From 0b835856bc62129f8bde2ba2d672138ca7d73c2e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 01:52:08 -0400 Subject: [PATCH 01/51] feat: report unknowns in sbom Signed-off-by: Keith Zantow --- internal/file/zip_file_manifest.go | 6 +- internal/file/zip_read_closer.go | 8 +- internal/task/executor.go | 26 ++- internal/task/file_tasks.go | 21 +- internal/task/package_task_factory.go | 7 +- internal/task/unknowns_tasks.go | 68 ++++++ internal/unknown/errors.go | 167 ++++++++++++++ internal/unknown/errors_test.go | 213 ++++++++++++++++++ syft/create_sbom_config.go | 18 ++ syft/file/cataloger/executable/cataloger.go | 29 ++- syft/file/cataloger/filecontent/cataloger.go | 13 +- syft/file/cataloger/filedigest/cataloger.go | 8 +- syft/file/cataloger/filemetadata/cataloger.go | 6 +- syft/file/coordinates.go | 4 + syft/format/syftjson/model/file.go | 1 + syft/format/syftjson/to_format_model.go | 6 + syft/format/syftjson/to_syft_model.go | 7 + syft/pkg/cataloger/arch/parse_alpm_db.go | 43 ++-- .../cataloger/binary/classifier_cataloger.go | 13 +- .../cataloger/binary/elf_package_cataloger.go | 9 +- .../parse_dotnet_portable_executable.go | 12 +- syft/pkg/cataloger/elixir/parse_mix_lock.go | 8 +- syft/pkg/cataloger/erlang/parse_otp_app.go | 3 +- syft/pkg/cataloger/generic/cataloger.go | 12 +- .../gentoo/parse_portage_contents.go | 2 +- syft/pkg/cataloger/githubactions/package.go | 9 +- .../githubactions/parse_composite_action.go | 18 +- .../cataloger/githubactions/parse_workflow.go | 35 +-- syft/pkg/cataloger/golang/parse_go_binary.go | 6 +- syft/pkg/cataloger/golang/scan_binary.go | 23 +- .../pkg/cataloger/haskell/parse_stack_lock.go | 2 +- .../pkg/cataloger/haskell/parse_stack_yaml.go | 2 +- syft/pkg/cataloger/java/archive_parser.go | 10 +- .../javascript/parse_package_json.go | 2 +- syft/pkg/cataloger/kernel/cataloger.go | 7 +- syft/pkg/cataloger/lua/parse_rockspec.go | 3 +- .../cataloger/python/parse_requirements.go | 6 +- syft/pkg/cataloger/python/parse_setup.go | 5 +- syft/pkg/cataloger/redhat/parse_rpm_db.go | 16 +- .../cataloger/redhat/parse_rpm_manifest.go | 6 +- syft/pkg/cataloger/rust/parse_audit_binary.go | 16 +- .../cataloger/swift/parse_package_resolved.go | 2 +- syft/sbom/sbom.go | 4 + .../test-fixtures/image-unknowns/Dockerfile | 2 + test/cli/test-fixtures/image-unknowns/exe | 0 .../image-unknowns/executable-script | 2 + .../image-unknowns/package-lock.json | 3 + .../image-unknowns/unextracted.tar.gz | 0 .../image-unknowns/unextracted.zip | 0 .../image-unknowns/unknown-readable.jar | Bin 0 -> 209 bytes .../image-unknowns/unknown-unreadable.jar | 0 test/cli/unknowns_test.go | 39 ++++ test/cli/utils_test.go | 27 ++- 53 files changed, 800 insertions(+), 155 deletions(-) create mode 100644 internal/task/unknowns_tasks.go create mode 100644 internal/unknown/errors.go create mode 100644 internal/unknown/errors_test.go create mode 100644 test/cli/test-fixtures/image-unknowns/Dockerfile create mode 100644 test/cli/test-fixtures/image-unknowns/exe create mode 100755 test/cli/test-fixtures/image-unknowns/executable-script create mode 100644 test/cli/test-fixtures/image-unknowns/package-lock.json create mode 100644 test/cli/test-fixtures/image-unknowns/unextracted.tar.gz create mode 100644 test/cli/test-fixtures/image-unknowns/unextracted.zip create mode 100644 test/cli/test-fixtures/image-unknowns/unknown-readable.jar create mode 100644 test/cli/test-fixtures/image-unknowns/unknown-unreadable.jar create mode 100644 test/cli/unknowns_test.go diff --git a/internal/file/zip_file_manifest.go b/internal/file/zip_file_manifest.go index 6306ca6b07d..ac61e6ae98e 100644 --- a/internal/file/zip_file_manifest.go +++ b/internal/file/zip_file_manifest.go @@ -1,7 +1,6 @@ package file import ( - "fmt" "os" "sort" "strings" @@ -19,12 +18,13 @@ func NewZipFileManifest(archivePath string) (ZipFileManifest, error) { zipReader, err := OpenZip(archivePath) manifest := make(ZipFileManifest) if err != nil { - return manifest, fmt.Errorf("unable to open zip archive (%s): %w", archivePath, err) + log.Debugf("unable to open zip archive (%s): %v", archivePath, err) + return manifest, err } defer func() { err = zipReader.Close() if err != nil { - log.Warnf("unable to close zip archive (%s): %+v", archivePath, err) + log.Debugf("unable to close zip archive (%s): %+v", archivePath, err) } }() diff --git a/internal/file/zip_read_closer.go b/internal/file/zip_read_closer.go index 5722092dbf4..ed0d56dc113 100644 --- a/internal/file/zip_read_closer.go +++ b/internal/file/zip_read_closer.go @@ -7,6 +7,8 @@ import ( "fmt" "io" "os" + + "github.com/anchore/syft/internal/log" ) // directoryEndLen, readByf, directoryEnd, and findSignatureInBlock were copied from the golang stdlib, specifically: @@ -45,7 +47,8 @@ func OpenZip(filepath string) (*ZipReadCloser, error) { // need to find the start of the archive and keep track of this offset. offset, err := findArchiveStartOffset(f, fi.Size()) if err != nil { - return nil, fmt.Errorf("cannot find beginning of zip archive=%q : %w", filepath, err) + log.Debugf("cannot find beginning of zip archive=%q : %v", filepath, err) + return nil, err } if _, err := f.Seek(0, io.SeekStart); err != nil { @@ -56,7 +59,8 @@ func OpenZip(filepath string) (*ZipReadCloser, error) { r, err := zip.NewReader(io.NewSectionReader(f, int64(offset), size), size) if err != nil { - return nil, fmt.Errorf("unable to open ZipReadCloser @ %q: %w", filepath, err) + log.Debugf("unable to open ZipReadCloser @ %q: %v", filepath, err) + return nil, err } return &ZipReadCloser{ diff --git a/internal/task/executor.go b/internal/task/executor.go index 5ba48b58aa0..a17d32f2267 100644 --- a/internal/task/executor.go +++ b/internal/task/executor.go @@ -9,8 +9,10 @@ import ( "github.com/hashicorp/go-multierror" "github.com/anchore/syft/internal/sbomsync" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/event/monitor" "github.com/anchore/syft/syft/file" + "github.com/anchore/syft/syft/sbom" ) type Executor struct { @@ -33,6 +35,12 @@ func NewTaskExecutor(tasks []Task, numWorkers int) *Executor { } func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsync.Builder, prog *monitor.CatalogerTaskProgress) error { + var lock sync.Mutex + withLock := func(fn func()) { + lock.Lock() + defer lock.Unlock() + fn() + } var errs error wg := &sync.WaitGroup{} for i := 0; i < p.numWorkers; i++ { @@ -46,9 +54,21 @@ func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsy return } - if err := runTaskSafely(ctx, tsk, resolver, s); err != nil { - errs = multierror.Append(errs, fmt.Errorf("failed to run task: %w", err)) - prog.SetError(err) + err := runTaskSafely(ctx, tsk, resolver, s) + unknowns, err := unknown.ExtractCoordinateErrors(err) + s.(sbomsync.Accessor).WriteToSBOM(func(sb *sbom.SBOM) { + for _, u := range unknowns { + if sb.Artifacts.Unknowns == nil { + sb.Artifacts.Unknowns = map[file.Coordinates][]string{} + } + sb.Artifacts.Unknowns[u.Coordinates] = append(sb.Artifacts.Unknowns[u.Coordinates], u.Reason.Error()) + } + }) + if err != nil { + withLock(func() { + errs = multierror.Append(errs, fmt.Errorf("failed to run task: %w", err)) + prog.SetError(err) + }) } prog.Increment() } diff --git a/internal/task/file_tasks.go b/internal/task/file_tasks.go index 857f6e4238e..c11005aa0e5 100644 --- a/internal/task/file_tasks.go +++ b/internal/task/file_tasks.go @@ -3,7 +3,6 @@ package task import ( "context" "crypto" - "fmt" "github.com/anchore/syft/internal/sbomsync" "github.com/anchore/syft/syft/artifact" @@ -32,15 +31,12 @@ func NewFileDigestCatalogerTask(selection file.Selection, hashers ...crypto.Hash } result, err := digestsCataloger.Catalog(ctx, resolver, coordinates...) - if err != nil { - return fmt.Errorf("unable to catalog file digests: %w", err) - } accessor.WriteToSBOM(func(sbom *sbom.SBOM) { sbom.Artifacts.FileDigests = result }) - return nil + return err } return NewTask("file-digest-cataloger", fn) @@ -62,15 +58,12 @@ func NewFileMetadataCatalogerTask(selection file.Selection) Task { } result, err := metadataCataloger.Catalog(ctx, resolver, coordinates...) - if err != nil { - return err - } accessor.WriteToSBOM(func(sbom *sbom.SBOM) { sbom.Artifacts.FileMetadata = result }) - return nil + return err } return NewTask("file-metadata-cataloger", fn) @@ -87,15 +80,12 @@ func NewFileContentCatalogerTask(cfg filecontent.Config) Task { accessor := builder.(sbomsync.Accessor) result, err := cat.Catalog(ctx, resolver) - if err != nil { - return err - } accessor.WriteToSBOM(func(sbom *sbom.SBOM) { sbom.Artifacts.FileContents = result }) - return nil + return err } return NewTask("file-content-cataloger", fn) @@ -112,15 +102,12 @@ func NewExecutableCatalogerTask(selection file.Selection, cfg executable.Config) accessor := builder.(sbomsync.Accessor) result, err := cat.Catalog(resolver) - if err != nil { - return err - } accessor.WriteToSBOM(func(sbom *sbom.SBOM) { sbom.Artifacts.Executables = result }) - return nil + return err } return NewTask("file-executable-cataloger", fn) diff --git a/internal/task/package_task_factory.go b/internal/task/package_task_factory.go index 0ee59810f6d..10ef6b63950 100644 --- a/internal/task/package_task_factory.go +++ b/internal/task/package_task_factory.go @@ -82,7 +82,7 @@ func (f PackageTaskFactories) Tasks(cfg CatalogingFactoryConfig) ([]Task, error) // NewPackageTask creates a Task function for a generic pkg.Cataloger, honoring the common configuration options. // -//nolint:funlen +//nolint:funlen,gocognit func NewPackageTask(cfg CatalogingFactoryConfig, c pkg.Cataloger, tags ...string) Task { fn := func(ctx context.Context, resolver file.Resolver, sbom sbomsync.Builder) error { catalogerName := c.Name() @@ -101,9 +101,6 @@ func NewPackageTask(cfg CatalogingFactoryConfig, c pkg.Cataloger, tags ...string t := bus.StartCatalogerTask(info, -1, "") pkgs, relationships, err := c.Catalog(ctx, resolver) - if err != nil { - return fmt.Errorf("unable to catalog packages with %q: %w", c.Name(), err) - } log.WithFields("cataloger", c.Name()).Debugf("discovered %d packages", len(pkgs)) @@ -147,7 +144,7 @@ func NewPackageTask(cfg CatalogingFactoryConfig, c pkg.Cataloger, tags ...string t.SetCompleted() log.WithFields("name", c.Name()).Trace("package cataloger completed") - return nil + return err } tags = append(tags, pkgcataloging.PackageTag) diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go new file mode 100644 index 00000000000..e3a6bc9c9b3 --- /dev/null +++ b/internal/task/unknowns_tasks.go @@ -0,0 +1,68 @@ +package task + +import ( + "context" + "fmt" + + "github.com/mholt/archiver/v3" + + "github.com/anchore/syft/internal/sbomsync" + "github.com/anchore/syft/syft/file" + "github.com/anchore/syft/syft/sbom" +) + +type UnknownsConfig struct { + IncludeExecutablesWithoutPackages bool + IncludeUnexpandedArchives bool +} + +func DefaultUnknownsConfig() UnknownsConfig { + return UnknownsConfig{ + IncludeExecutablesWithoutPackages: true, + IncludeUnexpandedArchives: true, + } +} + +func NewUnknownsFinalizeTask(cfg UnknownsConfig) Task { + return NewTask("unknowns-finalize", cfg.processUnknowns) +} + +// processUnknowns removes unknown entries that have valid packages reported for the locations +func (c UnknownsConfig) processUnknowns(_ context.Context, _ file.Resolver, builder sbomsync.Builder) error { + accessor := builder.(sbomsync.Accessor) + accessor.WriteToSBOM(func(s *sbom.SBOM) { + allPackageCoords := file.NewCoordinateSet() + for p := range s.Artifacts.Packages.Enumerate() { + allPackageCoords.Add(p.Locations.CoordinateSet().ToSlice()...) + } + + for coords := range s.Artifacts.Unknowns { + if !allPackageCoords.Contains(coords) { + continue + } + delete(s.Artifacts.Unknowns, coords) + } + + if s.Artifacts.Unknowns == nil { + s.Artifacts.Unknowns = map[file.Coordinates][]string{} + } + + if c.IncludeExecutablesWithoutPackages { + for coords := range s.Artifacts.Executables { + if !allPackageCoords.Contains(coords) { + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], fmt.Sprintf("no package identified in executable file: %s", coords.RealPath)) + } + } + } + + if c.IncludeUnexpandedArchives { + for coords := range s.Artifacts.FileMetadata { + unarchiver, notArchiveErr := archiver.ByExtension(coords.RealPath) + if unarchiver != nil && notArchiveErr == nil && !allPackageCoords.Contains(coords) { + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], fmt.Sprintf("archive not extracted: %s", coords.RealPath)) + } + } + } + }) + return nil +} diff --git a/internal/unknown/errors.go b/internal/unknown/errors.go new file mode 100644 index 00000000000..a7e8f13de2e --- /dev/null +++ b/internal/unknown/errors.go @@ -0,0 +1,167 @@ +package unknown + +import ( + "errors" + "fmt" + "strings" + + "github.com/anchore/syft/syft/file" +) + +type hasCoordinates interface { + GetCoordinates() file.Coordinates +} + +type CoordinateError struct { + Coordinates file.Coordinates + Reason error +} + +var _ error = (*CoordinateError)(nil) + +func (u *CoordinateError) Error() string { + if u.Coordinates.FileSystemID == "" { + return fmt.Sprintf("%s: %v", u.Coordinates.RealPath, u.Reason) + } + return fmt.Sprintf("%s (%s): %v", u.Coordinates.RealPath, u.Coordinates.FileSystemID, u.Reason) +} + +// New returns a new CoordinateError unless the reason is a CoordinateError itself, in which case +// reason will be returned directly or if reason is nil, nil will be returned +func New(coords hasCoordinates, reason error) *CoordinateError { + if reason == nil { + return nil + } + coordinates := coords.GetCoordinates() + reasonCoordinateError := &CoordinateError{} + if errors.As(reason, &reasonCoordinateError) { + // if the reason is already a coordinate error, it is potentially for a different location, + // so we do not want to surface this location having an error + return reasonCoordinateError + } + return &CoordinateError{ + Coordinates: coordinates, + Reason: reason, + } +} + +// Newf returns a new CoordinateError with a reason of an error created from given format and args +func Newf(coords hasCoordinates, format string, args ...any) *CoordinateError { + return New(coords, fmt.Errorf(format, args...)) +} + +// Append returns an error joined to the first error/set of errors, with a new CoordinateError appended to the end +func Append(errs error, coords hasCoordinates, reason error) error { + return Join(errs, New(coords, reason)) +} + +// Appendf returns an error joined to the first error/set of errors, with a new CoordinateError appended to the end, +// created from the given reason and args +func Appendf(errs error, coords hasCoordinates, format string, args ...any) error { + return Append(errs, coords, fmt.Errorf(format, args...)) +} + +// Join joins the provided sets of errors together in a flattened manner, taking into account nested errors created +// from other sources, including errors.Join, multierror.Append, and unknown.Join +func Join(errs ...error) error { + var out []error + for _, err := range errs { + out = append(out, flatten(err)...) + } + if len(out) == 1 { + return out[0] + } + return errors.Join(out...) +} + +// Joinf joins the provided sets of errors together in a flattened manner, taking into account nested errors created +// from other sources, including errors.Join, multierror.Append, and unknown.Join and appending a new error, +// created from the format and args provided -- the error is NOT a CoordinateError +func Joinf(errs error, format string, args ...any) error { + return Join(errs, fmt.Errorf(format, args...)) +} + +// ExtractCoordinateErrors extracts all coordinate errors returned, and any _additional_ errors in the graph +// are encapsulated in the second, error return parameter +func ExtractCoordinateErrors(err error) (coordinateErrors []CoordinateError, remainingErrors error) { + remainingErrors = visitErrors(err, func(e error) error { + if coordinateError, _ := e.(*CoordinateError); coordinateError != nil { + coordinateErrors = append(coordinateErrors, *coordinateError) + return nil + } + return e + }) + return coordinateErrors, remainingErrors +} + +func flatten(errs ...error) []error { + var out []error + for _, err := range errs { + if err == nil { + continue + } + // turn all errors nested under a coordinate error to individual coordinate errors + if e, ok := err.(*CoordinateError); ok { + if e == nil { + continue + } + for _, r := range flatten(e.Reason) { + out = append(out, New(e.Coordinates, r)) + } + } else + // from multierror.Append + if e, ok := err.(interface{ WrappedErrors() []error }); ok { + if e == nil { + continue + } + out = append(out, flatten(e.WrappedErrors()...)...) + } else + // from errors.Join + if e, ok := err.(interface{ Unwrap() []error }); ok { + if e == nil { + continue + } + out = append(out, flatten(e.Unwrap()...)...) + } else { + out = append(out, err) + } + } + return out +} + +// visitErrors visits every wrapped error. the returned error replaces the provided error, null errors are omitted from +// the object graph +func visitErrors(err error, fn func(error) error) error { + // unwrap errors from errors.Join + if errs, ok := err.(interface{ Unwrap() []error }); ok { + var out []error + for _, e := range errs.Unwrap() { + out = append(out, visitErrors(e, fn)) + } + // errors.Join omits nil errors and will return nil if all passed errors are nil + return errors.Join(out...) + } + // unwrap errors from multierror.Append -- these also implement Unwrap() error, so check this first + if errs, ok := err.(interface{ WrappedErrors() []error }); ok { + var out []error + for _, e := range errs.WrappedErrors() { + out = append(out, visitErrors(e, fn)) + } + // errors.Join omits nil errors and will return nil if all passed errors are nil + return errors.Join(out...) + } + // unwrap singly wrapped errors + if e, ok := err.(interface{ Unwrap() error }); ok { + wrapped := e.Unwrap() + got := visitErrors(wrapped, fn) + if got == nil { + return nil + } + if wrapped.Error() != got.Error() { + prefix := strings.TrimSuffix(err.Error(), wrapped.Error()) + return fmt.Errorf("%s%w", prefix, got) + } + return err + } + return fn(err) +} diff --git a/internal/unknown/errors_test.go b/internal/unknown/errors_test.go new file mode 100644 index 00000000000..886e0c5bd59 --- /dev/null +++ b/internal/unknown/errors_test.go @@ -0,0 +1,213 @@ +package unknown + +import ( + "errors" + "fmt" + "strings" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/anchore/syft/syft/file" +) + +func Test_visitErrors(t *testing.T) { + tests := []struct { + name string `` + in error + transform func(error) error + expected string + }{ + { + name: "return", + in: fmt.Errorf("err1"), + transform: func(e error) error { + return e + }, + expected: "err1", + }, + { + name: "omit", + in: fmt.Errorf("err1"), + transform: func(_ error) error { + return nil + }, + expected: "", + }, + { + name: "wrapped return", + in: fmt.Errorf("wrapped: %w", fmt.Errorf("err1")), + transform: func(e error) error { + return e + }, + expected: "wrapped: err1", + }, + { + name: "wrapped omit", + in: fmt.Errorf("wrapped: %w", fmt.Errorf("err1")), + transform: func(e error) error { + if e.Error() == "err1" { + return nil + } + return e + }, + expected: "", + }, + { + name: "joined return", + in: errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2")), + transform: func(e error) error { + return e + }, + expected: "err1\nerr2", + }, + { + name: "joined omit", + in: errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2")), + transform: func(_ error) error { + return nil + }, + expected: "", + }, + { + name: "joined omit first", + in: errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2")), + transform: func(e error) error { + if e.Error() == "err1" { + return nil + } + return e + }, + expected: "err2", + }, + { + name: "joined wrapped return", + in: errors.Join(fmt.Errorf("wrapped: %w", fmt.Errorf("err1")), fmt.Errorf("err2")), + transform: func(e error) error { + return e + }, + expected: "wrapped: err1\nerr2", + }, + { + name: "joined wrapped omit first", + in: errors.Join(fmt.Errorf("wrapped: %w", fmt.Errorf("err1")), fmt.Errorf("err2")), + transform: func(e error) error { + if e.Error() == "err1" { + return nil + } + return e + }, + expected: "err2", + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + gotErr := visitErrors(test.in, test.transform) + got := fmt.Sprintf("%v", gotErr) + require.Equal(t, test.expected, got) + }) + } +} + +func Test_Join(t *testing.T) { + tests := []struct { + name string `` + in []error + expected string + }{ + { + name: "basic", + in: []error{fmt.Errorf("err")}, + expected: "err", + }, + { + name: "wrapped", + in: []error{fmt.Errorf("outer: %w", fmt.Errorf("err"))}, + expected: "outer: err", + }, + { + name: "wrapped joined", + in: []error{errors.Join(fmt.Errorf("outer: %w", fmt.Errorf("err1")), fmt.Errorf("err2"))}, + expected: "outer: err1\nerr2", + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + got := Join(test.in...) + if test.expected == "" { + require.Nil(t, got) + return + } + require.NotNil(t, got) + require.Equal(t, test.expected, got.Error()) + }) + } +} + +func Test_flatten(t *testing.T) { + coords := file.Coordinates{ + RealPath: "real/path", + } + e1 := fmt.Errorf("e1") + e2 := fmt.Errorf("e2") + c1 := New(coords, fmt.Errorf("c1")) + c2 := New(coords, fmt.Errorf("c2")) + tests := []struct { + name string `` + in error + expected string + }{ + { + name: "basic", + in: errors.Join(e1, e2), + expected: "e1//e2", + }, + { + name: "coords", + in: New(coords, e1), + expected: "real/path: e1", + }, + { + name: "coords with joined children", + in: New(coords, errors.Join(e1, e2)), + expected: "real/path: e1//real/path: e2", + }, + { + name: "very nested", + in: errors.Join(errors.Join(errors.Join(errors.Join(e1, c1), e2), c2), e2), + expected: "e1//real/path: c1//e2//real/path: c2//e2", + }, + } + toString := func(errs ...error) string { + var parts []string + for _, e := range errs { + parts = append(parts, e.Error()) + } + return strings.Join(parts, "//") + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + got := flatten(test.in) + require.NotNil(t, got) + require.Equal(t, test.expected, toString(got...)) + }) + } +} + +func Test_Append(t *testing.T) { + e1 := New(file.NewLocation("l1"), fmt.Errorf("e1")) + e2 := Append(e1, file.NewLocation("l2"), fmt.Errorf("e2")) + e3 := Appendf(e2, file.NewLocation("l3"), "%s", "e3") + require.Equal(t, "l1: e1\nl2: e2\nl3: e3", e3.Error()) + + e1 = New(file.NewLocation("l1"), nil) + require.Nil(t, e1) + e2 = Append(e1, file.NewLocation("l2"), fmt.Errorf("e2")) + e3 = Appendf(e2, file.NewLocation("l3"), "%s", "e3") + require.Equal(t, "l2: e2\nl3: e3", e3.Error()) + + e1 = New(file.NewLocation("l1"), fmt.Errorf("e1")) + e2 = Append(e1, file.NewLocation("l2"), nil) + e3 = Appendf(e2, file.NewLocation("l3"), "%s", "e3") + require.Equal(t, "l1: e1\nl3: e3", e3.Error()) +} diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go index 1f7deb18d72..ca9212152d8 100644 --- a/syft/create_sbom_config.go +++ b/syft/create_sbom_config.go @@ -165,6 +165,7 @@ func (c *CreateSBOMConfig) makeTaskGroups(src source.Description) ([][]task.Task // generate package and file tasks based on the configuration environmentTasks := c.environmentTasks() relationshipsTasks := c.relationshipTasks(src) + unknownTasks := c.unknownTasks() fileTasks := c.fileTasks() pkgTasks, selectionEvidence, err := c.packageTasks(src) if err != nil { @@ -184,6 +185,11 @@ func (c *CreateSBOMConfig) makeTaskGroups(src source.Description) ([][]task.Task taskGroups = append(taskGroups, relationshipsTasks) } + // all unknown cleanup should happen after almost everything else + if len(unknownTasks) > 0 { + taskGroups = append(taskGroups, unknownTasks) + } + // identifying the environment (i.e. the linux release) must be done first as this is required for package cataloging taskGroups = append( [][]task.Task{ @@ -329,6 +335,18 @@ func (c *CreateSBOMConfig) environmentTasks() []task.Task { return tsks } +// unknownTasks returns a set of tasks that perform any necessary post-processing +// to identify SBOM elements as unknowns +func (c *CreateSBOMConfig) unknownTasks() []task.Task { + var tasks []task.Task + + if t := task.NewUnknownsFinalizeTask(task.DefaultUnknownsConfig()); t != nil { + tasks = append(tasks, t) + } + + return tasks +} + func (c *CreateSBOMConfig) validate() error { if c.Relationships.ExcludeBinaryPackagesWithFileOwnershipOverlap { if !c.Relationships.PackageFileOwnershipOverlap { diff --git a/syft/file/cataloger/executable/cataloger.go b/syft/file/cataloger/executable/cataloger.go index b0f10e15d02..971774c9e77 100644 --- a/syft/file/cataloger/executable/cataloger.go +++ b/syft/file/cataloger/executable/cataloger.go @@ -15,6 +15,7 @@ import ( "github.com/anchore/syft/internal/bus" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/mimetype" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/event/monitor" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/internal/unionreader" @@ -45,6 +46,8 @@ func NewCataloger(cfg Config) *Cataloger { } func (i *Cataloger) Catalog(resolver file.Resolver) (map[file.Coordinates]file.Executable, error) { + var errs error + locs, err := resolver.FilesByMIMEType(i.config.MIMETypes...) if err != nil { return nil, fmt.Errorf("unable to get file locations for binaries: %w", err) @@ -61,7 +64,11 @@ func (i *Cataloger) Catalog(resolver file.Resolver) (map[file.Coordinates]file.E for _, loc := range locs { prog.AtomicStage.Set(loc.Path()) - exec := processExecutableLocation(loc, resolver) + exec, err := processExecutableLocation(loc, resolver) + if err != nil { + errs = unknown.Append(errs, loc, err) + continue + } if exec != nil { prog.Increment() @@ -74,30 +81,29 @@ func (i *Cataloger) Catalog(resolver file.Resolver) (map[file.Coordinates]file.E prog.AtomicStage.Set(fmt.Sprintf("%s executables", humanize.Comma(prog.Current()))) prog.SetCompleted() - return results, nil + return results, errs } -func processExecutableLocation(loc file.Location, resolver file.Resolver) *file.Executable { +func processExecutableLocation(loc file.Location, resolver file.Resolver) (*file.Executable, error) { reader, err := resolver.FileContentsByLocation(loc) if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Warnf("unable to get file contents for %q", loc.RealPath) - return nil + return nil, fmt.Errorf("unable to get file contents: %w", err) } defer internal.CloseAndLogError(reader, loc.RealPath) uReader, err := unionreader.GetUnionReader(reader) if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Warnf("unable to get union reader for %q", loc.RealPath) - return nil + return nil, fmt.Errorf("unable to get union reader: %w", err) } exec, err := processExecutable(loc, uReader) if err != nil { log.WithFields("error", err).Warnf("unable to process executable %q", loc.RealPath) + return nil, fmt.Errorf("unable to process executable %w", err) } - return exec + return exec, nil } func catalogingProgress(locations int64) *monitor.CatalogerTaskProgress { @@ -157,6 +163,7 @@ func processExecutable(loc file.Location, reader unionreader.UnionReader) (*file } if format == "" { + // this is not an "unknown", so just log -- this binary does not have parseable data in it log.Debugf("unable to determine executable format for %q", loc.RealPath) return nil, nil } @@ -166,15 +173,15 @@ func processExecutable(loc file.Location, reader unionreader.UnionReader) (*file switch format { case file.ELF: if err := findELFFeatures(&data, reader); err != nil { - log.WithFields("error", err).Tracef("unable to determine ELF features for %q", loc.RealPath) + return nil, fmt.Errorf("unable to determine ELF features: %w", err) } case file.PE: if err := findPEFeatures(&data, reader); err != nil { - log.WithFields("error", err).Tracef("unable to determine PE features for %q", loc.RealPath) + return nil, fmt.Errorf("unable to determine PE features: %w", err) } case file.MachO: if err := findMachoFeatures(&data, reader); err != nil { - log.WithFields("error", err).Tracef("unable to determine Macho features for %q", loc.RealPath) + return nil, fmt.Errorf("unable to determine Macho features: %w", err) } } diff --git a/syft/file/cataloger/filecontent/cataloger.go b/syft/file/cataloger/filecontent/cataloger.go index 36a411d3949..b88257308e0 100644 --- a/syft/file/cataloger/filecontent/cataloger.go +++ b/syft/file/cataloger/filecontent/cataloger.go @@ -13,6 +13,7 @@ import ( "github.com/anchore/syft/internal/bus" intFile "github.com/anchore/syft/internal/file" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/event/monitor" "github.com/anchore/syft/syft/file" ) @@ -46,6 +47,7 @@ func NewCataloger(cfg Config) *Cataloger { func (i *Cataloger) Catalog(_ context.Context, resolver file.Resolver) (map[file.Coordinates]string, error) { results := make(map[file.Coordinates]string) var locations []file.Location + var errs error locations, err := resolver.FilesByGlob(i.globs...) if err != nil { @@ -59,8 +61,9 @@ func (i *Cataloger) Catalog(_ context.Context, resolver file.Resolver) (map[file metadata, err := resolver.FileMetadataByLocation(location) if err != nil { + errs = unknown.Append(errs, location, err) prog.SetError(err) - return nil, err + continue } if i.skipFilesAboveSizeInBytes > 0 && metadata.Size() > i.skipFilesAboveSizeInBytes { @@ -69,12 +72,12 @@ func (i *Cataloger) Catalog(_ context.Context, resolver file.Resolver) (map[file result, err := i.catalogLocation(resolver, location) if internal.IsErrPathPermission(err) { - log.Debugf("file contents cataloger skipping - %+v", err) + errs = unknown.Append(errs, location, fmt.Errorf("permission error reading file contents: %w", err)) continue } if err != nil { - prog.SetError(err) - return nil, err + errs = unknown.Append(errs, location, err) + continue } prog.Increment() @@ -87,7 +90,7 @@ func (i *Cataloger) Catalog(_ context.Context, resolver file.Resolver) (map[file prog.AtomicStage.Set(fmt.Sprintf("%s files", humanize.Comma(prog.Current()))) prog.SetCompleted() - return results, nil + return results, errs } func (i *Cataloger) catalogLocation(resolver file.Resolver, location file.Location) (string, error) { diff --git a/syft/file/cataloger/filedigest/cataloger.go b/syft/file/cataloger/filedigest/cataloger.go index e5d8c347e96..f8aa9ace116 100644 --- a/syft/file/cataloger/filedigest/cataloger.go +++ b/syft/file/cataloger/filedigest/cataloger.go @@ -13,6 +13,7 @@ import ( "github.com/anchore/syft/internal/bus" intFile "github.com/anchore/syft/internal/file" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/event/monitor" "github.com/anchore/syft/syft/file" intCataloger "github.com/anchore/syft/syft/file/cataloger/internal" @@ -33,6 +34,7 @@ func NewCataloger(hashes []crypto.Hash) *Cataloger { func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordinates ...file.Coordinates) (map[file.Coordinates][]file.Digest, error) { results := make(map[file.Coordinates][]file.Digest) var locations []file.Location + var errs error if len(coordinates) == 0 { locations = intCataloger.AllRegularFiles(ctx, resolver) @@ -58,12 +60,14 @@ func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordin if internal.IsErrPathPermission(err) { log.Debugf("file digests cataloger skipping %q: %+v", location.RealPath, err) + errs = unknown.Append(errs, location, err) continue } if err != nil { prog.SetError(err) - return nil, fmt.Errorf("failed to process file %q: %w", location.RealPath, err) + errs = unknown.Append(errs, location, err) + continue } prog.Increment() @@ -76,7 +80,7 @@ func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordin prog.AtomicStage.Set(fmt.Sprintf("%s files", humanize.Comma(prog.Current()))) prog.SetCompleted() - return results, nil + return results, errs } func (i *Cataloger) catalogLocation(resolver file.Resolver, location file.Location) ([]file.Digest, error) { diff --git a/syft/file/cataloger/filemetadata/cataloger.go b/syft/file/cataloger/filemetadata/cataloger.go index e6935df73d7..b158e751ddc 100644 --- a/syft/file/cataloger/filemetadata/cataloger.go +++ b/syft/file/cataloger/filemetadata/cataloger.go @@ -8,6 +8,7 @@ import ( "github.com/anchore/syft/internal/bus" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/event/monitor" "github.com/anchore/syft/syft/file" ) @@ -20,6 +21,7 @@ func NewCataloger() *Cataloger { } func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordinates ...file.Coordinates) (map[file.Coordinates]file.Metadata, error) { + var errs error results := make(map[file.Coordinates]file.Metadata) var locations <-chan file.Location ctx, cancel := context.WithCancel(ctx) @@ -34,7 +36,7 @@ func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordin for _, c := range coordinates { locs, err := resolver.FilesByPath(c.RealPath) if err != nil { - log.Warn("unable to get file locations for path %q: %w", c.RealPath, err) + errs = unknown.Append(errs, c, err) continue } for _, loc := range locs { @@ -71,7 +73,7 @@ func (i *Cataloger) Catalog(ctx context.Context, resolver file.Resolver, coordin prog.AtomicStage.Set(fmt.Sprintf("%s locations", humanize.Comma(prog.Current()))) prog.SetCompleted() - return results, nil + return results, errs } func catalogingProgress(locations int64) *monitor.CatalogerTaskProgress { diff --git a/syft/file/coordinates.go b/syft/file/coordinates.go index 16256c31b17..0d6cd0ec34a 100644 --- a/syft/file/coordinates.go +++ b/syft/file/coordinates.go @@ -39,3 +39,7 @@ func (c Coordinates) String() string { } return fmt.Sprintf("Location<%s>", str) } + +func (c Coordinates) GetCoordinates() Coordinates { + return c +} diff --git a/syft/format/syftjson/model/file.go b/syft/format/syftjson/model/file.go index a98349f4104..0ce0d92b306 100644 --- a/syft/format/syftjson/model/file.go +++ b/syft/format/syftjson/model/file.go @@ -13,6 +13,7 @@ type File struct { Digests []file.Digest `json:"digests,omitempty"` Licenses []FileLicense `json:"licenses,omitempty"` Executable *file.Executable `json:"executable,omitempty"` + Unknowns []string `json:"unknowns,omitempty"` } type FileMetadataEntry struct { diff --git a/syft/format/syftjson/to_format_model.go b/syft/format/syftjson/to_format_model.go index 42ec48f77d2..a5cd128a8b4 100644 --- a/syft/format/syftjson/to_format_model.go +++ b/syft/format/syftjson/to_format_model.go @@ -101,6 +101,11 @@ func toFile(s sbom.SBOM) []model.File { contents = contentsForLocation } + var unknowns []string + if unknownsForLocation, exists := artifacts.Unknowns[coordinates]; exists { + unknowns = unknownsForLocation + } + var licenses []model.FileLicense for _, l := range artifacts.FileLicenses[coordinates] { var evidence *model.FileLicenseEvidence @@ -132,6 +137,7 @@ func toFile(s sbom.SBOM) []model.File { Contents: contents, Licenses: licenses, Executable: executable, + Unknowns: unknowns, }) } diff --git a/syft/format/syftjson/to_syft_model.go b/syft/format/syftjson/to_syft_model.go index b2b1916e26d..154b8fa8e65 100644 --- a/syft/format/syftjson/to_syft_model.go +++ b/syft/format/syftjson/to_syft_model.go @@ -38,6 +38,7 @@ func toSyftModel(doc model.Document) *sbom.SBOM { FileContents: fileArtifacts.FileContents, FileLicenses: fileArtifacts.FileLicenses, Executables: fileArtifacts.Executables, + Unknowns: fileArtifacts.Unknowns, LinuxDistribution: toSyftLinuxRelease(doc.Distro), }, Source: *toSyftSourceData(doc.Source), @@ -66,6 +67,7 @@ func deduplicateErrors(errors []error) []string { return errorMessages } +//nolint:funlen func toSyftFiles(files []model.File) sbom.Artifacts { ret := sbom.Artifacts{ FileMetadata: make(map[file.Coordinates]file.Metadata), @@ -73,6 +75,7 @@ func toSyftFiles(files []model.File) sbom.Artifacts { FileContents: make(map[file.Coordinates]string), FileLicenses: make(map[file.Coordinates][]file.License), Executables: make(map[file.Coordinates]file.Executable), + Unknowns: make(map[file.Coordinates][]string), } for _, f := range files { @@ -130,6 +133,10 @@ func toSyftFiles(files []model.File) sbom.Artifacts { if f.Executable != nil { ret.Executables[coord] = *f.Executable } + + if len(f.Unknowns) > 0 { + ret.Unknowns[coord] = f.Unknowns + } } return ret diff --git a/syft/pkg/cataloger/arch/parse_alpm_db.go b/syft/pkg/cataloger/arch/parse_alpm_db.go index cb068df8156..98366c60429 100644 --- a/syft/pkg/cataloger/arch/parse_alpm_db.go +++ b/syft/pkg/cataloger/arch/parse_alpm_db.go @@ -17,6 +17,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -41,6 +42,8 @@ type parsedData struct { // parseAlpmDB parses the arch linux pacman database flat-files and returns the packages and relationships found within. func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { + var errs error + data, err := parseAlpmDBEntry(reader) if err != nil { return nil, nil, err @@ -54,8 +57,14 @@ func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environ // replace the files found the pacman database with the files from the mtree These contain more metadata and // thus more useful. - files, fileLoc := fetchPkgFiles(base, resolver) - backups, backupLoc := fetchBackupFiles(base, resolver) + files, fileLoc, err := fetchPkgFiles(base, resolver) + if err != nil { + errs = unknown.Join(errs, err) + } + backups, backupLoc, err := fetchBackupFiles(base, resolver) + if err != nil { + errs = unknown.Join(errs, err) + } var locs []file.Location if fileLoc != nil { @@ -69,7 +78,7 @@ func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environ } if data.Package == "" { - return nil, nil, nil + return nil, nil, errs } return []pkg.Package{ @@ -79,63 +88,63 @@ func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environ reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation), locs..., ), - }, nil, nil + }, nil, errs } -func fetchPkgFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location) { +func fetchPkgFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location, error) { // TODO: probably want to use MTREE and PKGINFO here target := path.Join(base, "mtree") loc, err := getLocation(target, resolver) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to find mtree file") - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to find mtree file: %w", err)) } if loc == nil { - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, nil } reader, err := resolver.FileContentsByLocation(*loc) if err != nil { - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) } defer internal.CloseAndLogError(reader, loc.RealPath) pkgFiles, err := parseMtree(reader) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to parse mtree file") - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to parse mtree: %w", err)) } - return pkgFiles, loc + return pkgFiles, loc, nil } -func fetchBackupFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location) { +func fetchBackupFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location, error) { // We only really do this to get any backup database entries from the files database target := filepath.Join(base, "files") loc, err := getLocation(target, resolver) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to find alpm files") - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to find alpm files: %w", err)) } if loc == nil { - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, nil } reader, err := resolver.FileContentsByLocation(*loc) if err != nil { - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) } defer internal.CloseAndLogError(reader, loc.RealPath) filesMetadata, err := parseAlpmDBEntry(reader) if err != nil { - return []pkg.AlpmFileRecord{}, nil + return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to parse alpm db entry: %w", err)) } if filesMetadata != nil { - return filesMetadata.Backup, loc + return filesMetadata.Backup, loc, nil } - return []pkg.AlpmFileRecord{}, loc + return []pkg.AlpmFileRecord{}, loc, nil } func parseAlpmDBEntry(reader io.Reader) (*parsedData, error) { diff --git a/syft/pkg/cataloger/binary/classifier_cataloger.go b/syft/pkg/cataloger/binary/classifier_cataloger.go index 7352202d4d8..62a9baa5403 100644 --- a/syft/pkg/cataloger/binary/classifier_cataloger.go +++ b/syft/pkg/cataloger/binary/classifier_cataloger.go @@ -8,6 +8,7 @@ import ( "encoding/json" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -59,12 +60,14 @@ func (c cataloger) Name() string { func (c cataloger) Catalog(_ context.Context, resolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) { var packages []pkg.Package var relationships []artifact.Relationship + var errs error for _, cls := range c.classifiers { log.WithFields("classifier", cls.Class).Trace("cataloging binaries") newPkgs, err := catalog(resolver, cls) if err != nil { - log.WithFields("error", err, "classifier", cls.Class).Warn("unable to catalog binary package: %w", err) + log.WithFields("error", err, "classifier", cls.Class).Warn("unable to catalog binary package: %v", err) + errs = unknown.Join(errs, err) continue } newPackages: @@ -82,7 +85,7 @@ func (c cataloger) Catalog(_ context.Context, resolver file.Resolver) ([]pkg.Pac } } - return packages, relationships, nil + return packages, relationships, errs } // mergePackages merges information from the extra package into the target package @@ -98,6 +101,7 @@ func mergePackages(target *pkg.Package, extra *pkg.Package) { } func catalog(resolver file.Resolver, cls Classifier) (packages []pkg.Package, err error) { + var errs error locations, err := resolver.FilesByGlob(cls.FileGlob) if err != nil { return nil, err @@ -105,11 +109,12 @@ func catalog(resolver file.Resolver, cls Classifier) (packages []pkg.Package, er for _, location := range locations { pkgs, err := cls.EvidenceMatcher(cls, matcherContext{resolver: resolver, location: location}) if err != nil { - return nil, err + errs = unknown.Append(errs, location, err) + continue } packages = append(packages, pkgs...) } - return packages, nil + return packages, errs } // packagesMatch returns true if the binary packages "match" based on basic criteria diff --git a/syft/pkg/cataloger/binary/elf_package_cataloger.go b/syft/pkg/cataloger/binary/elf_package_cataloger.go index ae2b94d9e52..822b0739375 100644 --- a/syft/pkg/cataloger/binary/elf_package_cataloger.go +++ b/syft/pkg/cataloger/binary/elf_package_cataloger.go @@ -11,6 +11,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/mimetype" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/internal/unionreader" @@ -52,6 +53,7 @@ func (c *elfPackageCataloger) Name() string { } func (c *elfPackageCataloger) Catalog(_ context.Context, resolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) { + var errs error locations, err := resolver.FilesByMIMEType(mimetype.ExecutableMIMETypeSet.List()...) if err != nil { return nil, nil, fmt.Errorf("unable to get binary files by mime type: %w", err) @@ -62,7 +64,8 @@ func (c *elfPackageCataloger) Catalog(_ context.Context, resolver file.Resolver) for _, location := range locations { notes, key, err := parseElfPackageNotes(resolver, location, c) if err != nil { - return nil, nil, err + errs = unknown.Append(errs, location, err) + continue } if notes == nil { continue @@ -87,7 +90,7 @@ func (c *elfPackageCataloger) Catalog(_ context.Context, resolver file.Resolver) // why not return relationships? We have an executable cataloger that will note the dynamic libraries imported by // each binary. After all files and packages are processed there is a final task that creates package-to-package // and package-to-file relationships based on the dynamic libraries imported by each binary. - return pkgs, nil, nil + return pkgs, nil, errs } func parseElfPackageNotes(resolver file.Resolver, location file.Location, c *elfPackageCataloger) (*elfBinaryPackageNotes, elfPackageKey, error) { @@ -104,7 +107,7 @@ func parseElfPackageNotes(resolver file.Resolver, location file.Location, c *elf if err != nil { log.WithFields("file", location.Path(), "error", err).Trace("unable to parse ELF notes") - return nil, elfPackageKey{}, nil + return nil, elfPackageKey{}, err } if notes == nil { diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go index 3ec83f2298f..81049405ba0 100644 --- a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go +++ b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go @@ -28,30 +28,26 @@ func parseDotnetPortableExecutable(_ context.Context, _ file.Resolver, _ *generi peFile, err := pe.NewBytes(by, &pe.Options{}) if err != nil { - // TODO: known-unknown log.Tracef("unable to create PE instance for file '%s': %v", f.RealPath, err) - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to create PE instance for file '%s': %v", f.RealPath, err) } err = peFile.Parse() if err != nil { - // TODO: known-unknown log.Tracef("unable to parse PE file '%s': %v", f.RealPath, err) - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to parse PE file '%s': %v", f.RealPath, err) } versionResources, err := peFile.ParseVersionResources() if err != nil { - // TODO: known-unknown log.Tracef("unable to parse version resources in PE file: %s: %v", f.RealPath, err) - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to parse version resources in PE file: %s: %v", f.RealPath, err) } dotNetPkg, err := buildDotNetPackage(versionResources, f) if err != nil { - // TODO: known-unknown log.Tracef("unable to build dotnet package: %v", err) - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to build dotnet package: %v", err) } return []pkg.Package{dotNetPkg}, nil, nil diff --git a/syft/pkg/cataloger/elixir/parse_mix_lock.go b/syft/pkg/cataloger/elixir/parse_mix_lock.go index 28ba38c3d63..ba286d2b89b 100644 --- a/syft/pkg/cataloger/elixir/parse_mix_lock.go +++ b/syft/pkg/cataloger/elixir/parse_mix_lock.go @@ -9,6 +9,7 @@ import ( "regexp" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -22,25 +23,30 @@ var mixLockDelimiter = regexp.MustCompile(`[%{}\n" ,:]+`) // parseMixLock parses a mix.lock and returns the discovered Elixir packages. func parseMixLock(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { + var errs error r := bufio.NewReader(reader) var packages []pkg.Package + lineNum := 0 for { + lineNum++ line, err := r.ReadString('\n') switch { case errors.Is(io.EOF, err): - return packages, nil, nil + return packages, nil, errs case err != nil: return nil, nil, fmt.Errorf("failed to parse mix.lock file: %w", err) } tokens := mixLockDelimiter.Split(line, -1) if len(tokens) < 6 { + errs = unknown.Appendf(errs, reader, "unable to read mix lock line %d: %s", lineNum, line) continue } name, version, hash, hashExt := tokens[1], tokens[4], tokens[5], tokens[len(tokens)-2] if name == "" { log.WithFields("path", reader.RealPath).Debug("skipping empty package name from mix.lock file") + errs = unknown.Appendf(errs, reader, "skipping empty package name from mix.lock file, for line: %d: %s", lineNum, line) continue } diff --git a/syft/pkg/cataloger/erlang/parse_otp_app.go b/syft/pkg/cataloger/erlang/parse_otp_app.go index dcea41c18e1..09edd1b3ae1 100644 --- a/syft/pkg/cataloger/erlang/parse_otp_app.go +++ b/syft/pkg/cataloger/erlang/parse_otp_app.go @@ -2,6 +2,7 @@ package erlang import ( "context" + "fmt" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/syft/artifact" @@ -17,7 +18,7 @@ func parseOTPApp(_ context.Context, _ file.Resolver, _ *generic.Environment, rea // there are multiple file formats that use the *.app extension, so it's possible that this is not an OTP app file at all // ... which means we should not return an error here log.WithFields("error", err).Trace("unable to parse Erlang OTP app") - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to parse Erlang OTP app") } var packages []pkg.Package diff --git a/syft/pkg/cataloger/generic/cataloger.go b/syft/pkg/cataloger/generic/cataloger.go index 49e1b47b936..0fba7cf7a79 100644 --- a/syft/pkg/cataloger/generic/cataloger.go +++ b/syft/pkg/cataloger/generic/cataloger.go @@ -6,6 +6,7 @@ import ( "github.com/anchore/go-logger" "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/linux" @@ -151,6 +152,7 @@ func (c *Cataloger) Name() string { func (c *Cataloger) Catalog(ctx context.Context, resolver file.Resolver) ([]pkg.Package, []artifact.Relationship, error) { var packages []pkg.Package var relationships []artifact.Relationship + var errs error logger := log.Nested("cataloger", c.upstreamCataloger) @@ -166,7 +168,8 @@ func (c *Cataloger) Catalog(ctx context.Context, resolver file.Resolver) ([]pkg. discoveredPackages, discoveredRelationships, err := invokeParser(ctx, resolver, location, logger, parser, &env) if err != nil { - continue // logging is handled within invokeParser + // parsers may return errors and valid packages / relationships + errs = unknown.Append(errs, location, err) } for _, p := range discoveredPackages { @@ -176,7 +179,7 @@ func (c *Cataloger) Catalog(ctx context.Context, resolver file.Resolver) ([]pkg. relationships = append(relationships, discoveredRelationships...) } - return c.process(ctx, resolver, packages, relationships, nil) + return c.process(ctx, resolver, packages, relationships, errs) } func (c *Cataloger) process(ctx context.Context, resolver file.Resolver, pkgs []pkg.Package, rels []artifact.Relationship, err error) ([]pkg.Package, []artifact.Relationship, error) { @@ -196,11 +199,10 @@ func invokeParser(ctx context.Context, resolver file.Resolver, location file.Loc discoveredPackages, discoveredRelationships, err := parser(ctx, resolver, env, file.NewLocationReadCloser(location, contentReader)) if err != nil { - logger.WithFields("location", location.RealPath, "error", err).Warnf("cataloger failed") - return nil, nil, err + logger.WithFields("location", location.RealPath, "error", err).Warnf("cataloger returned errors") } - return discoveredPackages, discoveredRelationships, nil + return discoveredPackages, discoveredRelationships, err } // selectFiles takes a set of file trees and resolves and file references of interest for future cataloging diff --git a/syft/pkg/cataloger/gentoo/parse_portage_contents.go b/syft/pkg/cataloger/gentoo/parse_portage_contents.go index 553976ea251..56370d0124b 100644 --- a/syft/pkg/cataloger/gentoo/parse_portage_contents.go +++ b/syft/pkg/cataloger/gentoo/parse_portage_contents.go @@ -35,7 +35,7 @@ func parsePortageContents(_ context.Context, resolver file.Resolver, _ *generic. name, version := cpvMatch[1], cpvMatch[2] if name == "" || version == "" { log.WithFields("path", reader.Location.RealPath).Warnf("failed to parse portage name and version") - return nil, nil, nil + return nil, nil, fmt.Errorf("failed to parse portage name and version") } p := pkg.Package{ diff --git a/syft/pkg/cataloger/githubactions/package.go b/syft/pkg/cataloger/githubactions/package.go index 7d6341d3c2c..ff1567a913a 100644 --- a/syft/pkg/cataloger/githubactions/package.go +++ b/syft/pkg/cataloger/githubactions/package.go @@ -1,6 +1,7 @@ package githubactions import ( + "fmt" "strings" "github.com/anchore/packageurl-go" @@ -9,19 +10,19 @@ import ( "github.com/anchore/syft/syft/pkg" ) -func newPackageFromUsageStatement(use string, location file.Location) *pkg.Package { +func newPackageFromUsageStatement(use string, location file.Location) (*pkg.Package, error) { name, version := parseStepUsageStatement(use) if name == "" { log.WithFields("file", location.RealPath, "statement", use).Trace("unable to parse github action usage statement") - return nil + return nil, fmt.Errorf("unable to parse github action usage statement") } if strings.Contains(name, ".github/workflows/") { - return newGithubActionWorkflowPackageUsage(name, version, location) + return newGithubActionWorkflowPackageUsage(name, version, location), nil } - return newGithubActionPackageUsage(name, version, location) + return newGithubActionPackageUsage(name, version, location), nil } func newGithubActionWorkflowPackageUsage(name, version string, workflowLocation file.Location) *pkg.Package { diff --git a/syft/pkg/cataloger/githubactions/parse_composite_action.go b/syft/pkg/cataloger/githubactions/parse_composite_action.go index 99a20d282e7..3236679deab 100644 --- a/syft/pkg/cataloger/githubactions/parse_composite_action.go +++ b/syft/pkg/cataloger/githubactions/parse_composite_action.go @@ -7,6 +7,7 @@ import ( "gopkg.in/yaml.v3" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -24,14 +25,14 @@ type compositeActionRunsDef struct { } func parseCompositeActionForActionUsage(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { - contents, err := io.ReadAll(reader) - if err != nil { - return nil, nil, fmt.Errorf("unable to read yaml composite action file: %w", err) + contents, errs := io.ReadAll(reader) + if errs != nil { + return nil, nil, fmt.Errorf("unable to read yaml composite action file: %w", errs) } var ca compositeActionDef - if err = yaml.Unmarshal(contents, &ca); err != nil { - return nil, nil, fmt.Errorf("unable to parse yaml composite action file: %w", err) + if errs = yaml.Unmarshal(contents, &ca); errs != nil { + return nil, nil, fmt.Errorf("unable to parse yaml composite action file: %w", errs) } // we use a collection to help with deduplication before raising to higher level processing @@ -42,11 +43,14 @@ func parseCompositeActionForActionUsage(_ context.Context, _ file.Resolver, _ *g continue } - p := newPackageFromUsageStatement(step.Uses, reader.Location) + p, err := newPackageFromUsageStatement(step.Uses, reader.Location) + if err != nil { + errs = unknown.Append(errs, reader, err) + } if p != nil { pkgs.Add(*p) } } - return pkgs.Sorted(), nil, nil + return pkgs.Sorted(), nil, errs } diff --git a/syft/pkg/cataloger/githubactions/parse_workflow.go b/syft/pkg/cataloger/githubactions/parse_workflow.go index 880248cca10..2480caf08ff 100644 --- a/syft/pkg/cataloger/githubactions/parse_workflow.go +++ b/syft/pkg/cataloger/githubactions/parse_workflow.go @@ -7,6 +7,7 @@ import ( "gopkg.in/yaml.v3" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -37,14 +38,14 @@ type stepDef struct { } func parseWorkflowForWorkflowUsage(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { - contents, err := io.ReadAll(reader) - if err != nil { - return nil, nil, fmt.Errorf("unable to read yaml workflow file: %w", err) + contents, errs := io.ReadAll(reader) + if errs != nil { + return nil, nil, fmt.Errorf("unable to read yaml workflow file: %w", errs) } var wf workflowDef - if err = yaml.Unmarshal(contents, &wf); err != nil { - return nil, nil, fmt.Errorf("unable to parse yaml workflow file: %w", err) + if errs = yaml.Unmarshal(contents, &wf); errs != nil { + return nil, nil, fmt.Errorf("unable to parse yaml workflow file: %w", errs) } // we use a collection to help with deduplication before raising to higher level processing @@ -52,25 +53,28 @@ func parseWorkflowForWorkflowUsage(_ context.Context, _ file.Resolver, _ *generi for _, job := range wf.Jobs { if job.Uses != "" { - p := newPackageFromUsageStatement(job.Uses, reader.Location) + p, err := newPackageFromUsageStatement(job.Uses, reader.Location) + if err != nil { + errs = unknown.Append(errs, reader, err) + } if p != nil { pkgs.Add(*p) } } } - return pkgs.Sorted(), nil, nil + return pkgs.Sorted(), nil, errs } func parseWorkflowForActionUsage(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { - contents, err := io.ReadAll(reader) - if err != nil { - return nil, nil, fmt.Errorf("unable to read yaml workflow file: %w", err) + contents, errs := io.ReadAll(reader) + if errs != nil { + return nil, nil, fmt.Errorf("unable to read yaml workflow file: %w", errs) } var wf workflowDef - if err = yaml.Unmarshal(contents, &wf); err != nil { - return nil, nil, fmt.Errorf("unable to parse yaml workflow file: %w", err) + if errs = yaml.Unmarshal(contents, &wf); errs != nil { + return nil, nil, fmt.Errorf("unable to parse yaml workflow file: %w", errs) } // we use a collection to help with deduplication before raising to higher level processing @@ -81,12 +85,15 @@ func parseWorkflowForActionUsage(_ context.Context, _ file.Resolver, _ *generic. if step.Uses == "" { continue } - p := newPackageFromUsageStatement(step.Uses, reader.Location) + p, err := newPackageFromUsageStatement(step.Uses, reader.Location) + if err != nil { + errs = unknown.Append(errs, reader, err) + } if p != nil { pkgs.Add(*p) } } } - return pkgs.Sorted(), nil, nil + return pkgs.Sorted(), nil, errs } diff --git a/syft/pkg/cataloger/golang/parse_go_binary.go b/syft/pkg/cataloger/golang/parse_go_binary.go index 88600355cc7..e07a29f778c 100644 --- a/syft/pkg/cataloger/golang/parse_go_binary.go +++ b/syft/pkg/cataloger/golang/parse_go_binary.go @@ -65,9 +65,9 @@ func (c *goBinaryCataloger) parseGoBinary(_ context.Context, resolver file.Resol if err != nil { return nil, nil, err } + defer internal.CloseAndLogError(reader.ReadCloser, reader.RealPath) - mods := scanFile(unionReader, reader.RealPath) - internal.CloseAndLogError(reader.ReadCloser, reader.RealPath) + mods, errs := scanFile(reader.Location, unionReader) var rels []artifact.Relationship for _, mod := range mods { @@ -80,7 +80,7 @@ func (c *goBinaryCataloger) parseGoBinary(_ context.Context, resolver file.Resol pkgs = append(pkgs, depPkgs...) } - return pkgs, rels, nil + return pkgs, rels, errs } func createModuleRelationships(main pkg.Package, deps []pkg.Package) []artifact.Relationship { diff --git a/syft/pkg/cataloger/golang/scan_binary.go b/syft/pkg/cataloger/golang/scan_binary.go index 846e34a11b4..c6a3cfc340c 100644 --- a/syft/pkg/cataloger/golang/scan_binary.go +++ b/syft/pkg/cataloger/golang/scan_binary.go @@ -9,6 +9,8 @@ import ( "github.com/kastenhq/goversion/version" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" + "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/internal/unionreader" ) @@ -19,20 +21,21 @@ type extendedBuildInfo struct { } // scanFile scans file to try to report the Go and module versions. -func scanFile(reader unionreader.UnionReader, filename string) []*extendedBuildInfo { +func scanFile(location file.Location, reader unionreader.UnionReader) ([]*extendedBuildInfo, error) { // NOTE: multiple readers are returned to cover universal binaries, which are files // with more than one binary - readers, err := unionreader.GetReaders(reader) - if err != nil { - log.WithFields("error", err).Warnf("failed to open a golang binary") - return nil + readers, errs := unionreader.GetReaders(reader) + if errs != nil { + log.WithFields("error", errs).Warnf("failed to open a golang binary") + return nil, fmt.Errorf("failed to open a golang binary: %w", errs) } var builds []*extendedBuildInfo for _, r := range readers { bi, err := getBuildInfo(r) if err != nil { - log.WithFields("file", filename, "error", err).Trace("unable to read golang buildinfo") + log.WithFields("file", location.RealPath, "error", err).Trace("unable to read golang buildinfo") + continue } // it's possible the reader just isn't a go binary, in which case just skip it @@ -42,23 +45,25 @@ func scanFile(reader unionreader.UnionReader, filename string) []*extendedBuildI v, err := getCryptoInformation(r) if err != nil { - log.WithFields("file", filename, "error", err).Trace("unable to read golang version info") + log.WithFields("file", location.RealPath, "error", err).Trace("unable to read golang version info") // don't skip this build info. // we can still catalog packages, even if we can't get the crypto information + errs = unknown.Appendf(errs, location, "unable to read golang version info: %w", err) } arch := getGOARCH(bi.Settings) if arch == "" { arch, err = getGOARCHFromBin(r) if err != nil { - log.WithFields("file", filename, "error", err).Trace("unable to read golang arch info") + log.WithFields("file", location.RealPath, "error", err).Trace("unable to read golang arch info") // don't skip this build info. // we can still catalog packages, even if we can't get the arch information + errs = unknown.Appendf(errs, location, "unable to read golang arch info: %w", err) } } builds = append(builds, &extendedBuildInfo{bi, v, arch}) } - return builds + return builds, errs } func getCryptoInformation(reader io.ReaderAt) ([]string, error) { diff --git a/syft/pkg/cataloger/haskell/parse_stack_lock.go b/syft/pkg/cataloger/haskell/parse_stack_lock.go index eb8b854754f..9765543547e 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_lock.go +++ b/syft/pkg/cataloger/haskell/parse_stack_lock.go @@ -50,7 +50,7 @@ func parseStackLock(_ context.Context, _ file.Resolver, _ *generic.Environment, if err := yaml.Unmarshal(bytes, &lockFile); err != nil { log.WithFields("error", err).Tracef("failed to parse stack.yaml.lock file %q", reader.RealPath) - return nil, nil, nil + return nil, nil, fmt.Errorf("failed to parse stack.yaml.lock file") } var ( diff --git a/syft/pkg/cataloger/haskell/parse_stack_yaml.go b/syft/pkg/cataloger/haskell/parse_stack_yaml.go index 4ecb6af96ac..137695073a8 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_yaml.go +++ b/syft/pkg/cataloger/haskell/parse_stack_yaml.go @@ -31,7 +31,7 @@ func parseStackYaml(_ context.Context, _ file.Resolver, _ *generic.Environment, if err := yaml.Unmarshal(bytes, &stackFile); err != nil { log.WithFields("error", err).Tracef("failed to parse stack.yaml file %q", reader.RealPath) - return nil, nil, nil + return nil, nil, fmt.Errorf("failed to parse stack.yaml file") } var pkgs []pkg.Package diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index 134e8f18af3..f9fc3a72387 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -11,6 +11,7 @@ import ( intFile "github.com/anchore/syft/internal/file" "github.com/anchore/syft/internal/licenses" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -133,6 +134,9 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re } pkgs = append(pkgs, nestedPkgs...) relationships = append(relationships, nestedRelationships...) + } else { + // TODO detect if there are nested archives before indicating they were not searched + err = unknown.Appendf(err, j.location, "not searched for nested archives") } // lastly, add the parent package to the list (assuming the parent exists) @@ -153,7 +157,11 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re p.SetID() } - return pkgs, relationships, nil + if len(pkgs) == 0 { + err = unknown.Appendf(err, j.location, "no package identified in archive") + } + + return pkgs, relationships, err } // discoverMainPackage parses the root Java manifest used as the parent package to all discovered nested packages. diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go index b1677ae8870..95eb6136ff5 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json.go +++ b/syft/pkg/cataloger/javascript/parse_package_json.go @@ -66,7 +66,7 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment if !p.hasNameAndVersionValues() { log.Debugf("encountered package.json file without a name and/or version field, ignoring (path=%q)", reader.Path()) - return nil, nil, nil + return nil, nil, fmt.Errorf("encountered package.json file without a name and/or version field") } pkgs = append( diff --git a/syft/pkg/cataloger/kernel/cataloger.go b/syft/pkg/cataloger/kernel/cataloger.go index d0cc4d131bf..877e9819bd1 100644 --- a/syft/pkg/cataloger/kernel/cataloger.go +++ b/syft/pkg/cataloger/kernel/cataloger.go @@ -6,9 +6,8 @@ package kernel import ( "context" - "github.com/hashicorp/go-multierror" - "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -62,7 +61,7 @@ func (l linuxKernelCataloger) Catalog(ctx context.Context, resolver file.Resolve kernelPackages, kernelRelationships, err := generic.NewCataloger(l.Name()).WithParserByGlobs(parseLinuxKernelFile, kernelArchiveGlobs...).Catalog(ctx, resolver) if err != nil { - errs = multierror.Append(errs, err) + errs = unknown.Join(errs, err) } allRelationships = append(allRelationships, kernelRelationships...) @@ -71,7 +70,7 @@ func (l linuxKernelCataloger) Catalog(ctx context.Context, resolver file.Resolve if l.cfg.CatalogModules { modulePackages, moduleRelationships, err := generic.NewCataloger(l.Name()).WithParserByGlobs(parseLinuxKernelModuleFile, kernelModuleGlobs...).Catalog(ctx, resolver) if err != nil { - errs = multierror.Append(errs, err) + errs = unknown.Join(errs, err) } allPackages = append(allPackages, modulePackages...) diff --git a/syft/pkg/cataloger/lua/parse_rockspec.go b/syft/pkg/cataloger/lua/parse_rockspec.go index a11709fa8e5..de109e77e5d 100644 --- a/syft/pkg/cataloger/lua/parse_rockspec.go +++ b/syft/pkg/cataloger/lua/parse_rockspec.go @@ -2,6 +2,7 @@ package lua import ( "context" + "fmt" "strings" "github.com/anchore/syft/internal/log" @@ -30,7 +31,7 @@ func parseRockspec(_ context.Context, _ file.Resolver, _ *generic.Environment, r doc, err := parseRockspecData(reader) if err != nil { log.WithFields("error", err).Trace("unable to parse Rockspec app") - return nil, nil, nil + return nil, nil, fmt.Errorf("unable to parse Rockspec app: %w", err) } var name, version, license, homepage, description, url string diff --git a/syft/pkg/cataloger/python/parse_requirements.go b/syft/pkg/cataloger/python/parse_requirements.go index 7ef49f6627c..ceef32698a6 100644 --- a/syft/pkg/cataloger/python/parse_requirements.go +++ b/syft/pkg/cataloger/python/parse_requirements.go @@ -13,6 +13,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -94,6 +95,7 @@ func newRequirementsParser(cfg CatalogerConfig) requirementsParser { // parseRequirementsTxt takes a Python requirements.txt file, returning all Python packages that are locked to a // specific version. func (rp requirementsParser) parseRequirementsTxt(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { + var errs error var packages []pkg.Package scanner := bufio.NewScanner(reader) @@ -126,6 +128,7 @@ func (rp requirementsParser) parseRequirementsTxt(_ context.Context, _ file.Reso req := newRequirement(line) if req == nil { log.WithFields("path", reader.RealPath).Warnf("unable to parse requirements.txt line: %q", line) + errs = unknown.Appendf(errs, reader, "unable to parse requirements.txt line: %q", line) continue } @@ -134,6 +137,7 @@ func (rp requirementsParser) parseRequirementsTxt(_ context.Context, _ file.Reso if version == "" { log.WithFields("path", reader.RealPath).Tracef("unable to determine package version in requirements.txt line: %q", line) + errs = unknown.Appendf(errs, reader, "unable to determine package version in requirements.txt line: %q", line) continue } @@ -158,7 +162,7 @@ func (rp requirementsParser) parseRequirementsTxt(_ context.Context, _ file.Reso return nil, nil, fmt.Errorf("failed to parse python requirements file: %w", err) } - return packages, nil, nil + return packages, nil, errs } func parseVersion(version string, guessFromConstraint bool) string { diff --git a/syft/pkg/cataloger/python/parse_setup.go b/syft/pkg/cataloger/python/parse_setup.go index ccbe916f544..2763a38a200 100644 --- a/syft/pkg/cataloger/python/parse_setup.go +++ b/syft/pkg/cataloger/python/parse_setup.go @@ -7,6 +7,7 @@ import ( "strings" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -24,6 +25,7 @@ var _ generic.Parser = parseSetup var pinnedDependency = regexp.MustCompile(`['"]\W?(\w+\W?==\W?[\w.]*)`) func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { + var errs error var packages []pkg.Package scanner := bufio.NewScanner(reader) @@ -51,6 +53,7 @@ func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, read if name == "" || version == "" { log.WithFields("path", reader.RealPath).Debugf("unable to parse package in setup.py line: %q", line) + errs = unknown.Appendf(errs, reader, "unable to parse package in setup.py line: %q", line) continue } @@ -65,7 +68,7 @@ func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, read } } - return packages, nil, nil + return packages, nil, errs } func hasTemplateDirective(s string) bool { diff --git a/syft/pkg/cataloger/redhat/parse_rpm_db.go b/syft/pkg/cataloger/redhat/parse_rpm_db.go index d2954213703..016bb13f65c 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_db.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_db.go @@ -9,6 +9,7 @@ import ( rpmdb "github.com/knqyf263/go-rpmdb/pkg" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/linux" @@ -58,11 +59,15 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm distro = env.LinuxRelease } + var errs error for _, entry := range pkgList { if entry == nil { continue } + files, err := extractRpmFileRecords(resolver, *entry) + errs = unknown.Join(errs, err) + metadata := pkg.RpmDBEntry{ Name: entry.Name, Version: entry.Version, @@ -73,7 +78,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm Vendor: entry.Vendor, Size: entry.Size, ModularityLabel: &entry.Modularitylabel, - Files: extractRpmFileRecords(resolver, *entry), + Files: files, Provides: entry.Provides, Requires: entry.Requires, } @@ -88,6 +93,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm if !pkg.IsValid(&p) { log.WithFields("location", reader.RealPath, "pkg", fmt.Sprintf("%s@%s", entry.Name, entry.Version)). Warn("ignoring invalid package found in RPM DB") + errs = unknown.Appendf(errs, reader, "invalild package found; name: %s, version: %s", entry.Name, entry.Version) continue } @@ -95,7 +101,7 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm allPkgs = append(allPkgs, p) } - return allPkgs, nil, nil + return allPkgs, nil, errs } // The RPM naming scheme is [name]-[version]-[release]-[arch], where version is implicitly expands to [epoch]:[version]. @@ -111,13 +117,13 @@ func toELVersion(epoch *int, version, release string) string { return fmt.Sprintf("%s-%s", version, release) } -func extractRpmFileRecords(resolver file.PathResolver, entry rpmdb.PackageInfo) []pkg.RpmFileRecord { +func extractRpmFileRecords(resolver file.PathResolver, entry rpmdb.PackageInfo) ([]pkg.RpmFileRecord, error) { var records = make([]pkg.RpmFileRecord, 0) files, err := entry.InstalledFiles() if err != nil { log.Warnf("unable to parse listing of installed files for RPM DB entry: %s", err.Error()) - return records + return records, fmt.Errorf("unable to parse listing of installed files for RPM DB entry: %w", err) } for _, record := range files { @@ -137,5 +143,5 @@ func extractRpmFileRecords(resolver file.PathResolver, entry rpmdb.PackageInfo) }) } } - return records + return records, nil } diff --git a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go index 9c0185aef00..a927a6da1d0 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -19,6 +20,7 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment r := bufio.NewReader(reader) allPkgs := make([]pkg.Package, 0) + var errs error for { line, err := r.ReadString('\n') if err != nil { @@ -35,11 +37,13 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment metadata, err := newMetadataFromManifestLine(strings.TrimSuffix(line, "\n")) if err != nil { log.Warnf("unable to parse RPM manifest entry: %+v", err) + errs = unknown.Appendf(errs, reader, "unable to parse RPM manifest entry: %+v", err) continue } if metadata == nil { log.Warn("unable to parse RPM manifest entry: no metadata found") + errs = unknown.Appendf(errs, reader, "unable to parse RPM manifest entry: no metadata found") continue } @@ -53,5 +57,5 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment allPkgs = append(allPkgs, p) } - return allPkgs, nil, nil + return allPkgs, nil, errs } diff --git a/syft/pkg/cataloger/rust/parse_audit_binary.go b/syft/pkg/cataloger/rust/parse_audit_binary.go index afa09a058cf..25525e91656 100644 --- a/syft/pkg/cataloger/rust/parse_audit_binary.go +++ b/syft/pkg/cataloger/rust/parse_audit_binary.go @@ -3,6 +3,7 @@ package rust import ( "context" "errors" + "fmt" rustaudit "github.com/microsoft/go-rustaudit" @@ -23,21 +24,22 @@ func parseAuditBinary(_ context.Context, _ file.Resolver, _ *generic.Environment return nil, nil, err } - for _, versionInfo := range parseAuditBinaryEntry(unionReader, reader.RealPath) { + infos, err := parseAuditBinaryEntry(unionReader, reader.RealPath) + for _, versionInfo := range infos { pkgs = append(pkgs, newPackagesFromAudit(reader.Location, versionInfo)...) } - return pkgs, nil, nil + return pkgs, nil, err } // scanFile scans file to try to report the Rust crate dependencies -func parseAuditBinaryEntry(reader unionreader.UnionReader, filename string) []rustaudit.VersionInfo { +func parseAuditBinaryEntry(reader unionreader.UnionReader, filename string) ([]rustaudit.VersionInfo, error) { // NOTE: multiple readers are returned to cover universal binaries, which are files // with more than one binary readers, err := unionreader.GetReaders(reader) if err != nil { log.Warnf("rust cataloger: failed to open a binary: %v", err) - return nil + return nil, fmt.Errorf("rust cataloger: failed to open a binary: %w", err) } var versionInfos []rustaudit.VersionInfo @@ -48,14 +50,14 @@ func parseAuditBinaryEntry(reader unionreader.UnionReader, filename string) []ru if errors.Is(err, rustaudit.ErrNoRustDepInfo) { // since the cataloger can only select executables and not distinguish if they are a Rust-compiled // binary, we should not show warnings/logs in this case. - return nil + return nil, nil } log.Tracef("rust cataloger: unable to read dependency information (file=%q): %v", filename, err) - return nil + return nil, fmt.Errorf("rust cataloger: unable to read dependency information: %w", err) } versionInfos = append(versionInfos, versionInfo) } - return versionInfos + return versionInfos, nil } diff --git a/syft/pkg/cataloger/swift/parse_package_resolved.go b/syft/pkg/cataloger/swift/parse_package_resolved.go index 71ccb13ea21..5bd023e8945 100644 --- a/syft/pkg/cataloger/swift/parse_package_resolved.go +++ b/syft/pkg/cataloger/swift/parse_package_resolved.go @@ -71,7 +71,7 @@ func parsePackageResolved(_ context.Context, _ file.Resolver, _ *generic.Environ if packageResolvedData["version"] == nil { log.Trace("no version found in Package.resolved file, skipping") - return nil, nil, nil + return nil, nil, fmt.Errorf("no version found in Package.resolved file") } version, ok := packageResolvedData["version"].(float64) diff --git a/syft/sbom/sbom.go b/syft/sbom/sbom.go index b3f3cd74ff9..4dc5833c24e 100644 --- a/syft/sbom/sbom.go +++ b/syft/sbom/sbom.go @@ -26,6 +26,7 @@ type Artifacts struct { FileContents map[file.Coordinates]string FileLicenses map[file.Coordinates][]file.License Executables map[file.Coordinates]file.Executable + Unknowns map[file.Coordinates][]string LinuxDistribution *linux.Release } @@ -60,6 +61,9 @@ func (s SBOM) AllCoordinates() []file.Coordinates { for coordinates := range s.Artifacts.FileDigests { set.Add(coordinates) } + for coordinates := range s.Artifacts.Unknowns { + set.Add(coordinates) + } for _, relationship := range s.Relationships { for _, coordinates := range extractCoordinates(relationship) { set.Add(coordinates) diff --git a/test/cli/test-fixtures/image-unknowns/Dockerfile b/test/cli/test-fixtures/image-unknowns/Dockerfile new file mode 100644 index 00000000000..2dbaafb03d6 --- /dev/null +++ b/test/cli/test-fixtures/image-unknowns/Dockerfile @@ -0,0 +1,2 @@ +FROM alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 +COPY . /home/files diff --git a/test/cli/test-fixtures/image-unknowns/exe b/test/cli/test-fixtures/image-unknowns/exe new file mode 100644 index 00000000000..e69de29bb2d diff --git a/test/cli/test-fixtures/image-unknowns/executable-script b/test/cli/test-fixtures/image-unknowns/executable-script new file mode 100755 index 00000000000..07c90f31c81 --- /dev/null +++ b/test/cli/test-fixtures/image-unknowns/executable-script @@ -0,0 +1,2 @@ +#!/bin/sh +echo "hello" diff --git a/test/cli/test-fixtures/image-unknowns/package-lock.json b/test/cli/test-fixtures/image-unknowns/package-lock.json new file mode 100644 index 00000000000..6649985c546 --- /dev/null +++ b/test/cli/test-fixtures/image-unknowns/package-lock.json @@ -0,0 +1,3 @@ +invalid [{ + +}] \ No newline at end of file diff --git a/test/cli/test-fixtures/image-unknowns/unextracted.tar.gz b/test/cli/test-fixtures/image-unknowns/unextracted.tar.gz new file mode 100644 index 00000000000..e69de29bb2d diff --git a/test/cli/test-fixtures/image-unknowns/unextracted.zip b/test/cli/test-fixtures/image-unknowns/unextracted.zip new file mode 100644 index 00000000000..e69de29bb2d diff --git a/test/cli/test-fixtures/image-unknowns/unknown-readable.jar b/test/cli/test-fixtures/image-unknowns/unknown-readable.jar new file mode 100644 index 0000000000000000000000000000000000000000..a4defd8b54f2c8d6d4ca6ce5e1d326c2d14e9d18 GIT binary patch literal 209 zcmWIWW@Zs#-~hsFVaFmEpgJ|J0ew`sW^a`JOuw9&pOz?8%eikC+$&yxBQg%r4%R1S$fV7vRmvB*Kia g3t0|i7Yw{@1hI&)Il!Bh4WyJ22m^t17Kp Date: Wed, 26 Jun 2024 02:12:11 -0400 Subject: [PATCH 02/51] chore: bump schema Signed-off-by: Keith Zantow --- internal/constants.go | 2 +- schema/json/schema-16.0.15.json | 2543 +++++++++++++++++++++++++++++++ schema/json/schema-latest.json | 8 +- 3 files changed, 2551 insertions(+), 2 deletions(-) create mode 100644 schema/json/schema-16.0.15.json diff --git a/internal/constants.go b/internal/constants.go index 478556fdb4f..6d1dd197439 100644 --- a/internal/constants.go +++ b/internal/constants.go @@ -3,5 +3,5 @@ package internal const ( // JSONSchemaVersion is the current schema version output by the JSON encoder // This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment. - JSONSchemaVersion = "16.0.14" + JSONSchemaVersion = "16.0.15" ) diff --git a/schema/json/schema-16.0.15.json b/schema/json/schema-16.0.15.json new file mode 100644 index 00000000000..934d154e642 --- /dev/null +++ b/schema/json/schema-16.0.15.json @@ -0,0 +1,2543 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "anchore.io/schema/syft/json/16.0.15/document", + "$ref": "#/$defs/Document", + "$defs": { + "AlpmDbEntry": { + "properties": { + "basepackage": { + "type": "string" + }, + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "description": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "packager": { + "type": "string" + }, + "url": { + "type": "string" + }, + "validation": { + "type": "string" + }, + "reason": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "backup": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "basepackage", + "package", + "version", + "description", + "architecture", + "size", + "packager", + "url", + "validation", + "reason", + "files", + "backup" + ] + }, + "AlpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + }, + "uid": { + "type": "string" + }, + "gid": { + "type": "string" + }, + "time": { + "type": "string", + "format": "date-time" + }, + "size": { + "type": "string" + }, + "link": { + "type": "string" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object" + }, + "ApkDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "originPackage": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "version": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "url": { + "type": "string" + }, + "description": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "installedSize": { + "type": "integer" + }, + "pullDependencies": { + "items": { + "type": "string" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pullChecksum": { + "type": "string" + }, + "gitCommitOfApkPort": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/ApkFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "originPackage", + "maintainer", + "version", + "architecture", + "url", + "description", + "size", + "installedSize", + "pullDependencies", + "provides", + "pullChecksum", + "gitCommitOfApkPort", + "files" + ] + }, + "ApkFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "ownerUid": { + "type": "string" + }, + "ownerGid": { + "type": "string" + }, + "permissions": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "BinarySignature": { + "properties": { + "matches": { + "items": { + "$ref": "#/$defs/ClassifierMatch" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "matches" + ] + }, + "CConanFileEntry": { + "properties": { + "ref": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanInfoEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + }, + "prev": { + "type": "string" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "build_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "py_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "options": { + "$ref": "#/$defs/KeyValues" + }, + "path": { + "type": "string" + }, + "context": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockV2Entry": { + "properties": { + "ref": { + "type": "string" + }, + "packageID": { + "type": "string" + }, + "username": { + "type": "string" + }, + "channel": { + "type": "string" + }, + "recipeRevision": { + "type": "string" + }, + "packageRevision": { + "type": "string" + }, + "timestamp": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CPE": { + "properties": { + "cpe": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "cpe" + ] + }, + "ClassifierMatch": { + "properties": { + "classifier": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Location" + } + }, + "type": "object", + "required": [ + "classifier", + "location" + ] + }, + "CocoaPodfileLockEntry": { + "properties": { + "checksum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "checksum" + ] + }, + "Coordinates": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "DartPubspecLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "hosted_url": { + "type": "string" + }, + "vcs_url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Descriptor": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "configuration": true + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Digest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "Document": { + "properties": { + "artifacts": { + "items": { + "$ref": "#/$defs/Package" + }, + "type": "array" + }, + "artifactRelationships": { + "items": { + "$ref": "#/$defs/Relationship" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/File" + }, + "type": "array" + }, + "source": { + "$ref": "#/$defs/Source" + }, + "distro": { + "$ref": "#/$defs/LinuxRelease" + }, + "descriptor": { + "$ref": "#/$defs/Descriptor" + }, + "schema": { + "$ref": "#/$defs/Schema" + } + }, + "type": "object", + "required": [ + "artifacts", + "artifactRelationships", + "source", + "distro", + "descriptor", + "schema" + ] + }, + "DotnetDepsEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "path": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "hashPath": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "path", + "sha512", + "hashPath" + ] + }, + "DotnetPortableExecutableEntry": { + "properties": { + "assemblyVersion": { + "type": "string" + }, + "legalCopyright": { + "type": "string" + }, + "comments": { + "type": "string" + }, + "internalName": { + "type": "string" + }, + "companyName": { + "type": "string" + }, + "productName": { + "type": "string" + }, + "productVersion": { + "type": "string" + } + }, + "type": "object", + "required": [ + "assemblyVersion", + "legalCopyright", + "companyName", + "productName", + "productVersion" + ] + }, + "DpkgDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "source": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "preDepends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/DpkgFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "source", + "version", + "sourceVersion", + "architecture", + "maintainer", + "installedSize", + "files" + ] + }, + "DpkgFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "isConfigFile": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "path", + "isConfigFile" + ] + }, + "ELFSecurityFeatures": { + "properties": { + "symbolTableStripped": { + "type": "boolean" + }, + "stackCanary": { + "type": "boolean" + }, + "nx": { + "type": "boolean" + }, + "relRO": { + "type": "string" + }, + "pie": { + "type": "boolean" + }, + "dso": { + "type": "boolean" + }, + "safeStack": { + "type": "boolean" + }, + "cfi": { + "type": "boolean" + }, + "fortify": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "symbolTableStripped", + "nx", + "relRO", + "pie", + "dso" + ] + }, + "ElfBinaryPackageNoteJsonPayload": { + "properties": { + "type": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "osCPE": { + "type": "string" + }, + "os": { + "type": "string" + }, + "osVersion": { + "type": "string" + }, + "system": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "sourceRepo": { + "type": "string" + }, + "commit": { + "type": "string" + } + }, + "type": "object" + }, + "ElixirMixLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "ErlangRebarLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "Executable": { + "properties": { + "format": { + "type": "string" + }, + "hasExports": { + "type": "boolean" + }, + "hasEntrypoint": { + "type": "boolean" + }, + "importedLibraries": { + "items": { + "type": "string" + }, + "type": "array" + }, + "elfSecurityFeatures": { + "$ref": "#/$defs/ELFSecurityFeatures" + } + }, + "type": "object", + "required": [ + "format", + "hasExports", + "hasEntrypoint", + "importedLibraries" + ] + }, + "File": { + "properties": { + "id": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Coordinates" + }, + "metadata": { + "$ref": "#/$defs/FileMetadataEntry" + }, + "contents": { + "type": "string" + }, + "digests": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/FileLicense" + }, + "type": "array" + }, + "executable": { + "$ref": "#/$defs/Executable" + }, + "unknowns": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "id", + "location" + ] + }, + "FileLicense": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "evidence": { + "$ref": "#/$defs/FileLicenseEvidence" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type" + ] + }, + "FileLicenseEvidence": { + "properties": { + "confidence": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "extent": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "confidence", + "offset", + "extent" + ] + }, + "FileMetadataEntry": { + "properties": { + "mode": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "linkDestination": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "groupID": { + "type": "integer" + }, + "mimeType": { + "type": "string" + }, + "size": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "mode", + "type", + "userID", + "groupID", + "mimeType", + "size" + ] + }, + "GoModuleBuildinfoEntry": { + "properties": { + "goBuildSettings": { + "$ref": "#/$defs/KeyValues" + }, + "goCompiledVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "h1Digest": { + "type": "string" + }, + "mainModule": { + "type": "string" + }, + "goCryptoSettings": { + "items": { + "type": "string" + }, + "type": "array" + }, + "goExperiments": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "goCompiledVersion", + "architecture" + ] + }, + "GoModuleEntry": { + "properties": { + "h1Digest": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackEntry": { + "properties": { + "pkgHash": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackLockEntry": { + "properties": { + "pkgHash": { + "type": "string" + }, + "snapshotURL": { + "type": "string" + } + }, + "type": "object" + }, + "IDLikes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "JavaArchive": { + "properties": { + "virtualPath": { + "type": "string" + }, + "manifest": { + "$ref": "#/$defs/JavaManifest" + }, + "pomProperties": { + "$ref": "#/$defs/JavaPomProperties" + }, + "pomProject": { + "$ref": "#/$defs/JavaPomProject" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "virtualPath" + ] + }, + "JavaManifest": { + "properties": { + "main": { + "$ref": "#/$defs/KeyValues" + }, + "sections": { + "items": { + "$ref": "#/$defs/KeyValues" + }, + "type": "array" + } + }, + "type": "object" + }, + "JavaPomParent": { + "properties": { + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object", + "required": [ + "groupId", + "artifactId", + "version" + ] + }, + "JavaPomProject": { + "properties": { + "path": { + "type": "string" + }, + "parent": { + "$ref": "#/$defs/JavaPomParent" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "groupId", + "artifactId", + "version", + "name" + ] + }, + "JavaPomProperties": { + "properties": { + "path": { + "type": "string" + }, + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "scope": { + "type": "string" + }, + "extraFields": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "name", + "groupId", + "artifactId", + "version" + ] + }, + "JavascriptNpmPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "private": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "homepage", + "description", + "url", + "private" + ] + }, + "JavascriptNpmPackageLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "JavascriptYarnLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "KeyValue": { + "properties": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "key", + "value" + ] + }, + "KeyValues": { + "items": { + "$ref": "#/$defs/KeyValue" + }, + "type": "array" + }, + "License": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "urls": { + "items": { + "type": "string" + }, + "type": "array" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type", + "urls", + "locations" + ] + }, + "LinuxKernelArchive": { + "properties": { + "name": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "version": { + "type": "string" + }, + "extendedVersion": { + "type": "string" + }, + "buildTime": { + "type": "string" + }, + "author": { + "type": "string" + }, + "format": { + "type": "string" + }, + "rwRootFS": { + "type": "boolean" + }, + "swapDevice": { + "type": "integer" + }, + "rootDevice": { + "type": "integer" + }, + "videoMode": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "architecture", + "version" + ] + }, + "LinuxKernelModule": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "path": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "license": { + "type": "string" + }, + "kernelVersion": { + "type": "string" + }, + "versionMagic": { + "type": "string" + }, + "parameters": { + "patternProperties": { + ".*": { + "$ref": "#/$defs/LinuxKernelModuleParameter" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "LinuxKernelModuleParameter": { + "properties": { + "type": { + "type": "string" + }, + "description": { + "type": "string" + } + }, + "type": "object" + }, + "LinuxRelease": { + "properties": { + "prettyName": { + "type": "string" + }, + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "idLike": { + "$ref": "#/$defs/IDLikes" + }, + "version": { + "type": "string" + }, + "versionID": { + "type": "string" + }, + "versionCodename": { + "type": "string" + }, + "buildID": { + "type": "string" + }, + "imageID": { + "type": "string" + }, + "imageVersion": { + "type": "string" + }, + "variant": { + "type": "string" + }, + "variantID": { + "type": "string" + }, + "homeURL": { + "type": "string" + }, + "supportURL": { + "type": "string" + }, + "bugReportURL": { + "type": "string" + }, + "privacyPolicyURL": { + "type": "string" + }, + "cpeName": { + "type": "string" + }, + "supportEnd": { + "type": "string" + } + }, + "type": "object" + }, + "Location": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + }, + "accessPath": { + "type": "string" + }, + "annotations": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "accessPath" + ] + }, + "LuarocksPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "dependencies": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "name", + "version", + "license", + "homepage", + "description", + "url", + "dependencies" + ] + }, + "MicrosoftKbPatch": { + "properties": { + "product_id": { + "type": "string" + }, + "kb": { + "type": "string" + } + }, + "type": "object", + "required": [ + "product_id", + "kb" + ] + }, + "NixStoreEntry": { + "properties": { + "outputHash": { + "type": "string" + }, + "output": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "outputHash", + "files" + ] + }, + "Package": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "foundBy": { + "type": "string" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + }, + "licenses": { + "$ref": "#/$defs/licenses" + }, + "language": { + "type": "string" + }, + "cpes": { + "$ref": "#/$defs/cpes" + }, + "purl": { + "type": "string" + }, + "metadataType": { + "type": "string" + }, + "metadata": { + "anyOf": [ + { + "type": "null" + }, + { + "$ref": "#/$defs/AlpmDbEntry" + }, + { + "$ref": "#/$defs/ApkDbEntry" + }, + { + "$ref": "#/$defs/BinarySignature" + }, + { + "$ref": "#/$defs/CConanFileEntry" + }, + { + "$ref": "#/$defs/CConanInfoEntry" + }, + { + "$ref": "#/$defs/CConanLockEntry" + }, + { + "$ref": "#/$defs/CConanLockV2Entry" + }, + { + "$ref": "#/$defs/CocoaPodfileLockEntry" + }, + { + "$ref": "#/$defs/DartPubspecLockEntry" + }, + { + "$ref": "#/$defs/DotnetDepsEntry" + }, + { + "$ref": "#/$defs/DotnetPortableExecutableEntry" + }, + { + "$ref": "#/$defs/DpkgDbEntry" + }, + { + "$ref": "#/$defs/ElfBinaryPackageNoteJsonPayload" + }, + { + "$ref": "#/$defs/ElixirMixLockEntry" + }, + { + "$ref": "#/$defs/ErlangRebarLockEntry" + }, + { + "$ref": "#/$defs/GoModuleBuildinfoEntry" + }, + { + "$ref": "#/$defs/GoModuleEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackLockEntry" + }, + { + "$ref": "#/$defs/JavaArchive" + }, + { + "$ref": "#/$defs/JavascriptNpmPackage" + }, + { + "$ref": "#/$defs/JavascriptNpmPackageLockEntry" + }, + { + "$ref": "#/$defs/JavascriptYarnLockEntry" + }, + { + "$ref": "#/$defs/LinuxKernelArchive" + }, + { + "$ref": "#/$defs/LinuxKernelModule" + }, + { + "$ref": "#/$defs/LuarocksPackage" + }, + { + "$ref": "#/$defs/MicrosoftKbPatch" + }, + { + "$ref": "#/$defs/NixStoreEntry" + }, + { + "$ref": "#/$defs/PhpComposerInstalledEntry" + }, + { + "$ref": "#/$defs/PhpComposerLockEntry" + }, + { + "$ref": "#/$defs/PhpPeclEntry" + }, + { + "$ref": "#/$defs/PortageDbEntry" + }, + { + "$ref": "#/$defs/PythonPackage" + }, + { + "$ref": "#/$defs/PythonPipRequirementsEntry" + }, + { + "$ref": "#/$defs/PythonPipfileLockEntry" + }, + { + "$ref": "#/$defs/PythonPoetryLockEntry" + }, + { + "$ref": "#/$defs/RDescription" + }, + { + "$ref": "#/$defs/RpmArchive" + }, + { + "$ref": "#/$defs/RpmDbEntry" + }, + { + "$ref": "#/$defs/RubyGemspec" + }, + { + "$ref": "#/$defs/RustCargoAuditEntry" + }, + { + "$ref": "#/$defs/RustCargoLockEntry" + }, + { + "$ref": "#/$defs/SwiftPackageManagerLockEntry" + }, + { + "$ref": "#/$defs/WordpressPluginEntry" + } + ] + } + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "foundBy", + "locations", + "licenses", + "language", + "cpes", + "purl" + ] + }, + "PhpComposerAuthors": { + "properties": { + "name": { + "type": "string" + }, + "email": { + "type": "string" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name" + ] + }, + "PhpComposerExternalReference": { + "properties": { + "type": { + "type": "string" + }, + "url": { + "type": "string" + }, + "reference": { + "type": "string" + }, + "shasum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "type", + "url", + "reference" + ] + }, + "PhpComposerInstalledEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpComposerLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpPeclEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "PortageDbEntry": { + "properties": { + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/PortageFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "installedSize", + "files" + ] + }, + "PortageFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonDirectURLOriginInfo": { + "properties": { + "url": { + "type": "string" + }, + "commitId": { + "type": "string" + }, + "vcs": { + "type": "string" + } + }, + "type": "object", + "required": [ + "url" + ] + }, + "PythonFileDigest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "PythonFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/PythonFileDigest" + }, + "size": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/PythonFileRecord" + }, + "type": "array" + }, + "sitePackagesRootPath": { + "type": "string" + }, + "topLevelPackages": { + "items": { + "type": "string" + }, + "type": "array" + }, + "directUrlOrigin": { + "$ref": "#/$defs/PythonDirectURLOriginInfo" + }, + "requiresPython": { + "type": "string" + }, + "requiresDist": { + "items": { + "type": "string" + }, + "type": "array" + }, + "providesExtra": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "platform", + "sitePackagesRootPath" + ] + }, + "PythonPipRequirementsEntry": { + "properties": { + "name": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + }, + "versionConstraint": { + "type": "string" + }, + "url": { + "type": "string" + }, + "markers": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "versionConstraint" + ] + }, + "PythonPipfileLockEntry": { + "properties": { + "hashes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "index": { + "type": "string" + } + }, + "type": "object", + "required": [ + "hashes", + "index" + ] + }, + "PythonPoetryLockDependencyEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "markers": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "optional" + ] + }, + "PythonPoetryLockEntry": { + "properties": { + "index": { + "type": "string" + }, + "dependencies": { + "items": { + "$ref": "#/$defs/PythonPoetryLockDependencyEntry" + }, + "type": "array" + }, + "extras": { + "items": { + "$ref": "#/$defs/PythonPoetryLockExtraEntry" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "index", + "dependencies" + ] + }, + "PythonPoetryLockExtraEntry": { + "properties": { + "name": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "dependencies" + ] + }, + "RDescription": { + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "url": { + "items": { + "type": "string" + }, + "type": "array" + }, + "repository": { + "type": "string" + }, + "built": { + "type": "string" + }, + "needsCompilation": { + "type": "boolean" + }, + "imports": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "suggests": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "Relationship": { + "properties": { + "parent": { + "type": "string" + }, + "child": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "parent", + "child", + "type" + ] + }, + "RpmArchive": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmDbEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "userName": { + "type": "string" + }, + "groupName": { + "type": "string" + }, + "flags": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "mode", + "size", + "digest", + "userName", + "groupName", + "flags" + ] + }, + "RubyGemspec": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "RustCargoAuditEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source" + ] + }, + "RustCargoLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "checksum", + "dependencies" + ] + }, + "Schema": { + "properties": { + "version": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "version", + "url" + ] + }, + "Source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "metadata" + ] + }, + "SwiftPackageManagerLockEntry": { + "properties": { + "revision": { + "type": "string" + } + }, + "type": "object", + "required": [ + "revision" + ] + }, + "WordpressPluginEntry": { + "properties": { + "pluginInstallDirectory": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorUri": { + "type": "string" + } + }, + "type": "object", + "required": [ + "pluginInstallDirectory" + ] + }, + "cpes": { + "items": { + "$ref": "#/$defs/CPE" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/License" + }, + "type": "array" + } + } +} diff --git a/schema/json/schema-latest.json b/schema/json/schema-latest.json index 028f3004b6d..934d154e642 100644 --- a/schema/json/schema-latest.json +++ b/schema/json/schema-latest.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "anchore.io/schema/syft/json/16.0.14/document", + "$id": "anchore.io/schema/syft/json/16.0.15/document", "$ref": "#/$defs/Document", "$defs": { "AlpmDbEntry": { @@ -777,6 +777,12 @@ }, "executable": { "$ref": "#/$defs/Executable" + }, + "unknowns": { + "items": { + "type": "string" + }, + "type": "array" } }, "type": "object", From de79c958d1fd35bb66fbf268da7e92cdebc73350 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 09:47:38 -0400 Subject: [PATCH 03/51] chore: fix test Signed-off-by: Keith Zantow --- test/cli/unknowns_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/cli/unknowns_test.go b/test/cli/unknowns_test.go index 03ae3c024f0..00eac1d246c 100644 --- a/test/cli/unknowns_test.go +++ b/test/cli/unknowns_test.go @@ -19,9 +19,9 @@ func Test_Unknowns(t *testing.T) { env: map[string]string{"SYFT_FORMAT_PRETTY": "true"}, assertions: []traitAssertion{ assertJsonReport, - assertInOutput(`"unknowns":["no package identified in executable file"]`), - assertInOutput(`"unknowns":["unable to read files from java archive"]`), - assertInOutput(`"unknowns":["no package identified in archive"]`), + assertInOutput(`no package identified in executable file`), + assertInOutput(`unable to read files from java archive`), + assertInOutput(`no package identified in archive`), assertSuccessfulReturnCode, }, }, From 36987cfb0d833e5640e4b4bd86aa80a1343e3ef6 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 12:25:28 -0400 Subject: [PATCH 04/51] chore: update tests Signed-off-by: Keith Zantow --- internal/unknown/errors.go | 3 + internal/unknown/errors_test.go | 5 ++ syft/create_sbom_config_test.go | 15 +++++ syft/format/syftjson/decoder_test.go | 1 + syft/format/syftjson/to_syft_model_test.go | 2 + syft/pkg/cataloger/arch/parse_alpm_db.go | 55 ++++++++----------- .../binary/classifier_cataloger_test.go | 2 +- .../internal/pkgtest/test_generic_parser.go | 6 +- 8 files changed, 53 insertions(+), 36 deletions(-) diff --git a/internal/unknown/errors.go b/internal/unknown/errors.go index a7e8f13de2e..2acaa171979 100644 --- a/internal/unknown/errors.go +++ b/internal/unknown/errors.go @@ -71,6 +71,9 @@ func Join(errs ...error) error { if len(out) == 1 { return out[0] } + if len(out) == 0 { + return nil + } return errors.Join(out...) } diff --git a/internal/unknown/errors_test.go b/internal/unknown/errors_test.go index 886e0c5bd59..2c9788f9803 100644 --- a/internal/unknown/errors_test.go +++ b/internal/unknown/errors_test.go @@ -130,6 +130,11 @@ func Test_Join(t *testing.T) { in: []error{errors.Join(fmt.Errorf("outer: %w", fmt.Errorf("err1")), fmt.Errorf("err2"))}, expected: "outer: err1\nerr2", }, + { + name: "all nil", + in: []error{nil, nil, nil}, + expected: "", + }, } for _, test := range tests { t.Run(test.name, func(t *testing.T) { diff --git a/syft/create_sbom_config_test.go b/syft/create_sbom_config_test.go index 8c74b57cd50..c5c1800eb1b 100644 --- a/syft/create_sbom_config_test.go +++ b/syft/create_sbom_config_test.go @@ -90,6 +90,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -108,6 +109,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "directory"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -127,6 +129,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "directory"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -145,6 +148,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(false, true, true), // note: the digest cataloger is not included relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -163,6 +167,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), // note: there are no file catalogers in their own group relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -184,6 +189,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { fileCatalogerNames(true, true, true)..., ), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -204,6 +210,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "image"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -224,6 +231,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "directory"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -244,6 +252,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgIntersect("image", "javascript"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -265,6 +274,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "image"), "user-provided"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -285,6 +295,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), + unknownsFinalizeTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -385,6 +396,10 @@ func relationshipCatalogerNames() []string { return []string{"relationships-cataloger"} } +func unknownsFinalizeTaskNames() []string { + return []string{"unknowns-finalize"} +} + func environmentCatalogerNames() []string { return []string{"environment-cataloger"} } diff --git a/syft/format/syftjson/decoder_test.go b/syft/format/syftjson/decoder_test.go index daa019dc4fb..27a6813b93b 100644 --- a/syft/format/syftjson/decoder_test.go +++ b/syft/format/syftjson/decoder_test.go @@ -221,6 +221,7 @@ func Test_encodeDecodeFileMetadata(t *testing.T) { }, }, }, + Unknowns: map[file.Coordinates][]string{}, Executables: map[file.Coordinates]file.Executable{ c: { Format: file.ELF, diff --git a/syft/format/syftjson/to_syft_model_test.go b/syft/format/syftjson/to_syft_model_test.go index 5559db2953c..babba6345ff 100644 --- a/syft/format/syftjson/to_syft_model_test.go +++ b/syft/format/syftjson/to_syft_model_test.go @@ -234,6 +234,7 @@ func Test_toSyftFiles(t *testing.T) { FileMetadata: map[file.Coordinates]file.Metadata{}, FileDigests: map[file.Coordinates][]file.Digest{}, Executables: map[file.Coordinates]file.Executable{}, + Unknowns: make(map[file.Coordinates][]string), }, }, { @@ -349,6 +350,7 @@ func Test_toSyftFiles(t *testing.T) { t.Run(tt.name, func(t *testing.T) { tt.want.FileContents = make(map[file.Coordinates]string) tt.want.FileLicenses = make(map[file.Coordinates][]file.License) + tt.want.Unknowns = make(map[file.Coordinates][]string) assert.Equal(t, tt.want, toSyftFiles(tt.files)) }) } diff --git a/syft/pkg/cataloger/arch/parse_alpm_db.go b/syft/pkg/cataloger/arch/parse_alpm_db.go index 98366c60429..4c79abb8ff3 100644 --- a/syft/pkg/cataloger/arch/parse_alpm_db.go +++ b/syft/pkg/cataloger/arch/parse_alpm_db.go @@ -55,24 +55,19 @@ func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environ base := path.Dir(reader.RealPath) + var locs []file.Location + // replace the files found the pacman database with the files from the mtree These contain more metadata and // thus more useful. files, fileLoc, err := fetchPkgFiles(base, resolver) - if err != nil { - errs = unknown.Join(errs, err) - } - backups, backupLoc, err := fetchBackupFiles(base, resolver) - if err != nil { - errs = unknown.Join(errs, err) - } - - var locs []file.Location - if fileLoc != nil { + errs = unknown.Join(errs, err) + if err == nil { locs = append(locs, fileLoc.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation)) data.Files = files } - - if backupLoc != nil { + backups, backupLoc, err := fetchBackupFiles(base, resolver) + errs = unknown.Join(errs, err) + if err == nil { locs = append(locs, backupLoc.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.SupportingEvidenceAnnotation)) data.Backup = backups } @@ -91,55 +86,48 @@ func parseAlpmDB(_ context.Context, resolver file.Resolver, env *generic.Environ }, nil, errs } -func fetchPkgFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location, error) { +func fetchPkgFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, file.Location, error) { // TODO: probably want to use MTREE and PKGINFO here target := path.Join(base, "mtree") loc, err := getLocation(target, resolver) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to find mtree file") - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to find mtree file: %w", err)) - } - if loc == nil { - return []pkg.AlpmFileRecord{}, nil, nil + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to find mtree file: %w", err)) } - - reader, err := resolver.FileContentsByLocation(*loc) + reader, err := resolver.FileContentsByLocation(loc) if err != nil { - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) } defer internal.CloseAndLogError(reader, loc.RealPath) pkgFiles, err := parseMtree(reader) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to parse mtree file") - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to parse mtree: %w", err)) + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to parse mtree: %w", err)) } return pkgFiles, loc, nil } -func fetchBackupFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, *file.Location, error) { +func fetchBackupFiles(base string, resolver file.Resolver) ([]pkg.AlpmFileRecord, file.Location, error) { // We only really do this to get any backup database entries from the files database target := filepath.Join(base, "files") loc, err := getLocation(target, resolver) if err != nil { log.WithFields("error", err, "path", target).Trace("failed to find alpm files") - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to find alpm files: %w", err)) - } - if loc == nil { - return []pkg.AlpmFileRecord{}, nil, nil + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to find alpm files: %w", err)) } - reader, err := resolver.FileContentsByLocation(*loc) + reader, err := resolver.FileContentsByLocation(loc) if err != nil { - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to get contents: %w", err)) } defer internal.CloseAndLogError(reader, loc.RealPath) filesMetadata, err := parseAlpmDBEntry(reader) if err != nil { - return []pkg.AlpmFileRecord{}, nil, unknown.New(loc, fmt.Errorf("failed to parse alpm db entry: %w", err)) + return []pkg.AlpmFileRecord{}, loc, unknown.New(loc, fmt.Errorf("failed to parse alpm db entry: %w", err)) } if filesMetadata != nil { return filesMetadata.Backup, loc, nil @@ -180,20 +168,21 @@ func newScanner(reader io.Reader) *bufio.Scanner { return scanner } -func getLocation(path string, resolver file.Resolver) (*file.Location, error) { +func getLocation(path string, resolver file.Resolver) (file.Location, error) { + loc := file.NewLocation(path) locs, err := resolver.FilesByPath(path) if err != nil { - return nil, err + return loc, err } if len(locs) == 0 { - return nil, fmt.Errorf("could not find file: %s", path) + return loc, fmt.Errorf("could not find file: %s", path) } if len(locs) > 1 { log.WithFields("path", path).Trace("multiple files found for path, using first path") } - return &locs[0], nil + return locs[0], nil } func parseDatabase(b *bufio.Scanner) (*parsedData, error) { diff --git a/syft/pkg/cataloger/binary/classifier_cataloger_test.go b/syft/pkg/cataloger/binary/classifier_cataloger_test.go index 978e457554c..48a07a4884b 100644 --- a/syft/pkg/cataloger/binary/classifier_cataloger_test.go +++ b/syft/pkg/cataloger/binary/classifier_cataloger_test.go @@ -1387,7 +1387,7 @@ func Test_Cataloger_ResilientToErrors(t *testing.T) { resolver := &panicyResolver{} _, _, err := c.Catalog(context.Background(), resolver) - assert.NoError(t, err) + assert.Error(t, err) assert.True(t, resolver.searchCalled) } diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go index a3cf11dece8..0e4d1dfee15 100644 --- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go +++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go @@ -48,7 +48,6 @@ type CatalogTester struct { func NewCatalogTester() *CatalogTester { return &CatalogTester{ - wantErr: require.NoError, locationComparer: cmptest.DefaultLocationComparer, licenseComparer: cmptest.DefaultLicenseComparer, packageStringer: stringPackage, @@ -226,7 +225,10 @@ func (p *CatalogTester) IgnoreUnfulfilledPathResponses(paths ...string) *Catalog func (p *CatalogTester) TestParser(t *testing.T, parser generic.Parser) { t.Helper() pkgs, relationships, err := parser(context.Background(), p.resolver, p.env, p.reader) - p.wantErr(t, err) + // catalogers return errors for unknowns, only test if this is explicitly requested + if p.wantErr != nil { + p.wantErr(t, err) + } p.assertPkgs(t, pkgs, relationships) } From 73e32e6720cb9dec3e93dd8147df336db8fb95ae Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 13:28:22 -0400 Subject: [PATCH 05/51] chore: update tests Signed-off-by: Keith Zantow --- syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go index 0e4d1dfee15..03149a9db94 100644 --- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go +++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go @@ -225,7 +225,7 @@ func (p *CatalogTester) IgnoreUnfulfilledPathResponses(paths ...string) *Catalog func (p *CatalogTester) TestParser(t *testing.T, parser generic.Parser) { t.Helper() pkgs, relationships, err := parser(context.Background(), p.resolver, p.env, p.reader) - // catalogers return errors for unknowns, only test if this is explicitly requested + // parsers return errors for unknowns, only test if this is explicitly requested if p.wantErr != nil { p.wantErr(t, err) } @@ -250,7 +250,10 @@ func (p *CatalogTester) TestCataloger(t *testing.T, cataloger pkg.Cataloger) { } if p.assertResultExpectations { - p.wantErr(t, err) + // catalogers return errors for unknowns, only test if this is explicitly requested + if p.wantErr != nil { + p.wantErr(t, err) + } p.assertPkgs(t, pkgs, relationships) } From 84ab50afb389ba9fb3c852479d08fd8884f1785e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 15:11:33 -0400 Subject: [PATCH 06/51] chore: properly report unscanned jars, remove duplicate errors Signed-off-by: Keith Zantow --- internal/task/executor.go | 24 ++++++++++++------- internal/unknown/errors.go | 19 ++++++++++++++- internal/unknown/errors_test.go | 15 ++++++++++++ syft/pkg/cataloger/java/archive_parser.go | 15 ++++++++---- .../pkg/cataloger/java/archive_parser_test.go | 10 ++++++-- 5 files changed, 67 insertions(+), 16 deletions(-) diff --git a/internal/task/executor.go b/internal/task/executor.go index a17d32f2267..3fefbb262f8 100644 --- a/internal/task/executor.go +++ b/internal/task/executor.go @@ -56,14 +56,9 @@ func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsy err := runTaskSafely(ctx, tsk, resolver, s) unknowns, err := unknown.ExtractCoordinateErrors(err) - s.(sbomsync.Accessor).WriteToSBOM(func(sb *sbom.SBOM) { - for _, u := range unknowns { - if sb.Artifacts.Unknowns == nil { - sb.Artifacts.Unknowns = map[file.Coordinates][]string{} - } - sb.Artifacts.Unknowns[u.Coordinates] = append(sb.Artifacts.Unknowns[u.Coordinates], u.Reason.Error()) - } - }) + if len(unknowns) > 0 { + appendUnknowns(s, unknowns) + } if err != nil { withLock(func() { errs = multierror.Append(errs, fmt.Errorf("failed to run task: %w", err)) @@ -80,6 +75,19 @@ func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsy return errs } +func appendUnknowns(builder sbomsync.Builder, unknowns []unknown.CoordinateError) { + if accessor, ok := builder.(sbomsync.Accessor); ok { + accessor.WriteToSBOM(func(sb *sbom.SBOM) { + for _, u := range unknowns { + if sb.Artifacts.Unknowns == nil { + sb.Artifacts.Unknowns = map[file.Coordinates][]string{} + } + sb.Artifacts.Unknowns[u.Coordinates] = append(sb.Artifacts.Unknowns[u.Coordinates], u.Reason.Error()) + } + }) + } +} + func runTaskSafely(ctx context.Context, t Task, resolver file.Resolver, s sbomsync.Builder) (err error) { // handle individual cataloger panics defer func() { diff --git a/internal/unknown/errors.go b/internal/unknown/errors.go index 2acaa171979..eebf4f9dba0 100644 --- a/internal/unknown/errors.go +++ b/internal/unknown/errors.go @@ -66,7 +66,13 @@ func Appendf(errs error, coords hasCoordinates, format string, args ...any) erro func Join(errs ...error) error { var out []error for _, err := range errs { - out = append(out, flatten(err)...) + // append errors, de-duplicated + for _, e := range flatten(err) { + if containsErr(out, e) { + continue + } + out = append(out, e) + } } if len(out) == 1 { return out[0] @@ -132,6 +138,17 @@ func flatten(errs ...error) []error { return out } +// containsErr returns true if an error with the exact same error message is present +func containsErr(out []error, err error) bool { + msg := err.Error() + for _, e := range out { + if e.Error() == msg { + return true + } + } + return false +} + // visitErrors visits every wrapped error. the returned error replaces the provided error, null errors are omitted from // the object graph func visitErrors(err error, fn func(error) error) error { diff --git a/internal/unknown/errors_test.go b/internal/unknown/errors_test.go index 2c9788f9803..b9a9d7cd5f2 100644 --- a/internal/unknown/errors_test.go +++ b/internal/unknown/errors_test.go @@ -130,6 +130,21 @@ func Test_Join(t *testing.T) { in: []error{errors.Join(fmt.Errorf("outer: %w", fmt.Errorf("err1")), fmt.Errorf("err2"))}, expected: "outer: err1\nerr2", }, + { + name: "duplicates", + in: []error{fmt.Errorf("err1"), fmt.Errorf("err1"), fmt.Errorf("err2")}, + expected: "err1\nerr2", + }, + { + name: "nested duplicates", + in: []error{errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2")), fmt.Errorf("err1"), fmt.Errorf("err2")}, + expected: "err1\nerr2", + }, + { + name: "nested duplicates coords", + in: []error{New(file.NewLocation("l1"), errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2"))), fmt.Errorf("err1"), fmt.Errorf("err2")}, + expected: "l1: err1\nl1: err2\nerr1\nerr2", + }, { name: "all nil", in: []error{nil, nil, nil}, diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index f9fc3a72387..63d1cc4790d 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -6,6 +6,7 @@ import ( "fmt" "os" "path" + "slices" "strings" intFile "github.com/anchore/syft/internal/file" @@ -126,17 +127,21 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re } pkgs = append(pkgs, auxPkgs...) + var errs error if j.detectNested { // find nested java archive packages nestedPkgs, nestedRelationships, err := j.discoverPkgsFromNestedArchives(ctx, parentPkg) if err != nil { - return nil, nil, err + errs = unknown.Append(errs, j.location, err) } pkgs = append(pkgs, nestedPkgs...) relationships = append(relationships, nestedRelationships...) } else { - // TODO detect if there are nested archives before indicating they were not searched - err = unknown.Appendf(err, j.location, "not searched for nested archives") + nestedArchives := j.fileManifest.GlobMatch(false, "**/*.{jar,war}") + if len(nestedArchives) > 0 { + slices.Sort(nestedArchives) + errs = unknown.Appendf(errs, j.location, "nested archives not cataloged: %v", strings.Join(nestedArchives, ", ")) + } } // lastly, add the parent package to the list (assuming the parent exists) @@ -158,10 +163,10 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re } if len(pkgs) == 0 { - err = unknown.Appendf(err, j.location, "no package identified in archive") + errs = unknown.Appendf(errs, j.location, "no package identified in archive") } - return pkgs, relationships, err + return pkgs, relationships, errs } // discoverMainPackage parses the root Java manifest used as the parent package to all discovered nested packages. diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 7d7164196c3..2e73145442e 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -176,10 +176,12 @@ func TestParseJar(t *testing.T) { fixture string expected map[string]pkg.Package ignoreExtras []string + wantErr require.ErrorAssertionFunc }{ { name: "example-jenkins-plugin", fixture: "test-fixtures/java-builds/packages/example-jenkins-plugin.hpi", + wantErr: require.Error, // there are nested jars, which are not scanned and result in unknown errors ignoreExtras: []string{ "Plugin-Version", // has dynamic date "Built-By", // podman returns the real UID @@ -238,6 +240,7 @@ func TestParseJar(t *testing.T) { { name: "example-java-app-gradle", fixture: "test-fixtures/java-builds/packages/example-java-app-gradle-0.1.0.jar", + wantErr: require.NoError, // no nested jars expected: map[string]pkg.Package{ "example-java-app-gradle": { Name: "example-java-app-gradle", @@ -311,6 +314,7 @@ func TestParseJar(t *testing.T) { { name: "example-java-app-maven", fixture: "test-fixtures/java-builds/packages/example-java-app-maven-0.1.0.jar", + wantErr: require.NoError, // no nested jars ignoreExtras: []string{ "Build-Jdk", // can't guarantee the JDK used at build time "Built-By", // podman returns the real UID @@ -432,13 +436,15 @@ func TestParseJar(t *testing.T) { require.NoError(t, err) actual, _, err := parser.parse(context.Background()) - require.NoError(t, err) + if test.wantErr != nil { + test.wantErr(t, err) + } if len(actual) != len(test.expected) { for _, a := range actual { t.Log(" ", a) } - t.Fatalf("unexpected package count: %d!=%d", len(actual), len(test.expected)) + t.Fatalf("unexpected package count; expected: %d got: %d", len(test.expected), len(actual)) } var parent *pkg.Package From f51c166c53441a10cddcb5c77f6254e79a21ee81 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 15:23:32 -0400 Subject: [PATCH 07/51] chore: fix nested archive "glob" match Signed-off-by: Keith Zantow --- syft/pkg/cataloger/java/archive_parser.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index 63d1cc4790d..d81d96b2c1a 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -137,7 +137,8 @@ func (j *archiveParser) parse(ctx context.Context) ([]pkg.Package, []artifact.Re pkgs = append(pkgs, nestedPkgs...) relationships = append(relationships, nestedRelationships...) } else { - nestedArchives := j.fileManifest.GlobMatch(false, "**/*.{jar,war}") + // .jar and .war files are present in archives, are others? or generally just consider them top-level? + nestedArchives := j.fileManifest.GlobMatch(true, "*.jar", "*.war") if len(nestedArchives) > 0 { slices.Sort(nestedArchives) errs = unknown.Appendf(errs, j.location, "nested archives not cataloged: %v", strings.Join(nestedArchives, ", ")) From ac75cd7953d49b9da8b2fa759ad7b3ad088b8b4a Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 17:14:49 -0400 Subject: [PATCH 08/51] chore: adjust a few error messages Signed-off-by: Keith Zantow --- internal/task/unknowns_tasks.go | 5 ++--- .../dotnet/parse_dotnet_portable_executable.go | 14 +++++++------- 2 files changed, 9 insertions(+), 10 deletions(-) diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index e3a6bc9c9b3..efd4883674b 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -2,7 +2,6 @@ package task import ( "context" - "fmt" "github.com/mholt/archiver/v3" @@ -50,7 +49,7 @@ func (c UnknownsConfig) processUnknowns(_ context.Context, _ file.Resolver, buil if c.IncludeExecutablesWithoutPackages { for coords := range s.Artifacts.Executables { if !allPackageCoords.Contains(coords) { - s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], fmt.Sprintf("no package identified in executable file: %s", coords.RealPath)) + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "no package identified in executable file") } } } @@ -59,7 +58,7 @@ func (c UnknownsConfig) processUnknowns(_ context.Context, _ file.Resolver, buil for coords := range s.Artifacts.FileMetadata { unarchiver, notArchiveErr := archiver.ByExtension(coords.RealPath) if unarchiver != nil && notArchiveErr == nil && !allPackageCoords.Contains(coords) { - s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], fmt.Sprintf("archive not extracted: %s", coords.RealPath)) + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "archive not cataloged") } } } diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go index 81049405ba0..4ea4d1c18d7 100644 --- a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go +++ b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable.go @@ -29,25 +29,25 @@ func parseDotnetPortableExecutable(_ context.Context, _ file.Resolver, _ *generi peFile, err := pe.NewBytes(by, &pe.Options{}) if err != nil { log.Tracef("unable to create PE instance for file '%s': %v", f.RealPath, err) - return nil, nil, fmt.Errorf("unable to create PE instance for file '%s': %v", f.RealPath, err) + return nil, nil, err } err = peFile.Parse() if err != nil { log.Tracef("unable to parse PE file '%s': %v", f.RealPath, err) - return nil, nil, fmt.Errorf("unable to parse PE file '%s': %v", f.RealPath, err) + return nil, nil, err } versionResources, err := peFile.ParseVersionResources() if err != nil { log.Tracef("unable to parse version resources in PE file: %s: %v", f.RealPath, err) - return nil, nil, fmt.Errorf("unable to parse version resources in PE file: %s: %v", f.RealPath, err) + return nil, nil, fmt.Errorf("unable to parse version resources in PE file: %w", err) } dotNetPkg, err := buildDotNetPackage(versionResources, f) if err != nil { - log.Tracef("unable to build dotnet package: %v", err) - return nil, nil, fmt.Errorf("unable to build dotnet package: %v", err) + log.Tracef("unable to build dotnet package for: %v %v", f.RealPath, err) + return nil, nil, err } return []pkg.Package{dotNetPkg}, nil, nil @@ -56,12 +56,12 @@ func parseDotnetPortableExecutable(_ context.Context, _ file.Resolver, _ *generi func buildDotNetPackage(versionResources map[string]string, f file.LocationReadCloser) (dnpkg pkg.Package, err error) { name := findName(versionResources) if name == "" { - return dnpkg, fmt.Errorf("unable to find PE name in file: %s", f.RealPath) + return dnpkg, fmt.Errorf("unable to find PE name in file") } version := findVersion(versionResources) if version == "" { - return dnpkg, fmt.Errorf("unable to find PE version in file: %s", f.RealPath) + return dnpkg, fmt.Errorf("unable to find PE version in file") } metadata := pkg.DotnetPortableExecutableEntry{ From 0847460699051d6e75b7433d37767f9dd9dcc02d Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 17:57:03 -0400 Subject: [PATCH 09/51] fix: consider metadata FileOwners Signed-off-by: Keith Zantow --- internal/task/unknowns_tasks.go | 71 +++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 25 deletions(-) diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index efd4883674b..138360c108a 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -4,9 +4,11 @@ import ( "context" "github.com/mholt/archiver/v3" + "github.com/scylladb/go-set/strset" "github.com/anchore/syft/internal/sbomsync" "github.com/anchore/syft/syft/file" + "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/sbom" ) @@ -29,39 +31,58 @@ func NewUnknownsFinalizeTask(cfg UnknownsConfig) Task { // processUnknowns removes unknown entries that have valid packages reported for the locations func (c UnknownsConfig) processUnknowns(_ context.Context, _ file.Resolver, builder sbomsync.Builder) error { accessor := builder.(sbomsync.Accessor) - accessor.WriteToSBOM(func(s *sbom.SBOM) { - allPackageCoords := file.NewCoordinateSet() - for p := range s.Artifacts.Packages.Enumerate() { - allPackageCoords.Add(p.Locations.CoordinateSet().ToSlice()...) - } + accessor.WriteToSBOM(c.finalize) + return nil +} - for coords := range s.Artifacts.Unknowns { - if !allPackageCoords.Contains(coords) { - continue - } - delete(s.Artifacts.Unknowns, coords) +func (c UnknownsConfig) finalize(s *sbom.SBOM) { + hasPackageReference := coordinateReferenceLookup(s) + + for coords := range s.Artifacts.Unknowns { + if !hasPackageReference(coords) { + continue } + delete(s.Artifacts.Unknowns, coords) + } + + if s.Artifacts.Unknowns == nil { + s.Artifacts.Unknowns = map[file.Coordinates][]string{} + } - if s.Artifacts.Unknowns == nil { - s.Artifacts.Unknowns = map[file.Coordinates][]string{} + if c.IncludeExecutablesWithoutPackages { + for coords := range s.Artifacts.Executables { + if !hasPackageReference(coords) { + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "no package identified in executable file") + } } + } - if c.IncludeExecutablesWithoutPackages { - for coords := range s.Artifacts.Executables { - if !allPackageCoords.Contains(coords) { - s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "no package identified in executable file") - } + if c.IncludeUnexpandedArchives { + for coords := range s.Artifacts.FileMetadata { + unarchiver, notArchiveErr := archiver.ByExtension(coords.RealPath) + if unarchiver != nil && notArchiveErr == nil && !hasPackageReference(coords) { + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "archive not cataloged") } } + } +} + +func coordinateReferenceLookup(s *sbom.SBOM) func(coords file.Coordinates) bool { + allPackageCoords := file.NewCoordinateSet() + for p := range s.Artifacts.Packages.Enumerate() { + allPackageCoords.Add(p.Locations.CoordinateSet().ToSlice()...) + } - if c.IncludeUnexpandedArchives { - for coords := range s.Artifacts.FileMetadata { - unarchiver, notArchiveErr := archiver.ByExtension(coords.RealPath) - if unarchiver != nil && notArchiveErr == nil && !allPackageCoords.Contains(coords) { - s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "archive not cataloged") - } + allMetadataFiles := strset.New() + for p := range s.Artifacts.Packages.Enumerate() { + if f, ok := p.Metadata.(pkg.FileOwner); ok { + for _, o := range f.OwnedFiles() { + allMetadataFiles.Add(o) } } - }) - return nil + } + + return func(coords file.Coordinates) bool { + return allPackageCoords.Contains(coords) || allMetadataFiles.Has(coords.RealPath) + } } From 8d04a362feea141cd3750c36f09a8c91385196da Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 26 Jun 2024 18:15:07 -0400 Subject: [PATCH 10/51] chore: delete apk db Signed-off-by: Keith Zantow --- test/cli/test-fixtures/image-unknowns/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/test/cli/test-fixtures/image-unknowns/Dockerfile b/test/cli/test-fixtures/image-unknowns/Dockerfile index 2dbaafb03d6..503f6808d0c 100644 --- a/test/cli/test-fixtures/image-unknowns/Dockerfile +++ b/test/cli/test-fixtures/image-unknowns/Dockerfile @@ -1,2 +1,3 @@ FROM alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 +RUN rm -rf /lib/apk/db/installed COPY . /home/files From 93598105cb95d712caed99983cc6d296dbca9582 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 8 Jul 2024 09:35:05 -0400 Subject: [PATCH 11/51] chore: fix unknown coordinate lookups Signed-off-by: Keith Zantow --- internal/task/unknowns_tasks.go | 46 +++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index 138360c108a..307e25b72de 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -4,8 +4,8 @@ import ( "context" "github.com/mholt/archiver/v3" - "github.com/scylladb/go-set/strset" + "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/sbomsync" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -29,14 +29,16 @@ func NewUnknownsFinalizeTask(cfg UnknownsConfig) Task { } // processUnknowns removes unknown entries that have valid packages reported for the locations -func (c UnknownsConfig) processUnknowns(_ context.Context, _ file.Resolver, builder sbomsync.Builder) error { +func (c UnknownsConfig) processUnknowns(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error { accessor := builder.(sbomsync.Accessor) - accessor.WriteToSBOM(c.finalize) + accessor.WriteToSBOM(func(s *sbom.SBOM) { + c.finalize(resolver, s) + }) return nil } -func (c UnknownsConfig) finalize(s *sbom.SBOM) { - hasPackageReference := coordinateReferenceLookup(s) +func (c UnknownsConfig) finalize(resolver file.Resolver, s *sbom.SBOM) { + hasPackageReference := coordinateReferenceLookup(resolver, s) for coords := range s.Artifacts.Unknowns { if !hasPackageReference(coords) { @@ -67,22 +69,44 @@ func (c UnknownsConfig) finalize(s *sbom.SBOM) { } } -func coordinateReferenceLookup(s *sbom.SBOM) func(coords file.Coordinates) bool { +func coordinateReferenceLookup(resolver file.Resolver, s *sbom.SBOM) func(coords file.Coordinates) bool { allPackageCoords := file.NewCoordinateSet() + + // include all directly included locations that result in packages for p := range s.Artifacts.Packages.Enumerate() { allPackageCoords.Add(p.Locations.CoordinateSet().ToSlice()...) } - allMetadataFiles := strset.New() + // include owned files, for example specified by package managers. + // relationships for these owned files may be disabled, but we always want to include them for p := range s.Artifacts.Packages.Enumerate() { if f, ok := p.Metadata.(pkg.FileOwner); ok { - for _, o := range f.OwnedFiles() { - allMetadataFiles.Add(o) + for _, ownedFilePath := range f.OwnedFiles() { + // resolve these owned files, as they may have symlinks + // but coordinates we will test against are always absolute paths + locations, err := resolver.FilesByPath(ownedFilePath) + if err != nil { + log.Debugf("unable to resolve owned file '%s': %v", ownedFilePath, err) + } + for _, loc := range locations { + allPackageCoords.Add(loc.Coordinates) + } } } } - return func(coords file.Coordinates) bool { - return allPackageCoords.Contains(coords) || allMetadataFiles.Has(coords.RealPath) + // include relationships + for _, r := range s.Relationships { + _, fromPkgOk := r.From.(pkg.Package) + fromFile, fromFileOk := r.From.(file.Coordinates) + _, toPkgOk := r.To.(pkg.Package) + toFile, toFileOk := r.To.(file.Coordinates) + if fromPkgOk && toFileOk { + allPackageCoords.Add(toFile) + } else if fromFileOk && toPkgOk { + allPackageCoords.Add(fromFile) + } } + + return allPackageCoords.Contains } From 5b772c78eb31bd4cd0e27836666426ba6f0e1b13 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 8 Jul 2024 10:39:40 -0400 Subject: [PATCH 12/51] chore: update test image for hidden packages test Signed-off-by: Keith Zantow --- test/cli/scan_cmd_test.go | 6 +++--- test/cli/test-fixtures/image-hidden-packages/Dockerfile | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/test/cli/scan_cmd_test.go b/test/cli/scan_cmd_test.go index 555f0856b61..2cf37e6132b 100644 --- a/test/cli/scan_cmd_test.go +++ b/test/cli/scan_cmd_test.go @@ -143,7 +143,7 @@ func TestPackagesCmdFlags(t *testing.T) { name: "squashed-scope-flag-hidden-packages", args: []string{"scan", "-o", "json", "-s", "squashed", hiddenPackagesImage}, assertions: []traitAssertion{ - assertPackageCount(162), + assertPackageCount(14), assertNotInOutput("vsftpd"), // hidden package assertSuccessfulReturnCode, }, @@ -152,7 +152,7 @@ func TestPackagesCmdFlags(t *testing.T) { name: "all-layers-scope-flag", args: []string{"scan", "-o", "json", "-s", "all-layers", hiddenPackagesImage}, assertions: []traitAssertion{ - assertPackageCount(163), // packages are now deduplicated for this case + assertPackageCount(19), // packages are now deduplicated for this case assertInOutput("all-layers"), assertInOutput("vsftpd"), // hidden package assertSuccessfulReturnCode, @@ -165,7 +165,7 @@ func TestPackagesCmdFlags(t *testing.T) { "SYFT_SCOPE": "all-layers", }, assertions: []traitAssertion{ - assertPackageCount(163), // packages are now deduplicated for this case + assertPackageCount(19), // packages are now deduplicated for this case assertInOutput("all-layers"), assertInOutput("vsftpd"), // hidden package assertSuccessfulReturnCode, diff --git a/test/cli/test-fixtures/image-hidden-packages/Dockerfile b/test/cli/test-fixtures/image-hidden-packages/Dockerfile index 1150209e8b2..f4a0cb49404 100644 --- a/test/cli/test-fixtures/image-hidden-packages/Dockerfile +++ b/test/cli/test-fixtures/image-hidden-packages/Dockerfile @@ -1,4 +1,4 @@ -FROM centos:7.9.2009@sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f +FROM alpine:3.20.1@sha256:dabf91b69c191a1a0a1628fd6bdd029c0c4018041c7f052870bb13c5a222ae76 # all-layers scope should pickup on vsftpd -RUN yum install -y vsftpd -RUN yum remove -y vsftpd +RUN apk update && apk add -f vsftpd +RUN apk del -f vsftpd From 5b193e5b7f26606ffdc62b8f4d60b6e979ccd173 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 12 Aug 2024 17:34:58 -0400 Subject: [PATCH 13/51] chore: alpine unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/alpine/cataloger_test.go | 8 ++++ syft/pkg/cataloger/alpine/parse_apk_db.go | 6 ++- .../corrupt/lib/apk/db/installed | 43 +++++++++++++++++++ .../internal/pkgtest/test_generic_parser.go | 14 +++--- 4 files changed, 63 insertions(+), 8 deletions(-) create mode 100644 syft/pkg/cataloger/alpine/test-fixtures/corrupt/lib/apk/db/installed diff --git a/syft/pkg/cataloger/alpine/cataloger_test.go b/syft/pkg/cataloger/alpine/cataloger_test.go index 8ac6eaa8ed3..fff8e77f4ed 100644 --- a/syft/pkg/cataloger/alpine/cataloger_test.go +++ b/syft/pkg/cataloger/alpine/cataloger_test.go @@ -190,6 +190,14 @@ func TestApkDBCataloger(t *testing.T) { } +func Test_corruptDb(t *testing.T) { + pkgtest.NewCatalogTester(). + FromDirectory(t, "test-fixtures/corrupt"). + WithCompareOptions(cmpopts.IgnoreFields(pkg.ApkDBEntry{}, "Files", "GitCommit", "Checksum")). + WithError(). + TestCataloger(t, NewDBCataloger()) +} + func TestCatalogerDependencyTree(t *testing.T) { assertion := func(t *testing.T, pkgs []pkg.Package, relationships []artifact.Relationship) { expected := map[string][]string{ diff --git a/syft/pkg/cataloger/alpine/parse_apk_db.go b/syft/pkg/cataloger/alpine/parse_apk_db.go index 5948e303554..983c70e8b51 100644 --- a/syft/pkg/cataloger/alpine/parse_apk_db.go +++ b/syft/pkg/cataloger/alpine/parse_apk_db.go @@ -4,6 +4,7 @@ import ( "bufio" "context" "fmt" + "github.com/anchore/syft/internal/unknown" "io" "path" "regexp" @@ -38,6 +39,7 @@ type parsedData struct { func parseApkDB(_ context.Context, resolver file.Resolver, env *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { scanner := bufio.NewScanner(reader) + var errs error var apks []parsedData var currentEntry parsedData entryParsingInProgress := false @@ -81,10 +83,12 @@ func parseApkDB(_ context.Context, resolver file.Resolver, env *generic.Environm field := parseApkField(line) if field == nil { log.Warnf("unable to parse field data from line %q", line) + errs = unknown.Appendf(errs, reader, "unable to parse field data from line %q", line) continue } if len(field.name) == 0 { log.Warnf("failed to parse field name from line %q", line) + errs = unknown.Appendf(errs, reader, "failed to parse field name from line %q", line) continue } if len(field.value) == 0 { @@ -131,7 +135,7 @@ func parseApkDB(_ context.Context, resolver file.Resolver, env *generic.Environm pkgs = append(pkgs, newPackage(apk, r, reader.Location)) } - return pkgs, nil, nil + return pkgs, nil, errs } func findReleases(resolver file.Resolver, dbPath string) []linux.Release { diff --git a/syft/pkg/cataloger/alpine/test-fixtures/corrupt/lib/apk/db/installed b/syft/pkg/cataloger/alpine/test-fixtures/corrupt/lib/apk/db/installed new file mode 100644 index 00000000000..b1f971acc27 --- /dev/null +++ b/syft/pkg/cataloger/alpine/test-fixtures/corrupt/lib/apk/db/installed @@ -0,0 +1,43 @@ +this is a corrupt db + +C:Q1v4QhLje3kWlC8DJj+ZfJTjlJRSU= +P:alpine-baselayout-data +V:3.2.0-r22 +A:x86_64 +S:11435 +I:73728 +o:alpine-baselayout +t:1655134784 +c:cb70ca5c6d6db0399d2dd09189c5d57827bce5cd +r:alpine-baselayout +F:etc +R:fstab +Z:Q11Q7hNe8QpDS531guqCdrXBzoA/o= +R:group +Z:Q13K+olJg5ayzHSVNUkggZJXuB+9Y= +R:hostname +Z:Q16nVwYVXP/tChvUPdukVD2ifXOmc= +R:hosts +Z:Q1BD6zJKZTRWyqGnPi4tSfd3krsMU= +R:inittab +Z:Q1TsthbhW7QzWRe1E/NKwTOuD4pHc= +R:modules +Z:Q1toogjUipHGcMgECgPJX64SwUT1M= +R:mtab +a:0:0:777 +Z:Q1kiljhXXH1LlQroHsEJIkPZg2eiw= +R:passwd +Z:Q1TchuuLUfur0izvfZQZxgN/LJhB8= +R:profile +Z:Q1F3DgXUP+jNZDknmQPPb5t9FSfDg= +R:protocols +Z:Q1omKlp3vgGq2ZqYzyD/KHNdo8rDc= +R:services +Z:Q19WLCv5ItKg4MH7RWfNRh1I7byQc= +R:shadow +a:0:42:640 +Z:Q1ltrPIAW2zHeDiajsex2Bdmq3uqA= +R:shells +Z:Q1ojm2YdpCJ6B/apGDaZ/Sdb2xJkA= +R:sysctl.conf +Z:Q14upz3tfnNxZkIEsUhWn7Xoiw96g= diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go index 88d54058780..2025d8d45c5 100644 --- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go +++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go @@ -112,7 +112,6 @@ func (p *CatalogTester) WithEnv(env *generic.Environment) *CatalogTester { } func (p *CatalogTester) WithError() *CatalogTester { - p.assertResultExpectations = true p.wantErr = require.Error return p } @@ -225,7 +224,7 @@ func (p *CatalogTester) IgnoreUnfulfilledPathResponses(paths ...string) *Catalog func (p *CatalogTester) TestParser(t *testing.T, parser generic.Parser) { t.Helper() pkgs, relationships, err := parser(context.Background(), p.resolver, p.env, p.reader) - // parsers return errors for unknowns, only test if this is explicitly requested + // only test for errors if explicitly requested if p.wantErr != nil { p.wantErr(t, err) } @@ -249,11 +248,12 @@ func (p *CatalogTester) TestCataloger(t *testing.T, cataloger pkg.Cataloger) { assert.ElementsMatchf(t, p.expectedContentQueries, resolver.AllContentQueries(), "unexpected content queries observed: diff %s", cmp.Diff(p.expectedContentQueries, resolver.AllContentQueries())) } + // only test for errors if explicitly requested + if p.wantErr != nil { + p.wantErr(t, err) + } + if p.assertResultExpectations { - // catalogers return errors for unknowns, only test if this is explicitly requested - if p.wantErr != nil { - p.wantErr(t, err) - } p.assertPkgs(t, pkgs, relationships) } @@ -261,7 +261,7 @@ func (p *CatalogTester) TestCataloger(t *testing.T, cataloger pkg.Cataloger) { a(t, pkgs, relationships) } - if !p.assertResultExpectations && len(p.customAssertions) == 0 { + if !p.assertResultExpectations && len(p.customAssertions) == 0 && p.wantErr == nil { resolver.PruneUnfulfilledPathResponses(p.ignoreUnfulfilledPathResponses, p.ignoreAnyUnfulfilledPaths...) // if we aren't testing the results, we should focus on what was searched for (for glob-centric tests) From 84a2fa08f7e22396a9f658d76e8e283c544b52f1 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 12 Aug 2024 17:40:20 -0400 Subject: [PATCH 14/51] chore: alpm unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/arch/cataloger_test.go | 8 +++++ .../var/lib/pacman/local/corrupt-0.2.1-3/desc | 34 +++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 syft/pkg/cataloger/arch/test-fixtures/installed/var/lib/pacman/local/corrupt-0.2.1-3/desc diff --git a/syft/pkg/cataloger/arch/cataloger_test.go b/syft/pkg/cataloger/arch/cataloger_test.go index 0badcb828fb..e6152524612 100644 --- a/syft/pkg/cataloger/arch/cataloger_test.go +++ b/syft/pkg/cataloger/arch/cataloger_test.go @@ -11,6 +11,14 @@ import ( "github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" ) +func TestAlpmUnknowns(t *testing.T) { + pkgtest.NewCatalogTester(). + FromDirectory(t, "test-fixtures/installed"). + WithCompareOptions(cmpopts.IgnoreFields(pkg.AlpmFileRecord{}, "Time")). + WithError(). + TestCataloger(t, NewDBCataloger()) +} + func TestAlpmCataloger(t *testing.T) { gmpDbLocation := file.NewLocation("var/lib/pacman/local/gmp-6.2.1-2/desc") treeSitterDbLocation := file.NewLocation("var/lib/pacman/local/tree-sitter-0.22.6-1/desc") diff --git a/syft/pkg/cataloger/arch/test-fixtures/installed/var/lib/pacman/local/corrupt-0.2.1-3/desc b/syft/pkg/cataloger/arch/test-fixtures/installed/var/lib/pacman/local/corrupt-0.2.1-3/desc new file mode 100644 index 00000000000..ff403145b1b --- /dev/null +++ b/syft/pkg/cataloger/arch/test-fixtures/installed/var/lib/pacman/local/corrupt-0.2.1-3/desc @@ -0,0 +1,34 @@ +%NME% +tree-sitter + +%VER.6-1 + +%BASE% +tree-sitter + +%DESC% +Incremental parsing library + + +%BUILDDATE% +1714945746 + +%INSTALLDATE% +1715026360 + +%PACKA@archlinux.org> + +%SIZE% +223539 + +%REASON% +1 + +%LICENSE% +MIT + +%VALIDATION% +pgp + +%PROVIDE +libtree-sitter.so=0-64 From c382c4638e4f0d1fa466b3f49ed49249933bfff1 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 12 Aug 2024 18:03:04 -0400 Subject: [PATCH 15/51] chore: elf unknowns + test Signed-off-by: Keith Zantow --- .../cataloger/binary/elf_package_cataloger.go | 2 +- .../binary/elf_package_cataloger_test.go | 4 ++ .../elf-test-fixtures/Dockerfile | 5 +- .../elfbinwithcorrupt/elfsrc/hello_world.cpp | 6 +++ .../elfbinwithcorrupt/elfsrc/hello_world.h | 8 ++++ .../elfbinwithcorrupt/elfsrc/makefile | 48 +++++++++++++++++++ .../elfbinwithcorrupt/elfsrc/testbin.cpp | 8 ++++ .../elfbinwithcorrupt/makefile | 18 +++++++ 8 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.cpp create mode 100644 syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.h create mode 100644 syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/makefile create mode 100644 syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/testbin.cpp create mode 100644 syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/makefile diff --git a/syft/pkg/cataloger/binary/elf_package_cataloger.go b/syft/pkg/cataloger/binary/elf_package_cataloger.go index 822b0739375..24b4c0b08c0 100644 --- a/syft/pkg/cataloger/binary/elf_package_cataloger.go +++ b/syft/pkg/cataloger/binary/elf_package_cataloger.go @@ -176,7 +176,7 @@ func getELFNotes(r file.LocationReadCloser) (*elfBinaryPackageNotes, error) { if len(notes) > headerSize { var metadata elfBinaryPackageNotes newPayload := bytes.TrimRight(notes[headerSize:], "\x00") - if err := json.Unmarshal(newPayload, &metadata); err == nil { + if err = json.Unmarshal(newPayload, &metadata); err == nil { return &metadata, nil } log.WithFields("file", r.Location.Path(), "error", err).Trace("unable to unmarshal ELF package notes as JSON") diff --git a/syft/pkg/cataloger/binary/elf_package_cataloger_test.go b/syft/pkg/cataloger/binary/elf_package_cataloger_test.go index d9a97cc6476..3a2055d0196 100644 --- a/syft/pkg/cataloger/binary/elf_package_cataloger_test.go +++ b/syft/pkg/cataloger/binary/elf_package_cataloger_test.go @@ -1,6 +1,7 @@ package binary import ( + "github.com/stretchr/testify/require" "testing" "github.com/anchore/syft/syft/file" @@ -14,6 +15,7 @@ func Test_ELF_Package_Cataloger(t *testing.T) { name string fixture string expected []pkg.Package + wantErr require.ErrorAssertionFunc }{ { name: "go case", @@ -63,6 +65,7 @@ func Test_ELF_Package_Cataloger(t *testing.T) { }, }, }, + wantErr: require.Error, }, { name: "fedora 64 bit binaries", @@ -116,6 +119,7 @@ func Test_ELF_Package_Cataloger(t *testing.T) { WithImageResolver(t, v.fixture). IgnoreLocationLayer(). // this fixture can be rebuilt, thus the layer ID will change Expects(v.expected, nil). + WithErrorAssertion(v.wantErr). TestCataloger(t, NewELFPackageCataloger()) }) } diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/Dockerfile b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/Dockerfile index a5efa56eb3f..cbda8d0cb3b 100644 --- a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/Dockerfile +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/Dockerfile @@ -4,11 +4,14 @@ RUN dnf update -y; \ dnf clean all RUN mkdir -p /usr/local/bin/elftests/elfbinwithnestedlib RUN mkdir -p /usr/local/bin/elftests/elfbinwithsisterlib +RUN mkdir -p /usr/local/bin/elftests/elfbinwithcorrupt COPY ./elfbinwithnestedlib /usr/local/bin/elftests/elfbinwithnestedlib COPY ./elfbinwithsisterlib /usr/local/bin/elftests/elfbinwithsisterlib +COPY ./elfbinwithcorrupt /usr/local/bin/elftests/elfbinwithcorrupt ENV LD_LIBRARY_PATH=/usr/local/bin/elftests/elfbinwithnestedlib/bin/lib WORKDIR /usr/local/bin/elftests/elfbinwithnestedlib/ RUN make WORKDIR /usr/local/bin/elftests/elfbinwithsisterlib RUN make - +WORKDIR /usr/local/bin/elftests/elfbinwithcorrupt +RUN make diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.cpp b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.cpp new file mode 100644 index 00000000000..9da59af37b5 --- /dev/null +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.cpp @@ -0,0 +1,6 @@ +#include +#include "hello_world.h" + +void print_hello_world() { + std::cout << "Hello, World!" << std::endl; +} diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.h b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.h new file mode 100644 index 00000000000..d4193a60961 --- /dev/null +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/hello_world.h @@ -0,0 +1,8 @@ + +#ifndef HELLO_WORLD_H +#define HELLO_WORLD_H + +// Function declaration for printing "Hello, World!" to stdout +void print_hello_world(); + +#endif // HELLO_WORLD_H diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/makefile b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/makefile new file mode 100644 index 00000000000..9b471a878a5 --- /dev/null +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/makefile @@ -0,0 +1,48 @@ +LDFLAGS := -L/lib64 -lstdc++ + +SRC_DIR := ./ +BUILD_DIR := ../build +BIN_DIR := ../bin +LIB_DIR := $(BIN_DIR)/lib + +LIB_NAME := hello_world +LIB_SRC := $(SRC_DIR)/hello_world.cpp +LIB_OBJ := $(BUILD_DIR)/$(LIB_NAME).o +LIB_SO := $(LIB_DIR)/lib$(LIB_NAME).so + +EXECUTABLE := elfbinwithnestedlib +EXEC_SRC := $(SRC_DIR)/testbin.cpp +EXEC_OBJ := $(BUILD_DIR)/$(EXECUTABLE).o + + + +all: testfixture + +$(LIB_SO): $(LIB_OBJ) | $(LIB_DIR) + $(CC) -shared -o $@ $< + echo '{ corrupt json "system": "syftsys","name": "libhello_world.so","version": "0.01","pure:0.01"}' | objcopy --add-section .note.package=/dev/stdin --set-section-flags .note.package=noload,readonly $@ + +$(LIB_OBJ): $(LIB_SRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) -fPIC -c $< -o $@ + +$(EXEC_OBJ): $(EXEC_SRC) | $(BUILD_DIR) + $(CC) $(CFLAGS) -c $< -o $@ + +$(BIN_DIR): + mkdir -p $(BIN_DIR) +$(BUILD_DIR): + mkdir -p $(BUILD_DIR) +$(LIB_DIR): + mkdir -p $(LIB_DIR) + +$(BIN_DIR)/$(EXECUTABLE): $(EXEC_OBJ) $(LIB_SO) | $(BIN_DIR) + $(CC) $(CFLAGS) -o $@ $^ -L$(LIB_DIR) -l$(LIB_NAME) $(LDFLAGS) + echo '{corrupt json ..._syfttestfixture:0.01"}' | objcopy --add-section .note.package=/dev/stdin --set-section-flags .note.package=noload,readonly $@ + +testfixture: $(BIN_DIR)/$(EXECUTABLE) + +clean: + rm -rf $(BUILD_DIR) $(LIB_DIR) $(BIN_DIR) $(EXECUTABLE) + +.PHONY: all clean + diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/testbin.cpp b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/testbin.cpp new file mode 100644 index 00000000000..58a6e10506a --- /dev/null +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/elfsrc/testbin.cpp @@ -0,0 +1,8 @@ +#include "hello_world.h" + +int main() { + // Call the function from the shared library + print_hello_world(); + + return 0; +} diff --git a/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/makefile b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/makefile new file mode 100644 index 00000000000..b53f429a381 --- /dev/null +++ b/syft/pkg/cataloger/binary/test-fixtures/elf-test-fixtures/elfbinwithcorrupt/makefile @@ -0,0 +1,18 @@ +CC = g++ +CFLAGS = -std=c++17 -Wall -Wextra -pedantic +BUILD_DIR := ./build +BIN_DIR := ./bin +LIB_DIR := $(BIN_DIR)/lib + + + +all: testfixtures + +testfixtures: + $(MAKE) -C elfsrc + +clean: + rm -rf $(BUILD_DIR) $(BIN_DIR) + +.PHONY: all clean testfixtures + From b0c0d42fd2e491b4020cfc5ad027c3f2acb69bd0 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 12 Aug 2024 18:42:50 -0400 Subject: [PATCH 16/51] chore: conan lock unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/cpp/parse_conanlock_test.go | 7 +++++++ .../pkg/cataloger/cpp/test-fixtures/corrupt/conan.lock | 10 ++++++++++ 2 files changed, 17 insertions(+) create mode 100644 syft/pkg/cataloger/cpp/test-fixtures/corrupt/conan.lock diff --git a/syft/pkg/cataloger/cpp/parse_conanlock_test.go b/syft/pkg/cataloger/cpp/parse_conanlock_test.go index da143fe51b3..23fe24c28c4 100644 --- a/syft/pkg/cataloger/cpp/parse_conanlock_test.go +++ b/syft/pkg/cataloger/cpp/parse_conanlock_test.go @@ -373,3 +373,10 @@ func TestParseConanLockV2(t *testing.T) { pkgtest.TestFileParser(t, fixture, parseConanLock, expected, expectedRelationships) } + +func Test_corruptConanlock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/conan.lock"). + WithError(). + TestParser(t, parseConanLock) +} diff --git a/syft/pkg/cataloger/cpp/test-fixtures/corrupt/conan.lock b/syft/pkg/cataloger/cpp/test-fixtures/corrupt/conan.lock new file mode 100644 index 00000000000..c7e82d59c95 --- /dev/null +++ b/syft/pkg/cataloger/cpp/test-fixtures/corrupt/conan.lock @@ -0,0 +1,10 @@ +{ + corrupt json + version": "0.5", + "requires": [ + "sound32/1.0#83d4b7bf607b3b60a6546f8b58b5cdd7%1675278904.0791488", + "matrix/1.1#905c3f0babc520684c84127378fefdd0%1675278901.7527816" + ], + "build_requires": [], + "python_requires": [] +} From 9e40008d52a6bf6d1483db62b27b75caa8db746c Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 12 Aug 2024 18:53:12 -0400 Subject: [PATCH 17/51] chore: dart unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/dart/parse_pubspec_lock_test.go | 7 +++++++ syft/pkg/cataloger/dart/test-fixtures/corrupt/pubspec.lock | 7 +++++++ 2 files changed, 14 insertions(+) create mode 100644 syft/pkg/cataloger/dart/test-fixtures/corrupt/pubspec.lock diff --git a/syft/pkg/cataloger/dart/parse_pubspec_lock_test.go b/syft/pkg/cataloger/dart/parse_pubspec_lock_test.go index 6904b88c6d6..5aa5fc702b5 100644 --- a/syft/pkg/cataloger/dart/parse_pubspec_lock_test.go +++ b/syft/pkg/cataloger/dart/parse_pubspec_lock_test.go @@ -106,3 +106,10 @@ func TestParsePubspecLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parsePubspecLock, expected, expectedRelationships) } + +func Test_corruptPubspecLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/pubspec.lock"). + WithError(). + TestParser(t, parsePubspecLock) +} diff --git a/syft/pkg/cataloger/dart/test-fixtures/corrupt/pubspec.lock b/syft/pkg/cataloger/dart/test-fixtures/corrupt/pubspec.lock new file mode 100644 index 00000000000..583bf6702dd --- /dev/null +++ b/syft/pkg/cataloger/dart/test-fixtures/corrupt/pubspec.lock @@ -0,0 +1,7 @@ +pa +kages: + ale: + dependency: transitive + descr +s ps: + dart: ">=2.12.0 <3.0.0" From a0127f8a90cadb0c19abb1eb987df74cfba15afb Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 10:39:51 -0400 Subject: [PATCH 18/51] chore: debian unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/debian/parse_dpkg_db_test.go | 11 +++++++++++ .../test-fixtures/var/lib/dpkg/status.d/corrupt | 6 ++++++ 2 files changed, 17 insertions(+) create mode 100644 syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/corrupt diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go index 603de91e3a6..e50e90fd9d6 100644 --- a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go @@ -257,6 +257,17 @@ func Test_parseDpkgStatus(t *testing.T) { } } +func Test_corruptEntry(t *testing.T) { + f, err := os.Open("test-fixtures/var/lib/dpkg/status.d/corrupt") + require.NoError(t, err) + t.Cleanup(func() { require.NoError(t, f.Close()) }) + + reader := bufio.NewReader(f) + + _, err = parseDpkgStatus(reader) + require.Error(t, err) +} + func TestSourceVersionExtract(t *testing.T) { tests := []struct { name string diff --git a/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/corrupt b/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/corrupt new file mode 100644 index 00000000000..aadb721975d --- /dev/null +++ b/syft/pkg/cataloger/debian/test-fixtures/var/lib/dpkg/status.d/corrupt @@ -0,0 +1,6 @@ +Pakij: apt +Stratus: install ok installed +Prioority: required +Section: admin +Insterface to the configuration settings + * apt-key as an interface to manage authentication keys From f7644b5c46823fa9c94e4558356dbef604743e2b Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 10:47:31 -0400 Subject: [PATCH 19/51] chore: dotnet unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/alpine/parse_apk_db.go | 2 +- syft/pkg/cataloger/binary/elf_package_cataloger_test.go | 3 ++- syft/pkg/cataloger/dotnet/parse_dotnet_deps_test.go | 7 +++++++ .../dotnet/parse_dotnet_portable_executable_test.go | 7 +++++++ 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/syft/pkg/cataloger/alpine/parse_apk_db.go b/syft/pkg/cataloger/alpine/parse_apk_db.go index 983c70e8b51..02cde97f349 100644 --- a/syft/pkg/cataloger/alpine/parse_apk_db.go +++ b/syft/pkg/cataloger/alpine/parse_apk_db.go @@ -4,7 +4,6 @@ import ( "bufio" "context" "fmt" - "github.com/anchore/syft/internal/unknown" "io" "path" "regexp" @@ -13,6 +12,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/linux" diff --git a/syft/pkg/cataloger/binary/elf_package_cataloger_test.go b/syft/pkg/cataloger/binary/elf_package_cataloger_test.go index 3a2055d0196..0325b3083ad 100644 --- a/syft/pkg/cataloger/binary/elf_package_cataloger_test.go +++ b/syft/pkg/cataloger/binary/elf_package_cataloger_test.go @@ -1,9 +1,10 @@ package binary import ( - "github.com/stretchr/testify/require" "testing" + "github.com/stretchr/testify/require" + "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_deps_test.go b/syft/pkg/cataloger/dotnet/parse_dotnet_deps_test.go index bdf40851ab2..84878c86c1c 100644 --- a/syft/pkg/cataloger/dotnet/parse_dotnet_deps_test.go +++ b/syft/pkg/cataloger/dotnet/parse_dotnet_deps_test.go @@ -9,6 +9,13 @@ import ( "github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" ) +func Test_corruptDotnetDeps(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/something.deps.json"). + WithError(). + TestParser(t, parseDotnetDeps) +} + func TestParseDotnetDeps(t *testing.T) { fixture := "test-fixtures/TestLibrary.deps.json" fixtureLocationSet := file.NewLocationSet(file.NewLocation(fixture)) diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go index 4d915a50d2f..2be417d6a8e 100644 --- a/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go +++ b/syft/pkg/cataloger/dotnet/parse_dotnet_portable_executable_test.go @@ -297,6 +297,13 @@ func TestParseDotnetPortableExecutable(t *testing.T) { } } +func Test_corruptDotnetPE(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/something.exe"). + WithError(). + TestParser(t, parseDotnetPortableExecutable) +} + func Test_extractVersion(t *testing.T) { tests := []struct { input string From 55deeb151eb11611493d0d6b33d24a1d262f1dd8 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 11:02:10 -0400 Subject: [PATCH 20/51] chore: erlang unknowns + test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/erlang/parse_otp_app_test.go | 7 +++++++ syft/pkg/cataloger/erlang/parse_rebar_lock_test.go | 7 +++++++ .../erlang/test-fixtures/corrupt/rabbitmq.app | 9 +++++++++ .../cataloger/erlang/test-fixtures/corrupt/rebar.lock | 11 +++++++++++ 4 files changed, 34 insertions(+) create mode 100644 syft/pkg/cataloger/erlang/test-fixtures/corrupt/rabbitmq.app create mode 100644 syft/pkg/cataloger/erlang/test-fixtures/corrupt/rebar.lock diff --git a/syft/pkg/cataloger/erlang/parse_otp_app_test.go b/syft/pkg/cataloger/erlang/parse_otp_app_test.go index 9c0abf16edb..93c0aa238a9 100644 --- a/syft/pkg/cataloger/erlang/parse_otp_app_test.go +++ b/syft/pkg/cataloger/erlang/parse_otp_app_test.go @@ -41,3 +41,10 @@ func TestParseOTPApplication(t *testing.T) { }) } } + +func Test_corruptOtpApp(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/rabbitmq.app"). + WithError(). + TestParser(t, parseOTPApp) +} diff --git a/syft/pkg/cataloger/erlang/parse_rebar_lock_test.go b/syft/pkg/cataloger/erlang/parse_rebar_lock_test.go index 00d7a273066..67e309cd313 100644 --- a/syft/pkg/cataloger/erlang/parse_rebar_lock_test.go +++ b/syft/pkg/cataloger/erlang/parse_rebar_lock_test.go @@ -255,3 +255,10 @@ func TestParseRebarLock(t *testing.T) { }) } } + +func Test_corruptRebarLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/rebar.lock"). + WithError(). + TestParser(t, parseRebarLock) +} diff --git a/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rabbitmq.app b/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rabbitmq.app new file mode 100644 index 00000000000..5c8f73fd067 --- /dev/null +++ b/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rabbitmq.app @@ -0,0 +1,9 @@ +cation, 'rabbit', [ + {description, "RabbitMQ"}, + {vsn, "3.12.10"}, + {id, "v3.12.9-9-g1f61ca8"}, + {modules, ['amqqueue','background_gc']}, + {optional_itmq-server#1593 + {channel_max, 2047} + ]} +]}. \ No newline at end of file diff --git a/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rebar.lock b/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rebar.lock new file mode 100644 index 00000000000..ea6afc2a641 --- /dev/null +++ b/syft/pkg/cataloger/erlang/test-fixtures/corrupt/rebar.lock @@ -0,0 +1,11 @@ +{"1.2.0", +[{<<"certifi{pkg,<<"certifi">>,<<"2.9.0">>},0}, + {<<"idna">>,{pkg,<<"idpkg,<<"parse_trans">>,<<"3.3.1">>},0}, + {<<"ssl_verify_fun">>,{pkg,<<"ssl_verify_fun">>,<<"1.1.6">>},0}, + {<<"unicode_util_compat">>,{pkg,<<"unicode_util_compat">>,<<"0.7.0">>},0}]}. +[ +{pkg_hash,[ + {<<"certifi">>, <<"6F2A475689DD47F19FB74334859D460A2DC4E3252A3324BD2111B8F0429E7E21">>}, + {<<"idna">>, <<"8A63070E9F7D0C62EB9D9FCB360A7DE382448200FBBD1B106CC96D3D8099DF8D">>}, + {<<"metrics">>, <<"25F094DEA2CDA98213CECC3AEFF09E940299D950904393B2A29D191C346A8486">>}, + {<<"mimerl From dba43b8d469a6c40e673cf8b2e854e4e11506d5e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 11:29:23 -0400 Subject: [PATCH 21/51] chore: generic unknowns Signed-off-by: Keith Zantow --- syft/pkg/cataloger/generic/cataloger_test.go | 25 ++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/syft/pkg/cataloger/generic/cataloger_test.go b/syft/pkg/cataloger/generic/cataloger_test.go index e971b4459f4..1941b93f389 100644 --- a/syft/pkg/cataloger/generic/cataloger_test.go +++ b/syft/pkg/cataloger/generic/cataloger_test.go @@ -10,6 +10,7 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -187,3 +188,27 @@ func TestClosesFileOnParserPanic(t *testing.T) { }) require.True(t, spy.closed) } + +func Test_genericCatalogerReturnsErrors(t *testing.T) { + genericErrorReturning := NewCataloger("error returning").WithParserByGlobs(func(ctx context.Context, resolver file.Resolver, environment *Environment, locationReader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { + return []pkg.Package{ + { + Name: "some-package-" + locationReader.Path(), + }, + }, nil, unknown.Newf(locationReader, "unable to read") + }, "**/*") + + m := file.NewMockResolverForPaths( + "test-fixtures/a-path.txt", + "test-fixtures/empty.txt", + ) + + got, _, errs := genericErrorReturning.Catalog(context.TODO(), m) + + // require packages and errors + require.NotEmpty(t, got) + + unknowns, others := unknown.ExtractCoordinateErrors(errs) + require.NotEmpty(t, unknowns) + require.Empty(t, others) +} From 488e5a154591c98c9e9dcf828807d3c0fb82ad98 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 11:50:31 -0400 Subject: [PATCH 22/51] chore: github action unknowns Signed-off-by: Keith Zantow --- .../githubactions/parse_composite_action_test.go | 7 +++++++ .../githubactions/parse_workflow_test.go | 14 ++++++++++++++ .../test-fixtures/corrupt/composite-action.yaml | 13 +++++++++++++ .../corrupt/workflow-multi-job.yaml | 16 ++++++++++++++++ 4 files changed, 50 insertions(+) create mode 100644 syft/pkg/cataloger/githubactions/test-fixtures/corrupt/composite-action.yaml create mode 100644 syft/pkg/cataloger/githubactions/test-fixtures/corrupt/workflow-multi-job.yaml diff --git a/syft/pkg/cataloger/githubactions/parse_composite_action_test.go b/syft/pkg/cataloger/githubactions/parse_composite_action_test.go index e39e18e1a32..080d8081667 100644 --- a/syft/pkg/cataloger/githubactions/parse_composite_action_test.go +++ b/syft/pkg/cataloger/githubactions/parse_composite_action_test.go @@ -33,3 +33,10 @@ func Test_parseCompositeActionForActionUsage(t *testing.T) { var expectedRelationships []artifact.Relationship pkgtest.TestFileParser(t, fixture, parseCompositeActionForActionUsage, expected, expectedRelationships) } + +func Test_corruptCompositeAction(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/composite-action.yaml"). + WithError(). + TestParser(t, parseCompositeActionForActionUsage) +} diff --git a/syft/pkg/cataloger/githubactions/parse_workflow_test.go b/syft/pkg/cataloger/githubactions/parse_workflow_test.go index f5e5128b41f..52c4e1ebd0c 100644 --- a/syft/pkg/cataloger/githubactions/parse_workflow_test.go +++ b/syft/pkg/cataloger/githubactions/parse_workflow_test.go @@ -86,3 +86,17 @@ func Test_parseWorkflowForWorkflowUsage(t *testing.T) { var expectedRelationships []artifact.Relationship pkgtest.TestFileParser(t, fixture, parseWorkflowForWorkflowUsage, expected, expectedRelationships) } + +func Test_corruptActionWorkflow(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/workflow-multi-job.yaml"). + WithError(). + TestParser(t, parseWorkflowForActionUsage) +} + +func Test_corruptWorkflowWorkflow(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/workflow-multi-job.yaml"). + WithError(). + TestParser(t, parseWorkflowForWorkflowUsage) +} diff --git a/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/composite-action.yaml b/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/composite-action.yaml new file mode 100644 index 00000000000..44526253e18 --- /dev/null +++ b/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/composite-action.yaml @@ -0,0 +1,13 @@ +name: "Bootstrap" +description: "Bootstrap all tools and dependencies" +ints: + go-version: + descrapt-packages: + description: "Space delimited list of tools to install via apt" + default: "libxml2-utils" + +rns: + us all cache fingerprints + shell: bash + run: make fingerprints + diff --git a/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/workflow-multi-job.yaml b/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/workflow-multi-job.yaml new file mode 100644 index 00000000000..f9c2c057040 --- /dev/null +++ b/syft/pkg/cataloger/githubactions/test-fixtures/corrupt/workflow-multi-job.yaml @@ -0,0 +1,16 @@ +name: "Validations" + +on: + workflow_dispatch: + pull_request: + push: + branches: + - main + +jbs + + Statnapshot + key: snapshot-build-${{ github.run_id }} + + - name: Run CLI Tests (Linux) + run: make cli From f981dd2c9d1effeb48ac0be5ab834047b8668e2f Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 12:16:17 -0400 Subject: [PATCH 23/51] chore: golang unknowns Signed-off-by: Keith Zantow --- syft/pkg/cataloger/golang/parse_go_mod_test.go | 8 ++++++++ .../pkg/cataloger/golang/test-fixtures/corrupt/go.mod | 11 +++++++++++ .../pkg/cataloger/golang/test-fixtures/corrupt/go.sum | 4 ++++ 3 files changed, 23 insertions(+) create mode 100644 syft/pkg/cataloger/golang/test-fixtures/corrupt/go.mod create mode 100644 syft/pkg/cataloger/golang/test-fixtures/corrupt/go.sum diff --git a/syft/pkg/cataloger/golang/parse_go_mod_test.go b/syft/pkg/cataloger/golang/parse_go_mod_test.go index 19ae7f33b70..20538e4c78d 100644 --- a/syft/pkg/cataloger/golang/parse_go_mod_test.go +++ b/syft/pkg/cataloger/golang/parse_go_mod_test.go @@ -157,3 +157,11 @@ func Test_GoSumHashes(t *testing.T) { }) } } + +func Test_corruptGoMod(t *testing.T) { + c := NewGoModuleFileCataloger(DefaultCatalogerConfig().WithSearchRemoteLicenses(false)) + pkgtest.NewCatalogTester(). + FromDirectory(t, "test-fixtures/corrupt"). + WithError(). + TestCataloger(t, c) +} diff --git a/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.mod b/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.mod new file mode 100644 index 00000000000..1e345eec5e6 --- /dev/null +++ b/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.mod @@ -0,0 +1,11 @@ +module github.com/anchore/syft + +go 1.18 + +ruire ( + github.com/CycloneDX/cyclonedx-go v0.7.0 + github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d + github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect +) + +replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.6.0 diff --git a/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.sum b/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.sum new file mode 100644 index 00000000000..e80236bebe8 --- /dev/null +++ b/syft/pkg/cataloger/golang/test-fixtures/corrupt/go.sum @@ -0,0 +1,4 @@ +github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg= +github.com/Cycpansi v0.0.0-20180116102854-5a71ef0e047d h1:licZJFw2RwpHMqeKTCYkitsPqHNxTmd4SNR5r94FGM8= +github6IF +github.com/stretchr/test4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= From 8e64d0d9c9da59b502c34c36a0b5b85505e9b145 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 12:58:42 -0400 Subject: [PATCH 24/51] chore: unknowns configuration Signed-off-by: Keith Zantow --- cmd/syft/internal/options/catalog.go | 12 ++++++++++++ cmd/syft/internal/options/unknowns.go | 28 +++++++++++++++++++++++++++ internal/task/unknowns_tasks.go | 21 +++++++------------- syft/cataloging/unknowns.go | 13 +++++++++++++ syft/create_sbom_config.go | 9 ++++++++- 5 files changed, 68 insertions(+), 15 deletions(-) create mode 100644 cmd/syft/internal/options/unknowns.go create mode 100644 syft/cataloging/unknowns.go diff --git a/cmd/syft/internal/options/catalog.go b/cmd/syft/internal/options/catalog.go index 99359abec51..e123e95ba8c 100644 --- a/cmd/syft/internal/options/catalog.go +++ b/cmd/syft/internal/options/catalog.go @@ -50,6 +50,9 @@ type Catalog struct { Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` Source sourceConfig `yaml:"source" json:"source" mapstructure:"source"` Exclusions []string `yaml:"exclude" json:"exclude" mapstructure:"exclude"` + + // configuration for inclusion of unknown information within elements + Unknowns unknownsConfig `yaml:"unknowns" mapstructure:"unknowns"` } var _ interface { @@ -67,6 +70,7 @@ func DefaultCatalog() Catalog { Java: defaultJavaConfig(), File: defaultFileConfig(), Relationships: defaultRelationshipsConfig(), + Unknowns: defaultUnknowns(), Source: defaultSourceConfig(), Parallelism: 1, } @@ -77,6 +81,7 @@ func (cfg Catalog) ToSBOMConfig(id clio.Identification) *syft.CreateSBOMConfig { WithTool(id.Name, id.Version). WithParallelism(cfg.Parallelism). WithRelationshipsConfig(cfg.ToRelationshipsConfig()). + WithUnknownsConfig(cfg.ToUnknownsConfig()). WithSearchConfig(cfg.ToSearchConfig()). WithPackagesConfig(cfg.ToPackagesConfig()). WithFilesConfig(cfg.ToFilesConfig()). @@ -102,6 +107,13 @@ func (cfg Catalog) ToRelationshipsConfig() cataloging.RelationshipsConfig { } } +func (cfg Catalog) ToUnknownsConfig() cataloging.UnknownsConfig { + return cataloging.UnknownsConfig{ + IncludeExecutablesWithoutPackages: cfg.Unknowns.ExecutablesWithoutPackages, + IncludeUnexpandedArchives: cfg.Unknowns.UnexpandedArchives, + } +} + func (cfg Catalog) ToFilesConfig() filecataloging.Config { hashers, err := intFile.Hashers(cfg.File.Metadata.Digests...) if err != nil { diff --git a/cmd/syft/internal/options/unknowns.go b/cmd/syft/internal/options/unknowns.go new file mode 100644 index 00000000000..8355afb5904 --- /dev/null +++ b/cmd/syft/internal/options/unknowns.go @@ -0,0 +1,28 @@ +package options + +import ( + "github.com/anchore/clio" + "github.com/anchore/syft/syft/cataloging" +) + +type unknownsConfig struct { + ExecutablesWithoutPackages bool `json:"executables-without-packages" yaml:"executables-without-packages" mapstructure:"executables-without-packages"` + UnexpandedArchives bool `json:"unexpanded-archives" yaml:"unexpanded-archives" mapstructure:"unexpanded-archives"` +} + +var _ interface { + clio.FieldDescriber +} = (*unknownsConfig)(nil) + +func (o *unknownsConfig) DescribeFields(descriptions clio.FieldDescriptionSet) { + descriptions.Add(&o.ExecutablesWithoutPackages, `include executables without any identified packages`) + descriptions.Add(&o.UnexpandedArchives, `include archives which were not expanded and searched`) +} + +func defaultUnknowns() unknownsConfig { + def := cataloging.DefaultUnknownsConfig() + return unknownsConfig{ + ExecutablesWithoutPackages: def.IncludeExecutablesWithoutPackages, + UnexpandedArchives: def.IncludeUnexpandedArchives, + } +} diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index 307e25b72de..cb6710f3034 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -7,29 +7,22 @@ import ( "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/sbomsync" + "github.com/anchore/syft/syft/cataloging" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/sbom" ) -type UnknownsConfig struct { - IncludeExecutablesWithoutPackages bool - IncludeUnexpandedArchives bool +func NewUnknownsFinalizeTask(cfg cataloging.UnknownsConfig) Task { + return NewTask("unknowns-finalize", unknownsFinalizeTask{cfg}.processUnknowns) } -func DefaultUnknownsConfig() UnknownsConfig { - return UnknownsConfig{ - IncludeExecutablesWithoutPackages: true, - IncludeUnexpandedArchives: true, - } -} - -func NewUnknownsFinalizeTask(cfg UnknownsConfig) Task { - return NewTask("unknowns-finalize", cfg.processUnknowns) +type unknownsFinalizeTask struct { + cataloging.UnknownsConfig } // processUnknowns removes unknown entries that have valid packages reported for the locations -func (c UnknownsConfig) processUnknowns(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error { +func (c unknownsFinalizeTask) processUnknowns(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error { accessor := builder.(sbomsync.Accessor) accessor.WriteToSBOM(func(s *sbom.SBOM) { c.finalize(resolver, s) @@ -37,7 +30,7 @@ func (c UnknownsConfig) processUnknowns(_ context.Context, resolver file.Resolve return nil } -func (c UnknownsConfig) finalize(resolver file.Resolver, s *sbom.SBOM) { +func (c unknownsFinalizeTask) finalize(resolver file.Resolver, s *sbom.SBOM) { hasPackageReference := coordinateReferenceLookup(resolver, s) for coords := range s.Artifacts.Unknowns { diff --git a/syft/cataloging/unknowns.go b/syft/cataloging/unknowns.go new file mode 100644 index 00000000000..a82aa191b2d --- /dev/null +++ b/syft/cataloging/unknowns.go @@ -0,0 +1,13 @@ +package cataloging + +type UnknownsConfig struct { + IncludeExecutablesWithoutPackages bool + IncludeUnexpandedArchives bool +} + +func DefaultUnknownsConfig() UnknownsConfig { + return UnknownsConfig{ + IncludeExecutablesWithoutPackages: true, + IncludeUnexpandedArchives: true, + } +} diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go index ca9212152d8..8cd7713a3a1 100644 --- a/syft/create_sbom_config.go +++ b/syft/create_sbom_config.go @@ -21,6 +21,7 @@ type CreateSBOMConfig struct { // required configuration input to specify how cataloging should be performed Search cataloging.SearchConfig Relationships cataloging.RelationshipsConfig + Unknowns cataloging.UnknownsConfig DataGeneration cataloging.DataGenerationConfig Packages pkgcataloging.Config Files filecataloging.Config @@ -105,6 +106,12 @@ func (c *CreateSBOMConfig) WithRelationshipsConfig(cfg cataloging.RelationshipsC return c } +// WithUnknownsConfig allows for defining the specific behavior dealing with unknowns +func (c *CreateSBOMConfig) WithUnknownsConfig(cfg cataloging.UnknownsConfig) *CreateSBOMConfig { + c.Unknowns = cfg + return c +} + // WithDataGenerationConfig allows for defining what data elements that cannot be discovered from the underlying // target being scanned that should be generated after package creation. func (c *CreateSBOMConfig) WithDataGenerationConfig(cfg cataloging.DataGenerationConfig) *CreateSBOMConfig { @@ -340,7 +347,7 @@ func (c *CreateSBOMConfig) environmentTasks() []task.Task { func (c *CreateSBOMConfig) unknownTasks() []task.Task { var tasks []task.Task - if t := task.NewUnknownsFinalizeTask(task.DefaultUnknownsConfig()); t != nil { + if t := task.NewUnknownsFinalizeTask(c.Unknowns); t != nil { tasks = append(tasks, t) } From a31f547cc227f773610f5ff33745f447cb97383e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 14:01:56 -0400 Subject: [PATCH 25/51] chore: haskell unknowns Signed-off-by: Keith Zantow --- syft/pkg/cataloger/haskell/parse_stack_lock_test.go | 7 +++++++ syft/pkg/cataloger/haskell/parse_stack_yaml_test.go | 7 +++++++ .../cataloger/haskell/test-fixtures/corrupt/stack.yaml | 6 ++++++ .../haskell/test-fixtures/corrupt/stack.yaml.lock | 8 ++++++++ 4 files changed, 28 insertions(+) create mode 100644 syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml create mode 100644 syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml.lock diff --git a/syft/pkg/cataloger/haskell/parse_stack_lock_test.go b/syft/pkg/cataloger/haskell/parse_stack_lock_test.go index 682aa343234..ee84ae092a6 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_lock_test.go +++ b/syft/pkg/cataloger/haskell/parse_stack_lock_test.go @@ -130,3 +130,10 @@ func TestParseStackLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parseStackLock, expectedPkgs, expectedRelationships) } + +func Test_corruptStackLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/stack.yaml.lock"). + WithError(). + TestParser(t, parseStackLock) +} diff --git a/syft/pkg/cataloger/haskell/parse_stack_yaml_test.go b/syft/pkg/cataloger/haskell/parse_stack_yaml_test.go index 1aa82535797..ee458639648 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_yaml_test.go +++ b/syft/pkg/cataloger/haskell/parse_stack_yaml_test.go @@ -110,3 +110,10 @@ func TestParseStackYaml(t *testing.T) { pkgtest.TestFileParser(t, fixture, parseStackYaml, expectedPkgs, expectedRelationships) } + +func Test_corruptStackYaml(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/stack.yaml"). + WithError(). + TestParser(t, parseStackYaml) +} diff --git a/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml b/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml new file mode 100644 index 00000000000..918d0bce7fd --- /dev/null +++ b/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml @@ -0,0 +1,6 @@ +flag +extra-package-dbs: [] +packa@sha256:fbcf49ecfc3d4da53e797fd0275264cba776ffa324ee223e2a3f4ec2d2c9c4a6,2165 + - stm-2.5.0.2@sha256:e4dc6473faaa75fbd7eccab4e3ee1d651d75bb0e49946ef0b8b751ccde771a55,2314 +ghc-options: + "$everything": -haddock diff --git a/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml.lock b/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml.lock new file mode 100644 index 00000000000..138e87ad516 --- /dev/null +++ b/syft/pkg/cataloger/haskell/test-fixtures/corrupt/stack.yaml.lock @@ -0,0 +1,8 @@ +packages +-comp +al: + commit: a5847301404583e16d55cd4d051b8e605d704fbc + git: https://github.com/runtimeverification/haskell-backend.git + subdir: kore +snapshots +- complete//raw.github From 036f0e6cf6d785a3dc8c2766148c824daa0beb1e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 14:25:34 -0400 Subject: [PATCH 26/51] chore: java unknowns Signed-off-by: Keith Zantow --- .../cataloger/internal/pkgtest/test_generic_parser.go | 8 ++++++++ syft/pkg/cataloger/java/archive_parser_test.go | 8 ++++++++ syft/pkg/cataloger/java/parse_pom_xml.go | 5 ++++- syft/pkg/cataloger/java/parse_pom_xml_test.go | 8 ++++++++ .../cataloger/java/tar_wrapped_archive_parser_test.go | 9 +++++++++ .../pkg/cataloger/java/test-fixtures/corrupt/example.jar | 1 + .../pkg/cataloger/java/test-fixtures/corrupt/example.tar | 1 + syft/pkg/cataloger/java/test-fixtures/corrupt/pom.xml | 1 + 8 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 syft/pkg/cataloger/java/test-fixtures/corrupt/example.jar create mode 100644 syft/pkg/cataloger/java/test-fixtures/corrupt/example.tar create mode 100644 syft/pkg/cataloger/java/test-fixtures/corrupt/pom.xml diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go index 2025d8d45c5..5a8c3dc4ee2 100644 --- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go +++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go @@ -17,6 +17,7 @@ import ( "github.com/anchore/stereoscope/pkg/imagetest" "github.com/anchore/syft/internal/cmptest" "github.com/anchore/syft/internal/relationship" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/linux" @@ -116,6 +117,13 @@ func (p *CatalogTester) WithError() *CatalogTester { return p } +func (p *CatalogTester) WithUnknownError() *CatalogTester { + p.wantErr = func(t require.TestingT, err error, i ...interface{}) { + require.ErrorIs(t, err, &unknown.CoordinateError{}) + } + return p +} + func (p *CatalogTester) WithErrorAssertion(a require.ErrorAssertionFunc) *CatalogTester { p.wantErr = a return p diff --git a/syft/pkg/cataloger/java/archive_parser_test.go b/syft/pkg/cataloger/java/archive_parser_test.go index 8f93092ced1..6fa0acc4755 100644 --- a/syft/pkg/cataloger/java/archive_parser_test.go +++ b/syft/pkg/cataloger/java/archive_parser_test.go @@ -1494,3 +1494,11 @@ func run(t testing.TB, cmd *exec.Cmd) { func ptr[T any](value T) *T { return &value } + +func Test_corruptJarArchive(t *testing.T) { + ap := newGenericArchiveParserAdapter(DefaultArchiveCatalogerConfig()) + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/example.jar"). + WithError(). + TestParser(t, ap.parseJavaArchive) +} diff --git a/syft/pkg/cataloger/java/parse_pom_xml.go b/syft/pkg/cataloger/java/parse_pom_xml.go index d9fe4b2c25a..4f619d4bc5b 100644 --- a/syft/pkg/cataloger/java/parse_pom_xml.go +++ b/syft/pkg/cataloger/java/parse_pom_xml.go @@ -15,6 +15,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -41,11 +42,13 @@ func (p pomXMLCataloger) Catalog(ctx context.Context, fileResolver file.Resolver r := newMavenResolver(fileResolver, p.cfg) + var errs error var poms []*gopom.Project for _, pomLocation := range locations { pom, err := readPomFromLocation(fileResolver, pomLocation) if err != nil || pom == nil { log.WithFields("error", err, "pomLocation", pomLocation).Debug("error while reading pom") + errs = unknown.Appendf(errs, pomLocation, "error reading pom.xml: %w", err) continue } @@ -60,7 +63,7 @@ func (p pomXMLCataloger) Catalog(ctx context.Context, fileResolver file.Resolver for _, pom := range poms { pkgs = append(pkgs, processPomXML(ctx, r, pom, r.pomLocations[pom])...) } - return pkgs, nil, nil + return pkgs, nil, errs } func readPomFromLocation(fileResolver file.Resolver, pomLocation file.Location) (*gopom.Project, error) { diff --git a/syft/pkg/cataloger/java/parse_pom_xml_test.go b/syft/pkg/cataloger/java/parse_pom_xml_test.go index 45650049072..f80a6762840 100644 --- a/syft/pkg/cataloger/java/parse_pom_xml_test.go +++ b/syft/pkg/cataloger/java/parse_pom_xml_test.go @@ -705,3 +705,11 @@ func getCommonsTextExpectedPackages() []pkg.Package { }, } } + +func Test_corruptPomXml(t *testing.T) { + c := NewPomCataloger(DefaultArchiveCatalogerConfig()) + pkgtest.NewCatalogTester(). + FromDirectory(t, "test-fixtures/corrupt"). + WithError(). + TestCataloger(t, c) +} diff --git a/syft/pkg/cataloger/java/tar_wrapped_archive_parser_test.go b/syft/pkg/cataloger/java/tar_wrapped_archive_parser_test.go index 24b1b55f5c7..089d19eb1dc 100644 --- a/syft/pkg/cataloger/java/tar_wrapped_archive_parser_test.go +++ b/syft/pkg/cataloger/java/tar_wrapped_archive_parser_test.go @@ -10,6 +10,7 @@ import ( "github.com/stretchr/testify/require" "github.com/anchore/syft/syft/file" + "github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" ) func Test_parseTarWrappedJavaArchive(t *testing.T) { @@ -57,3 +58,11 @@ func Test_parseTarWrappedJavaArchive(t *testing.T) { }) } } + +func Test_corruptTarArchive(t *testing.T) { + ap := newGenericTarWrappedJavaArchiveParser(DefaultArchiveCatalogerConfig()) + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/example.tar"). + WithError(). + TestParser(t, ap.parseTarWrappedJavaArchive) +} diff --git a/syft/pkg/cataloger/java/test-fixtures/corrupt/example.jar b/syft/pkg/cataloger/java/test-fixtures/corrupt/example.jar new file mode 100644 index 00000000000..8944cbcc070 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/corrupt/example.jar @@ -0,0 +1 @@ +example archive diff --git a/syft/pkg/cataloger/java/test-fixtures/corrupt/example.tar b/syft/pkg/cataloger/java/test-fixtures/corrupt/example.tar new file mode 100644 index 00000000000..8944cbcc070 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/corrupt/example.tar @@ -0,0 +1 @@ +example archive diff --git a/syft/pkg/cataloger/java/test-fixtures/corrupt/pom.xml b/syft/pkg/cataloger/java/test-fixtures/corrupt/pom.xml new file mode 100644 index 00000000000..11183e1abe7 --- /dev/null +++ b/syft/pkg/cataloger/java/test-fixtures/corrupt/pom.xml @@ -0,0 +1 @@ + \ No newline at end of file From 08047b3056263d39e1b89be2c22b9ec71eb92d9e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 15:19:32 -0400 Subject: [PATCH 27/51] chore: javascript unknowns Signed-off-by: Keith Zantow --- .../pkg/cataloger/internal/pkgtest/test_generic_parser.go | 8 -------- syft/pkg/cataloger/javascript/parse_package_json_test.go | 7 +++++++ syft/pkg/cataloger/javascript/parse_package_lock_test.go | 8 ++++++++ syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go | 7 +++++++ .../javascript/test-fixtures/corrupt/package-lock.json | 4 ++++ .../javascript/test-fixtures/corrupt/package.json | 5 +++++ .../javascript/test-fixtures/corrupt/pnpm-lock.yaml | 7 +++++++ 7 files changed, 38 insertions(+), 8 deletions(-) create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/corrupt/package-lock.json create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/corrupt/package.json create mode 100644 syft/pkg/cataloger/javascript/test-fixtures/corrupt/pnpm-lock.yaml diff --git a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go index 5a8c3dc4ee2..2025d8d45c5 100644 --- a/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go +++ b/syft/pkg/cataloger/internal/pkgtest/test_generic_parser.go @@ -17,7 +17,6 @@ import ( "github.com/anchore/stereoscope/pkg/imagetest" "github.com/anchore/syft/internal/cmptest" "github.com/anchore/syft/internal/relationship" - "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/linux" @@ -117,13 +116,6 @@ func (p *CatalogTester) WithError() *CatalogTester { return p } -func (p *CatalogTester) WithUnknownError() *CatalogTester { - p.wantErr = func(t require.TestingT, err error, i ...interface{}) { - require.ErrorIs(t, err, &unknown.CoordinateError{}) - } - return p -} - func (p *CatalogTester) WithErrorAssertion(a require.ErrorAssertionFunc) *CatalogTester { p.wantErr = a return p diff --git a/syft/pkg/cataloger/javascript/parse_package_json_test.go b/syft/pkg/cataloger/javascript/parse_package_json_test.go index 5c544580a89..74c9a0b7470 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json_test.go +++ b/syft/pkg/cataloger/javascript/parse_package_json_test.go @@ -189,6 +189,13 @@ func TestParsePackageJSON(t *testing.T) { } } +func Test_corruptPackageJSON(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/package.json"). + WithError(). + TestParser(t, parsePackageJSON) +} + func TestParsePackageJSON_Partial(t *testing.T) { // see https://github.com/anchore/syft/issues/311 const fixtureFile = "test-fixtures/pkg-json/package-partial.json" diff --git a/syft/pkg/cataloger/javascript/parse_package_lock_test.go b/syft/pkg/cataloger/javascript/parse_package_lock_test.go index 98448bf7b43..b3ba527bb7b 100644 --- a/syft/pkg/cataloger/javascript/parse_package_lock_test.go +++ b/syft/pkg/cataloger/javascript/parse_package_lock_test.go @@ -333,3 +333,11 @@ func TestParsePackageLockLicenseWithArray(t *testing.T) { adapter := newGenericPackageLockAdapter(CatalogerConfig{}) pkgtest.TestFileParser(t, fixture, adapter.parsePackageLock, expectedPkgs, expectedRelationships) } + +func Test_corruptPackageLock(t *testing.T) { + gap := newGenericPackageLockAdapter(DefaultCatalogerConfig()) + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/package-lock.json"). + WithError(). + TestParser(t, gap.parsePackageLock) +} diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go index 7c0ed1c4db8..8b5ed7d0ae0 100644 --- a/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go +++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock_test.go @@ -144,3 +144,10 @@ func TestParsePnpmV6Lock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parsePnpmLock, expectedPkgs, expectedRelationships) } + +func Test_corruptPnpmLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/pnpm-lock.yaml"). + WithError(). + TestParser(t, parsePnpmLock) +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package-lock.json b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package-lock.json new file mode 100644 index 00000000000..a13d744c1a1 --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package-lock.json @@ -0,0 +1,4 @@ +{ + "requires": true, + "lockfi +} diff --git a/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package.json b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package.json new file mode 100644 index 00000000000..209f9ad58db --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/package.json @@ -0,0 +1,5 @@ +{ + "version": "6.14.6", + "name"node": "6 >=6.2.0 || 8 || >=9.3.0" + } +} \ No newline at end of file diff --git a/syft/pkg/cataloger/javascript/test-fixtures/corrupt/pnpm-lock.yaml b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/pnpm-lock.yaml new file mode 100644 index 00000000000..5717c62b427 --- /dev/null +++ b/syft/pkg/cataloger/javascript/test-fixtures/corrupt/pnpm-lock.yaml @@ -0,0 +1,7 @@ +lockfileVersion: 5.4 + +specifi +lution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==} + dev: true + + # removed other packages From 5357f9396c68b988c4934db247c9e7b591f75b1b Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 15:55:21 -0400 Subject: [PATCH 28/51] chore: lua unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/lua/parse_rockspec_test.go | 7 +++++++ .../lua/test-fixtures/corrupt/bad-1.23.0-0.rockspec | 5 +++++ 2 files changed, 12 insertions(+) create mode 100644 syft/pkg/cataloger/lua/test-fixtures/corrupt/bad-1.23.0-0.rockspec diff --git a/syft/pkg/cataloger/lua/parse_rockspec_test.go b/syft/pkg/cataloger/lua/parse_rockspec_test.go index f429a9dc771..a85cda58c3a 100644 --- a/syft/pkg/cataloger/lua/parse_rockspec_test.go +++ b/syft/pkg/cataloger/lua/parse_rockspec_test.go @@ -106,3 +106,10 @@ func TestParseRockspec(t *testing.T) { }) } } + +func Test_corruptRockspec(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/corrupt/bad-1.23.0-0.rockspec"). + WithError(). + TestParser(t, parseRockspec) +} diff --git a/syft/pkg/cataloger/lua/test-fixtures/corrupt/bad-1.23.0-0.rockspec b/syft/pkg/cataloger/lua/test-fixtures/corrupt/bad-1.23.0-0.rockspec new file mode 100644 index 00000000000..d2ed1d025e2 --- /dev/null +++ b/syft/pkg/cataloger/lua/test-fixtures/corrupt/bad-1.23.0-0.rockspec @@ -0,0 +1,5 @@ +package = {"kon + +3.7.0-0" +rockspec_fo} +} From a18c70e609aaa627b262fd3e1fae644f5b905d0b Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 16:15:28 -0400 Subject: [PATCH 29/51] chore: php unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/php/parse_composer_lock_test.go | 7 +++++++ syft/pkg/cataloger/php/parse_installed_json_test.go | 7 +++++++ syft/pkg/cataloger/php/parse_pecl_serialized_test.go | 7 +++++++ 3 files changed, 21 insertions(+) diff --git a/syft/pkg/cataloger/php/parse_composer_lock_test.go b/syft/pkg/cataloger/php/parse_composer_lock_test.go index ae01097e255..1da97c42d2e 100644 --- a/syft/pkg/cataloger/php/parse_composer_lock_test.go +++ b/syft/pkg/cataloger/php/parse_composer_lock_test.go @@ -113,3 +113,10 @@ func TestParseComposerFileLock(t *testing.T) { } pkgtest.TestFileParser(t, fixture, parseComposerLock, expectedPkgs, expectedRelationships) } + +func Test_corruptComposerLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/composer.lock"). + WithError(). + TestParser(t, parseComposerLock) +} diff --git a/syft/pkg/cataloger/php/parse_installed_json_test.go b/syft/pkg/cataloger/php/parse_installed_json_test.go index abc29863c2b..7e0c06c3203 100644 --- a/syft/pkg/cataloger/php/parse_installed_json_test.go +++ b/syft/pkg/cataloger/php/parse_installed_json_test.go @@ -142,3 +142,10 @@ func TestParseInstalledJsonComposerV1(t *testing.T) { }) } } + +func Test_corruptInstalledJSON(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/installed.json"). + WithError(). + TestParser(t, parseInstalledJSON) +} diff --git a/syft/pkg/cataloger/php/parse_pecl_serialized_test.go b/syft/pkg/cataloger/php/parse_pecl_serialized_test.go index 7f685ffdaee..84f84ea7282 100644 --- a/syft/pkg/cataloger/php/parse_pecl_serialized_test.go +++ b/syft/pkg/cataloger/php/parse_pecl_serialized_test.go @@ -33,3 +33,10 @@ func TestParsePeclSerialized(t *testing.T) { } pkgtest.TestFileParser(t, fixture, parsePeclSerialized, expectedPkgs, expectedRelationships) } + +func Test_corruptPecl(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/php/.registry/.channel.pecl.php.net/memcached.reg"). + WithError(). + TestParser(t, parseComposerLock) +} From fbb41586abd6d59ee755b2b3b59292ace82d264f Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 16:59:41 -0400 Subject: [PATCH 30/51] chore: python unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/python/parse_pipfile_lock_test.go | 7 +++++++ syft/pkg/cataloger/python/parse_poetry_lock_test.go | 7 +++++++ syft/pkg/cataloger/python/parse_requirements_test.go | 8 ++++++++ syft/pkg/cataloger/python/parse_setup.go | 5 +---- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/syft/pkg/cataloger/python/parse_pipfile_lock_test.go b/syft/pkg/cataloger/python/parse_pipfile_lock_test.go index 60ec99c70e9..051bfd78ae2 100644 --- a/syft/pkg/cataloger/python/parse_pipfile_lock_test.go +++ b/syft/pkg/cataloger/python/parse_pipfile_lock_test.go @@ -80,3 +80,10 @@ func TestParsePipFileLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parsePipfileLock, expectedPkgs, expectedRelationships) } + +func Test_corruptPipfileLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/Pipfile.lock"). + WithError(). + TestParser(t, parsePipfileLock) +} diff --git a/syft/pkg/cataloger/python/parse_poetry_lock_test.go b/syft/pkg/cataloger/python/parse_poetry_lock_test.go index 1a6c1beb797..0cb0030a2e5 100644 --- a/syft/pkg/cataloger/python/parse_poetry_lock_test.go +++ b/syft/pkg/cataloger/python/parse_poetry_lock_test.go @@ -81,3 +81,10 @@ func TestParsePoetryLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parsePoetryLock, expectedPkgs, expectedRelationships) } + +func Test_corruptPoetryLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/poetry.lock"). + WithError(). + TestParser(t, parsePoetryLock) +} diff --git a/syft/pkg/cataloger/python/parse_requirements_test.go b/syft/pkg/cataloger/python/parse_requirements_test.go index cd796955c80..6573b13d620 100644 --- a/syft/pkg/cataloger/python/parse_requirements_test.go +++ b/syft/pkg/cataloger/python/parse_requirements_test.go @@ -353,3 +353,11 @@ func Test_parseVersion(t *testing.T) { }) } } + +func Test_corruptRequirementsTxt(t *testing.T) { + rp := newRequirementsParser(DefaultCatalogerConfig()) + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/requirements.txt"). + WithError(). + TestParser(t, rp.parseRequirementsTxt) +} diff --git a/syft/pkg/cataloger/python/parse_setup.go b/syft/pkg/cataloger/python/parse_setup.go index 2763a38a200..ccbe916f544 100644 --- a/syft/pkg/cataloger/python/parse_setup.go +++ b/syft/pkg/cataloger/python/parse_setup.go @@ -7,7 +7,6 @@ import ( "strings" "github.com/anchore/syft/internal/log" - "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -25,7 +24,6 @@ var _ generic.Parser = parseSetup var pinnedDependency = regexp.MustCompile(`['"]\W?(\w+\W?==\W?[\w.]*)`) func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { - var errs error var packages []pkg.Package scanner := bufio.NewScanner(reader) @@ -53,7 +51,6 @@ func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, read if name == "" || version == "" { log.WithFields("path", reader.RealPath).Debugf("unable to parse package in setup.py line: %q", line) - errs = unknown.Appendf(errs, reader, "unable to parse package in setup.py line: %q", line) continue } @@ -68,7 +65,7 @@ func parseSetup(_ context.Context, _ file.Resolver, _ *generic.Environment, read } } - return packages, nil, errs + return packages, nil, nil } func hasTemplateDirective(s string) bool { From 3ec0800678b173abc5118d6c87a28995ba69ce99 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 17:13:38 -0400 Subject: [PATCH 31/51] chore: redhat unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/redhat/parse_rpm_archive_test.go | 7 +++++++ syft/pkg/cataloger/redhat/parse_rpm_db_test.go | 7 +++++++ syft/pkg/cataloger/redhat/parse_rpm_manifest.go | 6 +----- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go b/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go index dddf81a9c9d..287c63c0bea 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_archive_test.go @@ -94,3 +94,10 @@ func TestParseRpmFiles(t *testing.T) { }) } } + +func Test_corruptRpmArchive(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/bad/bad.rpm"). + WithError(). + TestParser(t, parseRpmArchive) +} diff --git a/syft/pkg/cataloger/redhat/parse_rpm_db_test.go b/syft/pkg/cataloger/redhat/parse_rpm_db_test.go index a1da936182f..7572642c88a 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_db_test.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_db_test.go @@ -214,6 +214,13 @@ func TestToElVersion(t *testing.T) { } } +func Test_corruptRpmDbEntry(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/usr/lib/sysimage/rpm/Packages.db"). + WithError(). + TestParser(t, parseRpmDB) +} + func intRef(i int) *int { return &i } diff --git a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go index a927a6da1d0..9c0185aef00 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go @@ -8,7 +8,6 @@ import ( "strings" "github.com/anchore/syft/internal/log" - "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -20,7 +19,6 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment r := bufio.NewReader(reader) allPkgs := make([]pkg.Package, 0) - var errs error for { line, err := r.ReadString('\n') if err != nil { @@ -37,13 +35,11 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment metadata, err := newMetadataFromManifestLine(strings.TrimSuffix(line, "\n")) if err != nil { log.Warnf("unable to parse RPM manifest entry: %+v", err) - errs = unknown.Appendf(errs, reader, "unable to parse RPM manifest entry: %+v", err) continue } if metadata == nil { log.Warn("unable to parse RPM manifest entry: no metadata found") - errs = unknown.Appendf(errs, reader, "unable to parse RPM manifest entry: no metadata found") continue } @@ -57,5 +53,5 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment allPkgs = append(allPkgs, p) } - return allPkgs, nil, errs + return allPkgs, nil, nil } From 22a17b86bdfa707584ebcc075c45ecbb41f96f30 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 17:20:54 -0400 Subject: [PATCH 32/51] chore: rust unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/rust/cataloger_test.go | 7 +++++++ syft/pkg/cataloger/rust/parse_cargo_lock_test.go | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/syft/pkg/cataloger/rust/cataloger_test.go b/syft/pkg/cataloger/rust/cataloger_test.go index 494b8cfbff5..3a7a356db21 100644 --- a/syft/pkg/cataloger/rust/cataloger_test.go +++ b/syft/pkg/cataloger/rust/cataloger_test.go @@ -97,3 +97,10 @@ func Test_AuditBinaryCataloger_Globs(t *testing.T) { }) } } + +func Test_corruptAuditBinary(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/partial-binary"). + WithError(). + TestParser(t, parseAuditBinary) +} diff --git a/syft/pkg/cataloger/rust/parse_cargo_lock_test.go b/syft/pkg/cataloger/rust/parse_cargo_lock_test.go index 6e12fb809ee..4239297795d 100644 --- a/syft/pkg/cataloger/rust/parse_cargo_lock_test.go +++ b/syft/pkg/cataloger/rust/parse_cargo_lock_test.go @@ -191,3 +191,10 @@ func TestParseCargoLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parseCargoLock, expectedPkgs, expectedRelationships) } + +func Test_corruptCargoLock(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/Cargo.lock"). + WithError(). + TestParser(t, parseCargoLock) +} From f4d02cecd0f1a3a2edc29db03f7b942425dfc617 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 17:21:00 -0400 Subject: [PATCH 33/51] chore: sbom unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/sbom/cataloger_test.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/syft/pkg/cataloger/sbom/cataloger_test.go b/syft/pkg/cataloger/sbom/cataloger_test.go index ad6aea71d1d..e53b14ae780 100644 --- a/syft/pkg/cataloger/sbom/cataloger_test.go +++ b/syft/pkg/cataloger/sbom/cataloger_test.go @@ -450,3 +450,10 @@ func Test_Cataloger_Globs(t *testing.T) { }) } } + +func Test_corruptSBOM(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/app.spdx.json"). + WithError(). + TestParser(t, parseSBOM) +} From 0bda741d7dcb0db183fd31d35d8087cc91201a21 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 17:24:18 -0400 Subject: [PATCH 34/51] chore: swift unknowns test Signed-off-by: Keith Zantow --- syft/pkg/cataloger/swift/parse_package_resolved_test.go | 7 +++++++ syft/pkg/cataloger/swift/parse_podfile_lock_test.go | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/syft/pkg/cataloger/swift/parse_package_resolved_test.go b/syft/pkg/cataloger/swift/parse_package_resolved_test.go index 499e705f672..bf16d7542e1 100644 --- a/syft/pkg/cataloger/swift/parse_package_resolved_test.go +++ b/syft/pkg/cataloger/swift/parse_package_resolved_test.go @@ -134,3 +134,10 @@ func TestParsePackageResolved_versionNotANumber(t *testing.T) { pkgtest.NewCatalogTester().FromFile(t, fixture).WithError().TestParser(t, parsePackageResolved) } + +func Test_corruptPackageResolved(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/bad-version-packages.resolved"). + WithError(). + TestParser(t, parsePackageResolved) +} diff --git a/syft/pkg/cataloger/swift/parse_podfile_lock_test.go b/syft/pkg/cataloger/swift/parse_podfile_lock_test.go index 4a3ec2bbc4a..0abdd0d7cec 100644 --- a/syft/pkg/cataloger/swift/parse_podfile_lock_test.go +++ b/syft/pkg/cataloger/swift/parse_podfile_lock_test.go @@ -273,3 +273,10 @@ func TestParsePodfileLock(t *testing.T) { pkgtest.TestFileParser(t, fixture, parsePodfileLock, expectedPkgs, expectedRelationships) } + +func Test_corruptPodfile(t *testing.T) { + pkgtest.NewCatalogTester(). + FromFile(t, "test-fixtures/glob-paths/src/Podfile.lock"). + WithError(). + TestParser(t, parsePodfileLock) +} From e34a4000d1c00cc5102c48ba6e735e72cb2ddeb6 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 13 Aug 2024 17:39:13 -0400 Subject: [PATCH 35/51] chore: update schema version Signed-off-by: Keith Zantow --- internal/constants.go | 2 +- schema/json/schema-16.0.15.json | 6 - schema/json/schema-16.0.16.json | 2588 +++++++++++++++++++++++++++++++ schema/json/schema-latest.json | 2 +- 4 files changed, 2590 insertions(+), 8 deletions(-) create mode 100644 schema/json/schema-16.0.16.json diff --git a/internal/constants.go b/internal/constants.go index 6d1dd197439..93b0093ab6a 100644 --- a/internal/constants.go +++ b/internal/constants.go @@ -3,5 +3,5 @@ package internal const ( // JSONSchemaVersion is the current schema version output by the JSON encoder // This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment. - JSONSchemaVersion = "16.0.15" + JSONSchemaVersion = "16.0.16" ) diff --git a/schema/json/schema-16.0.15.json b/schema/json/schema-16.0.15.json index 1363f4fbf81..1bab78aa6ba 100644 --- a/schema/json/schema-16.0.15.json +++ b/schema/json/schema-16.0.15.json @@ -777,12 +777,6 @@ }, "executable": { "$ref": "#/$defs/Executable" - }, - "unknowns": { - "items": { - "type": "string" - }, - "type": "array" } }, "type": "object", diff --git a/schema/json/schema-16.0.16.json b/schema/json/schema-16.0.16.json new file mode 100644 index 00000000000..d01f078ed20 --- /dev/null +++ b/schema/json/schema-16.0.16.json @@ -0,0 +1,2588 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "anchore.io/schema/syft/json/16.0.16/document", + "$ref": "#/$defs/Document", + "$defs": { + "AlpmDbEntry": { + "properties": { + "basepackage": { + "type": "string" + }, + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "description": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "packager": { + "type": "string" + }, + "url": { + "type": "string" + }, + "validation": { + "type": "string" + }, + "reason": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "backup": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "basepackage", + "package", + "version", + "description", + "architecture", + "size", + "packager", + "url", + "validation", + "reason", + "files", + "backup" + ] + }, + "AlpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + }, + "uid": { + "type": "string" + }, + "gid": { + "type": "string" + }, + "time": { + "type": "string", + "format": "date-time" + }, + "size": { + "type": "string" + }, + "link": { + "type": "string" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object" + }, + "ApkDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "originPackage": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "version": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "url": { + "type": "string" + }, + "description": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "installedSize": { + "type": "integer" + }, + "pullDependencies": { + "items": { + "type": "string" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pullChecksum": { + "type": "string" + }, + "gitCommitOfApkPort": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/ApkFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "originPackage", + "maintainer", + "version", + "architecture", + "url", + "description", + "size", + "installedSize", + "pullDependencies", + "provides", + "pullChecksum", + "gitCommitOfApkPort", + "files" + ] + }, + "ApkFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "ownerUid": { + "type": "string" + }, + "ownerGid": { + "type": "string" + }, + "permissions": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "BinarySignature": { + "properties": { + "matches": { + "items": { + "$ref": "#/$defs/ClassifierMatch" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "matches" + ] + }, + "CConanFileEntry": { + "properties": { + "ref": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanInfoEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + }, + "prev": { + "type": "string" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "build_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "py_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "options": { + "$ref": "#/$defs/KeyValues" + }, + "path": { + "type": "string" + }, + "context": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockV2Entry": { + "properties": { + "ref": { + "type": "string" + }, + "packageID": { + "type": "string" + }, + "username": { + "type": "string" + }, + "channel": { + "type": "string" + }, + "recipeRevision": { + "type": "string" + }, + "packageRevision": { + "type": "string" + }, + "timestamp": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CPE": { + "properties": { + "cpe": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "cpe" + ] + }, + "ClassifierMatch": { + "properties": { + "classifier": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Location" + } + }, + "type": "object", + "required": [ + "classifier", + "location" + ] + }, + "CocoaPodfileLockEntry": { + "properties": { + "checksum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "checksum" + ] + }, + "Coordinates": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "DartPubspecLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "hosted_url": { + "type": "string" + }, + "vcs_url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Descriptor": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "configuration": true + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Digest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "Document": { + "properties": { + "artifacts": { + "items": { + "$ref": "#/$defs/Package" + }, + "type": "array" + }, + "artifactRelationships": { + "items": { + "$ref": "#/$defs/Relationship" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/File" + }, + "type": "array" + }, + "source": { + "$ref": "#/$defs/Source" + }, + "distro": { + "$ref": "#/$defs/LinuxRelease" + }, + "descriptor": { + "$ref": "#/$defs/Descriptor" + }, + "schema": { + "$ref": "#/$defs/Schema" + } + }, + "type": "object", + "required": [ + "artifacts", + "artifactRelationships", + "source", + "distro", + "descriptor", + "schema" + ] + }, + "DotnetDepsEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "path": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "hashPath": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "path", + "sha512", + "hashPath" + ] + }, + "DotnetPortableExecutableEntry": { + "properties": { + "assemblyVersion": { + "type": "string" + }, + "legalCopyright": { + "type": "string" + }, + "comments": { + "type": "string" + }, + "internalName": { + "type": "string" + }, + "companyName": { + "type": "string" + }, + "productName": { + "type": "string" + }, + "productVersion": { + "type": "string" + } + }, + "type": "object", + "required": [ + "assemblyVersion", + "legalCopyright", + "companyName", + "productName", + "productVersion" + ] + }, + "DpkgDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "source": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "preDepends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/DpkgFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "source", + "version", + "sourceVersion", + "architecture", + "maintainer", + "installedSize", + "files" + ] + }, + "DpkgFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "isConfigFile": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "path", + "isConfigFile" + ] + }, + "ELFSecurityFeatures": { + "properties": { + "symbolTableStripped": { + "type": "boolean" + }, + "stackCanary": { + "type": "boolean" + }, + "nx": { + "type": "boolean" + }, + "relRO": { + "type": "string" + }, + "pie": { + "type": "boolean" + }, + "dso": { + "type": "boolean" + }, + "safeStack": { + "type": "boolean" + }, + "cfi": { + "type": "boolean" + }, + "fortify": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "symbolTableStripped", + "nx", + "relRO", + "pie", + "dso" + ] + }, + "ElfBinaryPackageNoteJsonPayload": { + "properties": { + "type": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "osCPE": { + "type": "string" + }, + "os": { + "type": "string" + }, + "osVersion": { + "type": "string" + }, + "system": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "sourceRepo": { + "type": "string" + }, + "commit": { + "type": "string" + } + }, + "type": "object" + }, + "ElixirMixLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "ErlangRebarLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "Executable": { + "properties": { + "format": { + "type": "string" + }, + "hasExports": { + "type": "boolean" + }, + "hasEntrypoint": { + "type": "boolean" + }, + "importedLibraries": { + "items": { + "type": "string" + }, + "type": "array" + }, + "elfSecurityFeatures": { + "$ref": "#/$defs/ELFSecurityFeatures" + } + }, + "type": "object", + "required": [ + "format", + "hasExports", + "hasEntrypoint", + "importedLibraries" + ] + }, + "File": { + "properties": { + "id": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Coordinates" + }, + "metadata": { + "$ref": "#/$defs/FileMetadataEntry" + }, + "contents": { + "type": "string" + }, + "digests": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/FileLicense" + }, + "type": "array" + }, + "executable": { + "$ref": "#/$defs/Executable" + }, + "unknowns": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "id", + "location" + ] + }, + "FileLicense": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "evidence": { + "$ref": "#/$defs/FileLicenseEvidence" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type" + ] + }, + "FileLicenseEvidence": { + "properties": { + "confidence": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "extent": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "confidence", + "offset", + "extent" + ] + }, + "FileMetadataEntry": { + "properties": { + "mode": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "linkDestination": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "groupID": { + "type": "integer" + }, + "mimeType": { + "type": "string" + }, + "size": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "mode", + "type", + "userID", + "groupID", + "mimeType", + "size" + ] + }, + "GoModuleBuildinfoEntry": { + "properties": { + "goBuildSettings": { + "$ref": "#/$defs/KeyValues" + }, + "goCompiledVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "h1Digest": { + "type": "string" + }, + "mainModule": { + "type": "string" + }, + "goCryptoSettings": { + "items": { + "type": "string" + }, + "type": "array" + }, + "goExperiments": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "goCompiledVersion", + "architecture" + ] + }, + "GoModuleEntry": { + "properties": { + "h1Digest": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackEntry": { + "properties": { + "pkgHash": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackLockEntry": { + "properties": { + "pkgHash": { + "type": "string" + }, + "snapshotURL": { + "type": "string" + } + }, + "type": "object" + }, + "IDLikes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "JavaArchive": { + "properties": { + "virtualPath": { + "type": "string" + }, + "manifest": { + "$ref": "#/$defs/JavaManifest" + }, + "pomProperties": { + "$ref": "#/$defs/JavaPomProperties" + }, + "pomProject": { + "$ref": "#/$defs/JavaPomProject" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "virtualPath" + ] + }, + "JavaManifest": { + "properties": { + "main": { + "$ref": "#/$defs/KeyValues" + }, + "sections": { + "items": { + "$ref": "#/$defs/KeyValues" + }, + "type": "array" + } + }, + "type": "object" + }, + "JavaPomParent": { + "properties": { + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object", + "required": [ + "groupId", + "artifactId", + "version" + ] + }, + "JavaPomProject": { + "properties": { + "path": { + "type": "string" + }, + "parent": { + "$ref": "#/$defs/JavaPomParent" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "groupId", + "artifactId", + "version", + "name" + ] + }, + "JavaPomProperties": { + "properties": { + "path": { + "type": "string" + }, + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "scope": { + "type": "string" + }, + "extraFields": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "name", + "groupId", + "artifactId", + "version" + ] + }, + "JavascriptNpmPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "private": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "homepage", + "description", + "url", + "private" + ] + }, + "JavascriptNpmPackageLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "JavascriptYarnLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "KeyValue": { + "properties": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "key", + "value" + ] + }, + "KeyValues": { + "items": { + "$ref": "#/$defs/KeyValue" + }, + "type": "array" + }, + "License": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "urls": { + "items": { + "type": "string" + }, + "type": "array" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type", + "urls", + "locations" + ] + }, + "LinuxKernelArchive": { + "properties": { + "name": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "version": { + "type": "string" + }, + "extendedVersion": { + "type": "string" + }, + "buildTime": { + "type": "string" + }, + "author": { + "type": "string" + }, + "format": { + "type": "string" + }, + "rwRootFS": { + "type": "boolean" + }, + "swapDevice": { + "type": "integer" + }, + "rootDevice": { + "type": "integer" + }, + "videoMode": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "architecture", + "version" + ] + }, + "LinuxKernelModule": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "path": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "license": { + "type": "string" + }, + "kernelVersion": { + "type": "string" + }, + "versionMagic": { + "type": "string" + }, + "parameters": { + "patternProperties": { + ".*": { + "$ref": "#/$defs/LinuxKernelModuleParameter" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "LinuxKernelModuleParameter": { + "properties": { + "type": { + "type": "string" + }, + "description": { + "type": "string" + } + }, + "type": "object" + }, + "LinuxRelease": { + "properties": { + "prettyName": { + "type": "string" + }, + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "idLike": { + "$ref": "#/$defs/IDLikes" + }, + "version": { + "type": "string" + }, + "versionID": { + "type": "string" + }, + "versionCodename": { + "type": "string" + }, + "buildID": { + "type": "string" + }, + "imageID": { + "type": "string" + }, + "imageVersion": { + "type": "string" + }, + "variant": { + "type": "string" + }, + "variantID": { + "type": "string" + }, + "homeURL": { + "type": "string" + }, + "supportURL": { + "type": "string" + }, + "bugReportURL": { + "type": "string" + }, + "privacyPolicyURL": { + "type": "string" + }, + "cpeName": { + "type": "string" + }, + "supportEnd": { + "type": "string" + } + }, + "type": "object" + }, + "Location": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + }, + "accessPath": { + "type": "string" + }, + "annotations": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "accessPath" + ] + }, + "LuarocksPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "dependencies": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "name", + "version", + "license", + "homepage", + "description", + "url", + "dependencies" + ] + }, + "MicrosoftKbPatch": { + "properties": { + "product_id": { + "type": "string" + }, + "kb": { + "type": "string" + } + }, + "type": "object", + "required": [ + "product_id", + "kb" + ] + }, + "NixStoreEntry": { + "properties": { + "outputHash": { + "type": "string" + }, + "output": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "outputHash", + "files" + ] + }, + "Package": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "foundBy": { + "type": "string" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + }, + "licenses": { + "$ref": "#/$defs/licenses" + }, + "language": { + "type": "string" + }, + "cpes": { + "$ref": "#/$defs/cpes" + }, + "purl": { + "type": "string" + }, + "metadataType": { + "type": "string" + }, + "metadata": { + "anyOf": [ + { + "type": "null" + }, + { + "$ref": "#/$defs/AlpmDbEntry" + }, + { + "$ref": "#/$defs/ApkDbEntry" + }, + { + "$ref": "#/$defs/BinarySignature" + }, + { + "$ref": "#/$defs/CConanFileEntry" + }, + { + "$ref": "#/$defs/CConanInfoEntry" + }, + { + "$ref": "#/$defs/CConanLockEntry" + }, + { + "$ref": "#/$defs/CConanLockV2Entry" + }, + { + "$ref": "#/$defs/CocoaPodfileLockEntry" + }, + { + "$ref": "#/$defs/DartPubspecLockEntry" + }, + { + "$ref": "#/$defs/DotnetDepsEntry" + }, + { + "$ref": "#/$defs/DotnetPortableExecutableEntry" + }, + { + "$ref": "#/$defs/DpkgDbEntry" + }, + { + "$ref": "#/$defs/ElfBinaryPackageNoteJsonPayload" + }, + { + "$ref": "#/$defs/ElixirMixLockEntry" + }, + { + "$ref": "#/$defs/ErlangRebarLockEntry" + }, + { + "$ref": "#/$defs/GoModuleBuildinfoEntry" + }, + { + "$ref": "#/$defs/GoModuleEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackLockEntry" + }, + { + "$ref": "#/$defs/JavaArchive" + }, + { + "$ref": "#/$defs/JavascriptNpmPackage" + }, + { + "$ref": "#/$defs/JavascriptNpmPackageLockEntry" + }, + { + "$ref": "#/$defs/JavascriptYarnLockEntry" + }, + { + "$ref": "#/$defs/LinuxKernelArchive" + }, + { + "$ref": "#/$defs/LinuxKernelModule" + }, + { + "$ref": "#/$defs/LuarocksPackage" + }, + { + "$ref": "#/$defs/MicrosoftKbPatch" + }, + { + "$ref": "#/$defs/NixStoreEntry" + }, + { + "$ref": "#/$defs/PhpComposerInstalledEntry" + }, + { + "$ref": "#/$defs/PhpComposerLockEntry" + }, + { + "$ref": "#/$defs/PhpPeclEntry" + }, + { + "$ref": "#/$defs/PortageDbEntry" + }, + { + "$ref": "#/$defs/PythonPackage" + }, + { + "$ref": "#/$defs/PythonPipRequirementsEntry" + }, + { + "$ref": "#/$defs/PythonPipfileLockEntry" + }, + { + "$ref": "#/$defs/PythonPoetryLockEntry" + }, + { + "$ref": "#/$defs/RDescription" + }, + { + "$ref": "#/$defs/RpmArchive" + }, + { + "$ref": "#/$defs/RpmDbEntry" + }, + { + "$ref": "#/$defs/RubyGemspec" + }, + { + "$ref": "#/$defs/RustCargoAuditEntry" + }, + { + "$ref": "#/$defs/RustCargoLockEntry" + }, + { + "$ref": "#/$defs/SwiftPackageManagerLockEntry" + }, + { + "$ref": "#/$defs/SwiplpackPackage" + }, + { + "$ref": "#/$defs/WordpressPluginEntry" + } + ] + } + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "foundBy", + "locations", + "licenses", + "language", + "cpes", + "purl" + ] + }, + "PhpComposerAuthors": { + "properties": { + "name": { + "type": "string" + }, + "email": { + "type": "string" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name" + ] + }, + "PhpComposerExternalReference": { + "properties": { + "type": { + "type": "string" + }, + "url": { + "type": "string" + }, + "reference": { + "type": "string" + }, + "shasum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "type", + "url", + "reference" + ] + }, + "PhpComposerInstalledEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpComposerLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpPeclEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "PortageDbEntry": { + "properties": { + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/PortageFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "installedSize", + "files" + ] + }, + "PortageFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonDirectURLOriginInfo": { + "properties": { + "url": { + "type": "string" + }, + "commitId": { + "type": "string" + }, + "vcs": { + "type": "string" + } + }, + "type": "object", + "required": [ + "url" + ] + }, + "PythonFileDigest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "PythonFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/PythonFileDigest" + }, + "size": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/PythonFileRecord" + }, + "type": "array" + }, + "sitePackagesRootPath": { + "type": "string" + }, + "topLevelPackages": { + "items": { + "type": "string" + }, + "type": "array" + }, + "directUrlOrigin": { + "$ref": "#/$defs/PythonDirectURLOriginInfo" + }, + "requiresPython": { + "type": "string" + }, + "requiresDist": { + "items": { + "type": "string" + }, + "type": "array" + }, + "providesExtra": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "platform", + "sitePackagesRootPath" + ] + }, + "PythonPipRequirementsEntry": { + "properties": { + "name": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + }, + "versionConstraint": { + "type": "string" + }, + "url": { + "type": "string" + }, + "markers": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "versionConstraint" + ] + }, + "PythonPipfileLockEntry": { + "properties": { + "hashes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "index": { + "type": "string" + } + }, + "type": "object", + "required": [ + "hashes", + "index" + ] + }, + "PythonPoetryLockDependencyEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "markers": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "optional" + ] + }, + "PythonPoetryLockEntry": { + "properties": { + "index": { + "type": "string" + }, + "dependencies": { + "items": { + "$ref": "#/$defs/PythonPoetryLockDependencyEntry" + }, + "type": "array" + }, + "extras": { + "items": { + "$ref": "#/$defs/PythonPoetryLockExtraEntry" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "index", + "dependencies" + ] + }, + "PythonPoetryLockExtraEntry": { + "properties": { + "name": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "dependencies" + ] + }, + "RDescription": { + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "url": { + "items": { + "type": "string" + }, + "type": "array" + }, + "repository": { + "type": "string" + }, + "built": { + "type": "string" + }, + "needsCompilation": { + "type": "boolean" + }, + "imports": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "suggests": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "Relationship": { + "properties": { + "parent": { + "type": "string" + }, + "child": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "parent", + "child", + "type" + ] + }, + "RpmArchive": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmDbEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "userName": { + "type": "string" + }, + "groupName": { + "type": "string" + }, + "flags": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "mode", + "size", + "digest", + "userName", + "groupName", + "flags" + ] + }, + "RubyGemspec": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "RustCargoAuditEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source" + ] + }, + "RustCargoLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "checksum", + "dependencies" + ] + }, + "Schema": { + "properties": { + "version": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "version", + "url" + ] + }, + "Source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "metadata" + ] + }, + "SwiftPackageManagerLockEntry": { + "properties": { + "revision": { + "type": "string" + } + }, + "type": "object", + "required": [ + "revision" + ] + }, + "SwiplpackPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "packager": { + "type": "string" + }, + "packagerEmail": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "packager", + "packagerEmail", + "homepage", + "dependencies" + ] + }, + "WordpressPluginEntry": { + "properties": { + "pluginInstallDirectory": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorUri": { + "type": "string" + } + }, + "type": "object", + "required": [ + "pluginInstallDirectory" + ] + }, + "cpes": { + "items": { + "$ref": "#/$defs/CPE" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/License" + }, + "type": "array" + } + } +} diff --git a/schema/json/schema-latest.json b/schema/json/schema-latest.json index 1363f4fbf81..d01f078ed20 100644 --- a/schema/json/schema-latest.json +++ b/schema/json/schema-latest.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "anchore.io/schema/syft/json/16.0.15/document", + "$id": "anchore.io/schema/syft/json/16.0.16/document", "$ref": "#/$defs/Document", "$defs": { "AlpmDbEntry": { From 18422a8219b96ebcf7c7544f5ce1d5962dce45af Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 14 Aug 2024 16:21:13 -0400 Subject: [PATCH 36/51] chore: elf unknowns Signed-off-by: Keith Zantow --- syft/file/cataloger/executable/elf.go | 67 ++++++++++--------- syft/file/cataloger/executable/elf_test.go | 48 ++++++++++++- .../test-fixtures/elf/project/Makefile | 9 ++- 3 files changed, 88 insertions(+), 36 deletions(-) diff --git a/syft/file/cataloger/executable/elf.go b/syft/file/cataloger/executable/elf.go index dec6abd34ed..1d9e5853fbe 100644 --- a/syft/file/cataloger/executable/elf.go +++ b/syft/file/cataloger/executable/elf.go @@ -8,6 +8,7 @@ import ( "github.com/scylladb/go-set/strset" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/internal/unionreader" ) @@ -20,8 +21,8 @@ func findELFFeatures(data *file.Executable, reader unionreader.UnionReader) erro libs, err := f.ImportedLibraries() if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read imported libraries from elf file") + err = unknown.Joinf(err, "unable to read imported libraries from elf file: %w", err) libs = nil } @@ -30,24 +31,24 @@ func findELFFeatures(data *file.Executable, reader unionreader.UnionReader) erro } data.ImportedLibraries = libs - data.ELFSecurityFeatures = findELFSecurityFeatures(f) + data.ELFSecurityFeatures = findELFSecurityFeatures(&err, f) data.HasEntrypoint = elfHasEntrypoint(f) - data.HasExports = elfHasExports(f) + data.HasExports = elfHasExports(&err, f) - return nil + return err } -func findELFSecurityFeatures(f *elf.File) *file.ELFSecurityFeatures { +func findELFSecurityFeatures(errs *error, f *elf.File) *file.ELFSecurityFeatures { return &file.ELFSecurityFeatures{ SymbolTableStripped: isElfSymbolTableStripped(f), - StackCanary: checkElfStackCanary(f), + StackCanary: checkElfStackCanary(errs, f), NoExecutable: checkElfNXProtection(f), - RelocationReadOnly: checkElfRelROProtection(f), - PositionIndependentExecutable: isELFPIE(f), + RelocationReadOnly: checkElfRelROProtection(errs, f), + PositionIndependentExecutable: isELFPIE(errs, f), DynamicSharedObject: isELFDSO(f), - LlvmSafeStack: checkLLVMSafeStack(f), - LlvmControlFlowIntegrity: checkLLVMControlFlowIntegrity(f), - ClangFortifySource: checkClangFortifySource(f), + LlvmSafeStack: checkLLVMSafeStack(errs, f), + LlvmControlFlowIntegrity: checkLLVMControlFlowIntegrity(errs, f), + ClangFortifySource: checkClangFortifySource(errs, f), } } @@ -55,15 +56,15 @@ func isElfSymbolTableStripped(file *elf.File) bool { return file.Section(".symtab") == nil } -func checkElfStackCanary(file *elf.File) *bool { - return hasAnyDynamicSymbols(file, "__stack_chk_fail", "__stack_chk_guard") +func checkElfStackCanary(errs *error, file *elf.File) *bool { + return hasAnyDynamicSymbols(errs, file, "__stack_chk_fail", "__stack_chk_guard") } -func hasAnyDynamicSymbols(file *elf.File, symbolNames ...string) *bool { +func hasAnyDynamicSymbols(errs *error, file *elf.File, symbolNames ...string) *bool { dynSyms, err := file.DynamicSymbols() if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read dynamic symbols from elf file") + *errs = unknown.Joinf(*errs, "unable to read dynamic symbols from elf file: %w", err) return nil } @@ -93,10 +94,10 @@ func checkElfNXProtection(file *elf.File) bool { return false } -func checkElfRelROProtection(f *elf.File) file.RelocationReadOnly { +func checkElfRelROProtection(errs *error, f *elf.File) file.RelocationReadOnly { // background on relro https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro hasRelro := false - hasBindNow := hasBindNowDynTagOrFlag(f) + hasBindNow := hasBindNowDynTagOrFlag(errs, f) for _, prog := range f.Progs { if prog.Type == elf.PT_GNU_RELRO { @@ -115,7 +116,7 @@ func checkElfRelROProtection(f *elf.File) file.RelocationReadOnly { } } -func hasBindNowDynTagOrFlag(f *elf.File) bool { +func hasBindNowDynTagOrFlag(errs *error, f *elf.File) bool { if hasElfDynTag(f, elf.DT_BIND_NOW) { // support older binaries... return true @@ -123,14 +124,14 @@ func hasBindNowDynTagOrFlag(f *elf.File) bool { // "DT_BIND_NOW ... use has been superseded by the DF_BIND_NOW flag" // source: https://refspecs.linuxbase.org/elf/gabi4+/ch5.dynamic.html - return hasElfDynFlag(f, elf.DF_BIND_NOW) + return hasElfDynFlag(errs, f, elf.DF_BIND_NOW) } -func hasElfDynFlag(f *elf.File, flag elf.DynFlag) bool { +func hasElfDynFlag(errs *error, f *elf.File, flag elf.DynFlag) bool { vals, err := f.DynValue(elf.DT_FLAGS) if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read DT_FLAGS from elf file") + *errs = unknown.Joinf(*errs, "unable to read DT_FLAGS from elf file: %w", err) return false } for _, val := range vals { @@ -141,11 +142,11 @@ func hasElfDynFlag(f *elf.File, flag elf.DynFlag) bool { return false } -func hasElfDynFlag1(f *elf.File, flag elf.DynFlag1) bool { +func hasElfDynFlag1(errs *error, f *elf.File, flag elf.DynFlag1) bool { vals, err := f.DynValue(elf.DT_FLAGS_1) if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read DT_FLAGS_1 from elf file") + *errs = unknown.Joinf(*errs, "unable to read DT_FLAGS_1 from elf file: %w", err) return false } for _, val := range vals { @@ -185,26 +186,26 @@ func hasElfDynTag(f *elf.File, tag elf.DynTag) bool { return false } -func isELFPIE(f *elf.File) bool { +func isELFPIE(errs *error, f *elf.File) bool { // being a shared object is not sufficient to be a PIE, the explicit flag must be set also - return isELFDSO(f) && hasElfDynFlag1(f, elf.DF_1_PIE) + return isELFDSO(f) && hasElfDynFlag1(errs, f, elf.DF_1_PIE) } func isELFDSO(f *elf.File) bool { return f.Type == elf.ET_DYN } -func checkLLVMSafeStack(file *elf.File) *bool { +func checkLLVMSafeStack(errs *error, file *elf.File) *bool { // looking for the presence of https://github.com/microsoft/compiler-rt/blob/30b3b8cb5c9a0854f2f40f187c6f6773561a35f2/lib/safestack/safestack.cc#L207 - return hasAnyDynamicSymbols(file, "__safestack_init") + return hasAnyDynamicSymbols(errs, file, "__safestack_init") } -func checkLLVMControlFlowIntegrity(file *elf.File) *bool { +func checkLLVMControlFlowIntegrity(errs *error, file *elf.File) *bool { // look for any symbols that are functions and end with ".cfi" dynSyms, err := file.Symbols() if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read symbols from elf file") + *errs = unknown.Joinf(*errs, "unable to read symbols from elf file: %w", err) return nil } @@ -222,11 +223,11 @@ func isFunction(sym elf.Symbol) bool { var fortifyPattern = regexp.MustCompile(`__\w+_chk@.+`) -func checkClangFortifySource(file *elf.File) *bool { +func checkClangFortifySource(errs *error, file *elf.File) *bool { dynSyms, err := file.Symbols() if err != nil { - // TODO: known-unknowns log.WithFields("error", err).Trace("unable to read symbols from elf file") + *errs = unknown.Joinf(*errs, "unable to read symbols from elf file: %w", err) return nil } @@ -244,7 +245,7 @@ func elfHasEntrypoint(f *elf.File) bool { return f.Entry > 0 } -func elfHasExports(f *elf.File) bool { +func elfHasExports(errs *error, f *elf.File) bool { // this is akin to: // nm -D --defined-only ./path/to/bin | grep ' T \| W \| B ' // where: @@ -254,7 +255,7 @@ func elfHasExports(f *elf.File) bool { // really anything that is not marked with 'U' (undefined) is considered an export. symbols, err := f.DynamicSymbols() if err != nil { - // TODO: known-unknowns? + *errs = unknown.Joinf(*errs, "unable to get ELF dynamic symbols: %w", err) return false } diff --git a/syft/file/cataloger/executable/elf_test.go b/syft/file/cataloger/executable/elf_test.go index 45477589106..12212b1c894 100644 --- a/syft/file/cataloger/executable/elf_test.go +++ b/syft/file/cataloger/executable/elf_test.go @@ -4,6 +4,7 @@ import ( "debug/elf" "os" "path/filepath" + "strings" "testing" "github.com/google/go-cmp/cmp" @@ -11,6 +12,7 @@ import ( "github.com/stretchr/testify/require" "github.com/anchore/syft/syft/file" + "github.com/anchore/syft/syft/internal/fileresolver" "github.com/anchore/syft/syft/internal/unionreader" ) @@ -27,6 +29,7 @@ func Test_findELFSecurityFeatures(t *testing.T) { name string fixture string want *file.ELFSecurityFeatures + wantErr require.ErrorAssertionFunc wantStripped bool }{ { @@ -149,7 +152,9 @@ func Test_findELFSecurityFeatures(t *testing.T) { f, err := elf.NewFile(readerForFixture(t, tt.fixture)) require.NoError(t, err) - got := findELFSecurityFeatures(f) + var errs error + got := findELFSecurityFeatures(&errs, f) + require.NoError(t, errs) if d := cmp.Diff(tt.want, got); d != "" { t.Errorf("findELFSecurityFeatures() mismatch (-want +got):\n%s", d) @@ -220,7 +225,46 @@ func Test_elfHasExports(t *testing.T) { t.Run(tt.name, func(t *testing.T) { f, err := elf.NewFile(readerForFixture(t, tt.fixture)) require.NoError(t, err) - assert.Equal(t, tt.want, elfHasExports(f)) + assert.Equal(t, tt.want, elfHasExports(&err, f)) + require.NoError(t, err) }) } } + +func Test_elfUnknowns(t *testing.T) { + tests := []struct { + name string + fixture string + wantErr require.ErrorAssertionFunc + }{ + { + name: "unknown truncated", + fixture: "test-fixtures/elf/bin/with_pie_bad", + wantErr: func(t require.TestingT, err error, _ ...interface{}) { + require.ErrorContains(t, err, "unable to read dynamic symbols from elf file") + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := NewCataloger(DefaultConfig()) + resolver := newFileResolver(t, tt.fixture) + _, err := c.Catalog(resolver) + tt.wantErr(t, err) + }) + } +} + +func newFileResolver(t *testing.T, file string) *fileresolver.Directory { + t.Helper() + dir := filepath.Dir(file) + filename := filepath.Base(file) + resolver, err := fileresolver.NewFromDirectory(dir, "", func(_ string, path string, _ os.FileInfo, _ error) error { + if !strings.HasSuffix(path, filename) { + return fileresolver.ErrSkipPath + } + return nil + }) + require.NoError(t, err) + return resolver +} diff --git a/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile b/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile index 17edd3f81b2..9bd16140c5b 100644 --- a/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile +++ b/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile @@ -37,10 +37,11 @@ LIB_SRC := lib.c BIN := ../bin BINS := $(BIN)/no_protection $(BIN)/with_nx $(BIN)/pie_false_positive.so $(BIN)/with_pie $(BIN)/with_canary $(BIN)/with_relro $(BIN)/with_partial_relro $(BIN)/with_rpath $(BIN)/with_runpath $(BIN)/with_safestack $(BIN)/with_cfi $(BIN)/with_fortify $(BIN)/protected +BADS := $(BIN)/with_pie_bad #.PHONY: verify $(BIN)/no_protection $(BIN)/with_nx $(BIN)/pie_false_positive.so $(BIN)/with_pie $(BIN)/with_canary $(BIN)/with_relro $(BIN)/with_partial_relro $(BIN)/with_rpath $(BIN)/with_runpath $(BIN)/with_safestack $(BIN)/with_cfi $(BIN)/with_fortify $(BIN)/protected .PHONY: verify clean all -all: $(BINS) +all: $(BINS) $(BADS) $(BIN)/no_protection : $(SRC) @@ -56,6 +57,12 @@ $(BIN)/pie_false_positive.so: $(LIB_SRC) $(BIN)/with_pie: $(SRC) gcc $< -o $@ $(GCCFLAGS) $(NO_CANARY) $(NO_NX) $(NO_RELRO) $(PIE) +$(BIN)/with_pie_bad: $(BIN)/with_pie + # original size: 18688 + cp $(BIN)/with_pie $(BIN)/with_pie_bad + dd if=/dev/zero of=$(BIN)/with_pie_bad bs=100 count=170 seek=16 conv=notrunc + chmod +x $(BIN)/with_pie_bad + $(BIN)/with_canary: $(SRC) gcc $< -o $@ $(GCCFLAGS) $(CANARY) $(NO_NX) $(NO_RELRO) $(NO_PIE) From a99d4a630bb97515e09cc64efa277b5fe063462b Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Wed, 14 Aug 2024 18:45:44 -0400 Subject: [PATCH 37/51] chore: fix elf unknowns Signed-off-by: Keith Zantow --- syft/file/cataloger/executable/cataloger.go | 26 ++++++++++----------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/syft/file/cataloger/executable/cataloger.go b/syft/file/cataloger/executable/cataloger.go index 971774c9e77..7de2b33b0d0 100644 --- a/syft/file/cataloger/executable/cataloger.go +++ b/syft/file/cataloger/executable/cataloger.go @@ -67,7 +67,6 @@ func (i *Cataloger) Catalog(resolver file.Resolver) (map[file.Coordinates]file.E exec, err := processExecutableLocation(loc, resolver) if err != nil { errs = unknown.Append(errs, loc, err) - continue } if exec != nil { @@ -98,12 +97,7 @@ func processExecutableLocation(loc file.Location, resolver file.Resolver) (*file return nil, fmt.Errorf("unable to get union reader: %w", err) } - exec, err := processExecutable(loc, uReader) - if err != nil { - log.WithFields("error", err).Warnf("unable to process executable %q", loc.RealPath) - return nil, fmt.Errorf("unable to process executable %w", err) - } - return exec, nil + return processExecutable(loc, uReader) } func catalogingProgress(locations int64) *monitor.CatalogerTaskProgress { @@ -159,6 +153,7 @@ func processExecutable(loc file.Location, reader unionreader.UnionReader) (*file format, err := findExecutableFormat(reader) if err != nil { + log.Debugf("unable to determine executable kind for %v: %v", loc.RealPath, err) return nil, fmt.Errorf("unable to determine executable kind: %w", err) } @@ -172,16 +167,19 @@ func processExecutable(loc file.Location, reader unionreader.UnionReader) (*file switch format { case file.ELF: - if err := findELFFeatures(&data, reader); err != nil { - return nil, fmt.Errorf("unable to determine ELF features: %w", err) + if err = findELFFeatures(&data, reader); err != nil { + log.WithFields("error", err).Tracef("unable to determine ELF features for %q", loc.RealPath) + err = fmt.Errorf("unable to determine ELF features: %w", err) } case file.PE: - if err := findPEFeatures(&data, reader); err != nil { - return nil, fmt.Errorf("unable to determine PE features: %w", err) + if err = findPEFeatures(&data, reader); err != nil { + log.WithFields("error", err).Tracef("unable to determine PE features for %q", loc.RealPath) + err = fmt.Errorf("unable to determine PE features: %w", err) } case file.MachO: - if err := findMachoFeatures(&data, reader); err != nil { - return nil, fmt.Errorf("unable to determine Macho features: %w", err) + if err = findMachoFeatures(&data, reader); err != nil { + log.WithFields("error", err).Tracef("unable to determine Macho features for %q", loc.RealPath) + err = fmt.Errorf("unable to determine Macho features: %w", err) } } @@ -190,7 +188,7 @@ func processExecutable(loc file.Location, reader unionreader.UnionReader) (*file data.ImportedLibraries = []string{} } - return &data, nil + return &data, err } func findExecutableFormat(reader unionreader.UnionReader) (file.ExecutableFormat, error) { From 2c6e3d3c78cb720dbbaa488c7b99c89ded4b4241 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Thu, 15 Aug 2024 11:04:16 -0400 Subject: [PATCH 38/51] chore: comment Signed-off-by: Keith Zantow --- syft/create_sbom_config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go index 8cd7713a3a1..7c6ad228111 100644 --- a/syft/create_sbom_config.go +++ b/syft/create_sbom_config.go @@ -192,7 +192,7 @@ func (c *CreateSBOMConfig) makeTaskGroups(src source.Description) ([][]task.Task taskGroups = append(taskGroups, relationshipsTasks) } - // all unknown cleanup should happen after almost everything else + // all unknowns tasks should happen after all scanning is complete if len(unknownTasks) > 0 { taskGroups = append(taskGroups, unknownTasks) } From 9bccf5d2f9fa8e6e1da47340eada7c202be65391 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Mon, 26 Aug 2024 14:02:32 -0400 Subject: [PATCH 39/51] chore: option to leave unknowns when packages found Signed-off-by: Keith Zantow --- cmd/syft/internal/options/unknowns.go | 3 +++ internal/task/unknowns_tasks.go | 10 ++++++---- syft/cataloging/unknowns.go | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/cmd/syft/internal/options/unknowns.go b/cmd/syft/internal/options/unknowns.go index 8355afb5904..e26694902fa 100644 --- a/cmd/syft/internal/options/unknowns.go +++ b/cmd/syft/internal/options/unknowns.go @@ -6,6 +6,7 @@ import ( ) type unknownsConfig struct { + RemoveWhenPackagesDefined bool `json:"remove-when-packages-defined" yaml:"remove-when-packages-defined" mapstructure:"remove-when-packages-defined"` ExecutablesWithoutPackages bool `json:"executables-without-packages" yaml:"executables-without-packages" mapstructure:"executables-without-packages"` UnexpandedArchives bool `json:"unexpanded-archives" yaml:"unexpanded-archives" mapstructure:"unexpanded-archives"` } @@ -15,6 +16,7 @@ var _ interface { } = (*unknownsConfig)(nil) func (o *unknownsConfig) DescribeFields(descriptions clio.FieldDescriptionSet) { + descriptions.Add(&o.RemoveWhenPackagesDefined, `remove unknown errors on files with discovered packages`) descriptions.Add(&o.ExecutablesWithoutPackages, `include executables without any identified packages`) descriptions.Add(&o.UnexpandedArchives, `include archives which were not expanded and searched`) } @@ -22,6 +24,7 @@ func (o *unknownsConfig) DescribeFields(descriptions clio.FieldDescriptionSet) { func defaultUnknowns() unknownsConfig { def := cataloging.DefaultUnknownsConfig() return unknownsConfig{ + RemoveWhenPackagesDefined: def.RemoveWhenPackagesDefined, ExecutablesWithoutPackages: def.IncludeExecutablesWithoutPackages, UnexpandedArchives: def.IncludeUnexpandedArchives, } diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index cb6710f3034..f8ef0deb3f8 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -33,11 +33,13 @@ func (c unknownsFinalizeTask) processUnknowns(_ context.Context, resolver file.R func (c unknownsFinalizeTask) finalize(resolver file.Resolver, s *sbom.SBOM) { hasPackageReference := coordinateReferenceLookup(resolver, s) - for coords := range s.Artifacts.Unknowns { - if !hasPackageReference(coords) { - continue + if c.RemoveWhenPackagesDefined { + for coords := range s.Artifacts.Unknowns { + if !hasPackageReference(coords) { + continue + } + delete(s.Artifacts.Unknowns, coords) } - delete(s.Artifacts.Unknowns, coords) } if s.Artifacts.Unknowns == nil { diff --git a/syft/cataloging/unknowns.go b/syft/cataloging/unknowns.go index a82aa191b2d..ad3f55fea6c 100644 --- a/syft/cataloging/unknowns.go +++ b/syft/cataloging/unknowns.go @@ -1,12 +1,14 @@ package cataloging type UnknownsConfig struct { + RemoveWhenPackagesDefined bool IncludeExecutablesWithoutPackages bool IncludeUnexpandedArchives bool } func DefaultUnknownsConfig() UnknownsConfig { return UnknownsConfig{ + RemoveWhenPackagesDefined: true, IncludeExecutablesWithoutPackages: true, IncludeUnexpandedArchives: true, } From 0fce8be721b55c4ca4da25ae80eb730fb4f1ec5b Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 27 Aug 2024 00:51:31 -0400 Subject: [PATCH 40/51] chore: make package.json less noisy Signed-off-by: Keith Zantow --- syft/pkg/cataloger/javascript/parse_package_json.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go index 95eb6136ff5..b1677ae8870 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json.go +++ b/syft/pkg/cataloger/javascript/parse_package_json.go @@ -66,7 +66,7 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment if !p.hasNameAndVersionValues() { log.Debugf("encountered package.json file without a name and/or version field, ignoring (path=%q)", reader.Path()) - return nil, nil, fmt.Errorf("encountered package.json file without a name and/or version field") + return nil, nil, nil } pkgs = append( From 4f3052414a68c9a6459bfb45cc0e5aa9d57cbf1c Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 27 Aug 2024 14:34:08 -0400 Subject: [PATCH 41/51] chore: reduce some logging Signed-off-by: Keith Zantow --- syft/pkg/cataloger/java/archive_parser.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/syft/pkg/cataloger/java/archive_parser.go b/syft/pkg/cataloger/java/archive_parser.go index 4132e22a57f..2b589f56826 100644 --- a/syft/pkg/cataloger/java/archive_parser.go +++ b/syft/pkg/cataloger/java/archive_parser.go @@ -296,14 +296,14 @@ func (j *archiveParser) findLicenseFromJavaMetadata(ctx context.Context, groupID if parsedPom != nil { pomLicenses, err = j.maven.resolveLicenses(ctx, parsedPom.project) if err != nil { - log.WithFields("error", err, "mavenID", j.maven.resolveMavenID(ctx, parsedPom.project)).Debug("error attempting to resolve pom licenses") + log.WithFields("error", err, "mavenID", j.maven.resolveMavenID(ctx, parsedPom.project)).Trace("error attempting to resolve pom licenses") } } if err == nil && len(pomLicenses) == 0 { pomLicenses, err = j.maven.findLicenses(ctx, groupID, artifactID, version) if err != nil { - log.WithFields("error", err, "mavenID", mavenID{groupID, artifactID, version}).Debug("error attempting to find licenses") + log.WithFields("error", err, "mavenID", mavenID{groupID, artifactID, version}).Trace("error attempting to find licenses") } } @@ -313,7 +313,7 @@ func (j *archiveParser) findLicenseFromJavaMetadata(ctx context.Context, groupID groupID = strings.Join(packages[:len(packages)-1], ".") pomLicenses, err = j.maven.findLicenses(ctx, groupID, artifactID, version) if err != nil { - log.WithFields("error", err, "mavenID", mavenID{groupID, artifactID, version}).Debug("error attempting to find sub-group licenses") + log.WithFields("error", err, "mavenID", mavenID{groupID, artifactID, version}).Trace("error attempting to find sub-group licenses") } } @@ -643,7 +643,7 @@ func newPackageFromMavenData(ctx context.Context, r *mavenResolver, pomPropertie } if err != nil { - log.WithFields("error", err, "mavenID", mavenID{pomProperties.GroupID, pomProperties.ArtifactID, pomProperties.Version}).Debug("error attempting to resolve licenses") + log.WithFields("error", err, "mavenID", mavenID{pomProperties.GroupID, pomProperties.ArtifactID, pomProperties.Version}).Trace("error attempting to resolve licenses") } licenses := make([]pkg.License, 0) From 34777751ebfd1216aafd93191a6b409d1ca45100 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Tue, 27 Aug 2024 15:47:17 -0400 Subject: [PATCH 42/51] chore: reduce some more logging Signed-off-by: Keith Zantow --- syft/pkg/cataloger/java/maven_resolver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/java/maven_resolver.go b/syft/pkg/cataloger/java/maven_resolver.go index e7e73b0be80..3e831a25db8 100644 --- a/syft/pkg/cataloger/java/maven_resolver.go +++ b/syft/pkg/cataloger/java/maven_resolver.go @@ -72,7 +72,7 @@ func (r *mavenResolver) getPropertyValue(ctx context.Context, propertyValue *str } resolved, err := r.resolveExpression(ctx, resolutionContext, *propertyValue, nil) if err != nil { - log.WithFields("error", err, "propertyValue", *propertyValue).Debug("error resolving maven property") + log.WithFields("error", err, "propertyValue", *propertyValue).Trace("error resolving maven property") return "" } return resolved From cbe369b53d35304f39693b2862485fdd7d11f21c Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 30 Aug 2024 11:00:09 -0400 Subject: [PATCH 43/51] chore: add more unknown detection Signed-off-by: Keith Zantow --- internal/task/executor.go | 6 +++--- internal/task/unknowns_tasks.go | 19 +++++++++++++------ .../{errors.go => coordinate_error.go} | 9 +++++++++ ...rrors_test.go => coordinate_error_test.go} | 2 +- syft/create_sbom_config.go | 8 ++++---- .../cataloger/binary/classifier_cataloger.go | 5 +++-- syft/pkg/cataloger/cpp/parse_conanfile.go | 3 ++- syft/pkg/cataloger/cpp/parse_conanlock.go | 3 ++- syft/pkg/cataloger/dart/parse_pubspec_lock.go | 3 ++- syft/pkg/cataloger/debian/parse_dpkg_db.go | 3 ++- .../pkg/cataloger/dotnet/parse_dotnet_deps.go | 3 ++- syft/pkg/cataloger/elixir/parse_mix_lock.go | 3 +++ syft/pkg/cataloger/erlang/parse_rebar_lock.go | 3 ++- .../pkg/cataloger/haskell/parse_stack_lock.go | 3 ++- .../pkg/cataloger/haskell/parse_stack_yaml.go | 3 ++- .../javascript/parse_package_json.go | 2 +- .../javascript/parse_package_lock.go | 3 ++- .../cataloger/javascript/parse_pnpm_lock.go | 3 ++- .../cataloger/javascript/parse_yarn_lock.go | 3 ++- syft/pkg/cataloger/php/parse_composer_lock.go | 3 ++- .../pkg/cataloger/php/parse_installed_json.go | 3 ++- .../pkg/cataloger/python/parse_poetry_lock.go | 3 ++- .../cataloger/python/parse_requirements.go | 2 +- syft/pkg/cataloger/redhat/parse_rpm_db.go | 4 ++++ .../cataloger/redhat/parse_rpm_manifest.go | 3 ++- syft/pkg/cataloger/ruby/parse_gemfile_lock.go | 3 ++- syft/pkg/cataloger/rust/parse_cargo_lock.go | 3 ++- .../cataloger/swift/parse_package_resolved.go | 3 ++- .../pkg/cataloger/swift/parse_podfile_lock.go | 3 ++- 29 files changed, 80 insertions(+), 37 deletions(-) rename internal/unknown/{errors.go => coordinate_error.go} (95%) rename internal/unknown/{errors_test.go => coordinate_error_test.go} (99%) diff --git a/internal/task/executor.go b/internal/task/executor.go index 3fefbb262f8..993fb5b9799 100644 --- a/internal/task/executor.go +++ b/internal/task/executor.go @@ -57,7 +57,7 @@ func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsy err := runTaskSafely(ctx, tsk, resolver, s) unknowns, err := unknown.ExtractCoordinateErrors(err) if len(unknowns) > 0 { - appendUnknowns(s, unknowns) + appendUnknowns(s, tsk.Name(), unknowns) } if err != nil { withLock(func() { @@ -75,14 +75,14 @@ func (p *Executor) Execute(ctx context.Context, resolver file.Resolver, s sbomsy return errs } -func appendUnknowns(builder sbomsync.Builder, unknowns []unknown.CoordinateError) { +func appendUnknowns(builder sbomsync.Builder, taskName string, unknowns []unknown.CoordinateError) { if accessor, ok := builder.(sbomsync.Accessor); ok { accessor.WriteToSBOM(func(sb *sbom.SBOM) { for _, u := range unknowns { if sb.Artifacts.Unknowns == nil { sb.Artifacts.Unknowns = map[file.Coordinates][]string{} } - sb.Artifacts.Unknowns[u.Coordinates] = append(sb.Artifacts.Unknowns[u.Coordinates], u.Reason.Error()) + sb.Artifacts.Unknowns[u.Coordinates] = append(sb.Artifacts.Unknowns[u.Coordinates], formatUnknown(u.Reason.Error(), taskName)) } }) } diff --git a/internal/task/unknowns_tasks.go b/internal/task/unknowns_tasks.go index f8ef0deb3f8..243ba950288 100644 --- a/internal/task/unknowns_tasks.go +++ b/internal/task/unknowns_tasks.go @@ -2,6 +2,7 @@ package task import ( "context" + "strings" "github.com/mholt/archiver/v3" @@ -13,16 +14,18 @@ import ( "github.com/anchore/syft/syft/sbom" ) -func NewUnknownsFinalizeTask(cfg cataloging.UnknownsConfig) Task { - return NewTask("unknowns-finalize", unknownsFinalizeTask{cfg}.processUnknowns) +const unknownsLabelerTaskName = "unknowns-labeler" + +func NewUnknownsLabelerTask(cfg cataloging.UnknownsConfig) Task { + return NewTask(unknownsLabelerTaskName, unknownsLabelerTask{cfg}.processUnknowns) } -type unknownsFinalizeTask struct { +type unknownsLabelerTask struct { cataloging.UnknownsConfig } // processUnknowns removes unknown entries that have valid packages reported for the locations -func (c unknownsFinalizeTask) processUnknowns(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error { +func (c unknownsLabelerTask) processUnknowns(_ context.Context, resolver file.Resolver, builder sbomsync.Builder) error { accessor := builder.(sbomsync.Accessor) accessor.WriteToSBOM(func(s *sbom.SBOM) { c.finalize(resolver, s) @@ -30,7 +33,7 @@ func (c unknownsFinalizeTask) processUnknowns(_ context.Context, resolver file.R return nil } -func (c unknownsFinalizeTask) finalize(resolver file.Resolver, s *sbom.SBOM) { +func (c unknownsLabelerTask) finalize(resolver file.Resolver, s *sbom.SBOM) { hasPackageReference := coordinateReferenceLookup(resolver, s) if c.RemoveWhenPackagesDefined { @@ -49,7 +52,7 @@ func (c unknownsFinalizeTask) finalize(resolver file.Resolver, s *sbom.SBOM) { if c.IncludeExecutablesWithoutPackages { for coords := range s.Artifacts.Executables { if !hasPackageReference(coords) { - s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], "no package identified in executable file") + s.Artifacts.Unknowns[coords] = append(s.Artifacts.Unknowns[coords], formatUnknown("no package identified in executable file", unknownsLabelerTaskName)) } } } @@ -64,6 +67,10 @@ func (c unknownsFinalizeTask) finalize(resolver file.Resolver, s *sbom.SBOM) { } } +func formatUnknown(err string, task ...string) string { + return strings.Join(task, "/") + ": " + err +} + func coordinateReferenceLookup(resolver file.Resolver, s *sbom.SBOM) func(coords file.Coordinates) bool { allPackageCoords := file.NewCoordinateSet() diff --git a/internal/unknown/errors.go b/internal/unknown/coordinate_error.go similarity index 95% rename from internal/unknown/errors.go rename to internal/unknown/coordinate_error.go index eebf4f9dba0..52ab2c10ba7 100644 --- a/internal/unknown/errors.go +++ b/internal/unknown/coordinate_error.go @@ -90,6 +90,15 @@ func Joinf(errs error, format string, args ...any) error { return Join(errs, fmt.Errorf(format, args...)) } +// IfEmptyf returns a new Errorf-formatted error, only when the provided slice is empty or nil when +// the slice has entries +func IfEmptyf[T any](emptyTest []T, format string, args ...any) error { + if len(emptyTest) == 0 { + return fmt.Errorf(format, args...) + } + return nil +} + // ExtractCoordinateErrors extracts all coordinate errors returned, and any _additional_ errors in the graph // are encapsulated in the second, error return parameter func ExtractCoordinateErrors(err error) (coordinateErrors []CoordinateError, remainingErrors error) { diff --git a/internal/unknown/errors_test.go b/internal/unknown/coordinate_error_test.go similarity index 99% rename from internal/unknown/errors_test.go rename to internal/unknown/coordinate_error_test.go index b9a9d7cd5f2..95b89b3d209 100644 --- a/internal/unknown/errors_test.go +++ b/internal/unknown/coordinate_error_test.go @@ -13,7 +13,7 @@ import ( func Test_visitErrors(t *testing.T) { tests := []struct { - name string `` + name string in error transform func(error) error expected string diff --git a/syft/create_sbom_config.go b/syft/create_sbom_config.go index 7c6ad228111..fa0e066d207 100644 --- a/syft/create_sbom_config.go +++ b/syft/create_sbom_config.go @@ -172,7 +172,7 @@ func (c *CreateSBOMConfig) makeTaskGroups(src source.Description) ([][]task.Task // generate package and file tasks based on the configuration environmentTasks := c.environmentTasks() relationshipsTasks := c.relationshipTasks(src) - unknownTasks := c.unknownTasks() + unknownTasks := c.unknownsTasks() fileTasks := c.fileTasks() pkgTasks, selectionEvidence, err := c.packageTasks(src) if err != nil { @@ -342,12 +342,12 @@ func (c *CreateSBOMConfig) environmentTasks() []task.Task { return tsks } -// unknownTasks returns a set of tasks that perform any necessary post-processing +// unknownsTasks returns a set of tasks that perform any necessary post-processing // to identify SBOM elements as unknowns -func (c *CreateSBOMConfig) unknownTasks() []task.Task { +func (c *CreateSBOMConfig) unknownsTasks() []task.Task { var tasks []task.Task - if t := task.NewUnknownsFinalizeTask(c.Unknowns); t != nil { + if t := task.NewUnknownsLabelerTask(c.Unknowns); t != nil { tasks = append(tasks, t) } diff --git a/syft/pkg/cataloger/binary/classifier_cataloger.go b/syft/pkg/cataloger/binary/classifier_cataloger.go index 62a9baa5403..05e1c622a07 100644 --- a/syft/pkg/cataloger/binary/classifier_cataloger.go +++ b/syft/pkg/cataloger/binary/classifier_cataloger.go @@ -6,6 +6,7 @@ package binary import ( "context" "encoding/json" + "fmt" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/unknown" @@ -66,8 +67,8 @@ func (c cataloger) Catalog(_ context.Context, resolver file.Resolver) ([]pkg.Pac log.WithFields("classifier", cls.Class).Trace("cataloging binaries") newPkgs, err := catalog(resolver, cls) if err != nil { - log.WithFields("error", err, "classifier", cls.Class).Warn("unable to catalog binary package: %v", err) - errs = unknown.Join(errs, err) + log.WithFields("error", err, "classifier", cls.Class).Debugf("unable to catalog binary package: %v", err) + errs = unknown.Join(errs, fmt.Errorf("%s: %w", cls.Class, err)) continue } newPackages: diff --git a/syft/pkg/cataloger/cpp/parse_conanfile.go b/syft/pkg/cataloger/cpp/parse_conanfile.go index 622acbdcb3c..2885b6f71b5 100644 --- a/syft/pkg/cataloger/cpp/parse_conanfile.go +++ b/syft/pkg/cataloger/cpp/parse_conanfile.go @@ -8,6 +8,7 @@ import ( "io" "strings" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -25,7 +26,7 @@ func parseConanfile(_ context.Context, _ file.Resolver, _ *generic.Environment, line, err := r.ReadString('\n') switch { case errors.Is(err, io.EOF): - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") case err != nil: return nil, nil, fmt.Errorf("failed to parse conanfile.txt file: %w", err) } diff --git a/syft/pkg/cataloger/cpp/parse_conanlock.go b/syft/pkg/cataloger/cpp/parse_conanlock.go index efdfcf08d42..1a1aa4d124d 100644 --- a/syft/pkg/cataloger/cpp/parse_conanlock.go +++ b/syft/pkg/cataloger/cpp/parse_conanlock.go @@ -5,6 +5,7 @@ import ( "encoding/json" "strings" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -72,7 +73,7 @@ func parseConanLock(_ context.Context, _ file.Resolver, _ *generic.Environment, } } - return pkgs, relationships, nil + return pkgs, relationships, unknown.IfEmptyf(pkgs, "unable to determine packages") } // handleConanLockV1 handles the parsing of conan lock v1 files (aka v0.4) diff --git a/syft/pkg/cataloger/dart/parse_pubspec_lock.go b/syft/pkg/cataloger/dart/parse_pubspec_lock.go index 12009659a16..ebf41f822da 100644 --- a/syft/pkg/cataloger/dart/parse_pubspec_lock.go +++ b/syft/pkg/cataloger/dart/parse_pubspec_lock.go @@ -9,6 +9,7 @@ import ( "gopkg.in/yaml.v3" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -85,7 +86,7 @@ func parsePubspecLock(_ context.Context, _ file.Resolver, _ *generic.Environment ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func (p *pubspecLockPackage) getVcsURL() string { diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db.go b/syft/pkg/cataloger/debian/parse_dpkg_db.go index 87428d608fb..1edac3941b4 100644 --- a/syft/pkg/cataloger/debian/parse_dpkg_db.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db.go @@ -14,6 +14,7 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -37,7 +38,7 @@ func parseDpkgDB(_ context.Context, resolver file.Resolver, env *generic.Environ pkgs = append(pkgs, newDpkgPackage(m, reader.Location, resolver, env.LinuxRelease)) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } // parseDpkgStatus is a parser function for Debian DB status contents, returning all Debian packages listed. diff --git a/syft/pkg/cataloger/dotnet/parse_dotnet_deps.go b/syft/pkg/cataloger/dotnet/parse_dotnet_deps.go index 496148a35cb..2d980ca4ef3 100644 --- a/syft/pkg/cataloger/dotnet/parse_dotnet_deps.go +++ b/syft/pkg/cataloger/dotnet/parse_dotnet_deps.go @@ -8,6 +8,7 @@ import ( "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/relationship" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -126,5 +127,5 @@ func parseDotnetDeps(_ context.Context, _ file.Resolver, _ *generic.Environment, // this will only consider package-to-package relationships. relationship.Sort(relationships) - return pkgs, relationships, nil + return pkgs, relationships, unknown.IfEmptyf(pkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/elixir/parse_mix_lock.go b/syft/pkg/cataloger/elixir/parse_mix_lock.go index aa96e18ad12..adcdfbd9e8e 100644 --- a/syft/pkg/cataloger/elixir/parse_mix_lock.go +++ b/syft/pkg/cataloger/elixir/parse_mix_lock.go @@ -33,6 +33,9 @@ func parseMixLock(_ context.Context, _ file.Resolver, _ *generic.Environment, re line, err := r.ReadString('\n') switch { case errors.Is(err, io.EOF): + if errs == nil { + errs = unknown.IfEmptyf(packages, "unable to determine packages") + } return packages, nil, errs case err != nil: return nil, nil, fmt.Errorf("failed to parse mix.lock file: %w", err) diff --git a/syft/pkg/cataloger/erlang/parse_rebar_lock.go b/syft/pkg/cataloger/erlang/parse_rebar_lock.go index a173ec81bfd..e77053419cd 100644 --- a/syft/pkg/cataloger/erlang/parse_rebar_lock.go +++ b/syft/pkg/cataloger/erlang/parse_rebar_lock.go @@ -4,6 +4,7 @@ import ( "context" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -95,7 +96,7 @@ func parseRebarLock(_ context.Context, _ file.Resolver, _ *generic.Environment, p.SetID() packages = append(packages, *p) } - return packages, nil, nil + return packages, nil, unknown.IfEmptyf(packages, "unable to determine packages") } // integrity check diff --git a/syft/pkg/cataloger/haskell/parse_stack_lock.go b/syft/pkg/cataloger/haskell/parse_stack_lock.go index 9765543547e..505e2a61265 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_lock.go +++ b/syft/pkg/cataloger/haskell/parse_stack_lock.go @@ -9,6 +9,7 @@ import ( "gopkg.in/yaml.v3" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -82,7 +83,7 @@ func parseStackLock(_ context.Context, _ file.Resolver, _ *generic.Environment, ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func parseStackPackageEncoding(pkgEncoding string) (name, version, hash string) { diff --git a/syft/pkg/cataloger/haskell/parse_stack_yaml.go b/syft/pkg/cataloger/haskell/parse_stack_yaml.go index 137695073a8..d762a2b0660 100644 --- a/syft/pkg/cataloger/haskell/parse_stack_yaml.go +++ b/syft/pkg/cataloger/haskell/parse_stack_yaml.go @@ -8,6 +8,7 @@ import ( "gopkg.in/yaml.v3" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -50,5 +51,5 @@ func parseStackYaml(_ context.Context, _ file.Resolver, _ *generic.Environment, ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go index b1677ae8870..1a3fb3d20fd 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json.go +++ b/syft/pkg/cataloger/javascript/parse_package_json.go @@ -66,7 +66,7 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment if !p.hasNameAndVersionValues() { log.Debugf("encountered package.json file without a name and/or version field, ignoring (path=%q)", reader.Path()) - return nil, nil, nil + return nil, nil, fmt.Errorf("skipping package.json with insufficient package information: name: '%s', version: '%s'", p.Name, p.Version) } pkgs = append( diff --git a/syft/pkg/cataloger/javascript/parse_package_lock.go b/syft/pkg/cataloger/javascript/parse_package_lock.go index 1c7564cc3fe..ec8a2b60029 100644 --- a/syft/pkg/cataloger/javascript/parse_package_lock.go +++ b/syft/pkg/cataloger/javascript/parse_package_lock.go @@ -9,6 +9,7 @@ import ( "strings" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -100,7 +101,7 @@ func (a genericPackageLockAdapter) parsePackageLock(_ context.Context, resolver pkg.Sort(pkgs) - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func (licenses *packageLockLicense) UnmarshalJSON(data []byte) (err error) { diff --git a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go index 4936f7a2b37..8c7257a3847 100644 --- a/syft/pkg/cataloger/javascript/parse_pnpm_lock.go +++ b/syft/pkg/cataloger/javascript/parse_pnpm_lock.go @@ -11,6 +11,7 @@ import ( "gopkg.in/yaml.v3" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -94,7 +95,7 @@ func parsePnpmLock(_ context.Context, resolver file.Resolver, _ *generic.Environ pkg.Sort(pkgs) - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func hasPkg(pkgs []pkg.Package, name, version string) bool { diff --git a/syft/pkg/cataloger/javascript/parse_yarn_lock.go b/syft/pkg/cataloger/javascript/parse_yarn_lock.go index 73dcd30018d..94aa430a4ba 100644 --- a/syft/pkg/cataloger/javascript/parse_yarn_lock.go +++ b/syft/pkg/cataloger/javascript/parse_yarn_lock.go @@ -8,6 +8,7 @@ import ( "github.com/scylladb/go-set/strset" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -112,7 +113,7 @@ func (a genericYarnLockAdapter) parseYarnLock(_ context.Context, resolver file.R pkg.Sort(pkgs) - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func findPackageName(line string) string { diff --git a/syft/pkg/cataloger/php/parse_composer_lock.go b/syft/pkg/cataloger/php/parse_composer_lock.go index 4abb66c2449..5348e6ffcd1 100644 --- a/syft/pkg/cataloger/php/parse_composer_lock.go +++ b/syft/pkg/cataloger/php/parse_composer_lock.go @@ -7,6 +7,7 @@ import ( "fmt" "io" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -48,5 +49,5 @@ func parseComposerLock(_ context.Context, _ file.Resolver, _ *generic.Environmen } } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/php/parse_installed_json.go b/syft/pkg/cataloger/php/parse_installed_json.go index f1498d9316f..b7c7d9d3243 100644 --- a/syft/pkg/cataloger/php/parse_installed_json.go +++ b/syft/pkg/cataloger/php/parse_installed_json.go @@ -7,6 +7,7 @@ import ( "fmt" "io" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -69,5 +70,5 @@ func parseInstalledJSON(_ context.Context, _ file.Resolver, _ *generic.Environme } } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/python/parse_poetry_lock.go b/syft/pkg/cataloger/python/parse_poetry_lock.go index 84e67ddb589..2b75f51b871 100644 --- a/syft/pkg/cataloger/python/parse_poetry_lock.go +++ b/syft/pkg/cataloger/python/parse_poetry_lock.go @@ -8,6 +8,7 @@ import ( "github.com/BurntSushi/toml" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -57,7 +58,7 @@ func parsePoetryLock(_ context.Context, _ file.Resolver, _ *generic.Environment, // since we would never expect to create relationships for packages across multiple poetry.lock files // we should do this on a file parser level (each poetry.lock) instead of a cataloger level (across all // poetry.lock files) - return pkgs, dependency.Resolve(poetryLockDependencySpecifier, pkgs), nil + return pkgs, dependency.Resolve(poetryLockDependencySpecifier, pkgs), unknown.IfEmptyf(pkgs, "unable to determine packages") } func poetryLockPackages(reader file.LocationReadCloser) ([]pkg.Package, error) { diff --git a/syft/pkg/cataloger/python/parse_requirements.go b/syft/pkg/cataloger/python/parse_requirements.go index 781c696c5ba..7d5d1d8a4ef 100644 --- a/syft/pkg/cataloger/python/parse_requirements.go +++ b/syft/pkg/cataloger/python/parse_requirements.go @@ -162,7 +162,7 @@ func (rp requirementsParser) parseRequirementsTxt(_ context.Context, _ file.Reso return nil, nil, fmt.Errorf("failed to parse python requirements file: %w", err) } - return packages, nil, errs + return packages, nil, unknown.Join(errs, unknown.IfEmptyf(packages, "unable to determine packages")) } func parseVersion(version string, guessFromConstraint bool) string { diff --git a/syft/pkg/cataloger/redhat/parse_rpm_db.go b/syft/pkg/cataloger/redhat/parse_rpm_db.go index 3e5ba435527..785b2c9adc3 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_db.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_db.go @@ -102,6 +102,10 @@ func parseRpmDB(_ context.Context, resolver file.Resolver, env *generic.Environm allPkgs = append(allPkgs, p) } + if errs == nil && len(allPkgs) == 0 { + errs = fmt.Errorf("unable to determine packages") + } + return allPkgs, nil, errs } diff --git a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go index 9c0185aef00..3e44ba8fdfe 100644 --- a/syft/pkg/cataloger/redhat/parse_rpm_manifest.go +++ b/syft/pkg/cataloger/redhat/parse_rpm_manifest.go @@ -8,6 +8,7 @@ import ( "strings" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -53,5 +54,5 @@ func parseRpmManifest(_ context.Context, _ file.Resolver, _ *generic.Environment allPkgs = append(allPkgs, p) } - return allPkgs, nil, nil + return allPkgs, nil, unknown.IfEmptyf(allPkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/ruby/parse_gemfile_lock.go b/syft/pkg/cataloger/ruby/parse_gemfile_lock.go index 6c5432db883..748727bcc18 100644 --- a/syft/pkg/cataloger/ruby/parse_gemfile_lock.go +++ b/syft/pkg/cataloger/ruby/parse_gemfile_lock.go @@ -7,6 +7,7 @@ import ( "github.com/scylladb/go-set/strset" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -54,7 +55,7 @@ func parseGemFileLockEntries(_ context.Context, _ file.Resolver, _ *generic.Envi if err := scanner.Err(); err != nil { return nil, nil, err } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func isDependencyLine(line string) bool { diff --git a/syft/pkg/cataloger/rust/parse_cargo_lock.go b/syft/pkg/cataloger/rust/parse_cargo_lock.go index d1ef3db1261..01e9fd87e0a 100644 --- a/syft/pkg/cataloger/rust/parse_cargo_lock.go +++ b/syft/pkg/cataloger/rust/parse_cargo_lock.go @@ -6,6 +6,7 @@ import ( "github.com/pelletier/go-toml" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -46,5 +47,5 @@ func parseCargoLock(_ context.Context, _ file.Resolver, _ *generic.Environment, ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } diff --git a/syft/pkg/cataloger/swift/parse_package_resolved.go b/syft/pkg/cataloger/swift/parse_package_resolved.go index 17785bc78e1..4fc3965c911 100644 --- a/syft/pkg/cataloger/swift/parse_package_resolved.go +++ b/syft/pkg/cataloger/swift/parse_package_resolved.go @@ -8,6 +8,7 @@ import ( "io" "github.com/anchore/syft/internal/log" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -97,7 +98,7 @@ func parsePackageResolved(_ context.Context, _ file.Resolver, _ *generic.Environ ), ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } func pinsForVersion(data map[string]interface{}, version float64) ([]packagePin, error) { diff --git a/syft/pkg/cataloger/swift/parse_podfile_lock.go b/syft/pkg/cataloger/swift/parse_podfile_lock.go index 680dd0caa8d..43803a9f8ea 100644 --- a/syft/pkg/cataloger/swift/parse_podfile_lock.go +++ b/syft/pkg/cataloger/swift/parse_podfile_lock.go @@ -8,6 +8,7 @@ import ( "gopkg.in/yaml.v3" + "github.com/anchore/syft/internal/unknown" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -71,5 +72,5 @@ func parsePodfileLock(_ context.Context, _ file.Resolver, _ *generic.Environment ) } - return pkgs, nil, nil + return pkgs, nil, unknown.IfEmptyf(pkgs, "unable to determine packages") } From 63ea24a29b4de828878065e894534d1663b1e335 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 6 Sep 2024 16:25:51 -0400 Subject: [PATCH 44/51] chore: reduce logging level for unknown errors in generic cataloger Signed-off-by: Keith Zantow --- syft/pkg/cataloger/generic/cataloger.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/generic/cataloger.go b/syft/pkg/cataloger/generic/cataloger.go index 0fba7cf7a79..f955ed35076 100644 --- a/syft/pkg/cataloger/generic/cataloger.go +++ b/syft/pkg/cataloger/generic/cataloger.go @@ -199,7 +199,8 @@ func invokeParser(ctx context.Context, resolver file.Resolver, location file.Loc discoveredPackages, discoveredRelationships, err := parser(ctx, resolver, env, file.NewLocationReadCloser(location, contentReader)) if err != nil { - logger.WithFields("location", location.RealPath, "error", err).Warnf("cataloger returned errors") + // these errors are propagated up, and are likely to be coordinate errors + logger.WithFields("location", location.RealPath, "error", err).Trace("cataloger returned errors") } return discoveredPackages, discoveredRelationships, err From 1f3231eeba0bb4804efaaf029d4c533988eb7d8e Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 6 Sep 2024 21:17:39 -0400 Subject: [PATCH 45/51] chore: lint-fix Signed-off-by: Keith Zantow --- internal/task/package_task_factory.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/task/package_task_factory.go b/internal/task/package_task_factory.go index 71304f43b25..7e27055df87 100644 --- a/internal/task/package_task_factory.go +++ b/internal/task/package_task_factory.go @@ -82,7 +82,7 @@ func (f PackageTaskFactories) Tasks(cfg CatalogingFactoryConfig) ([]Task, error) } // NewPackageTask creates a Task function for a generic pkg.Cataloger, honoring the common configuration options. -func NewPackageTask(cfg CatalogingFactoryConfig, c pkg.Cataloger, tags ...string) Task { +func NewPackageTask(cfg CatalogingFactoryConfig, c pkg.Cataloger, tags ...string) Task { fn := func(ctx context.Context, resolver file.Resolver, sbom sbomsync.Builder) error { catalogerName := c.Name() log.WithFields("name", catalogerName).Trace("starting package cataloger") From 653677ea2e9ec966e89e0a06c91aaffc2aa3c660 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 13 Sep 2024 10:58:22 -0400 Subject: [PATCH 46/51] fix: performance issue in unknowns.Join checking for duplicates Signed-off-by: Keith Zantow --- internal/unknown/coordinate_error.go | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/internal/unknown/coordinate_error.go b/internal/unknown/coordinate_error.go index 52ab2c10ba7..c357f786e1d 100644 --- a/internal/unknown/coordinate_error.go +++ b/internal/unknown/coordinate_error.go @@ -3,6 +3,7 @@ package unknown import ( "errors" "fmt" + "github.com/anchore/syft/internal/log" "strings" "github.com/anchore/syft/syft/file" @@ -147,11 +148,15 @@ func flatten(errs ...error) []error { return out } -// containsErr returns true if an error with the exact same error message is present +// containsErr returns true if a duplicate error is found func containsErr(out []error, err error) bool { - msg := err.Error() + defer func() { + if err := recover(); err != nil { + log.Tracef("error comparing errors: %v", err) + } + }() for _, e := range out { - if e.Error() == msg { + if e == err { return true } } From 95caede2f5f98fff06f57ce7261a041d74a29bcf Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 13 Sep 2024 14:21:48 -0400 Subject: [PATCH 47/51] chore: lint-fix Signed-off-by: Keith Zantow --- internal/unknown/coordinate_error.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/unknown/coordinate_error.go b/internal/unknown/coordinate_error.go index c357f786e1d..46bc53e11b1 100644 --- a/internal/unknown/coordinate_error.go +++ b/internal/unknown/coordinate_error.go @@ -3,9 +3,9 @@ package unknown import ( "errors" "fmt" - "github.com/anchore/syft/internal/log" "strings" + "github.com/anchore/syft/internal/log" "github.com/anchore/syft/syft/file" ) From c04dfdec98fc142d1b91dcaf869fc6c3164530a7 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 13 Sep 2024 15:19:56 -0400 Subject: [PATCH 48/51] chore: fix tests, generate new schema Signed-off-by: Keith Zantow --- internal/constants.go | 2 +- internal/unknown/coordinate_error_test.go | 7 +- schema/json/schema-16.0.17.json | 2635 +++++++++++++++++++++ schema/json/schema-latest.json | 2 +- syft/create_sbom_config_test.go | 26 +- 5 files changed, 2655 insertions(+), 17 deletions(-) create mode 100644 schema/json/schema-16.0.17.json diff --git a/internal/constants.go b/internal/constants.go index 93b0093ab6a..e21291830b4 100644 --- a/internal/constants.go +++ b/internal/constants.go @@ -3,5 +3,5 @@ package internal const ( // JSONSchemaVersion is the current schema version output by the JSON encoder // This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment. - JSONSchemaVersion = "16.0.16" + JSONSchemaVersion = "16.0.17" ) diff --git a/internal/unknown/coordinate_error_test.go b/internal/unknown/coordinate_error_test.go index 95b89b3d209..27c53a5ff6d 100644 --- a/internal/unknown/coordinate_error_test.go +++ b/internal/unknown/coordinate_error_test.go @@ -110,6 +110,9 @@ func Test_visitErrors(t *testing.T) { } func Test_Join(t *testing.T) { + err1 := fmt.Errorf("err1") + err2 := fmt.Errorf("err2") + tests := []struct { name string `` in []error @@ -132,12 +135,12 @@ func Test_Join(t *testing.T) { }, { name: "duplicates", - in: []error{fmt.Errorf("err1"), fmt.Errorf("err1"), fmt.Errorf("err2")}, + in: []error{err1, err1, err2}, expected: "err1\nerr2", }, { name: "nested duplicates", - in: []error{errors.Join(fmt.Errorf("err1"), fmt.Errorf("err2")), fmt.Errorf("err1"), fmt.Errorf("err2")}, + in: []error{errors.Join(err1, err2), err1, err2}, expected: "err1\nerr2", }, { diff --git a/schema/json/schema-16.0.17.json b/schema/json/schema-16.0.17.json new file mode 100644 index 00000000000..5b4a2a2027c --- /dev/null +++ b/schema/json/schema-16.0.17.json @@ -0,0 +1,2635 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "anchore.io/schema/syft/json/16.0.17/document", + "$ref": "#/$defs/Document", + "$defs": { + "AlpmDbEntry": { + "properties": { + "basepackage": { + "type": "string" + }, + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "description": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "packager": { + "type": "string" + }, + "url": { + "type": "string" + }, + "validation": { + "type": "string" + }, + "reason": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "backup": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "basepackage", + "package", + "version", + "description", + "architecture", + "size", + "packager", + "url", + "validation", + "reason", + "files", + "backup" + ] + }, + "AlpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + }, + "uid": { + "type": "string" + }, + "gid": { + "type": "string" + }, + "time": { + "type": "string", + "format": "date-time" + }, + "size": { + "type": "string" + }, + "link": { + "type": "string" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object" + }, + "ApkDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "originPackage": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "version": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "url": { + "type": "string" + }, + "description": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "installedSize": { + "type": "integer" + }, + "pullDependencies": { + "items": { + "type": "string" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pullChecksum": { + "type": "string" + }, + "gitCommitOfApkPort": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/ApkFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "originPackage", + "maintainer", + "version", + "architecture", + "url", + "description", + "size", + "installedSize", + "pullDependencies", + "provides", + "pullChecksum", + "gitCommitOfApkPort", + "files" + ] + }, + "ApkFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "ownerUid": { + "type": "string" + }, + "ownerGid": { + "type": "string" + }, + "permissions": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "BinarySignature": { + "properties": { + "matches": { + "items": { + "$ref": "#/$defs/ClassifierMatch" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "matches" + ] + }, + "CConanFileEntry": { + "properties": { + "ref": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanInfoEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + }, + "prev": { + "type": "string" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "build_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "py_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "options": { + "$ref": "#/$defs/KeyValues" + }, + "path": { + "type": "string" + }, + "context": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockV2Entry": { + "properties": { + "ref": { + "type": "string" + }, + "packageID": { + "type": "string" + }, + "username": { + "type": "string" + }, + "channel": { + "type": "string" + }, + "recipeRevision": { + "type": "string" + }, + "packageRevision": { + "type": "string" + }, + "timestamp": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CPE": { + "properties": { + "cpe": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "cpe" + ] + }, + "ClassifierMatch": { + "properties": { + "classifier": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Location" + } + }, + "type": "object", + "required": [ + "classifier", + "location" + ] + }, + "CocoaPodfileLockEntry": { + "properties": { + "checksum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "checksum" + ] + }, + "Coordinates": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "DartPubspecLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "hosted_url": { + "type": "string" + }, + "vcs_url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Descriptor": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "configuration": true + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Digest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "Document": { + "properties": { + "artifacts": { + "items": { + "$ref": "#/$defs/Package" + }, + "type": "array" + }, + "artifactRelationships": { + "items": { + "$ref": "#/$defs/Relationship" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/File" + }, + "type": "array" + }, + "source": { + "$ref": "#/$defs/Source" + }, + "distro": { + "$ref": "#/$defs/LinuxRelease" + }, + "descriptor": { + "$ref": "#/$defs/Descriptor" + }, + "schema": { + "$ref": "#/$defs/Schema" + } + }, + "type": "object", + "required": [ + "artifacts", + "artifactRelationships", + "source", + "distro", + "descriptor", + "schema" + ] + }, + "DotnetDepsEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "path": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "hashPath": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "path", + "sha512", + "hashPath" + ] + }, + "DotnetPortableExecutableEntry": { + "properties": { + "assemblyVersion": { + "type": "string" + }, + "legalCopyright": { + "type": "string" + }, + "comments": { + "type": "string" + }, + "internalName": { + "type": "string" + }, + "companyName": { + "type": "string" + }, + "productName": { + "type": "string" + }, + "productVersion": { + "type": "string" + } + }, + "type": "object", + "required": [ + "assemblyVersion", + "legalCopyright", + "companyName", + "productName", + "productVersion" + ] + }, + "DpkgDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "source": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "preDepends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/DpkgFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "source", + "version", + "sourceVersion", + "architecture", + "maintainer", + "installedSize", + "files" + ] + }, + "DpkgFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "isConfigFile": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "path", + "isConfigFile" + ] + }, + "ELFSecurityFeatures": { + "properties": { + "symbolTableStripped": { + "type": "boolean" + }, + "stackCanary": { + "type": "boolean" + }, + "nx": { + "type": "boolean" + }, + "relRO": { + "type": "string" + }, + "pie": { + "type": "boolean" + }, + "dso": { + "type": "boolean" + }, + "safeStack": { + "type": "boolean" + }, + "cfi": { + "type": "boolean" + }, + "fortify": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "symbolTableStripped", + "nx", + "relRO", + "pie", + "dso" + ] + }, + "ElfBinaryPackageNoteJsonPayload": { + "properties": { + "type": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "osCPE": { + "type": "string" + }, + "os": { + "type": "string" + }, + "osVersion": { + "type": "string" + }, + "system": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "sourceRepo": { + "type": "string" + }, + "commit": { + "type": "string" + } + }, + "type": "object" + }, + "ElixirMixLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "ErlangRebarLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "Executable": { + "properties": { + "format": { + "type": "string" + }, + "hasExports": { + "type": "boolean" + }, + "hasEntrypoint": { + "type": "boolean" + }, + "importedLibraries": { + "items": { + "type": "string" + }, + "type": "array" + }, + "elfSecurityFeatures": { + "$ref": "#/$defs/ELFSecurityFeatures" + } + }, + "type": "object", + "required": [ + "format", + "hasExports", + "hasEntrypoint", + "importedLibraries" + ] + }, + "File": { + "properties": { + "id": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Coordinates" + }, + "metadata": { + "$ref": "#/$defs/FileMetadataEntry" + }, + "contents": { + "type": "string" + }, + "digests": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/FileLicense" + }, + "type": "array" + }, + "executable": { + "$ref": "#/$defs/Executable" + }, + "unknowns": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "id", + "location" + ] + }, + "FileLicense": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "evidence": { + "$ref": "#/$defs/FileLicenseEvidence" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type" + ] + }, + "FileLicenseEvidence": { + "properties": { + "confidence": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "extent": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "confidence", + "offset", + "extent" + ] + }, + "FileMetadataEntry": { + "properties": { + "mode": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "linkDestination": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "groupID": { + "type": "integer" + }, + "mimeType": { + "type": "string" + }, + "size": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "mode", + "type", + "userID", + "groupID", + "mimeType", + "size" + ] + }, + "GoModuleBuildinfoEntry": { + "properties": { + "goBuildSettings": { + "$ref": "#/$defs/KeyValues" + }, + "goCompiledVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "h1Digest": { + "type": "string" + }, + "mainModule": { + "type": "string" + }, + "goCryptoSettings": { + "items": { + "type": "string" + }, + "type": "array" + }, + "goExperiments": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "goCompiledVersion", + "architecture" + ] + }, + "GoModuleEntry": { + "properties": { + "h1Digest": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackEntry": { + "properties": { + "pkgHash": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackLockEntry": { + "properties": { + "pkgHash": { + "type": "string" + }, + "snapshotURL": { + "type": "string" + } + }, + "type": "object" + }, + "IDLikes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "JavaArchive": { + "properties": { + "virtualPath": { + "type": "string" + }, + "manifest": { + "$ref": "#/$defs/JavaManifest" + }, + "pomProperties": { + "$ref": "#/$defs/JavaPomProperties" + }, + "pomProject": { + "$ref": "#/$defs/JavaPomProject" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "virtualPath" + ] + }, + "JavaManifest": { + "properties": { + "main": { + "$ref": "#/$defs/KeyValues" + }, + "sections": { + "items": { + "$ref": "#/$defs/KeyValues" + }, + "type": "array" + } + }, + "type": "object" + }, + "JavaPomParent": { + "properties": { + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object", + "required": [ + "groupId", + "artifactId", + "version" + ] + }, + "JavaPomProject": { + "properties": { + "path": { + "type": "string" + }, + "parent": { + "$ref": "#/$defs/JavaPomParent" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "groupId", + "artifactId", + "version", + "name" + ] + }, + "JavaPomProperties": { + "properties": { + "path": { + "type": "string" + }, + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "scope": { + "type": "string" + }, + "extraFields": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "name", + "groupId", + "artifactId", + "version" + ] + }, + "JavascriptNpmPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "private": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "homepage", + "description", + "url", + "private" + ] + }, + "JavascriptNpmPackageLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "JavascriptYarnLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "KeyValue": { + "properties": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "key", + "value" + ] + }, + "KeyValues": { + "items": { + "$ref": "#/$defs/KeyValue" + }, + "type": "array" + }, + "License": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "urls": { + "items": { + "type": "string" + }, + "type": "array" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type", + "urls", + "locations" + ] + }, + "LinuxKernelArchive": { + "properties": { + "name": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "version": { + "type": "string" + }, + "extendedVersion": { + "type": "string" + }, + "buildTime": { + "type": "string" + }, + "author": { + "type": "string" + }, + "format": { + "type": "string" + }, + "rwRootFS": { + "type": "boolean" + }, + "swapDevice": { + "type": "integer" + }, + "rootDevice": { + "type": "integer" + }, + "videoMode": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "architecture", + "version" + ] + }, + "LinuxKernelModule": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "path": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "license": { + "type": "string" + }, + "kernelVersion": { + "type": "string" + }, + "versionMagic": { + "type": "string" + }, + "parameters": { + "patternProperties": { + ".*": { + "$ref": "#/$defs/LinuxKernelModuleParameter" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "LinuxKernelModuleParameter": { + "properties": { + "type": { + "type": "string" + }, + "description": { + "type": "string" + } + }, + "type": "object" + }, + "LinuxRelease": { + "properties": { + "prettyName": { + "type": "string" + }, + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "idLike": { + "$ref": "#/$defs/IDLikes" + }, + "version": { + "type": "string" + }, + "versionID": { + "type": "string" + }, + "versionCodename": { + "type": "string" + }, + "buildID": { + "type": "string" + }, + "imageID": { + "type": "string" + }, + "imageVersion": { + "type": "string" + }, + "variant": { + "type": "string" + }, + "variantID": { + "type": "string" + }, + "homeURL": { + "type": "string" + }, + "supportURL": { + "type": "string" + }, + "bugReportURL": { + "type": "string" + }, + "privacyPolicyURL": { + "type": "string" + }, + "cpeName": { + "type": "string" + }, + "supportEnd": { + "type": "string" + } + }, + "type": "object" + }, + "Location": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + }, + "accessPath": { + "type": "string" + }, + "annotations": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "accessPath" + ] + }, + "LuarocksPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "dependencies": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "name", + "version", + "license", + "homepage", + "description", + "url", + "dependencies" + ] + }, + "MicrosoftKbPatch": { + "properties": { + "product_id": { + "type": "string" + }, + "kb": { + "type": "string" + } + }, + "type": "object", + "required": [ + "product_id", + "kb" + ] + }, + "NixStoreEntry": { + "properties": { + "outputHash": { + "type": "string" + }, + "output": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "outputHash", + "files" + ] + }, + "OpamPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "licenses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "url": { + "type": "string" + }, + "checksum": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "licenses", + "url", + "checksum", + "homepage", + "dependencies" + ] + }, + "Package": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "foundBy": { + "type": "string" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + }, + "licenses": { + "$ref": "#/$defs/licenses" + }, + "language": { + "type": "string" + }, + "cpes": { + "$ref": "#/$defs/cpes" + }, + "purl": { + "type": "string" + }, + "metadataType": { + "type": "string" + }, + "metadata": { + "anyOf": [ + { + "type": "null" + }, + { + "$ref": "#/$defs/AlpmDbEntry" + }, + { + "$ref": "#/$defs/ApkDbEntry" + }, + { + "$ref": "#/$defs/BinarySignature" + }, + { + "$ref": "#/$defs/CConanFileEntry" + }, + { + "$ref": "#/$defs/CConanInfoEntry" + }, + { + "$ref": "#/$defs/CConanLockEntry" + }, + { + "$ref": "#/$defs/CConanLockV2Entry" + }, + { + "$ref": "#/$defs/CocoaPodfileLockEntry" + }, + { + "$ref": "#/$defs/DartPubspecLockEntry" + }, + { + "$ref": "#/$defs/DotnetDepsEntry" + }, + { + "$ref": "#/$defs/DotnetPortableExecutableEntry" + }, + { + "$ref": "#/$defs/DpkgDbEntry" + }, + { + "$ref": "#/$defs/ElfBinaryPackageNoteJsonPayload" + }, + { + "$ref": "#/$defs/ElixirMixLockEntry" + }, + { + "$ref": "#/$defs/ErlangRebarLockEntry" + }, + { + "$ref": "#/$defs/GoModuleBuildinfoEntry" + }, + { + "$ref": "#/$defs/GoModuleEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackLockEntry" + }, + { + "$ref": "#/$defs/JavaArchive" + }, + { + "$ref": "#/$defs/JavascriptNpmPackage" + }, + { + "$ref": "#/$defs/JavascriptNpmPackageLockEntry" + }, + { + "$ref": "#/$defs/JavascriptYarnLockEntry" + }, + { + "$ref": "#/$defs/LinuxKernelArchive" + }, + { + "$ref": "#/$defs/LinuxKernelModule" + }, + { + "$ref": "#/$defs/LuarocksPackage" + }, + { + "$ref": "#/$defs/MicrosoftKbPatch" + }, + { + "$ref": "#/$defs/NixStoreEntry" + }, + { + "$ref": "#/$defs/OpamPackage" + }, + { + "$ref": "#/$defs/PhpComposerInstalledEntry" + }, + { + "$ref": "#/$defs/PhpComposerLockEntry" + }, + { + "$ref": "#/$defs/PhpPeclEntry" + }, + { + "$ref": "#/$defs/PortageDbEntry" + }, + { + "$ref": "#/$defs/PythonPackage" + }, + { + "$ref": "#/$defs/PythonPipRequirementsEntry" + }, + { + "$ref": "#/$defs/PythonPipfileLockEntry" + }, + { + "$ref": "#/$defs/PythonPoetryLockEntry" + }, + { + "$ref": "#/$defs/RDescription" + }, + { + "$ref": "#/$defs/RpmArchive" + }, + { + "$ref": "#/$defs/RpmDbEntry" + }, + { + "$ref": "#/$defs/RubyGemspec" + }, + { + "$ref": "#/$defs/RustCargoAuditEntry" + }, + { + "$ref": "#/$defs/RustCargoLockEntry" + }, + { + "$ref": "#/$defs/SwiftPackageManagerLockEntry" + }, + { + "$ref": "#/$defs/SwiplpackPackage" + }, + { + "$ref": "#/$defs/WordpressPluginEntry" + } + ] + } + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "foundBy", + "locations", + "licenses", + "language", + "cpes", + "purl" + ] + }, + "PhpComposerAuthors": { + "properties": { + "name": { + "type": "string" + }, + "email": { + "type": "string" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name" + ] + }, + "PhpComposerExternalReference": { + "properties": { + "type": { + "type": "string" + }, + "url": { + "type": "string" + }, + "reference": { + "type": "string" + }, + "shasum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "type", + "url", + "reference" + ] + }, + "PhpComposerInstalledEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpComposerLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpPeclEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "PortageDbEntry": { + "properties": { + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/PortageFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "installedSize", + "files" + ] + }, + "PortageFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonDirectURLOriginInfo": { + "properties": { + "url": { + "type": "string" + }, + "commitId": { + "type": "string" + }, + "vcs": { + "type": "string" + } + }, + "type": "object", + "required": [ + "url" + ] + }, + "PythonFileDigest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "PythonFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/PythonFileDigest" + }, + "size": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/PythonFileRecord" + }, + "type": "array" + }, + "sitePackagesRootPath": { + "type": "string" + }, + "topLevelPackages": { + "items": { + "type": "string" + }, + "type": "array" + }, + "directUrlOrigin": { + "$ref": "#/$defs/PythonDirectURLOriginInfo" + }, + "requiresPython": { + "type": "string" + }, + "requiresDist": { + "items": { + "type": "string" + }, + "type": "array" + }, + "providesExtra": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "platform", + "sitePackagesRootPath" + ] + }, + "PythonPipRequirementsEntry": { + "properties": { + "name": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + }, + "versionConstraint": { + "type": "string" + }, + "url": { + "type": "string" + }, + "markers": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "versionConstraint" + ] + }, + "PythonPipfileLockEntry": { + "properties": { + "hashes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "index": { + "type": "string" + } + }, + "type": "object", + "required": [ + "hashes", + "index" + ] + }, + "PythonPoetryLockDependencyEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "markers": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "optional" + ] + }, + "PythonPoetryLockEntry": { + "properties": { + "index": { + "type": "string" + }, + "dependencies": { + "items": { + "$ref": "#/$defs/PythonPoetryLockDependencyEntry" + }, + "type": "array" + }, + "extras": { + "items": { + "$ref": "#/$defs/PythonPoetryLockExtraEntry" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "index", + "dependencies" + ] + }, + "PythonPoetryLockExtraEntry": { + "properties": { + "name": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "dependencies" + ] + }, + "RDescription": { + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "url": { + "items": { + "type": "string" + }, + "type": "array" + }, + "repository": { + "type": "string" + }, + "built": { + "type": "string" + }, + "needsCompilation": { + "type": "boolean" + }, + "imports": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "suggests": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "Relationship": { + "properties": { + "parent": { + "type": "string" + }, + "child": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "parent", + "child", + "type" + ] + }, + "RpmArchive": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmDbEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "userName": { + "type": "string" + }, + "groupName": { + "type": "string" + }, + "flags": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "mode", + "size", + "digest", + "userName", + "groupName", + "flags" + ] + }, + "RubyGemspec": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "RustCargoAuditEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source" + ] + }, + "RustCargoLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "checksum", + "dependencies" + ] + }, + "Schema": { + "properties": { + "version": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "version", + "url" + ] + }, + "Source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "metadata" + ] + }, + "SwiftPackageManagerLockEntry": { + "properties": { + "revision": { + "type": "string" + } + }, + "type": "object", + "required": [ + "revision" + ] + }, + "SwiplpackPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "packager": { + "type": "string" + }, + "packagerEmail": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "packager", + "packagerEmail", + "homepage", + "dependencies" + ] + }, + "WordpressPluginEntry": { + "properties": { + "pluginInstallDirectory": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorUri": { + "type": "string" + } + }, + "type": "object", + "required": [ + "pluginInstallDirectory" + ] + }, + "cpes": { + "items": { + "$ref": "#/$defs/CPE" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/License" + }, + "type": "array" + } + } +} diff --git a/schema/json/schema-latest.json b/schema/json/schema-latest.json index 3dcf2d3d2b2..5b4a2a2027c 100644 --- a/schema/json/schema-latest.json +++ b/schema/json/schema-latest.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "anchore.io/schema/syft/json/16.0.16/document", + "$id": "anchore.io/schema/syft/json/16.0.17/document", "$ref": "#/$defs/Document", "$defs": { "AlpmDbEntry": { diff --git a/syft/create_sbom_config_test.go b/syft/create_sbom_config_test.go index c5c1800eb1b..64a9a2a0af4 100644 --- a/syft/create_sbom_config_test.go +++ b/syft/create_sbom_config_test.go @@ -90,7 +90,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -109,7 +109,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "directory"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -129,7 +129,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "directory"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -148,7 +148,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(false, true, true), // note: the digest cataloger is not included relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -167,7 +167,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), // note: there are no file catalogers in their own group relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -189,7 +189,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { fileCatalogerNames(true, true, true)..., ), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -210,7 +210,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "image"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -231,7 +231,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "directory"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -252,7 +252,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgIntersect("image", "javascript"), "persistent"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -274,7 +274,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { addTo(pkgCatalogerNamesWithTagOrName(t, "image"), "user-provided"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -295,7 +295,7 @@ func TestCreateSBOMConfig_makeTaskGroups(t *testing.T) { pkgCatalogerNamesWithTagOrName(t, "image"), fileCatalogerNames(true, true, true), relationshipCatalogerNames(), - unknownsFinalizeTaskNames(), + unknownsTaskNames(), }, wantManifest: &catalogerManifest{ Requested: pkgcataloging.SelectionRequest{ @@ -396,8 +396,8 @@ func relationshipCatalogerNames() []string { return []string{"relationships-cataloger"} } -func unknownsFinalizeTaskNames() []string { - return []string{"unknowns-finalize"} +func unknownsTaskNames() []string { + return []string{"unknowns-labeler"} } func environmentCatalogerNames() []string { From 113ffffd578ac265a82b268c125117a2a8ebca67 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 13 Sep 2024 16:29:04 -0400 Subject: [PATCH 49/51] chore: update tests Signed-off-by: Keith Zantow --- syft/pkg/cataloger/debian/parse_dpkg_db_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go index e50e90fd9d6..50ab3485ba4 100644 --- a/syft/pkg/cataloger/debian/parse_dpkg_db_test.go +++ b/syft/pkg/cataloger/debian/parse_dpkg_db_test.go @@ -323,7 +323,7 @@ func Test_parseDpkgStatus_negativeCases(t *testing.T) { { name: "no more packages", input: `Package: apt`, - wantErr: require.NoError, + wantErr: requireAs(errors.New("unable to determine packages")), }, { name: "duplicated key", From cd7351678069ca45d31a8acdf380f8dcd6bd7c95 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 4 Oct 2024 16:21:11 -0400 Subject: [PATCH 50/51] chore: surface package.json files with no name or version Signed-off-by: Keith Zantow --- internal/constants.go | 2 +- schema/json/schema-16.0.18.json | 2727 +++++++++++++++++ schema/json/schema-latest.json | 2 +- .../javascript/parse_package_json.go | 12 +- .../javascript/parse_package_json_test.go | 13 +- 5 files changed, 2743 insertions(+), 13 deletions(-) create mode 100644 schema/json/schema-16.0.18.json diff --git a/internal/constants.go b/internal/constants.go index e21291830b4..4dd27cf7953 100644 --- a/internal/constants.go +++ b/internal/constants.go @@ -3,5 +3,5 @@ package internal const ( // JSONSchemaVersion is the current schema version output by the JSON encoder // This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment. - JSONSchemaVersion = "16.0.17" + JSONSchemaVersion = "16.0.18" ) diff --git a/schema/json/schema-16.0.18.json b/schema/json/schema-16.0.18.json new file mode 100644 index 00000000000..936582e2d22 --- /dev/null +++ b/schema/json/schema-16.0.18.json @@ -0,0 +1,2727 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "anchore.io/schema/syft/json/16.0.18/document", + "$ref": "#/$defs/Document", + "$defs": { + "AlpmDbEntry": { + "properties": { + "basepackage": { + "type": "string" + }, + "package": { + "type": "string" + }, + "version": { + "type": "string" + }, + "description": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "packager": { + "type": "string" + }, + "url": { + "type": "string" + }, + "validation": { + "type": "string" + }, + "reason": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "backup": { + "items": { + "$ref": "#/$defs/AlpmFileRecord" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "basepackage", + "package", + "version", + "description", + "architecture", + "size", + "packager", + "url", + "validation", + "reason", + "files", + "backup" + ] + }, + "AlpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "type": { + "type": "string" + }, + "uid": { + "type": "string" + }, + "gid": { + "type": "string" + }, + "time": { + "type": "string", + "format": "date-time" + }, + "size": { + "type": "string" + }, + "link": { + "type": "string" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object" + }, + "ApkDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "originPackage": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "version": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "url": { + "type": "string" + }, + "description": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "installedSize": { + "type": "integer" + }, + "pullDependencies": { + "items": { + "type": "string" + }, + "type": "array" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "pullChecksum": { + "type": "string" + }, + "gitCommitOfApkPort": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/ApkFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "originPackage", + "maintainer", + "version", + "architecture", + "url", + "description", + "size", + "installedSize", + "pullDependencies", + "provides", + "pullChecksum", + "gitCommitOfApkPort", + "files" + ] + }, + "ApkFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "ownerUid": { + "type": "string" + }, + "ownerGid": { + "type": "string" + }, + "permissions": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "BinarySignature": { + "properties": { + "matches": { + "items": { + "$ref": "#/$defs/ClassifierMatch" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "matches" + ] + }, + "CConanFileEntry": { + "properties": { + "ref": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanInfoEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockEntry": { + "properties": { + "ref": { + "type": "string" + }, + "package_id": { + "type": "string" + }, + "prev": { + "type": "string" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "build_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "py_requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "options": { + "$ref": "#/$defs/KeyValues" + }, + "path": { + "type": "string" + }, + "context": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CConanLockV2Entry": { + "properties": { + "ref": { + "type": "string" + }, + "packageID": { + "type": "string" + }, + "username": { + "type": "string" + }, + "channel": { + "type": "string" + }, + "recipeRevision": { + "type": "string" + }, + "packageRevision": { + "type": "string" + }, + "timestamp": { + "type": "string" + } + }, + "type": "object", + "required": [ + "ref" + ] + }, + "CPE": { + "properties": { + "cpe": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "cpe" + ] + }, + "ClassifierMatch": { + "properties": { + "classifier": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Location" + } + }, + "type": "object", + "required": [ + "classifier", + "location" + ] + }, + "CocoaPodfileLockEntry": { + "properties": { + "checksum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "checksum" + ] + }, + "Coordinates": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "DartPubspecLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "hosted_url": { + "type": "string" + }, + "vcs_url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Descriptor": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "configuration": true + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "Digest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "Document": { + "properties": { + "artifacts": { + "items": { + "$ref": "#/$defs/Package" + }, + "type": "array" + }, + "artifactRelationships": { + "items": { + "$ref": "#/$defs/Relationship" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/File" + }, + "type": "array" + }, + "source": { + "$ref": "#/$defs/Source" + }, + "distro": { + "$ref": "#/$defs/LinuxRelease" + }, + "descriptor": { + "$ref": "#/$defs/Descriptor" + }, + "schema": { + "$ref": "#/$defs/Schema" + } + }, + "type": "object", + "required": [ + "artifacts", + "artifactRelationships", + "source", + "distro", + "descriptor", + "schema" + ] + }, + "DotnetDepsEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "path": { + "type": "string" + }, + "sha512": { + "type": "string" + }, + "hashPath": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "path", + "sha512", + "hashPath" + ] + }, + "DotnetPortableExecutableEntry": { + "properties": { + "assemblyVersion": { + "type": "string" + }, + "legalCopyright": { + "type": "string" + }, + "comments": { + "type": "string" + }, + "internalName": { + "type": "string" + }, + "companyName": { + "type": "string" + }, + "productName": { + "type": "string" + }, + "productVersion": { + "type": "string" + } + }, + "type": "object", + "required": [ + "assemblyVersion", + "legalCopyright", + "companyName", + "productName", + "productVersion" + ] + }, + "DpkgDbEntry": { + "properties": { + "package": { + "type": "string" + }, + "source": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "installedSize": { + "type": "integer" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "preDepends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/DpkgFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "package", + "source", + "version", + "sourceVersion", + "architecture", + "maintainer", + "installedSize", + "files" + ] + }, + "DpkgFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "isConfigFile": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "path", + "isConfigFile" + ] + }, + "ELFSecurityFeatures": { + "properties": { + "symbolTableStripped": { + "type": "boolean" + }, + "stackCanary": { + "type": "boolean" + }, + "nx": { + "type": "boolean" + }, + "relRO": { + "type": "string" + }, + "pie": { + "type": "boolean" + }, + "dso": { + "type": "boolean" + }, + "safeStack": { + "type": "boolean" + }, + "cfi": { + "type": "boolean" + }, + "fortify": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "symbolTableStripped", + "nx", + "relRO", + "pie", + "dso" + ] + }, + "ElfBinaryPackageNoteJsonPayload": { + "properties": { + "type": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "osCPE": { + "type": "string" + }, + "os": { + "type": "string" + }, + "osVersion": { + "type": "string" + }, + "system": { + "type": "string" + }, + "vendor": { + "type": "string" + }, + "sourceRepo": { + "type": "string" + }, + "commit": { + "type": "string" + } + }, + "type": "object" + }, + "ElixirMixLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "ErlangRebarLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "pkgHash": { + "type": "string" + }, + "pkgHashExt": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "pkgHash", + "pkgHashExt" + ] + }, + "Executable": { + "properties": { + "format": { + "type": "string" + }, + "hasExports": { + "type": "boolean" + }, + "hasEntrypoint": { + "type": "boolean" + }, + "importedLibraries": { + "items": { + "type": "string" + }, + "type": "array" + }, + "elfSecurityFeatures": { + "$ref": "#/$defs/ELFSecurityFeatures" + } + }, + "type": "object", + "required": [ + "format", + "hasExports", + "hasEntrypoint", + "importedLibraries" + ] + }, + "File": { + "properties": { + "id": { + "type": "string" + }, + "location": { + "$ref": "#/$defs/Coordinates" + }, + "metadata": { + "$ref": "#/$defs/FileMetadataEntry" + }, + "contents": { + "type": "string" + }, + "digests": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/FileLicense" + }, + "type": "array" + }, + "executable": { + "$ref": "#/$defs/Executable" + }, + "unknowns": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "id", + "location" + ] + }, + "FileLicense": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "evidence": { + "$ref": "#/$defs/FileLicenseEvidence" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type" + ] + }, + "FileLicenseEvidence": { + "properties": { + "confidence": { + "type": "integer" + }, + "offset": { + "type": "integer" + }, + "extent": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "confidence", + "offset", + "extent" + ] + }, + "FileMetadataEntry": { + "properties": { + "mode": { + "type": "integer" + }, + "type": { + "type": "string" + }, + "linkDestination": { + "type": "string" + }, + "userID": { + "type": "integer" + }, + "groupID": { + "type": "integer" + }, + "mimeType": { + "type": "string" + }, + "size": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "mode", + "type", + "userID", + "groupID", + "mimeType", + "size" + ] + }, + "GoModuleBuildinfoEntry": { + "properties": { + "goBuildSettings": { + "$ref": "#/$defs/KeyValues" + }, + "goCompiledVersion": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "h1Digest": { + "type": "string" + }, + "mainModule": { + "type": "string" + }, + "goCryptoSettings": { + "items": { + "type": "string" + }, + "type": "array" + }, + "goExperiments": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "goCompiledVersion", + "architecture" + ] + }, + "GoModuleEntry": { + "properties": { + "h1Digest": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackEntry": { + "properties": { + "pkgHash": { + "type": "string" + } + }, + "type": "object" + }, + "HaskellHackageStackLockEntry": { + "properties": { + "pkgHash": { + "type": "string" + }, + "snapshotURL": { + "type": "string" + } + }, + "type": "object" + }, + "IDLikes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "JavaArchive": { + "properties": { + "virtualPath": { + "type": "string" + }, + "manifest": { + "$ref": "#/$defs/JavaManifest" + }, + "pomProperties": { + "$ref": "#/$defs/JavaPomProperties" + }, + "pomProject": { + "$ref": "#/$defs/JavaPomProject" + }, + "digest": { + "items": { + "$ref": "#/$defs/Digest" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "virtualPath" + ] + }, + "JavaJvmInstallation": { + "properties": { + "release": { + "$ref": "#/$defs/JavaVMRelease" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "release", + "files" + ] + }, + "JavaManifest": { + "properties": { + "main": { + "$ref": "#/$defs/KeyValues" + }, + "sections": { + "items": { + "$ref": "#/$defs/KeyValues" + }, + "type": "array" + } + }, + "type": "object" + }, + "JavaPomParent": { + "properties": { + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + } + }, + "type": "object", + "required": [ + "groupId", + "artifactId", + "version" + ] + }, + "JavaPomProject": { + "properties": { + "path": { + "type": "string" + }, + "parent": { + "$ref": "#/$defs/JavaPomParent" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "name": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "groupId", + "artifactId", + "version", + "name" + ] + }, + "JavaPomProperties": { + "properties": { + "path": { + "type": "string" + }, + "name": { + "type": "string" + }, + "groupId": { + "type": "string" + }, + "artifactId": { + "type": "string" + }, + "version": { + "type": "string" + }, + "scope": { + "type": "string" + }, + "extraFields": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "name", + "groupId", + "artifactId", + "version" + ] + }, + "JavaVMRelease": { + "properties": { + "implementor": { + "type": "string" + }, + "implementorVersion": { + "type": "string" + }, + "javaRuntimeVersion": { + "type": "string" + }, + "javaVersion": { + "type": "string" + }, + "javaVersionDate": { + "type": "string" + }, + "libc": { + "type": "string" + }, + "modules": { + "items": { + "type": "string" + }, + "type": "array" + }, + "osArch": { + "type": "string" + }, + "osName": { + "type": "string" + }, + "osVersion": { + "type": "string" + }, + "source": { + "type": "string" + }, + "buildSource": { + "type": "string" + }, + "buildSourceRepo": { + "type": "string" + }, + "sourceRepo": { + "type": "string" + }, + "fullVersion": { + "type": "string" + }, + "semanticVersion": { + "type": "string" + }, + "buildInfo": { + "type": "string" + }, + "jvmVariant": { + "type": "string" + }, + "jvmVersion": { + "type": "string" + }, + "imageType": { + "type": "string" + }, + "buildType": { + "type": "string" + } + }, + "type": "object" + }, + "JavascriptNpmPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "private": { + "type": "boolean" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "homepage", + "description", + "url", + "private" + ] + }, + "JavascriptNpmPackageLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "JavascriptYarnLockEntry": { + "properties": { + "resolved": { + "type": "string" + }, + "integrity": { + "type": "string" + } + }, + "type": "object", + "required": [ + "resolved", + "integrity" + ] + }, + "KeyValue": { + "properties": { + "key": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "key", + "value" + ] + }, + "KeyValues": { + "items": { + "$ref": "#/$defs/KeyValue" + }, + "type": "array" + }, + "License": { + "properties": { + "value": { + "type": "string" + }, + "spdxExpression": { + "type": "string" + }, + "type": { + "type": "string" + }, + "urls": { + "items": { + "type": "string" + }, + "type": "array" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "value", + "spdxExpression", + "type", + "urls", + "locations" + ] + }, + "LinuxKernelArchive": { + "properties": { + "name": { + "type": "string" + }, + "architecture": { + "type": "string" + }, + "version": { + "type": "string" + }, + "extendedVersion": { + "type": "string" + }, + "buildTime": { + "type": "string" + }, + "author": { + "type": "string" + }, + "format": { + "type": "string" + }, + "rwRootFS": { + "type": "boolean" + }, + "swapDevice": { + "type": "integer" + }, + "rootDevice": { + "type": "integer" + }, + "videoMode": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "architecture", + "version" + ] + }, + "LinuxKernelModule": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "sourceVersion": { + "type": "string" + }, + "path": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "license": { + "type": "string" + }, + "kernelVersion": { + "type": "string" + }, + "versionMagic": { + "type": "string" + }, + "parameters": { + "patternProperties": { + ".*": { + "$ref": "#/$defs/LinuxKernelModuleParameter" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "LinuxKernelModuleParameter": { + "properties": { + "type": { + "type": "string" + }, + "description": { + "type": "string" + } + }, + "type": "object" + }, + "LinuxRelease": { + "properties": { + "prettyName": { + "type": "string" + }, + "name": { + "type": "string" + }, + "id": { + "type": "string" + }, + "idLike": { + "$ref": "#/$defs/IDLikes" + }, + "version": { + "type": "string" + }, + "versionID": { + "type": "string" + }, + "versionCodename": { + "type": "string" + }, + "buildID": { + "type": "string" + }, + "imageID": { + "type": "string" + }, + "imageVersion": { + "type": "string" + }, + "variant": { + "type": "string" + }, + "variantID": { + "type": "string" + }, + "homeURL": { + "type": "string" + }, + "supportURL": { + "type": "string" + }, + "bugReportURL": { + "type": "string" + }, + "privacyPolicyURL": { + "type": "string" + }, + "cpeName": { + "type": "string" + }, + "supportEnd": { + "type": "string" + } + }, + "type": "object" + }, + "Location": { + "properties": { + "path": { + "type": "string" + }, + "layerID": { + "type": "string" + }, + "accessPath": { + "type": "string" + }, + "annotations": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "path", + "accessPath" + ] + }, + "LuarocksPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "description": { + "type": "string" + }, + "url": { + "type": "string" + }, + "dependencies": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object", + "required": [ + "name", + "version", + "license", + "homepage", + "description", + "url", + "dependencies" + ] + }, + "MicrosoftKbPatch": { + "properties": { + "product_id": { + "type": "string" + }, + "kb": { + "type": "string" + } + }, + "type": "object", + "required": [ + "product_id", + "kb" + ] + }, + "NixStoreEntry": { + "properties": { + "outputHash": { + "type": "string" + }, + "output": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "outputHash", + "files" + ] + }, + "OpamPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "licenses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "url": { + "type": "string" + }, + "checksum": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "licenses", + "url", + "checksum", + "homepage", + "dependencies" + ] + }, + "Package": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "foundBy": { + "type": "string" + }, + "locations": { + "items": { + "$ref": "#/$defs/Location" + }, + "type": "array" + }, + "licenses": { + "$ref": "#/$defs/licenses" + }, + "language": { + "type": "string" + }, + "cpes": { + "$ref": "#/$defs/cpes" + }, + "purl": { + "type": "string" + }, + "metadataType": { + "type": "string" + }, + "metadata": { + "anyOf": [ + { + "type": "null" + }, + { + "$ref": "#/$defs/AlpmDbEntry" + }, + { + "$ref": "#/$defs/ApkDbEntry" + }, + { + "$ref": "#/$defs/BinarySignature" + }, + { + "$ref": "#/$defs/CConanFileEntry" + }, + { + "$ref": "#/$defs/CConanInfoEntry" + }, + { + "$ref": "#/$defs/CConanLockEntry" + }, + { + "$ref": "#/$defs/CConanLockV2Entry" + }, + { + "$ref": "#/$defs/CocoaPodfileLockEntry" + }, + { + "$ref": "#/$defs/DartPubspecLockEntry" + }, + { + "$ref": "#/$defs/DotnetDepsEntry" + }, + { + "$ref": "#/$defs/DotnetPortableExecutableEntry" + }, + { + "$ref": "#/$defs/DpkgDbEntry" + }, + { + "$ref": "#/$defs/ElfBinaryPackageNoteJsonPayload" + }, + { + "$ref": "#/$defs/ElixirMixLockEntry" + }, + { + "$ref": "#/$defs/ErlangRebarLockEntry" + }, + { + "$ref": "#/$defs/GoModuleBuildinfoEntry" + }, + { + "$ref": "#/$defs/GoModuleEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackEntry" + }, + { + "$ref": "#/$defs/HaskellHackageStackLockEntry" + }, + { + "$ref": "#/$defs/JavaArchive" + }, + { + "$ref": "#/$defs/JavaJvmInstallation" + }, + { + "$ref": "#/$defs/JavascriptNpmPackage" + }, + { + "$ref": "#/$defs/JavascriptNpmPackageLockEntry" + }, + { + "$ref": "#/$defs/JavascriptYarnLockEntry" + }, + { + "$ref": "#/$defs/LinuxKernelArchive" + }, + { + "$ref": "#/$defs/LinuxKernelModule" + }, + { + "$ref": "#/$defs/LuarocksPackage" + }, + { + "$ref": "#/$defs/MicrosoftKbPatch" + }, + { + "$ref": "#/$defs/NixStoreEntry" + }, + { + "$ref": "#/$defs/OpamPackage" + }, + { + "$ref": "#/$defs/PhpComposerInstalledEntry" + }, + { + "$ref": "#/$defs/PhpComposerLockEntry" + }, + { + "$ref": "#/$defs/PhpPeclEntry" + }, + { + "$ref": "#/$defs/PortageDbEntry" + }, + { + "$ref": "#/$defs/PythonPackage" + }, + { + "$ref": "#/$defs/PythonPipRequirementsEntry" + }, + { + "$ref": "#/$defs/PythonPipfileLockEntry" + }, + { + "$ref": "#/$defs/PythonPoetryLockEntry" + }, + { + "$ref": "#/$defs/RDescription" + }, + { + "$ref": "#/$defs/RpmArchive" + }, + { + "$ref": "#/$defs/RpmDbEntry" + }, + { + "$ref": "#/$defs/RubyGemspec" + }, + { + "$ref": "#/$defs/RustCargoAuditEntry" + }, + { + "$ref": "#/$defs/RustCargoLockEntry" + }, + { + "$ref": "#/$defs/SwiftPackageManagerLockEntry" + }, + { + "$ref": "#/$defs/SwiplpackPackage" + }, + { + "$ref": "#/$defs/WordpressPluginEntry" + } + ] + } + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "foundBy", + "locations", + "licenses", + "language", + "cpes", + "purl" + ] + }, + "PhpComposerAuthors": { + "properties": { + "name": { + "type": "string" + }, + "email": { + "type": "string" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name" + ] + }, + "PhpComposerExternalReference": { + "properties": { + "type": { + "type": "string" + }, + "url": { + "type": "string" + }, + "reference": { + "type": "string" + }, + "shasum": { + "type": "string" + } + }, + "type": "object", + "required": [ + "type", + "url", + "reference" + ] + }, + "PhpComposerInstalledEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpComposerLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "dist": { + "$ref": "#/$defs/PhpComposerExternalReference" + }, + "require": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "provide": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "require-dev": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "suggest": { + "patternProperties": { + ".*": { + "type": "string" + } + }, + "type": "object" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "type": "string" + }, + "notification-url": { + "type": "string" + }, + "bin": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "$ref": "#/$defs/PhpComposerAuthors" + }, + "type": "array" + }, + "description": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "keywords": { + "items": { + "type": "string" + }, + "type": "array" + }, + "time": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "dist" + ] + }, + "PhpPeclEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "license": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "PortageDbEntry": { + "properties": { + "installedSize": { + "type": "integer" + }, + "files": { + "items": { + "$ref": "#/$defs/PortageFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "installedSize", + "files" + ] + }, + "PortageFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/Digest" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonDirectURLOriginInfo": { + "properties": { + "url": { + "type": "string" + }, + "commitId": { + "type": "string" + }, + "vcs": { + "type": "string" + } + }, + "type": "object", + "required": [ + "url" + ] + }, + "PythonFileDigest": { + "properties": { + "algorithm": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "algorithm", + "value" + ] + }, + "PythonFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "digest": { + "$ref": "#/$defs/PythonFileDigest" + }, + "size": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path" + ] + }, + "PythonPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "files": { + "items": { + "$ref": "#/$defs/PythonFileRecord" + }, + "type": "array" + }, + "sitePackagesRootPath": { + "type": "string" + }, + "topLevelPackages": { + "items": { + "type": "string" + }, + "type": "array" + }, + "directUrlOrigin": { + "$ref": "#/$defs/PythonDirectURLOriginInfo" + }, + "requiresPython": { + "type": "string" + }, + "requiresDist": { + "items": { + "type": "string" + }, + "type": "array" + }, + "providesExtra": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "platform", + "sitePackagesRootPath" + ] + }, + "PythonPipRequirementsEntry": { + "properties": { + "name": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + }, + "versionConstraint": { + "type": "string" + }, + "url": { + "type": "string" + }, + "markers": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "versionConstraint" + ] + }, + "PythonPipfileLockEntry": { + "properties": { + "hashes": { + "items": { + "type": "string" + }, + "type": "array" + }, + "index": { + "type": "string" + } + }, + "type": "object", + "required": [ + "hashes", + "index" + ] + }, + "PythonPoetryLockDependencyEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "optional": { + "type": "boolean" + }, + "markers": { + "type": "string" + }, + "extras": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "optional" + ] + }, + "PythonPoetryLockEntry": { + "properties": { + "index": { + "type": "string" + }, + "dependencies": { + "items": { + "$ref": "#/$defs/PythonPoetryLockDependencyEntry" + }, + "type": "array" + }, + "extras": { + "items": { + "$ref": "#/$defs/PythonPoetryLockExtraEntry" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "index", + "dependencies" + ] + }, + "PythonPoetryLockExtraEntry": { + "properties": { + "name": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "dependencies" + ] + }, + "RDescription": { + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "author": { + "type": "string" + }, + "maintainer": { + "type": "string" + }, + "url": { + "items": { + "type": "string" + }, + "type": "array" + }, + "repository": { + "type": "string" + }, + "built": { + "type": "string" + }, + "needsCompilation": { + "type": "boolean" + }, + "imports": { + "items": { + "type": "string" + }, + "type": "array" + }, + "depends": { + "items": { + "type": "string" + }, + "type": "array" + }, + "suggests": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "Relationship": { + "properties": { + "parent": { + "type": "string" + }, + "child": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "parent", + "child", + "type" + ] + }, + "RpmArchive": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmDbEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "epoch": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "architecture": { + "type": "string" + }, + "release": { + "type": "string" + }, + "sourceRpm": { + "type": "string" + }, + "size": { + "type": "integer" + }, + "vendor": { + "type": "string" + }, + "modularityLabel": { + "type": "string" + }, + "provides": { + "items": { + "type": "string" + }, + "type": "array" + }, + "requires": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "$ref": "#/$defs/RpmFileRecord" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "epoch", + "architecture", + "release", + "sourceRpm", + "size", + "vendor", + "files" + ] + }, + "RpmFileRecord": { + "properties": { + "path": { + "type": "string" + }, + "mode": { + "type": "integer" + }, + "size": { + "type": "integer" + }, + "digest": { + "$ref": "#/$defs/Digest" + }, + "userName": { + "type": "string" + }, + "groupName": { + "type": "string" + }, + "flags": { + "type": "string" + } + }, + "type": "object", + "required": [ + "path", + "mode", + "size", + "digest", + "userName", + "groupName", + "flags" + ] + }, + "RubyGemspec": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "authors": { + "items": { + "type": "string" + }, + "type": "array" + }, + "homepage": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version" + ] + }, + "RustCargoAuditEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source" + ] + }, + "RustCargoLockEntry": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "source": { + "type": "string" + }, + "checksum": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "source", + "checksum", + "dependencies" + ] + }, + "Schema": { + "properties": { + "version": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object", + "required": [ + "version", + "url" + ] + }, + "Source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "type": { + "type": "string" + }, + "metadata": true + }, + "type": "object", + "required": [ + "id", + "name", + "version", + "type", + "metadata" + ] + }, + "SwiftPackageManagerLockEntry": { + "properties": { + "revision": { + "type": "string" + } + }, + "type": "object", + "required": [ + "revision" + ] + }, + "SwiplpackPackage": { + "properties": { + "name": { + "type": "string" + }, + "version": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorEmail": { + "type": "string" + }, + "packager": { + "type": "string" + }, + "packagerEmail": { + "type": "string" + }, + "homepage": { + "type": "string" + }, + "dependencies": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "required": [ + "name", + "version", + "author", + "authorEmail", + "packager", + "packagerEmail", + "homepage", + "dependencies" + ] + }, + "WordpressPluginEntry": { + "properties": { + "pluginInstallDirectory": { + "type": "string" + }, + "author": { + "type": "string" + }, + "authorUri": { + "type": "string" + } + }, + "type": "object", + "required": [ + "pluginInstallDirectory" + ] + }, + "cpes": { + "items": { + "$ref": "#/$defs/CPE" + }, + "type": "array" + }, + "licenses": { + "items": { + "$ref": "#/$defs/License" + }, + "type": "array" + } + } +} diff --git a/schema/json/schema-latest.json b/schema/json/schema-latest.json index b56168ec1be..936582e2d22 100644 --- a/schema/json/schema-latest.json +++ b/schema/json/schema-latest.json @@ -1,6 +1,6 @@ { "$schema": "https://json-schema.org/draft/2020-12/schema", - "$id": "anchore.io/schema/syft/json/16.0.17/document", + "$id": "anchore.io/schema/syft/json/16.0.18/document", "$ref": "#/$defs/Document", "$defs": { "AlpmDbEntry": { diff --git a/syft/pkg/cataloger/javascript/parse_package_json.go b/syft/pkg/cataloger/javascript/parse_package_json.go index 1a3fb3d20fd..5213032cf30 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json.go +++ b/syft/pkg/cataloger/javascript/parse_package_json.go @@ -11,7 +11,6 @@ import ( "github.com/mitchellh/mapstructure" "github.com/anchore/syft/internal" - "github.com/anchore/syft/internal/log" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -64,11 +63,8 @@ func parsePackageJSON(_ context.Context, _ file.Resolver, _ *generic.Environment return nil, nil, fmt.Errorf("failed to parse package.json file: %w", err) } - if !p.hasNameAndVersionValues() { - log.Debugf("encountered package.json file without a name and/or version field, ignoring (path=%q)", reader.Path()) - return nil, nil, fmt.Errorf("skipping package.json with insufficient package information: name: '%s', version: '%s'", p.Name, p.Version) - } - + // always create a package, regardless of having a valid name and/or version, + // a compliance filter later will remove these packages based on compliance rules pkgs = append( pkgs, newPackageJSONPackage(p, reader.Location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)), @@ -203,10 +199,6 @@ func licensesFromJSON(b []byte) ([]npmPackageLicense, error) { return nil, errors.New("unmarshal failed") } -func (p packageJSON) hasNameAndVersionValues() bool { - return p.Name != "" && p.Version != "" -} - // this supports both windows and unix paths var filepathSeparator = regexp.MustCompile(`[\\/]`) diff --git a/syft/pkg/cataloger/javascript/parse_package_json_test.go b/syft/pkg/cataloger/javascript/parse_package_json_test.go index 74c9a0b7470..d4afc8911bc 100644 --- a/syft/pkg/cataloger/javascript/parse_package_json_test.go +++ b/syft/pkg/cataloger/javascript/parse_package_json_test.go @@ -199,7 +199,18 @@ func Test_corruptPackageJSON(t *testing.T) { func TestParsePackageJSON_Partial(t *testing.T) { // see https://github.com/anchore/syft/issues/311 const fixtureFile = "test-fixtures/pkg-json/package-partial.json" - pkgtest.TestFileParser(t, fixtureFile, parsePackageJSON, nil, nil) + // raise package.json files as packages with any information we find, these will be filtered out + // according to compliance rules later + expectedPkgs := []pkg.Package{ + { + Language: pkg.JavaScript, + Type: pkg.NpmPkg, + PURL: packageURL("", ""), + Metadata: pkg.NpmPackage{}, + Locations: file.NewLocationSet(file.NewLocation(fixtureFile)), + }, + } + pkgtest.TestFileParser(t, fixtureFile, parsePackageJSON, expectedPkgs, nil) } func Test_pathContainsNodeModulesDirectory(t *testing.T) { From e9f506026d6b9eac0f984cda5f0bffbfdb581d06 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Mon, 7 Oct 2024 15:32:53 -0400 Subject: [PATCH 51/51] remove unknown usage from elf security feature cataloger Signed-off-by: Alex Goodman --- syft/file/cataloger/executable/elf.go | 57 +++++++++---------- syft/file/cataloger/executable/elf_test.go | 46 +-------------- .../test-fixtures/elf/project/Makefile | 9 +-- 3 files changed, 29 insertions(+), 83 deletions(-) diff --git a/syft/file/cataloger/executable/elf.go b/syft/file/cataloger/executable/elf.go index 1d9e5853fbe..b9d2205cfa5 100644 --- a/syft/file/cataloger/executable/elf.go +++ b/syft/file/cataloger/executable/elf.go @@ -31,24 +31,24 @@ func findELFFeatures(data *file.Executable, reader unionreader.UnionReader) erro } data.ImportedLibraries = libs - data.ELFSecurityFeatures = findELFSecurityFeatures(&err, f) + data.ELFSecurityFeatures = findELFSecurityFeatures(f) data.HasEntrypoint = elfHasEntrypoint(f) - data.HasExports = elfHasExports(&err, f) + data.HasExports = elfHasExports(f) return err } -func findELFSecurityFeatures(errs *error, f *elf.File) *file.ELFSecurityFeatures { +func findELFSecurityFeatures(f *elf.File) *file.ELFSecurityFeatures { return &file.ELFSecurityFeatures{ SymbolTableStripped: isElfSymbolTableStripped(f), - StackCanary: checkElfStackCanary(errs, f), + StackCanary: checkElfStackCanary(f), NoExecutable: checkElfNXProtection(f), - RelocationReadOnly: checkElfRelROProtection(errs, f), - PositionIndependentExecutable: isELFPIE(errs, f), + RelocationReadOnly: checkElfRelROProtection(f), + PositionIndependentExecutable: isELFPIE(f), DynamicSharedObject: isELFDSO(f), - LlvmSafeStack: checkLLVMSafeStack(errs, f), - LlvmControlFlowIntegrity: checkLLVMControlFlowIntegrity(errs, f), - ClangFortifySource: checkClangFortifySource(errs, f), + LlvmSafeStack: checkLLVMSafeStack(f), + LlvmControlFlowIntegrity: checkLLVMControlFlowIntegrity(f), + ClangFortifySource: checkClangFortifySource(f), } } @@ -56,15 +56,14 @@ func isElfSymbolTableStripped(file *elf.File) bool { return file.Section(".symtab") == nil } -func checkElfStackCanary(errs *error, file *elf.File) *bool { - return hasAnyDynamicSymbols(errs, file, "__stack_chk_fail", "__stack_chk_guard") +func checkElfStackCanary(file *elf.File) *bool { + return hasAnyDynamicSymbols(file, "__stack_chk_fail", "__stack_chk_guard") } -func hasAnyDynamicSymbols(errs *error, file *elf.File, symbolNames ...string) *bool { +func hasAnyDynamicSymbols(file *elf.File, symbolNames ...string) *bool { dynSyms, err := file.DynamicSymbols() if err != nil { log.WithFields("error", err).Trace("unable to read dynamic symbols from elf file") - *errs = unknown.Joinf(*errs, "unable to read dynamic symbols from elf file: %w", err) return nil } @@ -94,10 +93,10 @@ func checkElfNXProtection(file *elf.File) bool { return false } -func checkElfRelROProtection(errs *error, f *elf.File) file.RelocationReadOnly { +func checkElfRelROProtection(f *elf.File) file.RelocationReadOnly { // background on relro https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro hasRelro := false - hasBindNow := hasBindNowDynTagOrFlag(errs, f) + hasBindNow := hasBindNowDynTagOrFlag(f) for _, prog := range f.Progs { if prog.Type == elf.PT_GNU_RELRO { @@ -116,7 +115,7 @@ func checkElfRelROProtection(errs *error, f *elf.File) file.RelocationReadOnly { } } -func hasBindNowDynTagOrFlag(errs *error, f *elf.File) bool { +func hasBindNowDynTagOrFlag(f *elf.File) bool { if hasElfDynTag(f, elf.DT_BIND_NOW) { // support older binaries... return true @@ -124,14 +123,13 @@ func hasBindNowDynTagOrFlag(errs *error, f *elf.File) bool { // "DT_BIND_NOW ... use has been superseded by the DF_BIND_NOW flag" // source: https://refspecs.linuxbase.org/elf/gabi4+/ch5.dynamic.html - return hasElfDynFlag(errs, f, elf.DF_BIND_NOW) + return hasElfDynFlag(f, elf.DF_BIND_NOW) } -func hasElfDynFlag(errs *error, f *elf.File, flag elf.DynFlag) bool { +func hasElfDynFlag(f *elf.File, flag elf.DynFlag) bool { vals, err := f.DynValue(elf.DT_FLAGS) if err != nil { log.WithFields("error", err).Trace("unable to read DT_FLAGS from elf file") - *errs = unknown.Joinf(*errs, "unable to read DT_FLAGS from elf file: %w", err) return false } for _, val := range vals { @@ -142,11 +140,10 @@ func hasElfDynFlag(errs *error, f *elf.File, flag elf.DynFlag) bool { return false } -func hasElfDynFlag1(errs *error, f *elf.File, flag elf.DynFlag1) bool { +func hasElfDynFlag1(f *elf.File, flag elf.DynFlag1) bool { vals, err := f.DynValue(elf.DT_FLAGS_1) if err != nil { log.WithFields("error", err).Trace("unable to read DT_FLAGS_1 from elf file") - *errs = unknown.Joinf(*errs, "unable to read DT_FLAGS_1 from elf file: %w", err) return false } for _, val := range vals { @@ -186,26 +183,25 @@ func hasElfDynTag(f *elf.File, tag elf.DynTag) bool { return false } -func isELFPIE(errs *error, f *elf.File) bool { +func isELFPIE(f *elf.File) bool { // being a shared object is not sufficient to be a PIE, the explicit flag must be set also - return isELFDSO(f) && hasElfDynFlag1(errs, f, elf.DF_1_PIE) + return isELFDSO(f) && hasElfDynFlag1(f, elf.DF_1_PIE) } func isELFDSO(f *elf.File) bool { return f.Type == elf.ET_DYN } -func checkLLVMSafeStack(errs *error, file *elf.File) *bool { +func checkLLVMSafeStack(file *elf.File) *bool { // looking for the presence of https://github.com/microsoft/compiler-rt/blob/30b3b8cb5c9a0854f2f40f187c6f6773561a35f2/lib/safestack/safestack.cc#L207 - return hasAnyDynamicSymbols(errs, file, "__safestack_init") + return hasAnyDynamicSymbols(file, "__safestack_init") } -func checkLLVMControlFlowIntegrity(errs *error, file *elf.File) *bool { +func checkLLVMControlFlowIntegrity(file *elf.File) *bool { // look for any symbols that are functions and end with ".cfi" dynSyms, err := file.Symbols() if err != nil { log.WithFields("error", err).Trace("unable to read symbols from elf file") - *errs = unknown.Joinf(*errs, "unable to read symbols from elf file: %w", err) return nil } @@ -223,11 +219,10 @@ func isFunction(sym elf.Symbol) bool { var fortifyPattern = regexp.MustCompile(`__\w+_chk@.+`) -func checkClangFortifySource(errs *error, file *elf.File) *bool { +func checkClangFortifySource(file *elf.File) *bool { dynSyms, err := file.Symbols() if err != nil { log.WithFields("error", err).Trace("unable to read symbols from elf file") - *errs = unknown.Joinf(*errs, "unable to read symbols from elf file: %w", err) return nil } @@ -245,7 +240,7 @@ func elfHasEntrypoint(f *elf.File) bool { return f.Entry > 0 } -func elfHasExports(errs *error, f *elf.File) bool { +func elfHasExports(f *elf.File) bool { // this is akin to: // nm -D --defined-only ./path/to/bin | grep ' T \| W \| B ' // where: @@ -255,7 +250,7 @@ func elfHasExports(errs *error, f *elf.File) bool { // really anything that is not marked with 'U' (undefined) is considered an export. symbols, err := f.DynamicSymbols() if err != nil { - *errs = unknown.Joinf(*errs, "unable to get ELF dynamic symbols: %w", err) + log.WithFields("error", err).Trace("unable to get ELF dynamic symbols") return false } diff --git a/syft/file/cataloger/executable/elf_test.go b/syft/file/cataloger/executable/elf_test.go index 12212b1c894..fd3536cca60 100644 --- a/syft/file/cataloger/executable/elf_test.go +++ b/syft/file/cataloger/executable/elf_test.go @@ -4,7 +4,6 @@ import ( "debug/elf" "os" "path/filepath" - "strings" "testing" "github.com/google/go-cmp/cmp" @@ -12,7 +11,6 @@ import ( "github.com/stretchr/testify/require" "github.com/anchore/syft/syft/file" - "github.com/anchore/syft/syft/internal/fileresolver" "github.com/anchore/syft/syft/internal/unionreader" ) @@ -152,9 +150,7 @@ func Test_findELFSecurityFeatures(t *testing.T) { f, err := elf.NewFile(readerForFixture(t, tt.fixture)) require.NoError(t, err) - var errs error - got := findELFSecurityFeatures(&errs, f) - require.NoError(t, errs) + got := findELFSecurityFeatures(f) if d := cmp.Diff(tt.want, got); d != "" { t.Errorf("findELFSecurityFeatures() mismatch (-want +got):\n%s", d) @@ -225,46 +221,8 @@ func Test_elfHasExports(t *testing.T) { t.Run(tt.name, func(t *testing.T) { f, err := elf.NewFile(readerForFixture(t, tt.fixture)) require.NoError(t, err) - assert.Equal(t, tt.want, elfHasExports(&err, f)) + assert.Equal(t, tt.want, elfHasExports(f)) require.NoError(t, err) }) } } - -func Test_elfUnknowns(t *testing.T) { - tests := []struct { - name string - fixture string - wantErr require.ErrorAssertionFunc - }{ - { - name: "unknown truncated", - fixture: "test-fixtures/elf/bin/with_pie_bad", - wantErr: func(t require.TestingT, err error, _ ...interface{}) { - require.ErrorContains(t, err, "unable to read dynamic symbols from elf file") - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - c := NewCataloger(DefaultConfig()) - resolver := newFileResolver(t, tt.fixture) - _, err := c.Catalog(resolver) - tt.wantErr(t, err) - }) - } -} - -func newFileResolver(t *testing.T, file string) *fileresolver.Directory { - t.Helper() - dir := filepath.Dir(file) - filename := filepath.Base(file) - resolver, err := fileresolver.NewFromDirectory(dir, "", func(_ string, path string, _ os.FileInfo, _ error) error { - if !strings.HasSuffix(path, filename) { - return fileresolver.ErrSkipPath - } - return nil - }) - require.NoError(t, err) - return resolver -} diff --git a/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile b/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile index 9bd16140c5b..17edd3f81b2 100644 --- a/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile +++ b/syft/file/cataloger/executable/test-fixtures/elf/project/Makefile @@ -37,11 +37,10 @@ LIB_SRC := lib.c BIN := ../bin BINS := $(BIN)/no_protection $(BIN)/with_nx $(BIN)/pie_false_positive.so $(BIN)/with_pie $(BIN)/with_canary $(BIN)/with_relro $(BIN)/with_partial_relro $(BIN)/with_rpath $(BIN)/with_runpath $(BIN)/with_safestack $(BIN)/with_cfi $(BIN)/with_fortify $(BIN)/protected -BADS := $(BIN)/with_pie_bad #.PHONY: verify $(BIN)/no_protection $(BIN)/with_nx $(BIN)/pie_false_positive.so $(BIN)/with_pie $(BIN)/with_canary $(BIN)/with_relro $(BIN)/with_partial_relro $(BIN)/with_rpath $(BIN)/with_runpath $(BIN)/with_safestack $(BIN)/with_cfi $(BIN)/with_fortify $(BIN)/protected .PHONY: verify clean all -all: $(BINS) $(BADS) +all: $(BINS) $(BIN)/no_protection : $(SRC) @@ -57,12 +56,6 @@ $(BIN)/pie_false_positive.so: $(LIB_SRC) $(BIN)/with_pie: $(SRC) gcc $< -o $@ $(GCCFLAGS) $(NO_CANARY) $(NO_NX) $(NO_RELRO) $(PIE) -$(BIN)/with_pie_bad: $(BIN)/with_pie - # original size: 18688 - cp $(BIN)/with_pie $(BIN)/with_pie_bad - dd if=/dev/zero of=$(BIN)/with_pie_bad bs=100 count=170 seek=16 conv=notrunc - chmod +x $(BIN)/with_pie_bad - $(BIN)/with_canary: $(SRC) gcc $< -o $@ $(GCCFLAGS) $(CANARY) $(NO_NX) $(NO_RELRO) $(NO_PIE)