-
Notifications
You must be signed in to change notification settings - Fork 594
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a cataloger that detects installed R packages by looking for DESCRIPTION files. Signed-off-by: Will Murphy <will.murphy@anchore.com>
- Loading branch information
1 parent
d63a1f5
commit 93d3c4a
Showing
24 changed files
with
522 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
package r | ||
|
||
import ( | ||
"github.com/anchore/syft/syft/pkg/cataloger/generic" | ||
) | ||
|
||
const catalogerName = "r-package-cataloger" | ||
|
||
// NewPackageCataloger returns a new R cataloger object based on detection of R package DESCRIPTION files. | ||
func NewPackageCataloger() *generic.Cataloger { | ||
return generic.NewCataloger(catalogerName). | ||
WithParserByGlobs(parseDescriptionFile, "**/DESCRIPTION") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
package r | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/anchore/syft/syft/artifact" | ||
"github.com/anchore/syft/syft/pkg" | ||
"github.com/anchore/syft/syft/pkg/cataloger/internal/pkgtest" | ||
"github.com/anchore/syft/syft/source" | ||
) | ||
|
||
func TestRPackageCataloger(t *testing.T) { | ||
expectedPkgs := []pkg.Package{ | ||
{ | ||
Name: "base", | ||
Version: "4.3.0", | ||
FoundBy: "r-package-cataloger", | ||
Locations: source.NewLocationSet(source.NewLocation("base/DESCRIPTION")), | ||
Licenses: []string{"Part of R 4.3.0"}, | ||
Language: "R", | ||
Type: "R-package", | ||
PURL: "pkg:cran/base@4.3.0", | ||
MetadataType: "RDescriptionFileMetadataType", | ||
Metadata: pkg.RDescriptionFileMetadata{ | ||
Title: "The R Base Package", | ||
Description: "Base R functions.", | ||
Author: "R Core Team and contributors worldwide", | ||
Maintainer: "R Core Team <do-use-Contact-address@r-project.org>", | ||
Built: "R 4.3.0; ; 2023-04-21 11:33:09 UTC; unix", | ||
Suggests: []string{"methods"}, | ||
}, | ||
}, | ||
{ | ||
Name: "stringr", | ||
Version: "1.5.0.9000", | ||
FoundBy: "r-package-cataloger", | ||
Locations: source.NewLocationSet(source.NewLocation("stringr/DESCRIPTION")), | ||
Licenses: []string{"MIT + file LICENSE"}, | ||
Language: "R", | ||
Type: "R-package", | ||
PURL: "pkg:cran/stringr@1.5.0.9000", | ||
MetadataType: "RDescriptionFileMetadataType", | ||
Metadata: pkg.RDescriptionFileMetadata{ | ||
Title: "Simple, Consistent Wrappers for Common String Operations", | ||
Description: "A consistent, simple and easy to use set of wrappers around the fantastic 'stringi' package. All function and argument names (and positions) are consistent, all functions deal with \"NA\"'s and zero length vectors in the same way, and the output from one function is easy to feed into the input of another.", | ||
URL: []string{"https://stringr.tidyverse.org", "https://github.com/tidyverse/stringr"}, | ||
Imports: []string{ | ||
"cli", "glue (>= 1.6.1)", "lifecycle (>= 1.0.3)", "magrittr", | ||
"rlang (>= 1.0.0)", "stringi (>= 1.5.3)", "vctrs (>= 0.4.0)", | ||
}, | ||
Depends: []string{"R (>= 3.3)"}, | ||
Suggests: []string{"covr", "dplyr", "gt", "htmltools", "htmlwidgets", "knitr", "rmarkdown", "testthat (>= 3.0.0)", "tibble"}, | ||
}, | ||
}, | ||
} | ||
// TODO: relationships are not under test yet | ||
var expectedRelationships []artifact.Relationship | ||
|
||
pkgtest.NewCatalogTester().FromDirectory(t, "test-fixtures/installed").Expects(expectedPkgs, expectedRelationships).TestCataloger(t, NewPackageCataloger()) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
package r | ||
|
||
import ( | ||
"github.com/anchore/packageurl-go" | ||
"github.com/anchore/syft/syft/pkg" | ||
"github.com/anchore/syft/syft/source" | ||
) | ||
|
||
func newPackage(pd parseData, locations ...source.Location) pkg.Package { | ||
locationSet := source.NewLocationSet() | ||
for _, loc := range locations { | ||
locationSet.Add(loc.WithAnnotation(pkg.EvidenceAnnotationKey, pkg.PrimaryEvidenceAnnotation)) | ||
} | ||
result := pkg.Package{ | ||
Name: pd.Package, | ||
Version: pd.Version, | ||
FoundBy: catalogerName, | ||
Locations: locationSet, | ||
Licenses: []string{pd.License}, | ||
Language: "R", | ||
Type: pkg.Rpkg, | ||
PURL: packageURL(pd), | ||
MetadataType: pkg.RDescriptionFileMetadataType, | ||
Metadata: pd.RDescriptionFileMetadata, | ||
} | ||
|
||
result.Language = "R" | ||
result.FoundBy = catalogerName | ||
|
||
result.Licenses = []string{pd.License} | ||
result.Version = pd.Version | ||
result.SetID() | ||
return result | ||
} | ||
|
||
func packageURL(m parseData) string { | ||
return packageurl.NewPackageURL("cran", "", m.Package, m.Version, nil, "").ToString() | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,134 @@ | ||
package r | ||
|
||
import ( | ||
"bufio" | ||
"io" | ||
"regexp" | ||
"strings" | ||
|
||
"github.com/anchore/syft/syft/artifact" | ||
"github.com/anchore/syft/syft/pkg" | ||
"github.com/anchore/syft/syft/pkg/cataloger/generic" | ||
"github.com/anchore/syft/syft/source" | ||
) | ||
|
||
/* some examples of license strings found in DESCRIPTION files: | ||
find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep 'License:' | sort | uniq | ||
License: GPL | ||
License: GPL (>= 2) | ||
License: GPL (>=2) | ||
License: GPL(>=2) | ||
License: GPL (>= 2) | file LICENCE | ||
License: GPL-2 | GPL-3 | ||
License: GPL-3 | ||
License: LGPL (>= 2) | ||
License: LGPL (>= 2.1) | ||
License: MIT + file LICENSE | ||
License: Part of R 4.3.0 | ||
License: Unlimited | ||
*/ | ||
|
||
func parseDescriptionFile(_ source.FileResolver, _ *generic.Environment, reader source.LocationReadCloser) ([]pkg.Package, []artifact.Relationship, error) { | ||
values := extractFieldsFromDescriptionFile(reader) | ||
m := parseDataFromDescriptionMap(values) | ||
return []pkg.Package{newPackage(m, []source.Location{reader.Location}...)}, nil, nil | ||
} | ||
|
||
type parseData struct { | ||
Package string | ||
Version string | ||
License string | ||
pkg.RDescriptionFileMetadata | ||
} | ||
|
||
func parseDataFromDescriptionMap(values map[string]string) parseData { | ||
return parseData{ | ||
License: values["License"], | ||
Package: values["Package"], | ||
Version: values["Version"], | ||
RDescriptionFileMetadata: pkg.RDescriptionFileMetadata{ | ||
Title: values["Title"], | ||
Description: cleanMultiLineValue(values["Description"]), | ||
Maintainer: values["Maintainer"], | ||
URL: commaSeparatedList(values["URL"]), | ||
Depends: commaSeparatedList(values["Depends"]), | ||
Imports: commaSeparatedList(values["Imports"]), | ||
Suggests: commaSeparatedList(values["Suggests"]), | ||
NeedsCompilation: yesNoToBool(values["NeedsCompilation"]), | ||
Author: values["Author"], | ||
Repository: values["Repository"], | ||
Built: values["Built"], | ||
}, | ||
} | ||
} | ||
|
||
func yesNoToBool(s string) bool { | ||
return strings.EqualFold(s, "yes") | ||
} | ||
|
||
func commaSeparatedList(s string) []string { | ||
var result []string | ||
split := strings.Split(s, ",") | ||
for _, piece := range split { | ||
value := strings.TrimSpace(piece) | ||
if value == "" { | ||
continue | ||
} | ||
result = append(result, value) | ||
} | ||
return result | ||
} | ||
|
||
var space = regexp.MustCompile(`\s+`) | ||
|
||
func cleanMultiLineValue(s string) string { | ||
return space.ReplaceAllString(s, " ") | ||
} | ||
|
||
func extractFieldsFromDescriptionFile(reader io.Reader) map[string]string { | ||
result := make(map[string]string) | ||
key := "" | ||
var valueFragment strings.Builder | ||
scanner := bufio.NewScanner(reader) | ||
|
||
for scanner.Scan() { | ||
line := scanner.Text() | ||
// line is like Key: Value -> start capturing value; close out previous value | ||
// line is like \t\t continued value -> append to existing value | ||
if len(line) == 0 { | ||
continue | ||
} | ||
if startsWithWhitespace(line) { | ||
// we're continuing a value | ||
if key == "" { | ||
continue | ||
} | ||
valueFragment.WriteByte('\n') | ||
valueFragment.WriteString(strings.TrimSpace(line)) | ||
} else { | ||
if key != "" { | ||
// capture previous value | ||
result[key] = valueFragment.String() | ||
key = "" | ||
valueFragment = strings.Builder{} | ||
} | ||
parts := strings.SplitN(line, ":", 2) | ||
if len(parts) != 2 { | ||
continue | ||
} | ||
key = parts[0] | ||
valueFragment.WriteString(strings.TrimSpace(parts[1])) | ||
} | ||
} | ||
if key != "" { | ||
result[key] = valueFragment.String() | ||
} | ||
return result | ||
} | ||
|
||
func startsWithWhitespace(s string) bool { | ||
if s == "" { | ||
return false | ||
} | ||
return s[0] == ' ' || s[0] == '\t' | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
package r | ||
|
||
import ( | ||
"os" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"github.com/stretchr/testify/require" | ||
) | ||
|
||
func Test_extractFieldsFromDescriptionFile(t *testing.T) { | ||
tests := []struct { | ||
name string | ||
fixture string | ||
want map[string]string | ||
}{ | ||
{ | ||
name: "go case", | ||
fixture: "test-fixtures/map-parse/simple", | ||
want: map[string]string{ | ||
"Package": "base", | ||
"Version": "4.3.0", | ||
"Suggests": "methods", | ||
"Built": "R 4.3.0; ; 2023-04-21 11:33:09 UTC; unix", | ||
}, | ||
}, | ||
{ | ||
name: "bad cases", | ||
fixture: "test-fixtures/map-parse/bad", | ||
want: map[string]string{ | ||
"Key": "", | ||
"Whitespace": "", | ||
}, | ||
}, | ||
{ | ||
name: "multiline key-value", | ||
fixture: "test-fixtures/map-parse/multiline", | ||
want: map[string]string{ | ||
"Description": `A consistent, simple and easy to use set of wrappers around | ||
the fantastic 'stringi' package. All function and argument names (and | ||
positions) are consistent, all functions deal with "NA"'s and zero | ||
length vectors in the same way, and the output from one function is | ||
easy to feed into the input of another.`, | ||
"License": "MIT + file LICENSE", | ||
"Key": "value", | ||
}, | ||
}, | ||
{ | ||
name: "eof multiline", | ||
fixture: "test-fixtures/map-parse/eof-multiline", | ||
want: map[string]string{ | ||
"License": "MIT + file LICENSE", | ||
"Description": `A consistent, simple and easy to use set of wrappers around | ||
the fantastic 'stringi' package. All function and argument names (and | ||
positions) are consistent, all functions deal with "NA"'s and zero | ||
length vectors in the same way, and the output from one function is | ||
easy to feed into the input of another.`, | ||
}, | ||
}, | ||
} | ||
|
||
for _, test := range tests { | ||
t.Run(test.name, func(t *testing.T) { | ||
file, err := os.Open(test.fixture) | ||
require.NoError(t, err) | ||
|
||
result := extractFieldsFromDescriptionFile(file) | ||
|
||
assert.Equal(t, test.want, result) | ||
}) | ||
} | ||
|
||
} |
Oops, something went wrong.