Merge remote-tracking branch 'origin/main' into 5p2O5pe25ouT/main

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

.chronicle.yaml

@@ -0,0 +1 @@
+enforce-v0: true # don't make breaking-change label bump major version before 1.0.

.github/actions/bootstrap/action.yaml

@@ -4,7 +4,7 @@ inputs:
   go-version:
     description: "Go version to install"
     required: true
-    default: "1.19.x"
+    default: "1.20.x"
   use-go-cache:
     description: "Restore go cache"
     required: true

.github/scripts/json-schema-drift-check.sh

@@ -1,27 +1,17 @@
 #!/usr/bin/env bash
 set -u
 
-if ! git diff-index --quiet HEAD --; then
-  git diff-index HEAD --
-  git --no-pager diff
-  echo "there are uncommitted changes, please commit them before running this check"
+if [ "$(git status --porcelain | wc -l)" -ne "0" ]; then
+  echo "  🔴 there are uncommitted changes, please commit them before running this check"
   exit 1
 fi
 
-success=true
-
 if ! make generate-json-schema; then
   echo "Generating json schema failed"
-  success=false
-fi
-
-if ! git diff-index --quiet HEAD --; then
-  git diff-index HEAD --
-  git --no-pager diff
-  echo "JSON schema drift detected!"
-  success=false
+  exit 1
 fi
 
-if ! $success; then
+if [ "$(git status --porcelain | wc -l)" -ne "0" ]; then
+  echo "  🔴 there are uncommitted changes, please commit them before running this check"
   exit 1
 fi

.github/workflows/oss-project-board-add.yaml

@@ -0,0 +1,16 @@
+name: Add to OSS board
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+      - transferred
+      - labeled
+
+jobs:
+
+  run:
+    uses: "anchore/workflows/.github/workflows/oss-project-board-add.yaml@main"
+    secrets:
+      token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}

.github/workflows/update-bootstrap-tools.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: "1.19.x"
+  GO_VERSION: "1.20.x"
   GO_STABLE_VERSION: true
 
 jobs:
@@ -28,7 +28,7 @@ jobs:
           GORELEASER_LATEST_VERSION=$(go list -m -json github.com/goreleaser/goreleaser@latest 2>/dev/null | jq -r '.Version')
           GOSIMPORTS_LATEST_VERSION=$(go list -m -json github.com/rinchsan/gosimports@latest 2>/dev/null | jq -r '.Version')
           YAJSV_LATEST_VERSION=$(go list -m -json github.com/neilpa/yajsv@latest 2>/dev/null | jq -r '.Version')
-          COSIGN_LATEST_VERSION=$(go list -m -json github.com/sigstore/cosign@latest 2>/dev/null | jq -r '.Version')
+          COSIGN_LATEST_VERSION=$(go list -m -json github.com/sigstore/cosign/v2@latest 2>/dev/null | jq -r '.Version')
           GLOW_LATEST_VERSION=$(go list -m -json github.com/charmbracelet/glow@latest 2>/dev/null | jq -r '.Version')
           
           # update version variables in the Makefile

.github/workflows/update-cpe-dictionary-index.yml

@@ -0,0 +1,43 @@
+name: PR to update CPE dictionary index
+on:
+  schedule:
+    - cron: "0 1 * * 1" # every monday at 1 AM
+
+  workflow_dispatch:
+
+env:
+  GO_VERSION: "1.20.x"
+  GO_STABLE_VERSION: true
+
+jobs:
+  upgrade-cpe-dictionary-index:
+    runs-on: ubuntu-latest
+    if: github.repository == 'anchore/syft' # only run for main repo
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          stable: ${{ env.GO_STABLE_VERSION }}
+
+      - run: |
+          make generate-cpe-dictionary-index
+
+      - uses: tibdex/github-app-token@v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TOKEN_APP_ID }}
+          private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }}
+
+      - uses: peter-evans/create-pull-request@v5
+        with:
+          signoff: true
+          delete-branch: true
+          branch: auto/latest-cpe-dictionary-index
+          labels: dependencies
+          commit-message: "chore(deps): update CPE dictionary index"
+          title: "chore(deps): update CPE dictionary index"
+          body: |
+            Update CPE dictionary index based on the latest available CPE dictionary
+          token: ${{ steps.generate-token.outputs.token }}

.github/workflows/update-stereoscope-release.yml

@@ -6,7 +6,7 @@ on:
   workflow_dispatch:
 
 env:
-  GO_VERSION: "1.19.x"
+  GO_VERSION: "1.20.x"
   GO_STABLE_VERSION: true
 
 jobs:

.github/workflows/validations.yaml

@@ -34,33 +34,35 @@ jobs:
         uses: ./.github/actions/bootstrap
 
       - name: Restore Java test-fixture cache
-        id: unit-java-cache
         uses: actions/cache@v3
         with:
           path: syft/pkg/cataloger/java/test-fixtures/java-builds/packages
-          key: ${{ runner.os }}-unit-java-cache-${{ hashFiles( 'syft/pkg/cataloger/java/test-fixtures/java-builds/packages.fingerprint' ) }}
+          key: ${{ runner.os }}-unit-java-cache-${{ hashFiles( 'syft/pkg/cataloger/java/test-fixtures/java-builds/cache.fingerprint' ) }}
 
       - name: Restore RPM test-fixture cache
-        id: unit-rpm-cache
         uses: actions/cache@v3
         with:
           path: syft/pkg/cataloger/rpm/test-fixtures/rpms
           key: ${{ runner.os }}-unit-rpm-cache-${{ hashFiles( 'syft/pkg/cataloger/rpm/test-fixtures/rpms.fingerprint' ) }}
 
       - name: Restore go binary test-fixture cache
-        id: unit-go-binary-cache
         uses: actions/cache@v3
         with:
           path: syft/pkg/cataloger/golang/test-fixtures/archs/binaries
           key: ${{ runner.os }}-unit-go-binaries-cache-${{ hashFiles( 'syft/pkg/cataloger/golang/test-fixtures/archs/binaries.fingerprint' ) }}
 
       - name: Restore binary cataloger test-fixture cache
-        id: unit-binary-cataloger-cache
         uses: actions/cache@v3
         with:
           path: syft/pkg/cataloger/binary/test-fixtures/classifiers/dynamic
           key: ${{ runner.os }}-unit-binary-cataloger-cache-${{ hashFiles( 'syft/pkg/cataloger/binary/test-fixtures/cache.fingerprint' ) }}
 
+      - name: Restore Kernel test-fixture cache
+        uses: actions/cache@v3
+        with:
+          path: syft/pkg/cataloger/kernel/test-fixtures/cache
+          key: ${{ runner.os }}-unit-kernel-cache-${{ hashFiles( 'syft/pkg/cataloger/kernel/test-fixtures/cache.fingerprint' ) }}
+
       - name: Run unit tests
         run: make unit
 

.gitignore

@@ -1,3 +1,8 @@
+go.work
+go.work.sum
+/bin
+/.bin
+/build
 CHANGELOG.md
 VERSION
 /test/results
@@ -15,6 +20,7 @@ VERSION
 *.hpi
 *.zip
 .idea/
+*.iml
 *.log
 .images
 .tmp/

.golangci.yaml

@@ -12,7 +12,6 @@ linters:
   enable:
     - asciicheck
     - bodyclose
-    - depguard
     - dogsled
     - dupl
     - errcheck
@@ -57,6 +56,7 @@ run:
 
 # do not enable...
 #    - deadcode          # The owner seems to have abandoned the linter. Replaced by "unused".
+#    - depguard          # We don't have a configuration for this yet
 #    - goprintffuncname  # does not catch all cases and there are exceptions
 #    - nakedret          # does not catch all cases and should not fail a build
 #    - gochecknoglobals

CONTRIBUTORS.md

@@ -5,3 +5,7 @@ The following Syft components were contributed by external authors/organizations
 ## GraalVM Native Image
 
 A cataloger contributed by Oracle Corporation that extracts packages given within GraalVM Native Image SBOMs.
+
+## Swift Package Manager
+
+A cataloger contributed by Axis Communications that catalogs packages resolved by Swift Package Manager.

DEVELOPING.md

@@ -7,6 +7,25 @@ In order to test and develop in this repo you will need the following dependenci
 - docker
 - make
 
+### Docker settings for getting started
+Make sure you've updated your docker settings so the default docker socket path is available.
+
+Go to:
+
+docker -> settings -> advanced
+
+Make sure:
+
+```
+Allow the default Docker socket to be used
+```
+
+is checked.
+
+Also double check that the docker context being used is the default context. If it is not, run:
+
+`docker context use default`
+
 After cloning the following step can help you get setup:
 1. run `make bootstrap` to download go mod dependencies, create the `/.tmp` dir, and download helper utilities.
 2. run `make` to view the selection of developer commands in the Makefile
@@ -19,6 +38,26 @@ The main make tasks for common static analysis and testing are `lint`, `format`,
 
 See `make help` for all the current make tasks.
 
+### Internal Artifactory Settings
+
+**Not always applicable**
+
+Some companies have Artifactory setup internally as a solution for sourcing secure dependencies.
+If you're seeing an issue where the unit tests won't run because of the below error then this section might be relevant for your use case.
+
+```
+[ERROR] [ERROR] Some problems were encountered while processing the POMs
+```
+
+If you're dealing with an issue where the unit tests will not pull/build certain java fixtures check some of these settings:
+
+- a `settings.xml` file should be available to help you communicate with your internal artifactory deployment
+- this can be moved to `syft/pkg/cataloger/java/test-fixtures/java-builds/example-jenkins-plugin/` to help build the unit test-fixtures
+- you'll also want to modify the `build-example-jenkins-plugin.sh` to use `settings.xml`
+
+For more information on this setup and troubleshooting see [issue 1895](https://github.com/anchore/syft/issues/1895#issuecomment-1610085319)
+
+
 ## Architecture
 
 Syft is used to generate a Software Bill of Materials (SBOM) from different kinds of input.
@@ -167,12 +206,12 @@ always feel free to file an issue or reach out to us [on slack](https://anchore.
 
 #### Searching for files
 
-All catalogers are provided an instance of the [`source.FileResolver`](https://github.com/anchore/syft/blob/v0.70.0/syft/source/file_resolver.go#L8) to interface with the image and search for files. The implementations for these 
+All catalogers are provided an instance of the [`file.Resolver`](https://github.com/anchore/syft/blob/v0.70.0/syft/source/file_resolver.go#L8) to interface with the image and search for files. The implementations for these 
 abstractions leverage [`stereoscope`](https://github.com/anchore/stereoscope) in order to perform searching. Here is a 
 rough outline how that works:
 
-1. a stereoscope `file.Index` is searched based on the input given (a path, glob, or MIME type). The index is relatively fast to search, but requires results to be filtered down to the files that exist in the specific layer(s) of interest. This is done automatically by the `filetree.Searcher` abstraction. This abstraction will fallback to searching directly against the raw `filetree.FileTree` if the index does not contain the file(s) of interest. Note: the `filetree.Searcher` is used by the `source.FileResolver` abstraction.
-2. Once the set of files are returned from the `filetree.Searcher` the results are filtered down further to return the most unique file results. For example, you may have requested for files by a glob that returns multiple results. These results are filtered down to deduplicate by real files, so if a result contains two references to the same file, say one accessed via symlink and one accessed via the real path, then the real path reference is returned and the symlink reference is filtered out. If both were accessed by symlink then the first (by lexical order) is returned. This is done automatically by the `source.FileResolver` abstraction.
+1. a stereoscope `file.Index` is searched based on the input given (a path, glob, or MIME type). The index is relatively fast to search, but requires results to be filtered down to the files that exist in the specific layer(s) of interest. This is done automatically by the `filetree.Searcher` abstraction. This abstraction will fallback to searching directly against the raw `filetree.FileTree` if the index does not contain the file(s) of interest. Note: the `filetree.Searcher` is used by the `file.Resolver` abstraction.
+2. Once the set of files are returned from the `filetree.Searcher` the results are filtered down further to return the most unique file results. For example, you may have requested for files by a glob that returns multiple results. These results are filtered down to deduplicate by real files, so if a result contains two references to the same file, say one accessed via symlink and one accessed via the real path, then the real path reference is returned and the symlink reference is filtered out. If both were accessed by symlink then the first (by lexical order) is returned. This is done automatically by the `file.Resolver` abstraction.
 3. By the time results reach the `pkg.Cataloger` you are guaranteed to have a set of unique files that exist in the layer(s) of interest (relative to what the resolver supports).
 
 ## Testing

Makefile

@@ -10,15 +10,15 @@ CHRONICLE_CMD = $(TEMP_DIR)/chronicle
 GLOW_CMD = $(TEMP_DIR)/glow
 
 # Tool versions #################################
-GOLANGCILINT_VERSION := v1.52.2
+GOLANGCILINT_VERSION := v1.54.2
 GOSIMPORTS_VERSION := v0.3.8
 BOUNCER_VERSION := v0.4.0
-CHRONICLE_VERSION := v0.6.0
-GORELEASER_VERSION := v1.17.0
+CHRONICLE_VERSION := v0.7.0
+GORELEASER_VERSION := v1.20.0
 YAJSV_VERSION := v1.4.1
-COSIGN_VERSION := v1.13.1
+COSIGN_VERSION := v2.1.1
 QUILL_VERSION := v0.2.0
-GLOW_VERSION := v1.5.0
+GLOW_VERSION := v1.5.1
 
 # Formatting variables #################################
 BOLD := $(shell tput -T linux bold)
@@ -90,7 +90,7 @@ bootstrap-tools: $(TEMP_DIR)
 	# the only difference between goimports and gosimports is that gosimports removes extra whitespace between import blocks (see https://github.com/golang/go/issues/20818)
 	GOBIN="$(realpath $(TEMP_DIR))" go install github.com/rinchsan/gosimports/cmd/gosimports@$(GOSIMPORTS_VERSION)
 	GOBIN="$(realpath $(TEMP_DIR))" go install github.com/neilpa/yajsv@$(YAJSV_VERSION)
-	GOBIN="$(realpath $(TEMP_DIR))" go install github.com/sigstore/cosign/cmd/cosign@$(COSIGN_VERSION)
+	GOBIN="$(realpath $(TEMP_DIR))" go install github.com/sigstore/cosign/v2/cmd/cosign@$(COSIGN_VERSION)
 	GOBIN="$(realpath $(TEMP_DIR))" go install github.com/charmbracelet/glow@$(GLOW_VERSION)
 
 .PHONY: bootstrap-go
@@ -199,7 +199,7 @@ fingerprints:
 
 	# for JAVA BUILD test fixtures
 	cd syft/pkg/cataloger/java/test-fixtures/java-builds && \
-		make packages.fingerprint
+		make cache.fingerprint
 
 	# for GO BINARY test fixtures
 	cd syft/pkg/cataloger/golang/test-fixtures/archs && \
@@ -209,6 +209,10 @@ fingerprints:
 	cd syft/pkg/cataloger/rpm/test-fixtures && \
 		make rpms.fingerprint
 
+	# for Kernel test fixtures
+	cd syft/pkg/cataloger/kernel/test-fixtures && \
+		make cache.fingerprint
+
 	# for INSTALL integration test fixtures
 	cd test/install && \
 		make cache.fingerprint
@@ -294,22 +298,28 @@ compare-test-rpm-package-install: $(TEMP_DIR) $(SNAPSHOT_DIR)
 			$(TEMP_DIR)
 
 
-## Code generation targets #################################
+## Code and data generation targets #################################
 
 .PHONY: generate-json-schema
 generate-json-schema:  ## Generate a new json schema
-	cd schema/json && go run generate.go
+	cd syft/internal && go generate . && cd jsonschema && go run .
 
 .PHONY: generate-license-list
 generate-license-list:  ## Generate an updated spdx license list
 	go generate ./internal/spdxlicense/...
 	gofmt -s -w ./internal/spdxlicense
 
+.PHONY: generate-cpe-dictionary-index
+generate-cpe-dictionary-index:  ## Build the CPE index based off of the latest available CPE dictionary
+	$(call title,Building CPE index)
+	go generate ./syft/pkg/cataloger/common/cpe/dictionary
+
 
 ## Build-related targets #################################
 
 .PHONY: build
-build: $(SNAPSHOT_DIR)  ## Build release snapshot binaries and packages
+build:
+	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/syft
 
 $(SNAPSHOT_DIR):  ## Build snapshot release binaries and packages
 	$(call title,Building snapshot artifacts)