Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package syft for openSUSE:Factory checked in at 2022-07-08 14:01:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/syft (Old) and /work/SRC/openSUSE:Factory/.syft.new.1523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "syft" Fri Jul 8 14:01:42 2022 rev:4 rq:987414 version:0.50.0 Changes: -------- --- /work/SRC/openSUSE:Factory/syft/syft.changes 2022-06-28 15:21:59.689908580 +0200 +++ /work/SRC/openSUSE:Factory/.syft.new.1523/syft.changes 2022-07-08 14:01:47.550439021 +0200 @@ -1,0 +2,16 @@ +Wed Jul 06 18:12:23 UTC 2022 - ka...@b1-systems.de + +- Update to version 0.50.0: + * feat: add new login cmd (#1068) + * update AltRpmDbGlob with comment and context (#1085) + * feat: add support for conan packages (C/C++) (#1083) + * add golang main module and pseudo-version (#916) + * fix: add glob to filter list to ensure rpm metadata files are matched??? (#1079) + * remove pr automation until service account creation (#1080) + * fix: purl generation for pom.xml (#1078) + * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072) + * fix: add new languages found in cpes (#1069) + * fix: add php catalogers to all catalogers (#1065) + * feat: add use-all-catalogers flag (#1050) + +------------------------------------------------------------------- Old: ---- syft-0.49.0.tar.gz New: ---- syft-0.50.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ syft.spec ++++++ --- /var/tmp/diff_new_pack.GXU1ym/_old 2022-07-08 14:01:49.082440662 +0200 +++ /var/tmp/diff_new_pack.GXU1ym/_new 2022-07-08 14:01:49.086440666 +0200 @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: syft -Version: 0.49.0 +Version: 0.50.0 Release: 0 Summary: CLI tool and library for generating a Software Bill of Materials License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.GXU1ym/_old 2022-07-08 14:01:49.126440709 +0200 +++ /var/tmp/diff_new_pack.GXU1ym/_new 2022-07-08 14:01:49.130440713 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/anchore/syft</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v0.49.0</param> + <param name="revision">v0.50.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> @@ -16,7 +16,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="disabled"> - <param name="archive">syft-0.49.0.tar.gz</param> + <param name="archive">syft-0.50.0.tar.gz</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.GXU1ym/_old 2022-07-08 14:01:49.154440739 +0200 +++ /var/tmp/diff_new_pack.GXU1ym/_new 2022-07-08 14:01:49.154440739 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/anchore/syft</param> - <param name="changesrevision">d5e12ff89c2d3af684152dd401618533a6f1b67e</param></service></servicedata> + <param name="changesrevision">69134ed3b54bc8b1d86d868611f7d069ce3290a8</param></service></servicedata> (No newline at EOF) ++++++ syft-0.49.0.tar.gz -> syft-0.50.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/.github/workflows/pr.yaml new/syft-0.50.0/.github/workflows/pr.yaml --- old/syft-0.49.0/.github/workflows/pr.yaml 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/.github/workflows/pr.yaml 1970-01-01 01:00:00.000000000 +0100 
@@ -1,17 +0,0 @@ -# Uses https://github.com/actions/add-to-project example to add PR to Anchore OSS project -name: Add pr to OSS project - -on: - pull_request: - types: - - opened - -jobs: - add-to-project: - name: Add pr to project - runs-on: ubuntu-latest - steps: - - uses: actions/add-to-project@main - with: - project-url: https://github.com/orgs/anchore/projects/22 - github-token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/README.md new/syft-0.50.0/README.md --- old/syft-0.49.0/README.md 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/README.md 2022-07-05 17:57:28.000000000 +0200 @@ -30,6 +30,8 @@ ### Supported Ecosystems - Alpine (apk) +- C (conan) +- C++ (conan) - Dart (pubs) - Debian (dpkg) - Dotnet (deps.json) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/cmd/syft/cli/commands.go new/syft-0.50.0/cmd/syft/cli/commands.go --- old/syft-0.49.0/cmd/syft/cli/commands.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/cmd/syft/cli/commands.go 2022-07-05 17:57:28.000000000 +0200 @@ -15,6 +15,7 @@ "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/event" + cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd" "github.com/gookit/color" "github.com/spf13/cobra" "github.com/spf13/viper" @@ -30,6 +31,7 @@ // at this level. Values from the config should only be used after `app.LoadAllValues` has been called. // Cobra does not have knowledge of the user provided flags until the `RunE` block of each command. // `RunE` is the earliest that the complete application configuration can be loaded. +// nolint:funlen func New() (*cobra.Command, error) { app := &config.Application{} 
@@ -82,13 +84,22 @@
 return nil, err
 }
 
+ // commands to add to root
+ cmds := []*cobra.Command{
+ packagesCmd,
+ attestCmd,
+ convertCmd,
+ poweruserCmd,
+ poweruserCmd,
+ Completion(),
+ Version(v, app),
+ cranecmd.NewCmdAuthLogin("syft"),
+ }
+
 // Add sub-commands.
- rootCmd.AddCommand(packagesCmd)
- rootCmd.AddCommand(attestCmd)
- rootCmd.AddCommand(convertCmd)
- rootCmd.AddCommand(poweruserCmd)
- rootCmd.AddCommand(Completion())
- rootCmd.AddCommand(Version(v, app))
+ for _, cmd := range cmds {
+ rootCmd.AddCommand(cmd)
+ }
 
 return rootCmd, err
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/go.mod new/syft-0.50.0/go.mod
--- old/syft-0.49.0/go.mod 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/go.mod 2022-07-05 17:57:28.000000000 +0200
@@ -13,7 +13,7 @@
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
 github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
- github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06
+ github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce
 github.com/antihax/optional v1.0.0
 github.com/bmatcuk/doublestar/v4 v4.0.2
 github.com/dustin/go-humanize v1.0.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/go.sum new/syft-0.50.0/go.sum
--- old/syft-0.49.0/go.sum 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/go.sum 2022-07-05 17:57:28.000000000 +0200
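Review bot: `poweruserCmd` is listed twice in the new `cmds` slice, so the loop below registers the same subcommand with cobra twice; delete the second `poweruserCmd,` line. The `login` subcommand is taken verbatim from go-containerregistry's crane via `cranecmd.NewCmdAuthLogin("syft")`, which presumably persists registry credentials on disk the way crane does, so a one-line comment at that entry saying where credentials are written and how this relates to the existing `registry.auth` configuration would help anyone auditing what the binary stores, e.g. `// "login" is crane's login command; credentials are stored wherever crane stores them`. `New` starts before the hunk.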
@@ -273,8 +273,8 @@ github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E= github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 h1:kDrYkTSM9uIxaX/P9s0F4nKYNM+hnSgLJdLpqvsaQ/g= github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4= -github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06 h1:TSRA7gtuia3eyleTO3t7iPU+9xHbdSaufoUFNQUwUXo= -github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06/go.mod h1:sai2ZjAtT/y1GRQBDRbynhdhnQcGWBvVcv8CN3hTWmI= +github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce h1:KNB0d342QvE6V7iwqyf4NoyxRp6LVYoGjU1htgf0at8= +github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce/go.mod h1:sai2ZjAtT/y1GRQBDRbynhdhnQcGWBvVcv8CN3hTWmI= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/internal/config/registry.go new/syft-0.50.0/internal/config/registry.go --- old/syft-0.49.0/internal/config/registry.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/internal/config/registry.go 2022-07-05 17:57:28.000000000 +0200 
@@ -30,7 +30,7 @@ v.SetDefault("registry.auth", []RegistryCredentials{}) } -// nolint: unparam +// nolint:unparam func (cfg *registry) parseConfigValues() error { // there may be additional credentials provided by env var that should be appended to the set of credentials authority, username, password, token := diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info.go new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info.go --- old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info.go 2022-07-05 17:57:28.000000000 +0200 @@ -35,6 +35,8 @@ answer = "acquired package info from rust cargo manifest" case pkg.PhpComposerPkg: answer = "acquired package info from PHP composer manifest" + case pkg.ConanPkg: + answer = "acquired package info from conan manifest" default: answer = "acquired package info from the following paths" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info_test.go new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info_test.go --- old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info_test.go 2022-07-05 17:57:28.000000000 +0200 
@@ -150,6 +150,14 @@ "from ALPM DB", }, }, + { + input: pkg.Package{ + Type: pkg.ConanPkg, + }, + expected: []string{ + "from conan manifest", + }, + }, } var pkgTypes []pkg.Type for _, test := range tests { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/internal/formats/syftjson/model/package.go new/syft-0.50.0/internal/formats/syftjson/model/package.go --- old/syft-0.49.0/internal/formats/syftjson/model/package.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/internal/formats/syftjson/model/package.go 2022-07-05 17:57:28.000000000 +0200 @@ -63,7 +63,7 @@ return unpackMetadata(p, unpacker) } -// nolint:funlen +// nolint:funlen,gocognit,gocyclo func unpackMetadata(p *Package, unpacker packageMetadataUnpacker) error { p.MetadataType = unpacker.MetadataType switch p.MetadataType { @@ -144,6 +144,12 @@ if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil { return err } + p.Metadata = payload + case pkg.ConanaMetadataType: + var payload pkg.ConanMetadata + if err := json.Unmarshal(unpacker.Metadata, &payload); err != nil { + return err + } p.Metadata = payload case pkg.DotnetDepsMetadataType: var payload pkg.DotnetDepsMetadata diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/lib.go new/syft-0.50.0/syft/lib.go --- old/syft-0.49.0/syft/lib.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/lib.go 2022-07-05 17:57:28.000000000 +0200 
@@ -64,6 +64,10 @@
 return nil, nil, nil, fmt.Errorf("unable to determine cataloger set from scheme=%+v", src.Metadata.Scheme)
 }
 
+ if cataloger.RequestedAllCatalogers(cfg) {
+ catalogers = cataloger.AllCatalogers(cfg)
+ }
+
 catalog, relationships, err := cataloger.Catalog(resolver, release, catalogers...)
 if err != nil {
 return nil, nil, nil, err
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cataloger.go new/syft-0.50.0/syft/pkg/cataloger/cataloger.go
--- old/syft-0.49.0/syft/pkg/cataloger/cataloger.go 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/cataloger.go 2022-07-05 17:57:28.000000000 +0200
@@ -13,6 +13,7 @@
 "github.com/anchore/syft/syft/pkg"
 "github.com/anchore/syft/syft/pkg/cataloger/alpm"
 "github.com/anchore/syft/syft/pkg/cataloger/apkdb"
+ "github.com/anchore/syft/syft/pkg/cataloger/cpp"
 "github.com/anchore/syft/syft/pkg/cataloger/dart"
 "github.com/anchore/syft/syft/pkg/cataloger/deb"
 "github.com/anchore/syft/syft/pkg/cataloger/dotnet"
@@ -27,6 +28,8 @@
 "github.com/anchore/syft/syft/source"
 )
 
+const AllCatalogersPattern = "all"
+
 // Cataloger describes behavior for an object to participate in parsing container image or file system
 // contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages
 // for a specific Package Type or ecosystem.
@@ -73,6 +76,7 @@
 rust.NewCargoLockCataloger(),
 dart.NewPubspecLockCataloger(),
 dotnet.NewDotnetDepsCataloger(),
+ cpp.NewConanfileCataloger(),
 }, cfg.Catalogers)
 }
 
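Review bot: `AllCatalogersPattern` is exported without a doc comment; suggest `// AllCatalogersPattern is the cataloger selector ("all") that enables every known cataloger instead of the set chosen for the source type.` The companion lib.go hunk replaces the scheme-selected set with `cataloger.AllCatalogers(cfg)`, which is not in this diff, so I take it to be a new function returning the union of the image and directory sets; a short comment at that call site saying this intentionally runs directory-style catalogers against images (and vice versa) would make clear to readers that the resulting SBOM differs from the default. The enclosing function in lib.go starts and ends outside the hunk.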
@@ -96,14 +100,31 @@
 rust.NewCargoLockCataloger(),
 dart.NewPubspecLockCataloger(),
 dotnet.NewDotnetDepsCataloger(),
+ php.NewPHPComposerInstalledCataloger(),
+ php.NewPHPComposerLockCataloger(),
+ cpp.NewConanfileCataloger(),
 }, cfg.Catalogers)
 }
 
+func RequestedAllCatalogers(cfg Config) bool {
+ for _, enableCatalogerPattern := range cfg.Catalogers {
+ if enableCatalogerPattern == AllCatalogersPattern {
+ return true
+ }
+ }
+ return false
+}
+
 func filterCatalogers(catalogers []Cataloger, enabledCatalogerPatterns []string) []Cataloger {
 // if cataloger is not set, all applicable catalogers are enabled by default
 if len(enabledCatalogerPatterns) == 0 {
 return catalogers
 }
+ for _, enableCatalogerPattern := range enabledCatalogerPatterns {
+ if enableCatalogerPattern == AllCatalogersPattern {
+ return catalogers
+ }
+ }
 var keepCatalogers []Cataloger
 for _, cataloger := range catalogers {
 if contains(enabledCatalogerPatterns, cataloger.Name()) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cpp/cataloger.go new/syft-0.50.0/syft/pkg/cataloger/cpp/cataloger.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/cataloger.go 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/cataloger.go 2022-07-05 17:57:28.000000000 +0200
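Review bot: The loop added to `filterCatalogers` repeats, line for line, the scan that `RequestedAllCatalogers` performs a few lines above, only over a `[]string` instead of `cfg.Catalogers`; extract `func hasAllCatalogersPattern(patterns []string) bool` and have both call it so the meaning of "all" lives in one place. `RequestedAllCatalogers` is exported with no doc comment; suggest `// RequestedAllCatalogers reports whether cfg.Catalogers contains the "all" pattern, which bypasses source-type filtering.` Matching is exact, so a value such as `"ALL"` is silently treated as a cataloger name and matches nothing; whether that is acceptable depends on how the config layer normalizes the list, which is not visible here. `filterCatalogers` continues past the hunk.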
@@ -0,0 +1,14 @@
+package cpp
+
+import (
+ "github.com/anchore/syft/syft/pkg/cataloger/common"
+)
+
+// NewConanfileCataloger returns a new C++ Conanfile cataloger object.
+func NewConanfileCataloger() *common.GenericCataloger {
+ globParsers := map[string]common.ParserFn{
+ "**/conanfile.txt": parseConanfile,
+ }
+
+ return common.NewGenericCataloger(nil, globParsers, "conan-cataloger")
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile.go new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile.go 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile.go 2022-07-05 17:57:28.000000000 +0200
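Review bot: The doc comment on `NewConanfileCataloger` should state the cataloger's scope, because the single glob `**/conanfile.txt` means `conanfile.py` recipes and `conan.lock` lockfiles are never visited and the versions reported are whatever the consumer declared rather than what a resolver picked; a vulnerability scanner fed this SBOM inherits that gap. Suggested wording: `// NewConanfileCataloger returns a cataloger for conanfile.txt consumer recipes only. conanfile.py and conan.lock are not parsed, and the versions reported are the declared [requires] entries, not a resolved/installed set.` The README line in this commit advertises "C (conan)" and "C++ (conan)" support, so the limitation is worth spelling out there as well.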
@@ -0,0 +1,60 @@
+package cpp
+
+import (
+ "bufio"
+ "errors"
+ "fmt"
+ "io"
+ "strings"
+
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/pkg"
+ "github.com/anchore/syft/syft/pkg/cataloger/common"
+)
+
+// integrity check
+var _ common.ParserFn = parseConanfile
+
+type Conanfile struct {
+ Requires []string `toml:"requires"`
+}
+
+// parseConanfile is a parser function for conanfile.txt contents, returning all packages discovered.
+func parseConanfile(_ string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
+ r := bufio.NewReader(reader)
+ inRequirements := false
+ pkgs := []*pkg.Package{}
+ for {
+ line, err := r.ReadString('\n')
+ switch {
+ case errors.Is(io.EOF, err):
+ return pkgs, nil, nil
+ case err != nil:
+ return nil, nil, fmt.Errorf("failed to parse conanfile.txt file: %w", err)
+ }
+
+ switch {
+ case strings.Contains(line, "[requires]"):
+ inRequirements = true
+ case strings.ContainsAny(line, "[]#"):
+ inRequirements = false
+ }
+
+ splits := strings.Split(strings.TrimSpace(line), "/")
+ if len(splits) < 2 || !inRequirements {
+ continue
+ }
+ pkgName, pkgVersion := splits[0], splits[1]
+ pkgs = append(pkgs, &pkg.Package{
+ Name: pkgName,
+ Version: pkgVersion,
+ Language: pkg.CPP,
+ Type: pkg.ConanPkg,
+ MetadataType: pkg.ConanaMetadataType,
+ Metadata: pkg.ConanMetadata{
+ Name: pkgName,
+ Version: pkgVersion,
+ },
+ })
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go 2022-07-05 17:57:28.000000000 +0200
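Review bot: The parse loop silently drops dependencies in two common shapes: a final `[requires]` entry on a line with no trailing newline comes back from `ReadString` together with `io.EOF`, and the `errors.Is(io.EOF, err)` case returns before that line is examined; and a reference written as `name/version@user/channel` is split on `/` only, so it is recorded with version `version@user`. A `#` comment inside the `[requires]` section also hits the `ContainsAny(line, "[]#")` case, clears `inRequirements`, and discards every requirement after it; and `errors.Is(io.EOF, err)` has its arguments reversed, which only works because bufio returns the bare sentinel. I would rebuild the loop on `bufio.Scanner`, strip comments before anything else, change section only on lines that start with `[`, and cut the reference at `@` before splitting on `/`; the `errors` import and the unused `Conanfile` struct (its `toml` tag is never read) can then go. A one-line comment on the function that these are declared, not resolved, versions would also help downstream matchers.
```go
func parseConanfile(_ string, reader io.Reader) ([]*pkg.Package, []artifact.Relationship, error) {
	scanner := bufio.NewScanner(reader)
	inRequirements := false
	pkgs := []*pkg.Package{}
	for scanner.Scan() {
		line := strings.TrimSpace(scanner.Text())
		// drop trailing "# ..." comments first so a comment never ends the [requires] section
		if i := strings.Index(line, "#"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "[") {
			inRequirements = line == "[requires]"
			continue
		}
		if !inRequirements {
			continue
		}
		// reference syntax is name/version[@user/channel]; only name and version are kept
		if at := strings.Index(line, "@"); at >= 0 {
			line = line[:at]
		}
		splits := strings.SplitN(line, "/", 2)
		if len(splits) != 2 || splits[0] == "" || splits[1] == "" {
			continue
		}
		pkgName, pkgVersion := splits[0], splits[1]
		// … unchanged: append the pkg.Package built from pkgName/pkgVersion …
	}
	if err := scanner.Err(); err != nil {
		return nil, nil, fmt.Errorf("failed to parse conanfile.txt file: %w", err)
	}
	return pkgs, nil, nil
}
```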
@@ -0,0 +1,96 @@ +package cpp + +import ( + "os" + "testing" + + "github.com/anchore/syft/syft/pkg" + "github.com/go-test/deep" +) + +func TestParseConanfile(t *testing.T) { + expected := []*pkg.Package{ + { + Name: "catch2", + Version: "2.13.8", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "catch2", + Version: "2.13.8", + }, + }, + { + Name: "docopt.cpp", + Version: "0.6.3", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "docopt.cpp", + Version: "0.6.3", + }, + }, + { + Name: "fmt", + Version: "8.1.1", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "fmt", + Version: "8.1.1", + }, + }, + { + Name: "spdlog", + Version: "1.9.2", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "spdlog", + Version: "1.9.2", + }, + }, + { + Name: "sdl", + Version: "2.0.20", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "sdl", + Version: "2.0.20", + }, + }, + { + Name: "fltk", + Version: "1.3.8", + Language: pkg.CPP, + Type: pkg.ConanPkg, + MetadataType: pkg.ConanaMetadataType, + Metadata: pkg.ConanMetadata{ + Name: "fltk", + Version: "1.3.8", + }, + }, + } + + fixture, err := os.Open("test-fixtures/conanfile.txt") + if err != nil { + t.Fatalf("failed to open fixture: %+v", err) + } + + // TODO: no relationships are under test yet + actual, _, err := parseConanfile(fixture.Name(), fixture) + if err != nil { + t.Error(err) + } + + differences := deep.Equal(expected, actual) + if differences != nil { + t.Errorf("returned package list differed from expectation: %+v", differences) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
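Review bot: `fixture` is never closed after `os.Open`; add `defer fixture.Close()` immediately after the error check. `t.Error(err)` does not stop the test, so a parse failure falls through to `deep.Equal(expected, nil)` and reports a misleading package diff instead of the real error; use `t.Fatalf("failed to parse fixture: %+v", err)` there. The fixture contains no `name/version@user/channel` reference, no comment inside `[requires]`, and ends with a newline, so none of those parser paths is exercised; a second, smaller fixture covering them would pin the intended behaviour.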
old/syft-0.49.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt new/syft-0.50.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt --- old/syft-0.49.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/syft-0.50.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt 2022-07-05 17:57:28.000000000 +0200 @@ -0,0 +1,12 @@ +# Docs at https://docs.conan.io/en/latest/reference/conanfile_txt.html + +[requires] +catch2/2.13.8 +docopt.cpp/0.6.3 +fmt/8.1.1 +spdlog/1.9.2 +sdl/2.0.20 +fltk/1.3.8 + +[generators] +cmake_find_package_multi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/golang/parse_go_bin.go new/syft-0.50.0/syft/pkg/cataloger/golang/parse_go_bin.go --- old/syft-0.49.0/syft/pkg/cataloger/golang/parse_go_bin.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/cataloger/golang/parse_go_bin.go 2022-07-05 17:57:28.000000000 +0200 @@ -10,11 +10,13 @@ "io" "runtime/debug" "strings" + "time" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg/cataloger/golang/internal/xcoff" "github.com/anchore/syft/syft/source" + "golang.org/x/mod/module" ) const GOARCH = "GOARCH" 
@@ -24,14 +26,30 @@
 // appear to be in a known format, or it breaks the rules of that format,
 // or when there are I/O errors reading the file.
 errUnrecognizedFormat = errors.New("unrecognized file format")
+ // devel is used to recognize the current default version when a golang main distribution is built
+ // https://github.com/golang/go/issues/29228 this issue has more details on the progress of being able to
+ // inject the correct version into the main module of the build process
 )
 
+const devel = "(devel)"
+
 func makeGoMainPackage(mod *debug.BuildInfo, arch string, location source.Location) pkg.Package {
 gbs := getBuildSettings(mod.Settings)
 main := newGoBinaryPackage(&mod.Main, mod.Main.Path, mod.GoVersion, arch, location, gbs)
-
- if v, ok := gbs["vcs.revision"]; ok {
- main.Version = v
+ if main.Version == devel {
+ if version, ok := gbs["vcs.revision"]; ok {
+ if timestamp, ok := gbs["vcs.time"]; ok {
+ //NOTE: err is ignored, because if parsing fails
+ // we still use the empty Time{} struct to generate an empty date, like 00010101000000
+ // for consistency with the pseudo-version format: https://go.dev/ref/mod#pseudo-versions
+ ts, _ := time.Parse(time.RFC3339, timestamp)
+ if len(version) >= 12 {
+ version = version[:12]
+ }
+ version = module.PseudoVersion("", "", ts, version)
+ }
+ main.Version = version
+ }
 }
 
 return main
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml.go new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml.go
--- old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml.go 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml.go 2022-07-05 17:57:28.000000000 +0200
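Review bot: The three comment lines describing `devel` are added inside the `var (` block, above its closing `)`, while `const devel` is declared after it, so they attach to nothing in `go doc` and read as a continuation of the `errUnrecognizedFormat` comment; move them onto the const, e.g. `// devel is the version Go stamps on a main module built without module version information; see golang/go#29228.` The pseudo-version synthesized from `vcs.revision` and `vcs.time` never consults `vcs.modified`, which, as I recall from Go's build settings, is `"true"` for a build from a dirty tree, so a `v0.0.0-<time>-<rev>` here claims the binary corresponds to that commit when it may not; consider leaving `(devel)` in place or flagging the version when `gbs["vcs.modified"] == "true"`. Note also the behaviour change against the removed lines: `vcs.revision` now only replaces a `(devel)` version rather than any version, which looks intentional but deserves a changelog sentence. `makeGoMainPackage` ends after the hunk.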
@@ -63,6 +63,11 @@ Type: pkg.JavaPkg, // TODO: should we differentiate between packages from jar/war/zip versus packages from a pom.xml that were not installed yet? MetadataType: pkg.JavaMetadataType, FoundBy: javaPomCataloger, + Metadata: pkg.JavaMetadata{ + PomProperties: &pkg.PomProperties{ + GroupID: dep.GroupID, + }, + }, } p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml_test.go new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml_test.go --- old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml_test.go 2022-07-05 17:57:28.000000000 +0200 @@ -26,7 +26,7 @@ Type: pkg.JavaPkg, MetadataType: pkg.JavaMetadataType, Metadata: pkg.JavaMetadata{ - PURL: "pkg:maven/joda-time/joda-time@2.9.2", + PURL: "pkg:maven/com.joda/joda-time@2.9.2", }, }, { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml new/syft-0.50.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml --- old/syft-0.49.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml 2022-07-05 17:57:28.000000000 +0200 @@ -1,6 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> -<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> +<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <groupId>org.anchore</groupId> 
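Review bot: The `PomProperties` added here live only until the next line after the hunk, `p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)}`, which replaces the whole `Metadata` value, so `GroupID` is used to build the PURL and is then absent from the emitted package (the test updated in this commit expects only `PURL`, so this may be deliberate). If the group id is meant to be kept, set it together with the PURL, `p.Metadata = pkg.JavaMetadata{PomProperties: &pkg.PomProperties{GroupID: dep.GroupID}, PURL: packageURL(*p)}`, and extend the test expectation; otherwise a short comment saying the properties are only an input to `packageURL` would stop the next reader from wondering. The enclosing function starts before the hunk.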
@@ -16,7 +15,7 @@ <dependencies> <!-- tag::joda[] --> <dependency> - <groupId>joda-time</groupId> + <groupId>com.joda</groupId> <artifactId>joda-time</artifactId> <version>2.9.2</version> </dependency> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/conan_metadata.go new/syft-0.50.0/syft/pkg/conan_metadata.go --- old/syft-0.49.0/syft/pkg/conan_metadata.go 1970-01-01 01:00:00.000000000 +0100 +++ new/syft-0.50.0/syft/pkg/conan_metadata.go 2022-07-05 17:57:28.000000000 +0200 @@ -0,0 +1,24 @@ +package pkg + +import ( + "github.com/anchore/packageurl-go" + "github.com/anchore/syft/syft/linux" +) + +type ConanMetadata struct { + Name string `mapstructure:"name" json:"name"` + Version string `mapstructure:"version" json:"version"` +} + +func (m ConanMetadata) PackageURL(_ *linux.Release) string { + var qualifiers packageurl.Qualifiers + + return packageurl.NewPackageURL( + packageurl.TypeConan, + "", + m.Name, + m.Version, + qualifiers, + "", + ).ToString() +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/language.go new/syft-0.50.0/syft/pkg/language.go --- old/syft-0.49.0/syft/pkg/language.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/language.go 2022-07-05 17:57:28.000000000 +0200 @@ -21,6 +21,7 @@ Rust Language = "rust" Dart Language = "dart" Dotnet Language = "dotnet" + CPP Language = "c++" ) // AllLanguages is a set of all programming languages detected by syft. @@ -34,6 +35,7 @@ Rust, Dart, Dotnet, + CPP, } // String returns the string representation of the language. @@ -58,7 +60,7 @@ return PHP case packageurl.TypeGolang, string(GoModulePkg), string(Go): return Go - case packageurl.TypeNPM, string(JavaScript): + case packageurl.TypeNPM, string(JavaScript), "nodejs", "node.js": return JavaScript case packageurl.TypePyPi, string(Python): return Python 
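Review bot: In the new `conan_metadata.go`, `ConanMetadata` and its `PackageURL` method are exported without doc comments, and `var qualifiers packageurl.Qualifiers` is always nil, so pass `nil` directly and drop the variable. Suggested doc on the type: `// ConanMetadata holds the name and version parsed from a conanfile.txt [requires] entry; user and channel are not captured.` and on the method a note that the result is always `pkg:conan/<name>@<version>` with no namespace or qualifiers, so two requirements differing only by user/channel collapse into the same identifier.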
@@ -70,6 +72,8 @@
 return Dart
 case packageurl.TypeDotnet:
 return Dotnet
+ case packageurl.TypeConan, string(CPP):
+ return CPP
 default:
 return UnknownLanguage
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/language_test.go new/syft-0.50.0/syft/pkg/language_test.go
--- old/syft-0.49.0/syft/pkg/language_test.go 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/language_test.go 2022-07-05 17:57:28.000000000 +0200
@@ -50,6 +50,10 @@
 purl: "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=zip&classifier=dist",
 want: Java,
 },
+ {
+ purl: "pkg:conan/catch2@2.13.8",
+ want: CPP,
+ },
 }
 
 var languages []string
@@ -128,6 +132,14 @@
 language: JavaScript,
 },
 {
+ name: "node.js",
+ language: JavaScript,
+ },
+ {
+ name: "nodejs",
+ language: JavaScript,
+ },
+ {
 name: "pypi",
 language: Python,
 },
@@ -175,6 +187,14 @@
 name: "unknown",
 language: UnknownLanguage,
 },
+ {
+ name: "conan",
+ language: CPP,
+ },
+ {
+ name: "c++",
+ language: CPP,
+ },
 }
 
 for _, test := range tests {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/metadata.go new/syft-0.50.0/syft/pkg/metadata.go
--- old/syft-0.49.0/syft/pkg/metadata.go 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/metadata.go 2022-07-05 17:57:28.000000000 +0200
@@ -25,6 +25,7 @@
 KbPackageMetadataType MetadataType = "KbPackageMetadata"
 GolangBinMetadataType MetadataType = "GolangBinMetadata"
 PhpComposerJSONMetadataType MetadataType = "PhpComposerJsonMetadata"
+ ConanaMetadataType MetadataType = "ConanaMetadataType"
 )
 
 var AllMetadataTypes = []MetadataType{
@@ -42,6 +43,7 @@
 KbPackageMetadataType,
 GolangBinMetadataType,
 PhpComposerJSONMetadataType,
+ ConanaMetadataType,
 }
 
 var MetadataTypeByName = map[MetadataType]reflect.Type{
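Review bot: `ConanaMetadataType MetadataType = "ConanaMetadataType"` has a typo in the identifier and a string value that breaks the pattern of its siblings (`"PhpComposerJsonMetadata"`, `"GolangBinMetadata"`, no `Type` suffix); that string is the `metadataType` value written into syft's JSON output and keyed on in `MetadataTypeByName`, so once 0.50.0 ships any consumer matching on it is stuck with the misspelling. Rename before release: `ConanMetadataType MetadataType = "ConanMetadata"`, updating the `AllMetadataTypes` and `MetadataTypeByName` entries and the cataloger and tests in this commit that reference it. The `"nodejs", "node.js"` aliases added to the JavaScript case in `language.go` look fine but are undocumented; a comment naming where those spellings come from (CPE data, per the changelog entry) would help.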
@@ -59,4 +61,5 @@ KbPackageMetadataType: reflect.TypeOf(KbPackageMetadata{}), GolangBinMetadataType: reflect.TypeOf(GolangBinMetadata{}), PhpComposerJSONMetadataType: reflect.TypeOf(PhpComposerJSONMetadata{}), + ConanaMetadataType: reflect.TypeOf(ConanMetadata{}), } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/relationships_by_file_ownership.go new/syft-0.50.0/syft/pkg/relationships_by_file_ownership.go --- old/syft-0.49.0/syft/pkg/relationships_by_file_ownership.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/relationships_by_file_ownership.go 2022-07-05 17:57:28.000000000 +0200 @@ -7,12 +7,17 @@ "github.com/scylladb/go-set/strset" ) +// AltRpmDBGlob allows db matches against new locations introduced in fedora:{36,37} +// See https://github.com/anchore/syft/issues/1077 for larger context +const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}" + var globsForbiddenFromBeingOwned = []string{ // any OS DBs should automatically be ignored to prevent cyclic issues (e.g. the "rpm" RPM owns the path to the // RPM DB, so if not ignored that package would own all other packages on the system). ApkDBGlob, DpkgDBGlob, RpmDBGlob, + AltRpmDBGlob, // DEB packages share common copyright info between, this does not mean that sharing these paths implies ownership. "/usr/share/doc/**/copyright", } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/type.go new/syft-0.50.0/syft/pkg/type.go --- old/syft-0.49.0/syft/pkg/type.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/type.go 2022-07-05 17:57:28.000000000 +0200 @@ -23,6 +23,7 @@ KbPkg Type = "msrc-kb" DartPubPkg Type = "dart-pub" DotnetPkg Type = "dotnet" + ConanPkg Type = "conan" ) // AllPkgs represents all supported package types 
@@ -42,6 +43,7 @@ KbPkg, DartPubPkg, DotnetPkg, + ConanPkg, } // PackageURLType returns the PURL package type for the current package. @@ -73,6 +75,8 @@ return packageurl.TypePub case DotnetPkg: return packageurl.TypeDotnet + case ConanPkg: + return packageurl.TypeConan default: // TODO: should this be a "generic" purl type instead? return "" @@ -116,6 +120,8 @@ return DartPubPkg case packageurl.TypeDotnet: return DotnetPkg + case packageurl.TypeConan: + return ConanPkg default: return UnknownPkg } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/type_test.go new/syft-0.50.0/syft/pkg/type_test.go --- old/syft-0.49.0/syft/pkg/type_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/type_test.go 2022-07-05 17:57:28.000000000 +0200 @@ -68,6 +68,10 @@ purl: "pkg:alpm/arch/linux@5.10.0?arch=x86_64&distro=arch", expected: AlpmPkg, }, + { + purl: "pkg:conan/catch2@2.13.8", + expected: ConanPkg, + }, } var pkgTypes []string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/syft/pkg/url_test.go new/syft-0.50.0/syft/pkg/url_test.go --- old/syft-0.49.0/syft/pkg/url_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/syft/pkg/url_test.go 2022-07-05 17:57:28.000000000 +0200 
@@ -208,6 +208,21 @@ expected: "pkg:alpm/arch/linux@5.10.0?distro=arch-rolling", }, + { + name: "conan", + pkg: Package{ + Name: "catch2", + Version: "2.13.8", + Type: ConanPkg, + Language: CPP, + MetadataType: ConanaMetadataType, + Metadata: ConanMetadata{ + Name: "catch2", + Version: "2.13.8", + }, + }, + expected: "pkg:conan/catch2@2.13.8", + }, } var pkgTypes []string diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/test/integration/catalog_packages_cases_test.go new/syft-0.50.0/test/integration/catalog_packages_cases_test.go --- old/syft-0.49.0/test/integration/catalog_packages_cases_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/test/integration/catalog_packages_cases_test.go 2022-07-05 17:57:28.000000000 +0200 @@ -168,6 +168,19 @@ }, }, { + name: "find conan packages", + pkgType: pkg.ConanPkg, + pkgLanguage: pkg.CPP, + pkgInfo: map[string]string{ + "catch2": "2.13.8", + "docopt.cpp": "0.6.3", + "fmt": "8.1.1", + "spdlog": "1.9.2", + "sdl": "2.0.20", + "fltk": "1.3.8", + }, + }, + { name: "find rust crates", pkgType: pkg.RustPkg, pkgLanguage: pkg.Rust, @@ -264,7 +277,6 @@ "netbase": "5.4", }, }, - { name: "find jenkins plugins", pkgType: pkg.JenkinsPluginPkg, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/test/integration/catalog_packages_test.go new/syft-0.50.0/test/integration/catalog_packages_test.go --- old/syft-0.49.0/test/integration/catalog_packages_test.go 2022-06-24 17:05:25.000000000 +0200 +++ new/syft-0.50.0/test/integration/catalog_packages_test.go 2022-07-05 17:57:28.000000000 +0200 @@ -67,6 +67,7 @@ definedLanguages.Remove(pkg.Rust.String()) definedLanguages.Remove(pkg.Dart.String()) definedLanguages.Remove(pkg.Dotnet.String()) + definedLanguages.Remove(pkg.CPP.String()) observedPkgs := internal.NewStringSet() definedPkgs := internal.NewStringSet() 
@@ -80,6 +81,7 @@ definedPkgs.Remove(string(pkg.RustPkg)) definedPkgs.Remove(string(pkg.DartPubPkg)) definedPkgs.Remove(string(pkg.DotnetPkg)) + definedPkgs.Remove(string(pkg.ConanPkg)) var cases []testCase cases = append(cases, commonTestCases...) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/syft-0.49.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt new/syft-0.50.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt --- old/syft-0.49.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/syft-0.50.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt 2022-07-05 17:57:28.000000000 +0200 @@ -0,0 +1,12 @@ +# Docs at https://docs.conan.io/en/latest/reference/conanfile_txt.html + +[requires] +catch2/2.13.8 +docopt.cpp/0.6.3 +fmt/8.1.1 +spdlog/1.9.2 +sdl/2.0.20 +fltk/1.3.8 + +[generators] +cmake_find_package_multi ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/syft/vendor.tar.gz /work/SRC/openSUSE:Factory/.syft.new.1523/vendor.tar.gz differ: char 5, line 1