(),
+ python.NewPythonPackageCataloger(),
+ rpm.NewRpmDBCataloger(),
+ ruby.NewGemSpecCataloger(),
 sbom.NewSBOMCataloger(),
- binary.NewCataloger(),
- kernel.NewLinuxKernelCataloger(cfg.Kernel()),
 }, cfg.Catalogers)
 }
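Review bot: The new order of the ImageCatalogers literal is alphabetical by package, but nothing in the hunk records that, so the next cataloger added is likely to be appended at the end and the Image/Directory/All lists will drift apart again; a one-line comment above the slice literal, `// keep this list sorted alphabetically by package name`, would pin the convention. If filterCatalogers preserves slice order and a later step attributes a package found by several catalogers to whichever reported it first (the `FoundBy` checks in the integration tests suggest that field matters), this reorder is a behavioral change rather than a tidy-up; that cannot be confirmed from this hunk and deserves a test or a sentence in the commit message. The function is fully contained in the hunk.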
@@ -64,34 +64,34 @@ func ImageCatalogers(cfg Config) []pkg.Cataloger {
 func DirectoryCatalogers(cfg Config) []pkg.Cataloger {
 return filterCatalogers([]pkg.Cataloger{
 alpm.NewAlpmdbCataloger(),
- ruby.NewGemFileLockCataloger(),
- python.NewPythonIndexCataloger(),
- python.NewPythonPackageCataloger(),
- php.NewComposerLockCataloger(),
- javascript.NewLockCataloger(),
- deb.NewDpkgdbCataloger(),
- rpm.NewRpmDBCataloger(),
- rpm.NewFileCataloger(),
- java.NewJavaCataloger(cfg.Java()),
- java.NewJavaPomCataloger(),
- java.NewNativeImageCataloger(),
- java.NewJavaGradleLockfileCataloger(),
 apkdb.NewApkdbCataloger(),
- golang.NewGoModuleBinaryCataloger(cfg.Go()),
- golang.NewGoModFileCataloger(cfg.Go()),
- rust.NewCargoLockCataloger(),
+ binary.NewCataloger(),
+ cpp.NewConanCataloger(),
 dart.NewPubspecLockCataloger(),
+ deb.NewDpkgdbCataloger(),
 dotnet.NewDotnetDepsCataloger(),
- swift.NewCocoapodsCataloger(),
- cpp.NewConanCataloger(),
- portage.NewPortageCataloger(),
- haskell.NewHackageCataloger(),
- sbom.NewSBOMCataloger(),
- binary.NewCataloger(),
 elixir.NewMixLockCataloger(),
 erlang.NewRebarLockCataloger(),
+ golang.NewGoModFileCataloger(cfg.Go()),
+ golang.NewGoModuleBinaryCataloger(cfg.Go()),
+ haskell.NewHackageCataloger(),
+ java.NewJavaCataloger(cfg.Java()),
+ java.NewJavaGradleLockfileCataloger(),
+ java.NewJavaPomCataloger(),
+ java.NewNativeImageCataloger(),
+ javascript.NewLockCataloger(),
 kernel.NewLinuxKernelCataloger(cfg.Kernel()),
 nix.NewStoreCataloger(),
+ php.NewComposerLockCataloger(),
+ portage.NewPortageCataloger(),
+ python.NewPythonIndexCataloger(),
+ python.NewPythonPackageCataloger(),
+ rpm.NewFileCataloger(),
+ rpm.NewRpmDBCataloger(),
+ ruby.NewGemFileLockCataloger(),
+ rust.NewCargoLockCataloger(),
+ sbom.NewSBOMCataloger(),
+ swift.NewCocoapodsCataloger(),
 }, cfg.Catalogers)
 }
@@ -99,38 +99,38 @@ func DirectoryCatalogers(cfg Config) []pkg.Cataloger {
 func AllCatalogers(cfg Config) []pkg.Cataloger {
 return filterCatalogers([]pkg.Cataloger{
 alpm.NewAlpmdbCataloger(),
- ruby.NewGemFileLockCataloger(),
- ruby.NewGemSpecCataloger(),
- python.NewPythonIndexCataloger(),
- python.NewPythonPackageCataloger(),
- javascript.NewLockCataloger(),
- javascript.NewPackageCataloger(),
+ apkdb.NewApkdbCataloger(),
+ binary.NewCataloger(),
+ cpp.NewConanCataloger(),
+ dart.NewPubspecLockCataloger(),
 deb.NewDpkgdbCataloger(),
- rpm.NewRpmDBCataloger(),
- rpm.NewFileCataloger(),
+ dotnet.NewDotnetDepsCataloger(),
+ elixir.NewMixLockCataloger(),
+ erlang.NewRebarLockCataloger(),
+ golang.NewGoModFileCataloger(cfg.Go()),
+ golang.NewGoModuleBinaryCataloger(cfg.Go()),
+ haskell.NewHackageCataloger(),
 java.NewJavaCataloger(cfg.Java()),
+ java.NewJavaGradleLockfileCataloger(),
 java.NewJavaPomCataloger(),
 java.NewNativeImageCataloger(),
- java.NewJavaGradleLockfileCataloger(),
- apkdb.NewApkdbCataloger(),
- golang.NewGoModuleBinaryCataloger(cfg.Go()),
- golang.NewGoModFileCataloger(cfg.Go()),
- rust.NewCargoLockCataloger(),
- rust.NewAuditBinaryCataloger(),
- dart.NewPubspecLockCataloger(),
- dotnet.NewDotnetDepsCataloger(),
+ javascript.NewLockCataloger(),
+ javascript.NewPackageCataloger(),
+ kernel.NewLinuxKernelCataloger(cfg.Kernel()),
+ nix.NewStoreCataloger(),
 php.NewComposerInstalledCataloger(),
 php.NewComposerLockCataloger(),
- swift.NewCocoapodsCataloger(),
- cpp.NewConanCataloger(),
 portage.NewPortageCataloger(),
- haskell.NewHackageCataloger(),
+ python.NewPythonIndexCataloger(),
+ python.NewPythonPackageCataloger(),
+ rpm.NewFileCataloger(),
+ rpm.NewRpmDBCataloger(),
+ ruby.NewGemFileLockCataloger(),
+ ruby.NewGemSpecCataloger(),
+ rust.NewAuditBinaryCataloger(),
+ rust.NewCargoLockCataloger(),
 sbom.NewSBOMCataloger(),
- binary.NewCataloger(),
- elixir.NewMixLockCataloger(),
- erlang.NewRebarLockCataloger(),
- kernel.NewLinuxKernelCataloger(cfg.Kernel()),
- nix.NewStoreCataloger(),
+ swift.NewCocoapodsCataloger(),
 }, cfg.Catalogers)
 }
diff --git a/syft/pkg/cataloger/rpm/cataloger_test.go b/syft/pkg/cataloger/rpm/cataloger_test.go
index ca8907e2101..92b920532cd 100644
--- a/syft/pkg/cataloger/rpm/cataloger_test.go
+++ b/syft/pkg/cataloger/rpm/cataloger_test.go
@@ -16,6 +16,9 @@ func Test_DBCataloger_Globs(t *testing.T) {
 name: "obtain DB files",
 fixture: "test-fixtures/glob-paths",
 expected: []string{
+ "usr/share/rpm/Packages",
+ "usr/share/rpm/Packages.db",
+ "usr/share/rpm/rpmdb.sqlite",
 "var/lib/rpm/Packages",
 "var/lib/rpm/Packages.db",
 "var/lib/rpm/rpmdb.sqlite",
diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages
new file mode 100644
index 00000000000..882b6040c5d
--- /dev/null
+++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages
@@ -0,0 +1 @@
+bogus
\ No newline at end of file
diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db
new file mode 100644
index 00000000000..882b6040c5d
--- /dev/null
+++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/Packages.db
@@ -0,0 +1 @@
+bogus
\ No newline at end of file
diff --git a/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite
new file mode 100644
index 00000000000..882b6040c5d
--- /dev/null
+++ b/syft/pkg/cataloger/rpm/test-fixtures/glob-paths/usr/share/rpm/rpmdb.sqlite
@@ -0,0 +1 @@
+bogus
\ No newline at end of file
diff --git a/syft/pkg/cataloger/sbom/cataloger.go b/syft/pkg/cataloger/sbom/cataloger.go
index 17e6618e6cd..3b7f9c14bec 100644
--- a/syft/pkg/cataloger/sbom/cataloger.go
+++ b/syft/pkg/cataloger/sbom/cataloger.go
@@ -42,7 +42,7 @@ func parseSBOM(_ source.FileResolver, _ *generic.Environment, reader source.Loca
 var pkgs []pkg.Package
 var relationships []artifact.Relationship
- for _, p := range s.Artifacts.PackageCatalog.Sorted() {
+ for _, p := range s.Artifacts.Packages.Sorted() {
 // replace all locations on the package with the location of the SBOM file.
 // Why not keep the original list of locations? Since the "locations" field is meant to capture
 // where there is evidence of this file, and the catalogers have not run against any file other than,
diff --git a/syft/pkg/rpm_metadata.go b/syft/pkg/rpm_metadata.go
index b430cc2b760..41a825d94d7 100644
--- a/syft/pkg/rpm_metadata.go
+++ b/syft/pkg/rpm_metadata.go
@@ -8,10 +8,12 @@ import (
 "github.com/anchore/syft/syft/file"
 )
+// /var/lib/rpm/... is the typical path for most distributions
+// /usr/share/rpm/... is common for rpm-ostree distributions (coreos-like)
 // Packages is the legacy Berkely db based format
 // Packages.db is the "ndb" format used in SUSE
 // rpmdb.sqlite is the sqlite format used in fedora + derivates
-const RpmDBGlob = "**/var/lib/rpm/{Packages,Packages.db,rpmdb.sqlite}"
+const RpmDBGlob = "**/{var/lib,usr/share}/rpm/{Packages,Packages.db,rpmdb.sqlite}"
 // Used in CBL-Mariner distroless images
 const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"
diff --git a/syft/sbom/sbom.go b/syft/sbom/sbom.go
index a3e596e0b1b..7770027182b 100644
--- a/syft/sbom/sbom.go
+++ b/syft/sbom/sbom.go
@@ -20,7 +20,7 @@ type SBOM struct {
 }
 type Artifacts struct {
- PackageCatalog *pkg.Collection
+ Packages *pkg.Collection
 FileMetadata map[source.Coordinates]source.FileMetadata
 FileDigests map[source.Coordinates][]file.Digest
 FileContents map[source.Coordinates]string
diff --git a/test/integration/all_layers_squashed_comparison_test.go b/test/integration/all_layers_squashed_comparison_test.go
index 419fe7071c9..39973cbfaa3 100644
--- a/test/integration/all_layers_squashed_comparison_test.go
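Review bot: The widened RpmDBGlob now matches both `var/lib/rpm` and `usr/share/rpm`, and on rpm-ostree style images one of those directories is commonly a symlink to the other, so the same database can be discovered at two paths and its packages emitted twice unless the cataloger already collapses matches by resolved path; the glob test and the `bogus` fixtures added in this commit exercise only path matching, not that case. The new comment should state the expectation rather than leave it implicit, e.g. `// NOTE(review): both locations can exist in one image (rpm-ostree links /var/lib/rpm to /usr/share/rpm); the cataloger is assumed to resolve symlinks so each DB is parsed once — confirm`, and an integration fixture with the symlink layout would settle it. As a nit, the context lines above the constant still read `Berkely` and `derivates`; `Berkeley` and `derivatives` would be a cheap fix while the comment is being touched.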
+++ b/test/integration/all_layers_squashed_comparison_test.go @@ -11,8 +11,8 @@ func Test_AllLayersIncludesSquashed(t *testing.T) { allLayers, _ := catalogFixtureImage(t, "image-suse-all-layers", source.AllLayersScope, nil) squashed, _ := catalogFixtureImage(t, "image-suse-all-layers", source.SquashedScope, nil) - lenAllLayers := len(allLayers.Artifacts.PackageCatalog.Sorted()) - lenSquashed := len(squashed.Artifacts.PackageCatalog.Sorted()) + lenAllLayers := len(allLayers.Artifacts.Packages.Sorted()) + lenSquashed := len(squashed.Artifacts.Packages.Sorted()) if lenAllLayers < lenSquashed { t.Errorf("squashed has more packages than all-layers: %d > %d", lenSquashed, lenAllLayers) diff --git a/test/integration/catalog_packages_test.go b/test/integration/catalog_packages_test.go index e958d982b2d..7819889385f 100644 --- a/test/integration/catalog_packages_test.go +++ b/test/integration/catalog_packages_test.go @@ -100,7 +100,7 @@ func TestPkgCoverageImage(t *testing.T) { t.Run(c.name, func(t *testing.T) { pkgCount := 0 - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { if a.Language.String() != "" { observedLanguages.Add(a.Language.String()) } @@ -127,7 +127,7 @@ func TestPkgCoverageImage(t *testing.T) { if pkgCount != len(c.pkgInfo)+c.duplicates { t.Logf("Discovered packages of type %+v", c.pkgType) - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { t.Log(" ", a) } t.Fatalf("unexpected package count: %d!=%d", pkgCount, len(c.pkgInfo)) @@ -176,7 +176,7 @@ func TestPkgCoverageDirectory(t *testing.T) { t.Run(test.name, func(t *testing.T) { actualPkgCount := 0 - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(test.pkgType) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(test.pkgType) { observedLanguages.Add(actualPkg.Language.String()) observedPkgs.Add(string(actualPkg.Type)) 
@@ -207,7 +207,7 @@ func TestPkgCoverageDirectory(t *testing.T) { } if actualPkgCount != len(test.pkgInfo)+test.duplicates { - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(test.pkgType) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(test.pkgType) { t.Log(" ", actualPkg) } t.Fatalf("unexpected package count: %d!=%d", actualPkgCount, len(test.pkgInfo)) @@ -246,7 +246,7 @@ func TestPkgCoverageCatalogerConfiguration(t *testing.T) { definedLanguages := internal.NewStringSet() definedLanguages.Add("rust") - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate() { + for actualPkg := range sbom.Artifacts.Packages.Enumerate() { observedLanguages.Add(actualPkg.Language.String()) } @@ -270,7 +270,7 @@ func TestPkgCoverageImage_HasEvidence(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { assert.NotEmpty(t, a.Locations.ToSlice(), "package %q has no locations (type=%q)", a.Name, a.Type) for _, l := range a.Locations.ToSlice() { if _, exists := l.Annotations[pkg.EvidenceAnnotationKey]; !exists { @@ -300,7 +300,7 @@ func TestPkgCoverageDirectory_HasEvidence(t *testing.T) { for _, c := range cases { t.Run(c.name, func(t *testing.T) { - for a := range sbom.Artifacts.PackageCatalog.Enumerate(c.pkgType) { + for a := range sbom.Artifacts.Packages.Enumerate(c.pkgType) { assert.NotEmpty(t, a.Locations.ToSlice(), "package %q has no locations (type=%q)", a.Name, a.Type) for _, l := range a.Locations.ToSlice() { if _, exists := l.Annotations[pkg.EvidenceAnnotationKey]; !exists { diff --git a/test/integration/mariner_distroless_test.go b/test/integration/mariner_distroless_test.go index b54c1c073d9..95c457cea84 100644 --- a/test/integration/mariner_distroless_test.go +++ b/test/integration/mariner_distroless_test.go 
@@ -12,7 +12,7 @@ func TestMarinerDistroless(t *testing.T) { expectedPkgs := 12 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RpmPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RpmPkg) { actualPkgs += 1 } diff --git a/test/integration/node_packages_test.go b/test/integration/node_packages_test.go index 071b96a56fc..b26725ea435 100644 --- a/test/integration/node_packages_test.go +++ b/test/integration/node_packages_test.go @@ -14,7 +14,7 @@ func TestNpmPackageLockDirectory(t *testing.T) { foundPackages := internal.NewStringSet() - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.NpmPkg) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(pkg.NpmPkg) { for _, actualLocation := range actualPkg.Locations.ToSlice() { if strings.Contains(actualLocation.RealPath, "node_modules") { t.Errorf("found packages from package-lock.json in node_modules: %s", actualLocation) @@ -36,7 +36,7 @@ func TestYarnPackageLockDirectory(t *testing.T) { foundPackages := internal.NewStringSet() expectedPackages := internal.NewStringSet("async@0.9.2", "async@3.2.3", "merge-objects@1.0.5", "should-type@1.3.0", "@4lolo/resize-observer-polyfill@1.5.2") - for actualPkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.NpmPkg) { + for actualPkg := range sbom.Artifacts.Packages.Enumerate(pkg.NpmPkg) { for _, actualLocation := range actualPkg.Locations.ToSlice() { if strings.Contains(actualLocation.RealPath, "node_modules") { t.Errorf("found packages from yarn.lock in node_modules: %s", actualLocation) diff --git a/test/integration/package_deduplication_test.go b/test/integration/package_deduplication_test.go index ff860c6293a..e0760cd37b3 100644 --- a/test/integration/package_deduplication_test.go +++ b/test/integration/package_deduplication_test.go 
@@ -65,15 +65,15 @@ func TestPackageDeduplication(t *testing.T) { t.Run(string(tt.scope), func(t *testing.T) { sbom, _ := catalogFixtureImage(t, "image-vertical-package-dups", tt.scope, nil) - for _, p := range sbom.Artifacts.PackageCatalog.Sorted() { + for _, p := range sbom.Artifacts.Packages.Sorted() { if p.Type == pkg.BinaryPkg { assert.NotEmpty(t, p.Name) } } - assert.Equal(t, tt.packageCount, sbom.Artifacts.PackageCatalog.PackageCount()) + assert.Equal(t, tt.packageCount, sbom.Artifacts.Packages.PackageCount()) for name, expectedInstanceCount := range tt.instanceCount { - pkgs := sbom.Artifacts.PackageCatalog.PackagesByName(name) + pkgs := sbom.Artifacts.Packages.PackagesByName(name) // with multiple packages with the same name, something is wrong (or this is the wrong fixture) require.Len(t, pkgs, expectedInstanceCount) diff --git a/test/integration/regression_apk_scanner_buffer_size_test.go b/test/integration/regression_apk_scanner_buffer_size_test.go index a04cbe3e64c..3549d52ee14 100644 --- a/test/integration/regression_apk_scanner_buffer_size_test.go +++ b/test/integration/regression_apk_scanner_buffer_size_test.go @@ -14,7 +14,7 @@ func TestRegression212ApkBufferSize(t *testing.T) { expectedPkgs := 58 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.ApkPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.ApkPkg) { actualPkgs += 1 } diff --git a/test/integration/regression_go_bin_scanner_arch_test.go b/test/integration/regression_go_bin_scanner_arch_test.go index 2465d5dabd1..8a51a9a77f2 100644 --- a/test/integration/regression_go_bin_scanner_arch_test.go +++ b/test/integration/regression_go_bin_scanner_arch_test.go 
@@ -20,7 +20,7 @@ func TestRegressionGoArchDiscovery(t *testing.T) { var actualELF, actualWIN, actualMACOS int - for p := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.GoModulePkg) { + for p := range sbom.Artifacts.Packages.Enumerate(pkg.GoModulePkg) { for _, l := range p.Locations.ToSlice() { switch { case strings.Contains(l.RealPath, "elf"): diff --git a/test/integration/rust_audit_binary_test.go b/test/integration/rust_audit_binary_test.go index d97c9c73887..57baf46af36 100644 --- a/test/integration/rust_audit_binary_test.go +++ b/test/integration/rust_audit_binary_test.go @@ -12,7 +12,7 @@ func TestRustAudit(t *testing.T) { expectedPkgs := 2 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RustPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RustPkg) { actualPkgs += 1 } diff --git a/test/integration/sbom_cataloger_test.go b/test/integration/sbom_cataloger_test.go index f7be5416431..6faebbd13d9 100644 --- a/test/integration/sbom_cataloger_test.go +++ b/test/integration/sbom_cataloger_test.go @@ -17,7 +17,7 @@ func TestSbomCataloger(t *testing.T) { expectedGoModCatalogerPkgs := 2 actualSbomPkgs := 0 actualGoModPkgs := 0 - for pkg := range sbom.Artifacts.PackageCatalog.Enumerate(pkg.GoModulePkg) { + for pkg := range sbom.Artifacts.Packages.Enumerate(pkg.GoModulePkg) { if pkg.FoundBy == "go-mod-file-cataloger" { actualGoModPkgs += 1 } else if pkg.FoundBy == "sbom-cataloger" { diff --git a/test/integration/sqlite_rpmdb_test.go b/test/integration/sqlite_rpmdb_test.go index c151b4b6e62..fd3dfa98a01 100644 --- a/test/integration/sqlite_rpmdb_test.go +++ b/test/integration/sqlite_rpmdb_test.go @@ -16,7 +16,7 @@ func TestSqliteRpm(t *testing.T) { expectedPkgs := 139 actualPkgs := 0 - for range sbom.Artifacts.PackageCatalog.Enumerate(pkg.RpmPkg) { + for range sbom.Artifacts.Packages.Enumerate(pkg.RpmPkg) { actualPkgs += 1 } diff --git a/test/integration/utils_test.go b/test/integration/utils_test.go index 693d057c010..77f50045051 100644 
--- a/test/integration/utils_test.go +++ b/test/integration/utils_test.go @@ -33,7 +33,7 @@ func catalogFixtureImage(t *testing.T, fixtureImageName string, scope source.Sco return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkgCatalog, + Packages: pkgCatalog, LinuxDistribution: actualDistro, }, Relationships: relationships, @@ -68,7 +68,7 @@ func catalogDirectory(t *testing.T, dir string) (sbom.SBOM, *source.Source) { return sbom.SBOM{ Artifacts: sbom.Artifacts{ - PackageCatalog: pkgCatalog, + Packages: pkgCatalog, LinuxDistribution: actualDistro, }, Relationships: relationships,