package pkg

v0.97.1
Published: Nov 17, 2023 License: Apache-2.0 Imports: 20 Imported by: 241

Documentation

Overview

Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.

Constants

const (
	EvidenceAnnotationKey        = "evidence"
	PrimaryEvidenceAnnotation    = "primary"
	SupportingEvidenceAnnotation = "supporting"
)
const (
	PURLQualifierArch   = "arch"
	PURLQualifierDistro = "distro"
	PURLQualifierEpoch  = "epoch"
	PURLQualifierVCSURL = "vcs_url"

	// PURLQualifierUpstream this qualifier is not in the pURL spec, but is used by grype to perform indirect matching based on source information
	PURLQualifierUpstream = "upstream"
)
const AlpmDBGlob = "**/var/lib/pacman/local/**/desc"
const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"

AltRpmDBGlob allows DB matches against the new locations introduced in fedora:{36,37}. See https://github.com/anchore/syft/issues/1077 for larger context.

const ApkDBGlob = "**/lib/apk/db/installed"
const DpkgDBGlob = "**/var/lib/dpkg/{status,status.d/**}"
const RpmDBGlob = "**/{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}"

RpmDBGlob is the glob pattern used to find RPM DB files. Where:
- /var/lib/rpm/... is the typical path for most distributions
- /usr/share/rpm/... is common for rpm-ostree distributions (coreos-like)
- Packages is the legacy Berkeley DB based format
- Packages.db is the "ndb" format used in SUSE
- rpmdb.sqlite is the sqlite format used in fedora and derivatives

const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"

RpmManifestGlob is used in CBL-Mariner distroless images
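As an added illustration (not syft's code), the following stand-alone Go program translates the DB glob constants above into regular expressions and runs them over a constructed file listing, so a reader can see which paths each glob selects and which it rejects. The translator is a hypothetical minimal one: the dialect it assumes (`**` spans directory boundaries, `*` stays within one path segment, `{a,b}` is alternation) is inferred from the patterns and their comments, and it is not the matcher syft itself uses.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The glob constants as documented on this page, reproduced so the example
// runs stand-alone.
const (
	AlpmDBGlob      = "**/var/lib/pacman/local/**/desc"
	AltRpmDBGlob    = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
	ApkDBGlob       = "**/lib/apk/db/installed"
	DpkgDBGlob      = "**/var/lib/dpkg/{status,status.d/**}"
	RpmDBGlob       = "**/{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}"
	RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"
)

// globToRegexp is a hypothetical, minimal translator for the glob dialect the
// constants use. Assumed semantics: "**/" matches zero or more leading
// directories, a trailing "**" matches the rest of the path, "*" and "?" stay
// inside one path segment, and "{a,b}" is alternation.
func globToRegexp(glob string) (*regexp.Regexp, error) {
	var sb strings.Builder
	sb.WriteString("^")
	inBrace := false
	for i := 0; i < len(glob); i++ {
		c := glob[i]
		switch {
		case c == '*' && i+1 < len(glob) && glob[i+1] == '*':
			if i+2 < len(glob) && glob[i+2] == '/' {
				sb.WriteString("(?:.*/)?") // "**/"
				i += 2
			} else {
				sb.WriteString(".*") // bare "**"
				i++
			}
		case c == '*':
			sb.WriteString("[^/]*")
		case c == '?':
			sb.WriteString("[^/]")
		case c == '{':
			sb.WriteString("(?:")
			inBrace = true
		case c == '}' && inBrace:
			sb.WriteString(")")
			inBrace = false
		case c == ',' && inBrace:
			sb.WriteString("|")
		default:
			sb.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	sb.WriteString("$")
	return regexp.Compile(sb.String())
}

// MatchingPaths returns the subset of paths that the glob selects, in input order.
func MatchingPaths(glob string, paths []string) ([]string, error) {
	re, err := globToRegexp(glob)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, p := range paths {
		if re.MatchString(p) {
			out = append(out, p)
		}
	}
	return out, nil
}

// SamplePaths is a constructed file listing, not taken from a real image.
var SamplePaths = []string{
	"/var/lib/rpm/Packages",                     // legacy Berkeley DB layout
	"/usr/share/rpm/rpmdb.sqlite",               // rpm-ostree layout
	"/usr/lib/sysimage/rpm/Packages.db",         // "ndb" layout
	"/opt/rpm/Packages",                         // rpm dir outside the documented locations
	"/home/build/rpmdb.sqlite",                  // stray copy not under any rpm directory
	"/var/lib/dpkg/status",
	"/var/lib/dpkg/status.d/libc6",              // split status directory
	"/lib/apk/db/installed",
	"/var/lib/pacman/local/curl-8.4.0-1/desc",
	"/var/lib/rpmmanifest/container-manifest-2",
}

func main() {
	for _, g := range []string{RpmDBGlob, AltRpmDBGlob, DpkgDBGlob, ApkDBGlob, AlpmDBGlob, RpmManifestGlob} {
		hits, err := MatchingPaths(g, SamplePaths)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s\n  -> %v\n", g, hits)
	}
}
```

Running it shows the difference between the two RPM patterns: RpmDBGlob pins the database to the three documented parent directories, so `/opt/rpm/Packages` is only picked up by the looser AltRpmDBGlob, while a file merely named `rpmdb.sqlite` outside any `rpm/` directory matches neither.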

Variables

AllLanguages is a set of all programming languages detected by syft.

AllPkgs represents all supported package types

Functions

func IsValid added in v0.47.0

func IsValid(p *Package) bool

IsValid checks whether a package has the minimum necessary info, which is a non-empty name. The nil-check was added as a helper because, in this code base, packages often move between callers as pointers. CycloneDX and SPDX define Name as the minimum required info for a valid package:
* https://spdx.github.io/spdx-spec/package-information/#73-package-version-field
* https://cyclonedx.org/docs/1.4/json/#components_items_name

func Less added in v0.61.0

func Less(i, j Package) bool

func NewRelationships added in v0.13.0

func NewRelationships(catalog *Collection) []artifact.Relationship

func PURLQualifiers added in v0.60.0

func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)

func RelationshipsByFileOwnership added in v0.31.0

func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship

RelationshipsByFileOwnership creates a package-to-package relationship based on discovering which packages have evidence locations that overlap with ownership claim from another package's package manager metadata.

func RelationshipsEvidentBy added in v0.78.0

func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship

func Sort added in v0.60.3

func Sort(pkgs []Package)

func SortRelationships added in v0.94.0

func SortRelationships(rels []artifact.Relationship)

SortRelationships takes a set of package-to-package relationships and sorts them in a stable order by name and version. Note: this does not consider package-to-other, other-to-package, or other-to-other relationships. TODO: ideally this should be replaced with a more type-agnostic sort function that resides in the artifact package.

Types

type AlpmDBEntry added in v0.95.0

type AlpmDBEntry struct {
	BasePackage  string           `mapstructure:"base" json:"basepackage" cyclonedx:"basepackage"`
	Package      string           `mapstructure:"name" json:"package" cyclonedx:"package"`
	Version      string           `mapstructure:"version" json:"version" cyclonedx:"version"`
	Description  string           `mapstructure:"desc" json:"description" cyclonedx:"description"`
	Architecture string           `mapstructure:"arch" json:"architecture" cyclonedx:"architecture"`
	Size         int              `mapstructure:"size" json:"size" cyclonedx:"size"`
	Packager     string           `mapstructure:"packager" json:"packager"`
	URL          string           `mapstructure:"url" json:"url"`
	Validation   string           `mapstructure:"validation" json:"validation"`
	Reason       int              `mapstructure:"reason" json:"reason"`
	Files        []AlpmFileRecord `mapstructure:"files" json:"files"`
	Backup       []AlpmFileRecord `mapstructure:"backup" json:"backup"`
}

AlpmDBEntry is a struct that represents the package data stored in the pacman flat-file stores for Arch Linux.

func (AlpmDBEntry) OwnedFiles added in v0.95.0

func (m AlpmDBEntry) OwnedFiles() (result []string)

type AlpmFileRecord added in v0.48.0

type AlpmFileRecord struct {
	Path    string        `mapstructure:"path" json:"path,omitempty"`
	Type    string        `mapstructure:"type" json:"type,omitempty"`
	UID     string        `mapstructure:"uid" json:"uid,omitempty"`
	GID     string        `mapstructure:"gid" json:"gid,omitempty"`
	Time    time.Time     `mapstructure:"time" json:"time,omitempty"`
	Size    string        `mapstructure:"size" json:"size,omitempty"`
	Link    string        `mapstructure:"link" json:"link,omitempty"`
	Digests []file.Digest `mapstructure:"digests" json:"digest,omitempty"`
}

type ApkDBEntry added in v0.95.0

type ApkDBEntry struct {
	Package       string          `mapstructure:"P" json:"package"`
	OriginPackage string          `mapstructure:"o" json:"originPackage" cyclonedx:"originPackage"`
	Maintainer    string          `mapstructure:"m" json:"maintainer"`
	Version       string          `mapstructure:"V" json:"version"`
	Architecture  string          `mapstructure:"A" json:"architecture"`
	URL           string          `mapstructure:"U" json:"url"`
	Description   string          `mapstructure:"T" json:"description"`
	Size          int             `mapstructure:"S" json:"size" cyclonedx:"size"`
	InstalledSize int             `mapstructure:"I" json:"installedSize" cyclonedx:"installedSize"`
	Dependencies  []string        `mapstructure:"D" json:"pullDependencies" cyclonedx:"pullDependencies"`
	Provides      []string        `mapstructure:"p" json:"provides" cyclonedx:"provides"`
	Checksum      string          `mapstructure:"C" json:"pullChecksum" cyclonedx:"pullChecksum"`
	GitCommit     string          `mapstructure:"c" json:"gitCommitOfApkPort" cyclonedx:"gitCommitOfApkPort"`
	Files         []ApkFileRecord `json:"files"`
}

ApkDBEntry represents all captured data for the alpine linux package manager flat-file store. See the following sources for more information:
- https://wiki.alpinelinux.org/wiki/Apk_spec
- https://git.alpinelinux.org/apk-tools/tree/src/package.c
- https://git.alpinelinux.org/apk-tools/tree/src/database.c

func (ApkDBEntry) OwnedFiles added in v0.95.0

func (m ApkDBEntry) OwnedFiles() (result []string)

func (*ApkDBEntry) UnmarshalJSON added in v0.95.0

func (m *ApkDBEntry) UnmarshalJSON(data []byte) error

type ApkFileRecord

type ApkFileRecord struct {
	Path        string       `json:"path"`
	OwnerUID    string       `json:"ownerUid,omitempty"`
	OwnerGID    string       `json:"ownerGid,omitempty"`
	Permissions string       `json:"permissions,omitempty"`
	Digest      *file.Digest `json:"digest,omitempty"`
}

ApkFileRecord represents a single file listing and metadata from an APK DB entry (which may have many of these file records).

type BinarySignature added in v0.95.0

type BinarySignature struct {
	Matches []ClassifierMatch `mapstructure:"Matches" json:"matches"`
}

BinarySignature represents a set of matched values within a binary file.

type Catalog deprecated

type Catalog = Collection

Deprecated: use Collection instead

func NewCatalog deprecated

func NewCatalog(pkgs ...Package) *Catalog

Deprecated: use NewCollection() instead

type Cataloger added in v0.60.0

type Cataloger interface {
	// Name returns a string that uniquely describes a cataloger
	Name() string
	// Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source.
	Catalog(resolver file.Resolver) ([]Package, []artifact.Relationship, error)
}

Cataloger describes behavior for an object to participate in parsing container image or file system contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages for a specific Package Type or ecosystem.

type ClassifierMatch added in v0.73.0

type ClassifierMatch struct {
	Classifier string        `mapstructure:"Classifier" json:"classifier"`
	Location   file.Location `mapstructure:"Location" json:"location"`
}

ClassifierMatch represents a single matched value within a binary file and the "class" name the search pattern represents.

type CocoaPodfileLockEntry added in v0.95.0

type CocoaPodfileLockEntry struct {
	Checksum string `mapstructure:"checksum" json:"checksum"`
}

CocoaPodfileLockEntry represents a single entry from the "Pods" section of a Podfile.lock file.

type Collection added in v0.80.0

type Collection struct {
	// contains filtered or unexported fields
}

Collection represents a collection of Packages.

func NewCollection added in v0.80.0

func NewCollection(pkgs ...Package) *Collection

NewCollection returns a new empty Collection

func (*Collection) Add added in v0.80.0

func (c *Collection) Add(pkgs ...Package)

Add n packages to the catalog.

func (*Collection) Delete added in v0.80.0

func (c *Collection) Delete(ids ...artifact.ID)

func (*Collection) Enumerate added in v0.80.0

func (c *Collection) Enumerate(types ...Type) <-chan Package

Enumerate all packages for the given type(s), enumerating all packages if no type is specified.

func (*Collection) Package added in v0.80.0

func (c *Collection) Package(id artifact.ID) *Package

Package returns the package with the given ID.

func (*Collection) PackageCount added in v0.80.0

func (c *Collection) PackageCount() int

PackageCount returns the total number of packages that have been added.

func (*Collection) Packages added in v0.80.0

func (c *Collection) Packages(ids []artifact.ID) (result []Package)

Packages returns all packages for the given IDs.

func (*Collection) PackagesByName added in v0.80.0

func (c *Collection) PackagesByName(name string) []Package

PackagesByName returns all packages that were discovered with a matching name.

func (*Collection) PackagesByPath added in v0.80.0

func (c *Collection) PackagesByPath(path string) []Package

PackagesByPath returns all packages that were discovered from the given path.

func (*Collection) Sorted added in v0.80.0

func (c *Collection) Sorted(types ...Type) (pkgs []Package)

Sorted enumerates all packages for the given types sorted by package name. Enumerates all packages if no type is specified.

type ConanLockEntry added in v0.95.0

type ConanLockEntry struct {
	Ref            string            `json:"ref"`
	PackageID      string            `json:"package_id,omitempty"`
	Prev           string            `json:"prev,omitempty"`
	Requires       []string          `json:"requires,omitempty"`
	BuildRequires  []string          `json:"build_requires,omitempty"`
	PythonRequires []string          `json:"py_requires,omitempty"`
	Options        map[string]string `json:"options,omitempty"`
	Path           string            `json:"path,omitempty"`
	Context        string            `json:"context,omitempty"`
}

ConanLockEntry represents a single "node" entry from a conan.lock file.

type ConanfileEntry added in v0.95.0

type ConanfileEntry struct {
	Ref string `mapstructure:"ref" json:"ref"`
}

ConanfileEntry represents a single "Requires" entry from a conanfile.txt.

type ConaninfoEntry added in v0.95.0

type ConaninfoEntry struct {
	Ref       string `json:"ref"`
	PackageID string `json:"package_id,omitempty"`
}

ConaninfoEntry represents a single "full_requires" entry from a conaninfo.txt.

type DartPubspecLockEntry added in v0.95.0

type DartPubspecLockEntry struct {
	Name      string `mapstructure:"name" json:"name"`
	Version   string `mapstructure:"version" json:"version"`
	HostedURL string `mapstructure:"hosted_url" json:"hosted_url,omitempty"`
	VcsURL    string `mapstructure:"vcs_url" json:"vcs_url,omitempty"`
}

DartPubspecLockEntry is a struct that represents a single entry found in the "packages" section in a Dart pubspec.lock file.

type DotnetDepsEntry added in v0.95.0

type DotnetDepsEntry struct {
	Name     string `mapstructure:"name" json:"name"`
	Version  string `mapstructure:"version" json:"version"`
	Path     string `mapstructure:"path" json:"path"`
	Sha512   string `mapstructure:"sha512" json:"sha512"`
	HashPath string `mapstructure:"hashPath" json:"hashPath"`
}

DotnetDepsEntry is a struct that represents a single entry found in the "libraries" section in a .NET [*.]deps.json file.

type DotnetPortableExecutableEntry added in v0.95.0

type DotnetPortableExecutableEntry struct {
	AssemblyVersion string `json:"assemblyVersion"`
	LegalCopyright  string `json:"legalCopyright"`
	Comments        string `json:"comments,omitempty"`
	InternalName    string `json:"internalName,omitempty"`
	CompanyName     string `json:"companyName"`
	ProductName     string `json:"productName"`
	ProductVersion  string `json:"productVersion"`
}

DotnetPortableExecutableEntry is a struct that represents a single entry found within "VersionResources" section of a .NET Portable Executable binary file.

type DpkgDBEntry added in v0.95.0

type DpkgDBEntry struct {
	Package       string `json:"package"`
	Source        string `json:"source" cyclonedx:"source"`
	Version       string `json:"version"`
	SourceVersion string `json:"sourceVersion" cyclonedx:"sourceVersion"`

	// Architecture can include the following sets of values depending on context and the control file used:
	//  - a unique single word identifying a Debian machine architecture as described in Architecture specification string (https://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-arch-spec) .
	//  - an architecture wildcard identifying a set of Debian machine architectures, see Architecture wildcards (https://www.debian.org/doc/debian-policy/ch-customized-programs.html#s-arch-wildcard-spec). any matches all Debian machine architectures and is the most frequently used.
	//  - "all", which indicates an architecture-independent package.
	//  - "source", which indicates a source package.
	Architecture string `json:"architecture"`

	// Maintainer is the package maintainer’s name and email address. The name must come first, then the email
	// address inside angle brackets <> (in RFC822 format).
	Maintainer string `json:"maintainer"`

	InstalledSize int `json:"installedSize" cyclonedx:"installedSize"`

	// Description contains a description of the binary package, consisting of two parts, the synopsis or the short
	// description, and the long description (in a multiline format).
	Description string `hash:"ignore" json:"-"`

	// Provides is a virtual package that is provided by one or more packages. A virtual package is one which appears
	// in the Provides control field of another package. The effect is as if the package(s) which provide a particular
	// virtual package name had been listed by name everywhere the virtual package name appears. (See also Virtual packages)
	Provides []string `json:"provides,omitempty"`

	// Depends This declares an absolute dependency. A package will not be configured unless all of the packages listed in
	// its Depends field have been correctly configured (unless there is a circular dependency).
	Depends []string `json:"depends,omitempty"`

	// PreDepends is like Depends, except that it also forces dpkg to complete installation of the packages named
	// before even starting the installation of the package which declares the pre-dependency.
	PreDepends []string `json:"preDepends,omitempty"`

	Files []DpkgFileRecord `json:"files"`
}

DpkgDBEntry represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section. Additional information about how these fields are used can be found at

func (DpkgDBEntry) OwnedFiles added in v0.95.0

func (m DpkgDBEntry) OwnedFiles() (result []string)

type DpkgFileRecord added in v0.7.0

type DpkgFileRecord struct {
	Path         string       `json:"path"`
	Digest       *file.Digest `json:"digest,omitempty"`
	IsConfigFile bool         `json:"isConfigFile"`
}

DpkgFileRecord represents a single file attributed to a debian package.

type ElixirMixLockEntry added in v0.95.0

type ElixirMixLockEntry struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

ElixirMixLockEntry is a struct that represents a single entry in a mix.lock file

type ErlangRebarLockEntry added in v0.95.0

type ErlangRebarLockEntry struct {
	Name       string `mapstructure:"name" json:"name"`
	Version    string `mapstructure:"version" json:"version"`
	PkgHash    string `mapstructure:"pkgHash" json:"pkgHash"`
	PkgHashExt string `mapstructure:"pkgHashExt" json:"pkgHashExt"`
}

ErlangRebarLockEntry represents a single package entry from the "deps" section within an Erlang rebar.lock file.

type FileOwner added in v0.24.0

type FileOwner interface {
	OwnedFiles() []string
}

FileOwner is the interface that wraps OwnedFiles method.

OwnedFiles returns a list of files that a piece of package Metadata indicates are owned by the package.
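The FileOwner interface, the IsValid rule under Functions, and RelationshipsByFileOwnership all fit together, and the following added Go example (hypothetical models, not syft's own types or code) shows the idea end to end on constructed input: a dpkg package whose file list contains a Python dist-info METADATA file, and the pip package that a language cataloger would discover from that same file. The Package and Relationship fields, the dpkgMetadata stand-in, and the relationship type string are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// FileOwner mirrors the documented interface: metadata that can list the
// files its package manager says belong to the package.
type FileOwner interface {
	OwnedFiles() []string
}

// dpkgMetadata is a constructed stand-in for DpkgDBEntry.
type dpkgMetadata struct{ Files []string }

func (m dpkgMetadata) OwnedFiles() []string { return m.Files }

// Package is a cut-down model of pkg.Package (not syft's type). Locations are
// the evidence paths that led to discovery; Metadata may be a FileOwner.
type Package struct {
	Name, Version, Type string
	Locations           []string
	Metadata            interface{}
}

// IsValid applies the documented minimum: non-nil, with a non-empty name.
func IsValid(p *Package) bool { return p != nil && p.Name != "" }

// Relationship is a simplified artifact.Relationship: From claims a file
// that is evidence for To. The type name is an assumption for this example.
type Relationship struct{ From, To, Type string }

const OwnershipByFileOverlap = "ownership-by-file-overlap"

// RelationshipsByFileOwnership indexes every path claimed by FileOwner
// metadata, then reports other packages whose evidence lies inside a claim.
func RelationshipsByFileOwnership(pkgs []Package) []Relationship {
	ownersByPath := map[string][]string{}
	for i := range pkgs {
		p := &pkgs[i]
		fo, ok := p.Metadata.(FileOwner)
		if !IsValid(p) || !ok {
			continue
		}
		for _, f := range fo.OwnedFiles() {
			c := path.Clean(f)
			ownersByPath[c] = append(ownersByPath[c], p.Name)
		}
	}
	seen := map[Relationship]bool{}
	var rels []Relationship
	for i := range pkgs {
		p := &pkgs[i]
		if !IsValid(p) {
			continue
		}
		for _, loc := range p.Locations {
			for _, owner := range ownersByPath[path.Clean(loc)] {
				if owner == p.Name {
					continue // a package's own file list is not a cross-package claim
				}
				r := Relationship{From: owner, To: p.Name, Type: OwnershipByFileOverlap}
				if !seen[r] {
					seen[r] = true
					rels = append(rels, r)
				}
			}
		}
	}
	sort.Slice(rels, func(i, j int) bool {
		if rels[i].From != rels[j].From {
			return rels[i].From < rels[j].From
		}
		return rels[i].To < rels[j].To
	})
	return rels
}

// SamplePackages is constructed input: a dpkg package whose file list covers a
// Python dist-info METADATA file, the pip package discovered from that same
// file, an unrelated dpkg package, and a nameless entry that IsValid rejects.
func SamplePackages() []Package {
	const pipMeta = "/usr/lib/python3/dist-packages/pip-22.0.2.dist-info/METADATA"
	return []Package{
		{Name: "python3-pip", Version: "22.0.2+dfsg-1", Type: "deb",
			Locations: []string{"/var/lib/dpkg/status"},
			Metadata:  dpkgMetadata{Files: []string{pipMeta, "/usr/bin/pip3"}}},
		{Name: "pip", Version: "22.0.2", Type: "python", Locations: []string{pipMeta}},
		{Name: "curl", Version: "7.81.0-1", Type: "deb",
			Locations: []string{"/var/lib/dpkg/status"},
			Metadata:  dpkgMetadata{Files: []string{"/usr/bin/curl"}}},
		{Name: "", Version: "1.0", Locations: []string{pipMeta}},
	}
}

func main() {
	for _, r := range RelationshipsByFileOwnership(SamplePackages()) {
		fmt.Printf("%s -> %s (%s)\n", r.From, r.To, r.Type)
	}
}
```

The only relationship produced is python3-pip owning the evidence for pip; curl claims no file that is evidence for another package, and the nameless entry is dropped by IsValid before it can participate. This is the kind of edge an SBOM consumer cares about, because without the ownership link the same component would be counted twice, once as a deb and once as a Python package.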

type GolangBinaryBuildinfoEntry added in v0.95.0

type GolangBinaryBuildinfoEntry struct {
	BuildSettings     map[string]string `json:"goBuildSettings,omitempty" cyclonedx:"goBuildSettings"`
	GoCompiledVersion string            `json:"goCompiledVersion" cyclonedx:"goCompiledVersion"`
	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
	GoCryptoSettings  []string          `json:"goCryptoSettings,omitempty" cyclonedx:"goCryptoSettings"`
}

GolangBinaryBuildinfoEntry represents all captured data for a Golang binary

type GolangModuleEntry added in v0.95.0

type GolangModuleEntry struct {
	H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}

GolangModuleEntry represents all captured data for a Golang source scan with go.mod/go.sum

type HackageStackYamlEntry added in v0.95.0

type HackageStackYamlEntry struct {
	PkgHash string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`
}

HackageStackYamlEntry represents a single entry from the "extra-deps" section of a stack.yaml file.

type HackageStackYamlLockEntry added in v0.95.0

type HackageStackYamlLockEntry struct {
	PkgHash     string `mapstructure:"pkgHash" json:"pkgHash,omitempty"`
	SnapshotURL string `mapstructure:"snapshotURL" json:"snapshotURL,omitempty"`
}

HackageStackYamlLockEntry represents a single entry from the "packages" section of a stack.yaml.lock file.

type JavaArchive added in v0.95.0

type JavaArchive struct {
	VirtualPath    string             `json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars
	Manifest       *JavaManifest      `mapstructure:"Manifest" json:"manifest,omitempty"`
	PomProperties  *JavaPomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"`
	PomProject     *JavaPomProject    `mapstructure:"PomProject" json:"pomProject,omitempty"`
	ArchiveDigests []file.Digest      `hash:"ignore" json:"digest,omitempty"`
	Parent         *Package           `hash:"ignore" json:"-"` // note: the parent cannot be included in the minimal definition of uniqueness since this field is not reproducible in an encode-decode cycle (is lossy).
}

JavaArchive encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.

type JavaManifest

type JavaManifest struct {
	Main          map[string]string            `json:"main,omitempty"`
	NamedSections map[string]map[string]string `json:"namedSections,omitempty"`
}

JavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.

type JavaPomParent added in v0.95.0

type JavaPomParent struct {
	GroupID    string `json:"groupId"`
	ArtifactID string `json:"artifactId"`
	Version    string `json:"version"`
}

JavaPomParent contains the fields within the <parent> tag in a pom.xml file

type JavaPomProject added in v0.95.0

type JavaPomProject struct {
	Path        string         `json:"path"`
	Parent      *JavaPomParent `json:"parent,omitempty"`
	GroupID     string         `json:"groupId"`
	ArtifactID  string         `json:"artifactId"`
	Version     string         `json:"version"`
	Name        string         `json:"name"`
	Description string         `json:"description,omitempty"`
	URL         string         `json:"url,omitempty"`
}

JavaPomProject represents fields of interest extracted from a Java archive's pom.xml file. See https://maven.apache.org/ref/3.6.3/maven-model/maven.html for more details.

type JavaPomProperties added in v0.95.0

type JavaPomProperties struct {
	Path       string            `mapstructure:"path" json:"path"`
	Name       string            `mapstructure:"name" json:"name"`
	GroupID    string            `mapstructure:"groupId" json:"groupId" cyclonedx:"groupID"`
	ArtifactID string            `mapstructure:"artifactId" json:"artifactId" cyclonedx:"artifactID"`
	Version    string            `mapstructure:"version" json:"version"`
	Scope      string            `mapstructure:"scope" json:"scope,omitempty"`
	Extra      map[string]string `mapstructure:",remain" json:"extraFields,omitempty"`
}

JavaPomProperties represents the fields of interest extracted from a Java archive's pom.properties file.

func (JavaPomProperties) PkgTypeIndicated added in v0.95.0

func (p JavaPomProperties) PkgTypeIndicated() Type

PkgTypeIndicated returns the package Type indicated by the data contained in the JavaPomProperties.

type Language

type Language string

Language represents a single programming language.

const (
	// the full set of supported programming languages
	UnknownLanguage Language = ""
	CPP             Language = "c++"
	Dart            Language = "dart"
	Dotnet          Language = "dotnet"
	Elixir          Language = "elixir"
	Erlang          Language = "erlang"
	Go              Language = "go"
	Haskell         Language = "haskell"
	Java            Language = "java"
	JavaScript      Language = "javascript"
	PHP             Language = "php"
	Python          Language = "python"
	R               Language = "R"
	Ruby            Language = "ruby"
	Rust            Language = "rust"
	Swift           Language = "swift"
)

func LanguageByName added in v0.38.0

func LanguageByName(name string) Language

func LanguageFromPURL added in v0.37.0

func LanguageFromPURL(p string) Language

func (Language) String

func (l Language) String() string

String returns the string representation of the language.

type License added in v0.81.0

type License struct {
	Value          string
	SPDXExpression string
	Type           license.Type
	URLs           []string         `hash:"ignore"`
	Locations      file.LocationSet `hash:"ignore"`
}

License represents an SPDX expression or license value extracted from a package's metadata. URLs and Locations are ignored for hashing because those fields are merged across equal licenses: a License is a unique combination of value, expression and type, and its sources are always merged, adding to the evidence of where it was found and how it was sourced. This differs from how a package is treated, where package paths are considered in order to decide whether packages should be kept separate; for licenses, only the evidence of where a license was declared/concluded for a given package matters.

func NewLicense added in v0.81.0

func NewLicense(value string) License

func NewLicenseFromFields added in v0.93.0

func NewLicenseFromFields(value, url string, location *file.Location) License

func NewLicenseFromLocations added in v0.81.0

func NewLicenseFromLocations(value string, locations ...file.Location) License

func NewLicenseFromType added in v0.81.0

func NewLicenseFromType(value string, t license.Type) License

func NewLicenseFromURLs added in v0.81.0

func NewLicenseFromURLs(value string, urls ...string) License

func NewLicensesFromLocation added in v0.81.0

func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)

func NewLicensesFromValues added in v0.81.0

func NewLicensesFromValues(values ...string) (licenses []License)

func (License) Merge added in v0.81.0

func (s License) Merge(l License) (*License, error)

Merge two licenses into a new license object. If the merge is not possible due to unmergeable fields (e.g. different values for Value, SPDXExpression, Type, or any non-collection type) an error is returned. TODO: this is a bit of a hack to not infinitely recurse when hashing a license
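To make the merge contract above concrete, here is an added Go example (not syft's code; License, LicenseSet and the two LicenseType values are simplified stand-ins for the documented types) that merges evidence across equal licenses, refuses to merge when an identity field differs, and folds a constructed list of licenses into a set keyed by (Value, SPDXExpression, Type) as the License documentation describes.

```go
package main

import (
	"fmt"
	"sort"
)

// LicenseType stands in for license.Type; the two values are assumptions.
type LicenseType string

const (
	Declared  LicenseType = "declared"
	Concluded LicenseType = "concluded"
)

// License is a cut-down model of pkg.License: identity is (Value,
// SPDXExpression, Type); URLs and Locations are evidence that merges.
type License struct {
	Value          string
	SPDXExpression string
	Type           LicenseType
	URLs           []string
	Locations      []string
}

// key is the identity the documentation describes; NUL separators keep the
// three fields from running together.
func (s License) key() string { return s.Value + "\x00" + s.SPDXExpression + "\x00" + string(s.Type) }

// Merge follows the documented contract: refuse when any identity field
// differs, otherwise return a new License whose evidence is the union.
func (s License) Merge(l License) (*License, error) {
	if s.key() != l.key() {
		return nil, fmt.Errorf("cannot merge %q (%s) with %q (%s): identity fields differ", s.Value, s.Type, l.Value, l.Type)
	}
	return &License{
		Value: s.Value, SPDXExpression: s.SPDXExpression, Type: s.Type,
		URLs:      union(s.URLs, l.URLs),
		Locations: union(s.Locations, l.Locations),
	}, nil
}

// union returns the sorted, de-duplicated elements of both slices.
func union(a, b []string) []string {
	set := map[string]bool{}
	for _, v := range append(append([]string{}, a...), b...) {
		set[v] = true
	}
	out := make([]string, 0, len(set))
	for v := range set {
		out = append(out, v)
	}
	sort.Strings(out)
	return out
}

// LicenseSet keeps one License per identity and folds new evidence into it.
// Build it with NewLicenseSet; the zero value has no map.
type LicenseSet struct{ byKey map[string]License }

func NewLicenseSet(licenses ...License) LicenseSet {
	s := LicenseSet{byKey: map[string]License{}}
	s.Add(licenses...)
	return s
}

func (s *LicenseSet) Add(licenses ...License) {
	for _, l := range licenses {
		if existing, ok := s.byKey[l.key()]; ok {
			merged, err := existing.Merge(l) // cannot fail: equal keys mean equal identity
			if err != nil {
				panic(err)
			}
			l = *merged
		}
		s.byKey[l.key()] = l
	}
}

func (s LicenseSet) Empty() bool { return len(s.byKey) == 0 }

// ToSlice returns the set ordered by identity (Value, then expression, then type).
func (s LicenseSet) ToSlice() []License {
	out := make([]License, 0, len(s.byKey))
	for _, l := range s.byKey {
		out = append(out, l)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].key() < out[j].key() })
	return out
}

// SampleLicenses is constructed evidence: MIT declared in two files (one with
// a URL), MIT also concluded, and Apache-2.0 declared once.
func SampleLicenses() []License {
	return []License{
		{Value: "MIT", SPDXExpression: "MIT", Type: Declared, Locations: []string{"/app/package.json"}},
		{Value: "MIT", SPDXExpression: "MIT", Type: Declared, Locations: []string{"/app/LICENSE"}, URLs: []string{"https://opensource.org/licenses/MIT"}},
		{Value: "MIT", SPDXExpression: "MIT", Type: Concluded, Locations: []string{"/app/LICENSE"}},
		{Value: "Apache-2.0", SPDXExpression: "Apache-2.0", Type: Declared, Locations: []string{"/app/vendor/x/LICENSE"}},
	}
}

func main() {
	ls := SampleLicenses()
	for _, l := range NewLicenseSet(ls...).ToSlice() {
		fmt.Printf("%-10s [%s] locations=%v urls=%v\n", l.Value, l.Type, l.Locations, l.URLs)
	}
	if _, err := ls[0].Merge(ls[3]); err != nil {
		fmt.Println("merge refused:", err)
	}
}
```

The set ends up with three entries rather than four: the two declared MIT records collapse into one that carries both locations and the URL, while the concluded MIT record stays separate because Type is part of the identity, exactly as the documentation states.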

type LicenseSet added in v0.81.0

type LicenseSet struct {
	// contains filtered or unexported fields
}

func NewLicenseSet added in v0.81.0

func NewLicenseSet(licenses ...License) (s LicenseSet)

func (*LicenseSet) Add added in v0.81.0

func (s *LicenseSet) Add(licenses ...License)

func (LicenseSet) Empty added in v0.81.0

func (s LicenseSet) Empty() bool

func (LicenseSet) Hash added in v0.81.0

func (s LicenseSet) Hash() (uint64, error)

func (LicenseSet) ToSlice added in v0.81.0

func (s LicenseSet) ToSlice() []License

type Licenses added in v0.81.0

type Licenses []License

func (Licenses) Len added in v0.81.0

func (l Licenses) Len() int

func (Licenses) Less added in v0.81.0

func (l Licenses) Less(i, j int) bool

func (Licenses) Swap added in v0.81.0

func (l Licenses) Swap(i, j int)

type LinuxKernel added in v0.95.0

type LinuxKernel struct {
	Name            string `mapstructure:"name" json:"name" cyclonedx:"name"`
	Architecture    string `mapstructure:"architecture" json:"architecture" cyclonedx:"architecture"`
	Version         string `mapstructure:"version" json:"version" cyclonedx:"version"`
	ExtendedVersion string `mapstructure:"extendedVersion" json:"extendedVersion,omitempty" cyclonedx:"extendedVersion"`
	BuildTime       string `mapstructure:"buildTime" json:"buildTime,omitempty" cyclonedx:"buildTime"`
	Author          string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	Format          string `mapstructure:"format" json:"format,omitempty" cyclonedx:"format"`
	RWRootFS        bool   `mapstructure:"rwRootFS" json:"rwRootFS,omitempty" cyclonedx:"rwRootFS"`
	SwapDevice      int    `mapstructure:"swapDevice" json:"swapDevice,omitempty" cyclonedx:"swapDevice"`
	RootDevice      int    `mapstructure:"rootDevice" json:"rootDevice,omitempty" cyclonedx:"rootDevice"`
	VideoMode       string `mapstructure:"videoMode" json:"videoMode,omitempty" cyclonedx:"videoMode"`
}

LinuxKernel represents all captured data for a Linux kernel

type LinuxKernelModule added in v0.95.0

type LinuxKernelModule struct {
	Name          string                                `mapstructure:"name" json:"name,omitempty" cyclonedx:"name"`
	Version       string                                `mapstructure:"version" json:"version,omitempty" cyclonedx:"version"`
	SourceVersion string                                `mapstructure:"sourceVersion" json:"sourceVersion,omitempty" cyclonedx:"sourceVersion"`
	Path          string                                `mapstructure:"path" json:"path,omitempty" cyclonedx:"path"`
	Description   string                                `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
	Author        string                                `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	License       string                                `mapstructure:"license" json:"license,omitempty" cyclonedx:"license"`
	KernelVersion string                                `mapstructure:"kernelVersion" json:"kernelVersion,omitempty" cyclonedx:"kernelVersion"`
	VersionMagic  string                                `mapstructure:"versionMagic" json:"versionMagic,omitempty" cyclonedx:"versionMagic"`
	Parameters    map[string]LinuxKernelModuleParameter `mapstructure:"parameters" json:"parameters,omitempty" cyclonedx:"parameters"`
}

type LinuxKernelModuleParameter added in v0.78.0

type LinuxKernelModuleParameter struct {
	Type        string `mapstructure:"type" json:"type,omitempty" cyclonedx:"type"`
	Description string `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
}

type MicrosoftKbPatch added in v0.95.0

type MicrosoftKbPatch struct {
	ProductID string `toml:"product_id" json:"product_id"`
	Kb        string `toml:"kb" json:"kb"`
}

MicrosoftKbPatch is slightly odd in how it is expected to map onto data. This is critical to grasp because there is no MSRC cataloger. The `ProductID` field is expected to be the MSRC Product ID, for example: "Windows 10 Version 1703 for 32-bit Systems". `Kb` is expected to be the actual KB number, for example "5001028"

type NixStoreEntry added in v0.95.0

type NixStoreEntry struct {
	// OutputHash is the prefix of the nix store basename path
	OutputHash string `mapstructure:"outputHash" json:"outputHash"`

	// Output allows for optionally specifying the specific nix package output this package represents (for packages that support multiple outputs).
	// Note: the default output for a package is an empty string, so will not be present in the output.
	Output string `mapstructure:"output" json:"output,omitempty"`

	// Files is a listing of files that are under the nix/store path for this package
	Files []string `mapstructure:"files" json:"files"`
}

func (NixStoreEntry) OwnedFiles added in v0.95.0

func (m NixStoreEntry) OwnedFiles() (result []string)

type NpmPackage added in v0.95.0

type NpmPackage struct {
	Name        string `mapstructure:"name" json:"name"`
	Version     string `mapstructure:"version" json:"version"`
	Author      string `mapstructure:"author" json:"author"`
	Homepage    string `mapstructure:"homepage" json:"homepage"`
	Description string `mapstructure:"description" json:"description"`
	URL         string `mapstructure:"url" json:"url"`
	Private     bool   `mapstructure:"private" json:"private"`
}

NpmPackage represents the contents of a javascript package.json file.

type NpmPackageLockEntry added in v0.95.0

type NpmPackageLockEntry struct {
	Resolved  string `mapstructure:"resolved" json:"resolved"`
	Integrity string `mapstructure:"integrity" json:"integrity"`
}

NpmPackageLockEntry represents a single entry within the "packages" section of a package-lock.json file.

type Package

type Package struct {
	Name      string           // the package name
	Version   string           // the version of the package
	FoundBy   string           `hash:"ignore" cyclonedx:"foundBy"` // the specific cataloger that discovered this package
	Locations file.LocationSet // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package)
	Licenses  LicenseSet       // licenses discovered with the package metadata
	Language  Language         `hash:"ignore" cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc)
	Type      Type             `cyclonedx:"type"`                   // the package type (e.g. Npm, Yarn, Python, Rpm, Deb, etc)
	CPEs      []cpe.CPE        `hash:"ignore"`                      // all possible Common Platform Enumerators (note: this is NOT included in the definition of the ID since all fields on a CPE are derived from other fields)
	PURL      string           `hash:"ignore"`                      // the Package URL (see https://github.com/package-url/purl-spec)
	Metadata  interface{}      // additional data found while parsing the package source
	// contains filtered or unexported fields
}

Package represents an application or library that has been bundled into a distributable format. TODO: if we ignore FoundBy for ID generation should we merge the field to show it was found in two places?

func (Package) ID

func (p Package) ID() artifact.ID

func (*Package) OverrideID added in v0.45.0

func (p *Package) OverrideID(id artifact.ID)

func (*Package) SetID added in v0.33.0

func (p *Package) SetID()

func (Package) String

func (p Package) String() string

Stringer to represent a package.

type PhpComposerAuthors added in v0.36.0

type PhpComposerAuthors struct {
	Name     string `json:"name"`
	Email    string `json:"email,omitempty"`
	Homepage string `json:"homepage,omitempty"`
}

type PhpComposerExternalReference added in v0.36.0

type PhpComposerExternalReference struct {
	Type      string `json:"type"`
	URL       string `json:"url"`
	Reference string `json:"reference"`
	Shasum    string `json:"shasum,omitempty"`
}

type PhpComposerInstalledEntry added in v0.95.0

type PhpComposerInstalledEntry PhpComposerLockEntry

PhpComposerInstalledEntry represents a single package entry from a composer v1/v2 "installed.json" file (very similar to a composer.lock entry).

type PhpComposerLockEntry added in v0.95.0

type PhpComposerLockEntry struct {
	Name            string                       `json:"name"`
	Version         string                       `json:"version"`
	Source          PhpComposerExternalReference `json:"source"`
	Dist            PhpComposerExternalReference `json:"dist"`
	Require         map[string]string            `json:"require,omitempty"`
	Provide         map[string]string            `json:"provide,omitempty"`
	RequireDev      map[string]string            `json:"require-dev,omitempty"`
	Suggest         map[string]string            `json:"suggest,omitempty"`
	License         []string                     `json:"license,omitempty"`
	Type            string                       `json:"type,omitempty"`
	NotificationURL string                       `json:"notification-url,omitempty"`
	Bin             []string                     `json:"bin,omitempty"`
	Authors         []PhpComposerAuthors         `json:"authors,omitempty"`
	Description     string                       `json:"description,omitempty"`
	Homepage        string                       `json:"homepage,omitempty"`
	Keywords        []string                     `json:"keywords,omitempty"`
	Time            string                       `json:"time,omitempty"`
}

PhpComposerLockEntry represents a single package entry found from a composer.lock file.

type PortageEntry added in v0.95.0

type PortageEntry struct {
	InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
	Files         []PortageFileRecord `json:"files"`
}

PortageEntry represents a single package entry in the portage DB flat-file store.

func (PortageEntry) OwnedFiles added in v0.95.0

func (m PortageEntry) OwnedFiles() (result []string)

type PortageFileRecord added in v0.51.0

type PortageFileRecord struct {
	Path   string       `json:"path"`
	Digest *file.Digest `json:"digest,omitempty"`
}

PortageFileRecord represents a single file attributed to a portage package.

type PythonDirectURLOriginInfo added in v0.34.0

type PythonDirectURLOriginInfo struct {
	URL      string `json:"url"`
	CommitID string `json:"commitId,omitempty"`
	VCS      string `json:"vcs,omitempty"`
}

type PythonFileDigest added in v0.8.0

type PythonFileDigest struct {
	Algorithm string `json:"algorithm"`
	Value     string `json:"value"`
}

PythonFileDigest represents the file metadata for a single file attributed to a python package.

type PythonFileRecord added in v0.4.0

type PythonFileRecord struct {
	Path   string            `json:"path"`
	Digest *PythonFileDigest `json:"digest,omitempty"`
	Size   string            `json:"size,omitempty"`
}

PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package.

type PythonPackage added in v0.95.0

type PythonPackage struct {
	Name                 string                     `json:"name" mapstruct:"Name"`
	Version              string                     `json:"version" mapstruct:"Version"`
	Author               string                     `json:"author" mapstruct:"Author"`
	AuthorEmail          string                     `json:"authorEmail" mapstruct:"Authoremail"`
	Platform             string                     `json:"platform" mapstruct:"Platform"`
	Files                []PythonFileRecord         `json:"files,omitempty"`
	SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
	TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
	DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
}

PythonPackage represents all captured data for a python egg or wheel package (specifically as outlined in the PyPA core metadata specification https://packaging.python.org/en/latest/specifications/core-metadata/). Historically these were defined in PEPs 345, 314, and 241, but have been superseded by PEP 566. This means that this struct can (partially) express at least versions 1.0, 1.1, 1.2, 2.1, 2.2, and 2.3 of the metadata format.

func (PythonPackage) OwnedFiles added in v0.95.0

func (m PythonPackage) OwnedFiles() (result []string)

type PythonPipfileLockEntry added in v0.95.0

type PythonPipfileLockEntry struct {
	Hashes []string `mapstructure:"hashes" json:"hashes"`
	Index  string   `mapstructure:"index" json:"index"`
}

PythonPipfileLockEntry represents a single package entry within a Pipfile.lock file.

type PythonRequirementsEntry added in v0.95.0

type PythonRequirementsEntry struct {
	Name              string   `json:"name" mapstruct:"Name"`
	Extras            []string `json:"extras,omitempty" mapstruct:"Extras"`
	VersionConstraint string   `json:"versionConstraint" mapstruct:"VersionConstraint"`
	URL               string   `json:"url,omitempty" mapstruct:"URL"`
	Markers           string   `json:"markers,omitempty" mapstruct:"Markers"`
}

PythonRequirementsEntry represents a single entry within a [*-]requirements.txt file.

type RDescription added in v0.95.0

type RDescription struct {
	/*
		Fields chosen by:
		docker run --rm -it rocker/r-ver bash
		$ install2.r ggplot2 # has a lot of dependencies
		$ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr
	*/
	Title            string   `json:"title,omitempty"`
	Description      string   `json:"description,omitempty"`
	Author           string   `json:"author,omitempty"`
	Maintainer       string   `json:"maintainer,omitempty"`
	URL              []string `json:"url,omitempty"`
	Repository       string   `json:"repository,omitempty"`
	Built            string   `json:"built,omitempty"`
	NeedsCompilation bool     `json:"needsCompilation,omitempty"`
	Imports          []string `json:"imports,omitempty"`
	Depends          []string `json:"depends,omitempty"`
	Suggests         []string `json:"suggests,omitempty"`
}

type RpmArchive added in v0.95.0

type RpmArchive RpmDBEntry

RpmArchive represents all captured data from a RPM package archive.

type RpmDBEntry added in v0.95.0

type RpmDBEntry struct {
	Name            string          `json:"name"`
	Version         string          `json:"version"`
	Epoch           *int            `json:"epoch"  cyclonedx:"epoch" jsonschema:"nullable"`
	Arch            string          `json:"architecture"`
	Release         string          `json:"release" cyclonedx:"release"`
	SourceRpm       string          `json:"sourceRpm" cyclonedx:"sourceRpm"`
	Size            int             `json:"size" cyclonedx:"size"`
	Vendor          string          `json:"vendor"`
	ModularityLabel string          `json:"modularityLabel"`
	Files           []RpmFileRecord `json:"files"`
}

RpmDBEntry represents all captured data from a RPM DB package entry.

func (RpmDBEntry) OwnedFiles added in v0.95.0

func (m RpmDBEntry) OwnedFiles() (result []string)

type RpmFileMode added in v0.95.0

type RpmFileMode uint16

RpmFileMode is the raw file mode for a single file. This can be interpreted as the linux stat.h mode (see https://pubs.opengroup.org/onlinepubs/007908799/xsh/sysstat.h.html).

type RpmFileRecord added in v0.95.0

type RpmFileRecord struct {
	Path      string      `json:"path"`
	Mode      RpmFileMode `json:"mode"`
	Size      int         `json:"size"`
	Digest    file.Digest `json:"digest"`
	UserName  string      `json:"userName"`
	GroupName string      `json:"groupName"`
	Flags     string      `json:"flags"`
}

RpmFileRecord represents the file metadata for a single file attributed to a RPM package.
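Because RpmFileMode is the raw st_mode word, both the file type and the permission bits (including setuid, setgid and sticky) can be decoded from it directly. The example below is added for this page and is not syft code: it redeclares RpmFileMode locally with its own stat.h constant names, renders a mode the way ls -l does, and adds a Risk method (the example's own, not syft's) that flags the modes a reviewer of an RPM's file list would want surfaced: setuid/setgid executables and world-writable paths without the sticky bit.

```go
package main

import "fmt"

// RpmFileMode mirrors syft's pkg.RpmFileMode: the raw st_mode value the RPM header records for each file.
type RpmFileMode uint16

// File type and permission bits as defined in <sys/stat.h>; types not listed here render as '?'.
const (
	sIFMT  RpmFileMode = 0o170000 // mask selecting the file type bits
	sIFLNK RpmFileMode = 0o120000
	sIFREG RpmFileMode = 0o100000
	sIFDIR RpmFileMode = 0o040000
	sISUID RpmFileMode = 0o4000
	sISGID RpmFileMode = 0o2000
	sISVTX RpmFileMode = 0o1000 // sticky bit
	sIWOTH RpmFileMode = 0o0002 // write permission for others
)

// String renders the mode as ls -l does, e.g. "-rwsr-xr-x" for a setuid executable.
func (m RpmFileMode) String() string {
	t, ok := map[RpmFileMode]byte{sIFLNK: 'l', sIFREG: '-', sIFDIR: 'd'}[m&sIFMT]
	if !ok {
		t = '?'
	}
	perm := []byte("rwxrwxrwx") // index 0 is owner read (0o400), index 8 is other execute (0o1)
	for i := range perm {
		if m&(1<<uint(8-i)) == 0 {
			perm[i] = '-'
		}
	}
	// setuid, setgid and sticky share the three execute slots: 's'/'t' when the x bit is set, 'S'/'T' when not.
	mark := func(bit RpmFileMode, idx int, c byte) {
		if m&bit == 0 {
			return
		}
		if perm[idx] == '-' {
			c -= 'a' - 'A'
		}
		perm[idx] = c
	}
	mark(sISUID, 2, 's')
	mark(sISGID, 5, 's')
	mark(sISVTX, 8, 't')
	return string(t) + string(perm)
}

// Risk names the privilege-granting property of a mode, or returns "" when there is none: setuid or setgid on a
// regular file, or a world-writable regular file or directory that lacks the sticky bit.
func (m RpmFileMode) Risk() string {
	kind := m & sIFMT
	switch {
	case kind == sIFREG && m&(sISUID|sISGID) != 0:
		return "setuid/setgid"
	case (kind == sIFREG || kind == sIFDIR) && m&sIWOTH != 0 && m&sISVTX == 0:
		return "world-writable"
	}
	return ""
}

func main() {
	for _, m := range []RpmFileMode{0o104755, 0o100644, 0o041777, 0o100666, 0o120777} { // constructed sample modes
		fmt.Printf("%06o %s %s\n", uint16(m), m, m.Risk())
	}
}
```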

type RubyGemspec added in v0.95.0

type RubyGemspec struct {
	Name    string `mapstructure:"name" json:"name"`
	Version string `mapstructure:"version" json:"version"`
	// note regarding if Files can contribute to GemMetadata being able to implement FileOwner: this list is a
	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
	//
	// For example: The "bundler" gem has a file entry of:
	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
	// but the actual file is located at:
	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
	// which do not match (the "lib" prefix is missing even for relative processing).
	//
	// without additional information about:
	// 	- the gem installation path
	// 	- the ruby installation path
	// 	- the ruby version
	// 	- environment variables (e.g. GEM_HOME) that may affect the gem installation path
	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
	Files    []string `mapstructure:"files" json:"files,omitempty"`
	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
	Homepage string   `mapstructure:"homepage" json:"homepage,omitempty"`
}

RubyGemspec represents all metadata parsed from the *.gemspec file.

type RustBinaryAuditEntry added in v0.95.0

type RustBinaryAuditEntry struct {
	Name    string `toml:"name" json:"name"`
	Version string `toml:"version" json:"version"`
	Source  string `toml:"source" json:"source"`
}

type RustCargoLockEntry added in v0.95.0

type RustCargoLockEntry struct {
	Name         string   `toml:"name" json:"name"`
	Version      string   `toml:"version" json:"version"`
	Source       string   `toml:"source" json:"source"`
	Checksum     string   `toml:"checksum" json:"checksum"`
	Dependencies []string `toml:"dependencies" json:"dependencies"`
}

type SwiftPackageManagerResolvedEntry added in v0.95.0

type SwiftPackageManagerResolvedEntry struct {
	Revision string `mapstructure:"revision" json:"revision"`
}

type Type

type Type string

Type represents a Package Type for or within a language ecosystem (there may be multiple package types within a language ecosystem).

const (
	// the full set of supported packages
	UnknownPkg              Type = "UnknownPackage"
	AlpmPkg                 Type = "alpm"
	ApkPkg                  Type = "apk"
	BinaryPkg               Type = "binary"
	CocoapodsPkg            Type = "pod"
	ConanPkg                Type = "conan"
	DartPubPkg              Type = "dart-pub"
	DebPkg                  Type = "deb"
	DotnetPkg               Type = "dotnet"
	GemPkg                  Type = "gem"
	GithubActionPkg         Type = "github-action"
	GithubActionWorkflowPkg Type = "github-action-workflow"
	GoModulePkg             Type = "go-module"
	GraalVMNativeImagePkg   Type = "graalvm-native-image"
	HackagePkg              Type = "hackage"
	HexPkg                  Type = "hex"
	JavaPkg                 Type = "java-archive"
	JenkinsPluginPkg        Type = "jenkins-plugin"
	KbPkg                   Type = "msrc-kb"
	LinuxKernelPkg          Type = "linux-kernel"
	LinuxKernelModulePkg    Type = "linux-kernel-module"
	NixPkg                  Type = "nix"
	NpmPkg                  Type = "npm"
	PhpComposerPkg          Type = "php-composer"
	PortagePkg              Type = "portage"
	PythonPkg               Type = "python"
	Rpkg                    Type = "R-package"
	RpmPkg                  Type = "rpm"
	RustPkg                 Type = "rust-crate"
	SwiftPkg                Type = "swift"
)

func TypeByName added in v0.38.0

func TypeByName(name string) Type

func TypeFromPURL added in v0.37.0

func TypeFromPURL(p string) Type

func (Type) PackageURLType

func (t Type) PackageURLType() string

PackageURLType returns the PURL package type for the current package.

Directories

Path Synopsis
cataloger
Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc).
alpine
Package alpine provides concrete Cataloger implementations for packages relating to the Alpine linux distribution.
arch
Package arch provides concrete Cataloger implementations for packages relating to the Arch linux distribution.
binary
Package binary provides concrete Cataloger implementations for surfacing possible packages based on signatures found within binary files.
common/cpe/dictionary/index-generator
This program downloads the latest CPE dictionary from NIST and processes it into a JSON file that can be embedded into Syft for more accurate CPE results.
cpp
Package cpp provides concrete Cataloger implementations for the C/C++ language ecosystem.
dart
Package dart provides concrete Cataloger implementations for the Dart language ecosystem.
debian
Package debian provides a concrete Cataloger implementation relating to packages within the Debian linux distribution.
dotnet
Package dotnet provides a concrete Cataloger implementation relating to packages within the C#/.NET language/runtime ecosystem.
elixir
Package elixir provides a concrete Cataloger implementation relating to packages within the Elixir language ecosystem.
erlang
Package erlang provides a concrete Cataloger implementation relating to packages within the Erlang language ecosystem.
gentoo
Package gentoo provides a concrete Cataloger implementation related to packages within the Gentoo linux ecosystem.
githubactions
Package githubactions provides a concrete Cataloger implementation for GitHub Actions packages (both actions and workflows).
golang
Package golang provides a concrete Cataloger implementation relating to packages within the Go language ecosystem.
haskell
Package haskell provides a concrete Cataloger implementation relating to packages within the Haskell language ecosystem.
java
Package java provides a concrete Cataloger implementation for packages relating to the Java language ecosystem.
javascript
Package javascript provides a concrete Cataloger implementation for packages relating to the JavaScript language ecosystem.
kernel
Package kernel provides a concrete Cataloger implementation for linux kernel and module files.
nix
Package nix provides a concrete Cataloger implementation for packages within the Nix packaging ecosystem.
php
Package php provides a concrete Cataloger implementation relating to packages within the PHP language ecosystem.
python
Package python provides a concrete Cataloger implementation relating to packages within the Python language ecosystem.
r
Package r provides a concrete Cataloger implementation relating to packages within the R language ecosystem.
redhat
Package redhat provides a concrete DBCataloger implementation relating to packages within the RedHat linux distribution.
ruby
Package ruby provides a concrete Cataloger implementation relating to packages within the Ruby language ecosystem.
rust
Package rust provides a concrete Cataloger implementation relating to packages within the Rust language ecosystem.
sbom
Package sbom provides a concrete Cataloger implementation for capturing packages embedded within SBOM files.
swift
Package swift provides a concrete Cataloger implementation relating to packages within the swift language ecosystem.
