package pkg

v0.84.0
Published: Jun 20, 2023 License: Apache-2.0 Imports: 20 Imported by: 241

Documentation

Overview

Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.

Index

Constants

const (
	EvidenceAnnotationKey        = "evidence"
	PrimaryEvidenceAnnotation    = "primary"
	SupportingEvidenceAnnotation = "supporting"
)
const (
	PURLQualifierArch   = "arch"
	PURLQualifierDistro = "distro"
	PURLQualifierEpoch  = "epoch"
	PURLQualifierVCSURL = "vcs_url"

	// PURLQualifierUpstream is not in the pURL spec, but is used by grype to perform indirect matching based on source information
	PURLQualifierUpstream = "upstream"
)
const AlpmDBGlob = "**/var/lib/pacman/local/**/desc"
const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"

AltRpmDBGlob allows DB matches against new locations introduced in fedora:{36,37}. See https://github.com/anchore/syft/issues/1077 for larger context.

const ApkDBGlob = "**/lib/apk/db/installed"
const DpkgDBGlob = "**/var/lib/dpkg/{status,status.d/**}"
const RpmDBGlob = "**/{var/lib,usr/share}/rpm/{Packages,Packages.db,rpmdb.sqlite}"

/var/lib/rpm/... is the typical path for most distributions.
/usr/share/rpm/... is common for rpm-ostree distributions (coreos-like).
Packages is the legacy Berkeley DB based format.
Packages.db is the "ndb" format used in SUSE.
rpmdb.sqlite is the sqlite format used in fedora and derivatives.

const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"

RpmManifestGlob is used in CBL-Mariner distroless images.

Variables

AllLanguages is a set of all programming languages detected by syft.

AllPkgs represents all supported package types

var MetadataTypeByName = map[MetadataType]reflect.Type{
	AlpmMetadataType:               reflect.TypeOf(AlpmMetadata{}),
	ApkMetadataType:                reflect.TypeOf(ApkMetadata{}),
	BinaryMetadataType:             reflect.TypeOf(BinaryMetadata{}),
	CocoapodsMetadataType:          reflect.TypeOf(CocoapodsMetadata{}),
	ConanLockMetadataType:          reflect.TypeOf(ConanLockMetadata{}),
	ConanMetadataType:              reflect.TypeOf(ConanMetadata{}),
	DartPubMetadataType:            reflect.TypeOf(DartPubMetadata{}),
	DotnetDepsMetadataType:         reflect.TypeOf(DotnetDepsMetadata{}),
	DpkgMetadataType:               reflect.TypeOf(DpkgMetadata{}),
	GemMetadataType:                reflect.TypeOf(GemMetadata{}),
	GolangBinMetadataType:          reflect.TypeOf(GolangBinMetadata{}),
	GolangModMetadataType:          reflect.TypeOf(GolangModMetadata{}),
	HackageMetadataType:            reflect.TypeOf(HackageMetadata{}),
	JavaMetadataType:               reflect.TypeOf(JavaMetadata{}),
	KbPackageMetadataType:          reflect.TypeOf(KbPackageMetadata{}),
	LinuxKernelMetadataType:        reflect.TypeOf(LinuxKernelMetadata{}),
	LinuxKernelModuleMetadataType:  reflect.TypeOf(LinuxKernelModuleMetadata{}),
	MixLockMetadataType:            reflect.TypeOf(MixLockMetadata{}),
	NixStoreMetadataType:           reflect.TypeOf(NixStoreMetadata{}),
	NpmPackageJSONMetadataType:     reflect.TypeOf(NpmPackageJSONMetadata{}),
	NpmPackageLockJSONMetadataType: reflect.TypeOf(NpmPackageLockJSONMetadata{}),
	PhpComposerJSONMetadataType:    reflect.TypeOf(PhpComposerJSONMetadata{}),
	PortageMetadataType:            reflect.TypeOf(PortageMetadata{}),
	PythonPackageMetadataType:      reflect.TypeOf(PythonPackageMetadata{}),
	PythonPipfileLockMetadataType:  reflect.TypeOf(PythonPipfileLockMetadata{}),
	PythonRequirementsMetadataType: reflect.TypeOf(PythonRequirementsMetadata{}),
	RDescriptionFileMetadataType:   reflect.TypeOf(RDescriptionFileMetadata{}),
	RebarLockMetadataType:          reflect.TypeOf(RebarLockMetadata{}),
	RpmMetadataType:                reflect.TypeOf(RpmMetadata{}),
	RustCargoPackageMetadataType:   reflect.TypeOf(CargoPackageMetadata{}),
}

Functions

func IsValid added in v0.47.0

func IsValid(p *Package) bool

IsValid checks whether a package has the minimum necessary info, which is a non-empty name. The nil-check was added as a helper because, in this code base, packages often move between callers as pointers. CycloneDX and SPDX define Name as the minimum required info for a valid package:
- https://spdx.github.io/spdx-spec/package-information/#73-package-version-field
- https://cyclonedx.org/docs/1.4/json/#components_items_name

func Less added in v0.61.0

func Less(i, j Package) bool

func NewRelationships added in v0.13.0

func NewRelationships(catalog *Collection) []artifact.Relationship

func PURLQualifiers added in v0.60.0

func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)

func RelationshipsByFileOwnership added in v0.31.0

func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship

RelationshipsByFileOwnership creates package-to-package relationships by discovering which packages have evidence locations that overlap with the ownership claims in another package's package manager metadata.
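The overlap described above, as an added self-contained illustration that is not syft's code: the Package and Relationship types below are simplified stand-ins for pkg.Package and artifact.Relationship, and the sample catalog is constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Package is a cut-down stand-in for pkg.Package (an assumption for this
// example, not syft's type): Locations are the evidence paths that led to
// discovery, Owned are the paths the package manager metadata claims
// (what FileOwner.OwnedFiles would return).
type Package struct {
	ID        string
	Name      string
	Locations []string
	Owned     []string
}

// Relationship stands in for artifact.Relationship.
type Relationship struct {
	From string // the owning package
	To   string // the package discovered inside an owned file
	Type string
}

const OwnershipByFileOverlap = "ownership-by-file-overlap"

// RelationshipsByFileOwnership links each package that claims files to every
// other package whose evidence location is one of those claimed files.
func RelationshipsByFileOwnership(pkgs []Package) []Relationship {
	// index: evidence path -> IDs of packages discovered at that path
	byPath := map[string][]string{}
	for _, p := range pkgs {
		for _, loc := range p.Locations {
			byPath[loc] = append(byPath[loc], p.ID)
		}
	}

	seen := map[Relationship]struct{}{}
	var rels []Relationship
	for _, owner := range pkgs {
		for _, f := range owner.Owned {
			for _, childID := range byPath[f] {
				if childID == owner.ID {
					continue // a package is never its own child
				}
				r := Relationship{From: owner.ID, To: childID, Type: OwnershipByFileOverlap}
				if _, dup := seen[r]; dup {
					continue // several owned files may point at the same child
				}
				seen[r] = struct{}{}
				rels = append(rels, r)
			}
		}
	}
	sort.Slice(rels, func(i, j int) bool {
		if rels[i].From != rels[j].From {
			return rels[i].From < rels[j].From
		}
		return rels[i].To < rels[j].To
	})
	return rels
}

// SamplePackages is a constructed catalog: a dpkg entry that owns the
// egg-info from which the Python cataloger also reported "requests", a dpkg
// entry with no overlapping child, and a pip-installed package with no owner.
func SamplePackages() []Package {
	const eggInfo = "/usr/lib/python3/dist-packages/requests-2.28.1.egg-info/PKG-INFO"
	return []Package{
		{ID: "dpkg:python3-requests", Name: "python3-requests",
			Locations: []string{"/var/lib/dpkg/status"},
			Owned:     []string{eggInfo, "/usr/lib/python3/dist-packages/requests/__init__.py"}},
		{ID: "python:requests", Name: "requests",
			Locations: []string{eggInfo}},
		{ID: "dpkg:curl", Name: "curl",
			Locations: []string{"/var/lib/dpkg/status"},
			Owned:     []string{"/usr/bin/curl"}},
		{ID: "python:pip", Name: "pip",
			Locations: []string{"/usr/lib/python3/dist-packages/pip-23.0.dist-info/METADATA"}},
	}
}

func main() {
	for _, r := range RelationshipsByFileOwnership(SamplePackages()) {
		fmt.Printf("%s --%s--> %s\n", r.From, r.Type, r.To)
	}
}
```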

func RelationshipsEvidentBy added in v0.78.0

func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship

func Sort added in v0.60.3

func Sort(pkgs []Package)

Types

type AlpmFileRecord added in v0.48.0

type AlpmFileRecord struct {
	Path    string        `mapstructure:"path" json:"path,omitempty"`
	Type    string        `mapstructure:"type" json:"type,omitempty"`
	UID     string        `mapstructure:"uid" json:"uid,omitempty"`
	GID     string        `mapstructure:"gid" json:"gid,omitempty"`
	Time    time.Time     `mapstructure:"time" json:"time,omitempty"`
	Size    string        `mapstructure:"size" json:"size,omitempty"`
	Link    string        `mapstructure:"link" json:"link,omitempty"`
	Digests []file.Digest `mapstructure:"digests" json:"digest,omitempty"`
}

type AlpmMetadata added in v0.48.0

type AlpmMetadata struct {
	BasePackage  string           `mapstructure:"base" json:"basepackage" cyclonedx:"basepackage"`
	Package      string           `mapstructure:"name" json:"package" cyclonedx:"package"`
	Version      string           `mapstructure:"version" json:"version" cyclonedx:"version"`
	Description  string           `mapstructure:"desc" json:"description" cyclonedx:"description"`
	Architecture string           `mapstructure:"arch" json:"architecture" cyclonedx:"architecture"`
	Size         int              `mapstructure:"size" json:"size" cyclonedx:"size"`
	Packager     string           `mapstructure:"packager" json:"packager"`
	URL          string           `mapstructure:"url" json:"url"`
	Validation   string           `mapstructure:"validation" json:"validation"`
	Reason       int              `mapstructure:"reason" json:"reason"`
	Files        []AlpmFileRecord `mapstructure:"files" json:"files"`
	Backup       []AlpmFileRecord `mapstructure:"backup" json:"backup"`
}

func (AlpmMetadata) OwnedFiles added in v0.48.0

func (m AlpmMetadata) OwnedFiles() (result []string)

type ApkFileRecord

type ApkFileRecord struct {
	Path        string       `json:"path"`
	OwnerUID    string       `json:"ownerUid,omitempty"`
	OwnerGID    string       `json:"ownerGid,omitempty"`
	Permissions string       `json:"permissions,omitempty"`
	Digest      *file.Digest `json:"digest,omitempty"`
}

ApkFileRecord represents a single file listing and metadata from an APK DB entry (which may have many of these file records).

type ApkMetadata

type ApkMetadata struct {
	Package       string          `mapstructure:"P" json:"package"`
	OriginPackage string          `mapstructure:"o" json:"originPackage" cyclonedx:"originPackage"`
	Maintainer    string          `mapstructure:"m" json:"maintainer"`
	Version       string          `mapstructure:"V" json:"version"`
	Architecture  string          `mapstructure:"A" json:"architecture"`
	URL           string          `mapstructure:"U" json:"url"`
	Description   string          `mapstructure:"T" json:"description"`
	Size          int             `mapstructure:"S" json:"size" cyclonedx:"size"`
	InstalledSize int             `mapstructure:"I" json:"installedSize" cyclonedx:"installedSize"`
	Dependencies  []string        `mapstructure:"D" json:"pullDependencies" cyclonedx:"pullDependencies"`
	Provides      []string        `mapstructure:"p" json:"provides" cyclonedx:"provides"`
	Checksum      string          `mapstructure:"C" json:"pullChecksum" cyclonedx:"pullChecksum"`
	GitCommit     string          `mapstructure:"c" json:"gitCommitOfApkPort" cyclonedx:"gitCommitOfApkPort"`
	Files         []ApkFileRecord `json:"files"`
}

ApkMetadata represents all captured data for an Alpine DB package entry. See the following sources for more information:
- https://wiki.alpinelinux.org/wiki/Apk_spec
- https://git.alpinelinux.org/apk-tools/tree/src/package.c
- https://git.alpinelinux.org/apk-tools/tree/src/database.c

func (ApkMetadata) OwnedFiles added in v0.24.0

func (m ApkMetadata) OwnedFiles() (result []string)

func (*ApkMetadata) UnmarshalJSON added in v0.61.0

func (m *ApkMetadata) UnmarshalJSON(data []byte) error

type ArchiveInfo added in v0.34.0

type ArchiveInfo struct {
	Hash string `json:"hash"`
}

type BinaryMetadata added in v0.60.0

type BinaryMetadata struct {
	Matches []ClassifierMatch `mapstructure:"Matches" json:"matches"`
}

type CargoPackageMetadata added in v0.15.0

type CargoPackageMetadata struct {
	Name         string   `toml:"name" json:"name"`
	Version      string   `toml:"version" json:"version"`
	Source       string   `toml:"source" json:"source"`
	Checksum     string   `toml:"checksum" json:"checksum"`
	Dependencies []string `toml:"dependencies" json:"dependencies"`
}

type Catalog deprecated

type Catalog = Collection

Deprecated: use Collection instead

func NewCatalog deprecated

func NewCatalog(pkgs ...Package) *Catalog

Deprecated: use NewCollection() instead

type Cataloger added in v0.60.0

type Cataloger interface {
	// Name returns a string that uniquely describes a cataloger
	Name() string
	// Catalog is given an object to resolve file references and content; it returns any discovered Packages after analyzing the catalog source.
	Catalog(resolver file.Resolver) ([]Package, []artifact.Relationship, error)
}

Cataloger describes behavior for an object to participate in parsing container image or file system contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages for a specific Package Type or ecosystem.

type ClassifierMatch added in v0.73.0

type ClassifierMatch struct {
	Classifier string        `mapstructure:"Classifier" json:"classifier"`
	Location   file.Location `mapstructure:"Location" json:"location"`
}

type CocoapodsMetadata added in v0.51.0

type CocoapodsMetadata struct {
	Checksum string `mapstructure:"checksum" json:"checksum"`
}

type Collection added in v0.80.0

type Collection struct {
	// contains filtered or unexported fields
}

Collection represents a collection of Packages.

func NewCollection added in v0.80.0

func NewCollection(pkgs ...Package) *Collection

NewCollection returns a new empty Collection

func (*Collection) Add added in v0.80.0

func (c *Collection) Add(pkgs ...Package)

Add adds the given packages to the collection.

func (*Collection) Delete added in v0.80.0

func (c *Collection) Delete(ids ...artifact.ID)

func (*Collection) Enumerate added in v0.80.0

func (c *Collection) Enumerate(types ...Type) <-chan Package

Enumerate all packages for the given type(s), enumerating all packages if no type is specified.

func (*Collection) Package added in v0.80.0

func (c *Collection) Package(id artifact.ID) *Package

Package returns the package with the given ID.

func (*Collection) PackageCount added in v0.80.0

func (c *Collection) PackageCount() int

PackageCount returns the total number of packages that have been added.

func (*Collection) Packages added in v0.80.0

func (c *Collection) Packages(ids []artifact.ID) (result []Package)

Packages returns all packages for the given IDs.

func (*Collection) PackagesByName added in v0.80.0

func (c *Collection) PackagesByName(name string) []Package

PackagesByName returns all packages that were discovered with a matching name.

func (*Collection) PackagesByPath added in v0.80.0

func (c *Collection) PackagesByPath(path string) []Package

PackagesByPath returns all packages that were discovered from the given path.

func (*Collection) Sorted added in v0.80.0

func (c *Collection) Sorted(types ...Type) (pkgs []Package)

Sorted enumerates all packages for the given types sorted by package name. Enumerates all packages if no type is specified.

type ConanLockMetadata added in v0.58.0

type ConanLockMetadata struct {
	Ref            string            `json:"ref"`
	PackageID      string            `json:"package_id,omitempty"`
	Prev           string            `json:"prev,omitempty"`
	Requires       string            `json:"requires,omitempty"`
	BuildRequires  string            `json:"build_requires,omitempty"`
	PythonRequires string            `json:"py_requires,omitempty"`
	Options        map[string]string `json:"options,omitempty"`
	Path           string            `json:"path,omitempty"`
	Context        string            `json:"context,omitempty"`
}

func (ConanLockMetadata) NameAndVersion added in v0.58.0

func (m ConanLockMetadata) NameAndVersion() (name, version string)

NameAndVersion returns the name and version of the package. If ref is not in the format of "name/version@user/channel", then an empty string is returned for both.
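An added example (not syft's own parser) of the documented contract: parse the reference and return empty strings for anything not of the form name/version@user/channel. ConanRef and ParseConanRef are names introduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// ConanRef is an assumption for this example (not a syft type): the four
// parts of a "name/version@user/channel" reference.
type ConanRef struct {
	Name, Version, User, Channel string
}

// ParseConanRef splits a reference of the form name/version@user/channel and
// reports ok=false for anything else. It rejects empty segments and extra
// "/" separators so that a malformed lock entry cannot yield a half-parsed
// name or version.
func ParseConanRef(ref string) (r ConanRef, ok bool) {
	pkgPart, userPart, found := strings.Cut(ref, "@")
	if !found {
		return ConanRef{}, false
	}
	name, version, found := strings.Cut(pkgPart, "/")
	if !found || name == "" || version == "" || strings.Contains(version, "/") {
		return ConanRef{}, false
	}
	user, channel, found := strings.Cut(userPart, "/")
	if !found || user == "" || channel == "" || strings.Contains(channel, "/") {
		return ConanRef{}, false
	}
	return ConanRef{Name: name, Version: version, User: user, Channel: channel}, true
}

// NameAndVersion mirrors the documented behaviour of
// ConanLockMetadata.NameAndVersion: name and version on success, two empty
// strings when the reference is not in the expected format.
func NameAndVersion(ref string) (name, version string) {
	r, ok := ParseConanRef(ref)
	if !ok {
		return "", ""
	}
	return r.Name, r.Version
}

func main() {
	// constructed refs: one well-formed, the rest malformed in different ways
	for _, ref := range []string{"zlib/1.2.13@conan/stable", "zlib/1.2.13", "zlib@conan/stable", ""} {
		n, v := NameAndVersion(ref)
		fmt.Printf("%-28q -> name=%q version=%q\n", ref, n, v)
	}
}
```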

func (ConanLockMetadata) PackageURL added in v0.58.0

func (m ConanLockMetadata) PackageURL(_ *linux.Release) string

type ConanMetadata added in v0.50.0

type ConanMetadata struct {
	Ref string `mapstructure:"ref" json:"ref"`
}

type DartPubMetadata added in v0.43.0

type DartPubMetadata struct {
	Name      string `mapstructure:"name" json:"name"`
	Version   string `mapstructure:"version" json:"version"`
	HostedURL string `mapstructure:"hosted_url" json:"hosted_url,omitempty"`
	VcsURL    string `mapstructure:"vcs_url" json:"vcs_url,omitempty"`
}

type DirInfo added in v0.34.0

type DirInfo struct {
	Editable bool `json:"editable"`
}

type DirectURLOrigin added in v0.34.0

type DirectURLOrigin struct {
	URL         string      `json:"url"`
	VCSInfo     VCSInfo     `json:"vcs_info"`
	ArchiveInfo ArchiveInfo `json:"archive_info"`
	DirInfo     DirInfo     `json:"dir_info"`
}

type DotnetDepsMetadata added in v0.46.0

type DotnetDepsMetadata struct {
	Name     string `mapstructure:"name" json:"name"`
	Version  string `mapstructure:"version" json:"version"`
	Path     string `mapstructure:"path" json:"path"`
	Sha512   string `mapstructure:"sha512" json:"sha512"`
	HashPath string `mapstructure:"hashPath" json:"hashPath"`
}

type DpkgFileRecord added in v0.7.0

type DpkgFileRecord struct {
	Path         string       `json:"path"`
	Digest       *file.Digest `json:"digest,omitempty"`
	IsConfigFile bool         `json:"isConfigFile"`
}

DpkgFileRecord represents a single file attributed to a debian package.

type DpkgMetadata

type DpkgMetadata struct {
	Package       string           `mapstructure:"Package" json:"package"`
	Source        string           `mapstructure:"Source" json:"source" cyclonedx:"source"`
	Version       string           `mapstructure:"Version" json:"version"`
	SourceVersion string           `mapstructure:"SourceVersion" json:"sourceVersion" cyclonedx:"sourceVersion"`
	Architecture  string           `mapstructure:"Architecture" json:"architecture"`
	Maintainer    string           `mapstructure:"Maintainer" json:"maintainer"`
	InstalledSize int              `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
	Description   string           `mapstructure:"Description" hash:"ignore" json:"-"`
	Files         []DpkgFileRecord `json:"files"`
}

DpkgMetadata represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section.

func (DpkgMetadata) OwnedFiles added in v0.24.0

func (m DpkgMetadata) OwnedFiles() (result []string)

type FileMetadata added in v0.62.3

type FileMetadata struct {
	Classifier  string `mapstructure:"Classifier" json:"classifier"`
	RealPath    string `mapstructure:"RealPath" json:"realPath"`
	VirtualPath string `mapstructure:"VirtualPath" json:"virtualPath"`
}

type FileOwner added in v0.24.0

type FileOwner interface {
	OwnedFiles() []string
}

FileOwner is the interface that wraps OwnedFiles method.

OwnedFiles returns a list of files that a piece of package Metadata indicates are owned by the package.

type GemMetadata added in v0.2.0

type GemMetadata struct {
	Name    string `mapstructure:"name" json:"name"`
	Version string `mapstructure:"version" json:"version"`
	// note regarding whether Files can contribute to GemMetadata being able to implement FileOwner: this list is a
	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
	//
	// For example: The "bundler" gem has a file entry of:
	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
	// but the actual file is located at:
	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
	// which does not match (the "lib" prefix is missing even for relative processing).
	//
	// without additional information about:
	// 	- the gem installation path
	// 	- the ruby installation path
	// 	- the ruby version
	// 	- environment variables (e.g. GEM_HOME) that may affect the gem installation path
	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
	Files    []string `mapstructure:"files" json:"files,omitempty"`
	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
	Homepage string   `mapstructure:"homepage" json:"homepage,omitempty"`
}

GemMetadata represents all metadata parsed from the gemspec file

type GolangBinMetadata added in v0.26.0

type GolangBinMetadata struct {
	BuildSettings     map[string]string `json:"goBuildSettings,omitempty" cyclonedx:"goBuildSettings"`
	GoCompiledVersion string            `json:"goCompiledVersion" cyclonedx:"goCompiledVersion"`
	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
}

GolangBinMetadata represents all captured data for a Golang binary

type GolangModMetadata added in v0.66.2

type GolangModMetadata struct {
	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}

GolangModMetadata represents all captured data for a Golang source scan with go.mod/go.sum

type HackageMetadata added in v0.52.0

type HackageMetadata struct {
	Name        string `mapstructure:"name" json:"name"`
	Version     string `mapstructure:"version" json:"version"`
	PkgHash     string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`
	SnapshotURL string `mapstructure:"snapshotURL" json:"snapshotURL,omitempty"`
}

type JavaManifest

type JavaManifest struct {
	Main          map[string]string            `json:"main,omitempty"`
	NamedSections map[string]map[string]string `json:"namedSections,omitempty"`
}

JavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.

type JavaMetadata

type JavaMetadata struct {
	VirtualPath    string         `json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars
	Manifest       *JavaManifest  `mapstructure:"Manifest" json:"manifest,omitempty"`
	PomProperties  *PomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"`
	PomProject     *PomProject    `mapstructure:"PomProject" json:"pomProject,omitempty"`
	ArchiveDigests []file.Digest  `hash:"ignore" json:"digest,omitempty"`
	Parent         *Package       `hash:"ignore" json:"-"` // note: the parent cannot be included in the minimal definition of uniqueness since this field is not reproducible in an encode-decode cycle (is lossy).
}

JavaMetadata encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.

type KbPackageMetadata added in v0.15.2

type KbPackageMetadata struct {
	ProductID string `toml:"product_id" json:"product_id"`
	Kb        string `toml:"kb" json:"kb"`
}

KbPackageMetadata is slightly odd in how it is expected to map onto data. This is critical to grasp because there is no MSRC cataloger. The `ProductID` field is expected to be the MSRC Product ID, for example: "Windows 10 Version 1703 for 32-bit Systems". `Kb` is expected to be the actual KB number, for example "5001028".

type Language

type Language string

Language represents a single programming language.

const (
	// the full set of supported programming languages
	UnknownLanguage Language = ""
	CPP             Language = "c++"
	Dart            Language = "dart"
	Dotnet          Language = "dotnet"
	Elixir          Language = "elixir"
	Erlang          Language = "erlang"
	Go              Language = "go"
	Haskell         Language = "haskell"
	Java            Language = "java"
	JavaScript      Language = "javascript"
	PHP             Language = "php"
	Python          Language = "python"
	R               Language = "R"
	Ruby            Language = "ruby"
	Rust            Language = "rust"
	Swift           Language = "swift"
)

func LanguageByName added in v0.38.0

func LanguageByName(name string) Language

func LanguageFromPURL added in v0.37.0

func LanguageFromPURL(p string) Language

func (Language) String

func (l Language) String() string

String returns the string representation of the language.

type License added in v0.81.0

type License struct {
	Value          string             `json:"value"`
	SPDXExpression string             `json:"spdxExpression"`
	Type           license.Type       `json:"type"`
	URLs           internal.StringSet `hash:"ignore"`
	Locations      file.LocationSet   `hash:"ignore"`
}

License represents an SPDX expression or license value extracted from a package's metadata. We want to ignore URLs and Locations since we merge these fields across equal licenses. A License is a unique combination of value, expression and type; its sources are always considered merged, and further findings only add to the evidence of where it was found and how it was sourced. This is different from how we treat a package, since we consider package paths in order to decide whether packages should be kept separate; for licenses we are only looking for evidence of where a license was declared or concluded for a given package.
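The identity-versus-evidence rule above, as an added example that is not syft's code: LicenseType, the map-based sets and LicenseSet.Get are simplified stand-ins introduced for this illustration, and the sample evidence is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// LicenseType stands in for license.Type, and the string-keyed maps for
// internal.StringSet and file.LocationSet; all are assumptions made for this
// example, not syft's own types.
type LicenseType string

const (
	Declared  LicenseType = "declared"
	Concluded LicenseType = "concluded"
)

type License struct {
	Value          string
	SPDXExpression string
	Type           LicenseType
	URLs           map[string]struct{} // evidence only: not part of identity
	Locations      map[string]struct{} // evidence only: not part of identity
}

// licenseKey is the identity of a License: value, expression and type.
type licenseKey struct {
	value, spdx string
	typ         LicenseType
}

func (l License) key() licenseKey { return licenseKey{l.Value, l.SPDXExpression, l.Type} }

// NewLicense records a license value seen at one location, with optional URLs.
func NewLicense(value, spdx string, t LicenseType, location string, urls ...string) License {
	l := License{Value: value, SPDXExpression: spdx, Type: t,
		URLs: map[string]struct{}{}, Locations: map[string]struct{}{location: {}}}
	for _, u := range urls {
		l.URLs[u] = struct{}{}
	}
	return l
}

// Merge unions the evidence (URLs, locations) of two licenses with the same
// identity and refuses to merge licenses whose identity differs.
func (l License) Merge(o License) (*License, error) {
	if l.key() != o.key() {
		return nil, errors.New("cannot merge licenses with different value, expression or type")
	}
	out := License{Value: l.Value, SPDXExpression: l.SPDXExpression, Type: l.Type,
		URLs: map[string]struct{}{}, Locations: map[string]struct{}{}}
	for _, src := range []License{l, o} {
		for u := range src.URLs {
			out.URLs[u] = struct{}{}
		}
		for loc := range src.Locations {
			out.Locations[loc] = struct{}{}
		}
	}
	return &out, nil
}

// LicenseSet keeps exactly one License per identity, merging evidence on Add.
type LicenseSet struct {
	items map[licenseKey]License
}

func NewLicenseSet(ls ...License) LicenseSet {
	s := LicenseSet{items: map[licenseKey]License{}}
	s.Add(ls...)
	return s
}

func (s *LicenseSet) Add(ls ...License) {
	for _, l := range ls {
		if existing, ok := s.items[l.key()]; ok {
			merged, _ := existing.Merge(l) // identical key, so Merge cannot fail
			l = *merged
		}
		s.items[l.key()] = l
	}
}

func (s LicenseSet) Len() int { return len(s.items) }

// Get looks a license up by its identity.
func (s LicenseSet) Get(value, spdx string, t LicenseType) (License, bool) {
	l, ok := s.items[licenseKey{value, spdx, t}]
	return l, ok
}

// SampleSet is constructed evidence: MIT declared in package.json and in the
// LICENSE file (which also carries a URL), plus MIT concluded from LICENSE.
func SampleSet() LicenseSet {
	return NewLicenseSet(
		NewLicense("MIT", "MIT", Declared, "/app/package.json"),
		NewLicense("MIT", "MIT", Declared, "/app/LICENSE", "https://opensource.org/licenses/MIT"),
		NewLicense("MIT", "MIT", Concluded, "/app/LICENSE"),
	)
}

func main() {
	for _, l := range SampleSet().items {
		fmt.Printf("%s (%s): %d location(s), %d url(s)\n", l.Value, l.Type, len(l.Locations), len(l.URLs))
	}
}
```

The two declared findings collapse into one License carrying both locations and the URL, while the concluded finding stays separate because its type differs.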

func NewLicense added in v0.81.0

func NewLicense(value string) License

func NewLicenseFromLocations added in v0.81.0

func NewLicenseFromLocations(value string, locations ...file.Location) License

func NewLicenseFromType added in v0.81.0

func NewLicenseFromType(value string, t license.Type) License

func NewLicenseFromURLs added in v0.81.0

func NewLicenseFromURLs(value string, urls ...string) License

func NewLicensesFromLocation added in v0.81.0

func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)

func NewLicensesFromValues added in v0.81.0

func NewLicensesFromValues(values ...string) (licenses []License)

func (License) Merge added in v0.81.0

func (s License) Merge(l License) (*License, error)

This is a bit of a hack to avoid infinite recursion when hashing a license.

type LicenseSet added in v0.81.0

type LicenseSet struct {
	// contains filtered or unexported fields
}

func NewLicenseSet added in v0.81.0

func NewLicenseSet(licenses ...License) (s LicenseSet)

func (*LicenseSet) Add added in v0.81.0

func (s *LicenseSet) Add(licenses ...License)

func (LicenseSet) Empty added in v0.81.0

func (s LicenseSet) Empty() bool

func (LicenseSet) Hash added in v0.81.0

func (s LicenseSet) Hash() (uint64, error)

func (LicenseSet) ToSlice added in v0.81.0

func (s LicenseSet) ToSlice() []License

type Licenses added in v0.81.0

type Licenses []License

func (Licenses) Len added in v0.81.0

func (l Licenses) Len() int

func (Licenses) Less added in v0.81.0

func (l Licenses) Less(i, j int) bool

func (Licenses) Swap added in v0.81.0

func (l Licenses) Swap(i, j int)

type LinuxKernelMetadata added in v0.78.0

type LinuxKernelMetadata struct {
	Name            string `mapstructure:"name" json:"name" cyclonedx:"name"`
	Architecture    string `mapstructure:"architecture" json:"architecture" cyclonedx:"architecture"`
	Version         string `mapstructure:"version" json:"version" cyclonedx:"version"`
	ExtendedVersion string `mapstructure:"extendedVersion" json:"extendedVersion,omitempty" cyclonedx:"extendedVersion"`
	BuildTime       string `mapstructure:"buildTime" json:"buildTime,omitempty" cyclonedx:"buildTime"`
	Author          string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	Format          string `mapstructure:"format" json:"format,omitempty" cyclonedx:"format"`
	RWRootFS        bool   `mapstructure:"rwRootFS" json:"rwRootFS,omitempty" cyclonedx:"rwRootFS"`
	SwapDevice      int    `mapstructure:"swapDevice" json:"swapDevice,omitempty" cyclonedx:"swapDevice"`
	RootDevice      int    `mapstructure:"rootDevice" json:"rootDevice,omitempty" cyclonedx:"rootDevice"`
	VideoMode       string `mapstructure:"videoMode" json:"videoMode,omitempty" cyclonedx:"videoMode"`
}

LinuxKernelMetadata represents all captured data for a Linux kernel

type LinuxKernelModuleMetadata added in v0.78.0

type LinuxKernelModuleMetadata struct {
	Name          string                                `mapstructure:"name" json:"name,omitempty" cyclonedx:"name"`
	Version       string                                `mapstructure:"version" json:"version,omitempty" cyclonedx:"version"`
	SourceVersion string                                `mapstructure:"sourceVersion" json:"sourceVersion,omitempty" cyclonedx:"sourceVersion"`
	Path          string                                `mapstructure:"path" json:"path,omitempty" cyclonedx:"path"`
	Description   string                                `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
	Author        string                                `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	License       string                                `mapstructure:"license" json:"license,omitempty" cyclonedx:"license"`
	KernelVersion string                                `mapstructure:"kernelVersion" json:"kernelVersion,omitempty" cyclonedx:"kernelVersion"`
	VersionMagic  string                                `mapstructure:"versionMagic" json:"versionMagic,omitempty" cyclonedx:"versionMagic"`
	Parameters    map[string]LinuxKernelModuleParameter `mapstructure:"parameters" json:"parameters,omitempty" cyclonedx:"parameters"`
}

type LinuxKernelModuleParameter added in v0.78.0

type LinuxKernelModuleParameter struct {
	Type        string `mapstructure:"type" json:"type,omitempty" cyclonedx:"type"`
	Description string `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
}

type MetadataType added in v0.4.0

type MetadataType string

MetadataType represents the data shape stored within pkg.Package.Metadata.

const (
	UnknownMetadataType            MetadataType = "UnknownMetadata"
	AlpmMetadataType               MetadataType = "AlpmMetadata"
	ApkMetadataType                MetadataType = "ApkMetadata"
	BinaryMetadataType             MetadataType = "BinaryMetadata"
	CocoapodsMetadataType          MetadataType = "CocoapodsMetadataType"
	ConanLockMetadataType          MetadataType = "ConanLockMetadataType"
	ConanMetadataType              MetadataType = "ConanMetadataType"
	DartPubMetadataType            MetadataType = "DartPubMetadata"
	DotnetDepsMetadataType         MetadataType = "DotnetDepsMetadata"
	DpkgMetadataType               MetadataType = "DpkgMetadata"
	GemMetadataType                MetadataType = "GemMetadata"
	GolangBinMetadataType          MetadataType = "GolangBinMetadata"
	GolangModMetadataType          MetadataType = "GolangModMetadata"
	HackageMetadataType            MetadataType = "HackageMetadataType"
	JavaMetadataType               MetadataType = "JavaMetadata"
	KbPackageMetadataType          MetadataType = "KbPackageMetadata"
	LinuxKernelMetadataType        MetadataType = "LinuxKernelMetadata"
	LinuxKernelModuleMetadataType  MetadataType = "LinuxKernelModuleMetadata"
	MixLockMetadataType            MetadataType = "MixLockMetadataType"
	NixStoreMetadataType           MetadataType = "NixStoreMetadata"
	NpmPackageJSONMetadataType     MetadataType = "NpmPackageJsonMetadata"
	NpmPackageLockJSONMetadataType MetadataType = "NpmPackageLockJsonMetadata"
	PhpComposerJSONMetadataType    MetadataType = "PhpComposerJsonMetadata"
	PortageMetadataType            MetadataType = "PortageMetadata"
	PythonPackageMetadataType      MetadataType = "PythonPackageMetadata"
	PythonPipfileLockMetadataType  MetadataType = "PythonPipfileLockMetadata"
	PythonRequirementsMetadataType MetadataType = "PythonRequirementsMetadata"
	RebarLockMetadataType          MetadataType = "RebarLockMetadataType"
	RDescriptionFileMetadataType   MetadataType = "RDescriptionFileMetadataType"
	RpmMetadataType                MetadataType = "RpmMetadata"
	RustCargoPackageMetadataType   MetadataType = "RustCargoPackageMetadata"
)

func CleanMetadataType added in v0.56.0

func CleanMetadataType(typ MetadataType) MetadataType

type MixLockMetadata added in v0.66.0

type MixLockMetadata struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

type NixStoreMetadata added in v0.76.1

type NixStoreMetadata struct {
	// OutputHash is the prefix of the nix store basename path
	OutputHash string `mapstructure:"outputHash" json:"outputHash"`

	// Output allows for optionally specifying the specific nix package output this package represents (for packages that support multiple outputs).
	// Note: the default output for a package is an empty string, so will not be present in the output.
	Output string `mapstructure:"output" json:"output,omitempty"`

	// Files is a listing of files that are under the nix/store path for this package
	Files []string `mapstructure:"files" json:"files"`
}

func (NixStoreMetadata) OwnedFiles added in v0.76.1

func (m NixStoreMetadata) OwnedFiles() (result []string)

type NpmPackageJSONMetadata added in v0.4.0

type NpmPackageJSONMetadata struct {
	Name        string `mapstructure:"name" json:"name"`
	Version     string `mapstructure:"version" json:"version"`
	Author      string `mapstructure:"author" json:"author"`
	Homepage    string `mapstructure:"homepage" json:"homepage"`
	Description string `mapstructure:"description" json:"description"`
	URL         string `mapstructure:"url" json:"url"`
	Private     bool   `mapstructure:"private" json:"private"`
}

NpmPackageJSONMetadata holds parsing information for a javascript package.json file

type NpmPackageLockJSONMetadata added in v0.66.0

type NpmPackageLockJSONMetadata struct {
	Resolved  string `mapstructure:"resolved" json:"resolved"`
	Integrity string `mapstructure:"integrity" json:"integrity"`
}

NpmPackageLockJSONMetadata holds parsing information for a javascript package-lock.json file

type Package

type Package struct {
	Name         string           // the package name
	Version      string           // the version of the package
	FoundBy      string           `hash:"ignore" cyclonedx:"foundBy"` // the specific cataloger that discovered this package
	Locations    file.LocationSet // the locations that led to the discovery of this package (note: this is not necessarily the set of locations that make up this package)
	Licenses     LicenseSet       // licenses discovered with the package metadata
	Language     Language         `hash:"ignore" cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc)
	Type         Type             `cyclonedx:"type"`                   // the package type (e.g. Npm, Yarn, Python, Rpm, Deb, etc)
	CPEs         []cpe.CPE        `hash:"ignore"`                      // all possible Common Platform Enumerators (note: this is NOT included in the definition of the ID since all fields on a CPE are derived from other fields)
	PURL         string           `hash:"ignore"`                      // the Package URL (see https://github.com/package-url/purl-spec)
	MetadataType MetadataType     `cyclonedx:"metadataType"`           // the shape of the additional data in the "metadata" field
	Metadata     interface{}      // additional data found while parsing the package source
	// contains filtered or unexported fields
}

Package represents an application or library that has been bundled into a distributable format. TODO: if we ignore FoundBy for ID generation should we merge the field to show it was found in two places?

func (Package) ID

func (p Package) ID() artifact.ID

func (*Package) OverrideID added in v0.45.0

func (p *Package) OverrideID(id artifact.ID)

func (*Package) SetID added in v0.33.0

func (p *Package) SetID()

func (Package) String

func (p Package) String() string

Stringer to represent a package.
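The `hash:"ignore"` tags above mean that FoundBy, Language, CPEs and PURL do not take part in the artifact ID, so the same package discovered by two catalogers (one of which also attached CPEs and a PURL) hashes to one ID and can be merged, while a different Version yields a different ID. The program below is an added illustration of that rule, not syft's own ID implementation: `Package`, `CPE` and `ArtifactID` are reduced stand-ins for the real types, `Locations` is a string slice standing in for `file.LocationSet`, and the canonical encoding and SHA-256 truncation are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// CPE and ArtifactID stand in for cpe.CPE and artifact.ID (assumption: only
// their string form matters for this illustration).
type CPE string
type ArtifactID string

// Package keeps the documented field set and its `hash:"ignore"` tags; Locations
// is a plain string slice standing in for file.LocationSet.
type Package struct {
	Name      string
	Version   string
	FoundBy   string `hash:"ignore"`
	Locations []string
	Language  string `hash:"ignore"`
	Type      string
	CPEs      []CPE  `hash:"ignore"`
	PURL      string `hash:"ignore"`
	Metadata  interface{}
}

// encode writes a canonical, order-independent encoding of v, skipping every
// struct field tagged `hash:"ignore"` and every unexported field.
func encode(sb *strings.Builder, v reflect.Value) {
	switch v.Kind() {
	case reflect.Interface, reflect.Ptr:
		if v.IsNil() {
			sb.WriteString("nil;")
			return
		}
		encode(sb, v.Elem())
	case reflect.Struct:
		t := v.Type()
		sb.WriteString(t.Name() + "{")
		for i := 0; i < v.NumField(); i++ {
			f := t.Field(i)
			if f.PkgPath != "" || f.Tag.Get("hash") == "ignore" {
				continue
			}
			sb.WriteString(f.Name + "=")
			encode(sb, v.Field(i))
		}
		sb.WriteString("}")
	case reflect.Slice, reflect.Array:
		// Collections are treated as sets: the order in which catalogers appended
		// locations must not change the ID.
		parts := make([]string, 0, v.Len())
		for i := 0; i < v.Len(); i++ {
			var b strings.Builder
			encode(&b, v.Index(i))
			parts = append(parts, b.String())
		}
		sort.Strings(parts)
		sb.WriteString("[" + strings.Join(parts, ",") + "]")
	case reflect.Map:
		parts := make([]string, 0, v.Len())
		iter := v.MapRange()
		for iter.Next() {
			var b strings.Builder
			encode(&b, iter.Key())
			b.WriteString("=>")
			encode(&b, iter.Value())
			parts = append(parts, b.String())
		}
		sort.Strings(parts)
		sb.WriteString("{" + strings.Join(parts, ",") + "}")
	default:
		// Scalars: %#v quotes strings, so "a,b" and "a","b" cannot collide.
		fmt.Fprintf(sb, "%#v;", v.Interface())
	}
}

// ID derives a content-addressed identifier from the non-ignored fields only.
func (p Package) ID() ArtifactID {
	var sb strings.Builder
	encode(&sb, reflect.ValueOf(p))
	sum := sha256.Sum256([]byte(sb.String()))
	return ArtifactID(hex.EncodeToString(sum[:8]))
}

func main() {
	a := Package{
		Name: "lodash", Version: "4.17.21", Type: "npm",
		FoundBy:   "javascript-package-cataloger",
		Locations: []string{"/app/node_modules/lodash/package.json"},
	}
	b := a // the same package seen by a second cataloger, with enrichment attached
	b.FoundBy = "javascript-lock-cataloger"
	b.CPEs = []CPE{"cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*"}
	b.PURL = "pkg:npm/lodash@4.17.21"
	c := a
	c.Version = "4.17.20"
	fmt.Println(a.ID() == b.ID(), a.ID() == c.ID()) // true false
}
```

Note that Locations carries no ignore tag, so two otherwise identical packages found at different paths are distinct artifacts; only the set order is normalised away.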

type PhpComposerAuthors added in v0.36.0

type PhpComposerAuthors struct {
	Name     string `json:"name"`
	Email    string `json:"email,omitempty"`
	Homepage string `json:"homepage,omitempty"`
}

type PhpComposerExternalReference added in v0.36.0

type PhpComposerExternalReference struct {
	Type      string `json:"type"`
	URL       string `json:"url"`
	Reference string `json:"reference"`
	Shasum    string `json:"shasum,omitempty"`
}

type PhpComposerJSONMetadata added in v0.36.0

type PhpComposerJSONMetadata struct {
	Name            string                       `json:"name"`
	Version         string                       `json:"version"`
	Source          PhpComposerExternalReference `json:"source"`
	Dist            PhpComposerExternalReference `json:"dist"`
	Require         map[string]string            `json:"require,omitempty"`
	Provide         map[string]string            `json:"provide,omitempty"`
	RequireDev      map[string]string            `json:"require-dev,omitempty"`
	Suggest         map[string]string            `json:"suggest,omitempty"`
	License         []string                     `json:"license,omitempty"`
	Type            string                       `json:"type,omitempty"`
	NotificationURL string                       `json:"notification-url,omitempty"`
	Bin             []string                     `json:"bin,omitempty"`
	Authors         []PhpComposerAuthors         `json:"authors,omitempty"`
	Description     string                       `json:"description,omitempty"`
	Homepage        string                       `json:"homepage,omitempty"`
	Keywords        []string                     `json:"keywords,omitempty"`
	Time            string                       `json:"time,omitempty"`
}

PhpComposerJSONMetadata represents information found from composer v1/v2 "installed.json" files as well as composer.lock files

type PomParent added in v0.22.0

type PomParent struct {
	GroupID    string `json:"groupId"`
	ArtifactID string `json:"artifactId"`
	Version    string `json:"version"`
}

PomParent contains the fields within the <parent> tag in a pom.xml file

type PomProject added in v0.22.0

type PomProject struct {
	Path        string     `json:"path"`
	Parent      *PomParent `json:"parent,omitempty"`
	GroupID     string     `json:"groupId"`
	ArtifactID  string     `json:"artifactId"`
	Version     string     `json:"version"`
	Name        string     `json:"name"`
	Description string     `json:"description,omitempty"`
	URL         string     `json:"url,omitempty"`
}

PomProject represents fields of interest extracted from a Java archive's pom.xml file. See https://maven.apache.org/ref/3.6.3/maven-model/maven.html for more details.

type PomProperties

type PomProperties struct {
	Path       string            `mapstructure:"path" json:"path"`
	Name       string            `mapstructure:"name" json:"name"`
	GroupID    string            `mapstructure:"groupId" json:"groupId" cyclonedx:"groupID"`
	ArtifactID string            `mapstructure:"artifactId" json:"artifactId" cyclonedx:"artifactID"`
	Version    string            `mapstructure:"version" json:"version"`
	Scope      string            `mapstructure:"scope" json:"scope,omitempty"`
	Extra      map[string]string `mapstructure:",remain" json:"extraFields,omitempty"`
}

PomProperties represents the fields of interest extracted from a Java archive's pom.properties file.

func (PomProperties) PkgTypeIndicated added in v0.15.0

func (p PomProperties) PkgTypeIndicated() Type

PkgTypeIndicated returns the package Type indicated by the data contained in the PomProperties.

type PortageFileRecord added in v0.51.0

type PortageFileRecord struct {
	Path   string       `json:"path"`
	Digest *file.Digest `json:"digest,omitempty"`
}

PortageFileRecord represents a single file attributed to a portage package.

type PortageMetadata added in v0.51.0

type PortageMetadata struct {
	InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
	Files         []PortageFileRecord `json:"files"`
}

PortageMetadata represents all captured data for a Portage package DB entry.

func (PortageMetadata) OwnedFiles added in v0.76.1

func (m PortageMetadata) OwnedFiles() (result []string)

type PythonDirectURLOriginInfo added in v0.34.0

type PythonDirectURLOriginInfo struct {
	URL      string `json:"url"`
	CommitID string `json:"commitId,omitempty"`
	VCS      string `json:"vcs,omitempty"`
}

type PythonFileDigest added in v0.8.0

type PythonFileDigest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

PythonFileDigest represents the file metadata for a single file attributed to a python package.

type PythonFileRecord added in v0.4.0

type PythonFileRecord struct {
	Path   string            `json:"path"`
	Digest *PythonFileDigest `json:"digest,omitempty"`
	Size   string            `json:"size,omitempty"`
}

PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package

type PythonPackageMetadata added in v0.4.0

type PythonPackageMetadata struct {
	Name                 string                     `json:"name" mapstruct:"Name"`
	Version              string                     `json:"version" mapstruct:"Version"`
	Author               string                     `json:"author" mapstruct:"Author"`
	AuthorEmail          string                     `json:"authorEmail" mapstruct:"Authoremail"`
	Platform             string                     `json:"platform" mapstruct:"Platform"`
	Files                []PythonFileRecord         `json:"files,omitempty"`
	SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
	TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
	DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
}

PythonPackageMetadata represents all captured data for a python egg or wheel package.

func (PythonPackageMetadata) OwnedFiles added in v0.24.0

func (m PythonPackageMetadata) OwnedFiles() (result []string)
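PythonFileRecord and the Files slice on PythonPackageMetadata come from the wheel RECORD file, a CSV with one `path,algorithm=digest,size` row per installed file, where the digest is the unpadded base64url form of the raw hash and the RECORD entry for itself carries an empty digest and size. The following added example (this page's type names, but not syft's parser) parses that format into the documented structs and then checks every digested entry against file contents, which is the check a practitioner wants when looking for post-install modification of a site-packages tree. The sample tree and RECORD are constructed inline; `demo/client.py` is altered after the RECORD is written so that one entry fails.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/csv"
	"fmt"
	"strconv"
	"strings"
)

// PythonFileDigest and PythonFileRecord follow the page's definitions.
type PythonFileDigest struct {
	Algorithm string
	Value     string
}

type PythonFileRecord struct {
	Path   string
	Digest *PythonFileDigest
	Size   string
}

// ParseRecord parses RECORD content: one CSV row per file of the form
// "path,algorithm=base64url-digest,size". The RECORD file lists itself with an
// empty digest and size, which yields a record with a nil Digest.
func ParseRecord(content string) ([]PythonFileRecord, error) {
	r := csv.NewReader(strings.NewReader(content))
	r.FieldsPerRecord = 3
	rows, err := r.ReadAll()
	if err != nil {
		return nil, err
	}
	out := make([]PythonFileRecord, 0, len(rows))
	for _, row := range rows {
		rec := PythonFileRecord{Path: row[0], Size: row[2]}
		if row[1] != "" {
			parts := strings.SplitN(row[1], "=", 2)
			if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
				return nil, fmt.Errorf("%s: malformed digest %q", row[0], row[1])
			}
			rec.Digest = &PythonFileDigest{Algorithm: parts[0], Value: parts[1]}
		}
		out = append(out, rec)
	}
	return out, nil
}

// sha256Record encodes a digest the way installers write it into RECORD:
// unpadded base64url of the raw SHA-256 bytes (43 characters).
func sha256Record(data []byte) PythonFileDigest {
	sum := sha256.Sum256(data)
	return PythonFileDigest{Algorithm: "sha256", Value: base64.RawURLEncoding.EncodeToString(sum[:])}
}

// VerifyRecords compares each digested record against the bytes found at its path
// and reports every deviation: missing file, unsupported algorithm, digest or size mismatch.
func VerifyRecords(records []PythonFileRecord, files map[string][]byte) []string {
	var problems []string
	for _, rec := range records {
		if rec.Digest == nil {
			continue // RECORD's own entry has nothing to check
		}
		data, ok := files[rec.Path]
		if !ok {
			problems = append(problems, rec.Path+": listed in RECORD but not on disk")
			continue
		}
		if rec.Digest.Algorithm != "sha256" {
			problems = append(problems, rec.Path+": unsupported digest algorithm "+rec.Digest.Algorithm)
			continue
		}
		if sha256Record(data).Value != rec.Digest.Value {
			problems = append(problems, rec.Path+": sha256 mismatch")
		}
		if n, err := strconv.Atoi(rec.Size); err != nil || n != len(data) {
			problems = append(problems, rec.Path+": size mismatch")
		}
	}
	return problems
}

// SampleTree returns a constructed site-packages tree and a RECORD written for it
// (not real data). demo/client.py is modified after the RECORD is produced.
func SampleTree() (string, map[string][]byte) {
	installed := map[string][]byte{
		"demo/__init__.py":            []byte("__version__ = '1.0'\n"),
		"demo/client.py":              []byte("import requests\n"),
		"demo-1.0.dist-info/METADATA": []byte("Name: demo\nVersion: 1.0\n"),
	}
	var sb strings.Builder
	for _, path := range []string{"demo/__init__.py", "demo/client.py", "demo-1.0.dist-info/METADATA"} {
		d := sha256Record(installed[path])
		fmt.Fprintf(&sb, "%s,%s=%s,%d\n", path, d.Algorithm, d.Value, len(installed[path]))
	}
	sb.WriteString("demo-1.0.dist-info/RECORD,,\n")
	installed["demo/client.py"] = append(installed["demo/client.py"], []byte("import os\n")...)
	return sb.String(), installed
}

func main() {
	record, files := SampleTree()
	recs, err := ParseRecord(record)
	if err != nil {
		panic(err)
	}
	for _, p := range VerifyRecords(recs, files) {
		fmt.Println(p)
	}
}
```

A RECORD only attests to what the installer wrote; it is itself an installed file with no signature, so a mismatch proves modification but a clean result only shows that RECORD and the tree still agree with each other.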

type PythonPipfileLockMetadata added in v0.66.0

type PythonPipfileLockMetadata struct {
	Hashes []string `mapstructure:"hashes" json:"hashes"`
	Index  string   `mapstructure:"index" json:"index"`
}

type PythonRequirementsMetadata added in v0.80.0

type PythonRequirementsMetadata struct {
	Name              string            `json:"name" mapstruct:"Name"`
	Extras            []string          `json:"extras" mapstruct:"Extras"`
	VersionConstraint string            `json:"versionConstraint" mapstruct:"VersionConstraint"`
	URL               string            `json:"url" mapstruct:"URL"`
	Markers           map[string]string `json:"markers" mapstruct:"Markers"`
}

type RDescriptionFileMetadata added in v0.81.0

type RDescriptionFileMetadata struct {
	/*
		Fields chosen by:
		docker run --rm -it rocker/r-ver bash
		$ install2.r ggplot2 # has a lot of dependencies
		$ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr
	*/
	Title            string   `json:"title,omitempty"`
	Description      string   `json:"description,omitempty"`
	Author           string   `json:"author,omitempty"`
	Maintainer       string   `json:"maintainer,omitempty"`
	URL              []string `json:"url,omitempty"`
	Repository       string   `json:"repository,omitempty"`
	Built            string   `json:"built,omitempty"`
	NeedsCompilation bool     `json:"needsCompilation,omitempty"`
	Imports          []string `json:"imports,omitempty"`
	Depends          []string `json:"depends,omitempty"`
	Suggests         []string `json:"suggests,omitempty"`
}

type RebarLockMetadata added in v0.66.0

type RebarLockMetadata struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

type RpmMetadata

type RpmMetadata struct {
	Name            string            `json:"name"`
	Version         string            `json:"version"`
	Epoch           *int              `json:"epoch"  cyclonedx:"epoch" jsonschema:"nullable"`
	Arch            string            `json:"architecture"`
	Release         string            `json:"release" cyclonedx:"release"`
	SourceRpm       string            `json:"sourceRpm" cyclonedx:"sourceRpm"`
	Size            int               `json:"size" cyclonedx:"size"`
	Vendor          string            `json:"vendor"`
	ModularityLabel string            `json:"modularityLabel"`
	Files           []RpmdbFileRecord `json:"files"`
}

RpmMetadata represents all captured data for an RPM DB package entry.

func (RpmMetadata) OwnedFiles added in v0.56.0

func (m RpmMetadata) OwnedFiles() (result []string)

type RpmdbFileMode added in v0.6.0

type RpmdbFileMode uint16

RpmdbFileMode is the raw file mode for a single file. This can be interpreted as the linux stat.h mode (see https://pubs.opengroup.org/onlinepubs/007908799/xsh/sysstat.h.html)

type RpmdbFileRecord added in v0.6.0

type RpmdbFileRecord struct {
	Path      string        `json:"path"`
	Mode      RpmdbFileMode `json:"mode"`
	Size      int           `json:"size"`
	Digest    file.Digest   `json:"digest"`
	UserName  string        `json:"userName"`
	GroupName string        `json:"groupName"`
	Flags     string        `json:"flags"`
}

RpmdbFileRecord represents the file metadata for a single file attributed to an RPM package.
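Because RpmdbFileMode is the raw stat.h mode, the file type and the setuid, setgid and sticky bits can be read straight out of the SBOM without touching the image. The program below is an added example, not syft code: it renders the mode the way `ls -l` does and audits a constructed list of RpmdbFileRecord values (reduced to the fields the audit needs) for setuid/setgid binaries and world-writable paths. One caveat it handles: the RPM header records symlinks as 0o120777, so a naive world-writable check flags every link unless symlinks are skipped, and a directory is only flagged when it is world-writable without the sticky bit.

```go
package main

import (
	"fmt"
	"strings"
)

// RpmdbFileMode is the raw st_mode value from the RPM header, as on the page.
type RpmdbFileMode uint16

// Type and permission bits from <sys/stat.h>.
const (
	modeTypeMask RpmdbFileMode = 0o170000
	modeRegular  RpmdbFileMode = 0o100000
	modeDir      RpmdbFileMode = 0o040000
	modeSymlink  RpmdbFileMode = 0o120000
	modeSetuid   RpmdbFileMode = 0o4000
	modeSetgid   RpmdbFileMode = 0o2000
	modeSticky   RpmdbFileMode = 0o1000
	modeOtherW   RpmdbFileMode = 0o002
)

func (m RpmdbFileMode) IsRegular() bool { return m&modeTypeMask == modeRegular }
func (m RpmdbFileMode) IsDir() bool     { return m&modeTypeMask == modeDir }
func (m RpmdbFileMode) IsSymlink() bool { return m&modeTypeMask == modeSymlink }

// String renders the mode the way `ls -l` does, e.g. 0o104755 -> "-rwsr-xr-x".
func (m RpmdbFileMode) String() string {
	var sb strings.Builder
	switch m & modeTypeMask {
	case modeRegular:
		sb.WriteByte('-')
	case modeDir:
		sb.WriteByte('d')
	case modeSymlink:
		sb.WriteByte('l')
	default:
		sb.WriteByte('?')
	}
	rwx := []byte("rwxrwxrwx")
	for i := 0; i < 9; i++ {
		if m&(1<<uint(8-i)) == 0 {
			rwx[i] = '-'
		}
	}
	// setuid/setgid/sticky overlay the three execute positions; upper case when the
	// underlying execute bit is clear, as ls prints it.
	overlay := func(pos int, set bool, lower, upper byte) {
		if !set {
			return
		}
		if rwx[pos] == 'x' {
			rwx[pos] = lower
		} else {
			rwx[pos] = upper
		}
	}
	overlay(2, m&modeSetuid != 0, 's', 'S')
	overlay(5, m&modeSetgid != 0, 's', 'S')
	overlay(8, m&modeSticky != 0, 't', 'T')
	sb.Write(rwx)
	return sb.String()
}

// RpmdbFileRecord is reduced to the fields this audit needs from the page's struct.
type RpmdbFileRecord struct {
	Path      string
	Mode      RpmdbFileMode
	UserName  string
	GroupName string
}

type Finding struct {
	Path   string
	Reason string
}

// AuditFileModes flags setuid/setgid regular files and world-writable paths.
// Symlinks are skipped (recorded as 0o120777) and sticky directories are allowed.
func AuditFileModes(files []RpmdbFileRecord) []Finding {
	var out []Finding
	for _, f := range files {
		m := f.Mode
		if m.IsSymlink() {
			continue
		}
		if m.IsRegular() && m&modeSetuid != 0 {
			out = append(out, Finding{f.Path, fmt.Sprintf("setuid %s (%s)", f.UserName, m)})
		}
		if m.IsRegular() && m&modeSetgid != 0 {
			out = append(out, Finding{f.Path, fmt.Sprintf("setgid %s (%s)", f.GroupName, m)})
		}
		if m&modeOtherW != 0 && !(m.IsDir() && m&modeSticky != 0) {
			out = append(out, Finding{f.Path, fmt.Sprintf("world-writable (%s)", m)})
		}
	}
	return out
}

// SampleRecords is a constructed file list in the shape an RPM DB cataloger emits (not real data).
func SampleRecords() []RpmdbFileRecord {
	return []RpmdbFileRecord{
		{Path: "/usr/bin/passwd", Mode: 0o104755, UserName: "root", GroupName: "root"},
		{Path: "/usr/bin/wall", Mode: 0o102755, UserName: "root", GroupName: "tty"},
		{Path: "/etc/passwd", Mode: 0o100644, UserName: "root", GroupName: "root"},
		{Path: "/tmp", Mode: 0o041777, UserName: "root", GroupName: "root"},
		{Path: "/usr/lib64/libz.so", Mode: 0o120777, UserName: "root", GroupName: "root"},
		{Path: "/var/lib/app/state.db", Mode: 0o100666, UserName: "app", GroupName: "app"},
	}
}

func main() {
	for _, f := range AuditFileModes(SampleRecords()) {
		fmt.Printf("%-24s %s\n", f.Path, f.Reason)
	}
}
```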

type Type

type Type string

Type represents a Package Type for or within a language ecosystem (there may be multiple package types within a language ecosystem)

const (
	// the full set of supported packages
	UnknownPkg            Type = "UnknownPackage"
	AlpmPkg               Type = "alpm"
	ApkPkg                Type = "apk"
	BinaryPkg             Type = "binary"
	CocoapodsPkg          Type = "pod"
	ConanPkg              Type = "conan"
	DartPubPkg            Type = "dart-pub"
	DebPkg                Type = "deb"
	DotnetPkg             Type = "dotnet"
	GemPkg                Type = "gem"
	GoModulePkg           Type = "go-module"
	GraalVMNativeImagePkg Type = "graalvm-native-image"
	HackagePkg            Type = "hackage"
	HexPkg                Type = "hex"
	JavaPkg               Type = "java-archive"
	JenkinsPluginPkg      Type = "jenkins-plugin"
	KbPkg                 Type = "msrc-kb"
	LinuxKernelPkg        Type = "linux-kernel"
	LinuxKernelModulePkg  Type = "linux-kernel-module"
	NixPkg                Type = "nix"
	NpmPkg                Type = "npm"
	PhpComposerPkg        Type = "php-composer"
	PortagePkg            Type = "portage"
	PythonPkg             Type = "python"
	Rpkg                  Type = "R-package"
	RpmPkg                Type = "rpm"
	RustPkg               Type = "rust-crate"
)

func TypeByName added in v0.38.0

func TypeByName(name string) Type

func TypeFromPURL added in v0.37.0

func TypeFromPURL(p string) Type

func (Type) PackageURLType

func (t Type) PackageURLType() string

PackageURLType returns the PURL package type for the current package.
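TypeFromPURL has to pull the type out of a Package URL before it can map it onto one of the Type constants, and the qualifiers it is handed (arch, distro, epoch, and grype's non-spec upstream) ride along in the same string. The example below is added here and is not syft's parser: it implements the purl-spec grammar `pkg:type/namespace/name@version?qualifiers#subpath` with percent-decoding of each component, and the `purlTypeToPkgType` table is this example's assumed mapping covering a subset of the Type values on this page, not the project's own table. The sample purls are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

type Type string

// A subset of the Type constants from the page, enough for the mapping below.
const (
	UnknownPkg     Type = "UnknownPackage"
	ApkPkg         Type = "apk"
	DebPkg         Type = "deb"
	GemPkg         Type = "gem"
	GoModulePkg    Type = "go-module"
	JavaPkg        Type = "java-archive"
	NpmPkg         Type = "npm"
	PhpComposerPkg Type = "php-composer"
	PythonPkg      Type = "python"
	RpmPkg         Type = "rpm"
	RustPkg        Type = "rust-crate"
)

// Qualifier keys: arch, distro and epoch are from the purl spec; upstream is the
// non-spec key grype uses for indirect (source package) matching.
const (
	PURLQualifierArch     = "arch"
	PURLQualifierDistro   = "distro"
	PURLQualifierEpoch    = "epoch"
	PURLQualifierUpstream = "upstream"
)

// PackageURL holds the components of pkg:type/namespace/name@version?qualifiers#subpath.
type PackageURL struct {
	Type       string
	Namespace  string
	Name       string
	Version    string
	Qualifiers map[string]string
	Subpath    string
}

// purlTypeToPkgType is an assumed, illustrative mapping from purl type to Type.
var purlTypeToPkgType = map[string]Type{
	"apk": ApkPkg, "deb": DebPkg, "gem": GemPkg, "golang": GoModulePkg,
	"maven": JavaPkg, "npm": NpmPkg, "composer": PhpComposerPkg,
	"pypi": PythonPkg, "rpm": RpmPkg, "cargo": RustPkg,
}

// ParsePURL splits a purl into its components following the purl-spec grammar.
func ParsePURL(s string) (PackageURL, error) {
	var p PackageURL
	if !strings.HasPrefix(strings.ToLower(s), "pkg:") {
		return p, errors.New(`purl must start with "pkg:"`)
	}
	rest := strings.TrimLeft(s[len("pkg:"):], "/") // the spec tolerates pkg:/type
	if i := strings.Index(rest, "#"); i >= 0 {
		p.Subpath = strings.Trim(rest[i+1:], "/")
		rest = rest[:i]
	}
	if i := strings.Index(rest, "?"); i >= 0 {
		p.Qualifiers = map[string]string{}
		for _, pair := range strings.Split(rest[i+1:], "&") {
			kv := strings.SplitN(pair, "=", 2)
			if len(kv) != 2 || kv[0] == "" {
				return p, fmt.Errorf("bad qualifier %q", pair)
			}
			val, err := url.PathUnescape(kv[1])
			if err != nil {
				return p, err
			}
			if val != "" { // an empty value means the qualifier is absent
				p.Qualifiers[strings.ToLower(kv[0])] = val
			}
		}
		rest = rest[:i]
	}
	// '@' inside a name or namespace must be percent-encoded (npm scopes become %40),
	// so a literal '@' after the last '/' is the version separator.
	if i := strings.LastIndex(rest, "@"); i > strings.LastIndex(rest, "/") {
		v, err := url.PathUnescape(rest[i+1:])
		if err != nil {
			return p, err
		}
		p.Version = v
		rest = rest[:i]
	}
	parts := strings.Split(rest, "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return p, fmt.Errorf("purl needs a type and a name: %q", s)
	}
	p.Type = strings.ToLower(parts[0])
	name, err := url.PathUnescape(parts[len(parts)-1])
	if err != nil {
		return p, err
	}
	p.Name = name
	if len(parts) > 2 {
		ns := make([]string, 0, len(parts)-2)
		for _, seg := range parts[1 : len(parts)-1] {
			d, err := url.PathUnescape(seg)
			if err != nil {
				return p, err
			}
			ns = append(ns, d)
		}
		p.Namespace = strings.Join(ns, "/")
	}
	return p, nil
}

// TypeFromPURL keeps the page's signature: unparsable or unmapped purls yield UnknownPkg.
func TypeFromPURL(s string) Type {
	p, err := ParsePURL(s)
	if err != nil {
		return UnknownPkg
	}
	if t, ok := purlTypeToPkgType[p.Type]; ok {
		return t
	}
	return UnknownPkg
}

func main() {
	s := "pkg:rpm/redhat/openssl-libs@1.1.1k-7.el8_6?arch=x86_64&epoch=1&distro=rhel-8.6&upstream=openssl-1.1.1k-7.el8_6.src.rpm"
	p, err := ParsePURL(s)
	if err != nil {
		panic(err)
	}
	fmt.Println(TypeFromPURL(s), p.Namespace, p.Name, p.Version, p.Qualifiers[PURLQualifierUpstream])
}
```

The order of extraction matters: subpath, then qualifiers, then version, because a `#` or `?` may legitimately appear only after the version and a `@` only before them; pulling the version first would mis-split a purl whose qualifier value contains `@`.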

type VCSInfo added in v0.34.0

type VCSInfo struct {
	CommitID          string `json:"commit_id"`
	VCS               string `json:"vcs"`
	RequestedRevision string `json:"requested_revision"`
}

Directories

Path Synopsis
cataloger
Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc).
apkdb
Package apkdb provides a concrete Cataloger implementation for Alpine DB files.
cpp
deb
Package deb provides a concrete Cataloger implementation for Debian package DB status files.
elixir
Package elixir provides a concrete Cataloger implementation for Elixir-specific package manager files.
erlang
Package erlang provides a concrete Cataloger implementation for Erlang-specific package manager files.
golang
Package golang provides a concrete Cataloger implementation for go.mod files.
java
Package java provides a concrete Cataloger implementation for Java archives (jar, war, ear, par, sar, jpi, hpi, and native-image formats).
javascript
Package javascript provides a concrete Cataloger implementation for JavaScript ecosystem files (yarn and npm).
kernel
Package kernel provides a concrete Cataloger implementation for linux kernel and module files.
nix
php
Package php provides a concrete Cataloger implementation for PHP ecosystem files.
portage
Package portage provides a concrete Cataloger implementation for Gentoo Portage.
r
rpm
Package rpm provides a concrete DBCataloger implementation for RPM "Package" DB files and a FileCataloger for RPM files.
ruby
Package ruby provides a concrete Cataloger implementation for Ruby Gemfile.lock bundler files.
rust
Package rust provides a concrete Cataloger implementation for Cargo.lock files.
swift
Package swift provides a concrete Cataloger implementation for Podfile.lock files.
