Documentation ¶
Overview ¶
Package pkg provides the data structures for a package, a package catalog, package types, and domain-specific metadata.
Index ¶
- Constants
- Variables
- func IsValid(p *Package) bool
- func Less(i, j Package) bool
- func NewRelationships(catalog *Collection) []artifact.Relationship
- func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)
- func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship
- func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship
- func Sort(pkgs []Package)
- type AlpmFileRecord
- type AlpmMetadata
- type ApkFileRecord
- type ApkMetadata
- type ArchiveInfo
- type BinaryMetadata
- type CargoPackageMetadata
- type Catalog (deprecated)
- type Cataloger
- type ClassifierMatch
- type CocoapodsMetadata
- type Collection
- func (c *Collection) Add(pkgs ...Package)
- func (c *Collection) Delete(ids ...artifact.ID)
- func (c *Collection) Enumerate(types ...Type) <-chan Package
- func (c *Collection) Package(id artifact.ID) *Package
- func (c *Collection) PackageCount() int
- func (c *Collection) Packages(ids []artifact.ID) (result []Package)
- func (c *Collection) PackagesByName(name string) []Package
- func (c *Collection) PackagesByPath(path string) []Package
- func (c *Collection) Sorted(types ...Type) (pkgs []Package)
- type ConanLockMetadata
- type ConanMetadata
- type DartPubMetadata
- type DirInfo
- type DirectURLOrigin
- type DotnetDepsMetadata
- type DpkgFileRecord
- type DpkgMetadata
- type FileMetadata
- type FileOwner
- type GemMetadata
- type GolangBinMetadata
- type GolangModMetadata
- type HackageMetadata
- type JavaManifest
- type JavaMetadata
- type KbPackageMetadata
- type Language
- type License
- func NewLicense(value string) License
- func NewLicenseFromLocations(value string, locations ...file.Location) License
- func NewLicenseFromType(value string, t license.Type) License
- func NewLicenseFromURLs(value string, urls ...string) License
- func NewLicensesFromLocation(location file.Location, values ...string) (licenses []License)
- func NewLicensesFromValues(values ...string) (licenses []License)
- type LicenseSet
- type Licenses
- type LinuxKernelMetadata
- type LinuxKernelModuleMetadata
- type LinuxKernelModuleParameter
- type MetadataType
- type MixLockMetadata
- type NixStoreMetadata
- type NpmPackageJSONMetadata
- type NpmPackageLockJSONMetadata
- type Package
- type PhpComposerAuthors
- type PhpComposerExternalReference
- type PhpComposerJSONMetadata
- type PomParent
- type PomProject
- type PomProperties
- type PortageFileRecord
- type PortageMetadata
- type PythonDirectURLOriginInfo
- type PythonFileDigest
- type PythonFileRecord
- type PythonPackageMetadata
- type PythonPipfileLockMetadata
- type PythonRequirementsMetadata
- type RDescriptionFileMetadata
- type RebarLockMetadata
- type RpmMetadata
- type RpmdbFileMode
- type RpmdbFileRecord
- type Type
- type VCSInfo
Constants ¶
const (
	EvidenceAnnotationKey        = "evidence"
	PrimaryEvidenceAnnotation    = "primary"
	SupportingEvidenceAnnotation = "supporting"
)
const (
	PURLQualifierArch   = "arch"
	PURLQualifierDistro = "distro"
	PURLQualifierEpoch  = "epoch"
	PURLQualifierVCSURL = "vcs_url"

	// PURLQualifierUpstream is not in the pURL spec, but is used by grype to perform indirect matching based on source information
	PURLQualifierUpstream = "upstream"
)
const AlpmDBGlob = "**/var/lib/pacman/local/**/desc"
const AltRpmDBGlob = "**/rpm/{Packages,Packages.db,rpmdb.sqlite}"
AltRpmDBGlob allows DB matches against the new locations introduced in fedora:{36,37}. See https://github.com/anchore/syft/issues/1077 for the larger context.
const ApkDBGlob = "**/lib/apk/db/installed"
const DpkgDBGlob = "**/var/lib/dpkg/{status,status.d/**}"
const RpmDBGlob = "**/{var/lib,usr/share}/rpm/{Packages,Packages.db,rpmdb.sqlite}"
/var/lib/rpm/... is the typical path for most distributions; /usr/share/rpm/... is common for rpm-ostree distributions (CoreOS-like). The three file names cover the three on-disk formats:
- Packages is the legacy Berkeley DB based format
- Packages.db is the "ndb" format used in SUSE
- rpmdb.sqlite is the SQLite format used in Fedora and derivatives
const RpmManifestGlob = "**/var/lib/rpmmanifest/container-manifest-2"
RpmManifestGlob matches the container manifest used in CBL-Mariner distroless images, which ship no RPM database.
Variables ¶
var AllLanguages = []Language{
	CPP, Dart, Dotnet, Elixir, Erlang, Go, Haskell, Java, JavaScript, PHP, Python, R, Ruby, Rust, Swift,
}
AllLanguages is a set of all programming languages detected by syft.
var AllMetadataTypes = []MetadataType{
	AlpmMetadataType,
	ApkMetadataType,
	BinaryMetadataType,
	CocoapodsMetadataType,
	ConanLockMetadataType,
	ConanMetadataType,
	DartPubMetadataType,
	DotnetDepsMetadataType,
	DpkgMetadataType,
	GemMetadataType,
	GolangBinMetadataType,
	GolangModMetadataType,
	HackageMetadataType,
	JavaMetadataType,
	KbPackageMetadataType,
	LinuxKernelMetadataType,
	LinuxKernelModuleMetadataType,
	MixLockMetadataType,
	NixStoreMetadataType,
	NpmPackageJSONMetadataType,
	NpmPackageLockJSONMetadataType,
	PhpComposerJSONMetadataType,
	PortageMetadataType,
	PythonPackageMetadataType,
	PythonPipfileLockMetadataType,
	PythonRequirementsMetadataType,
	RDescriptionFileMetadataType,
	RebarLockMetadataType,
	RpmMetadataType,
	RustCargoPackageMetadataType,
}
var AllPkgs = []Type{
	AlpmPkg,
	ApkPkg,
	BinaryPkg,
	CocoapodsPkg,
	ConanPkg,
	DartPubPkg,
	DebPkg,
	DotnetPkg,
	GemPkg,
	GoModulePkg,
	HackagePkg,
	HexPkg,
	JavaPkg,
	JenkinsPluginPkg,
	KbPkg,
	LinuxKernelPkg,
	LinuxKernelModulePkg,
	NixPkg,
	NpmPkg,
	PhpComposerPkg,
	PortagePkg,
	PythonPkg,
	Rpkg,
	RpmPkg,
	RustPkg,
}
AllPkgs represents all supported package types
var MetadataTypeByName = map[MetadataType]reflect.Type{
	AlpmMetadataType:               reflect.TypeOf(AlpmMetadata{}),
	ApkMetadataType:                reflect.TypeOf(ApkMetadata{}),
	BinaryMetadataType:             reflect.TypeOf(BinaryMetadata{}),
	CocoapodsMetadataType:          reflect.TypeOf(CocoapodsMetadata{}),
	ConanLockMetadataType:          reflect.TypeOf(ConanLockMetadata{}),
	ConanMetadataType:              reflect.TypeOf(ConanMetadata{}),
	DartPubMetadataType:            reflect.TypeOf(DartPubMetadata{}),
	DotnetDepsMetadataType:         reflect.TypeOf(DotnetDepsMetadata{}),
	DpkgMetadataType:               reflect.TypeOf(DpkgMetadata{}),
	GemMetadataType:                reflect.TypeOf(GemMetadata{}),
	GolangBinMetadataType:          reflect.TypeOf(GolangBinMetadata{}),
	GolangModMetadataType:          reflect.TypeOf(GolangModMetadata{}),
	HackageMetadataType:            reflect.TypeOf(HackageMetadata{}),
	JavaMetadataType:               reflect.TypeOf(JavaMetadata{}),
	KbPackageMetadataType:          reflect.TypeOf(KbPackageMetadata{}),
	LinuxKernelMetadataType:        reflect.TypeOf(LinuxKernelMetadata{}),
	LinuxKernelModuleMetadataType:  reflect.TypeOf(LinuxKernelModuleMetadata{}),
	MixLockMetadataType:            reflect.TypeOf(MixLockMetadata{}),
	NixStoreMetadataType:           reflect.TypeOf(NixStoreMetadata{}),
	NpmPackageJSONMetadataType:     reflect.TypeOf(NpmPackageJSONMetadata{}),
	NpmPackageLockJSONMetadataType: reflect.TypeOf(NpmPackageLockJSONMetadata{}),
	PhpComposerJSONMetadataType:    reflect.TypeOf(PhpComposerJSONMetadata{}),
	PortageMetadataType:            reflect.TypeOf(PortageMetadata{}),
	PythonPackageMetadataType:      reflect.TypeOf(PythonPackageMetadata{}),
	PythonPipfileLockMetadataType:  reflect.TypeOf(PythonPipfileLockMetadata{}),
	PythonRequirementsMetadataType: reflect.TypeOf(PythonRequirementsMetadata{}),
	RDescriptionFileMetadataType:   reflect.TypeOf(RDescriptionFileMetadata{}),
	RebarLockMetadataType:          reflect.TypeOf(RebarLockMetadata{}),
	RpmMetadataType:                reflect.TypeOf(RpmMetadata{}),
	RustCargoPackageMetadataType:   reflect.TypeOf(CargoPackageMetadata{}),
}
Functions ¶
func IsValid ¶ added in v0.47.0
func IsValid(p *Package) bool
IsValid checks whether a package has the minimum necessary info, which is a non-empty name. The nil-check is a convenience, since in this code base packages often move between callers as pointers. CycloneDX and SPDX both define Name as the minimum required info for a valid package:
- https://spdx.github.io/spdx-spec/package-information/#73-package-version-field
- https://cyclonedx.org/docs/1.4/json/#components_items_name
func NewRelationships ¶ added in v0.13.0
func NewRelationships(catalog *Collection) []artifact.Relationship
func PURLQualifiers ¶ added in v0.60.0
func PURLQualifiers(vars map[string]string, release *linux.Release) (q packageurl.Qualifiers)
func RelationshipsByFileOwnership ¶ added in v0.31.0
func RelationshipsByFileOwnership(catalog *Collection) []artifact.Relationship
RelationshipsByFileOwnership creates package-to-package relationships by discovering which packages have evidence locations that overlap with the file ownership claims found in another package's package-manager metadata (see FileOwner).
func RelationshipsEvidentBy ¶ added in v0.78.0
func RelationshipsEvidentBy(catalog *Collection) []artifact.Relationship
Types ¶
type AlpmFileRecord ¶ added in v0.48.0
type AlpmFileRecord struct {
	Path    string        `mapstruture:"path" json:"path,omitempty"`
	Type    string        `mapstructure:"type" json:"type,omitempty"`
	UID     string        `mapstructure:"uid" json:"uid,omitempty"`
	GID     string        `mapstructure:"gid" json:"gid,omitempty"`
	Time    time.Time     `mapstructure:"time" json:"time,omitempty"`
	Size    string        `mapstructure:"size" json:"size,omitempty"`
	Link    string        `mapstructure:"link" json:"link,omitempty"`
	Digests []file.Digest `mapstructure:"digests" json:"digest,omitempty"`
}
type AlpmMetadata ¶ added in v0.48.0
type AlpmMetadata struct {
	BasePackage  string           `mapstructure:"base" json:"basepackage" cyclonedx:"basepackage"`
	Package      string           `mapstructure:"name" json:"package" cyclonedx:"package"`
	Version      string           `mapstructure:"version" json:"version" cyclonedx:"version"`
	Description  string           `mapstructure:"desc" json:"description" cyclonedx:"description"`
	Architecture string           `mapstructure:"arch" json:"architecture" cyclonedx:"architecture"`
	Size         int              `mapstructure:"size" json:"size" cyclonedx:"size"`
	Packager     string           `mapstructure:"packager" json:"packager"`
	URL          string           `mapstructure:"url" json:"url"`
	Validation   string           `mapstructure:"validation" json:"validation"`
	Reason       int              `mapstructure:"reason" json:"reason"`
	Files        []AlpmFileRecord `mapstructure:"files" json:"files"`
	Backup       []AlpmFileRecord `mapstructure:"backup" json:"backup"`
}
func (AlpmMetadata) OwnedFiles ¶ added in v0.48.0
func (m AlpmMetadata) OwnedFiles() (result []string)
type ApkFileRecord ¶
type ApkFileRecord struct {
	Path        string       `json:"path"`
	OwnerUID    string       `json:"ownerUid,omitempty"`
	OwnerGID    string       `json:"ownerGid,omitempty"`
	Permissions string       `json:"permissions,omitempty"`
	Digest      *file.Digest `json:"digest,omitempty"`
}
ApkFileRecord represents a single file listing and its metadata from an APK DB entry (an entry may have many of these file records).
type ApkMetadata ¶
type ApkMetadata struct {
	Package       string          `mapstructure:"P" json:"package"`
	OriginPackage string          `mapstructure:"o" json:"originPackage" cyclonedx:"originPackage"`
	Maintainer    string          `mapstructure:"m" json:"maintainer"`
	Version       string          `mapstructure:"V" json:"version"`
	Architecture  string          `mapstructure:"A" json:"architecture"`
	URL           string          `mapstructure:"U" json:"url"`
	Description   string          `mapstructure:"T" json:"description"`
	Size          int             `mapstructure:"S" json:"size" cyclonedx:"size"`
	InstalledSize int             `mapstructure:"I" json:"installedSize" cyclonedx:"installedSize"`
	Dependencies  []string        `mapstructure:"D" json:"pullDependencies" cyclonedx:"pullDependencies"`
	Provides      []string        `mapstructure:"p" json:"provides" cyclonedx:"provides"`
	Checksum      string          `mapstructure:"C" json:"pullChecksum" cyclonedx:"pullChecksum"`
	GitCommit     string          `mapstructure:"c" json:"gitCommitOfApkPort" cyclonedx:"gitCommitOfApkPort"`
	Files         []ApkFileRecord `json:"files"`
}
ApkMetadata represents all captured data for an Alpine DB package entry. The single-letter mapstructure keys are the field names used in the installed database itself. See the following sources for more information:
- https://wiki.alpinelinux.org/wiki/Apk_spec
- https://git.alpinelinux.org/apk-tools/tree/src/package.c
- https://git.alpinelinux.org/apk-tools/tree/src/database.c
func (ApkMetadata) OwnedFiles ¶ added in v0.24.0
func (m ApkMetadata) OwnedFiles() (result []string)
func (*ApkMetadata) UnmarshalJSON ¶ added in v0.61.0
func (m *ApkMetadata) UnmarshalJSON(data []byte) error
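To make the single-letter key mapping above concrete, here is an added example (not syft's own cataloger code) that parses the `/lib/apk/db/installed` format matched by ApkDBGlob into a local stand-in for ApkMetadata and exposes the FileOwner contract. The struct names, the `F:`/`R:`/`Z:` handling and the two-record sample database are assumptions of this example; the sample mimics the real layout but its checksums are placeholders.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"path"
	"strconv"
	"strings"
)

// apkFileRecord and apkPackage are local stand-ins for syft's ApkFileRecord and
// ApkMetadata (added example code, not syft's parser). Field comments name the
// single-letter key from the apk spec that populates each field.
type apkFileRecord struct {
	Path   string // absolute path: current "F:" directory joined with the "R:" name
	Digest string // value of the "Z:" line following the "R:" line, if any
}

type apkPackage struct {
	Package       string   // P
	OriginPackage string   // o
	Maintainer    string   // m
	Version       string   // V
	Architecture  string   // A
	URL           string   // U
	Description   string   // T
	Size          int      // S
	InstalledSize int      // I
	Dependencies  []string // D (space separated)
	Provides      []string // p (space separated)
	Checksum      string   // C
	GitCommit     string   // c
	Files         []apkFileRecord
}

// OwnedFiles satisfies the FileOwner contract: every path this package installed.
func (p apkPackage) OwnedFiles() []string {
	out := make([]string, 0, len(p.Files))
	for _, f := range p.Files {
		out = append(out, f.Path)
	}
	return out
}

// parseApkInstalled reads the installed-DB format: records separated by a blank
// line, each a sequence of "K:value" lines. "F:" sets the current directory, "R:"
// adds a file inside it and "Z:" is the checksum of the most recent "R:" entry.
// Unknown keys are skipped so newer apk-tools fields do not break parsing.
func parseApkInstalled(r io.Reader) ([]apkPackage, error) {
	sc := bufio.NewScanner(r)
	var (
		pkgs []apkPackage
		cur  *apkPackage
		dir  string
	)
	flush := func() {
		if cur != nil {
			pkgs = append(pkgs, *cur)
			cur, dir = nil, ""
		}
	}
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			flush()
			continue
		}
		key, val, ok := strings.Cut(line, ":")
		if !ok || len(key) != 1 {
			return nil, fmt.Errorf("malformed apk db line %q", line)
		}
		if cur == nil {
			cur = &apkPackage{}
		}
		switch key {
		case "P":
			cur.Package = val
		case "o":
			cur.OriginPackage = val
		case "m":
			cur.Maintainer = val
		case "V":
			cur.Version = val
		case "A":
			cur.Architecture = val
		case "U":
			cur.URL = val
		case "T":
			cur.Description = val
		case "C":
			cur.Checksum = val
		case "c":
			cur.GitCommit = val
		case "D":
			cur.Dependencies = strings.Fields(val)
		case "p":
			cur.Provides = strings.Fields(val)
		case "S", "I":
			n, err := strconv.Atoi(val)
			if err != nil {
				return nil, fmt.Errorf("bad size in %q: %w", line, err)
			}
			if key == "S" {
				cur.Size = n
			} else {
				cur.InstalledSize = n
			}
		case "F":
			dir = val
		case "R":
			cur.Files = append(cur.Files, apkFileRecord{Path: path.Join("/", dir, val)})
		case "Z":
			if n := len(cur.Files); n > 0 {
				cur.Files[n-1].Digest = val
			}
		}
	}
	flush()
	return pkgs, sc.Err()
}

// sampleInstalled is constructed test data in the real file layout; checksums are placeholders.
const sampleInstalled = `C:Q1placeholderchecksumA=
P:musl
V:1.2.4-r1
A:x86_64
S:383152
I:622592
T:the musl c library (libc) implementation
U:https://musl.libc.org/
o:musl
m:Example Maintainer <maintainer@example.org>
c:0000000000000000000000000000000000000000
p:so:libc.musl-x86_64.so.1=1
F:lib
R:ld-musl-x86_64.so.1
Z:Q1placeholderfiledigest1=
R:libc.musl-x86_64.so.1

C:Q1placeholderchecksumB=
P:busybox
V:1.36.1-r2
A:x86_64
S:512374
I:966656
T:Size optimized toolbox of many common UNIX utilities
o:busybox
D:so:libc.musl-x86_64.so.1
F:bin
R:busybox
Z:Q1placeholderfiledigest2=
F:etc
R:securetty
`

func main() {
	pkgs, err := parseApkInstalled(strings.NewReader(sampleInstalled))
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s-%s (%s) owns %v\n", p.Package, p.Version, p.Architecture, p.OwnedFiles())
	}
}
```

The ownership list is what makes RelationshipsByFileOwnership work for Alpine images: a binary or language package whose evidence path is one of these `R:` entries can be attributed back to the apk that installed it.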
type ArchiveInfo ¶ added in v0.34.0
type ArchiveInfo struct {
Hash string `json:"hash"`
}
type BinaryMetadata ¶ added in v0.60.0
type BinaryMetadata struct {
Matches []ClassifierMatch `mapstructure:"Matches" json:"matches"`
}
type CargoPackageMetadata ¶ added in v0.15.0
type Catalog ¶ (deprecated)
type Cataloger ¶ added in v0.60.0
type Cataloger interface {
	// Name returns a string that uniquely describes a cataloger
	Name() string
	// Catalog is given an object to resolve file references and content, this function returns any discovered Packages after analyzing the catalog source.
	Catalog(resolver file.Resolver) ([]Package, []artifact.Relationship, error)
}
Cataloger describes behavior for an object to participate in parsing container image or file system contents for the purpose of discovering Packages. Each concrete implementation should focus on discovering Packages for a specific Package Type or ecosystem.
type ClassifierMatch ¶ added in v0.73.0
type CocoapodsMetadata ¶ added in v0.51.0
type CocoapodsMetadata struct {
Checksum string `mapstructure:"checksum" json:"checksum"`
}
type Collection ¶ added in v0.80.0
type Collection struct {
// contains filtered or unexported fields
}
Collection represents a collection of Packages.
func NewCollection ¶ added in v0.80.0
func NewCollection(pkgs ...Package) *Collection
NewCollection returns a new Collection populated with the given packages (empty if none are given).
func (*Collection) Add ¶ added in v0.80.0
func (c *Collection) Add(pkgs ...Package)
Add adds the given packages to the collection.
func (*Collection) Delete ¶ added in v0.80.0
func (c *Collection) Delete(ids ...artifact.ID)
func (*Collection) Enumerate ¶ added in v0.80.0
func (c *Collection) Enumerate(types ...Type) <-chan Package
Enumerate all packages for the given type(s), enumerating all packages if no type is specified.
func (*Collection) Package ¶ added in v0.80.0
func (c *Collection) Package(id artifact.ID) *Package
Package returns the package with the given ID.
func (*Collection) PackageCount ¶ added in v0.80.0
func (c *Collection) PackageCount() int
PackageCount returns the total number of packages that have been added.
func (*Collection) Packages ¶ added in v0.80.0
func (c *Collection) Packages(ids []artifact.ID) (result []Package)
Packages returns all packages for the given IDs.
func (*Collection) PackagesByName ¶ added in v0.80.0
func (c *Collection) PackagesByName(name string) []Package
PackagesByName returns all packages that were discovered with a matching name.
func (*Collection) PackagesByPath ¶ added in v0.80.0
func (c *Collection) PackagesByPath(path string) []Package
PackagesByPath returns all packages that were discovered from the given path.
func (*Collection) Sorted ¶ added in v0.80.0
func (c *Collection) Sorted(types ...Type) (pkgs []Package)
Sorted enumerates all packages for the given types sorted by package name. Enumerates all packages if no type is specified.
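The Collection lookups above and RelationshipsByFileOwnership (documented earlier on this page) fit together as follows. This is an added example with stdlib-only stand-ins for Package, Collection and artifact.Relationship, not syft's implementation; the ID scheme, the relationship type string and the sample packages (a distro rpm that ships a Python package, plus a pip-installed package nobody owns) are assumptions of the example. It shows why PackagesByPath exists: the ownership pass walks each FileOwner's OwnedFiles and asks which other packages were discovered at those paths.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Minimal stand-ins for syft's pkg.Package, pkg.Collection and
// artifact.Relationship (added example code, not syft's).
type artifactID string

type pkg struct {
	Name, Version, Type string
	Locations           []string    // evidence paths that led to discovery
	Metadata            interface{} // ecosystem metadata; may implement fileOwner
}

// fileOwner is the same contract as pkg.FileOwner.
type fileOwner interface{ OwnedFiles() []string }

type rpmMetadata struct{ Files []string }

func (m rpmMetadata) OwnedFiles() []string { return m.Files }

// ID hashes identity fields only. As in syft, derived or incidental fields
// (FoundBy, PURL, CPEs) are excluded, so one package found twice collapses.
func (p pkg) ID() artifactID {
	locs := append([]string(nil), p.Locations...)
	sort.Strings(locs)
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%s\x00%s\x00%s", p.Name, p.Version, p.Type, strings.Join(locs, "\x00"))
	return artifactID(hex.EncodeToString(h.Sum(nil))[:16])
}

type collection struct {
	byID   map[artifactID]pkg
	byName map[string][]artifactID
	byPath map[string][]artifactID
}

func newCollection(pkgs ...pkg) *collection {
	c := &collection{byID: map[artifactID]pkg{}, byName: map[string][]artifactID{}, byPath: map[string][]artifactID{}}
	c.Add(pkgs...)
	return c
}

// Add indexes each package by ID, name and evidence path; duplicate IDs are dropped.
func (c *collection) Add(pkgs ...pkg) {
	for _, p := range pkgs {
		id := p.ID()
		if _, exists := c.byID[id]; exists {
			continue
		}
		c.byID[id] = p
		c.byName[p.Name] = append(c.byName[p.Name], id)
		for _, loc := range p.Locations {
			c.byPath[loc] = append(c.byPath[loc], id)
		}
	}
}

func (c *collection) Package(id artifactID) *pkg {
	if p, ok := c.byID[id]; ok {
		return &p
	}
	return nil
}

func (c *collection) PackageCount() int { return len(c.byID) }

func (c *collection) packages(ids []artifactID) []pkg {
	out := make([]pkg, 0, len(ids))
	for _, id := range ids {
		if p := c.Package(id); p != nil {
			out = append(out, *p)
		}
	}
	return out
}

func (c *collection) PackagesByName(name string) []pkg { return c.packages(c.byName[name]) }
func (c *collection) PackagesByPath(path string) []pkg { return c.packages(c.byPath[path]) }

// Sorted orders by name, version, type so output is deterministic despite map iteration.
func (c *collection) Sorted() []pkg {
	out := make([]pkg, 0, len(c.byID))
	for _, p := range c.byID {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if a.Name != b.Name {
			return a.Name < b.Name
		}
		if a.Version != b.Version {
			return a.Version < b.Version
		}
		return a.Type < b.Type
	})
	return out
}

type relationship struct {
	From, To artifactID
	Type     string
}

const ownershipByFileOverlap = "ownership-by-file-overlap" // assumed relationship name

// relationshipsByFileOwnership emits owner -> owned edges wherever a package manager's
// OwnedFiles claim covers the evidence location of a different package. Each
// (owner, child) pair is reported once even when several files overlap.
func relationshipsByFileOwnership(c *collection) []relationship {
	var rels []relationship
	for _, owner := range c.Sorted() {
		fo, ok := owner.Metadata.(fileOwner)
		if !ok {
			continue
		}
		ownerID, seen := owner.ID(), map[artifactID]bool{}
		for _, f := range fo.OwnedFiles() {
			for _, child := range c.PackagesByPath(f) {
				if id := child.ID(); id != ownerID && !seen[id] {
					seen[id] = true
					rels = append(rels, relationship{From: ownerID, To: id, Type: ownershipByFileOverlap})
				}
			}
		}
	}
	return rels
}

// sampleCollection is constructed data, including a deliberate duplicate that must collapse.
func sampleCollection() *collection {
	const eggInfo = "/usr/lib/python3.9/site-packages/requests-2.25.1-py3.9.egg-info/PKG-INFO"
	rpm := pkg{Name: "python3-requests", Version: "2.25.1-6.el9", Type: "rpm",
		Locations: []string{"/var/lib/rpm/rpmdb.sqlite"},
		Metadata:  rpmMetadata{Files: []string{eggInfo, "/usr/lib/python3.9/site-packages/requests/__init__.py"}}}
	requests := pkg{Name: "requests", Version: "2.25.1", Type: "python", Locations: []string{eggInfo}}
	urllib3 := pkg{Name: "urllib3", Version: "1.26.5", Type: "python",
		Locations: []string{"/usr/local/lib/python3.9/site-packages/urllib3-1.26.5.dist-info/METADATA"}}
	return newCollection(rpm, requests, urllib3, requests)
}

func main() {
	c := sampleCollection()
	for _, r := range relationshipsByFileOwnership(c) {
		fmt.Printf("%s %s %s\n", c.Package(r.From).Name, r.Type, c.Package(r.To).Name)
	}
}
```

The single edge produced (python3-requests owns requests) is the signal a downstream consumer needs to treat the Python package as distro-managed rather than pip-installed, while urllib3, whose dist-info lives under /usr/local with no owner, stays unattributed.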
type ConanLockMetadata ¶ added in v0.58.0
type ConanLockMetadata struct {
	Ref            string            `json:"ref"`
	PackageID      string            `json:"package_id,omitempty"`
	Prev           string            `json:"prev,omitempty"`
	Requires       string            `json:"requires,omitempty"`
	BuildRequires  string            `json:"build_requires,omitempty"`
	PythonRequires string            `json:"py_requires,omitempty"`
	Options        map[string]string `json:"options,omitempty"`
	Path           string            `json:"path,omitempty"`
	Context        string            `json:"context,omitempty"`
}
func (ConanLockMetadata) NameAndVersion ¶ added in v0.58.0
func (m ConanLockMetadata) NameAndVersion() (name, version string)
NameAndVersion returns the name and version of the package. If ref is not in the format of "name/version@user/channel", then an empty string is returned for both.
func (ConanLockMetadata) PackageURL ¶ added in v0.58.0
func (m ConanLockMetadata) PackageURL(_ *linux.Release) string
type ConanMetadata ¶ added in v0.50.0
type ConanMetadata struct {
Ref string `mapstructure:"ref" json:"ref"`
}
type DartPubMetadata ¶ added in v0.43.0
type DirectURLOrigin ¶ added in v0.34.0
type DirectURLOrigin struct {
	URL         string      `json:"url"`
	VCSInfo     VCSInfo     `json:"vcs_info"`
	ArchiveInfo ArchiveInfo `json:"archive_info"`
	DirInfo     DirInfo     `json:"dir_info"`
}
type DotnetDepsMetadata ¶ added in v0.46.0
type DpkgFileRecord ¶ added in v0.7.0
type DpkgFileRecord struct {
	Path         string       `json:"path"`
	Digest       *file.Digest `json:"digest,omitempty"`
	IsConfigFile bool         `json:"isConfigFile"`
}
DpkgFileRecord represents a single file attributed to a debian package.
type DpkgMetadata ¶
type DpkgMetadata struct {
	Package       string           `mapstructure:"Package" json:"package"`
	Source        string           `mapstructure:"Source" json:"source" cyclonedx:"source"`
	Version       string           `mapstructure:"Version" json:"version"`
	SourceVersion string           `mapstructure:"SourceVersion" json:"sourceVersion" cyclonedx:"sourceVersion"`
	Architecture  string           `mapstructure:"Architecture" json:"architecture"`
	Maintainer    string           `mapstructure:"Maintainer" json:"maintainer"`
	InstalledSize int              `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
	Description   string           `mapstructure:"Description" hash:"ignore" json:"-"`
	Files         []DpkgFileRecord `json:"files"`
}
DpkgMetadata represents all captured data for a Debian package DB entry; available fields are described at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section.
func (DpkgMetadata) OwnedFiles ¶ added in v0.24.0
func (m DpkgMetadata) OwnedFiles() (result []string)
type FileMetadata ¶ added in v0.62.3
type FileOwner ¶ added in v0.24.0
type FileOwner interface {
OwnedFiles() []string
}
FileOwner is the interface that wraps the OwnedFiles method.
OwnedFiles returns the list of files that a piece of package Metadata indicates are owned by the package. Metadata types that implement it (for example AlpmMetadata, ApkMetadata, DpkgMetadata, NixStoreMetadata and PortageMetadata) are the sources consulted by RelationshipsByFileOwnership.
type GemMetadata ¶ added in v0.2.0
type GemMetadata struct {
	Name    string `mapstructure:"name" json:"name"`
	Version string `mapstructure:"version" json:"version"`
	// note regarding if Files can contribute to GemMetadata being able to implement FileOwner: this list is a
	// "logical" list of files, not a list of paths that can be used to find the files without additional processing.
	//
	// For example: The "bundler" gem has a file entry of:
	//   "lib/bundler/vendor/uri/lib/uri/ldap.rb"
	// but the actual file is located at:
	//   "/usr/local/lib/ruby/3.2.0/bundler/vendor/uri/lib/uri/ldap.rb"
	// which do not match (the "lib" prefix is missing even for relative processing).
	//
	// without additional information about:
	//   - the gem installation path
	//   - the ruby installation path
	//   - the ruby version
	//   - environment variables (e.g. GEM_HOME) that may affect the gem installation path
	// ... we can't reliably determine the full path to the file on disk, thus cannot implement FileOwner (...yet...).
	Files    []string `mapstructure:"files" json:"files,omitempty"`
	Authors  []string `mapstructure:"authors" json:"authors,omitempty"`
	Homepage string   `mapstructure:"homepage" json:"homepage,omitempty"`
}
GemMetadata represents all metadata parsed from the gemspec file
type GolangBinMetadata ¶ added in v0.26.0
type GolangBinMetadata struct {
	BuildSettings     map[string]string `json:"goBuildSettings,omitempty" cyclonedx:"goBuildSettings"`
	GoCompiledVersion string            `json:"goCompiledVersion" cyclonedx:"goCompiledVersion"`
	Architecture      string            `json:"architecture" cyclonedx:"architecture"`
	H1Digest          string            `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
	MainModule        string            `json:"mainModule,omitempty" cyclonedx:"mainModule"`
}
GolangBinMetadata represents all captured data for a Golang binary
type GolangModMetadata ¶ added in v0.66.2
type GolangModMetadata struct {
H1Digest string `json:"h1Digest,omitempty" cyclonedx:"h1Digest"`
}
GolangModMetadata represents all captured data for a Golang source scan with go.mod/go.sum
type HackageMetadata ¶ added in v0.52.0
type JavaManifest ¶
type JavaManifest struct {
	Main          map[string]string            `json:"main,omitempty"`
	NamedSections map[string]map[string]string `json:"namedSections,omitempty"`
}
JavaManifest represents the fields of interest extracted from a Java archive's META-INF/MANIFEST.MF file.
type JavaMetadata ¶
type JavaMetadata struct {
	VirtualPath    string         `json:"virtualPath" cyclonedx:"virtualPath"` // we need to include the virtual path in cyclonedx documents to prevent deduplication of jars within jars
	Manifest       *JavaManifest  `mapstructure:"Manifest" json:"manifest,omitempty"`
	PomProperties  *PomProperties `mapstructure:"PomProperties" json:"pomProperties,omitempty" cyclonedx:"-"`
	PomProject     *PomProject    `mapstructure:"PomProject" json:"pomProject,omitempty"`
	ArchiveDigests []file.Digest  `hash:"ignore" json:"digest,omitempty"`
	Parent         *Package       `hash:"ignore" json:"-"` // note: the parent cannot be included in the minimal definition of uniqueness since this field is not reproducible in an encode-decode cycle (is lossy).
}
JavaMetadata encapsulates all Java ecosystem metadata for a package as well as an (optional) parent relationship.
type KbPackageMetadata ¶ added in v0.15.2
type KbPackageMetadata struct {
	ProductID string `toml:"product_id" json:"product_id"`
	Kb        string `toml:"kb" json:"kb"`
}
KbPackageMetadata is slightly odd in how it is expected to map onto data, and this is important to grasp because there is no MSRC cataloger that produces it. The ProductID field is expected to be the MSRC Product ID, for example "Windows 10 Version 1703 for 32-bit Systems"; Kb is expected to be the actual KB number, for example "5001028".
type Language ¶
type Language string
Language represents a single programming language.
const (
	// the full set of supported programming languages
	UnknownLanguage Language = ""
	CPP             Language = "c++"
	Dart            Language = "dart"
	Dotnet          Language = "dotnet"
	Elixir          Language = "elixir"
	Erlang          Language = "erlang"
	Go              Language = "go"
	Haskell         Language = "haskell"
	Java            Language = "java"
	JavaScript      Language = "javascript"
	PHP             Language = "php"
	Python          Language = "python"
	R               Language = "R"
	Ruby            Language = "ruby"
	Rust            Language = "rust"
	Swift           Language = "swift"
)
func LanguageByName ¶ added in v0.38.0
func LanguageFromPURL ¶ added in v0.37.0
type License ¶ added in v0.81.0
type License struct {
	Value          string             `json:"value"`
	SPDXExpression string             `json:"spdxExpression"`
	Type           license.Type       `json:"type"`
	URLs           internal.StringSet `hash:"ignore"`
	Locations      file.LocationSet   `hash:"ignore"`
}
License represents an SPDX expression or raw license value extracted from a package's metadata. URLs and Locations are excluded from the hash because those fields are merged across equal licenses: a License is uniquely identified by the combination of value, expression and type, and its sources are always merged as additional evidence of where it was found and how it was sourced. This differs from how packages are treated, where paths are part of identity so that packages discovered in different places can be kept separate; for licenses we are only collecting evidence of where a license was declared or concluded for a given package.
func NewLicense ¶ added in v0.81.0
func NewLicenseFromLocations ¶ added in v0.81.0
func NewLicenseFromType ¶ added in v0.81.0
func NewLicenseFromURLs ¶ added in v0.81.0
func NewLicensesFromLocation ¶ added in v0.81.0
func NewLicensesFromValues ¶ added in v0.81.0
type LicenseSet ¶ added in v0.81.0
type LicenseSet struct {
// contains filtered or unexported fields
}
func NewLicenseSet ¶ added in v0.81.0
func NewLicenseSet(licenses ...License) (s LicenseSet)
func (*LicenseSet) Add ¶ added in v0.81.0
func (s *LicenseSet) Add(licenses ...License)
func (LicenseSet) Empty ¶ added in v0.81.0
func (s LicenseSet) Empty() bool
func (LicenseSet) Hash ¶ added in v0.81.0
func (s LicenseSet) Hash() (uint64, error)
func (LicenseSet) ToSlice ¶ added in v0.81.0
func (s LicenseSet) ToSlice() []License
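The identity-versus-evidence split described for License above is easy to get wrong in a custom SBOM consumer, so here is an added example (stdlib Go, not syft's code) of a LicenseSet stand-in that keys on (value, SPDX expression, type), merges URLs and locations into the existing entry, and hashes identity fields only. The tiny SPDX identifier table, the "declared"/"concluded" type strings and the helper names are assumptions of this example; syft validates against the full SPDX license list, which is not embedded here.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"sort"
	"strings"
)

// license and licenseSet are local stand-ins for syft's pkg.License and pkg.LicenseSet
// (added example code, not syft's). Identity is (Value, SPDXExpression, Type); URLs and
// Locations are evidence only, mirroring the `hash:"ignore"` tags on the real struct.
type license struct {
	Value          string
	SPDXExpression string
	Type           string // assumed values: "declared" or "concluded"
	URLs           map[string]struct{}
	Locations      map[string]struct{}
}

type licenseKey struct{ Value, SPDXExpression, Type string }

func (l license) key() licenseKey { return licenseKey{l.Value, l.SPDXExpression, l.Type} }

// knownSPDX is a deliberately tiny illustrative table, not the real SPDX license list.
var knownSPDX = map[string]bool{"MIT": true, "Apache-2.0": true, "BSD-3-Clause": true, "GPL-2.0-only": true}

// newLicense builds a declared license from a raw value; SPDXExpression is set only
// when the value is a recognised identifier, otherwise it stays empty.
func newLicense(value string, locations ...string) license {
	v := strings.TrimSpace(value)
	l := license{Value: v, Type: "declared", URLs: map[string]struct{}{}, Locations: map[string]struct{}{}}
	if knownSPDX[v] {
		l.SPDXExpression = v
	}
	for _, loc := range locations {
		l.Locations[loc] = struct{}{}
	}
	return l
}

func (l license) withURLs(urls ...string) license {
	for _, u := range urls {
		l.URLs[u] = struct{}{}
	}
	return l
}

func copySet(in map[string]struct{}) map[string]struct{} {
	out := make(map[string]struct{}, len(in))
	for k := range in {
		out[k] = struct{}{}
	}
	return out
}

type licenseSet struct{ set map[licenseKey]license }

func newLicenseSet(ls ...license) licenseSet {
	s := licenseSet{}
	s.Add(ls...)
	return s
}

// Add merges URLs and Locations into an existing equal license instead of duplicating it.
func (s *licenseSet) Add(ls ...license) {
	if s.set == nil {
		s.set = map[licenseKey]license{}
	}
	for _, l := range ls {
		k := l.key()
		existing, ok := s.set[k]
		if !ok {
			s.set[k] = license{Value: l.Value, SPDXExpression: l.SPDXExpression, Type: l.Type,
				URLs: copySet(l.URLs), Locations: copySet(l.Locations)}
			continue
		}
		for u := range l.URLs { // maps are references: this updates the stored entry
			existing.URLs[u] = struct{}{}
		}
		for loc := range l.Locations {
			existing.Locations[loc] = struct{}{}
		}
	}
}

func (s licenseSet) Empty() bool { return len(s.set) == 0 }

// ToSlice returns licenses in a stable order (value, expression, type).
func (s licenseSet) ToSlice() []license {
	out := make([]license, 0, len(s.set))
	for _, l := range s.set {
		out = append(out, l)
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i].key(), out[j].key()
		if a.Value != b.Value {
			return a.Value < b.Value
		}
		if a.SPDXExpression != b.SPDXExpression {
			return a.SPDXExpression < b.SPDXExpression
		}
		return a.Type < b.Type
	})
	return out
}

// Hash covers identity fields only, so two sets holding the same licenses with
// different evidence (URLs, locations) hash identically.
func (s licenseSet) Hash() uint64 {
	h := fnv.New64a()
	for _, l := range s.ToSlice() {
		fmt.Fprintf(h, "%s\x00%s\x00%s\x1e", l.Value, l.SPDXExpression, l.Type)
	}
	return h.Sum64()
}

func main() {
	s := newLicenseSet(
		newLicense("MIT", "/app/package.json"),
		newLicense("MIT", "/app/LICENSE").withURLs("https://opensource.org/licenses/MIT"),
		newLicense("Apache 2.0 or later", "/app/README.md"), // not an SPDX id: expression stays empty
	)
	for _, l := range s.ToSlice() {
		fmt.Printf("%-20s spdx=%q type=%s evidence=%d locations, %d urls\n",
			l.Value, l.SPDXExpression, l.Type, len(l.Locations), len(l.URLs))
	}
}
```

Because the package ID is computed over the licenses as well, keeping URLs and locations out of the license hash is what stops the same package from splitting into two entries merely because one cataloger saw a LICENSE file and another saw package.json.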
type LinuxKernelMetadata ¶ added in v0.78.0
type LinuxKernelMetadata struct {
	Name            string `mapstructure:"name" json:"name" cyclonedx:"name"`
	Architecture    string `mapstructure:"architecture" json:"architecture" cyclonedx:"architecture"`
	Version         string `mapstructure:"version" json:"version" cyclonedx:"version"`
	ExtendedVersion string `mapstructure:"extendedVersion" json:"extendedVersion,omitempty" cyclonedx:"extendedVersion"`
	BuildTime       string `mapstructure:"buildTime" json:"buildTime,omitempty" cyclonedx:"buildTime"`
	Author          string `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	Format          string `mapstructure:"format" json:"format,omitempty" cyclonedx:"format"`
	RWRootFS        bool   `mapstructure:"rwRootFS" json:"rwRootFS,omitempty" cyclonedx:"rwRootFS"`
	SwapDevice      int    `mapstructure:"swapDevice" json:"swapDevice,omitempty" cyclonedx:"swapDevice"`
	RootDevice      int    `mapstructure:"rootDevice" json:"rootDevice,omitempty" cyclonedx:"rootDevice"`
	VideoMode       string `mapstructure:"videoMode" json:"videoMode,omitempty" cyclonedx:"videoMode"`
}
LinuxKernelMetadata represents all captured data for a Linux kernel
type LinuxKernelModuleMetadata ¶ added in v0.78.0
type LinuxKernelModuleMetadata struct {
	Name          string                                `mapstructure:"name" json:"name,omitempty" cyclonedx:"name"`
	Version       string                                `mapstructure:"version" json:"version,omitempty" cyclonedx:"version"`
	SourceVersion string                                `mapstructure:"sourceVersion" json:"sourceVersion,omitempty" cyclonedx:"sourceVersion"`
	Path          string                                `mapstructure:"path" json:"path,omitempty" cyclonedx:"path"`
	Description   string                                `mapstructure:"description" json:"description,omitempty" cyclonedx:"description"`
	Author        string                                `mapstructure:"author" json:"author,omitempty" cyclonedx:"author"`
	License       string                                `mapstructure:"license" json:"license,omitempty" cyclonedx:"license"`
	KernelVersion string                                `mapstructure:"kernelVersion" json:"kernelVersion,omitempty" cyclonedx:"kernelVersion"`
	VersionMagic  string                                `mapstructure:"versionMagic" json:"versionMagic,omitempty" cyclonedx:"versionMagic"`
	Parameters    map[string]LinuxKernelModuleParameter `mapstructure:"parameters" json:"parameters,omitempty" cyclonedx:"parameters"`
}
type LinuxKernelModuleParameter ¶ added in v0.78.0
type MetadataType ¶ added in v0.4.0
type MetadataType string
MetadataType represents the data shape stored within pkg.Package.Metadata.
const (
	UnknownMetadataType            MetadataType = "UnknownMetadata"
	AlpmMetadataType               MetadataType = "AlpmMetadata"
	ApkMetadataType                MetadataType = "ApkMetadata"
	BinaryMetadataType             MetadataType = "BinaryMetadata"
	CocoapodsMetadataType          MetadataType = "CocoapodsMetadataType"
	ConanLockMetadataType          MetadataType = "ConanLockMetadataType"
	ConanMetadataType              MetadataType = "ConanMetadataType"
	DartPubMetadataType            MetadataType = "DartPubMetadata"
	DotnetDepsMetadataType         MetadataType = "DotnetDepsMetadata"
	DpkgMetadataType               MetadataType = "DpkgMetadata"
	GemMetadataType                MetadataType = "GemMetadata"
	GolangBinMetadataType          MetadataType = "GolangBinMetadata"
	GolangModMetadataType          MetadataType = "GolangModMetadata"
	HackageMetadataType            MetadataType = "HackageMetadataType"
	JavaMetadataType               MetadataType = "JavaMetadata"
	KbPackageMetadataType          MetadataType = "KbPackageMetadata"
	LinuxKernelMetadataType        MetadataType = "LinuxKernelMetadata"
	LinuxKernelModuleMetadataType  MetadataType = "LinuxKernelModuleMetadata"
	MixLockMetadataType            MetadataType = "MixLockMetadataType"
	NixStoreMetadataType           MetadataType = "NixStoreMetadata"
	NpmPackageJSONMetadataType     MetadataType = "NpmPackageJsonMetadata"
	NpmPackageLockJSONMetadataType MetadataType = "NpmPackageLockJsonMetadata"
	PhpComposerJSONMetadataType    MetadataType = "PhpComposerJsonMetadata"
	PortageMetadataType            MetadataType = "PortageMetadata"
	PythonPackageMetadataType      MetadataType = "PythonPackageMetadata"
	PythonPipfileLockMetadataType  MetadataType = "PythonPipfileLockMetadata"
	PythonRequirementsMetadataType MetadataType = "PythonRequirementsMetadata"
	RebarLockMetadataType          MetadataType = "RebarLockMetadataType"
	RDescriptionFileMetadataType   MetadataType = "RDescriptionFileMetadataType"
	RpmMetadataType                MetadataType = "RpmMetadata"
	RustCargoPackageMetadataType   MetadataType = "RustCargoPackageMetadata"
)
func CleanMetadataType ¶ added in v0.56.0
func CleanMetadataType(typ MetadataType) MetadataType
type MixLockMetadata ¶ added in v0.66.0
type NixStoreMetadata ¶ added in v0.76.1
type NixStoreMetadata struct {
	// OutputHash is the prefix of the nix store basename path
	OutputHash string `mapstructure:"outputHash" json:"outputHash"`
	// Output allows for optionally specifying the specific nix package output this package represents (for packages that support multiple outputs).
	// Note: the default output for a package is an empty string, so will not be present in the output.
	Output string `mapstructure:"output" json:"output,omitempty"`
	// Files is a listing of files that are under the nix/store path for this package
	Files []string `mapstructure:"files" json:"files"`
}
func (NixStoreMetadata) OwnedFiles ¶ added in v0.76.1
func (m NixStoreMetadata) OwnedFiles() (result []string)
type NpmPackageJSONMetadata ¶ added in v0.4.0
type NpmPackageJSONMetadata struct {
	Name        string `mapstructure:"name" json:"name"`
	Version     string `mapstructure:"version" json:"version"`
	Author      string `mapstructure:"author" json:"author"`
	Homepage    string `mapstructure:"homepage" json:"homepage"`
	Description string `mapstructure:"description" json:"description"`
	URL         string `mapstructure:"url" json:"url"`
	Private     bool   `mapstructure:"private" json:"private"`
}
NpmPackageJSONMetadata holds parsing information for a javascript package.json file
type NpmPackageLockJSONMetadata ¶ added in v0.66.0
type NpmPackageLockJSONMetadata struct {
	Resolved  string `mapstructure:"resolved" json:"resolved"`
	Integrity string `mapstructure:"integrity" json:"integrity"`
}
NpmPackageLockJSONMetadata holds parsing information for a javascript package-lock.json file
type Package ¶
type Package struct {
	Name         string                                                // the package name
	Version      string                                                // the version of the package
	FoundBy      string           `hash:"ignore" cyclonedx:"foundBy"`  // the specific cataloger that discovered this package
	Locations    file.LocationSet                                      // the locations that lead to the discovery of this package (note: this is not necessarily the locations that make up this package)
	Licenses     LicenseSet                                            // licenses discovered with the package metadata
	Language     Language         `hash:"ignore" cyclonedx:"language"` // the language ecosystem this package belongs to (e.g. JavaScript, Python, etc)
	Type         Type             `cyclonedx:"type"`                   // the package type (e.g. Npm, Yarn, Python, Rpm, Deb, etc)
	CPEs         []cpe.CPE        `hash:"ignore"`                      // all possible Common Platform Enumerators (note: this is NOT included in the definition of the ID since all fields on a CPE are derived from other fields)
	PURL         string           `hash:"ignore"`                      // the Package URL (see https://github.com/package-url/purl-spec)
	MetadataType MetadataType     `cyclonedx:"metadataType"`           // the shape of the additional data in the "metadata" field
	Metadata     interface{}                                           // additional data found while parsing the package source
	// contains filtered or unexported fields
}
Package represents an application or library that has been bundled into a distributable format. TODO: if we ignore FoundBy for ID generation should we merge the field to show it was found in two places?
func (*Package) OverrideID ¶ added in v0.45.0
type PhpComposerAuthors ¶ added in v0.36.0
type PhpComposerExternalReference ¶ added in v0.36.0
type PhpComposerJSONMetadata ¶ added in v0.36.0
type PhpComposerJSONMetadata struct {
	Name            string                       `json:"name"`
	Version         string                       `json:"version"`
	Source          PhpComposerExternalReference `json:"source"`
	Dist            PhpComposerExternalReference `json:"dist"`
	Require         map[string]string            `json:"require,omitempty"`
	Provide         map[string]string            `json:"provide,omitempty"`
	RequireDev      map[string]string            `json:"require-dev,omitempty"`
	Suggest         map[string]string            `json:"suggest,omitempty"`
	License         []string                     `json:"license,omitempty"`
	Type            string                       `json:"type,omitempty"`
	NotificationURL string                       `json:"notification-url,omitempty"`
	Bin             []string                     `json:"bin,omitempty"`
	Authors         []PhpComposerAuthors         `json:"authors,omitempty"`
	Description     string                       `json:"description,omitempty"`
	Homepage        string                       `json:"homepage,omitempty"`
	Keywords        []string                     `json:"keywords,omitempty"`
	Time            string                       `json:"time,omitempty"`
}
PhpComposerJSONMetadata represents information found from composer v1/v2 "installed.json" files as well as composer.lock files
type PomParent ¶ added in v0.22.0
type PomParent struct {
	GroupID    string `json:"groupId"`
	ArtifactID string `json:"artifactId"`
	Version    string `json:"version"`
}
PomParent contains the fields within the <parent> tag in a pom.xml file
type PomProject ¶ added in v0.22.0
type PomProject struct {
    Path        string     `json:"path"`
    Parent      *PomParent `json:"parent,omitempty"`
    GroupID     string     `json:"groupId"`
    ArtifactID  string     `json:"artifactId"`
    Version     string     `json:"version"`
    Name        string     `json:"name"`
    Description string     `json:"description,omitempty"`
    URL         string     `json:"url,omitempty"`
}
PomProject represents fields of interest extracted from a Java archive's pom.xml file. See https://maven.apache.org/ref/3.6.3/maven-model/maven.html for more details.
type PomProperties ¶
type PomProperties struct {
    Path       string            `mapstructure:"path" json:"path"`
    Name       string            `mapstructure:"name" json:"name"`
    GroupID    string            `mapstructure:"groupId" json:"groupId" cyclonedx:"groupID"`
    ArtifactID string            `mapstructure:"artifactId" json:"artifactId" cyclonedx:"artifactID"`
    Version    string            `mapstructure:"version" json:"version"`
    Scope      string            `mapstructure:"scope" json:"scope,omitempty"`
    Extra      map[string]string `mapstructure:",remain" json:"extraFields,omitempty"`
}
PomProperties represents the fields of interest extracted from a Java archive's pom.properties file.
func (PomProperties) PkgTypeIndicated ¶ added in v0.15.0
func (p PomProperties) PkgTypeIndicated() Type
PkgTypeIndicated returns the package Type indicated by the data contained in the PomProperties.
type PortageFileRecord ¶ added in v0.51.0
type PortageFileRecord struct {
    Path   string       `json:"path"`
    Digest *file.Digest `json:"digest,omitempty"`
}
PortageFileRecord represents a single file attributed to a portage package.
type PortageMetadata ¶ added in v0.51.0
type PortageMetadata struct {
    InstalledSize int                 `mapstructure:"InstalledSize" json:"installedSize" cyclonedx:"installedSize"`
    Files         []PortageFileRecord `json:"files"`
}
PortageMetadata represents all captured data for a Portage package DB entry.
func (PortageMetadata) OwnedFiles ¶ added in v0.76.1
func (m PortageMetadata) OwnedFiles() (result []string)
type PythonDirectURLOriginInfo ¶ added in v0.34.0
type PythonFileDigest ¶ added in v0.8.0
PythonFileDigest represents the file metadata for a single file attributed to a python package.
type PythonFileRecord ¶ added in v0.4.0
type PythonFileRecord struct {
    Path   string            `json:"path"`
    Digest *PythonFileDigest `json:"digest,omitempty"`
    Size   string            `json:"size,omitempty"`
}
PythonFileRecord represents a single entry within a RECORD file for a python wheel or egg package.
type PythonPackageMetadata ¶ added in v0.4.0
type PythonPackageMetadata struct {
    Name                 string                     `json:"name" mapstruct:"Name"`
    Version              string                     `json:"version" mapstruct:"Version"`
    Author               string                     `json:"author" mapstruct:"Author"`
    AuthorEmail          string                     `json:"authorEmail" mapstruct:"Authoremail"`
    Platform             string                     `json:"platform" mapstruct:"Platform"`
    Files                []PythonFileRecord         `json:"files,omitempty"`
    SitePackagesRootPath string                     `json:"sitePackagesRootPath"`
    TopLevelPackages     []string                   `json:"topLevelPackages,omitempty"`
    DirectURLOrigin      *PythonDirectURLOriginInfo `json:"directUrlOrigin,omitempty"`
}
PythonPackageMetadata represents all captured data for a python egg or wheel package.
func (PythonPackageMetadata) OwnedFiles ¶ added in v0.24.0
func (m PythonPackageMetadata) OwnedFiles() (result []string)
type PythonPipfileLockMetadata ¶ added in v0.66.0
type PythonRequirementsMetadata ¶ added in v0.80.0
type PythonRequirementsMetadata struct {
    Name              string            `json:"name" mapstruct:"Name"`
    Extras            []string          `json:"extras" mapstruct:"Extras"`
    VersionConstraint string            `json:"versionConstraint" mapstruct:"VersionConstraint"`
    URL               string            `json:"url" mapstruct:"URL"`
    Markers           map[string]string `json:"markers" mapstruct:"Markers"`
}
type RDescriptionFileMetadata ¶ added in v0.81.0
type RDescriptionFileMetadata struct {
    /*
       Fields chosen by:
       docker run --rm -it rocker/r-ver bash
       $ install2.r ggplot2 # has a lot of dependencies
       $ find /usr/local/lib/R -name DESCRIPTION | xargs cat | grep -v '^\s' | cut -d ':' -f 1 | sort | uniq -c | sort -nr
    */
    Title            string   `json:"title,omitempty"`
    Description      string   `json:"description,omitempty"`
    Author           string   `json:"author,omitempty"`
    Maintainer       string   `json:"maintainer,omitempty"`
    URL              []string `json:"url,omitempty"`
    Repository       string   `json:"repository,omitempty"`
    Built            string   `json:"built,omitempty"`
    NeedsCompilation bool     `json:"needsCompilation,omitempty"`
    Imports          []string `json:"imports,omitempty"`
    Depends          []string `json:"depends,omitempty"`
    Suggests         []string `json:"suggests,omitempty"`
}
type RebarLockMetadata ¶ added in v0.66.0
type RpmMetadata ¶
type RpmMetadata struct {
    Name            string            `json:"name"`
    Version         string            `json:"version"`
    Epoch           *int              `json:"epoch" cyclonedx:"epoch" jsonschema:"nullable"`
    Arch            string            `json:"architecture"`
    Release         string            `json:"release" cyclonedx:"release"`
    SourceRpm       string            `json:"sourceRpm" cyclonedx:"sourceRpm"`
    Size            int               `json:"size" cyclonedx:"size"`
    Vendor          string            `json:"vendor"`
    ModularityLabel string            `json:"modularityLabel"`
    Files           []RpmdbFileRecord `json:"files"`
}
RpmMetadata represents all captured data for an RPM DB package entry.
func (RpmMetadata) OwnedFiles ¶ added in v0.56.0
func (m RpmMetadata) OwnedFiles() (result []string)
type RpmdbFileMode ¶ added in v0.6.0
type RpmdbFileMode uint16
RpmdbFileMode is the raw file mode for a single file. It can be interpreted as the Linux stat.h mode (see https://pubs.opengroup.org/onlinepubs/007908799/xsh/sysstat.h.html).
type RpmdbFileRecord ¶ added in v0.6.0
type RpmdbFileRecord struct {
    Path      string        `json:"path"`
    Mode      RpmdbFileMode `json:"mode"`
    Size      int           `json:"size"`
    Digest    file.Digest   `json:"digest"`
    UserName  string        `json:"userName"`
    GroupName string        `json:"groupName"`
    Flags     string        `json:"flags"`
}
RpmdbFileRecord represents the file metadata for a single file attributed to an RPM package.
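Because RpmdbFileMode is the raw st_mode value, the file-type and special-permission bits from sys/stat.h can be read straight out of an RPM-derived inventory. The following is an added example (not syft's own code) that decodes the mode with the POSIX masks, renders it in the familiar ls -l form, and picks out the records a reviewer would look at first: set-UID/set-GID regular files and world-writable paths. It uses a reduced RpmdbFileRecord (Path, Mode, UserName only) and constructed sample records rather than real RPM database output.

```go
package main

import "fmt"

// RpmdbFileMode mirrors the type documented above: the raw st_mode value stored
// for one file in the RPM database, i.e. file-type bits plus permission bits as
// laid out in POSIX <sys/stat.h>.
type RpmdbFileMode uint16

// RpmdbFileRecord is a reduced stand-in for the record documented above
// (only the fields this example needs; Size, Digest, GroupName and Flags are omitted).
type RpmdbFileRecord struct {
	Path     string
	Mode     RpmdbFileMode
	UserName string
}

// Bit masks from <sys/stat.h>, named after their POSIX counterparts.
const (
	sIFMT   RpmdbFileMode = 0o170000 // file type mask
	sIFREG  RpmdbFileMode = 0o100000 // regular file
	sIFDIR  RpmdbFileMode = 0o040000 // directory
	sIFLNK  RpmdbFileMode = 0o120000 // symbolic link
	sIFCHR  RpmdbFileMode = 0o020000 // character device
	sIFBLK  RpmdbFileMode = 0o060000 // block device
	sIFIFO  RpmdbFileMode = 0o010000 // FIFO
	sIFSOCK RpmdbFileMode = 0o140000 // socket
	sISUID  RpmdbFileMode = 0o4000   // set-user-ID on execution
	sISGID  RpmdbFileMode = 0o2000   // set-group-ID on execution
	sISVTX  RpmdbFileMode = 0o1000   // sticky bit
)

func (m RpmdbFileMode) IsRegular() bool       { return m&sIFMT == sIFREG }
func (m RpmdbFileMode) IsDir() bool           { return m&sIFMT == sIFDIR }
func (m RpmdbFileMode) IsSetUID() bool        { return m&sISUID != 0 }
func (m RpmdbFileMode) IsSetGID() bool        { return m&sISGID != 0 }
func (m RpmdbFileMode) IsWorldWritable() bool { return m&0o002 != 0 }

// String renders the mode in the ten-column form ls -l uses, e.g. "-rwsr-xr-x".
func (m RpmdbFileMode) String() string {
	buf := []byte("----------")
	switch m & sIFMT {
	case sIFDIR:
		buf[0] = 'd'
	case sIFLNK:
		buf[0] = 'l'
	case sIFCHR:
		buf[0] = 'c'
	case sIFBLK:
		buf[0] = 'b'
	case sIFIFO:
		buf[0] = 'p'
	case sIFSOCK:
		buf[0] = 's'
	}
	// permission bits, highest (owner read, 0o400) first
	for i := 0; i < 9; i++ {
		if m&(RpmdbFileMode(1)<<uint(8-i)) != 0 {
			buf[1+i] = "rwx"[i%3]
		}
	}
	// special bits overlay the execute column of their class
	overlay := func(idx int, set bool, lower, upper byte) {
		if !set {
			return
		}
		if buf[idx] == 'x' {
			buf[idx] = lower
		} else {
			buf[idx] = upper
		}
	}
	overlay(3, m.IsSetUID(), 's', 'S')
	overlay(6, m.IsSetGID(), 's', 'S')
	overlay(9, m&sISVTX != 0, 't', 'T')
	return string(buf)
}

// PrivilegedFiles returns the paths of regular files that are set-UID or
// set-GID, plus anything world-writable other than a sticky directory such as
// /tmp: the entries worth reviewing first in an RPM-derived inventory.
func PrivilegedFiles(records []RpmdbFileRecord) []string {
	var out []string
	for _, r := range records {
		switch {
		case r.Mode.IsRegular() && (r.Mode.IsSetUID() || r.Mode.IsSetGID()):
			out = append(out, r.Path)
		case r.Mode.IsWorldWritable() && !(r.Mode.IsDir() && r.Mode&sISVTX != 0):
			out = append(out, r.Path)
		}
	}
	return out
}

// SampleRecords is a constructed inventory (not real RPM data) used by main and the tests.
var SampleRecords = []RpmdbFileRecord{
	{Path: "/usr/bin/passwd", Mode: 0o104755, UserName: "root"},
	{Path: "/usr/bin/wall", Mode: 0o102755, UserName: "root"},
	{Path: "/etc/motd", Mode: 0o100644, UserName: "root"},
	{Path: "/tmp", Mode: 0o041777, UserName: "root"},
	{Path: "/var/lib/app/cache.db", Mode: 0o100666, UserName: "app"},
}

func main() {
	for _, r := range SampleRecords {
		fmt.Printf("%s %-5s %s\n", r.Mode, r.UserName, r.Path)
	}
	fmt.Println("review:", PrivilegedFiles(SampleRecords))
}
```

The sticky-directory exception is deliberate: a world-writable directory with the sticky bit set is the normal shape of /tmp, whereas a world-writable regular file owned by a service account is the kind of entry that deserves a second look.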
type Type ¶
type Type string
Type represents a Package Type for or within a language ecosystem (there may be multiple package types within a language ecosystem)
const (
    // the full set of supported packages
    UnknownPkg            Type = "UnknownPackage"
    AlpmPkg               Type = "alpm"
    ApkPkg                Type = "apk"
    BinaryPkg             Type = "binary"
    CocoapodsPkg          Type = "pod"
    ConanPkg              Type = "conan"
    DartPubPkg            Type = "dart-pub"
    DebPkg                Type = "deb"
    DotnetPkg             Type = "dotnet"
    GemPkg                Type = "gem"
    GoModulePkg           Type = "go-module"
    GraalVMNativeImagePkg Type = "graalvm-native-image"
    HackagePkg            Type = "hackage"
    HexPkg                Type = "hex"
    JavaPkg               Type = "java-archive"
    JenkinsPluginPkg      Type = "jenkins-plugin"
    KbPkg                 Type = "msrc-kb"
    LinuxKernelPkg        Type = "linux-kernel"
    LinuxKernelModulePkg  Type = "linux-kernel-module"
    NixPkg                Type = "nix"
    NpmPkg                Type = "npm"
    PhpComposerPkg        Type = "php-composer"
    PortagePkg            Type = "portage"
    PythonPkg             Type = "python"
    Rpkg                  Type = "R-package"
    RpmPkg                Type = "rpm"
    RustPkg               Type = "rust-crate"
)
func TypeByName ¶ added in v0.38.0
func TypeFromPURL ¶ added in v0.37.0
func (Type) PackageURLType ¶
PackageURLType returns the PURL package type for the current package.
Source Files ¶
- alpm_metadata.go
- apk_metadata.go
- binary_metadata.go
- cargo_package_metadata.go
- catalog.go
- cataloger.go
- cocoapods_metadata.go
- conan_lock_metadata.go
- conan_metadata.go
- dart_pub_metadata.go
- deprecated.go
- dotnet_deps_metadata.go
- dpkg_metadata.go
- evidence.go
- file_metadata.go
- file_owner.go
- gem_metadata.go
- golang_metadata.go
- hackage_metadata.go
- java_metadata.go
- kb_package_metadata.go
- language.go
- license.go
- license_set.go
- linux_kernel_metadata.go
- metadata.go
- mix_lock_metadata.go
- nix_store_metadata.go
- npm_package_json_metadata.go
- npm_package_lock_json_metadata.go
- package.go
- php_composer_json_metadata.go
- portage_metadata.go
- python_package_metadata.go
- python_pipefile_lock_metadata.go
- python_requirements_metadata.go
- r_package_metadata.go
- rebar_lock_metadata.go
- relationships.go
- relationships_by_file_ownership.go
- relationships_evident_by.go
- rpm_metadata.go
- type.go
- url.go
Directories ¶
Path | Synopsis
---|---
 | Package cataloger provides the ability to process files from a container image or file system and discover packages (gems, wheels, jars, rpms, debs, etc).
apkdb | Package apkdb provides a concrete Cataloger implementation for Alpine DB files.
deb | Package deb provides a concrete Cataloger implementation for Debian package DB status files.
elixir | Package elixir provides a concrete Cataloger implementation for elixir specific package manager files.
erlang | Package erlang provides a concrete Cataloger implementation for erlang specific package manager files.
golang | Package golang provides a concrete Cataloger implementation for go.mod files.
java | Package java provides a concrete Cataloger implementation for Java archives (jar, war, ear, par, sar, jpi, hpi, and native-image formats).
javascript | Package javascript provides a concrete Cataloger implementation for JavaScript ecosystem files (yarn and npm).
kernel | Package kernel provides a concrete Cataloger implementation for linux kernel and module files.
php | Package php provides a concrete Cataloger implementation for PHP ecosystem files.
portage | Package portage provides a concrete Cataloger implementation for Gentoo Portage.
rpm | Package rpm provides a concrete DBCataloger implementation for RPM "Package" DB files and a FileCataloger for RPM files.
ruby | Package ruby bundler provides a concrete Cataloger implementation for Ruby Gemfile.lock bundler files.
rust | Package rust provides a concrete Cataloger implementation for Cargo.lock files.
swift | Package swift provides a concrete Cataloger implementation for Podfile.lock files.