Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package syft for openSUSE:Factory checked in 
at 2022-07-08 14:01:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/syft (Old)
 and      /work/SRC/openSUSE:Factory/.syft.new.1523 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "syft"

Fri Jul  8 14:01:42 2022 rev:4 rq:987414 version:0.50.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/syft/syft.changes        2022-06-28 
15:21:59.689908580 +0200
+++ /work/SRC/openSUSE:Factory/.syft.new.1523/syft.changes      2022-07-08 
14:01:47.550439021 +0200
@@ -1,0 +2,16 @@
+Wed Jul 06 18:12:23 UTC 2022 - ka...@b1-systems.de
+
+- Update to version 0.50.0:
+  * feat: add new login cmd (#1068)
+  * update AltRpmDbGlob with comment and context (#1085)
+  * feat: add support for conan packages (C/C++) (#1083)
+  * add golang main module and pseudo-version (#916)
+  * fix: add glob to filter list to ensure rpm metadata files are matched??? 
(#1079)
+  * remove pr automation until service account creation (#1080)
+  * fix: purl generation for pom.xml (#1078)
+  * Update Stereoscope to 5bd627c0f9ce7facbd63ed1f0cf894d97021aa5e (#1072)
+  * fix: add new languages found in cpes (#1069)
+  * fix: add php catalogers to all catalogers (#1065)
+  * feat: add use-all-catalogers flag (#1050)
+
+-------------------------------------------------------------------

Old:
----
  syft-0.49.0.tar.gz

New:
----
  syft-0.50.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ syft.spec ++++++
--- /var/tmp/diff_new_pack.GXU1ym/_old  2022-07-08 14:01:49.082440662 +0200
+++ /var/tmp/diff_new_pack.GXU1ym/_new  2022-07-08 14:01:49.086440666 +0200
@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           syft
-Version:        0.49.0
+Version:        0.50.0
 Release:        0
 Summary:        CLI tool and library for generating a Software Bill of 
Materials
 License:        Apache-2.0

++++++ _service ++++++
--- /var/tmp/diff_new_pack.GXU1ym/_old  2022-07-08 14:01:49.126440709 +0200
+++ /var/tmp/diff_new_pack.GXU1ym/_new  2022-07-08 14:01:49.130440713 +0200
@@ -3,7 +3,7 @@
     <param name="url">https://github.com/anchore/syft</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="revision">v0.49.0</param>
+    <param name="revision">v0.50.0</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>
@@ -16,7 +16,7 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="disabled">
-    <param name="archive">syft-0.49.0.tar.gz</param>
+    <param name="archive">syft-0.50.0.tar.gz</param>
   </service>
 </services>
 

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.GXU1ym/_old  2022-07-08 14:01:49.154440739 +0200
+++ /var/tmp/diff_new_pack.GXU1ym/_new  2022-07-08 14:01:49.154440739 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/anchore/syft</param>
-              <param 
name="changesrevision">d5e12ff89c2d3af684152dd401618533a6f1b67e</param></service></servicedata>
+              <param 
name="changesrevision">69134ed3b54bc8b1d86d868611f7d069ce3290a8</param></service></servicedata>
 (No newline at EOF)
 

++++++ syft-0.49.0.tar.gz -> syft-0.50.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/.github/workflows/pr.yaml 
new/syft-0.50.0/.github/workflows/pr.yaml
--- old/syft-0.49.0/.github/workflows/pr.yaml   2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/.github/workflows/pr.yaml   1970-01-01 01:00:00.000000000 
+0100
@@ -1,17 +0,0 @@
-# Uses https://github.com/actions/add-to-project example to add PR to Anchore 
OSS project
-name: Add pr to OSS project
-
-on:
-  pull_request:
-    types:
-      - opened
-
-jobs:
-  add-to-project:
-    name: Add pr to project
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/add-to-project@main
-        with:
-          project-url: https://github.com/orgs/anchore/projects/22
-          github-token: ${{ secrets.CI_WRITE_GITHUB_TOKEN }}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/README.md new/syft-0.50.0/README.md
--- old/syft-0.49.0/README.md   2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/README.md   2022-07-05 17:57:28.000000000 +0200
@@ -30,6 +30,8 @@
 ### Supported Ecosystems
 
 - Alpine (apk)
+- C (conan)
+- C++ (conan)
 - Dart (pubs)
 - Debian (dpkg)
 - Dotnet (deps.json)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/cmd/syft/cli/commands.go 
new/syft-0.50.0/cmd/syft/cli/commands.go
--- old/syft-0.49.0/cmd/syft/cli/commands.go    2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/cmd/syft/cli/commands.go    2022-07-05 17:57:28.000000000 
+0200
@@ -15,6 +15,7 @@
        "github.com/anchore/syft/internal/log"
        "github.com/anchore/syft/internal/version"
        "github.com/anchore/syft/syft/event"
+       cranecmd "github.com/google/go-containerregistry/cmd/crane/cmd"
        "github.com/gookit/color"
        "github.com/spf13/cobra"
        "github.com/spf13/viper"
@@ -30,6 +31,7 @@
 // at this level. Values from the config should only be used after 
`app.LoadAllValues` has been called.
 // Cobra does not have knowledge of the user provided flags until the `RunE` 
block of each command.
 // `RunE` is the earliest that the complete application configuration can be 
loaded.
+// nolint:funlen
 func New() (*cobra.Command, error) {
        app := &config.Application{}
 
@@ -82,13 +84,22 @@
                return nil, err
        }
 
+       // commands to add to root
+       cmds := []*cobra.Command{
+               packagesCmd,
+               attestCmd,
+               convertCmd,
+               poweruserCmd,
+               poweruserCmd,
+               Completion(),
+               Version(v, app),
+               cranecmd.NewCmdAuthLogin("syft"),
+       }
+
        // Add sub-commands.
-       rootCmd.AddCommand(packagesCmd)
-       rootCmd.AddCommand(attestCmd)
-       rootCmd.AddCommand(convertCmd)
-       rootCmd.AddCommand(poweruserCmd)
-       rootCmd.AddCommand(Completion())
-       rootCmd.AddCommand(Version(v, app))
+       for _, cmd := range cmds {
+               rootCmd.AddCommand(cmd)
+       }
 
        return rootCmd, err
 }
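Review bot: `poweruserCmd` appears twice in the new `cmds` slice, and the loop below calls `rootCmd.AddCommand` once per entry. As far as I know cobra does not de-duplicate children, so the sub-command would be registered twice and likely listed twice in help and completion output; drop the second `poweruserCmd,` line. Separately, `cranecmd.NewCmdAuthLogin("syft")` brings in a login command that, as far as I know, persists registry credentials to the Docker config file. A sentence in the README about where those credentials are stored would help users choose a credential helper. `New` begins before this hunk.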
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/go.mod new/syft-0.50.0/go.mod
--- old/syft-0.49.0/go.mod      2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/go.mod      2022-07-05 17:57:28.000000000 +0200
@@ -13,7 +13,7 @@
        github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04
        github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b
        github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7
-       github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06
+       github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce
        github.com/antihax/optional v1.0.0
        github.com/bmatcuk/doublestar/v4 v4.0.2
        github.com/dustin/go-humanize v1.0.0
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/go.sum new/syft-0.50.0/go.sum
--- old/syft-0.49.0/go.sum      2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/go.sum      2022-07-05 17:57:28.000000000 +0200
@@ -273,8 +273,8 @@
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b/go.mod 
h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
 github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7 
h1:kDrYkTSM9uIxaX/P9s0F4nKYNM+hnSgLJdLpqvsaQ/g=
 github.com/anchore/packageurl-go v0.1.1-0.20220428202044-a072fa3cb6d7/go.mod 
h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
-github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06 
h1:TSRA7gtuia3eyleTO3t7iPU+9xHbdSaufoUFNQUwUXo=
-github.com/anchore/stereoscope v0.0.0-20220616165231-b0fd10fdee06/go.mod 
h1:sai2ZjAtT/y1GRQBDRbynhdhnQcGWBvVcv8CN3hTWmI=
+github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce 
h1:KNB0d342QvE6V7iwqyf4NoyxRp6LVYoGjU1htgf0at8=
+github.com/anchore/stereoscope v0.0.0-20220628191509-5bd627c0f9ce/go.mod 
h1:sai2ZjAtT/y1GRQBDRbynhdhnQcGWBvVcv8CN3hTWmI=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod 
h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/andybalholm/brotli v1.0.1/go.mod 
h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.2/go.mod 
h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/internal/config/registry.go 
new/syft-0.50.0/internal/config/registry.go
--- old/syft-0.49.0/internal/config/registry.go 2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/internal/config/registry.go 2022-07-05 17:57:28.000000000 
+0200
@@ -30,7 +30,7 @@
        v.SetDefault("registry.auth", []RegistryCredentials{})
 }
 
-// nolint: unparam
+// nolint:unparam
 func (cfg *registry) parseConfigValues() error {
        // there may be additional credentials provided by env var that should 
be appended to the set of credentials
        authority, username, password, token :=
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info.go 
new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info.go
--- old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info.go  
2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info.go  
2022-07-05 17:57:28.000000000 +0200
@@ -35,6 +35,8 @@
                answer = "acquired package info from rust cargo manifest"
        case pkg.PhpComposerPkg:
                answer = "acquired package info from PHP composer manifest"
+       case pkg.ConanPkg:
+               answer = "acquired package info from conan manifest"
        default:
                answer = "acquired package info from the following paths"
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info_test.go 
new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info_test.go
--- old/syft-0.49.0/internal/formats/common/spdxhelpers/source_info_test.go     
2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/internal/formats/common/spdxhelpers/source_info_test.go     
2022-07-05 17:57:28.000000000 +0200
@@ -150,6 +150,14 @@
                                "from ALPM DB",
                        },
                },
+               {
+                       input: pkg.Package{
+                               Type: pkg.ConanPkg,
+                       },
+                       expected: []string{
+                               "from conan manifest",
+                       },
+               },
        }
        var pkgTypes []pkg.Type
        for _, test := range tests {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/internal/formats/syftjson/model/package.go 
new/syft-0.50.0/internal/formats/syftjson/model/package.go
--- old/syft-0.49.0/internal/formats/syftjson/model/package.go  2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/internal/formats/syftjson/model/package.go  2022-07-05 
17:57:28.000000000 +0200
@@ -63,7 +63,7 @@
        return unpackMetadata(p, unpacker)
 }
 
-// nolint:funlen
+// nolint:funlen,gocognit,gocyclo
 func unpackMetadata(p *Package, unpacker packageMetadataUnpacker) error {
        p.MetadataType = unpacker.MetadataType
        switch p.MetadataType {
@@ -144,6 +144,12 @@
                if err := json.Unmarshal(unpacker.Metadata, &payload); err != 
nil {
                        return err
                }
+               p.Metadata = payload
+       case pkg.ConanaMetadataType:
+               var payload pkg.ConanMetadata
+               if err := json.Unmarshal(unpacker.Metadata, &payload); err != 
nil {
+                       return err
+               }
                p.Metadata = payload
        case pkg.DotnetDepsMetadataType:
                var payload pkg.DotnetDepsMetadata
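Review bot: `pkg.ConanaMetadataType` in the added `case` looks like a typo for `ConanMetadataType`, since the payload type right under it is `pkg.ConanMetadata`. It is an exported constant, so the misspelling becomes public API once this ships. Renaming it now is cheaper than deprecating it later; that covers this file, `parse_conanfile.go`, `parse_conanfile_test.go` and the declaration, which is not in this hunk. The constant's string value is not visible here; it presumably ends up in serialized output as the metadata type, so check its spelling as well. `unpackMetadata` starts above and continues below this hunk.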
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/lib.go new/syft-0.50.0/syft/lib.go
--- old/syft-0.49.0/syft/lib.go 2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/lib.go 2022-07-05 17:57:28.000000000 +0200
@@ -64,6 +64,10 @@
                return nil, nil, nil, fmt.Errorf("unable to determine cataloger 
set from scheme=%+v", src.Metadata.Scheme)
        }
 
+       if cataloger.RequestedAllCatalogers(cfg) {
+               catalogers = cataloger.AllCatalogers(cfg)
+       }
+
        catalog, relationships, err := cataloger.Catalog(resolver, release, 
catalogers...)
        if err != nil {
                return nil, nil, nil, err
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cataloger.go 
new/syft-0.50.0/syft/pkg/cataloger/cataloger.go
--- old/syft-0.49.0/syft/pkg/cataloger/cataloger.go     2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/cataloger.go     2022-07-05 
17:57:28.000000000 +0200
@@ -13,6 +13,7 @@
        "github.com/anchore/syft/syft/pkg"
        "github.com/anchore/syft/syft/pkg/cataloger/alpm"
        "github.com/anchore/syft/syft/pkg/cataloger/apkdb"
+       "github.com/anchore/syft/syft/pkg/cataloger/cpp"
        "github.com/anchore/syft/syft/pkg/cataloger/dart"
        "github.com/anchore/syft/syft/pkg/cataloger/deb"
        "github.com/anchore/syft/syft/pkg/cataloger/dotnet"
@@ -27,6 +28,8 @@
        "github.com/anchore/syft/syft/source"
 )
 
+const AllCatalogersPattern = "all"
+
 // Cataloger describes behavior for an object to participate in parsing 
container image or file system
 // contents for the purpose of discovering Packages. Each concrete 
implementation should focus on discovering Packages
 // for a specific Package Type or ecosystem.
@@ -73,6 +76,7 @@
                rust.NewCargoLockCataloger(),
                dart.NewPubspecLockCataloger(),
                dotnet.NewDotnetDepsCataloger(),
+               cpp.NewConanfileCataloger(),
        }, cfg.Catalogers)
 }
 
@@ -96,14 +100,31 @@
                rust.NewCargoLockCataloger(),
                dart.NewPubspecLockCataloger(),
                dotnet.NewDotnetDepsCataloger(),
+               php.NewPHPComposerInstalledCataloger(),
+               php.NewPHPComposerLockCataloger(),
+               cpp.NewConanfileCataloger(),
        }, cfg.Catalogers)
 }
 
+func RequestedAllCatalogers(cfg Config) bool {
+       for _, enableCatalogerPattern := range cfg.Catalogers {
+               if enableCatalogerPattern == AllCatalogersPattern {
+                       return true
+               }
+       }
+       return false
+}
+
 func filterCatalogers(catalogers []Cataloger, enabledCatalogerPatterns 
[]string) []Cataloger {
        // if cataloger is not set, all applicable catalogers are enabled by 
default
        if len(enabledCatalogerPatterns) == 0 {
                return catalogers
        }
+       for _, enableCatalogerPattern := range enabledCatalogerPatterns {
+               if enableCatalogerPattern == AllCatalogersPattern {
+                       return catalogers
+               }
+       }
        var keepCatalogers []Cataloger
        for _, cataloger := range catalogers {
                if contains(enabledCatalogerPatterns, cataloger.Name()) {
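Review bot: `RequestedAllCatalogers` is exported without a doc comment, and nothing states that the `all` value is matched exactly and case-sensitively. I would add `// RequestedAllCatalogers reports whether cfg.Catalogers contains an entry equal to AllCatalogersPattern ("all").` and a similar one-line comment on the `AllCatalogersPattern` constant in the earlier hunk of this file. The same scan is written out a second time inside `filterCatalogers` just below; one unexported helper taking the `[]string` would keep the two checks from drifting apart. `filterCatalogers` continues past the end of this hunk.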
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/cpp/cataloger.go 
new/syft-0.50.0/syft/pkg/cataloger/cpp/cataloger.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/cataloger.go 1970-01-01 
01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/cataloger.go 2022-07-05 
17:57:28.000000000 +0200
@@ -0,0 +1,14 @@
+package cpp
+
+import (
+       "github.com/anchore/syft/syft/pkg/cataloger/common"
+)
+
+// NewConanfileCataloger returns a new C++ Conanfile cataloger object.
+func NewConanfileCataloger() *common.GenericCataloger {
+       globParsers := map[string]common.ParserFn{
+               "**/conanfile.txt": parseConanfile,
+       }
+
+       return common.NewGenericCataloger(nil, globParsers, "conan-cataloger")
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile.go 
new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile.go   1970-01-01 
01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile.go   2022-07-05 
17:57:28.000000000 +0200
@@ -0,0 +1,60 @@
+package cpp
+
+import (
+       "bufio"
+       "errors"
+       "fmt"
+       "io"
+       "strings"
+
+       "github.com/anchore/syft/syft/artifact"
+       "github.com/anchore/syft/syft/pkg"
+       "github.com/anchore/syft/syft/pkg/cataloger/common"
+)
+
+// integrity check
+var _ common.ParserFn = parseConanfile
+
+type Conanfile struct {
+       Requires []string `toml:"requires"`
+}
+
+// parseConanfile is a parser function for conanfile.txt contents, returning 
all packages discovered.
+func parseConanfile(_ string, reader io.Reader) ([]*pkg.Package, 
[]artifact.Relationship, error) {
+       r := bufio.NewReader(reader)
+       inRequirements := false
+       pkgs := []*pkg.Package{}
+       for {
+               line, err := r.ReadString('\n')
+               switch {
+               case errors.Is(io.EOF, err):
+                       return pkgs, nil, nil
+               case err != nil:
+                       return nil, nil, fmt.Errorf("failed to parse 
conanfile.txt file: %w", err)
+               }
+
+               switch {
+               case strings.Contains(line, "[requires]"):
+                       inRequirements = true
+               case strings.ContainsAny(line, "[]#"):
+                       inRequirements = false
+               }
+
+               splits := strings.Split(strings.TrimSpace(line), "/")
+               if len(splits) < 2 || !inRequirements {
+                       continue
+               }
+               pkgName, pkgVersion := splits[0], splits[1]
+               pkgs = append(pkgs, &pkg.Package{
+                       Name:         pkgName,
+                       Version:      pkgVersion,
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    pkgName,
+                               Version: pkgVersion,
+                       },
+               })
+       }
+}
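Review bot: The read loop in `parseConanfile` can silently drop requirements, which for an SBOM means a dependency never reaches vulnerability matching. `ReadString` returns the last line together with `io.EOF` when the file has no trailing newline, and the EOF case returns before that line is examined. Separately, `strings.ContainsAny(line, "[]#")` switches `inRequirements` off for a comment line inside `[requires]` (and for any requirement line containing brackets), so every entry after it is skipped. `errors.Is(io.EOF, err)` has its arguments reversed and only matches because the error arrives unwrapped; the sketch below fixes that, handles the line before honouring EOF and treats only a leading `[` as a section header. A fixture with no final newline and a comment inside `[requires]` would pin the behaviour, and the `Conanfile` struct with its `toml` tag looks unused in this file.

```go
	for {
		line, err := r.ReadString('\n')
		if err != nil && !errors.Is(err, io.EOF) {
			return nil, nil, fmt.Errorf("failed to parse conanfile.txt file: %w", err)
		}
		atEOF := err != nil

		// ReadString hands back the final unterminated line together with io.EOF,
		// so the line is classified before the loop is allowed to exit.
		entry := strings.TrimSpace(line)
		switch {
		case entry == "" || strings.HasPrefix(entry, "#"):
			// blank lines and comments leave the current section unchanged
		case strings.HasPrefix(entry, "["):
			inRequirements = entry == "[requires]"
		case inRequirements:
			// … unchanged: split entry on "/" and append the pkg.Package when two parts are present …
		}

		if atEOF {
			return pkgs, nil, nil
		}
	}
```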
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go 
new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go      
1970-01-01 01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/parse_conanfile_test.go      
2022-07-05 17:57:28.000000000 +0200
@@ -0,0 +1,96 @@
+package cpp
+
+import (
+       "os"
+       "testing"
+
+       "github.com/anchore/syft/syft/pkg"
+       "github.com/go-test/deep"
+)
+
+func TestParseConanfile(t *testing.T) {
+       expected := []*pkg.Package{
+               {
+                       Name:         "catch2",
+                       Version:      "2.13.8",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "catch2",
+                               Version: "2.13.8",
+                       },
+               },
+               {
+                       Name:         "docopt.cpp",
+                       Version:      "0.6.3",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "docopt.cpp",
+                               Version: "0.6.3",
+                       },
+               },
+               {
+                       Name:         "fmt",
+                       Version:      "8.1.1",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "fmt",
+                               Version: "8.1.1",
+                       },
+               },
+               {
+                       Name:         "spdlog",
+                       Version:      "1.9.2",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "spdlog",
+                               Version: "1.9.2",
+                       },
+               },
+               {
+                       Name:         "sdl",
+                       Version:      "2.0.20",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "sdl",
+                               Version: "2.0.20",
+                       },
+               },
+               {
+                       Name:         "fltk",
+                       Version:      "1.3.8",
+                       Language:     pkg.CPP,
+                       Type:         pkg.ConanPkg,
+                       MetadataType: pkg.ConanaMetadataType,
+                       Metadata: pkg.ConanMetadata{
+                               Name:    "fltk",
+                               Version: "1.3.8",
+                       },
+               },
+       }
+
+       fixture, err := os.Open("test-fixtures/conanfile.txt")
+       if err != nil {
+               t.Fatalf("failed to open fixture: %+v", err)
+       }
+
+       // TODO: no relationships are under test yet
+       actual, _, err := parseConanfile(fixture.Name(), fixture)
+       if err != nil {
+               t.Error(err)
+       }
+
+       differences := deep.Equal(expected, actual)
+       if differences != nil {
+               t.Errorf("returned package list differed from expectation: 
%+v", differences)
+       }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt 
new/syft-0.50.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt
--- old/syft-0.49.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt  
1970-01-01 01:00:00.000000000 +0100
+++ new/syft-0.50.0/syft/pkg/cataloger/cpp/test-fixtures/conanfile.txt  
2022-07-05 17:57:28.000000000 +0200
@@ -0,0 +1,12 @@
+# Docs at https://docs.conan.io/en/latest/reference/conanfile_txt.html
+
+[requires]
+catch2/2.13.8
+docopt.cpp/0.6.3
+fmt/8.1.1
+spdlog/1.9.2
+sdl/2.0.20
+fltk/1.3.8
+
+[generators]
+cmake_find_package_multi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/golang/parse_go_bin.go 
new/syft-0.50.0/syft/pkg/cataloger/golang/parse_go_bin.go
--- old/syft-0.49.0/syft/pkg/cataloger/golang/parse_go_bin.go   2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/golang/parse_go_bin.go   2022-07-05 
17:57:28.000000000 +0200
@@ -10,11 +10,13 @@
        "io"
        "runtime/debug"
        "strings"
+       "time"
 
        "github.com/anchore/syft/internal/log"
        "github.com/anchore/syft/syft/pkg"
        "github.com/anchore/syft/syft/pkg/cataloger/golang/internal/xcoff"
        "github.com/anchore/syft/syft/source"
+       "golang.org/x/mod/module"
 )
 
 const GOARCH = "GOARCH"
@@ -24,14 +26,30 @@
        // appear to be in a known format, or it breaks the rules of that 
format,
        // or when there are I/O errors reading the file.
        errUnrecognizedFormat = errors.New("unrecognized file format")
+       // devel is used to recognize the current default version when a golang 
main distribution is built
+       // https://github.com/golang/go/issues/29228 this issue has more 
details on the progress of being able to
+       // inject the correct version into the main module of the build process
 )
 
+const devel = "(devel)"
+
 func makeGoMainPackage(mod *debug.BuildInfo, arch string, location 
source.Location) pkg.Package {
        gbs := getBuildSettings(mod.Settings)
        main := newGoBinaryPackage(&mod.Main, mod.Main.Path, mod.GoVersion, 
arch, location, gbs)
-
-       if v, ok := gbs["vcs.revision"]; ok {
-               main.Version = v
+       if main.Version == devel {
+               if version, ok := gbs["vcs.revision"]; ok {
+                       if timestamp, ok := gbs["vcs.time"]; ok {
+                               //NOTE: err is ignored, because if parsing fails
+                               // we still use the empty Time{} struct to 
generate an empty date, like 00010101000000
+                               // for consistency with the pseudo-version 
format: https://go.dev/ref/mod#pseudo-versions
+                               ts, _ := time.Parse(time.RFC3339, timestamp)
+                               if len(version) >= 12 {
+                                       version = version[:12]
+                               }
+                               version = module.PseudoVersion("", "", ts, 
version)
+                       }
+                       main.Version = version
+               }
        }
 
        return main
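Review bot: The three-line comment explaining `devel` was added inside the `var ( ... )` block, directly above its closing parenthesis, while `const devel = "(devel)"` is declared after the block, so the comment is attached to nothing. Move it to sit immediately above the constant. Separately, the discarded `time.Parse` error means a malformed `vcs.time` yields an ordinary-looking pseudo-version with a zero timestamp. The in-code note says this is deliberate, but a debug-level log line through the already imported `log` package would make such a version traceable when it shows up in an SBOM. The closing brace of `makeGoMainPackage` is outside this hunk.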
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml.go 
new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml.go
--- old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml.go    2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml.go    2022-07-05 
17:57:28.000000000 +0200
@@ -63,6 +63,11 @@
                Type:         pkg.JavaPkg, // TODO: should we differentiate 
between packages from jar/war/zip versus packages from a pom.xml that were not 
installed yet?
                MetadataType: pkg.JavaMetadataType,
                FoundBy:      javaPomCataloger,
+               Metadata: pkg.JavaMetadata{
+                       PomProperties: &pkg.PomProperties{
+                               GroupID: dep.GroupID,
+                       },
+               },
        }
 
        p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)}
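Review bot: The `Metadata` literal added here is replaced wholesale by the unchanged `p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p)}` right after the struct literal. `PomProperties.GroupID` therefore lives only long enough for `packageURL` to read it (presumably; `packageURL` is not shown) and is absent from the returned package. If that is intended, a comment such as `// GroupID is set only so packageURL can build the maven purl; Metadata is replaced below` would stop someone from removing it as dead code. If the group ID should be kept in the output, assign `p.Metadata = pkg.JavaMetadata{PURL: packageURL(*p), PomProperties: &pkg.PomProperties{GroupID: dep.GroupID}}` instead and extend the test expectation. The enclosing function begins and ends outside this hunk.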
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml_test.go 
new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml_test.go
--- old/syft-0.49.0/syft/pkg/cataloger/java/parse_pom_xml_test.go       
2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/java/parse_pom_xml_test.go       
2022-07-05 17:57:28.000000000 +0200
@@ -26,7 +26,7 @@
                                        Type:         pkg.JavaPkg,
                                        MetadataType: pkg.JavaMetadataType,
                                        Metadata: pkg.JavaMetadata{
-                                               PURL: 
"pkg:maven/joda-time/joda-time@2.9.2",
+                                               PURL: 
"pkg:maven/com.joda/joda-time@2.9.2",
                                        },
                                },
                                {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml 
new/syft-0.50.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml
--- old/syft-0.49.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml   
2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/cataloger/java/test-fixtures/pom/pom.xml   
2022-07-05 17:57:28.000000000 +0200
@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
-       xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
https://maven.apache.org/xsd/maven-4.0.0.xsd";>
+<project xmlns="http://maven.apache.org/POM/4.0.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 
https://maven.apache.org/xsd/maven-4.0.0.xsd";>
        <modelVersion>4.0.0</modelVersion>
 
        <groupId>org.anchore</groupId>
@@ -16,7 +15,7 @@
        <dependencies>
                <!-- tag::joda[] -->
                <dependency>
-                       <groupId>joda-time</groupId>
+                       <groupId>com.joda</groupId>
                        <artifactId>joda-time</artifactId>
                        <version>2.9.2</version>
                </dependency>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/conan_metadata.go 
new/syft-0.50.0/syft/pkg/conan_metadata.go
--- old/syft-0.49.0/syft/pkg/conan_metadata.go  1970-01-01 01:00:00.000000000 
+0100
+++ new/syft-0.50.0/syft/pkg/conan_metadata.go  2022-07-05 17:57:28.000000000 
+0200
@@ -0,0 +1,24 @@
+package pkg
+
+import (
+       "github.com/anchore/packageurl-go"
+       "github.com/anchore/syft/syft/linux"
+)
+
+type ConanMetadata struct {
+       Name    string `mapstructure:"name" json:"name"`
+       Version string `mapstructure:"version" json:"version"`
+}
+
+func (m ConanMetadata) PackageURL(_ *linux.Release) string {
+       var qualifiers packageurl.Qualifiers
+
+       return packageurl.NewPackageURL(
+               packageurl.TypeConan,
+               "",
+               m.Name,
+               m.Version,
+               qualifiers,
+               "",
+       ).ToString()
+}
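Review bot: `PackageURL` passes `m.Version` through unchanged, and `parseConanfile` takes the version as the second `/`-separated field of the line. A requirement written in the `name/version@user/channel` form would therefore produce a version like `version@user` in both the package and its purl, which can break matching against advisory data. Trimming at the `@` in the parser, e.g. `pkgVersion := strings.SplitN(splits[1], "@", 2)[0]`, keeps the version clean; whether user and channel should be carried as purl qualifiers is a separate decision. The exported `ConanMetadata` type and its `PackageURL` method also lack doc comments; one line each stating that the purl uses type `conan` with an empty namespace and no qualifiers would be enough.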
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/language.go 
new/syft-0.50.0/syft/pkg/language.go
--- old/syft-0.49.0/syft/pkg/language.go        2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/syft/pkg/language.go        2022-07-05 17:57:28.000000000 
+0200
@@ -21,6 +21,7 @@
        Rust            Language = "rust"
        Dart            Language = "dart"
        Dotnet          Language = "dotnet"
+       CPP             Language = "c++"
 )
 
 // AllLanguages is a set of all programming languages detected by syft.
@@ -34,6 +35,7 @@
        Rust,
        Dart,
        Dotnet,
+       CPP,
 }
 
 // String returns the string representation of the language.
@@ -58,7 +60,7 @@
                return PHP
        case packageurl.TypeGolang, string(GoModulePkg), string(Go):
                return Go
-       case packageurl.TypeNPM, string(JavaScript):
+       case packageurl.TypeNPM, string(JavaScript), "nodejs", "node.js":
                return JavaScript
        case packageurl.TypePyPi, string(Python):
                return Python
@@ -70,6 +72,8 @@
                return Dart
        case packageurl.TypeDotnet:
                return Dotnet
+       case packageurl.TypeConan, string(CPP):
+               return CPP
        default:
                return UnknownLanguage
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/language_test.go 
new/syft-0.50.0/syft/pkg/language_test.go
--- old/syft-0.49.0/syft/pkg/language_test.go   2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/syft/pkg/language_test.go   2022-07-05 17:57:28.000000000 
+0200
@@ -50,6 +50,10 @@
                        purl: 
"pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?type=zip&classifier=dist",
                        want: Java,
                },
+               {
+                       purl: "pkg:conan/catch2@2.13.8",
+                       want: CPP,
+               },
        }
 
        var languages []string
@@ -128,6 +132,14 @@
                        language: JavaScript,
                },
                {
+                       name:     "node.js",
+                       language: JavaScript,
+               },
+               {
+                       name:     "nodejs",
+                       language: JavaScript,
+               },
+               {
                        name:     "pypi",
                        language: Python,
                },
@@ -175,6 +187,14 @@
                        name:     "unknown",
                        language: UnknownLanguage,
                },
+               {
+                       name:     "conan",
+                       language: CPP,
+               },
+               {
+                       name:     "c++",
+                       language: CPP,
+               },
        }
 
        for _, test := range tests {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/metadata.go 
new/syft-0.50.0/syft/pkg/metadata.go
--- old/syft-0.49.0/syft/pkg/metadata.go        2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/syft/pkg/metadata.go        2022-07-05 17:57:28.000000000 
+0200
@@ -25,6 +25,7 @@
        KbPackageMetadataType        MetadataType = "KbPackageMetadata"
        GolangBinMetadataType        MetadataType = "GolangBinMetadata"
        PhpComposerJSONMetadataType  MetadataType = "PhpComposerJsonMetadata"
+       ConanaMetadataType           MetadataType = "ConanaMetadataType"
 )
 
 var AllMetadataTypes = []MetadataType{
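Review bot: The new constant is misspelled `ConanaMetadataType` and its value is `"ConanaMetadataType"`, while the neighbouring values carry no `Type` suffix (`"KbPackageMetadata"`, `"GolangBinMetadata"`). If this string is what gets written as the metadata type in output documents (likely, but the serialiser is not in this hunk), the typo becomes part of the format that downstream consumers have to match on, and fixing it later is a breaking change. Suggested line: `ConanMetadataType MetadataType = "ConanMetadata"`. The same identifier appears in the two later hunks of this file and in the new `url_test.go` case, which need the rename as well.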
@@ -42,6 +43,7 @@
        KbPackageMetadataType,
        GolangBinMetadataType,
        PhpComposerJSONMetadataType,
+       ConanaMetadataType,
 }
 
 var MetadataTypeByName = map[MetadataType]reflect.Type{
@@ -59,4 +61,5 @@
        KbPackageMetadataType:        reflect.TypeOf(KbPackageMetadata{}),
        GolangBinMetadataType:        reflect.TypeOf(GolangBinMetadata{}),
        PhpComposerJSONMetadataType:  reflect.TypeOf(PhpComposerJSONMetadata{}),
+       ConanaMetadataType:           reflect.TypeOf(ConanMetadata{}),
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/syft/pkg/relationships_by_file_ownership.go 
new/syft-0.50.0/syft/pkg/relationships_by_file_ownership.go
--- old/syft-0.49.0/syft/pkg/relationships_by_file_ownership.go 2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/relationships_by_file_ownership.go 2022-07-05 
17:57:28.000000000 +0200
@@ -7,12 +7,17 @@
        "github.com/scylladb/go-set/strset"
 )
 
+// AltRpmDBGlob allows db matches against new locations introduced in 
fedora:{36,37}
+// See https://github.com/anchore/syft/issues/1077 for larger context
+const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
+
 var globsForbiddenFromBeingOwned = []string{
        // any OS DBs should automatically be ignored to prevent cyclic issues 
(e.g. the "rpm" RPM owns the path to the
        // RPM DB, so if not ignored that package would own all other packages 
on the system).
        ApkDBGlob,
        DpkgDBGlob,
        RpmDBGlob,
+       AltRpmDBGlob,
        // DEB packages share common copyright info between, this does not mean 
that sharing these paths implies ownership.
        "/usr/share/doc/**/copyright",
 }
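Review bot: `AltRpmDBGlob` is anchored only on a directory named `rpm`, so `**/rpm/{Packages,Packages.db,rpmdb.sqlite}` matches such a file anywhere in the tree, not just at an RPM database location. In `globsForbiddenFromBeingOwned` this presumably means those paths never contribute to ownership relationships, which is broader than the comment's "new locations introduced in fedora:{36,37}" implies. Either anchor the glob on the intended parent directory or say in the comment that the loose match is deliberate, e.g. `// Deliberately not anchored to a parent directory: matches any rpm/ directory holding a DB file.`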
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/type.go 
new/syft-0.50.0/syft/pkg/type.go
--- old/syft-0.49.0/syft/pkg/type.go    2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/syft/pkg/type.go    2022-07-05 17:57:28.000000000 +0200
@@ -23,6 +23,7 @@
        KbPkg            Type = "msrc-kb"
        DartPubPkg       Type = "dart-pub"
        DotnetPkg        Type = "dotnet"
+       ConanPkg         Type = "conan"
 )
 
 // AllPkgs represents all supported package types
@@ -42,6 +43,7 @@
        KbPkg,
        DartPubPkg,
        DotnetPkg,
+       ConanPkg,
 }
 
 // PackageURLType returns the PURL package type for the current package.
@@ -73,6 +75,8 @@
                return packageurl.TypePub
        case DotnetPkg:
                return packageurl.TypeDotnet
+       case ConanPkg:
+               return packageurl.TypeConan
        default:
                // TODO: should this be a "generic" purl type instead?
                return ""
@@ -116,6 +120,8 @@
                return DartPubPkg
        case packageurl.TypeDotnet:
                return DotnetPkg
+       case packageurl.TypeConan:
+               return ConanPkg
        default:
                return UnknownPkg
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/type_test.go 
new/syft-0.50.0/syft/pkg/type_test.go
--- old/syft-0.49.0/syft/pkg/type_test.go       2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/syft/pkg/type_test.go       2022-07-05 17:57:28.000000000 
+0200
@@ -68,6 +68,10 @@
                        purl:     
"pkg:alpm/arch/linux@5.10.0?arch=x86_64&distro=arch",
                        expected: AlpmPkg,
                },
+               {
+                       purl:     "pkg:conan/catch2@2.13.8",
+                       expected: ConanPkg,
+               },
        }
 
        var pkgTypes []string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/syft-0.49.0/syft/pkg/url_test.go 
new/syft-0.50.0/syft/pkg/url_test.go
--- old/syft-0.49.0/syft/pkg/url_test.go        2022-06-24 17:05:25.000000000 
+0200
+++ new/syft-0.50.0/syft/pkg/url_test.go        2022-07-05 17:57:28.000000000 
+0200
@@ -208,6 +208,21 @@
 
                        expected: 
"pkg:alpm/arch/linux@5.10.0?distro=arch-rolling",
                },
+               {
+                       name: "conan",
+                       pkg: Package{
+                               Name:         "catch2",
+                               Version:      "2.13.8",
+                               Type:         ConanPkg,
+                               Language:     CPP,
+                               MetadataType: ConanaMetadataType,
+                               Metadata: ConanMetadata{
+                                       Name:    "catch2",
+                                       Version: "2.13.8",
+                               },
+                       },
+                       expected: "pkg:conan/catch2@2.13.8",
+               },
        }
 
        var pkgTypes []string
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/test/integration/catalog_packages_cases_test.go 
new/syft-0.50.0/test/integration/catalog_packages_cases_test.go
--- old/syft-0.49.0/test/integration/catalog_packages_cases_test.go     
2022-06-24 17:05:25.000000000 +0200
+++ new/syft-0.50.0/test/integration/catalog_packages_cases_test.go     
2022-07-05 17:57:28.000000000 +0200
@@ -168,6 +168,19 @@
                },
        },
        {
+               name:        "find conan packages",
+               pkgType:     pkg.ConanPkg,
+               pkgLanguage: pkg.CPP,
+               pkgInfo: map[string]string{
+                       "catch2":     "2.13.8",
+                       "docopt.cpp": "0.6.3",
+                       "fmt":        "8.1.1",
+                       "spdlog":     "1.9.2",
+                       "sdl":        "2.0.20",
+                       "fltk":       "1.3.8",
+               },
+       },
+       {
                name:        "find rust crates",
                pkgType:     pkg.RustPkg,
                pkgLanguage: pkg.Rust,
@@ -264,7 +277,6 @@
                        "netbase": "5.4",
                },
        },
-
        {
                name:        "find jenkins plugins",
                pkgType:     pkg.JenkinsPluginPkg,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/test/integration/catalog_packages_test.go 
new/syft-0.50.0/test/integration/catalog_packages_test.go
--- old/syft-0.49.0/test/integration/catalog_packages_test.go   2022-06-24 
17:05:25.000000000 +0200
+++ new/syft-0.50.0/test/integration/catalog_packages_test.go   2022-07-05 
17:57:28.000000000 +0200
@@ -67,6 +67,7 @@
        definedLanguages.Remove(pkg.Rust.String())
        definedLanguages.Remove(pkg.Dart.String())
        definedLanguages.Remove(pkg.Dotnet.String())
+       definedLanguages.Remove(pkg.CPP.String())
 
        observedPkgs := internal.NewStringSet()
        definedPkgs := internal.NewStringSet()
@@ -80,6 +81,7 @@
        definedPkgs.Remove(string(pkg.RustPkg))
        definedPkgs.Remove(string(pkg.DartPubPkg))
        definedPkgs.Remove(string(pkg.DotnetPkg))
+       definedPkgs.Remove(string(pkg.ConanPkg))
 
        var cases []testCase
        cases = append(cases, commonTestCases...)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/syft-0.49.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt
 
new/syft-0.50.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt
--- 
old/syft-0.49.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt
       1970-01-01 01:00:00.000000000 +0100
+++ 
new/syft-0.50.0/test/integration/test-fixtures/image-pkg-coverage/conan/conanfile.txt
       2022-07-05 17:57:28.000000000 +0200
@@ -0,0 +1,12 @@
+# Docs at https://docs.conan.io/en/latest/reference/conanfile_txt.html
+
+[requires]
+catch2/2.13.8
+docopt.cpp/0.6.3
+fmt/8.1.1
+spdlog/1.9.2
+sdl/2.0.20
+fltk/1.3.8
+
+[generators]
+cmake_find_package_multi

++++++ vendor.tar.gz ++++++
/work/SRC/openSUSE:Factory/syft/vendor.tar.gz 
/work/SRC/openSUSE:Factory/.syft.new.1523/vendor.tar.gz differ: char 5, line 1
