
feat: Add support for jar scanning #239

Merged
merged 1 commit into from
Sep 7, 2024

Conversation


@abhisek abhisek commented Sep 5, 2024

This PR actually introduces two non-breaking changes.

  1. Support scanning Java archives
  2. Introduce a new --manifest and -M scan flag to evolve beyond just scanning lockfiles

-M also supports an embedded type so that we can specify different paths with different manifest / lockfile types. Example:

./vet scan -M jar:$HOME/demo-client-java/build/libs/demo-client-java-0.0.1-SNAPSHOT.jar

Here we are explicitly stating that the path should be treated as a jar (supported parser).

Fix #238
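The jar parser this PR adds has to enumerate the packages bundled inside a Java archive. As an added example that is not code from the vet project or this PR, the following Go sketch does that for the common case: it treats the JAR as a zip archive and recovers Maven coordinates from the pom.properties entries that bundled dependencies carry; the MavenPackage type, the function names and the in-memory sample JAR are constructed for illustration and are assumptions, not vet's implementation.

```go
package main

import "archive/zip"
import "bufio"
import "bytes"
import "strings"
type MavenPackage struct{ GroupID, ArtifactID, Version string } // one coordinate found in the JAR (constructed type)
// EnumerateJarPackages reads the JAR as a zip archive and collects the Maven coordinates from every
// META-INF/maven/<group>/<artifact>/pom.properties entry, where bundled (shaded) dependencies leave their identity.
func EnumerateJarPackages(jar []byte) ([]MavenPackage, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err // not a zip at all: corrupt file, or the wrong type was given to -M
	}
	var pkgs []MavenPackage
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/maven/") || !strings.HasSuffix(f.Name, "/pom.properties") {
			continue // class files and other resources are never opened
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		props := map[string]string{} // key=value lines; '#' comment lines are skipped
		for sc := bufio.NewScanner(rc); sc.Scan(); {
			if k, v, ok := strings.Cut(sc.Text(), "="); ok && !strings.HasPrefix(k, "#") {
				props[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
		rc.Close()
		pkgs = append(pkgs, MavenPackage{props["groupId"], props["artifactId"], props["version"]})
	}
	return pkgs, nil
}

// SampleJar builds a constructed in-memory JAR (standing in for a real build/libs/*.jar) that bundles two dependencies.
func SampleJar() []byte {
	var out bytes.Buffer
	zw := zip.NewWriter(&out)
	for _, e := range [][2]string{
		{"com/example/App.class", "\xca\xfe\xba\xbe"},
		{"META-INF/maven/org.example/demo-client/pom.properties", "#Generated by Maven\ngroupId=org.example\nartifactId=demo-client\nversion=0.0.1-SNAPSHOT\n"},
		{"META-INF/maven/com.acme/util/pom.properties", "groupId = com.acme\nartifactId=util\nversion=2.3.4\n"},
	} {
		w, _ := zw.Create(e[0])
		w.Write([]byte(e[1]))
	}
	zw.Close()
	return out.Bytes()
}
```

With a real archive, the byte slice would come from reading the path given after `jar:` in `-M`; here `SampleJar()` supplies it so the code runs offline.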


github-actions bot commented Sep 5, 2024

vet Summary Report

This report is generated by vet

Policy Checks

  • ✅ Vulnerability
  • ✅ Malware
  • ✅ License
  • ❌ Popularity
  • ❌ Maintenance
  • ❌ Security Posture
  • ✅ Threats

New Packages

  • ⚠️ [Go] google.golang.org/genproto/googleapis/api@0.0.0-20240903143218-8af14fe29dc1
  • ⚠️ [Go] github.com/mitchellh/go-homedir@1.1.0
  • ✅ [Go] github.com/google/go-cmp@0.6.0
  • ✅ [Go] github.com/pelletier/go-toml/v2@2.2.3
  • ✅ [Go] github.com/moby/sys/mountinfo@0.7.2
  • ⚠️ [Go] github.com/pierrec/lz4/v4@4.1.21
  • ⚠️ [Go] github.com/nwaples/rardecode@1.1.3
  • ⚠️ [Go] github.com/scylladb/go-set@1.0.3-0.20200225121959-cc7b2070d91e
  • ⚠️ [Go] github.com/anchore/clio@0.0.0-20240806233806-4c50c054c508
  • ⚠️ [Go] google.golang.org/genproto/googleapis/rpc@0.0.0-20240903143218-8af14fe29dc1
  • ⚠️ [Go] github.com/magiconair/properties@1.8.7
  • ⚠️ [Go] github.com/containerd/errdefs@0.1.0
  • ⚠️ [Go] github.com/opencontainers/go-digest@1.0.0
  • ⚠️ [Go] github.com/becheran/wildmatch-go@1.0.0
  • ✅ [Go] golang.org/x/oauth2@0.23.0
  • ✅ [Go] github.com/mholt/archiver/v3@3.5.1
  • ⚠️ [Go] github.com/spf13/afero@1.11.0
  • ⚠️ [Go] github.com/facebookincubator/nvdtools@0.1.5
  • ⚠️ [Go] github.com/sagikazarmark/slog-shim@0.1.0
  • ⚠️ [Go] github.com/xo/terminfo@0.0.0-20220910002029-abceb7e1c41e
  • ✅ [Go] github.com/spf13/viper@1.19.0
  • ✅ [Go] k8s.io/utils@0.0.0-20240902221715-702e33fdd3c3
  • ✅ [Go] github.com/google/osv-scanner@1.8.4
  • ✅ [Go] github.com/anchore/syft@1.11.1
  • ⚠️ [Go] github.com/klauspost/pgzip@1.2.6
  • ⚠️ [Go] github.com/pkg/profile@1.7.0
  • ⚠️ [Go] github.com/mitchellh/hashstructure/v2@2.0.2
  • ✅ [Go] github.com/google/pprof@0.0.0-20240903155634-a8630aee4ab9
  • ✅ [Go] github.com/hashicorp/hcl@1.0.0
  • ✅ [Go] github.com/bytedance/sonic@1.12.2
  • ✅ [Go] github.com/prometheus/client_golang@1.20.3
  • ✅ [Go] github.com/smacker/go-tree-sitter@0.0.0-20240827094217-dd81d9e9be82
  • ✅ [Go] github.com/dop251/goja@0.0.0-20240828124009-016eb7256539
  • ✅ [Go] golang.org/x/text@0.18.0
  • ⚠️ [Go] github.com/anchore/fangs@0.0.0-20240904151251-ac0148f53e5d
  • ✅ [Go] golang.org/x/arch@0.10.0
  • ⚠️ [Go] github.com/wagoodman/go-partybus@0.0.0-20230516145632-8ccac152c651
  • ⚠️ [Go] github.com/wagoodman/go-progress@0.0.0-20230925121702-07e42b3cdba0
  • ⚠️ [Go] github.com/pborman/indent@1.2.1
  • ✅ [Go] github.com/go-restruct/restruct@1.2.0-alpha
  • ✅ [Go] golang.org/x/exp@0.0.0-20240904232852-e7e105dedf7e
  • ⚠️ [Go] github.com/dsnet/compress@0.0.2-0.20210315054119-f66993602bf5
  • ⚠️ [Go] github.com/subosito/gotenv@1.6.0
  • ⚠️ [Go] github.com/docker/docker-credential-helpers@0.8.2
  • ✅ [Go] github.com/docker/cli@27.2.0+incompatible
  • ✅ [Go] github.com/adrg/xdg@0.5.0
  • ✅ [Go] github.com/sourcegraph/conc@0.3.0
  • ✅ [Go] github.com/Masterminds/semver/v3@3.3.0
  • ⚠️ [Go] github.com/anchore/go-macholibre@0.0.0-20240116161251-5df1434a0b50
  • ⚠️ [Go] github.com/iancoleman/strcase@0.3.0
  • ⚠️ [Go] github.com/sylabs/squashfs@1.0.0
  • ✅ [Go] github.com/felixge/fgprof@0.9.5
  • ✅ [Go] github.com/fsnotify/fsnotify@1.7.0
  • ✅ [Go] golang.org/x/term@0.24.0
  • ⚠️ [Go] github.com/docker/go-connections@0.5.0
  • ✅ [Go] github.com/spf13/cast@1.7.0
  • ✅ [Go] golang.org/x/crypto@0.27.0
  • ✅ [Go] github.com/hashicorp/go-multierror@1.1.1
  • ✅ [Go] golang.org/x/net@0.29.0
  • ✅ [Go] github.com/jinzhu/copier@0.4.0
  • ✅ [Go] github.com/prometheus/common@0.59.1
  • ⚠️ [Go] github.com/hashicorp/errwrap@1.1.0
  • ⚠️ [Go] github.com/anchore/go-logger@0.0.0-20240217160628-ee28a485904f
  • ⚠️ [Go] github.com/therootcompany/xz@1.0.1
  • ✅ [Go] github.com/github/go-spdx/v2@2.3.1
  • ✅ [Go] github.com/containerd/containerd@1.7.21
  • ⚠️ [Go] github.com/sagikazarmark/locafero@0.6.0
  • ⚠️ [Go] github.com/acobaugh/osrelease@0.1.0
  • ⚠️ [Go] github.com/anchore/packageurl-go@0.1.1-0.20240507183024-848e011fc24f
  • ⚠️ [Go] github.com/vifraa/gopom@1.0.0
  • ✅ [Go] golang.org/x/sys@0.25.0
  • ⚠️ [Go] github.com/saintfish/chardet@0.0.0-20230101081208-5e3ef4b5456d
  • ⚠️ [Go] github.com/google/licensecheck@0.3.1
  • ⚠️ [Go] github.com/ulikunitz/xz@0.5.12
  • ✅ [Go] golang.org/x/mod@0.21.0
  • ✅ [Go] github.com/bmatcuk/doublestar/v4@4.6.1
  • ✅ [Go] google.golang.org/grpc@1.66.0
  • ⚠️ [Go] github.com/xi2/xz@0.0.0-20171230120015-48954b6210f8
  • ✅ [Go] github.com/gookit/color@1.5.4
  • ✅ [Go] github.com/anchore/stereoscope@0.0.3
  • ✅ [Go] github.com/google/go-containerregistry@0.20.2
  • ✅ [Go] github.com/cloudflare/circl@1.4.0

Packages Violating Policy

[Go] google.golang.org/genproto/googleapis/api@0.0.0-20240903143218-8af14fe29dc1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component release pipeline appear to use dangerous workflows

[Go] github.com/mitchellh/go-homedir@1.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/pierrec/lz4/v4@4.1.21 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/nwaples/rardecode@1.1.3 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/scylladb/go-set@1.0.3-0.20200225121959-cc7b2070d91e 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/anchore/clio@0.0.0-20240806233806-4c50c054c508 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] google.golang.org/genproto/googleapis/rpc@0.0.0-20240903143218-8af14fe29dc1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component release pipeline appear to use dangerous workflows

[Go] github.com/magiconair/properties@1.8.7 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/containerd/errdefs@0.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/opencontainers/go-digest@1.0.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/becheran/wildmatch-go@1.0.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/spf13/afero@1.11.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/facebookincubator/nvdtools@0.1.5 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/sagikazarmark/slog-shim@0.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/xo/terminfo@0.0.0-20220910002029-abceb7e1c41e 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/klauspost/pgzip@1.2.6 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/pkg/profile@1.7.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/mitchellh/hashstructure/v2@2.0.2 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/anchore/fangs@0.0.0-20240904151251-ac0148f53e5d 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/wagoodman/go-partybus@0.0.0-20230516145632-8ccac152c651 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/wagoodman/go-progress@0.0.0-20230925121702-07e42b3cdba0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/pborman/indent@1.2.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/dsnet/compress@0.0.2-0.20210315054119-f66993602bf5 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/subosito/gotenv@1.6.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/docker/docker-credential-helpers@0.8.2 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/anchore/go-macholibre@0.0.0-20240116161251-5df1434a0b50 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/iancoleman/strcase@0.3.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/sylabs/squashfs@1.0.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/docker/go-connections@0.5.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/hashicorp/errwrap@1.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/anchore/go-logger@0.0.0-20240217160628-ee28a485904f 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/therootcompany/xz@1.0.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/sagikazarmark/locafero@0.6.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/acobaugh/osrelease@0.1.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/anchore/packageurl-go@0.1.1-0.20240507183024-848e011fc24f 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component popularity is low by Github stars count
  • ⚡ Use an alternative package that is popular

[Go] github.com/vifraa/gopom@1.0.0 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/saintfish/chardet@0.0.0-20230101081208-5e3ef4b5456d 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/google/licensecheck@0.3.1 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/ulikunitz/xz@0.5.12 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained

[Go] github.com/xi2/xz@0.0.0-20171230120015-48954b6210f8 🔗

  • ➡️ Found in manifest go.mod
  • ⚠️ Component appears to be unmaintained


cloudflare-workers-and-pages bot commented Sep 5, 2024

Deploying safedep-vet with Cloudflare Pages

Latest commit: a69cd67
Status: ✅  Deploy successful!
Preview URL: https://4184e618.safedep-vet.pages.dev
Branch Preview URL: https://feat-238-add-jar-scanning-su.safedep-vet.pages.dev


@abhisek abhisek self-assigned this Sep 5, 2024
@abhisek abhisek force-pushed the feat/238-add-jar-scanning-support branch from 7e1a5a5 to 2c02e6f September 5, 2024 12:33
@abhisek abhisek requested a review from c0d3G33k September 5, 2024 12:33
@abhisek abhisek force-pushed the feat/238-add-jar-scanning-support branch 4 times, most recently from 04414be to 058235e September 7, 2024 10:11
refactor: Parser target resolver to re-use from lockfile and directory reader

feat: Add support for scope based parse target resolution

refactor: Dir reader to use config struct

test: Fix directory reader tests

refactor: Rename parser utils to resolver

doc: Add jar scanning example in README.md
Successfully merging this pull request may close these issues.

Add support for enumerating Java JAR for Packages