Documentation ¶
Overview ¶
Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.
Index ¶
- Constants
- Variables
- func IsValid(p *Package) bool
- func Less(i, j Package) bool
- func NewRelationships(catalog *Collection) []artifact.Relationship
- func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)
- func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship
- func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship
- func Sort(pkgs []Package)
- func SortRelationships(rels []artifact.Relationship)
- type AlpmDBEntry
- type AlpmFileRecord
- type ApkDBEntry
- type ApkFileRecord
- type BinarySignature
- type Catalog (deprecated)
- type Cataloger
- type ClassifierMatch
- type CocoaPodfileLockEntry
- type Collection
- func (c *Collection) Add(pkgs ...Package)
- func (c *Collection) Delete(ids ...artifact.ID)
- func (c *Collection) Enumerate(types ...Type) <-chan Package
- func (c *Collection) Package(id artifact.ID) *Package
- func (c *Collection) PackageCount() int
- func (c *Collection) Packages(ids []artifact.ID) (result []Package)
- func (c *Collection) PackagesByName(name string) []Package
- func (c *Collection) PackagesByPath(path string) []Package
- func (c *Collection) Sorted(types ...Type) (pkgs []Package)
- type ConanLockEntry
- type ConanfileEntry
- type ConaninfoEntry
- type DartPubspecLockEntry
- type DotnetDepsEntry
- type DotnetPortableExecutableEntry
- type DpkgDBEntry
- type DpkgFileRecord
- type ElixirMixLockEntry
- type ErlangRebarLockEntry
- type FileOwner
- type GolangBinaryBuildinfoEntry
- type GolangModuleEntry
- type HackageStackYamlEntry
- type HackageStackYamlLockEntry
- type JavaArchive
- type JavaManifest
- type JavaPomParent
- type JavaPomProject
- type JavaPomProperties
- type Language
- type License
- func NewLicense(value string) License
- func NewLicenseFromFields(value, url string, location *file.Location) License
- func NewLicenseFromLocations(value string, locations ...file.Location) License
- func NewLicenseFromType(value string, t license.Type) License
- func NewLicenseFromURLs(value string, urls ...string) License
- func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)
- func NewLicensesFromValues(values ...string) (licenses []License)
- type LicenseSet
- type Licenses
- type LinuxKernel
- type LinuxKernelModule
- type LinuxKernelModuleParameter
- type MicrosoftKbPatch
- type NixStoreEntry
- type NpmPackage
- type NpmPackageLockEntry
- type Package
- type PhpComposerAuthors
- type PhpComposerExternalReference
- type PhpComposerInstalledEntry
- type PhpComposerLockEntry
- type PortageEntry
- type PortageFileRecord
- type PythonDirectURLOriginInfo
- type PythonFileDigest
- type PythonFileRecord
- type PythonPackage
- type PythonPipfileLockEntry
- type PythonRequirementsEntry
- type RDescription
- type RpmArchive
- type RpmDBEntry
- type RpmFileMode
- type RpmFileRecord
- type RubyGemspec
- type RustBinaryAuditEntry
- type RustCargoLockEntry
- type SwiftPackageManagerResolvedEntry
- type Type
Constants ¶
const (
	EvidenceAnnotationKey        = "evidence"
	PrimaryEvidenceAnnotation    = "primary"
	SupportingEvidenceAnnotation = "supporting"
)
const (
	PURLQualifierArch   = "arch"
	PURLQualifierDistro = "distro"
	PURLQualifierEpoch  = "epoch"
	PURLQualifierVCSURL = "vcs_url"

	// PURLQualifierUpstream is not in the pURL spec, but is used by grype to perform
	// indirect matching based on source information
	PURLQualifierUpstream = "upstream"
)
const AlpmDBGlob = "**/var/lib/pacman/local/**/desc"
const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
AltRpmDBGlob allows DB matches against the new locations introduced in fedora:{36,37}. See https://github.com/anchore/syft/issues/1077 for the larger context.
const ApkDBGlob = "**/lib/apk/db/installed"
const DpkgDBGlob = "**/var/lib/dpkg/{status,status.d/**}"
const RpmDBGlob = "**/{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}"
RpmDBGlob is the glob pattern used to find RPM DB files. Where:
- /var/lib/rpm/... is the typical path for most distributions
- /usr/share/rpm/... is common for rpm-ostree distributions (coreos-like)
- /usr/lib/sysimage/rpm/... is the location used by recent openSUSE/SUSE releases
- Packages is the legacy Berkeley DB based format
- Packages.db is the "ndb" format used in SUSE
- rpmdb.sqlite is the sqlite format used in Fedora and derivatives
const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"
RpmManifestGlob is used in CBL-Mariner distroless images
Variables ¶
var AllLanguages = []Language{
	CPP,
	Dart,
	Dotnet,
	Elixir,
	Erlang,
	Go,
	Haskell,
	Java,
	JavaScript,
	PHP,
	Python,
	R,
	Ruby,
	Rust,
	Swift,
}
AllLanguages is a set of all programming languages detected by syft.
var AllPkgs = []Type{
	AlpmPkg,
	ApkPkg,
	BinaryPkg,
	CocoapodsPkg,
	ConanPkg,
	DartPubPkg,
	DebPkg,
	DotnetPkg,
	GemPkg,
	GithubActionPkg,
	GithubActionWorkflowPkg,
	GoModulePkg,
	HackagePkg,
	HexPkg,
	JavaPkg,
	JenkinsPluginPkg,
	KbPkg,
	LinuxKernelPkg,
	LinuxKernelModulePkg,
	NixPkg,
	NpmPkg,
	PhpComposerPkg,
	PortagePkg,
	PythonPkg,
	Rpkg,
	RpmPkg,
	RustPkg,
	SwiftPkg,
}
AllPkgs represents all supported package types
Functions ¶
func IsValid ¶ added in v0.47.0
func IsValid(p *Package) bool
IsValid checks whether a package has the minimum necessary info, which is a non-empty name. The nil check was added as a helper because, in this code base, packages often move between callers as pointers. CycloneDX and SPDX define Name as the minimum required info for a valid package:
- https://spdx.github.io/spdx-spec/package-information/#73-package-version-field
- https://cyclonedx.org/docs/1.4/json/#components_items_name
func NewRelationships ¶ added in v0.13.0
func NewRelationships(catalog *Collection) []artifact.Relationship
func PURLQualifiers ¶ added in v0.60.0
func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)
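The following is an added illustration of what a qualifier builder with this signature has to get right; it is not syft's own code and uses only the standard library. The `Release` and `Qualifier` types stand in for `linux.Release` and `packageurl.Qualifier`, `FormatPURL` is a minimal renderer rather than a full pURL encoder, and the "id-versionid" layout of the distro qualifier is an assumption about syft's behaviour (this page only names the key). The security-relevant details are deterministic key order (a reproducible pURL means a reproducible SBOM digest), dropping empty values, and carrying the `upstream` source package so grype can match advisories issued against the source rather than the binary package.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Qualifier keys from this page's pkg.PURLQualifier* constants; "upstream"
// is a grype extension rather than part of the pURL spec.
const (
	qualifierArch     = "arch"
	qualifierDistro   = "distro"
	qualifierEpoch    = "epoch"
	qualifierUpstream = "upstream"
)

// Release stands in for the linux.Release fields used here (ID, VERSION_ID and
// BUILD_ID from /etc/os-release); the real type carries more.
type Release struct {
	ID, VersionID, BuildID string
}

// Qualifier is a key/value pair; packageurl.Qualifiers is a slice of these.
type Qualifier struct {
	Key, Value string
}

// Qualifiers follows the documented signature: caller-supplied variables are
// emitted in sorted key order (so two scans of one artifact give byte-identical
// pURLs and therefore identical SBOM digests), empty values are dropped, and
// the distro qualifier is derived from the release as "<id>-<version-id>",
// falling back to "<id>-<build-id>" and then bare "<id>". The distro format is
// an assumption about syft's behaviour; this page only names the key.
func Qualifiers(vars map[string]string, release *Release) []Qualifier {
	keys := make([]string, 0, len(vars))
	for k := range vars {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var q []Qualifier
	for _, k := range keys {
		if v := vars[k]; v != "" {
			q = append(q, Qualifier{Key: k, Value: v})
		}
	}
	if release != nil && release.ID != "" {
		d := release.ID
		switch {
		case release.VersionID != "":
			d += "-" + release.VersionID
		case release.BuildID != "":
			d += "-" + release.BuildID
		}
		q = append(q, Qualifier{Key: qualifierDistro, Value: d})
	}
	return q
}

// FormatPURL renders pkg:<type>/<namespace>/<name>@<version>?k=v&... with each
// component percent-encoded and the qualifier order preserved as given.
func FormatPURL(typ, namespace, name, version string, q []Qualifier) string {
	var b strings.Builder
	b.WriteString("pkg:" + typ + "/")
	if namespace != "" {
		b.WriteString(url.PathEscape(namespace) + "/")
	}
	b.WriteString(url.PathEscape(name))
	if version != "" {
		b.WriteString("@" + url.PathEscape(version))
	}
	if len(q) > 0 {
		parts := make([]string, 0, len(q))
		for _, kv := range q {
			parts = append(parts, kv.Key+"="+url.QueryEscape(kv.Value))
		}
		b.WriteString("?" + strings.Join(parts, "&"))
	}
	return b.String()
}

func main() {
	// Constructed example: an rpm from Fedora 36 whose source rpm is recorded so
	// grype can match advisories issued against the source package.
	q := Qualifiers(map[string]string{
		qualifierUpstream: "openssl-3.0.5-1.fc36.src.rpm",
		qualifierArch:     "x86_64",
		qualifierEpoch:    "1",
		"vcs_url":         "", // dropped: empty values never become qualifiers
	}, &Release{ID: "fedora", VersionID: "36"})
	fmt.Println(FormatPURL("rpm", "fedora", "openssl-libs", "3.0.5-1.fc36", q))
}
```

Run with `go run` to print the rendered pURL; for the real thing, feed the output of `PURLQualifiers` to `packageurl.NewPackageURL(...).ToString()` from packageurl-go, which also handles the namespace and version escaping this minimal renderer leaves out.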
func RelationshipsByFileOwnership ¶ added in v0.31.0
func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship
RelationshipsByFileOwnership creates a package-to-package relationship based on discovering which packages have evidence locations that overlap with an ownership claim from another package's package manager metadata.
func RelationshipsEvidentBy ¶ added in v0.78.0
func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship
func SortRelationships ¶ added in v0.94.0
func SortRelationships(rels []artifact.Relationship)
SortRelationships takes a set of package-to-package relationships and sorts them in a stable order by name and version. Note: this does not consider package-to-other, other-to-package, or other-to-other relationships. TODO: ideally this should be replaced with a more type-agnostic sort function that resides in the artifact package.
Types ¶
type AlpmDBEntry ¶ added in v0.95.0
type AlpmDBEntry struct {
	BasePackage  string           `mapstructure:"base" json:"basepackage" cyclonedx:"basepackage"`
	Package      string           `mapstructure:"name" json:"package" cyclonedx:"package"`
	Version      string           `mapstructure:"version" json:"version" cyclonedx:"version"`
	Description  string           `mapstructure:"desc" json:"description" cyclonedx:"description"`
	Architecture string           `mapstructure:"arch" json:"architecture" cyclonedx:"architecture"`
	Size         int              `mapstructure:"size" json:"size" cyclonedx:"size"`
	Packager     string           `mapstructure:"packager" json:"packager"`
	URL          string           `mapstructure:"url" json:"url"`
	Validation   string           `mapstructure:"validation" json:"validation"`
	Reason       int              `mapstructure:"reason" json:"reason"`
	Files        []AlpmFileRecord `mapstructure:"files" json:"files"`
	Backup       []AlpmFileRecord `mapstructure:"backup" json:"backup"`
}
AlpmDBEntry is a struct that represents the package data stored in the pacman flat-file store for Arch Linux.
func (AlpmDBEntry) OwnedFiles ¶ added in v0.95.0
func (m AlpmDBEntry) OwnedFiles() (result []string)
type AlpmFileRecord ¶ added in v0.48.0
type AlpmFileRecord struct {
	Path    string        `mapstruture:"path" json:"path,omitempty"`
	Type    string        `mapstructure:"type" json:"type,omitempty"`
	UID     string        `mapstructure:"uid" json:"uid,omitempty"`
	GID     string        `mapstructure:"gid" json:"gid,omitempty"`
	Time    time.Time     `mapstructure:"time" json:"time,omitempty"`
	Size    string        `mapstructure:"size" json:"size,omitempty"`
	Link    string        `mapstructure:"link" json:"link,omitempty"`
	Digests []file.Digest `mapstructure:"digests" json:"digest,omitempty"`
}
type ApkDBEntry ¶ added in v0.95.0
type ApkDBEntry struct {
	Package       string          `mapstructure:"P" json:"package"`
	OriginPackage string          `mapstructure:"o" json:"originPackage" cyclonedx:"originPackage"`
	Maintainer    string          `mapstructure:"m" json:"maintainer"`
	Version       string          `mapstructure:"V" json:"version"`
	Architecture  string          `mapstructure:"A" json:"architecture"`
	URL           string          `mapstructure:"U" json:"url"`
	Description   string          `mapstructure:"T" json:"description"`
	Size          int             `mapstructure:"S" json:"size" cyclonedx:"size"`
	InstalledSize int             `mapstructure:"I" json:"installedSize" cyclonedx:"installedSize"`
	Dependencies  []string        `mapstructure:"D" json:"pullDependencies" cyclonedx:"pullDependencies"`
	Provides      []string        `mapstructure:"p" json:"provides" cyclonedx:"provides"`
	Checksum      string          `mapstructure:"C" json:"pullChecksum" cyclonedx:"pullChecksum"`
	GitCommit     string          `mapstructure:"c" json:"gitCommitOfApkPort" cyclonedx:"gitCommitOfApkPort"`
	Files         []ApkFileRecord `json:"files"`
}
ApkDBEntry represents all captured data for the Alpine Linux package manager flat-file store. See the following sources for more information:
- https://wiki.alpinelinux.org/wiki/Apk_spec
- https://git.alpinelinux.org/apk-tools/tree/src/package.c
- https://git.alpinelinux.org/apk-tools/tree/src/database.c
func (ApkDBEntry) OwnedFiles ¶ added in v0.95.0
func (m ApkDBEntry) OwnedFiles() (result []string)
func (*ApkDBEntry) UnmarshalJSON ¶ added in v0.95.0
func (m *ApkDBEntry) UnmarshalJSON(data []byte) error
type ApkFileRecord ¶
type ApkFileRecord struct {
	Path        string       `json:"path"`
	OwnerUID    string       `json:"ownerUid,omitempty"`
	OwnerGID    string       `json:"ownerGid,omitempty"`
	Permissions string       `json:"permissions,omitempty"`
	Digest      *file.Digest `json:"digest,omitempty"`
}
ApkFileRecord represents a single file listing and its metadata from an APK DB entry (which may have many of these file records).
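The one-letter mapstructure tags on ApkDBEntry are the keys of the `/lib/apk/db/installed` flat file. As an added example (not syft's cataloger code), here is a standard-library parser that populates the same fields and reconstructs ApkFileRecord entries from the stateful file listing. The F:/R:/a:/Z: keys for the file listing come from apk-tools rather than from this page, the digest algorithm label is the one syft reports for apk checksums (an assumption here), and the sample records are constructed with placeholder checksums.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
	"strings"
)

// Digest mirrors file.Digest and FileRecord mirrors pkg.ApkFileRecord.
type Digest struct{ Algorithm, Value string }

type FileRecord struct {
	Path, OwnerUID, OwnerGID, Permissions string
	Digest                                *Digest
}

// Entry holds the fields of pkg.ApkDBEntry; the trailing comments give the
// one-letter keys from that struct's mapstructure tags.
type Entry struct {
	Package, OriginPackage, Maintainer string   // P, o, m
	Version, Architecture, URL         string   // V, A, U
	Description, Checksum, GitCommit   string   // T, C, c
	Size, InstalledSize                int      // S, I
	Dependencies, Provides             []string // D, p (space separated)
	Files                              []FileRecord
}

// ParseInstalled parses the apk "installed" flat file: one "K:value" line per
// field, records separated by a blank line. The file listing is stateful: F:
// sets the current directory, R: adds a file inside it, and the a: (uid:gid:mode)
// and Z: (checksum) lines that follow describe that file. The F/R/a/Z keys are
// apk-tools conventions, not something this page documents.
func ParseInstalled(data string) ([]Entry, error) {
	var entries []Entry
	var cur *Entry
	var strs map[byte]*string // one-letter key -> string field of cur
	var ints map[byte]*int    // one-letter key -> integer field of cur
	var dir string
	for _, line := range strings.Split(data, "\n") {
		if line == "" { // a blank line terminates the record
			if cur != nil {
				entries = append(entries, *cur)
				cur, dir = nil, ""
			}
			continue
		}
		if len(line) < 2 || line[1] != ':' {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		if cur == nil {
			cur = &Entry{}
			strs = map[byte]*string{'P': &cur.Package, 'o': &cur.OriginPackage, 'm': &cur.Maintainer, 'V': &cur.Version,
				'A': &cur.Architecture, 'U': &cur.URL, 'T': &cur.Description, 'C': &cur.Checksum, 'c': &cur.GitCommit}
			ints = map[byte]*int{'S': &cur.Size, 'I': &cur.InstalledSize}
		}
		key, val := line[0], line[2:]
		if dst, ok := strs[key]; ok {
			*dst = val
			continue
		}
		if dst, ok := ints[key]; ok {
			n, err := strconv.Atoi(val)
			if err != nil {
				return nil, fmt.Errorf("record %q, field %c: %w", cur.Package, key, err)
			}
			*dst = n
			continue
		}
		var last *FileRecord // the file an a: or Z: line refers to
		if n := len(cur.Files); n > 0 {
			last = &cur.Files[n-1]
		}
		switch key {
		case 'D':
			cur.Dependencies = strings.Fields(val)
		case 'p':
			cur.Provides = strings.Fields(val)
		case 'F':
			dir = val
		case 'R':
			cur.Files = append(cur.Files, FileRecord{Path: "/" + path.Join(dir, val)})
		case 'a':
			if p := strings.SplitN(val, ":", 3); last != nil && len(p) == 3 {
				last.OwnerUID, last.OwnerGID, last.Permissions = p[0], p[1], p[2]
			}
		case 'Z':
			if last != nil { // "Q1"+base64(sha1); the algorithm label is syft's convention (assumption)
				last.Digest = &Digest{Algorithm: "'Q1'+base64(sha1)", Value: val}
			}
		}
	}
	if cur != nil {
		entries = append(entries, *cur)
	}
	return entries, nil
}

// SampleInstalled is a constructed two-record excerpt; checksums are placeholders.
const SampleInstalled = `C:Q1placeholderPackageChecksum=
P:musl
V:1.2.3-r4
A:x86_64
S:383152
I:622592
T:the musl c library (libc) implementation
o:musl
p:so:libc.musl-x86_64.so.1=1
F:lib
R:ld-musl-x86_64.so.1
a:0:0:755
Z:Q1placeholderFileDigest=

P:busybox
V:1.35.0-r29
A:x86_64
I:962560
o:busybox
D:so:libc.musl-x86_64.so.1
p:/bin/sh cmd:busybox=1.35.0-r29 cmd:sh=1.35.0-r29
F:bin
R:busybox
a:0:0:755
`

func main() {
	entries, err := ParseInstalled(SampleInstalled)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%s@%s origin=%s files=%d\n", e.Package, e.Version, e.OriginPackage, len(e.Files))
	}
}
```

Note that a file record carries a digest only when a Z: line follows it; a missing digest (as for busybox above) means the file cannot be verified against the DB, which is what RelationshipsByFileOwnership and any later integrity check have to live with.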
type BinarySignature ¶ added in v0.95.0
type BinarySignature struct {
Matches []ClassifierMatch `mapstructure:"Matches" json:"matches"`
}
BinarySignature represents a set of matched values within a binary file.
type Catalog (deprecated)
type Cataloger ¶ added in v0.60.0
type Cataloger interface {
	// Name returns a string that uniquely describes a cataloger
	Name() string
	// Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source.
	Catalog(resolver file.Resolver) ([]Package, []artifact.Relationship, error)
}
Cataloger describes behavior for an object to participate in parsing container image or file system contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages for a specific Package Type or ecosystem.
type ClassifierMatch ¶ added in v0.73.0
type ClassifierMatch struct {
	Classifier string        `mapstructure:"Classifier" json:"classifier"`
	Location   file.Location `mapstructure:"Location" json:"location"`
}
ClassifierMatch represents a single matched value within a binary file and the "class" name the search pattern represents.
type CocoaPodfileLockEntry ¶ added in v0.95.0
type CocoaPodfileLockEntry struct {
Checksum string `mapstructure:"checksum" json:"checksum"`
}
CocoaPodfileLockEntry represents a single entry from the "Pods" section of a Podfile.lock file.
type Collection ¶ added in v0.80.0
type Collection struct {
// contains filtered or unexported fields
}
Collection represents a collection of Packages.
func NewCollection ¶ added in v0.80.0
func NewCollection(pkgs ...Package) *Collection
NewCollection returns a new empty Collection
func (*Collection) Add ¶ added in v0.80.0
func (c *Collection) Add(pkgs ...Package)
Add adds the given packages to the collection.
func (*Collection) Delete ¶ added in v0.80.0
func (c *Collection) Delete(ids ...artifact.ID)
func (*Collection) Enumerate ¶ added in v0.80.0
func (c *Collection) Enumerate(types ...Type) <-chan Package
Enumerate all packages for the given type(s), enumerating all packages if no type is specified.
func (*Collection) Package ¶ added in v0.80.0
func (c *Collection) Package(id artifact.ID) *Package
Package returns the package with the given ID.
func (*Collection) PackageCount ¶ added in v0.80.0
func (c *Collection) PackageCount() int
PackageCount returns the total number of packages that have been added.
func (*Collection) Packages ¶ added in v0.80.0
func (c *Collection) Packages(ids []artifact.ID) (result []Package)
Packages returns all packages for the given IDs.
func (*Collection) PackagesByName ¶ added in v0.80.0
func (c *Collection) PackagesByName(name string) []Package
PackagesByName returns all packages that were discovered with a matching name.
func (*Collection) PackagesByPath ¶ added in v0.80.0
func (c *Collection) PackagesByPath(path string) []Package
PackagesByPath returns all packages that were discovered from the given path.
func (*Collection) Sorted ¶ added in v0.80.0
func (c *Collection) Sorted(types ...Type) (pkgs []Package)
Sorted enumerates all packages for the given types sorted by package name. Enumerates all packages if no type is specified.
type ConanLockEntry ¶ added in v0.95.0
type ConanLockEntry struct {
	Ref            string            `json:"ref"`
	PackageID      string            `json:"package_id,omitempty"`
	Prev           string            `json:"prev,omitempty"`
	Requires       []string          `json:"requires,omitempty"`
	BuildRequires  []string          `json:"build_requires,omitempty"`
	PythonRequires []string          `json:"py_requires,omitempty"`
	Options        map[string]string `json:"options,omitempty"`
	Path           string            `json:"path,omitempty"`
	Context        string            `json:"context,omitempty"`
}
ConanLockEntry represents a single "node" entry from a conan.lock file.
type ConanfileEntry ¶ added in v0.95.0
type ConanfileEntry struct {
Ref string `mapstructure:"ref" json:"ref"`
}
ConanfileEntry represents a single "Requires" entry from a conanfile.txt.
type ConaninfoEntry ¶ added in v0.95.0
type ConaninfoEntry struct {
	Ref       string `json:"ref"`
	PackageID string `json:"package_id,omitempty"`
}
ConaninfoEntry represents a single "full_requires" entry from a conaninfo.txt.
type DartPubspecLockEntry ¶ added in v0.95.0
type DartPubspecLockEntry struct {
	Name      string `mapstructure:"name" json:"name"`
	Version   string `mapstructure:"version" json:"version"`
	HostedURL string `mapstructure:"hosted_url" json:"hosted_url,omitempty"`
	VcsURL    string `mapstructure:"vcs_url" json:"vcs_url,omitempty"`
}
DartPubspecLockEntry is a struct that represents a single entry found in the "packages" section in a Dart pubspec.lock file.
type DotnetDepsEntry ¶ added in v0.95.0
type DotnetDepsEntry struct {
	Name     string `mapstructure:"name" json:"name"`
	Version  string `mapstructure:"version" json:"version"`
	Path     string `mapstructure:"path" json:"path"`
	Sha512   string `mapstructure:"sha512" json:"sha512"`
	HashPath string `mapstructure:"hashPath" json:"hashPath"`
}
DotnetDepsEntry is a struct that represents a single entry found in the "libraries" section in a .NET [*.]deps.json file.
type DotnetPortableExecutableEntry ¶ added in v0.95.0
type DotnetPortableExecutableEntry struct {
	AssemblyVersion string `json:"assemblyVersion"`
	LegalCopyright  string `json:"legalCopyright"`
	Comments        string `json:"comments,omitempty"`
	InternalName    string `json:"internalName,omitempty"`
	CompanyName     string `json:"companyName"`
	ProductName     string `json:"productName"`
	ProductVersion  string `json:"productVersion"`
}
DotnetPortableExecutableEntry is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.
type DpkgDBEntry ¶ added in v0.95.0
type DpkgDBEntry struct {
	Package       string `json:"package"`
	Source        string `json:"source" cyclonedx:"source"`
	Version       string `json:"version"`
	SourceVersion string `json:"sourceVersion" cyclonedx:"sourceVersion"`

	// Architecture can include the following sets of values depending on context and the control file used:
	//  - a unique single word identifying a Debian machine architecture as described in Architecture specification string (https://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-arch-spec).
	//  - an architecture wildcard identifying a set of Debian machine architectures, see Architecture wildcards (https://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-arch-wildcard-spec). any matches all Debian machine architectures and is the most frequently used.
	//  - "all", which indicates an architecture-independent package.
	//  - "source", which indicates a source package.
	Architecture string `json:"architecture"`

	// Maintainer is the package maintainer’s name and email address. The name must come first, then the email
	// address inside angle brackets <> (in RFC822 format).
	Maintainer string `json:"maintainer"`

	InstalledSize int `json:"installedSize" cyclonedx:"installedSize"`

	// Description contains a description of the binary package, consisting of two parts, the synopsis or the short
	// description, and the long description (in a multiline format).
	Description string `hash:"ignore" json:"-"`

	// Provides is a virtual package that is provided by one or more packages. A virtual package is one which appears
	// in the Provides control field of another package. The effect is as if the package(s) which provide a particular
	// virtual package name had been listed by name everywhere the virtual package name appears. (See also Virtual packages)
	Provides []string `json:"provides,omitempty"`

	// Depends declares an absolute dependency. A package will not be configured unless all of the packages listed in
	// its Depends field have been correctly configured (unless there is a circular dependency).
	Depends []string `json:"depends,omitempty"`

	// PreDepends is like Depends, except that it also forces dpkg to complete installation of the packages named
	// before even starting the installation of the package which declares the pre-dependency.
	PreDepends []string `json:"preDepends,omitempty"`

	Files []DpkgFileRecord `json:"files"`
}
DpkgDBEntry represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section. Additional information about how these fields are used can be found at
- https://www.debian.org/doc/debian-policy/ch-controlfields.html
- https://www.debian.org/doc/debian-policy/ch-relationships.html
- https://www.debian.org/doc/debian-policy/ch-binary.html#s-virtual-pkg
- https://www.debian.org/doc/debian-policy/ch-relationships.html#s-virtual
func (DpkgDBEntry) OwnedFiles ¶ added in v0.95.0
func (m DpkgDBEntry) OwnedFiles() (result []string)
type DpkgFileRecord ¶ added in v0.7.0
type DpkgFileRecord struct {
	Path         string       `json:"path"`
	Digest       *file.Digest `json:"digest,omitempty"`
	IsConfigFile bool         `json:"isConfigFile"`
}
DpkgFileRecord represents a single file attributed to a debian package.
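To show how the DpkgDBEntry fields above are populated from `/var/lib/dpkg/status`, here is an added standard-library parser; it is example code, not syft's dpkg cataloger. It handles the two points a vulnerability matcher cares about: the `Source:` field is split into Source and SourceVersion, with an omitted source version defaulting to the binary version as Debian policy specifies, and relationship fields keep each alternative group (`a | b`) together so a `Depends` entry is never mis-split. The file list (DpkgFileRecord) lives in `/var/lib/dpkg/info/*.list` and `*.md5sums` and is not covered here; the sample stanzas are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Entry carries the pkg.DpkgDBEntry fields that come straight from the status file.
type Entry struct {
	Package, Source, Version, SourceVersion string
	Architecture, Maintainer, Description   string
	InstalledSize                           int
	Provides, Depends, PreDepends           []string
}

// sourceRe splits "Source: name (version)"; the parenthesised version is optional.
var sourceRe = regexp.MustCompile(`^(\S+)(?:\s+\((.+)\))?$`)

// splitRelations splits a comma separated relationship field, keeping each
// alternative group ("a (>= 1) | b") intact as one element.
func splitRelations(v string) []string {
	if strings.TrimSpace(v) == "" {
		return nil
	}
	var out []string
	for _, p := range strings.Split(v, ",") {
		out = append(out, strings.TrimSpace(p))
	}
	return out
}

func entryFromFields(f map[string]string) (Entry, error) {
	e := Entry{
		Package: f["Package"], Version: f["Version"], Architecture: f["Architecture"],
		Maintainer: f["Maintainer"], Description: f["Description"],
		Provides: splitRelations(f["Provides"]), Depends: splitRelations(f["Depends"]),
		PreDepends: splitRelations(f["Pre-Depends"]),
	}
	if e.Package == "" {
		return e, fmt.Errorf("stanza without a Package field")
	}
	if m := sourceRe.FindStringSubmatch(f["Source"]); m != nil {
		e.Source, e.SourceVersion = m[1], m[2]
		if e.SourceVersion == "" {
			e.SourceVersion = e.Version // Debian policy: omitted source version equals the binary version
		}
	}
	if s := f["Installed-Size"]; s != "" {
		n, err := strconv.Atoi(s)
		if err != nil {
			return e, fmt.Errorf("%s: bad Installed-Size %q", e.Package, s)
		}
		e.InstalledSize = n
	}
	return e, nil
}

// ParseStatus parses the dpkg status file: RFC822-style "Field: value" stanzas
// separated by blank lines, with continuation lines starting with whitespace.
func ParseStatus(data string) ([]Entry, error) {
	var entries []Entry
	fields := map[string]string{}
	last := ""
	flush := func() error {
		if len(fields) == 0 {
			return nil
		}
		e, err := entryFromFields(fields)
		if err != nil {
			return err
		}
		entries = append(entries, e)
		fields, last = map[string]string{}, ""
		return nil
	}
	for _, line := range strings.Split(data, "\n") {
		switch {
		case strings.TrimSpace(line) == "":
			if err := flush(); err != nil {
				return nil, err
			}
		case line[0] == ' ' || line[0] == '\t':
			if last == "" {
				return nil, fmt.Errorf("continuation line without a field: %q", line)
			}
			fields[last] += "\n" + strings.TrimSpace(line)
		default:
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 {
				return nil, fmt.Errorf("malformed line %q", line)
			}
			last = kv[0]
			fields[last] = strings.TrimSpace(kv[1])
		}
	}
	return entries, flush()
}

// SampleStatus is constructed to resemble a real status file; the third stanza
// shows a binNMU-style rebuild whose source version differs from the binary one.
const SampleStatus = `Package: libssl3
Status: install ok installed
Installed-Size: 5750
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Source: openssl
Version: 3.0.2-0ubuntu1.10
Depends: libc6 (>= 2.34), debconf (>= 0.5) | debconf-2.0
Description: Secure Sockets Layer toolkit - shared libraries
 This package is part of the OpenSSL project's implementation of the SSL
 and TLS cryptographic protocols.

Package: debconf
Status: install ok installed
Installed-Size: 491
Architecture: all
Version: 1.5.79ubuntu1
Provides: debconf-2.0
Pre-Depends: perl-base (>= 5.20.1-3~)
Description: Debian configuration management system

Package: libexample1
Status: install ok installed
Installed-Size: 120
Architecture: amd64
Source: example (1.0-1)
Version: 1.0-1+b1
Description: constructed rebuild example
`

func main() {
	entries, err := ParseStatus(SampleStatus)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%s %s (source %s %s)\n", e.Package, e.Version, e.Source, e.SourceVersion)
	}
}
```

The `Status:` field is parsed but not kept, matching the struct on this page; a practitioner scanning a live system should still check it, since stanzas with `deinstall` or `config-files` status describe packages that are no longer installed.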
type ElixirMixLockEntry ¶ added in v0.95.0
type ElixirMixLockEntry struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}
ElixirMixLockEntry is a struct that represents a single entry in a mix.lock file
type ErlangRebarLockEntry ¶ added in v0.95.0
type ErlangRebarLockEntry struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}
ErlangRebarLockEntry represents a single package entry from the "deps" section within an Erlang rebar.lock file.
type FileOwner ¶ added in v0.24.0
type FileOwner interface {
OwnedFiles() []string
}
FileOwner is the interface that wraps OwnedFiles method.
OwnedFiles returns a list of files that a piece of package Metadata indicates are owned by the package.
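The FileOwner interface is what RelationshipsByFileOwnership (documented above) consumes. The following added example, which is not syft's implementation, shows the whole mechanism end to end on constructed data with reduced stand-ins for pkg.Package and artifact.Relationship: metadata that implements OwnedFiles is indexed by path, and any other package whose evidence location falls on an owned path is linked to its owner. The relationship type string is the one syft's artifact package uses for this case, assumed here since this page does not show it.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// FileOwner is the interface documented on this page: package metadata that
// knows which paths its package manager installed.
type FileOwner interface {
	OwnedFiles() []string
}

// dpkgMeta stands in for pkg.DpkgDBEntry: it owns the files in its file list.
type dpkgMeta struct{ files []string }

func (m dpkgMeta) OwnedFiles() []string { return m.files }

// Package is a reduced pkg.Package: an ID, a name, the locations that led to
// its discovery, and metadata that may or may not implement FileOwner.
type Package struct {
	ID, Name  string
	Locations []string
	Metadata  interface{}
}

// Relationship is a reduced artifact.Relationship. The type string is the one
// syft's artifact package uses for this case (assumption; not shown on this page).
type Relationship struct{ From, To, Type string }

const ownershipByFileOverlap = "ownership-by-file-overlap"

// relationshipsByFileOwnership implements what the documentation describes:
// index every path a package claims to own, then for each package ask whether
// one of its evidence locations is claimed by some *other* package. The owner
// is the source of the relationship, the package found inside it the target.
func relationshipsByFileOwnership(pkgs []Package) []Relationship {
	ownerByPath := map[string]string{} // cleaned path -> owning package ID
	for _, p := range pkgs {
		owner, ok := p.Metadata.(FileOwner)
		if !ok {
			continue
		}
		for _, f := range owner.OwnedFiles() {
			ownerByPath[path.Clean(f)] = p.ID
		}
	}
	seen := map[Relationship]bool{}
	var rels []Relationship
	for _, p := range pkgs {
		for _, loc := range p.Locations {
			ownerID, ok := ownerByPath[path.Clean(loc)]
			if !ok || ownerID == p.ID {
				continue // unowned path, or a package trivially owning its own evidence
			}
			r := Relationship{From: ownerID, To: p.ID, Type: ownershipByFileOverlap}
			if !seen[r] {
				seen[r] = true
				rels = append(rels, r)
			}
		}
	}
	sort.Slice(rels, func(i, j int) bool { // stable output, in the spirit of SortRelationships
		if rels[i].From != rels[j].From {
			return rels[i].From < rels[j].From
		}
		return rels[i].To < rels[j].To
	})
	return rels
}

// sample is a constructed scenario: the OS package python3-requests (dpkg)
// installs an egg-info directory that the python cataloger later reports as
// its own package "requests". The overlap identifies the deb as the origin, so
// a finding against requests can be traced to the distro package that ships it.
func sample() []Package {
	return []Package{
		{ID: "deb:python3-requests", Name: "python3-requests",
			Locations: []string{"/var/lib/dpkg/status"},
			Metadata: dpkgMeta{files: []string{
				"/usr/lib/python3/dist-packages/requests/__init__.py",
				"/us/../usr/lib/python3/dist-packages/requests-2.28.1.egg-info/PKG-INFO", // unclean path on purpose
			}}},
		{ID: "python:requests", Name: "requests",
			Locations: []string{"/usr/lib/python3/dist-packages/requests-2.28.1.egg-info/PKG-INFO"}},
		{ID: "python:urllib3", Name: "urllib3", // installed by pip, owned by no OS package
			Locations: []string{"/usr/lib/python3/dist-packages/urllib3-1.26.12.dist-info/METADATA"}},
	}
}

func main() {
	for _, r := range relationshipsByFileOwnership(sample()) {
		fmt.Printf("%s -[%s]-> %s\n", r.From, r.Type, r.To)
	}
}
```

Paths are normalised with path.Clean on both sides before comparison so that a file list written with redundant separators or `..` segments still matches the evidence location; without that step the overlap is silently missed and the language package shows up as an unexplained duplicate.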
type GolangBinaryBuildinfoEntry ¶ added in v0.95.0
type GolangBinaryBuildinfoEntry struct {
	BuildSettings     map[string]string `json:"goBuildSettings,omitempty" cyclonedx:"goBuildSettings"`
	GoCompiledVersion string            `json:"goCompiledVersion" cyclonedx:"goCompiledVersion"`
	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
	GoCryptoSettings  []string          `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`
}
GolangBinaryBuildinfoEntry represents all captured data for a Golang binary
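Everything in this struct comes from the build information the Go toolchain embeds in a module-built binary, which the standard library exposes through `runtime/debug.ReadBuildInfo` (for the running program) and `debug/buildinfo.ReadFile` (for a binary on disk). The added example below, not syft's cataloger, maps a `debug.BuildInfo` onto one entry per module. It follows what the struct tags suggest: build settings are attached to the main module only, and the H1Digest of a dependency is its go.sum hash. Reporting a replaced dependency under its replacement path and version, and the BoringCrypto heuristic in `cryptoSettings`, are assumptions made here, and the sample build info is constructed with placeholder sums.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// Entry mirrors pkg.GolangBinaryBuildinfoEntry.
type Entry struct {
	BuildSettings     map[string]string
	GoCompiledVersion string
	Architecture      string
	H1Digest          string
	MainModule        string
	GoCryptoSettings  []string
}

// Module is a reduced pkg.Package: just name, version and the binary's metadata.
type Module struct {
	Name, Version string
	Entry         Entry
}

// cryptoSettings is a heuristic, not syft's exact logic: Go marks a BoringCrypto
// build in its version string ("go1.21.5 X:boringcrypto") and in the
// GOEXPERIMENT build setting.
func cryptoSettings(goVersion string, settings map[string]string) []string {
	var out []string
	if strings.Contains(goVersion, "X:boringcrypto") || strings.Contains(settings["GOEXPERIMENT"], "boringcrypto") {
		out = append(out, "boringcrypto")
	}
	return out
}

// ModulesFromBuildInfo turns the build info embedded in a Go binary into one
// entry per module: the main module first, then every dependency. A replaced
// dependency is reported under its replacement path/version/sum, because that
// is what was actually compiled in (assumption about syft's behaviour). Build
// settings are attached only to the main module, as the omitempty tag on
// goBuildSettings suggests.
func ModulesFromBuildInfo(bi *debug.BuildInfo) []Module {
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	arch := settings["GOARCH"]
	mods := []Module{{
		Name: bi.Main.Path, Version: bi.Main.Version,
		Entry: Entry{
			BuildSettings: settings, GoCompiledVersion: bi.GoVersion, Architecture: arch,
			H1Digest: bi.Main.Sum, MainModule: bi.Main.Path,
			GoCryptoSettings: cryptoSettings(bi.GoVersion, settings),
		},
	}}
	for _, d := range bi.Deps {
		m := d
		if d.Replace != nil {
			m = d.Replace
		}
		mods = append(mods, Module{
			Name: m.Path, Version: m.Version,
			Entry: Entry{GoCompiledVersion: bi.GoVersion, Architecture: arch, H1Digest: m.Sum, MainModule: bi.Main.Path},
		})
	}
	return mods
}

// SampleBuildInfo is constructed; the h1 sums are placeholders, not real hashes.
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.21.5",
		Path:      "example.com/app/cmd/app",
		Main:      debug.Module{Path: "example.com/app", Version: "(devel)"},
		Deps: []*debug.Module{
			{Path: "golang.org/x/crypto", Version: "v0.14.0", Sum: "h1:placeholder-sum-for-x-crypto="},
			{Path: "github.com/upstream/lib", Version: "v1.0.0",
				Replace: &debug.Module{Path: "github.com/fork/lib", Version: "v1.0.1", Sum: "h1:placeholder-sum-for-fork="}},
		},
		Settings: []debug.BuildSetting{
			{Key: "GOARCH", Value: "amd64"}, {Key: "GOOS", Value: "linux"},
			{Key: "vcs.revision", Value: "0123456789abcdef0123456789abcdef01234567"},
			{Key: "vcs.modified", Value: "true"}, // built from a dirty tree: worth flagging in review
		},
	}
}

func main() {
	for _, m := range ModulesFromBuildInfo(SampleBuildInfo()) {
		fmt.Printf("%-28s %-10s %s\n", m.Name, m.Version, m.Entry.H1Digest)
	}
	if self, ok := debug.ReadBuildInfo(); ok { // the running binary itself, when built with module support
		fmt.Printf("this binary: %d modules, %s\n", len(ModulesFromBuildInfo(self)), self.GoVersion)
	}
}
```

Two things in the sample are worth a reviewer's attention even though the struct does not single them out: a main module version of `(devel)` means the binary was not built from a tagged module, and `vcs.modified=true` means the working tree had uncommitted changes, so the recorded `vcs.revision` does not fully describe the source that was compiled.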
type GolangModuleEntry ¶ added in v0.95.0
type GolangModuleEntry struct {
H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}
GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum
type HackageStackYamlEntry ¶ added in v0.95.0
type HackageStackYamlEntry struct {
PkgHash string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`
}
HackageStackYamlEntry represents a single entry from the "extra-deps" section of a stack.yaml file.
type HackageStackYamlLockEntry ¶ added in v0.95.0
type HackageStackYamlLockEntry struct { PkgHash string `mapstructure:"pkgHash" json:"pkgHash,omitempty"` SnapshotURL string `mapstructure:"snapshotURL" json:"snapshotURL,omitempty"` }
HackageStackYamlLockEntry represents a single entry from the "packages" section of a stack.yaml.lock file.
type JavaArchive ¶ added in v0.95.0
type JavaArchive struct {
	VirtualPath    string             `json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars
	Manifest       *JavaManifest      `mapstructure:"Manifest" json:"manifest,omitempty"`
	PomProperties  *JavaPomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"`
	PomProject     *JavaPomProject    `mapstructure:"PomProject" json:"pomProject,omitempty"`
	ArchiveDigests []file.Digest      `hash:"ignore" json:"digest,omitempty"`
	Parent         *Package           `hash:"ignore" json:"-"` // note: the parent cannot be included in the minimal definition of uniqueness since this field is not reproducible in an encode-decode cycle (is lossy).
}
JavaArchive encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.
type JavaManifest ¶
type JavaManifest struct {
	Main          map[string]string            `json:"main,omitempty"`
	NamedSections map[string]map[string]string `json:"namedSections,omitempty"`
}
JavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.
type JavaPomParent ¶ added in v0.95.0
type JavaPomParent struct {
	GroupID    string `json:"groupId"`
	ArtifactID string `json:"artifactId"`
	Version    string `json:"version"`
}
JavaPomParent contains the fields within the <parent> tag in a pom.xml file
type JavaPomProject ¶ added in v0.95.0
type JavaPomProject struct {
	Path        string         `json:"path"`
	Parent      *JavaPomParent `json:"parent,omitempty"`
	GroupID     string         `json:"groupId"`
	ArtifactID  string         `json:"artifactId"`
	Version     string         `json:"version"`
	Name        string         `json:"name"`
	Description string         `json:"description,omitempty"`
	URL         string         `json:"url,omitempty"`
}
JavaPomProject represents fields of interest extracted from a Java archive's pom.xml file. See https://maven.apache.org/ref/3.6.3/maven-model/maven.html for more details.
type JavaPomProperties ¶ added in v0.95.0
type JavaPomProperties struct {
	Path       string            `mapstructure:"path" json:"path"`
	Name       string            `mapstructure:"name" json:"name"`
	GroupID    string            `mapstructure:"groupId" json:"groupId" cyclonedx:"groupID"`
	ArtifactID string            `mapstructure:"artifactId" json:"artifactId" cyclonedx:"artifactID"`
	Version    string            `mapstructure:"version" json:"version"`
	Scope      string            `mapstructure:"scope" json:"scope,omitempty"`
	Extra      map[string]string `mapstructure:",remain" json:"extraFields,omitempty"`
}
JavaPomProperties represents the fields of interest extracted from a Java archive's pom.properties file.
func (JavaPomProperties) PkgTypeIndicated ¶ added in v0.95.0
func (p JavaPomProperties) PkgTypeIndicated() Type
PkgTypeIndicated returns the package Type indicated by the data contained in the JavaPomProperties.
type Language ¶
type Language string
Language represents a single programming language.
const (
	// the full set of supported programming languages
	UnknownLanguage Language = ""
	CPP             Language = "c++"
	Dart            Language = "dart"
	Dotnet          Language = "dotnet"
	Elixir          Language = "elixir"
	Erlang          Language = "erlang"
	Go              Language = "go"
	Haskell         Language = "haskell"
	Java            Language = "java"
	JavaScript      Language = "javascript"
	PHP             Language = "php"
	Python          Language = "python"
	R               Language = "R"
	Ruby            Language = "ruby"
	Rust            Language = "rust"
	Swift           Language = "swift"
)
func LanguageByName ¶ added in v0.38.0
func LanguageFromPURL ¶ added in v0.37.0
type License ¶ added in v0.81.0
type License struct {
	Value          string
	SPDXExpression string
	Type           license.Type
	URLs           []string         `hash:"ignore"`
	Locations      file.LocationSet `hash:"ignore"`
}
License represents an SPDX expression or license value extracted from a package's metadata. URLs and Locations are ignored for hashing because those fields are merged across equal licenses: a License is uniquely identified by the combination of value, expression and type, and its sources are always merged as additional evidence of where it was found and how it was sourced. This differs from how packages are treated, where paths are considered in order to decide whether two packages should be kept separate; for licenses we are only looking for evidence of where a license was declared or concluded for a given package.
func NewLicense ¶ added in v0.81.0
func NewLicense(value string) License
func NewLicenseFromFields ¶ added in v0.93.0
func NewLicenseFromFields(value, url string, location *file.Location) License
func NewLicenseFromLocations ¶ added in v0.81.0
func NewLicenseFromLocations(value string, locations ...file.Location) License
func NewLicenseFromType ¶ added in v0.81.0
func NewLicenseFromType(value string, t license.Type) License
func NewLicenseFromURLs ¶ added in v0.81.0
func NewLicenseFromURLs(value string, urls ...string) License
func NewLicensesFromLocation ¶ added in v0.81.0
func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)
func NewLicensesFromValues ¶ added in v0.81.0
func NewLicensesFromValues(values ...string) (licenses []License)
func (License) Merge ¶ added in v0.81.0
Merge two licenses into a new license object. If the merge is not possible due to unmergeable fields (e.g. different values for Value, SPDXExpression, Type, or any non-collection type) an error is returned. TODO: this is a bit of a hack to not infinitely recurse when hashing a license
type LicenseSet ¶ added in v0.81.0
type LicenseSet struct {
// contains filtered or unexported fields
}
func NewLicenseSet ¶ added in v0.81.0
func NewLicenseSet(licenses ...License) (s LicenseSet)
func (*LicenseSet) Add ¶ added in v0.81.0
func (s *LicenseSet) Add(licenses ...License)
func (LicenseSet) Empty ¶ added in v0.81.0
func (s LicenseSet) Empty() bool
func (LicenseSet) Hash ¶ added in v0.81.0
func (s LicenseSet) Hash() (uint64, error)
func (LicenseSet) ToSlice ¶ added in v0.81.0
func (s LicenseSet) ToSlice() []License
type LinuxKernel ¶ added in v0.95.0
type LinuxKernel struct {
	Name            string `mapstructure:"name" json:"name" cyclonedx:"name"`
	Architecture    string `mapstructure:"architecture" json:"architecture" cyclonedx:"architecture"`
	Version         string `mapstructure:"version" json:"version" cyclonedx:"version"`
	ExtendedVersion string `mapstructure:"extendedVersion" json:"extendedVersion,omitempty" cyclonedx:"extendedVersion"`
	BuildTime       string `mapstructure:"buildTime" json:"buildTime,omitempty" cyclonedx:"buildTime"`
	Author          string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	Format          string `mapstructure:"format" json:"format,omitempty" cyclonedx:"format"`
	RWRootFS        bool   `mapstructure:"rwRootFS" json:"rwRootFS,omitempty" cyclonedx:"rwRootFS"`
	SwapDevice      int    `mapstructure:"swapDevice" json:"swapDevice,omitempty" cyclonedx:"swapDevice"`
	RootDevice      int    `mapstructure:"rootDevice" json:"rootDevice,omitempty" cyclonedx:"rootDevice"`
	VideoMode       string `mapstructure:"videoMode" json:"videoMode,omitempty" cyclonedx:"videoMode"`
}
LinuxKernel represents all captured data for a Linux kernel
type LinuxKernelModule ¶ added in v0.95.0
type LinuxKernelModule struct {
	Name          string                                `mapstructure:"name" json:"name,omitempty" cyclonedx:"name"`
	Version       string                                `mapstructure:"version" json:"version,omitempty" cyclonedx:"version"`
	SourceVersion string                                `mapstructure:"sourceVersion" json:"sourceVersion,omitempty" cyclonedx:"sourceVersion"`
	Path          string                                `mapstructure:"path" json:"path,omitempty" cyclonedx:"path"`
	Description   string                                `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
	Author        string                                `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	License       string                                `mapstructure:"license" json:"license,omitempty" cyclonedx:"license"`
	KernelVersion string                                `mapstructure:"kernelVersion" json:"kernelVersion,omitempty" cyclonedx:"kernelVersion"`
	VersionMagic  string                                `mapstructure:"versionMagic" json:"versionMagic,omitempty" cyclonedx:"versionMagic"`
	Parameters    map[string]LinuxKernelModuleParameter `mapstructure:"parameters" json:"parameters,omitempty" cyclonedx:"parameters"`
}
type LinuxKernelModuleParameter ¶ added in v0.78.0
type MicrosoftKbPatch ¶ added in v0.95.0
type MicrosoftKbPatch struct {
	ProductID string `toml:"product_id" json:"product_id"`
	Kb        string `toml:"kb" json:"kb"`
}
MicrosoftKbPatch is slightly odd in how it is expected to map onto data. This is critical to grasp because there is no MSRC cataloger. The `ProductID` field is expected to be the MSRC Product ID, for example: "Windows 10 Version 1703 for 32-bit Systems". `Kb` is expected to be the actual KB number, for example "5001028"
type NixStoreEntry ¶ added in v0.95.0
type NixStoreEntry struct {
	// OutputHash is the prefix of the nix store basename path
	OutputHash string `mapstructure:"outputHash" json:"outputHash"`

	// Output allows for optionally specifying the specific nix package output this package represents (for packages that support multiple outputs).
	// Note: the default output for a package is an empty string, so will not be present in the output.
	Output string `mapstructure:"output" json:"output,omitempty"`

	// Files is a listing of files that are under the nix/store path for this package
	Files []string `mapstructure:"files" json:"files"`
}
func (NixStoreEntry) OwnedFiles ¶ added in v0.95.0
func (m NixStoreEntry) OwnedFiles() (result []string)
type NpmPackage ¶ added in v0.95.0
type NpmPackage struct {
	Name        string `mapstructure:"name" json:"name"`
	Version     string `mapstructure:"version" json:"version"`
	Author      string `mapstructure:"author" json:"author"`
	Homepage    string `mapstructure:"homepage" json:"homepage"`
	Description string `mapstructure:"description" json:"description"`
	URL         string `mapstructure:"url" json:"url"`
	Private     bool   `mapstructure:"private" json:"private"`
}
NpmPackage represents the contents of a javascript package.json file.
type NpmPackageLockEntry ¶ added in v0.95.0
type NpmPackageLockEntry struct {
	Resolved  string `mapstructure:"resolved" json:"resolved"`
	Integrity string `mapstructure:"integrity" json:"integrity"`
}
NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.
type Package ¶
type Package struct {
	Name      string                                              // the package name
	Version   string                                              // the version of the package
	FoundBy   string           `hash:"ignore" cyclonedx:"foundBy"` // the specific cataloger that discovered this package
	Locations file.LocationSet                                    // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package)
	Licenses  LicenseSet                                          // licenses discovered with the package metadata
	Language  Language         `hash:"ignore" cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc)
	Type      Type             `cyclonedx:"type"`                 // the package type (e.g. Npm, Yarn, Python, Rpm, Deb, etc)
	CPEs      []cpe.CPE        `hash:"ignore"`                    // all possible Common Platform Enumerators (note: this is NOT included in the definition of the ID since all fields on a CPE are derived from other fields)
	PURL      string           `hash:"ignore"`                    // the Package URL (see https://github.com/package-url/purl-spec)
	Metadata  interface{}                                         // additional data found while parsing the package source
	// contains filtered or unexported fields
}
Package represents an application or library that has been bundled into a distributable format. TODO: if we ignore FoundBy for ID generation should we merge the field to show it was found in two places?
func (*Package) OverrideID (added in v0.45.0)
type PhpComposerAuthors (added in v0.36.0)
type PhpComposerExternalReference (added in v0.36.0)
type PhpComposerInstalledEntry (added in v0.95.0)
type PhpComposerInstalledEntry PhpComposerLockEntry
PhpComposerInstalledEntry represents a single package entry from a composer v1/v2 "installed.json" file (very similar to a composer.lock file).
type PhpComposerLockEntry (added in v0.95.0)
type PhpComposerLockEntry struct {
	Name            string                       `json:"name"`
	Version         string                       `json:"version"`
	Source          PhpComposerExternalReference `json:"source"`
	Dist            PhpComposerExternalReference `json:"dist"`
	Require         map[string]string            `json:"require,omitempty"`
	Provide         map[string]string            `json:"provide,omitempty"`
	RequireDev      map[string]string            `json:"require-dev,omitempty"`
	Suggest         map[string]string            `json:"suggest,omitempty"`
	License         []string                     `json:"license,omitempty"`
	Type            string                       `json:"type,omitempty"`
	NotificationURL string                       `json:"notification-url,omitempty"`
	Bin             []string                     `json:"bin,omitempty"`
	Authors         []PhpComposerAuthors         `json:"authors,omitempty"`
	Description     string                       `json:"description,omitempty"`
	Homepage        string                       `json:"homepage,omitempty"`
	Keywords        []string                     `json:"keywords,omitempty"`
	Time            string                       `json:"time,omitempty"`
}
PhpComposerLockEntry represents a single package entry found from a composer.lock file.
type PortageEntry (added in v0.95.0)
type PortageEntry struct {
	InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
	Files         []PortageFileRecord `json:"files"`
}
PortageEntry represents a single package entry in the portage DB flat-file store.
func (PortageEntry) OwnedFiles (added in v0.95.0)
func (m PortageEntry) OwnedFiles() (result []string)
type PortageFileRecord (added in v0.51.0)
type PortageFileRecord struct {
	Path   string       `json:"path"`
	Digest *file.Digest `json:"digest,omitempty"`
}
PortageFileRecord represents a single file attributed to a portage package.
type PythonDirectURLOriginInfo (added in v0.34.0)
type PythonFileDigest (added in v0.8.0)
PythonFileDigest represents the file metadata for a single file attributed to a python package.
type PythonFileRecord (added in v0.4.0)
type PythonFileRecord struct {
	Path   string            `json:"path"`
	Digest *PythonFileDigest `json:"digest,omitempty"`
	Size   string            `json:"size,omitempty"`
}
PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package.
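A RECORD file is CSV with one row per installed file, "path,algorithm=digest,size", where the digest is urlsafe base64 without padding and the RECORD row itself carries empty digest and size columns. The parser below is an added example rather than syft's own cataloger code; it redeclares PythonFileRecord locally and, since PythonFileDigest's fields are not shown on this page, assumes them to be Algorithm and Value.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"io"
	"strings"
)

// PythonFileRecord mirrors the struct documented above; PythonFileDigest's fields are not shown
// on this page, so Algorithm and Value are assumed names (redeclared here to avoid importing syft).
type PythonFileDigest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

type PythonFileRecord struct {
	Path   string            `json:"path"`
	Digest *PythonFileDigest `json:"digest,omitempty"`
	Size   string            `json:"size,omitempty"`
}

// ParseRecord reads a wheel or egg RECORD file: one CSV row per installed file in the form
// "path,algorithm=digest,size". The RECORD file lists itself with empty digest and size columns,
// so both are optional, but a present digest must be "algo=value". The value is kept as written
// (urlsafe base64 without padding); anyone verifying files decodes it with base64.RawURLEncoding.
func ParseRecord(r io.Reader) ([]PythonFileRecord, error) {
	cr := csv.NewReader(r)
	cr.FieldsPerRecord = 3 // csv.Reader rejects rows with any other column count
	var out []PythonFileRecord
	for n := 1; ; n++ {
		row, err := cr.Read()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, fmt.Errorf("RECORD row %d: %w", n, err)
		}
		rec := PythonFileRecord{Path: row[0], Size: row[2]}
		if rec.Path == "" {
			return nil, fmt.Errorf("RECORD row %d: empty path", n)
		}
		if row[1] != "" {
			algo, value, ok := strings.Cut(row[1], "=")
			if !ok || algo == "" || value == "" {
				return nil, fmt.Errorf("RECORD row %d: malformed digest %q", n, row[1])
			}
			rec.Digest = &PythonFileDigest{Algorithm: algo, Value: value}
		}
		out = append(out, rec)
	}
}

func main() {
	// Constructed RECORD content, not from a real wheel; the digest is sha256 of an empty file.
	recs, err := ParseRecord(strings.NewReader("tool/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0\ntool-1.0.dist-info/RECORD,,\n"))
	fmt.Println(len(recs), err)
}
```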
type PythonPackage (added in v0.95.0)
type PythonPackage struct {
	Name                 string                     `json:"name" mapstruct:"Name"`
	Version              string                     `json:"version" mapstruct:"Version"`
	Author               string                     `json:"author" mapstruct:"Author"`
	AuthorEmail          string                     `json:"authorEmail" mapstruct:"Authoremail"`
	Platform             string                     `json:"platform" mapstruct:"Platform"`
	Files                []PythonFileRecord         `json:"files,omitempty"`
	SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
	TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
	DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
}
PythonPackage represents all captured data for a python egg or wheel package (specifically as outlined in the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/). Historically these were defined in PEPs 345, 314, and 241, but have been superseded by PEP 566. This means that this struct can (partially) express at least versions 1.0, 1.1, 1.2, 2.1, 2.2, and 2.3 of the metadata format.
func (PythonPackage) OwnedFiles (added in v0.95.0)
func (m PythonPackage) OwnedFiles() (result []string)
type PythonPipfileLockEntry (added in v0.95.0)
type PythonPipfileLockEntry struct {
	Hashes []string `mapstructure:"hashes" json:"hashes"`
	Index  string   `mapstructure:"index" json:"index"`
}
PythonPipfileLockEntry represents a single package entry within a Pipfile.lock file.
type PythonRequirementsEntry (added in v0.95.0)
type PythonRequirementsEntry struct {
	Name              string   `json:"name" mapstruct:"Name"`
	Extras            []string `json:"extras,omitempty" mapstruct:"Extras"`
	VersionConstraint string   `json:"versionConstraint" mapstruct:"VersionConstraint"`
	URL               string   `json:"url,omitempty" mapstruct:"URL"`
	Markers           string   `json:"markers,omitempty" mapstruct:"Markers"`
}
PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.
type RDescription (added in v0.95.0)
type RDescription struct {
	/* Fields chosen by:
	docker run --rm -it rocker/r-ver bash
	$ install2.r ggplot2 # has a lot of dependencies
	$ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr
	*/
	Title            string   `json:"title,omitempty"`
	Description      string   `json:"description,omitempty"`
	Author           string   `json:"author,omitempty"`
	Maintainer       string   `json:"maintainer,omitempty"`
	URL              []string `json:"url,omitempty"`
	Repository       string   `json:"repository,omitempty"`
	Built            string   `json:"built,omitempty"`
	NeedsCompilation bool     `json:"needsCompilation,omitempty"`
	Imports          []string `json:"imports,omitempty"`
	Depends          []string `json:"depends,omitempty"`
	Suggests         []string `json:"suggests,omitempty"`
}
type RpmArchive (added in v0.95.0)
type RpmArchive RpmDBEntry
RpmArchive represents all captured data from an RPM package archive.
type RpmDBEntry (added in v0.95.0)
type RpmDBEntry struct {
	Name            string          `json:"name"`
	Version         string          `json:"version"`
	Epoch           *int            `json:"epoch" cyclonedx:"epoch" jsonschema:"nullable"`
	Arch            string          `json:"architecture"`
	Release         string          `json:"release" cyclonedx:"release"`
	SourceRpm       string          `json:"sourceRpm" cyclonedx:"sourceRpm"`
	Size            int             `json:"size" cyclonedx:"size"`
	Vendor          string          `json:"vendor"`
	ModularityLabel string          `json:"modularityLabel"`
	Files           []RpmFileRecord `json:"files"`
}
RpmDBEntry represents all captured data from an RPM DB package entry.
func (RpmDBEntry) OwnedFiles (added in v0.95.0)
func (m RpmDBEntry) OwnedFiles() (result []string)
type RpmFileMode (added in v0.95.0)
type RpmFileMode uint16
RpmFileMode is the raw file mode for a single file. It can be interpreted as the Linux stat.h mode (see https://pubs.opengroup.org/onlinepubs/007908799/xsh/sysstat.h.html).
type RpmFileRecord (added in v0.95.0)
type RpmFileRecord struct {
	Path      string      `json:"path"`
	Mode      RpmFileMode `json:"mode"`
	Size      int         `json:"size"`
	Digest    file.Digest `json:"digest"`
	UserName  string      `json:"userName"`
	GroupName string      `json:"groupName"`
	Flags     string      `json:"flags"`
}
RpmFileRecord represents the file metadata for a single file attributed to an RPM package.
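Because RpmFileMode carries the stat.h bits, an RPM's file list can be audited for modes a hardening review cares about (set-uid/set-gid executables, world-writable paths) without touching the installed filesystem. The code below is an added example, not part of syft: it redeclares RpmFileMode and a trimmed RpmFileRecord locally (an assumption, so it builds without the syft module) and applies the stat.h masks from the linked specification.

```go
package main

import "fmt"

// RpmFileMode and RpmFileRecord mirror the types documented above (redeclared here, an assumption,
// so this compiles without importing syft; the digest, owner and flag fields are left out since
// this check only needs the mode).
type RpmFileMode uint16

type RpmFileRecord struct {
	Path string
	Mode RpmFileMode
}

// Bit layout from sys/stat.h, which the page says RpmFileMode follows.
const (
	sIFMT  RpmFileMode = 0170000 // file type mask
	sIFREG RpmFileMode = 0100000
	sIFDIR RpmFileMode = 0040000
	sIFLNK RpmFileMode = 0120000
	sISUID RpmFileMode = 0004000
	sISGID RpmFileMode = 0002000
	sISVTX RpmFileMode = 0001000 // sticky bit
	sIWOTH RpmFileMode = 0000002 // world-writable
)

func (m RpmFileMode) IsRegular() bool { return m&sIFMT == sIFREG }
func (m RpmFileMode) IsDir() bool     { return m&sIFMT == sIFDIR }
func (m RpmFileMode) IsSymlink() bool { return m&sIFMT == sIFLNK }
func (m RpmFileMode) IsSetUID() bool  { return m&sISUID != 0 }
func (m RpmFileMode) IsSetGID() bool  { return m&sISGID != 0 }

// Finding is one package-owned file whose recorded mode deserves review.
type Finding struct {
	Path   string
	Reason string
}

// ReviewFileModes flags what a hardening review of an RPM's file list cares about: set-uid/set-gid
// executables, and world-writable files or directories that lack the sticky bit. Symlink modes are
// skipped because the kernel never consults them.
func ReviewFileModes(files []RpmFileRecord) []Finding {
	var out []Finding
	for _, f := range files {
		switch {
		case f.Mode.IsSymlink():
			// permission bits on a symlink are meaningless
		case f.Mode.IsRegular() && (f.Mode.IsSetUID() || f.Mode.IsSetGID()):
			out = append(out, Finding{f.Path, fmt.Sprintf("setuid/setgid executable (mode %o)", f.Mode)})
		case f.Mode&sIWOTH != 0 && !(f.Mode.IsDir() && f.Mode&sISVTX != 0):
			out = append(out, Finding{f.Path, fmt.Sprintf("world-writable (mode %o)", f.Mode)})
		}
	}
	return out
}
```

A sticky world-writable directory (mode 041777, like /tmp) is deliberately not reported, since that layout is the normal shared-scratch pattern.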
type RubyGemspec (added in v0.95.0)
type RubyGemspec struct {
	Name    string `mapstructure:"name" json:"name"`
	Version string `mapstructure:"version" json:"version"`
	// note regarding if Files can contribute to GemMetadata being able to implement FileOwner: this list is a
	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
	//
	// For example: The "bundler" gem has a file entry of:
	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
	// but the actual file is located at:
	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
	// which do not match (the "lib" prefix is missing even for relative processing).
	//
	// without additional information about:
	//   - the gem installation path
	//   - the ruby installation path
	//   - the ruby version
	//   - environment variables (e.g. GEM_HOME) that may affect the gem installation path
	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
	Files    []string `mapstructure:"files" json:"files,omitempty"`
	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
	Homepage string   `mapstructure:"homepage" json:"homepage,omitempty"`
}
RubyGemspec represents all metadata parsed from the *.gemspec file.
type RustBinaryAuditEntry (added in v0.95.0)
type RustCargoLockEntry (added in v0.95.0)
type SwiftPackageManagerResolvedEntry (added in v0.95.0)
type SwiftPackageManagerResolvedEntry struct {
	Revision string `mapstructure:"revision" json:"revision"`
}
type Type
type Type string
Type represents a Package Type for or within a language ecosystem (there may be multiple package types within a language ecosystem).
const (
	// the full set of supported packages
	UnknownPkg              Type = "UnknownPackage"
	AlpmPkg                 Type = "alpm"
	ApkPkg                  Type = "apk"
	BinaryPkg               Type = "binary"
	CocoapodsPkg            Type = "pod"
	ConanPkg                Type = "conan"
	DartPubPkg              Type = "dart-pub"
	DebPkg                  Type = "deb"
	DotnetPkg               Type = "dotnet"
	GemPkg                  Type = "gem"
	GithubActionPkg         Type = "github-action"
	GithubActionWorkflowPkg Type = "github-action-workflow"
	GoModulePkg             Type = "go-module"
	GraalVMNativeImagePkg   Type = "graalvm-native-image"
	HackagePkg              Type = "hackage"
	HexPkg                  Type = "hex"
	JavaPkg                 Type = "java-archive"
	JenkinsPluginPkg        Type = "jenkins-plugin"
	KbPkg                   Type = "msrc-kb"
	LinuxKernelPkg          Type = "linux-kernel"
	LinuxKernelModulePkg    Type = "linux-kernel-module"
	NixPkg                  Type = "nix"
	NpmPkg                  Type = "npm"
	PhpComposerPkg          Type = "php-composer"
	PortagePkg              Type = "portage"
	PythonPkg               Type = "python"
	Rpkg                    Type = "R-package"
	RpmPkg                  Type = "rpm"
	RustPkg                 Type = "rust-crate"
	SwiftPkg                Type = "swift"
)
func TypeByName (added in v0.38.0)
func TypeFromPURL (added in v0.37.0)
func (Type) PackageURLType
PackageURLType returns the PURL package type for the current package.
Source Files
- alpm.go
- apk.go
- binary_signature.go
- catalog.go
- cataloger.go
- cocoapods.go
- conan.go
- dart.go
- deprecated.go
- dotnet.go
- dpkg.go
- elixir.go
- erlang.go
- evidence.go
- file_owner.go
- golang.go
- hackage.go
- java.go
- language.go
- license.go
- license_set.go
- linux_kernel.go
- microsoft.go
- nix.go
- npm.go
- package.go
- php.go
- portage.go
- python.go
- r.go
- relationships.go
- relationships_by_file_ownership.go
- relationships_evident_by.go
- rpm.go
- ruby.go
- rust.go
- swift.go
- type.go
- url.go
Directories
| Path | Synopsis |
|---|---|
| | Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc). |
| alpine | Package alpine provides a concrete Cataloger implementation for packages relating to the Alpine linux distribution. |
| arch | Package arch provides a concrete Cataloger implementation for packages relating to the Arch linux distribution. |
| binary | Package binary provides a concrete Cataloger implementation for surfacing possible packages based on signatures found within binary files. |
| common/cpe/dictionary/index-generator | This program downloads the latest CPE dictionary from NIST and processes it into a JSON file that can be embedded into Syft for more accurate CPE results. |
| cpp | Package cpp provides a concrete Cataloger implementation for the C/C++ language ecosystem. |
| dart | Package dart provides a concrete Cataloger implementation for the Dart language ecosystem. |
| debian | Package debian provides a concrete Cataloger implementation relating to packages within the Debian linux distribution. |
| dotnet | Package dotnet provides a concrete Cataloger implementation relating to packages within the C#/.NET language/runtime ecosystem. |
| elixir | Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem. |
| erlang | Package erlang provides a concrete Cataloger implementation relating to packages within the Erlang language ecosystem. |
| gentoo | Package gentoo provides a concrete Cataloger implementation related to packages within the Gentoo linux ecosystem. |
| githubactions | Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows). |
| golang | Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem. |
| haskell | Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem. |
| java | Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem. |
| javascript | Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem. |
| kernel | Package kernel provides a concrete Cataloger implementation for linux kernel and module files. |
| nix | Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem. |
| php | Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem. |
| python | Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem. |
| r | Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem. |
| redhat | Package redhat provides a concrete DBCataloger implementation relating to packages within the RedHat linux distribution. |
| ruby | Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem. |
| rust | Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem. |
| sbom | Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files. |
| swift | Package swift provides a concrete Cataloger implementation relating to packages within the swift language ecosystem. |