Merge branch 'main' into camcui/main

* main:
  chore(deps): bump github.com/docker/docker (anchore#2827)
  fix(spdx): include required fields (anchore#2168)
  fix: add correct vendor for dnsmasq CPE (anchore#2659)
  fix: close temp rpmdb file (anchore#2792)
  chore(deps): bump github/codeql-action from 3.25.2 to 3.25.3 (anchore#2817)
  Fill in SPDX originator for all supported package types (anchore#2822)
  chore(deps): bump anchore/sbom-action from 0.15.10 to 0.15.11 (anchore#2821)
  update spdx license list to 3.23 (anchore#2818)

.github/workflows/codeql-analysis.yml

@@ -45,7 +45,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2
+      uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2
+      uses: github/codeql-action/autobuild@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 #v3.25.2
+      uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 #v3.25.3

.github/workflows/release.yaml

@@ -143,7 +143,7 @@ jobs:
           AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
 
-      - uses: anchore/sbom-action@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c #v0.15.10
+      - uses: anchore/sbom-action@7ccf588e3cf3cc2611714c2eeae48550fbc17552 #v0.15.11
         continue-on-error: true
         with:
           artifact-name: sbom.spdx.json

go.mod

@@ -29,7 +29,7 @@ require (
 	github.com/dave/jennifer v1.7.0
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da
 	github.com/distribution/reference v0.6.0
-	github.com/docker/docker v26.1.0+incompatible
+	github.com/docker/docker v26.1.1+incompatible
 	github.com/dustin/go-humanize v1.0.1
 	github.com/elliotchance/phpserialize v1.4.0
 	github.com/facebookincubator/nvdtools v0.1.5

go.sum

@@ -223,8 +223,8 @@ github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qe
 github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.0+incompatible h1:W1G9MPNbskA6VZWL7b3ZljTh0pXI68FpINx0GKaOdaM=
-github.com/docker/docker v26.1.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.1+incompatible h1:oI+4kkAgIwwb54b9OC7Xc3hSgu1RlJA/Lln/DF72djQ=
+github.com/docker/docker v26.1.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=

syft/format/common/spdxhelpers/to_format_model.go

@@ -245,6 +245,8 @@ func toRootPackage(s source.Description) *spdx.Package {
 			Supplier: helpers.NOASSERTION,
 		},
 		PackageDownloadLocation: helpers.NOASSERTION,
+		PackageLicenseConcluded: helpers.NOASSERTION,
+		PackageLicenseDeclared:  helpers.NOASSERTION,
 	}
 
 	if purl != nil {
@@ -517,9 +519,7 @@ func toPackageOriginator(p pkg.Package) *spdx.Originator {
 }
 
 func toPackageSupplier(p pkg.Package) *spdx.Supplier {
-	// this uses the Originator function for now until
-	// a better distinction can be made for supplier
-	kind, supplier := helpers.Originator(p)
+	kind, supplier := helpers.Supplier(p)
 	if kind == "" || supplier == "" {
 		return &spdx.Supplier{
 			Supplier: helpers.NOASSERTION,
@@ -624,6 +624,9 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 			Checksums:        toFileChecksums(digests),
 			FileName:         coordinates.RealPath,
 			FileTypes:        toFileTypes(metadata),
+			LicenseInfoInFiles: []string{ // required in SPDX 2.2
+				helpers.NOASSERTION,
+			},
 		})
 	}
 

syft/format/internal/spdxutil/helpers/originator_supplier.go

@@ -0,0 +1,210 @@
+package helpers
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/anchore/syft/internal"
+	"github.com/anchore/syft/syft/pkg"
+)
+
+const (
+	orgType    = "Organization"
+	personType = "Person"
+)
+
+// Originator needs to conform to the SPDX spec here:
+// https://spdx.github.io/spdx-spec/v2.2.2/package-information/#76-package-originator-field
+//
+// Definition:
+//
+//	If the package identified in the SPDX document originated from a different person or
+//	organization than identified as Package Supplier (see 7.5 above), this field identifies from
+//	where or whom the package originally came. In some cases, a package may be created and
+//	originally distributed by a different third party than the Package Supplier of the package.
+//	For example, the SPDX document identifies the package as glibc and the Package Supplier as
+//	Red Hat, but the Free Software Foundation is the Package Originator.
+//
+// Use NOASSERTION if:
+//
+//   - the SPDX document creator has attempted to but cannot reach a reasonable objective determination;
+//   - the SPDX document creator has made no attempt to determine this field; or
+//   - the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).
+//
+// Available options are: <omit>, NOASSERTION, Person: <person>, Organization: <org>
+// return values are: <type>, <value>
+func Originator(p pkg.Package) (typ string, author string) { // nolint: funlen
+	if !hasMetadata(p) {
+		return typ, author
+	}
+
+	switch metadata := p.Metadata.(type) {
+	case pkg.ApkDBEntry:
+		author = metadata.Maintainer
+
+	case pkg.DotnetPortableExecutableEntry:
+		typ = orgType
+		author = metadata.CompanyName
+
+	case pkg.DpkgDBEntry:
+		author = metadata.Maintainer
+
+	case pkg.JavaArchive:
+		if metadata.Manifest != nil {
+			author = metadata.Manifest.Main.MustGet("Specification-Vendor")
+			if author == "" {
+				author = metadata.Manifest.Main.MustGet("Implementation-Vendor")
+			}
+		}
+
+	case pkg.LinuxKernelModule:
+		author = metadata.Author
+
+	case pkg.PhpComposerLockEntry:
+		if len(metadata.Authors) > 0 {
+			entry := metadata.Authors[0]
+			author = formatPersonOrOrg(entry.Name, entry.Email)
+		}
+
+	case pkg.PhpComposerInstalledEntry:
+		if len(metadata.Authors) > 0 {
+			entry := metadata.Authors[0]
+			author = formatPersonOrOrg(entry.Name, entry.Email)
+		}
+
+	case pkg.RDescription:
+		// this is most likely to have a name and email
+		author = metadata.Maintainer
+
+		if author == "" {
+			author = metadata.Author
+		}
+
+	case pkg.NpmPackage:
+		author = metadata.Author
+
+	case pkg.PythonPackage:
+		author = formatPersonOrOrg(metadata.Author, metadata.AuthorEmail)
+
+	case pkg.RubyGemspec:
+		if len(metadata.Authors) > 0 {
+			author = metadata.Authors[0]
+		}
+	case pkg.RpmDBEntry:
+		typ = orgType
+		author = metadata.Vendor
+
+	case pkg.RpmArchive:
+		typ = orgType
+		author = metadata.Vendor
+
+	case pkg.WordpressPluginEntry:
+		// it seems that the vast majority of the time the author is an org, not a person
+		typ = orgType
+		author = metadata.Author
+	}
+
+	if typ == "" && author != "" {
+		typ = personType
+	}
+
+	return typ, parseAndFormatPersonOrOrg(author)
+}
+
+// Supplier needs to conform to the SPDX spec here:
+// https://spdx.github.io/spdx-spec/v2.2.2/package-information/#75-package-supplier-field
+//
+// Definition:
+//
+//	Identify the actual distribution source for the package/directory identified in the SPDX document. This might
+//	or might not be different from the originating distribution source for the package. The name of the Package Supplier
+//	shall be an organization or recognized author and not a web site. For example, SourceForge is a host website, not a
+//	supplier, the supplier for https://sourceforge.net/projects/bridge/ is “The Linux Foundation.”
+//
+// Use NOASSERTION if:
+//
+//   - the SPDX document creator has attempted to but cannot reach a reasonable objective determination;
+//   - the SPDX document creator has made no attempt to determine this field; or
+//   - the SPDX document creator has intentionally provided no information (no meaning should be implied by doing so).
+//
+// Available options are: <omit>, NOASSERTION, Person: <person>, Organization: <org>
+// return values are: <type>, <value>
+func Supplier(p pkg.Package) (typ string, author string) {
+	if !hasMetadata(p) {
+		return
+	}
+
+	if metadata, ok := p.Metadata.(pkg.AlpmDBEntry); ok {
+		// most indications here are that this is the person that is simply packaging the upstream software. Most
+		// of the time this is not the original author of the upstream software (which would be the originator).
+		// Though it is possible for users to be both the packager and the author, this code cannot distinct this
+		// case and sticks to the semantically correct interpretation of the "packager" (which says nothing about the
+		// authorship of the upstream software).
+		author = metadata.Packager
+	}
+
+	if author == "" {
+		// TODO: this uses the Originator function for now until a better distinction can be made for supplier
+		return Originator(p)
+	}
+
+	if typ == "" && author != "" {
+		typ = personType
+	}
+
+	return typ, parseAndFormatPersonOrOrg(author)
+}
+
+var nameEmailURLPattern = regexp.MustCompile(`^(?P<name>[^<>()]*)( <(?P<email>[^@]+@\w+\.\w+)>)?( \((?P<url>.*)\))?$`)
+
+func parseAndFormatPersonOrOrg(s string) string {
+	name, email, _ := parseNameEmailURL(s)
+	return formatPersonOrOrg(name, email)
+}
+
+func parseNameEmailURL(s string) (name, email, url string) {
+	fields := internal.MatchNamedCaptureGroups(nameEmailURLPattern, s)
+	name = strings.TrimSpace(fields["name"])
+	email = strings.TrimSpace(fields["email"])
+	url = strings.TrimSpace(fields["url"])
+
+	if email == "" {
+		if approximatesAsEmail(url) {
+			email = url
+			url = ""
+		} else if approximatesAsEmail(name) {
+			email = name
+			name = ""
+		}
+	}
+	return name, email, url
+}
+
+func approximatesAsEmail(s string) bool {
+	atIndex := strings.Index(s, "@")
+	if atIndex == -1 {
+		return false
+	}
+	dotIndex := strings.Index(s[atIndex:], ".")
+	return dotIndex != -1
+}
+
+func formatPersonOrOrg(name, email string) string {
+	name = strings.TrimSpace(name)
+	email = strings.TrimSpace(email)
+
+	blankName := name == ""
+	blankEmail := email == ""
+
+	if !blankEmail && !blankName {
+		return fmt.Sprintf("%s (%s)", name, email)
+	}
+	if !blankName && blankEmail {
+		return name
+	}
+	if blankName && !blankEmail {
+		return email
+	}
+	return ""
+}