argocd binary classifier #1606

Closed
y12studio opened this issue Feb 23, 2023 · 2 comments · Fixed by #1663
Labels
enhancement New feature or request good-first-issue Good for newcomers

Comments

@y12studio
Contributor

What would you like to be added:

binary classifiers for argocd, helm and kustomize.

Why is this needed:

argocd is widely used and is usually not installed with a package manager inside docker images.

pullCount : 100M+
from https://hub.docker.com/r/argoproj/argocd

Additional context:
current output from syft 0.72.0

$ syft -q packages argoproj/argocd:v2.6.2 | grep -E 'argocd|helm|kustomize'
helm.sh/helm/v3                                                              v0.0.0-20221214143859-835b7334cfe2                 go-module  
sigs.k8s.io/kustomize/api                                                    v0.11.4                                            go-module  
sigs.k8s.io/kustomize/api                                                    v0.12.1                                            go-module  
sigs.k8s.io/kustomize/cmd/config                                             v0.10.9                                            go-module  
sigs.k8s.io/kustomize/kustomize/v4                                           v0.0.0-20220802162801-56d82a8378df                 go-module  
sigs.k8s.io/kustomize/kyaml                                                  v0.13.6                                            go-module  
sigs.k8s.io/kustomize/kyaml                                                  v0.13.9                                            go-module  

$ syft -q packages argoproj/argocd:v2.6.2 -o json | grep -E '2.3:a:[.]?argo|2.3:a:helm|2.3:a:kustomize'
    "cpe:2.3:a:argoproj:argo-cd\\/v2:v0.0.0-20230216145252-6e02f8b23201:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:argo_cd\\/v2:v0.0.0-20230216145252-6e02f8b23201:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:gitops-engine:v0.7.1-0.20221208230615-917f5a0f16d5:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:gitops_engine:v0.7.1-0.20221208230615-917f5a0f16d5:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:notifications-engine:v0.3.1-0.20221203221941-490d98afd1d6:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:notifications_engine:v0.3.1-0.20221203221941-490d98afd1d6:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:pkg:v0.13.7-0.20221221191914-44694015343d:*:*:*:*:*:*:*"
    "cpe:2.3:a:helm:v3:v0.0.0-20221214143859-835b7334cfe2:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.11.4:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.12.1:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.12.1:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:cmd\\/config:v0.10.9:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kustomize\\/v4:v0.0.0-20220802162801-56d82a8378df:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.6:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.9:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.9:*:*:*:*:*:*:*"

cpe used should be

$ go run cmd/syft/main.go argoproj/argocd:v2.6.2 | grep -E 'argocd|helm|kustomize'
argocd                                                                       2.6.2                                              binary     
helm                                                                         3.10.3                                             binary     
helm.sh/helm/v3                                                              v0.0.0-20221214143859-835b7334cfe2                 go-module  
kustomize                                                                    4.5.7                                              binary     
sigs.k8s.io/kustomize/api                                                    v0.11.4                                            go-module  
sigs.k8s.io/kustomize/api                                                    v0.12.1                                            go-module  
sigs.k8s.io/kustomize/cmd/config                                             v0.10.9                                            go-module  
sigs.k8s.io/kustomize/kustomize/v4                                           v0.0.0-20220802162801-56d82a8378df                 go-module  
sigs.k8s.io/kustomize/kyaml                                                  v0.13.6                                            go-module  
sigs.k8s.io/kustomize/kyaml                                                  v0.13.9                                            go-module 

$ go run cmd/syft/main.go argoproj/argocd:v2.6.2 -o json | grep -E '2.3:a:[.]?argo|2.3:a:helm|2.3:a:kustomize'
    "cpe:2.3:a:argoproj:argocd:2.6.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:argocd:argocd:2.6.2:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:argo-cd\\/v2:v0.0.0-20230216145252-6e02f8b23201:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:argo_cd\\/v2:v0.0.0-20230216145252-6e02f8b23201:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:gitops-engine:v0.7.1-0.20221208230615-917f5a0f16d5:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:gitops_engine:v0.7.1-0.20221208230615-917f5a0f16d5:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:notifications-engine:v0.3.1-0.20221203221941-490d98afd1d6:*:*:*:*:*:*:*",
    "cpe:2.3:a:argoproj:notifications_engine:v0.3.1-0.20221203221941-490d98afd1d6:*:*:*:*:*:*:*"
    "cpe:2.3:a:argoproj:pkg:v0.13.7-0.20221221191914-44694015343d:*:*:*:*:*:*:*"
    "cpe:2.3:a:helm:helm:3.10.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:helm:helm:3.10.3:*:*:*:*:*:*:*"
    "cpe:2.3:a:helm:v3:v0.0.0-20221214143859-835b7334cfe2:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kustomize:4.5.7:*:*:*:*:*:*:*",
    "cpe:2.3:a:kustomize:kustomize:4.5.7:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.11.4:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.12.1:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:api:v0.12.1:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:cmd\\/config:v0.10.9:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kustomize\\/v4:v0.0.0-20220802162801-56d82a8378df:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.6:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.9:*:*:*:*:*:*:*"
    "cpe:2.3:a:kustomize:kyaml:v0.13.9:*:*:*:*:*:*:*"

argoproj/argocd:v2.5.11 used for text fixtures

# https://hub.docker.com/r/argoproj/argocd/tags

TARGET_IMG=argoproj/argocd:v2.5.11
DEV_IMG=foo1234
docker build -t ${DEV_IMG} - <<EOF
FROM ${TARGET_IMG}
USER root
RUN apt-get update && apt-get install -y binutils
EOF

docker run -i --entrypoint=sh ${DEV_IMG} <<'EOF'
echo "===> argocd version"
/usr/local/bin/argocd version
echo "===> strings argocd"
strings /usr/local/bin/argocd | grep '2\.5\.11'
echo "===> helm version"
/usr/local/bin/helm version
echo "===> strings helm"
strings /usr/local/bin/helm | grep '3\.10\.3'
echo "===> kustomize version"
/usr/local/bin/kustomize version
echo "===> strings kustomize"
strings /usr/local/bin/kustomize | grep '4\.5\.7'
EOF

text fixtures

===> argocd version
argocd: v2.5.11+6dd7989
  BuildDate: 2023-02-16T15:06:40Z
  GitCommit: 6dd79895e248cc0980bcaf6c6bafdc9afbbf80cb
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
time="2023-02-23T04:07:38Z" level=fatal msg="Argo CD server address unspecified"
===> strings argocd
2.5.11
build   -ldflags="-X github.com/argoproj/argo-cd/v2/common.version=2.5.11 -X github.com/argoproj/argo-cd/v2/common.buildDate=2023-02-16T15:06:40Z -X github.com/argoproj/argo-cd/v2/common.gitCommit=6dd79895e248cc0980bcaf6c6bafdc9afbbf80cb -X github.com/argoproj/argo-cd/v2/common.gitTreeState=clean -X github.com/argoproj/argo-cd/v2/common.kubectlVersion=v0.24.2 -extldflags \"-static\""
build   -ldflags="-X github.com/argoproj/argo-cd/v2/common.version=2.5.11 -X github.com/argoproj/argo-cd/v2/common.buildDate=2023-02-16T15:06:40Z -X github.com/argoproj/argo-cd/v2/common.gitCommit=6dd79895e248cc0980bcaf6c6bafdc9afbbf80cb -X github.com/argoproj/argo-cd/v2/common.gitTreeState=clean -X github.com/argoproj/argo-cd/v2/common.kubectlVersion=v0.24.2 -extldflags \"-static\""
===> helm version
version.BuildInfo{Version:"v3.10.3", GitCommit:"835b7334cfe2e5e27870ab3ed4135f136eecc704", GitTreeState:"clean", GoVersion:"go1.18.9"}
===> strings helm
v3.10.3
===> kustomize version
{Version:kustomize/v4.5.7 GitCommit:56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7 BuildDate:2022-08-02T16:35:54Z GoOs:linux GoArch:amd64}
===> strings kustomize
kustomize/v4.5.7
build   -ldflags="-s -X sigs.k8s.io/kustomize/api/provenance.version=kustomize/v4.5.7 -X sigs.k8s.io/kustomize/api/provenance.gitCommit=56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7 -X sigs.k8s.io/kustomize/api/provenance.buildDate=2022-08-02T16:35:54Z "
build   -ldflags="-s -X sigs.k8s.io/kustomize/api/provenance.version=kustomize/v4.5.7 -X sigs.k8s.io/kustomize/api/provenance.gitCommit=56d82a8378dfc8dc3b3b1085e5a6e67b82966bd7 -X sigs.k8s.io/kustomize/api/provenance.buildDate=2022-08-02T16:35:54Z "

git diff

--- a/syft/pkg/cataloger/binary/default_classifiers.go
+++ b/syft/pkg/cataloger/binary/default_classifiers.go
@@ -175,6 +175,96 @@ var defaultClassifiers = []classifier{
 		Package: "traefik",
 		PURL:    mustPURL("pkg:generic/traefik@version"),
 	},
+	{
+		Class:    "argocd",
+		FileGlob: "**/argocd",
+		EvidenceMatcher: fileContentsVersionMatcher(
+			`(?m)common\.version=(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+		Package: "argocd",
+		PURL:    mustPURL("pkg:generic/argocd@version"),
+		CPEs:    singleCPE("cpe:2.3:a:argoproj:argocd:*:*:*:*:*:*:*"),
+	},
+	{
+		Class:    "helm",
+		FileGlob: "**/helm",
+		EvidenceMatcher: fileContentsVersionMatcher(
+			`(?m)\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00`),
+		Package: "helm",
+		PURL:    mustPURL("pkg:generic/helm@version"),
+		CPEs:    singleCPE("cpe:2.3:a:helm:helm:*:*:*:*:*:*:*"),
+	},
+	{
+		Class:    "kustomize",
+		FileGlob: "**/kustomize",
+		EvidenceMatcher: fileContentsVersionMatcher(
+			`(?m)version=kustomize/v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
+		Package: "kustomize",
+		PURL:    mustPURL("pkg:generic/kustomize@version"),
+		CPEs:    singleCPE("cpe:2.3:a:kustomize:kustomize:*:*:*:*:*:*:*"),
+	},
 	{
 		Class:    "postgresql-binary",
 		FileGlob: "**/postgres",
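Review bot: The helm matcher `\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00` contains nothing specific to helm, so any NUL-delimited vX.Y.Z string in a file matching `**/helm` would be reported as the helm version, whereas the argocd and kustomize patterns key on `common\.version=` and `version=kustomize/v`. Consider anchoring the helm pattern on neighbouring evidence from the binary, and tightening the argocd pattern to the full `argo-cd/v2/common\.version=` path that appears in the ldflags. Two smaller points: each `singleCPE` string has seven `*` fields after the product, while a CPE 2.3 formatted string has eight attributes after the product (version through other), so the templates look one field short; and all three version groups stop at `X.Y.Z`, so a pre-release build would be recorded without its suffix.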
@y12studio y12studio added the enhancement New feature or request label Feb 23, 2023
@tgerla tgerla added this to OSS Feb 27, 2023
@tgerla tgerla added the good-first-issue Good for newcomers label Mar 9, 2023
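An added example (not code from the issue or from Syft): the three regular expressions proposed above, run against constructed byte snippets modelled on the `strings` fixtures, including cases where the evidence is unframed, ambiguous, or a pre-release. The names `patterns`, `samples` and `extractVersion` are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns copied verbatim from the classifiers proposed in the issue.
var patterns = map[string]*regexp.Regexp{
	"argocd":    regexp.MustCompile(`(?m)common\.version=(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
	"helm":      regexp.MustCompile(`(?m)\x00v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)\x00`),
	"kustomize": regexp.MustCompile(`(?m)version=kustomize/v(?P<version>[0-9]+\.[0-9]+\.[0-9]+)`),
}

// Constructed byte snippets modelled on the strings output in the issue;
// they are not real binary contents.
var samples = map[string][]byte{
	"argocd":    []byte("build\t-ldflags=\"-X github.com/argoproj/argo-cd/v2/common.version=2.5.11 -X github.com/argoproj/argo-cd/v2/common.gitTreeState=clean\""),
	"helm":      []byte("\x00GitTreeState\x00v3.10.3\x00clean\x00"),
	"kustomize": []byte("-X sigs.k8s.io/kustomize/api/provenance.version=kustomize/v4.5.7 -X"),
	// Edge cases (constructed): no NUL framing, an unrelated NUL-framed
	// version ahead of the real one, and a pre-release build.
	"helm-unframed":  []byte("Version:\"v3.10.3\", GitCommit"),
	"helm-ambiguous": []byte("\x00v1.2.3\x00padding\x00v3.10.3\x00"),
	"argocd-rc":      []byte("common.version=2.6.0-rc1 -X"),
}

// extractVersion (hypothetical helper) applies the pattern for class to
// contents and returns the named "version" group of the first match, or "".
func extractVersion(class string, contents []byte) string {
	re, ok := patterns[class]
	if !ok {
		return ""
	}
	m := re.FindSubmatch(contents)
	if m == nil {
		return ""
	}
	return string(m[re.SubexpIndex("version")])
}

func main() {
	for _, c := range []string{"argocd", "helm", "kustomize"} {
		fmt.Printf("%-10s %q\n", c, extractVersion(c, samples[c]))
	}
	fmt.Printf("unframed    %q\n", extractVersion("helm", samples["helm-unframed"]))
	fmt.Printf("ambiguous   %q\n", extractVersion("helm", samples["helm-ambiguous"]))
	fmt.Printf("pre-release %q\n", extractVersion("argocd", samples["argocd-rc"]))
}
```

The ambiguous case returns the first NUL-framed version in the file, and the pre-release case returns the version without its suffix, which is what a vulnerability matcher downstream would then compare against.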
@tgerla
Contributor

tgerla commented Mar 9, 2023

Hi @y12studio, thank you very much! Would you be able to submit this as a GitHub pull request and we will take a look and consider it for inclusion? Please let us know if you need help with that, and thanks again for the contribution.

We would need to update the PURLs from pkg:generic to pkg:golang.

@tgerla tgerla moved this to Awaiting Response in OSS Mar 9, 2023
@y12studio
Contributor Author

@tgerla Certainly, Syft is a highly commendable project. I would be delighted to help with its ongoing development.
