diff --git a/.binny.yaml b/.binny.yaml index 5366b9a880f..2b2abad3b99 100644 --- a/.binny.yaml +++ b/.binny.yaml @@ -103,7 +103,7 @@ tools: # used for running all local and CI tasks - name: task version: - want: v3.40.0 + want: v3.40.1 method: github-release with: repo: go-task/task @@ -111,7 +111,7 @@ tools: # used for triggering a release - name: gh version: - want: v2.63.1 + want: v2.63.2 method: github-release with: repo: cli/cli @@ -119,7 +119,7 @@ tools: # used to upload test fixture cache - name: oras version: - want: v1.2.0 + want: v1.2.1 method: github-release with: repo: oras-project/oras @@ -127,7 +127,7 @@ tools: # used to upload test fixture cache - name: yq version: - want: v4.44.5 + want: v4.44.6 method: github-release with: repo: mikefarah/yq diff --git a/.github/workflows/benchmark-testing.yaml b/.github/workflows/benchmark-testing.yaml index 4d979044963..f410ab42af4 100644 --- a/.github/workflows/benchmark-testing.yaml +++ b/.github/workflows/benchmark-testing.yaml @@ -23,7 +23,7 @@ jobs: uses: ./.github/actions/bootstrap - name: Restore base benchmark result - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2 + uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0 with: path: test/results/benchmark-main.txt # use base sha for PR or new commit hash for main push in benchmark result key diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml index f370f5dde5a..ca2700c92ea 100644 --- a/.github/workflows/validations.yaml +++ b/.github/workflows/validations.yaml 
@@ -78,7 +78,7 @@ jobs: # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach). # see https://github.com/actions/upload-artifact/issues/199 for more info - name: Upload snapshot artifacts - uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2 + uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0 with: # we need to preserve the snapshot data itself as well as the task data that confirms if the # snapshot build is stale or not. Otherwise the downstream jobs will attempt to rebuild the snapshot @@ -104,7 +104,7 @@ jobs: - name: Download snapshot build id: snapshot-cache - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0 with: path: | snapshot @@ -152,7 +152,7 @@ jobs: - name: Download snapshot build id: snapshot-cache - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0 with: path: | snapshot @@ -187,7 +187,7 @@ jobs: - name: Download snapshot build id: snapshot-cache - uses: actions/cache/restore@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2 + uses: actions/cache/restore@1bd1e32a3bdc45362d1e726936510720a7c30a57 #v4.2.0 with: path: | snapshot diff --git a/DEVELOPING.md b/DEVELOPING.md index 5dd88e2746e..fd14963dfd5 100644 --- a/DEVELOPING.md +++ b/DEVELOPING.md 
@@ -367,11 +367,11 @@ package under test and should always be updated by invoking `go test` on the spe update flag provided. Many of the `Format` tests make use of this approach, where the raw SBOM report is saved in the repo and the test -compares that SBOM with what is generated from the latest presenter code. For instance, at the time of this writing -the CycloneDX presenter snapshots can be updated by running: +compares that SBOM with what is generated from the latest presenter code. The following command can be used to +update the golden files for the various snapshot tests: ```bash -go test ./internal/formats -update-cyclonedx +make update-format-golden-files ``` These flags are defined at the top of the test files that have tests that use the snapshot files. diff --git a/Taskfile.yaml b/Taskfile.yaml index 5e7f2c000ee..248e2c8ee74 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -191,6 +191,14 @@ tasks: ## Testing tasks ################################# + update-format-golden-files: + desc: "Update golden (i.e. snapshot) files used by unit tests" + cmds: + - go test ./syft/format/spdxjson -update-spdx-json + - go test ./syft/format/spdxtagvalue -update-spdx-tv + - go test ./syft/format/cyclonedxxml -update-cyclonedx-xml + - go test ./syft/format/cyclonedxjson -update-cyclonedx-json + - go test ./syft/format/syftjson -update-json unit: desc: Run unit tests diff --git a/go.mod b/go.mod index 976fb30a383..8b2683b4b6a 100644 --- a/go.mod +++ b/go.mod @@ -79,7 +79,7 @@ require ( github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1 go.uber.org/goleak v1.3.0 golang.org/x/mod v0.22.0 - golang.org/x/net v0.31.0 + golang.org/x/net v0.32.0 gopkg.in/yaml.v3 v3.0.1 modernc.org/sqlite v1.34.2 ) @@ -90,7 +90,7 @@ require ( github.com/BurntSushi/toml v1.4.0 github.com/OneOfOne/xxhash v1.2.8 github.com/adrg/xdg v0.5.3 - github.com/magiconair/properties v1.8.7 + github.com/magiconair/properties v1.8.9 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 ) 
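Review bot: The golden files this commit adds under syft/format/internal/testutil/test-fixtures/snapshot/ are not refreshed by any of the five commands in the new update-format-golden-files task, and the new TestSPDXJSONImageEncoder.golden there carries blob 737aed46893, the pre-change blob of the spdxjson golden of the same name — which looks like a stale by-product of an earlier update run rather than a fixture the task maintains. Worth confirming those files are meant to be tracked; if the testutil package's own tests do write goldens, add a matching `- go test ./syft/format/internal/testutil -update-<FLAG>` (flag name taken from that test file) so the task stays the single entry point. Separately, DEVELOPING.md in this commit tells readers to run `make update-format-golden-files` while this is a Taskfile task; that only works if a Makefile not shown here forwards targets to `task`, otherwise the doc should say `task update-format-golden-files`.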
@@ -231,11 +231,11 @@ require ( go.opentelemetry.io/otel/trace v1.24.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect - golang.org/x/crypto v0.29.0 // indirect - golang.org/x/sync v0.9.0 // indirect - golang.org/x/sys v0.27.0 // indirect - golang.org/x/term v0.26.0 // indirect - golang.org/x/text v0.20.0 // indirect + golang.org/x/crypto v0.30.0 // indirect + golang.org/x/sync v0.10.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect google.golang.org/grpc v1.62.1 // indirect diff --git a/go.sum b/go.sum index 7ef2831eccc..bb85de1d8f8 100644 --- a/go.sum +++ b/go.sum @@ -527,8 +527,8 @@ github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= -github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= -github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= +github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM= +github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo= github.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= 
@@ -867,8 +867,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ= -golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg= +golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY= +golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -953,8 +953,8 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= -golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= +golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI= +golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -984,8 +984,8 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ= -golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -1061,12 +1061,12 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s= -golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.26.0 h1:WEQa6V3Gja/BhNxg540hBip/kkaYtRg3cxg4oXSw4AU= -golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1077,8 +1077,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug= -golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
index 2802bf61218..a394666a94b 100644
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@@ -248,6 +248,7 @@ func toRootPackage(s source.Description) *spdx.Package {
 PackageSupplier: &spdx.Supplier{
 Supplier: helpers.NOASSERTION,
 },
+ PackageCopyrightText: helpers.NOASSERTION,
 PackageDownloadLocation: helpers.NOASSERTION,
 PackageLicenseConcluded: helpers.NOASSERTION,
 PackageLicenseDeclared: helpers.NOASSERTION,
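Review bot: The new `PackageCopyrightText: helpers.NOASSERTION` line in toRootPackage carries no comment saying why a fixed value is emitted, while the sibling toFiles literal marks the equivalent field with `// required in SPDX 2.2`; add `// required in SPDX 2.2, no attempt made to determine copyright information` above the new line so the next reader does not try to populate it from source metadata. The golden updates in this commit (TestSPDX22JSONRequredProperties.golden) show the previously serialized value was `""`; NOASSERTION is the value the format provides for exactly this "not determined" case, so the change itself is right. toRootPackage begins before and ends after this hunk.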
@@ -638,10 +639,11 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 FileSPDXIdentifier: toSPDXID(coordinates),
 FileComment: comment,
 // required, no attempt made to determine license information
- LicenseConcluded: noAssertion,
- Checksums: toFileChecksums(digests),
- FileName: relativePath,
- FileTypes: toFileTypes(metadata),
+ LicenseConcluded: noAssertion,
+ FileCopyrightText: noAssertion,
+ Checksums: toFileChecksums(digests),
+ FileName: relativePath,
+ FileTypes: toFileTypes(metadata),
 LicenseInfoInFiles: []string{ // required in SPDX 2.2
 helpers.NOASSERTION,
 },
diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
new file mode 100644
index 00000000000..737aed46893
--- /dev/null
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
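Review bot: The existing comment `// required, no attempt made to determine license information` now sits directly above the block that also carries the new `FileCopyrightText: noAssertion`, so it no longer describes everything beneath it; either widen it to `// required, no attempt made to determine license or copyright information` or place the new field below Checksums with its own one-line comment. A style nit in the same literal: LicenseConcluded and FileCopyrightText use the local `noAssertion` while LicenseInfoInFiles uses `helpers.NOASSERTION` two lines later — if noAssertion is just an alias for the helper constant (its definition is outside the hunk), one spelling would read better. toFiles begins before and ends after this hunk.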
@@ -0,0 +1,106 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "user-image-input", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-v0.42.0-bogus" + ], + "created":"redacted" + }, + "packages": [ + { + "name": "package-1", + "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "versionInfo": "1.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "a-purl-1" + } + ] + }, + { + "name": "package-2", + "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "versionInfo": "2.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1" + } + ] + }, + { + "name": "user-image-input", + "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input", + "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": 
false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=" + } + ], + "primaryPackagePurpose": "CONTAINER" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden new file mode 100644 index 00000000000..91df6366f1c --- /dev/null +++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden 
@@ -0,0 +1,246 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "user-image-input", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-v0.42.0-bogus" + ], + "created":"redacted" + }, + "packages": [ + { + "name": "package-1", + "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "versionInfo": "1.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "a-purl-1" + } + ] + }, + { + "name": "package-2", + "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "versionInfo": "2.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1" + } + ] + }, + { + "name": "user-image-input", + "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input", + "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": 
false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=" + } + ], + "primaryPackagePurpose": "CONTAINER" + } + ], + "files": [ + { + "fileName": "/a1/f6", + "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/d1/f3", + "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/d2/f4", + "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/f1", + "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/f2", + "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd", + "fileTypes": [ + "OTHER" + 
], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/z1/f5", + "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + 
"relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 88814632962..90b0e78e6bd 100644 Binary files a/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden index 118247b1dc0..8614a8c6d1e 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden @@ -48,7 +48,7 @@ }, { "SPDXID": "SPDXRef-DocumentRoot-Unknown-", - "copyrightText": "", + "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", @@ -71,7 +71,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "", + "copyrightText": "NOASSERTION", "comment": "layerID: ac897d978b6c38749a1" } ], diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index 35433f6f547..6298e796a7f 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -69,6 +69,7 @@ "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "primaryPackagePurpose": "FILE" } ], 
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 737aed46893..f2c43a5efcf 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -76,6 +76,7 @@ ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 54533ae4ccf..138166baa28 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -76,6 +76,7 @@ ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -103,7 +104,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/d1/f3", @@ -121,7 +122,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/d2/f4", @@ -139,7 +140,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/f1", @@ -157,7 +158,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/f2", @@ -175,7 +176,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/z1/f5", @@ -193,7 +194,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" } ], "relationships": [ 
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index dd946aa235b..626f0ea53d2 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -18,6 +18,7 @@ PrimaryPackagePurpose: FILE FilesAnalyzed: false PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ##### Package: @at-sign diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 75cab71eb79..ac7a8585dcf 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -16,6 +16,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /d1/f3 SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f @@ -23,6 +24,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /d2/f4 SPDXID: SPDXRef-File-d2-f4-c641caa71518099f @@ -30,6 +32,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /f1 SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c @@ -37,6 +40,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /f2 SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd 
@@ -44,6 +48,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /z1/f5 SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 @@ -51,6 +56,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION ##### Package: user-image-input @@ -64,6 +70,7 @@ FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2 diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index bccd8acc0f2..77a52d6f30f 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -18,6 +18,7 @@ PrimaryPackagePurpose: FILE FilesAnalyzed: false PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ##### Package: package-2 diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index c93fb63298f..8818fda7ae4 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden 
@@ -20,6 +20,7 @@ FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2 diff --git a/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden b/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden index f013f2026a0..5168d855cdc 100644 --- a/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden +++ b/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden @@ -9,7 +9,7 @@ "locations": [ { "path": "/somefile-1.txt", - "layerID": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f", + "layerID": "sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45", "accessPath": "/somefile-1.txt" } ], @@ -49,7 +49,7 @@ "locations": [ { "path": "/somefile-2.txt", - "layerID": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb", + "layerID": "sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c", "accessPath": "/somefile-2.txt" } ], 
@@ -77,13 +77,13 @@ ], "artifactRelationships": [], "source": { - "id": "34d40fdc6ca13e9a3fa18415db216b50bff047716fae7d95a225c09732fe83fb", + "id": "62d3f24eca2930d1ebfe6ee78ef47964fd8dc624b2e22886275facf322d1720a", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", "type": "image", "metadata": { "userInput": "user-image-input", - "imageID": "sha256:bf783ea304a3f02b5c7d2ece521800f5e2182e65ed5bb5116f578e17d6e82be4", + "imageID": "sha256:35a6658e24fab92eae9ec6fc252dec58986c4c007891758d4d37c7e43fbbe0c5", "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "tags": [ 
@@ -93,17 +93,17 @@ "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f", + "digest": "sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45", "size": 22 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb", + "digest": "sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c", "size": 16 } ], - "manifest": "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", - "config": "eyJhcmNoaXRlY3R1cmUiOiJhcm02NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjMtMDktMjhUMTI6MjM6MzUuNDAwNjcyODg1WiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIzLTA5LTI4VDEyOjIzOjM1LjM5Mzk4NjUxWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0xLnR4dCAvc29tZWZpbGUtMS50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn0seyJjcmVhdGVkIjoiMjAyMy0wOS0yOFQxMjoyMzozNS40MDA2NzI4ODVaIiwiY3JlYXRlZF9ieSI6IkFERCBmaWxlLTIudHh0IC9zb21lZmlsZS0yLnR4dCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifV0sIm9zIjoibGludXgiLCJyb290ZnMiOnsidHlwZSI6ImxheWVycyIsImRpZmZfaWRzIjpbInNoYTI1NjoxMDBkNWE1NWY5MDMyZmFlYWQyOGI3NDI3ZmEzZTY1MGU0ZjAxNThmODZlYTg5ZDA2ZTE0ODlkZjAwY2I4YzZmIiwic2hhMjU2OjAwMGZiOTIwMDg5MGQzYTE5MTM4NDc4YjIwMDIzMDIzYzBkY2UxYzU0MzUyMDA3YzI4NjM3MTY3ODBmMDQ5ZWIiXX19", + "manifest": 
"eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NTgsImRpZ2VzdCI6InNoYTI1NjozNWE2NjU4ZTI0ZmFiOTJlYWU5ZWM2ZmMyNTJkZWM1ODk4NmM0YzAwNzg5MTc1OGQ0ZDM3YzdlNDNmYmJlMGM1In0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjpkZmVmZTYxOGM4OWIwOGZlZjBmOWM3ZjFhMjY4MjUyMWRkZGJlMDNkNjY3OGY0YTlmYjliMDc4MzgxZDhlYjQ1In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjM4ZGRjMjg0N2ZiNmJjYWZkNzQwMWI0YmYyN2MxMDAxNGI1ZDYwZTI0MDBiYzE4ODg5MGM3Y2I3Y2RkN2NkNmMifV19", + "config": "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", "repoDigests": [], "architecture": "", "os": "" diff --git a/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden b/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden index 0c49cecc049..87504c73e12 100644 --- a/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden +++ b/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden @@ -1,11 +1,11 @@ [Image] Layer: 0 - Digest: sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f + Digest: sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45 Size: 22 MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip Layer: 1 - Digest: sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb + Digest: sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c Size: 16 MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip diff --git a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json index bd58ebb117e..24723d1bd90 100644 
--- a/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json +++ b/syft/pkg/cataloger/internal/cpegenerate/dictionary/data/cpe-index.json @@ -7055,6 +7055,9 @@ "aajoda-testimonials": [ "cpe:2.3:a:aajoda:aajoda_testimonials:*:*:*:*:*:wordpress:*:*" ], + "ab-categories-search-widget": [ + "cpe:2.3:a:agustinberasategui:ab_categories_search_widget:*:*:*:*:*:wordpress:*:*" + ], "ab-google-map-travel": [ "cpe:2.3:a:ab_google_map_travel_project:ab_google_map_travel:*:*:*:*:*:wordpress:*:*" ], @@ -7133,6 +7136,12 @@ "accommodation-system": [ "cpe:2.3:a:accommodation-system_project:accommodation-system:*:*:*:*:*:wordpress:*:*" ], + "accordion-image-menu": [ + "cpe:2.3:a:alaingonzalez:accordion_image_menu:*:*:*:*:*:wordpress:*:*" + ], + "accordion-title-for-elementor": [ + "cpe:2.3:a:migaweb:accordion_title_for_elementor:*:*:*:*:*:wordpress:*:*" + ], "accordions": [ "cpe:2.3:a:pickplugins:accordion:*:*:*:*:*:wordpress:*:*" ], @@ -7174,6 +7183,12 @@ "acf-to-rest-api": [ "cpe:2.3:a:acf_to_rest_api_project:acf_to_rest_api:*:*:*:*:*:wordpress:*:*" ], + "acl-floating-cart-for-woocommerce": [ + "cpe:2.3:a:amadercodelab:acl_floating_cart_for_woocommerce:*:*:*:*:*:wordpress:*:*" + ], + "acnoo-flutter-api": [ + "cpe:2.3:a:acnoo:flutter_api:*:*:*:*:*:wordpress:*:*" + ], "aco-product-labels-for-woocommerce": [ "cpe:2.3:a:acowebs:product_labels_for_woocommerce_\\(sale_badges\\):*:*:*:*:*:wordpress:*:*" ], @@ -7370,6 +7385,9 @@ "advanced-booking-calendar": [ "cpe:2.3:a:elbtide:advanced_booking_calendar:*:*:*:*:*:wordpress:*:*" ], + "advanced-category-and-custom-taxonomy-image": [ + "cpe:2.3:a:sajjadhsagor:advanced_category_and_custom_taxonomy_image:*:*:*:*:*:wordpress:*:*" + ], "advanced-category-template": [ "cpe:2.3:a:praveengoswami:advanced_category_template:*:*:*:*:*:wordpress:*:*" ], 
@@ -7454,6 +7472,9 @@ "affiliates-manager": [ "cpe:2.3:a:wpaffiliatemanager:affiliates_manager:*:*:*:*:*:wordpress:*:*" ], + "affiliatex": [ + "cpe:2.3:a:affiliatexblocks:affiliatex:*:*:*:*:*:wordpress:*:*" + ], "afterpay-gateway-for-woocommerce": [ "cpe:2.3:a:afterpay:afterpay_gateway_for_woocommerce:*:*:*:*:*:wordpress:*:*" ], @@ -7493,6 +7514,9 @@ "ajax-load-more": [ "cpe:2.3:a:connekthq:ajax_load_more:*:*:*:*:*:wordpress:*:*" ], + "ajax-load-more-anything": [ + "cpe:2.3:a:addonmaster:load_more_anything:*:*:*:*:*:wordpress:*:*" + ], "ajax-pagination": [ "cpe:2.3:a:ajax-pagination_project:ajax-pagination:*:*:*:*:*:wordpress:*:*" ], @@ -7619,6 +7643,9 @@ "amen": [ "cpe:2.3:a:amen_project:amen:*:*:*:*:*:*:wordpress:*" ], + "amilia-store": [ + "cpe:2.3:a:amilia:store:*:*:*:*:*:wordpress:*:*" + ], "amministrazione-aperta": [ "cpe:2.3:a:amministrazione_aperta_project:amministrazione_aperta:*:*:*:*:*:wordpress:*:*" ], @@ -7719,6 +7746,12 @@ "ap-pricing-tables-lite": [ "cpe:2.3:a:accesspressthemes:ap_pricing_tables_lite:*:*:*:*:*:wordpress:*:*" ], + "apa-banner-slider": [ + "cpe:2.3:a:apa:apa_banner_slider:*:*:*:*:*:wordpress:*:*" + ], + "apa-register-newsletter-form": [ + "cpe:2.3:a:apa:apa_register_newsletter_form:*:*:*:*:*:wordpress:*:*" + ], "apex-notification-bar-lite": [ "cpe:2.3:a:accesspressthemes:apex_notification_bar_lite:*:*:*:*:*:wordpress:*:*" ], @@ -9782,6 +9815,9 @@ "display-custom-post": [ "cpe:2.3:a:vikasvatsa:display_custom_post:*:*:*:*:*:wordpress:*:*" ], + "display-medium-posts": [ + "cpe:2.3:a:acekyd:display_medium_posts:*:*:*:*:*:wordpress:*:*" + ], "display-metadata": [ "cpe:2.3:a:display_post_meta\\,_term_meta\\,_comment_meta\\,_and_user_meta_project:display_post_meta\\,_term_meta\\,_comment_meta\\,_and_user_meta:*:*:*:*:*:wordpress:*:*" ], 
@@ -9812,12 +9848,18 @@ "dmsguestbook": [ "cpe:2.3:a:dmsguestbook_project:dmsguestbook:*:*:*:*:*:wordpress:*:*" ], + "dn-popup": [ + "cpe:2.3:a:digireturn:dn_popup:*:*:*:*:*:wordpress:*:*" + ], "document-emberdder": [ "cpe:2.3:a:bplugins:document_embedder:*:*:*:*:*:wordpress:*:*" ], "documentor-lite": [ "cpe:2.3:a:documentor_project:documentor:*:*:*:*:*:wordpress:*:*" ], + "documentpress-display-any-document-on-your-site": [ + "cpe:2.3:a:abdullahirfan:documentpress:*:*:*:*:*:wordpress:*:*" + ], "dofollow-case-by-case": [ "cpe:2.3:a:apasionados:dofollow_case_by_case:*:*:*:*:*:wordpress:*:*" ], @@ -10019,6 +10061,9 @@ "easy-custom-code": [ "cpe:2.3:a:web357:easy_custom_code:*:*:*:*:*:wordpress:*:*" ], + "easy-demo-importer": [ + "cpe:2.3:a:sigmadevs:easy_demo_importer:*:*:*:*:*:wordpress:*:*" + ], "easy-digital-downloads": [ "cpe:2.3:a:sandhillsdev:easy_digital_downloads:*:*:*:*:*:wordpress:*:*" ], @@ -10303,6 +10348,9 @@ "enable-media-replace": [ "cpe:2.3:a:shortpixel:enable_media_replace:*:*:*:*:*:wordpress:*:*" ], + "enable-shortcodes-inside-widgetscomments-and-experts": [ + "cpe:2.3:a:aftabhusain:enable_shortcodes_inside_widgets\\,comments_and_experts:*:*:*:*:*:wordpress:*:*" + ], "enable-svg": [ "cpe:2.3:a:room_34_creative_services:enable_svg:*:*:*:*:*:wordpress:*:*" ], @@ -10698,6 +10746,9 @@ "fgallery": [ "cpe:2.3:a:fgallery_project:fgallery:*:*:*:*:*:wordpress:*:*" ], + "fifthsegment-whitelist": [ + "cpe:2.3:a:abdullahirfan:whitelist:*:*:*:*:*:wordpress:*:*" + ], "file-away": [ "cpe:2.3:a:file_away_project:file_away:*:*:*:*:*:wordpress:*:*" ], @@ -10931,7 +10982,7 @@ ], "formidable": [ "cpe:2.3:a:strategy11:formidable_form_builder:*:*:*:*:*:wordpress:*:*", - "cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:*:wordpress:*:*" + "cpe:2.3:a:strategy11:formidable_forms:*:*:*:*:free:wordpress:*:*" ], "formidable-sms": [ "cpe:2.3:a:mediaburst:formidable:*:*:*:*:*:wordpress:*:*" 
@@ -11224,6 +11275,9 @@ "giveaway": [ "cpe:2.3:a:satollo:giveaway:*:*:*:*:*:wordpress:*:*" ], + "gixaw-chat": [ + "cpe:2.3:a:adeelraza:gixaw_chat:*:*:*:*:*:wordpress:*:*" + ], "glass": [ "cpe:2.3:a:codeblab:glass:*:*:*:*:*:wordpress:*:*" ], @@ -11579,6 +11633,9 @@ "honeypot-for-wp-comment": [ "cpe:2.3:a:prasidhdamalla:honeypot_for_wp_comment:*:*:*:*:*:wordpress:*:*" ], + "hoo-addons-for-elementor": [ + "cpe:2.3:a:hoosoft:hoo_addons_for_elementor:*:*:*:*:*:wordpress:*:*" + ], "horizontal-scrolling-announcement": [ "cpe:2.3:a:gopiplus:horizontal_scrolling_announcement:*:*:*:*:*:wordpress:*:*" ], @@ -11682,6 +11739,9 @@ "hungarian-pickup-points-for-woocommerce": [ "cpe:2.3:a:visztpeter:package_points_and_shipping_labels_for_woocommerce:*:*:*:*:*:wordpress:*:*" ], + "hunk-companion": [ + "cpe:2.3:a:themehunk:hunk_companion:*:*:*:*:*:wordpress:*:*" + ], "hyphenator": [ "cpe:2.3:a:benedictb\\/maciejgryniuk:hyphenator:*:*:*:*:*:wordpress:*:*" ], @@ -12368,6 +12428,9 @@ "learnpress": [ "cpe:2.3:a:thimpress:learnpress:*:*:*:*:*:wordpress:*:*" ], + "learnpress-import-export": [ + "cpe:2.3:a:thimpress:learnpress_export_import:*:*:*:*:*:wordpress:*:*" + ], "leenkme": [ "cpe:2.3:a:leenk:leenk.me:*:*:*:*:*:wordpress:*:*" ], @@ -12737,6 +12800,9 @@ "marmoset-viewer": [ "cpe:2.3:a:marmoset:marmoset_viewer:*:*:*:*:*:wordpress:*:*" ], + "marquee-elementor": [ + "cpe:2.3:a:anasedreesi:marquee_elementor_with_posts:*:*:*:*:*:wordpress:*:*" + ], "martins-link-network": [ "cpe:2.3:a:martinstools:free_\\\u0026_easy_link_building:*:*:*:*:*:wordpress:*:*" ], @@ -12846,6 +12912,9 @@ "megamenu": [ "cpe:2.3:a:megamenu:max_mega_menu:*:*:*:*:*:wordpress:*:*" ], + "mejorcluster": [ + "cpe:2.3:a:javierloureiro:el_mejor_cluster:*:*:*:*:*:wordpress:*:*" + ], "meks-audio-player": [ "cpe:2.3:a:mekshq:meks_audio_player:*:*:*:*:*:wordpress:*:*" ], 
@@ -13404,6 +13473,9 @@ "nmedia-user-file-uploader": [ "cpe:2.3:a:najeebmedia:frontend_file_manager_plugin:*:*:*:*:*:wordpress:*:*" ], + "nmr-strava-activities": [ + "cpe:2.3:a:mirceatm:nmr_strava_activities:*:*:*:*:*:wordpress:*:*" + ], "no-future-posts": [ "cpe:2.3:a:no_future_posts_project:no_future_posts:*:*:*:*:*:wordpress:*:*" ], @@ -13597,6 +13669,9 @@ "orbisius-child-theme-creator": [ "cpe:2.3:a:orbisius:child_theme_creator:*:*:*:*:*:wordpress:*:*" ], + "order-attachments-for-woocommerce": [ + "cpe:2.3:a:directsoftware:order_attachments_for_woocommerce:*:*:*:*:*:wordpress:*:*" + ], "order-auto-complete-for-woocommerce": [ "cpe:2.3:a:order_auto_complete_for_woocommerce_project:order_auto_complete_for_woocommerce:*:*:*:*:*:wordpress:*:*" ], @@ -13678,6 +13753,9 @@ "page-or-post-clone": [ "cpe:2.3:a:carlosfazenda:page_and_post_clone:*:*:*:*:*:wordpress:*:*" ], + "page-parts": [ + "cpe:2.3:a:benhuson:page_parts:*:*:*:*:*:wordpress:*:*" + ], "page-scroll-to-id": [ "cpe:2.3:a:page_scroll_to_id_project:page_scroll_to_id:*:*:*:*:*:wordpress:*:*" ], @@ -14861,6 +14939,9 @@ "rise-blocks": [ "cpe:2.3:a:eaglevisionit:rise_blocks:*:*:*:*:*:wordpress:*:*" ], + "risk-warning-bar": [ + "cpe:2.3:a:aliazlan:risk_warning_bar:*:*:*:*:*:wordpress:*:*" + ], "rk-responsive-contact-form": [ "cpe:2.3:a:rkdownload:rk-responsive-contact-form:*:*:*:*:*:wordpress:*:*" ], @@ -14956,6 +15037,9 @@ "salat-times": [ "cpe:2.3:a:salat_times_project:salat_times:*:*:*:*:*:wordpress:*:*" ], + "sales-page-addon": [ + "cpe:2.3:a:nicheaddons:sales_page_addon:*:*:*:*:*:wordpress:*:*" + ], "salesmanago": [ "cpe:2.3:a:salesmanago:salesmanago:*:*:*:*:*:wordpress:*:*" ], 
@@ -15075,6 +15159,9 @@ "select-all-categories-and-taxonomies-change-checkbox-to-radio-buttons": [ "cpe:2.3:a:mooveagency:select_all_categories_and_taxonomies\\,_change_checkbox_to_radio_buttons:*:*:*:*:*:wordpress:*:*" ], + "selection-lite": [ + "cpe:2.3:a:merkulove:selection_lite:*:*:*:*:*:wordpress:*:*" + ], "sell-downloads": [ "cpe:2.3:a:codepeople:sell_downloads:*:*:*:*:*:wordpress:*:*" ], @@ -15242,6 +15329,9 @@ "shortcodes-finder": [ "cpe:2.3:a:scribit:shortcodes_finder:*:*:*:*:*:wordpress:*:*" ], + "shortcodes-for-amp-web-stories-and-elementor-widget": [ + "cpe:2.3:a:coolplugins:web_stories_widgets_for_elementor:*:*:*:*:*:wordpress:*:*" + ], "shortcodes-ui": [ "cpe:2.3:a:bainternet:shortcodes_ui:*:*:*:*:*:wordpress:*:*" ], @@ -15650,6 +15740,9 @@ "slider-blocks": [ "cpe:2.3:a:makegutenblock:gutslider:*:*:*:*:*:wordpress:*:*" ], + "slider-comparison-image-before-and-after": [ + "cpe:2.3:a:artembovkun:slider_comparison_image_before_and_after:*:*:*:*:*:wordpress:*:*" + ], "slider-hero": [ "cpe:2.3:a:quantumcloud:slider_hero:*:*:*:*:*:wordpress:*:*" ], @@ -15787,6 +15880,9 @@ "social-icons-widget-by-wpzoom": [ "cpe:2.3:a:wpzoom:social_icons_widget:*:*:*:*:free:wordpress:*:*" ], + "social-link-groups": [ + "cpe:2.3:a:acespritech:social_link_groups:*:*:*:*:*:wordpress:*:*" + ], "social-locker": [ "cpe:2.3:a:byonepress:social_locker:*:*:*:*:*:wordpress:*:*" ], @@ -16063,6 +16159,9 @@ "stylist": [ "cpe:2.3:a:stylist_project:stylist:*:*:*:*:*:wordpress:*:*" ], + "subaccounts-for-woocommerce": [ + "cpe:2.3:a:mediaticus:subaccounts_for_woocommerce:*:*:*:*:*:wordpress:*:*" + ], "subscribe-sidebar": [ "cpe:2.3:a:blubrry:subscribe_sidebar:*:*:*:*:*:wordpress:*:*" ], @@ -16107,6 +16206,9 @@ "supersaas-appointment-scheduling": [ "cpe:2.3:a:supersaas:supersaas:*:*:*:*:*:wordpress:*:*" ], + "support-chat": [ + "cpe:2.3:a:ninjateam:click_to_chat:*:*:*:*:*:wordpress:*:*" + ], "supportcandy": [ "cpe:2.3:a:supportcandy:supportcandy:*:*:*:*:*:wordpress:*:*" ], 
@@ -16307,6 +16409,9 @@ "the-moneytizer": [ "cpe:2.3:a:themoneytizer:the_moneytizer:*:*:*:*:*:wordpress:*:*" ], + "the-plus-addons-for-block-editor": [ + "cpe:2.3:a:posimyth:nexter_blocks:*:*:*:*:*:wordpress:*:*" + ], "the-plus-addons-for-elementor-page-builder": [ "cpe:2.3:a:posimyth:the_plus_addons_for_elementor:*:*:*:*:free:wordpress:*:*", "cpe:2.3:a:posimyth:the_plus_addons_for_elementor_page_builder_lite:*:*:*:*:*:wordpress:*:*" @@ -16558,6 +16663,9 @@ "tutor": [ "cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*" ], + "tutor-lms-elementor-addons": [ + "cpe:2.3:a:themeum:tutor_lms_elementor_addons:*:*:*:*:*:wordpress:*:*" + ], "tutor-lms-migration-tool": [ "cpe:2.3:a:themeum:tutor_lms_-_migration_tool:*:*:*:*:*:wordpress:*:*" ], @@ -16761,6 +16869,9 @@ "unlimited-addons-for-wpbakery-page-builder": [ "cpe:2.3:a:unitecms:unlimited_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*" ], + "unlimited-blocks": [ + "cpe:2.3:a:themehunk:gutenberg_blocks:*:*:*:*:*:wordpress:*:*" + ], "unlimited-elements-for-elementor": [ "cpe:2.3:a:unlimited-elements:unlimited_elements_for_elementor:*:*:*:*:*:wordpress:*:*" ], @@ -17046,6 +17157,9 @@ "w3-total-cache": [ "cpe:2.3:a:boldgrid:w3_total_cache:*:*:*:*:*:wordpress:*:*" ], + "w3speedster-wp": [ + "cpe:2.3:a:w3speedster:w3speedster:*:*:*:*:*:wordpress:*:*" + ], "w4-post-list": [ "cpe:2.3:a:w4_post_list_project:w4_post_list:*:*:*:*:*:wordpress:*:*" ], @@ -17962,6 +18076,12 @@ "wp-custom-post-template": [ "cpe:2.3:a:dotsquares:wp_custom_post_template:*:*:*:*:*:wordpress:*:*" ], + "wp-custom-taxonomy-image": [ + "cpe:2.3:a:aftabhusain:category_and_taxonomy_image:*:*:*:*:*:wordpress:*:*" + ], + "wp-custom-taxonomy-meta": [ + "cpe:2.3:a:aftabhusain:category_and_taxonomy_meta_fields:*:*:*:*:*:wordpress:*:*" + ], "wp-custom-widget-area": [ "cpe:2.3:a:kishorkhambu:wp_custom_widget_area:*:*:*:*:*:wordpress:*:*" ], 
@@ -18171,7 +18291,7 @@ "cpe:2.3:a:pixelite:wp_fullcalendar:*:*:*:*:*:wordpress:*:*" ], "wp-fundraising-donation": [ - "cpe:2.3:a:wpmet:wp_fundraising_donation_and_crowdfunding_platform:*:*:*:*:*:wordpress:*:*" + "cpe:2.3:a:wpmet:fundengine:*:*:*:*:*:wordpress:*:*" ], "wp-gallery-metabox": [ "cpe:2.3:a:wp_gallery_metabox_project:wp_gallery_metabox:*:*:*:*:*:wordpress:*:*" @@ -18581,6 +18701,9 @@ "wp-publications": [ "cpe:2.3:a:wp-publications_project:wp-publications:*:*:*:*:*:wordpress:*:*" ], + "wp-quick-setup": [ + "cpe:2.3:a:antonhoelstad:wp_quick_setup:*:*:*:*:*:wordpress:*:*" + ], "wp-quicklatex": [ "cpe:2.3:a:holoborodko:wp_quicklatex:*:*:*:*:*:wordpress:*:*" ], @@ -18652,6 +18775,9 @@ "wp-secure-maintainance": [ "cpe:2.3:a:wpexperts:wp_secure_maintenance:*:*:*:*:*:wordpress:*:*" ], + "wp-security-audit-log": [ + "cpe:2.3:a:melapress:wp_activity_log:*:*:*:*:*:wordpress:*:*" + ], "wp-security-hardening": [ "cpe:2.3:a:getastra:wp_hardening:*:*:*:*:*:wordpress:*:*" ], @@ -18685,6 +18811,9 @@ "wp-shoutbox-live-chat": [ "cpe:2.3:a:wp_live_chat_shoutbox_project:wp_live_chat_shoutbox:*:*:*:*:*:wordpress:*:*" ], + "wp-show-more": [ + "cpe:2.3:a:jamos:wp_show_more:*:*:*:*:*:wordpress:*:*" + ], "wp-show-posts": [ "cpe:2.3:a:wp_show_posts_project:wp_show_posts:*:*:*:*:*:wordpress:*:*" ], @@ -18848,6 +18977,9 @@ "wp-terms-popup": [ "cpe:2.3:a:linksoftwarellc:wp_terms_popup:*:*:*:*:*:wordpress:*:*" ], + "wp-test-email": [ + "cpe:2.3:a:boopathirajan:wp_test_email:*:*:*:*:*:wordpress:*:*" + ], "wp-testimonial-widget": [ "cpe:2.3:a:starkdigital:wp_testimonial_widget:*:*:*:*:*:wordpress:*:*" ], @@ -19332,6 +19464,9 @@ "yotpo-reviews-for-woocommerce": [ "cpe:2.3:a:yotpo_reviews_for_woocommerce_project:yotpo_reviews_for_woocommerce:*:*:*:*:*:wordpress:*:*" ], + "yotpo-social-reviews-for-woocommerce": [ + "cpe:2.3:a:yotpo:yotpo:*:*:*:*:*:wordpress:*:*" + ], "yourchannel": [ "cpe:2.3:a:plugin:yourchannel:*:*:*:*:*:wordpress:*:*" ], 
diff --git a/syft/pkg/cataloger/rust/cataloger.go b/syft/pkg/cataloger/rust/cataloger.go
index 8951f1b2864..3f83f522347 100644
--- a/syft/pkg/cataloger/rust/cataloger.go
+++ b/syft/pkg/cataloger/rust/cataloger.go
@@ -9,6 +9,8 @@ import (
 "github.com/anchore/syft/syft/pkg/cataloger/generic"
 )
 
+const cargoAuditBinaryCatalogerName = "cargo-auditable-binary-cataloger"
+
 // NewCargoLockCataloger returns a new Rust Cargo lock file cataloger object.
 func NewCargoLockCataloger() pkg.Cataloger {
 return generic.NewCataloger("rust-cargo-lock-cataloger").
@@ -18,6 +20,6 @@ func NewCargoLockCataloger() pkg.Cataloger {
 // NewAuditBinaryCataloger returns a new Rust auditable binary cataloger object that can detect dependencies
 // in binaries produced with https://github.com/Shnatsel/rust-audit
 func NewAuditBinaryCataloger() pkg.Cataloger {
- return generic.NewCataloger("cargo-auditable-binary-cataloger").
+ return generic.NewCataloger(cargoAuditBinaryCatalogerName).
 WithParserByMimeTypes(parseAuditBinary, mimetype.ExecutableMIMETypeSet.List()...)
 }
diff --git a/syft/pkg/cataloger/rust/cataloger_test.go b/syft/pkg/cataloger/rust/cataloger_test.go
index 3a7a356db21..62b7bc099c4 100644
--- a/syft/pkg/cataloger/rust/cataloger_test.go
+++ b/syft/pkg/cataloger/rust/cataloger_test.go
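Review bot: Hoisting only the audit cataloger's name leaves the sibling literal `"rust-cargo-lock-cataloger"` inline in NewCargoLockCataloger two lines above; for consistency declare `const cargoLockCatalogerName = "rust-cargo-lock-cataloger"` in the same block and use it there. A short comment on the new constant, such as `// cargoAuditBinaryCatalogerName is shared with newPackageFromAudit so FoundBy matches the cataloger name`, would explain why it is now a package-level name rather than a string local to NewAuditBinaryCataloger.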
@@ -3,48 +3,270 @@ package rust import ( "testing" + "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" ) func TestNewAuditBinaryCataloger(t *testing.T) { + locations := file.NewLocationSet(file.NewVirtualLocation("/usr/local/bin/hello_world", "/usr/local/bin/hello_world")) + + argh := pkg.Package{ + Name: "argh", + Version: "0.1.12", + PURL: "pkg:cargo/argh@0.1.12", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "argh", + Version: "0.1.12", + Source: "crates.io", + }, + } + + arghDerive := pkg.Package{ + Name: "argh_derive", + Version: "0.1.12", + PURL: "pkg:cargo/argh_derive@0.1.12", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "argh_derive", + Version: "0.1.12", + Source: "crates.io", + }, + } + + arghShared := pkg.Package{ + Name: "argh_shared", + Version: "0.1.12", + PURL: "pkg:cargo/argh_shared@0.1.12", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "argh_shared", + Version: "0.1.12", + Source: "crates.io", + }, + } + + helloWorld := pkg.Package{ + Name: "hello_world", + Version: "0.1.0", + PURL: "pkg:cargo/hello_world@0.1.0", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "hello_world", + Version: "0.1.0", + Source: "local", + }, + } + + procMacro2 := pkg.Package{ + Name: "proc-macro2", + Version: "1.0.92", + PURL: "pkg:cargo/proc-macro2@1.0.92", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: 
pkg.RustBinaryAuditEntry{ + Name: "proc-macro2", + Version: "1.0.92", + Source: "crates.io", + }, + } + + quote := pkg.Package{ + Name: "quote", + Version: "1.0.37", + PURL: "pkg:cargo/quote@1.0.37", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "quote", + Version: "1.0.37", + Source: "crates.io", + }, + } + + serde := pkg.Package{ + Name: "serde", + Version: "1.0.215", + PURL: "pkg:cargo/serde@1.0.215", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "serde", + Version: "1.0.215", + Source: "crates.io", + }, + } + + serdeDerive := pkg.Package{ + Name: "serde_derive", + Version: "1.0.215", + PURL: "pkg:cargo/serde_derive@1.0.215", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "serde_derive", + Version: "1.0.215", + Source: "crates.io", + }, + } + + syn := pkg.Package{ + Name: "syn", + Version: "2.0.90", + PURL: "pkg:cargo/syn@2.0.90", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "syn", + Version: "2.0.90", + Source: "crates.io", + }, + } + + unicodeIdent := pkg.Package{ + Name: "unicode-ident", + Version: "1.0.14", + PURL: "pkg:cargo/unicode-ident@1.0.14", + FoundBy: "cargo-auditable-binary-cataloger", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Metadata: pkg.RustBinaryAuditEntry{ + Name: "unicode-ident", + Version: "1.0.14", + Source: "crates.io", + }, + } expectedPkgs := []pkg.Package{ + argh, + arghDerive, + arghShared, + helloWorld, + procMacro2, + quote, + serde, + serdeDerive, + syn, + unicodeIdent, + } + + expectedRelationships := []artifact.Relationship{ { - Name: "auditable", - 
Version: "0.1.0", - PURL: "pkg:cargo/auditable@0.1.0", - FoundBy: "cargo-auditable-binary-cataloger", - Locations: file.NewLocationSet(file.NewVirtualLocation("/hello-auditable", "/hello-auditable")), - Language: pkg.Rust, - Type: pkg.RustPkg, - Metadata: pkg.RustBinaryAuditEntry{ - Name: "auditable", - Version: "0.1.0", - Source: "local", - }, + From: argh, + To: helloWorld, + Type: artifact.DependencyOfRelationship, }, { - Name: "hello-auditable", - Version: "0.1.0", - PURL: "pkg:cargo/hello-auditable@0.1.0", - FoundBy: "cargo-auditable-binary-cataloger", - Locations: file.NewLocationSet(file.NewVirtualLocation("/hello-auditable", "/hello-auditable")), - Language: pkg.Rust, - Type: pkg.RustPkg, - Metadata: pkg.RustBinaryAuditEntry{ - Name: "hello-auditable", - Version: "0.1.0", - Source: "local", - }, + From: arghDerive, + To: argh, + Type: artifact.DependencyOfRelationship, + }, + { + From: arghShared, + To: argh, + Type: artifact.DependencyOfRelationship, + }, + { + From: arghShared, + To: arghDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: procMacro2, + To: arghDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: procMacro2, + To: quote, + Type: artifact.DependencyOfRelationship, + }, + { + From: procMacro2, + To: serdeDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: procMacro2, + To: syn, + Type: artifact.DependencyOfRelationship, + }, + { + From: quote, + To: arghDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: quote, + To: serdeDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: quote, + To: syn, + Type: artifact.DependencyOfRelationship, + }, + { + From: serde, + To: arghShared, + Type: artifact.DependencyOfRelationship, + }, + { + From: serdeDerive, + To: serde, + Type: artifact.DependencyOfRelationship, + }, + { + From: syn, + To: arghDerive, + Type: artifact.DependencyOfRelationship, + }, + { + 
From: syn, + To: serdeDerive, + Type: artifact.DependencyOfRelationship, + }, + { + From: unicodeIdent, + To: procMacro2, + Type: artifact.DependencyOfRelationship, + }, + { + From: unicodeIdent, + To: syn, + Type: artifact.DependencyOfRelationship, }, } pkgtest.NewCatalogTester(). WithImageResolver(t, "image-audit"). IgnoreLocationLayer(). // this fixture can be rebuilt, thus the layer ID will change - Expects(expectedPkgs, nil). + Expects(expectedPkgs, expectedRelationships). TestCataloger(t, NewAuditBinaryCataloger()) } diff --git a/syft/pkg/cataloger/rust/package.go b/syft/pkg/cataloger/rust/package.go index be67d96a936..6af92745df6 100644 --- a/syft/pkg/cataloger/rust/package.go +++ b/syft/pkg/cataloger/rust/package.go @@ -25,19 +25,6 @@ func newPackageFromCargoMetadata(m pkg.RustCargoLockEntry, locations ...file.Loc return p } -func newPackagesFromAudit(location file.Location, versionInfo rustaudit.VersionInfo) []pkg.Package { - var pkgs []pkg.Package - - for _, dep := range versionInfo.Packages { - p := newPackageFromAudit(&dep, location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)) - if pkg.IsValid(&p) && dep.Kind == rustaudit.Runtime { - pkgs = append(pkgs, p) - } - } - - return pkgs -} - func newPackageFromAudit(dep *rustaudit.Package, locations ...file.Location) pkg.Package { p := pkg.Package{ Name: dep.Name, @@ -46,6 +33,7 @@ func newPackageFromAudit(dep *rustaudit.Package, locations ...file.Location) pkg Language: pkg.Rust, Type: pkg.RustPkg, Locations: file.NewLocationSet(locations...), + FoundBy: cargoAuditBinaryCatalogerName, Metadata: pkg.RustBinaryAuditEntry{ Name: dep.Name, Version: dep.Version, diff --git a/syft/pkg/cataloger/rust/parse_audit_binary.go b/syft/pkg/cataloger/rust/parse_audit_binary.go index 25525e91656..76e1509b7f0 100644 --- a/syft/pkg/cataloger/rust/parse_audit_binary.go +++ b/syft/pkg/cataloger/rust/parse_audit_binary.go 
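Review bot: Every expected package in TestNewAuditBinaryCataloger repeats the literal `FoundBy: "cargo-auditable-binary-cataloger"` even though this commit introduces `cargoAuditBinaryCatalogerName` in the same package; referencing the constant keeps the test in step with newPackageFromAudit, which now sets FoundBy from it. The ten package literals differ only in name, version and source, so a small local constructor removes the repetition and makes a future field addition a one-line change; the rewritten prologue is below and the relationship table stays as written.

```go
func TestNewAuditBinaryCataloger(t *testing.T) {
	locations := file.NewLocationSet(file.NewVirtualLocation("/usr/local/bin/hello_world", "/usr/local/bin/hello_world"))

	// expected builds one package exactly as the audit binary cataloger reports it
	expected := func(name, version, source string) pkg.Package {
		return pkg.Package{
			Name:      name,
			Version:   version,
			PURL:      "pkg:cargo/" + name + "@" + version,
			FoundBy:   cargoAuditBinaryCatalogerName,
			Locations: locations,
			Language:  pkg.Rust,
			Type:      pkg.RustPkg,
			Metadata: pkg.RustBinaryAuditEntry{
				Name:    name,
				Version: version,
				Source:  source,
			},
		}
	}

	argh := expected("argh", "0.1.12", "crates.io")
	arghDerive := expected("argh_derive", "0.1.12", "crates.io")
	arghShared := expected("argh_shared", "0.1.12", "crates.io")
	helloWorld := expected("hello_world", "0.1.0", "local")
	procMacro2 := expected("proc-macro2", "1.0.92", "crates.io")
	quote := expected("quote", "1.0.37", "crates.io")
	serde := expected("serde", "1.0.215", "crates.io")
	serdeDerive := expected("serde_derive", "1.0.215", "crates.io")
	syn := expected("syn", "2.0.90", "crates.io")
	unicodeIdent := expected("unicode-ident", "1.0.14", "crates.io")

	// … unchanged: expectedPkgs, expectedRelationships and the pkgtest call …
```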
@@ -5,9 +5,10 @@ import (
 "errors"
 "fmt"
 
- rustaudit "github.com/microsoft/go-rustaudit"
+ "github.com/microsoft/go-rustaudit"
 
 "github.com/anchore/syft/internal/log"
+ "github.com/anchore/syft/internal/relationship"
 "github.com/anchore/syft/syft/artifact"
 "github.com/anchore/syft/syft/file"
 "github.com/anchore/syft/syft/internal/unionreader"
@@ -18,6 +19,7 @@ import (
 // Catalog identifies executables then attempts to read Rust dependency information from them
 func parseAuditBinary(_ context.Context, _ file.Resolver, _ *generic.Environment, reader file.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) {
 var pkgs []pkg.Package
+ var relationships []artifact.Relationship
 
 unionReader, err := unionreader.GetUnionReader(reader.ReadCloser)
 if err != nil {
@@ -26,10 +28,12 @@ func parseAuditBinary(_ context.Context, _ file.Resolver, _ *generic.Environment
 infos, err := parseAuditBinaryEntry(unionReader, reader.RealPath)
 
 for _, versionInfo := range infos {
- pkgs = append(pkgs, newPackagesFromAudit(reader.Location, versionInfo)...)
+ auditPkgs, auditRelationships := processAuditVersionInfo(reader.Location, versionInfo)
+ pkgs = append(pkgs, auditPkgs...)
+ relationships = append(relationships, auditRelationships...)
 }
 
- return pkgs, nil, err
+ return pkgs, relationships, err
 }
 
 // scanFile scans file to try to report the Rust crate dependencies
@@ -61,3 +65,64 @@ func parseAuditBinaryEntry(reader unionreader.UnionReader, filename string) ([]r
 
 return versionInfos, nil
 }
+
+// auditPkgPair is a helper struct to track the original index of the package in the original audit report + the syft package created for it
+type auditPkgPair struct {
+ pkg *pkg.Package
+ rustPkg rustaudit.Package
+ index int
+}
+
+func processAuditVersionInfo(location file.Location, versionInfo rustaudit.VersionInfo) ([]pkg.Package, []artifact.Relationship) {
+ var pkgs []pkg.Package
+
+ // first pass: create packages for all runtime dependencies (skip dev and invalid dependencies)
+ pairsByOgIndex := make(map[int]auditPkgPair)
+ for idx, dep := range versionInfo.Packages {
+ p := newPackageFromAudit(&dep, location.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation))
+ pair := auditPkgPair{
+ rustPkg: dep,
+ index: idx,
+ }
+ if pkg.IsValid(&p) && dep.Kind == rustaudit.Runtime {
+ pkgs = append(pkgs, p)
+ pair.pkg = &pkgs[len(pkgs)-1]
+ }
+ pairsByOgIndex[idx] = pair
+ }
+
+ // second pass: create relationships between any packages created
+ // we have all the original audit package indices + info, but not all audit packages will have syft packages.
+ // we need to be careful to not create relationships for packages that were not created.
+ var rels []artifact.Relationship
+ for _, parentPair := range pairsByOgIndex {
+ // the rust-audit report lists dependencies by index from the original version info object. We need to find
+ // the syft packages created for each listed dependency from that original object.
+ for _, ogPkgIndex := range parentPair.rustPkg.Dependencies {
+ if ogPkgIndex >= uint(len(versionInfo.Packages)) {
+ log.WithFields("pkg", parentPair.pkg).Trace("cargo audit dependency index out of range: %d", ogPkgIndex)
+ continue
+ }
+ depPair, ok := pairsByOgIndex[int(ogPkgIndex)]
+ if !ok {
+ log.WithFields("pkg", parentPair.pkg).Trace("cargo audit dependency not found: %d", ogPkgIndex)
+ continue
+ }
+
+ if depPair.pkg == nil || parentPair.pkg == nil {
+ // skip relationships for syft packages that were not created from the original report (no matter the reason)
+ continue
+ }
+
+ rels = append(rels, artifact.Relationship{
+ From: *depPair.pkg,
+ To: *parentPair.pkg,
+ Type: artifact.DependencyOfRelationship,
+ })
+ }
+ }
+
+ relationship.Sort(rels)
+
+ return pkgs, rels
+}
diff --git a/syft/pkg/cataloger/rust/parse_cargo_lock.go b/syft/pkg/cataloger/rust/parse_cargo_lock.go
index d800eec7a74..79c6d07c175 100644
--- a/syft/pkg/cataloger/rust/parse_cargo_lock.go
+++ b/syft/pkg/cataloger/rust/parse_cargo_lock.go
@@ -3,14 +3,17 @@ package rust
 import (
 "context"
 "fmt"
+ "strings"
 
 "github.com/pelletier/go-toml"
 
+ "github.com/anchore/syft/internal/log"
 "github.com/anchore/syft/internal/unknown"
 "github.com/anchore/syft/syft/artifact"
 "github.com/anchore/syft/syft/file"
 "github.com/anchore/syft/syft/pkg"
 "github.com/anchore/syft/syft/pkg/cataloger/generic"
+ "github.com/anchore/syft/syft/pkg/cataloger/internal/dependency"
 )
 
 var _ generic.Parser = parseCargoLock
@@ -33,7 +36,6 @@ func parseCargoLock(_ context.Context, _ file.Resolver, _ *generic.Environment,
 }
 
 var pkgs []pkg.Package
- pkgIndex := make(map[string]int)
 
 for _, p := range m.Packages {
 if p.Dependencies == nil {
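Review bot: The two `Trace` calls inside the dependency loop of processAuditVersionInfo pass a `%d` verb but, unless Trace is a formatting variant, never substitute it (this same commit uses `log.Tracef` in parse_cargo_lock.go); change them to `Tracef` and log `parentPair.rustPkg.Name` instead of `parentPair.pkg`, which is nil for every parent whose syft package was skipped. `pair.pkg = &pkgs[len(pkgs)-1]` stores a pointer into a slice that later appends may reallocate; it only yields the right value because the elements are never mutated afterwards, so storing the index into `pkgs` (`pkgIdx int`) and reading `pkgs[pair.pkgIdx]` in the second pass is the robust form. The `ogPkgIndex >= uint(len(versionInfo.Packages))` bound is the right guard for an audit section read out of an arbitrary binary, but an index equal to the parent's own index still produces a self-referential relationship, so `if int(ogPkgIndex) == parentPair.index { continue }` belongs next to it. Since `pairsByOgIndex` is keyed by every index 0..len-1, the `!ok` branch cannot trigger and the map could be a `[]auditPkgPair` slice, which also gives the second pass a deterministic order without relying on `relationship.Sort`.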
@@ -47,36 +49,42 @@ func parseCargoLock(_ context.Context, _ file.Resolver, _ *generic.Environment, pkgs, newPkg, ) - newIx := len(pkgs) - 1 - // Cargo.lock dependencies are strings that are the name of a package, if that - // is unambiguous, or a string like "name version" if the name alone is not - // ambiguous. Set both keys in the map, since we don't know which key is - // going to be used until we're trying to resolve dependencies. If the - // first key is overwritten, that means the package name was an ambiguous dependency - // and "name version" will be used as the key anyway. - keys := []string{ - newPkg.Name, - fmt.Sprintf("%s %s", newPkg.Name, newPkg.Version), - } - for _, k := range keys { - pkgIndex[k] = newIx - } } - var relationships []artifact.Relationship - for _, p := range pkgs { - meta := p.Metadata.(pkg.RustCargoLockEntry) - for _, d := range meta.Dependencies { - i, ok := pkgIndex[d] - if !ok { - continue - } - relationships = append(relationships, artifact.Relationship{ - 
From: p, - To: pkgs[i], - Type: artifact.DependencyOfRelationship, - }) + + return pkgs, dependency.Resolve(dependencySpecification, pkgs), unknown.IfEmptyf(pkgs, "unable to determine packages") +} + +func dependencySpecification(p pkg.Package) dependency.Specification { + rustMeta, ok := p.Metadata.(pkg.RustCargoLockEntry) + if !ok { + log.Tracef("cataloger failed to extract rust Cargo.lock metadata for package %+v", p.Name) + return dependency.Specification{} + } + + // Cargo.lock dependencies are strings that are the name of a package, if that + // is unambiguous, or a string like "name version" if the name alone is not + // ambiguous, or strings like "name version (source)" if "name version" is ambiguous. + // Provide all the strings, since we don't know which string will be used. + // In other words, each package "provides" 3 entries, one for each name format, + // and each package "requires" whatever it actually requires based on the Cargo.lock. + provides := []string{ + p.Name, + fmt.Sprintf("%s %s", p.Name, p.Version), + } + + if rustMeta.Source != "" { + src := rustMeta.Source + if strings.HasPrefix(src, "git") && strings.Contains(src, "#") { + src = strings.Split(src, "#")[0] } + + provides = append(provides, fmt.Sprintf("%s %s (%s)", p.Name, p.Version, src)) } - return pkgs, relationships, unknown.IfEmptyf(pkgs, "unable to determine packages") + return dependency.Specification{ + ProvidesRequires: dependency.ProvidesRequires{ + Provides: provides, + Requires: rustMeta.Dependencies, + }, + } } diff --git a/syft/pkg/cataloger/rust/parse_cargo_lock_test.go b/syft/pkg/cataloger/rust/parse_cargo_lock_test.go index 2d7d2b4b639..15313f55a9d 100644 --- a/syft/pkg/cataloger/rust/parse_cargo_lock_test.go +++ b/syft/pkg/cataloger/rust/parse_cargo_lock_test.go @@ -3,6 +3,8 @@ package rust import ( "testing" + "github.com/stretchr/testify/assert" + "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" 
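Review bot: `src = strings.Split(src, "#")[0]` allocates a slice only to keep its first element; `src, _, _ = strings.Cut(src, "#")` does the same in one step and makes the `strings.Contains(src, "#")` test redundant, since Cut returns the input unchanged when the separator is absent. The scheme test `strings.HasPrefix(src, "git")` is presumably meant to cover `git+https://…`, `git+ssh://…` and the like; a comment such as `// git sources carry the pinned revision as a URL fragment, which Cargo.lock dependency strings omit` would record why only those sources are stripped. In the type-assertion failure trace, `%+v` on `p.Name` formats a plain string; `%q` would make an empty name visible. The fixture only covers a bare `#rev` fragment; if Cargo also emits `?branch=`/`?rev=` query parameters ahead of the fragment they appear in both the source and the dependency string and should still match, but that deserves its own table case.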
@@ -279,50 +281,557 @@ func TestParseCargoLock(t *testing.T) { expectedRelationships := []artifact.Relationship{ { - From: ansiTerm, + To: ansiTerm, + From: winapi, + Type: artifact.DependencyOfRelationship, + }, + { + To: errno, + From: windowsSys52, + Type: artifact.DependencyOfRelationship, + }, + { + To: nom, + From: memchr, + Type: artifact.DependencyOfRelationship, + }, + { + To: nom, + From: versionCheck, + Type: artifact.DependencyOfRelationship, + }, + { + To: schannel, + From: windowsSys59, + Type: artifact.DependencyOfRelationship, + }, + { + To: unicodeBidi, + From: matches, + Type: artifact.DependencyOfRelationship, + }, + { To: winapi, + From: winAPIi686PCWindowsGNU, Type: artifact.DependencyOfRelationship, }, { - From: errno, - To: windowsSys52, + To: winapi, + 
From: winAPIx8664PCWindowsGNU, Type: artifact.DependencyOfRelationship, }, + } + + pkgtest.TestFileParser(t, fixture, parseCargoLock, expectedPkgs, expectedRelationships) +} + +func TestCargoLockWithGitDependencies(t *testing.T) { + fixture := "test-fixtures/Cargo.lock-with-git-deps" + locations := file.NewLocationSet(file.NewLocation(fixture)) + + ahoCorasick := pkg.Package{ + Name: "aho-corasick", + Version: "1.1.3", + PURL: "pkg:cargo/aho-corasick@1.1.3", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "aho-corasick", + Version: "1.1.3", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916", + Dependencies: []string{ + "memchr", + }, + }, + } + + helloWorld := pkg.Package{ + Name: "hello_world", + Version: "0.1.0", + PURL: "pkg:cargo/hello_world@0.1.0", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "hello_world", + Version: "0.1.0", + Dependencies: []string{ + "nom-regex", + "regex 1.11.1 (git+https://github.com/rust-lang/regex.git)", + }, + }, + } + + memchr := pkg.Package{ + Name: "memchr", + Version: "2.7.4", + PURL: "pkg:cargo/memchr@2.7.4", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "memchr", + Version: "2.7.4", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3", + Dependencies: []string{}, + }, + } + + minimalLexical := pkg.Package{ + Name: "minimal-lexical", + Version: "0.2.1", + PURL: "pkg:cargo/minimal-lexical@0.2.1", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "minimal-lexical", + 
Version: "0.2.1", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a", + Dependencies: []string{}, + }, + } + + nom := pkg.Package{ + Name: "nom", + Version: "7.1.3", + PURL: "pkg:cargo/nom@7.1.3", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "nom", + Version: "7.1.3", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a", + Dependencies: []string{ + "memchr", + "minimal-lexical", + }, + }, + } + + nomRegex := pkg.Package{ + Name: "nom-regex", + Version: "0.2.0", + PURL: "pkg:cargo/nom-regex@0.2.0", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "nom-regex", + Version: "0.2.0", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "72e5c7731c4c1370b61604ed52a2475e861aac9e08dec9f23903d4ddfdc91c18", + Dependencies: []string{ + "nom", + "regex 1.11.1 (registry+https://github.com/rust-lang/crates.io-index)", + }, + }, + } + + regexCrates := pkg.Package{ + Name: "regex", + Version: "1.11.1", + PURL: "pkg:cargo/regex@1.11.1", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex", + Version: "1.11.1", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-automata 0.4.9 (registry+https://github.com/rust-lang/crates.io-index)", + "regex-syntax 0.8.5 (registry+https://github.com/rust-lang/crates.io-index)", + }, + }, + } + + regexGit := pkg.Package{ + Name: "regex", + Version: "1.11.1", + PURL: "pkg:cargo/regex@1.11.1", + 
Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex", + Version: "1.11.1", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-automata 0.4.9 (git+https://github.com/rust-lang/regex.git)", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + } + + regexAutomataCrates := pkg.Package{ + Name: "regex-automata", + Version: "0.4.9", + PURL: "pkg:cargo/regex-automata@0.4.9", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-automata", + Version: "0.4.9", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (registry+https://github.com/rust-lang/crates.io-index)", + }, + }, + } + + regexAutomataGit := pkg.Package{ + Name: "regex-automata", + Version: "0.4.9", + PURL: "pkg:cargo/regex-automata@0.4.9", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-automata", + Version: "0.4.9", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + } + + regexSyntaxCrates := pkg.Package{ + Name: "regex-syntax", + Version: "0.8.5", + PURL: "pkg:cargo/regex-syntax@0.8.5", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-syntax", + Version: "0.8.5", + Source: "registry+https://github.com/rust-lang/crates.io-index", + 
Checksum: "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c", + Dependencies: []string{}, + }, + } + + regexSyntaxGit := pkg.Package{ + Name: "regex-syntax", + Version: "0.8.5", + PURL: "pkg:cargo/regex-syntax@0.8.5", + Locations: locations, + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-syntax", + Version: "0.8.5", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{}, + }, + } + + expectedPkgs := []pkg.Package{ + ahoCorasick, helloWorld, memchr, minimalLexical, nom, nomRegex, regexCrates, regexGit, + regexAutomataCrates, regexAutomataGit, regexSyntaxCrates, regexSyntaxGit, + } + expectedRelationships := []artifact.Relationship{ { - From: nom, - To: memchr, + From: memchr, + To: ahoCorasick, + Type: artifact.DependencyOfRelationship, + }, + { + From: nomRegex, + To: helloWorld, + Type: artifact.DependencyOfRelationship, + }, + { + From: regexGit, + To: helloWorld, + Type: artifact.DependencyOfRelationship, + }, + { + From: memchr, + To: nom, + Type: artifact.DependencyOfRelationship, + }, + { + From: minimalLexical, + To: nom, Type: artifact.DependencyOfRelationship, }, { From: nom, - To: versionCheck, + To: nomRegex, Type: artifact.DependencyOfRelationship, }, { - From: schannel, - To: windowsSys59, + From: regexCrates, + To: nomRegex, Type: artifact.DependencyOfRelationship, }, { - From: unicodeBidi, - To: matches, + From: ahoCorasick, + To: regexCrates, Type: artifact.DependencyOfRelationship, }, { - From: winapi, - To: winAPIi686PCWindowsGNU, + From: memchr, + To: regexCrates, Type: artifact.DependencyOfRelationship, }, { - From: winapi, - To: winAPIx8664PCWindowsGNU, + From: regexAutomataCrates, + To: regexCrates, + Type: artifact.DependencyOfRelationship, + }, + { + From: regexSyntaxCrates, + To: regexCrates, + Type: artifact.DependencyOfRelationship, + }, + { + 
From: regexSyntaxCrates, + To: regexAutomataCrates, + Type: artifact.DependencyOfRelationship, + }, + { + From: ahoCorasick, + To: regexGit, + Type: artifact.DependencyOfRelationship, + }, + { + From: memchr, + To: regexGit, + Type: artifact.DependencyOfRelationship, + }, + { + From: regexAutomataGit, + To: regexGit, + Type: artifact.DependencyOfRelationship, + }, + { + From: regexSyntaxGit, + To: regexAutomataGit, + Type: artifact.DependencyOfRelationship, + }, + { + From: regexSyntaxGit, + To: regexGit, + Type: artifact.DependencyOfRelationship, + }, + { + From: ahoCorasick, + To: regexAutomataCrates, + Type: artifact.DependencyOfRelationship, + }, + { + From: memchr, + To: regexAutomataCrates, + Type: artifact.DependencyOfRelationship, + }, + { + From: ahoCorasick, + To: regexAutomataGit, + Type: artifact.DependencyOfRelationship, + }, + { + 
From: memchr, + To: regexAutomataGit, Type: artifact.DependencyOfRelationship, }, } + // what I know so far - it's not sorting, it's not pkgtest.TestFileParser(t, fixture, parseCargoLock, expectedPkgs, expectedRelationships) } +func TestCargoLockDependencySpecification(t *testing.T) { + tests := []struct { + name string + p pkg.Package + provides []string + requires []string + }{ + { + name: "requires git source", + p: pkg.Package{ + Name: "hello_world", + Version: "0.1.0", + PURL: "pkg:cargo/hello_world@0.1.0", + Locations: file.NewLocationSet(), + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "hello_world", + Version: "0.1.0", + Dependencies: []string{ + "nom-regex", + "regex 1.11.1 (git+https://github.com/rust-lang/regex.git)", + }, + }, + }, + provides: []string{ + "hello_world", + "hello_world 0.1.0", + }, + requires: []string{ + "nom-regex", + "regex 1.11.1 (git+https://github.com/rust-lang/regex.git)", + }, + }, + { + name: "provides git source", + p: pkg.Package{ + Name: "regex-automata", + Version: "0.4.9", + PURL: "pkg:cargo/regex-automata@0.4.9", + Locations: file.NewLocationSet(), + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-automata", + Version: "0.4.9", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + }, + provides: []string{ + "regex-automata", + "regex-automata 0.4.9", + "regex-automata 0.4.9 (git+https://github.com/rust-lang/regex.git)", + }, + requires: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + { + name: "regex-automata git", + p: pkg.Package{ + Name: "regex-automata", + Version: "0.4.9", + PURL: "pkg:cargo/regex-automata@0.4.9", + 
Locations: file.NewLocationSet(), + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-automata", + Version: "0.4.9", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + }, + provides: []string{ + "regex-automata", + "regex-automata 0.4.9", + "regex-automata 0.4.9 (git+https://github.com/rust-lang/regex.git)", + }, + requires: []string{ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + }, + { + name: "regex-syntax git", + p: pkg.Package{ + Name: "regex-syntax", + Version: "0.8.5", + PURL: "pkg:cargo/regex-syntax@0.8.5", + Locations: file.NewLocationSet(), + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-syntax", + Version: "0.8.5", + Source: "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa", + Dependencies: []string{}, + }, + }, + provides: []string{ + "regex-syntax", + "regex-syntax 0.8.5", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", + }, + requires: []string{}, + }, + { + name: "regex-syntax crates", + p: pkg.Package{ + Name: "regex-syntax", + Version: "0.8.5", + PURL: "pkg:cargo/regex-syntax@0.8.5", + Locations: file.NewLocationSet(), + Language: pkg.Rust, + Type: pkg.RustPkg, + Licenses: pkg.NewLicenseSet(), + Metadata: pkg.RustCargoLockEntry{ + Name: "regex-syntax", + Version: "0.8.5", + Source: "registry+https://github.com/rust-lang/crates.io-index", + Checksum: "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c", + Dependencies: []string{}, + }, + }, + provides: []string{ + "regex-syntax", + "regex-syntax 0.8.5", + "regex-syntax 0.8.5 (registry+https://github.com/rust-lang/crates.io-index)", + }, + 
requires: []string{}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + spec := dependencySpecification(test.p) + assert.Equal(t, test.provides, spec.Provides) + assert.Equal(t, test.requires, spec.Requires) + }) + } +} + func Test_corruptCargoLock(t *testing.T) { pkgtest.NewCatalogTester(). FromFile(t, "test-fixtures/glob-paths/src/Cargo.lock"). diff --git a/syft/pkg/cataloger/rust/test-fixtures/Cargo.lock-with-git-deps b/syft/pkg/cataloger/rust/test-fixtures/Cargo.lock-with-git-deps new file mode 100644 index 00000000000..d9b7c7121bd --- /dev/null +++ b/syft/pkg/cataloger/rust/test-fixtures/Cargo.lock-with-git-deps 
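Review bot: the comment `// what I know so far - it's not sorting, it's not` added above the `pkgtest.TestFileParser` call in TestCargoLockWithGitDependencies is an unfinished debugging note and should be removed before merge. In TestCargoLockDependencySpecification the cases "provides git source" and "regex-automata git" are identical (same package, same expected provides and requires); drop one, or turn it into a case the table does not yet cover, such as a package with an empty Source that is required as `name version`, or a git source without a `#` fragment so the Contains branch is exercised.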
@@ -0,0 +1,107 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "aho-corasick" +version = "1.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916" +dependencies = [ + "memchr", +] + +[[package]] +name = "hello_world" +version = "0.1.0" +dependencies = [ + "nom-regex", + "regex 1.11.1 (git+https://github.com/rust-lang/regex.git)", +] + +[[package]] +name = "memchr" +version = "2.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" + +[[package]] +name = "minimal-lexical" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" + +[[package]] +name = "nom" +version = "7.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a" +dependencies = [ + "memchr", + "minimal-lexical", +] + +[[package]] +name = "nom-regex" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72e5c7731c4c1370b61604ed52a2475e861aac9e08dec9f23903d4ddfdc91c18" +dependencies = [ + "nom", + "regex 1.11.1 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] +name = "regex" +version = "1.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata 0.4.9 (registry+https://github.com/rust-lang/crates.io-index)", + "regex-syntax 0.8.5 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] +name = "regex" +version = "1.11.1" +source = 
"git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa" +dependencies = [ + "aho-corasick", + "memchr", + "regex-automata 0.4.9 (git+https://github.com/rust-lang/regex.git)", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", +] + +[[package]] +name = "regex-automata" +version = "0.4.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "809e8dc61f6de73b46c85f4c96486310fe304c434cfa43669d7b40f711150908" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (registry+https://github.com/rust-lang/crates.io-index)", +] + +[[package]] +name = "regex-automata" +version = "0.4.9" +source = "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax 0.8.5 (git+https://github.com/rust-lang/regex.git)", +] + +[[package]] +name = "regex-syntax" +version = "0.8.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" + +[[package]] +name = "regex-syntax" +version = "0.8.5" +source = "git+https://github.com/rust-lang/regex.git#1a069b9232c607b34c4937122361aa075ef573fa" diff --git a/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.lock b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.lock new file mode 100644 index 00000000000..c00250ea60f --- /dev/null +++ b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.lock 
@@ -0,0 +1,96 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 3 + +[[package]] +name = "argh" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7af5ba06967ff7214ce4c7419c7d185be7ecd6cc4965a8f6e1d8ce0398aad219" +dependencies = [ + "argh_derive", + "argh_shared", +] + +[[package]] +name = "argh_derive" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "56df0aeedf6b7a2fc67d06db35b09684c3e8da0c95f8f27685cb17e08413d87a" +dependencies = [ + "argh_shared", + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "argh_shared" +version = "0.1.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5693f39141bda5760ecc4111ab08da40565d1771038c4a0250f03457ec707531" +dependencies = [ + "serde", +] + +[[package]] +name = "hello_world" +version = "0.1.0" +dependencies = [ + "argh", +] + +[[package]] +name = "proc-macro2" +version = "1.0.92" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quote" +version = "1.0.37" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "serde" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "syn" +version = "2.0.90" 
+source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "unicode-ident" +version = "1.0.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" diff --git a/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.toml b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.toml new file mode 100644 index 00000000000..649c3178267 --- /dev/null +++ b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Cargo.toml @@ -0,0 +1,7 @@ +[package] +name = "hello_world" +version = "0.1.0" +edition = "2021" + +[dependencies] +argh = "0.1" diff --git a/syft/pkg/cataloger/rust/test-fixtures/image-audit/Dockerfile b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Dockerfile index f86c781dcae..23a3b3d499d 100644 --- a/syft/pkg/cataloger/rust/test-fixtures/image-audit/Dockerfile +++ b/syft/pkg/cataloger/rust/test-fixtures/image-audit/Dockerfile @@ -1 +1,14 @@ -FROM docker.io/tofay/hello-rust-auditable:latest@sha256:1d35d1e007180b3f7500aae5e27560697909132ca9a6d480c4c825534c1c47a9 \ No newline at end of file +FROM rust:1.74.0 AS builder + +WORKDIR /app + +RUN cargo install cargo-auditable --locked +COPY Cargo.toml Cargo.lock ./ +COPY src ./src +RUN cargo fetch +RUN cargo auditable build --release + +FROM scratch + +COPY --from=builder /app/target/release/hello_world /usr/local/bin/hello_world + diff --git a/syft/pkg/cataloger/rust/test-fixtures/image-audit/src/main.rs b/syft/pkg/cataloger/rust/test-fixtures/image-audit/src/main.rs new file mode 100644 index 00000000000..6f9e66167c2 --- /dev/null +++ b/syft/pkg/cataloger/rust/test-fixtures/image-audit/src/main.rs 
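Review bot: the fixture build swaps a digest-pinned image for `FROM rust:1.74.0 AS builder` and installs the tool with `RUN cargo install cargo-auditable --locked` and no version, so the binary the test catalogs now depends on whatever cargo-auditable release and base-image contents resolve at build time; pin both, e.g. `RUN cargo install cargo-auditable --version <cargo-auditable-version> --locked` and `rust:1.74.0@sha256:<base-image-digest>`, so the fixture and any cached results stay reproducible. `RUN cargo auditable build --release` should also pass `--locked`, so the copied Cargo.lock is used as-is rather than silently rewritten if it ever drifts from Cargo.toml.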
@@ -0,0 +1,13 @@ +use argh::FromArgs; + +#[derive(FromArgs)] +#[argh(description = "A simple Hello World CLI application.")] +struct Args { + #[argh(option, description = "name to greet")] + name: String, +} + +fn main() { + let args: Args = argh::from_env(); + println!("Hello, {}!", args.name); +} \ No newline at end of file diff --git a/test/cli/spdx_tooling_validation_test.go b/test/cli/spdx_tooling_validation_test.go index cb3d789e75f..257c848772c 100644 --- a/test/cli/spdx_tooling_validation_test.go +++ b/test/cli/spdx_tooling_validation_test.go @@ -50,6 +50,18 @@ func TestSpdxValidationTooling(t *testing.T) { images: images, env: env, }, + { + name: "spdx validation tooling tag value", + syftArgs: []string{"scan", "-o", "spdx@2.2"}, + images: images, + env: env, + }, + { + name: "spdx validation tooling json", + syftArgs: []string{"scan", "-o", "spdx-json@2.2"}, + images: images, + env: env, + }, } for _, test := range tests {