spdx

package
v0.5.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 31, 2023 License: Apache-2.0 Imports: 52 Imported by: 11

Documentation

Overview

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

Index

Constants

View Source 
const (
	GoModFileName = "go.mod"
	GoSumFileName = "go.sum"
)
View Source 
const (

	// Consts of some SPDX expressions
	NONE        = "NONE"
	NOASSERTION = "NOASSERTION"

	CatPackageManager = "PACKAGE-MANAGER"
)
View Source 
const FormatJSON = "json"

FormatJSON is the JSON format for an SPDX document.

View Source 
const FormatTagValue = "tag-value"

FormatTagValue is the default format for an SPDX document.

View Source 
const (
	MessageHashMismatch = "Hash mismatch"
)

Variables

View Source 
var DefaultProvenanceOptions = &ProvenanceOptions{
	Relationships: map[string][]RelationshipType{
		"include": {},
		"exclude": {
			EXAMPLE_OF,
			DEPENDS_ON,
		},
	},
}

DefaultProvenanceOptions we consider examples and dependencies as not part of the doc

View Source 
var ExternalRefCategories = map[string][]string{
	"SECURITY":        {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"},
	"PACKAGE_MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
	"PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
	"PERSISTENT-ID":   {"swh", "gitoid"},
	"PERSISTENT_ID":   {"swh", "gitoid"},
	"OTHER":           {},
}
View Source 
var PackagePurposes = []string{
	"APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
	"DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
}

PackagePurposes lists the valid package purposes https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field

View Source 
var (
	SupportedHashAlgorithms = []string{"SHA1", "SHA256", "SHA25"}
)

Functions 

func Banner() string

func DetectSBOMEncoding added in v0.3.0 

func DetectSBOMEncoding(f *os.File) (format string, err error)

detectSBOMEncoding reads a few bytes from the SBOM and returns

func PullImageToArchive 

func PullImageToArchive(referenceString, path string) error

Types

type ArchiveManifest 

type ArchiveManifest struct {
	ConfigFilename string   `json:"Config"`
	RepoTags       []string `json:"RepoTags"`
	LayerFiles     []string `json:"Layers"`
}

type ContainerLayerAnalyzer 

type ContainerLayerAnalyzer interface {
	ReadPackageData(layerPath string, pkg *Package) error
	CanHandle(layerPath string) (bool, error)
}

ContainerLayerAnalyzer is an interface that knows how to read a known container layer and populate a SPDX package

type ContainerLayerAnalyzerOptions 

type ContainerLayerAnalyzerOptions struct {
	LicenseCacheDir string
}

type DocBuilder 

type DocBuilder struct {
	// contains filtered or unexported fields
}

DocBuilder is a tool to write SPDX SBOMs. It is configurable by defining values in its DocBuilderOptions. Options to customize the generated document are passed to the Generate() method in DocGenerateOptions struct.

func NewDocBuilder 

func NewDocBuilder(options ...NewDocBuilderOption) *DocBuilder

func (*DocBuilder) Generate 

func (db *DocBuilder) Generate(genopts *DocGenerateOptions) (*Document, error)

Generate creates a new SPDX SBOM. The resulting document will describe the all artifacts specified in the DocGenerateOptions struct passed.

type DocBuilderImplementation 

type DocBuilderImplementation interface {
	WriteDoc(*Document, string) error
	ReadYamlConfiguration(string, *DocGenerateOptions) error
	CreateSPDXClient(*DocGenerateOptions, *DocBuilderOptions) (*SPDX, error)
	ValidateOptions(*DocGenerateOptions) error

	// Document generation functions
	CreateDocument(*DocGenerateOptions, *SPDX) (*Document, error)
	ScanDirectories(*DocGenerateOptions, *SPDX, *Document) error
	ScanImages(*DocGenerateOptions, *SPDX, *Document) error
	ScanImageArchives(*DocGenerateOptions, *SPDX, *Document) error
	ScanArchives(*DocGenerateOptions, *SPDX, *Document) error
	ScanFiles(*DocGenerateOptions, *SPDX, *Document) error
}

type DocBuilderOptions 

type DocBuilderOptions struct {
	WorkDir string // Working directory (defaults to a tmp dir)
}

type DocGenerateOptions 

type DocGenerateOptions struct {
	AnalyseLayers       bool                  // A flag that controls if deep layer analysis should be performed
	NoGitignore         bool                  // Do not read exclusions from gitignore file
	ProcessGoModules    bool                  // Analyze go.mod to include data about packages
	OnlyDirectDeps      bool                  // Only include direct dependencies from go.mod
	ScanLicenses        bool                  // Try to look into files to determine their license
	ScanImages          bool                  // When true, scan images for OS information
	ConfigFile          string                // Path to SBOM configuration file
	Format              string                // Output format
	OutputFile          string                // Output location
	Name                string                // Name to use in the resulting document
	Namespace           string                // Namespace for the document (a unique URI)
	CreatorPerson       string                // Document creator information
	License             string                // Main license of the document
	LicenseListVersion  string                // Version of the SPDX list to use
	Tarballs            []string              // A slice of docker archives (tar)
	Archives            []string              // A list of archive files to add as packages
	Files               []string              // A slice of naked files to include in the bom
	Images              []string              // A slice of docker images
	Directories         []string              // A slice of directories to convert into packages
	IgnorePatterns      []string              // A slice of regexp patterns to ignore when scanning dirs
	ExternalDocumentRef []ExternalDocumentRef // List of external documents related to the bom
}

func (*DocGenerateOptions) Validate 

func (o *DocGenerateOptions) Validate() error

type Document 

type Document struct {
	Version     string // SPDX-2.2
	DataLicense string // CC0-1.0
	ID          string // SPDXRef-DOCUMENT
	Name        string // hello-go-src
	Namespace   string // https://swinslow.net/spdx-examples/example6/hello-go-src-v1
	Creator     struct {
		Person       string // Steve Winslow (steve@swinslow.net)
		Organization string
		Tool         []string // github.com/spdx/tools-golang/builder
	}
	Created            time.Time // 2020-11-24T01:12:27Z
	LicenseListVersion string
	Packages           map[string]*Package
	Files              map[string]*File      // List of files
	ExternalDocRefs    []ExternalDocumentRef // List of related external documents
}

Document abstracts the SPDX document

func NewDocument 

func NewDocument() *Document

NewDocument returns a new SPDX document with some defaults preloaded

func OpenDoc 

func OpenDoc(path string) (doc *Document, err error)

OpenDoc opens a file, parses a SPDX tag-value file and returns a loaded spdx.Document object. This functions has the cyclomatic chec disabled as it spans specific cases for each of the tags it recognizes.

func (*Document) AddFile 

func (d *Document) AddFile(file *File) error

AddFile adds a file contained in the package

func (*Document) AddPackage 

func (d *Document) AddPackage(pkg *Package) error

AddPackage adds a new empty package to the document

func (*Document) GetElementByID added in v0.2.2 

func (d *Document) GetElementByID(id string) Object

GetPackageByID queries the packages to search for a specific entity by name note that this method returns a copy of the entity if found.

func (*Document) GetPackagesByPurl added in v0.3.0 

func (d *Document) GetPackagesByPurl(purlSpec *purl.PackageURL, opts ...PurlSearchOption) []*Package

GetPackagesByPurl queries the document packages and returns all that match the specified purl bits

func (*Document) Outline 

func (d *Document) Outline(o *DrawingOptions) (outline string, err error)

Outline draws an outline of the relationships inside the doc

func (*Document) Render 

func (d *Document) Render() (doc string, err error)

Render reders the spdx manifest

func (*Document) ToProvenanceStatement 

func (d *Document) ToProvenanceStatement(opts *ProvenanceOptions) *provenance.Statement

func (*Document) ValidateFiles added in v0.3.0 

func (d *Document) ValidateFiles(filePaths []string) ([]ValidationResults, error)

ValidateFiles gets a list of paths and checks the files in the document to make sure their integrity is known

func (*Document) Write 

func (d *Document) Write(path string) error

Write outputs the SPDX document into a file

func (*Document) WriteProvenanceStatement added in v0.2.0 

func (d *Document) WriteProvenanceStatement(opts *ProvenanceOptions, path string) error

WriteProvenanceStatement writes the sbom as an in-toto provenance statement

type DrawingOptions 

type DrawingOptions struct {
	Width       int
	Height      int
	Recursion   int
	DisableTerm bool
	LastItem    bool
	SkipName    bool
	OnlyIDs     bool
	ASCIIOnly   bool
	Purls       bool
	Version     bool
}

type Entity 

type Entity struct {
	ID               string            // Identifier string  for the object in the doc
	SourceFile       string            // Local file to read for information
	Name             string            // Name of the package
	DownloadLocation string            // Download point for the entity
	CopyrightText    string            // NOASSERTION
	FileName         string            // Name of the file
	LicenseConcluded string            // LicenseID o NOASSERTION
	LicenseComments  string            // record any relevant background information or analysis that went in to arriving at the Concluded License
	Opts             *ObjectOptions    // Entity options
	Relationships    []*Relationship   // List of objects that have a relationship woth this package
	Checksum         map[string]string // Colection of source file checksums
}

func (*Entity) AddRelationship 

func (e *Entity) AddRelationship(rel *Relationship)

AddRelated this adds a related object to the file to be rendered on the document. The exact output depends on the related obj options

func (*Entity) BuildID 

func (e *Entity) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*Entity) GetElementByID added in v0.2.2 

func (e *Entity) GetElementByID(string) Object

GetElementByID nil function to be overridden by package and file

func (*Entity) GetRelationships 

func (e *Entity) GetRelationships() *[]*Relationship

func (*Entity) Options 

func (e *Entity) Options() *ObjectOptions

func (*Entity) ReadChecksums 

func (e *Entity) ReadChecksums(filePath string) error

ReadChecksums receives a path to a file and calculates its checksums

func (*Entity) ReadSourceFile 

func (e *Entity) ReadSourceFile(path string) error

ReadSourceFile reads the source file for the package and populates 

the fields derived from it (Checksums and FileName)

func (*Entity) Render 

func (e *Entity) Render() (string, error)

Render is overridden by Package and File with their own variants

func (*Entity) SPDXID 

func (e *Entity) SPDXID() string

SPDXID returns the SPDX reference string for the object

func (*Entity) SetSPDXID added in v0.2.2 

func (e *Entity) SetSPDXID(id string)

SPDXID returns the SPDX reference string for the object

func (*Entity) ToProvenanceSubject 

func (e *Entity) ToProvenanceSubject() *intoto.Subject

ToProvenanceSubject converts the element to an intoto subject, suitable to use inprovenance attestaions

type ExternalDocumentRef 

type ExternalDocumentRef struct {
	ID        string            `yaml:"id"`        // Identifier for the external doc (eg "external-source-bom")
	URI       string            `yaml:"uri"`       // URI where the doc can be retrieved
	Checksums map[string]string `yaml:"checksums"` // Document checksums
}

ExternalDocumentRef is a pointer to an external, related document

func (*ExternalDocumentRef) ReadSourceFile 

func (ed *ExternalDocumentRef) ReadSourceFile(path string) error

ReadSourceFile populates the external reference data (the sha256 checksum) from a given path

func (*ExternalDocumentRef) String 

func (ed *ExternalDocumentRef) String() string

String returns the SPDX string of the external document ref

type ExternalRef 

type ExternalRef struct {
	Category string // SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER
	Type     string // cpe22Type | cpe23Type | maven-central | npm | nuget | bower | purl | swh | other
	Locator  string // unique string with no spaces
}

Example: cpe23Type cpe:2.3:a:base-files:base-files:10.3+deb10u9:*:*:*:*:*:*:*

type File 

type File struct {
	Entity
	FileType          []string
	LicenseInfoInFile string // GPL-3.0-or-later
}

File abstracts a file contained in a package

func NewFile 

func NewFile() (f *File)

func (*File) BuildID 

func (f *File) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*File) Draw 

func (f *File) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})

Draw renders the file data as a tree-like structure

func (*File) GetElementByID added in v0.2.2 

func (f *File) GetElementByID(id string) Object

GetElementByID search the file and its peers looking for the specified SPDX id. If found, the function returns a copy of the object identified by the SPDX-ID provided

func (*File) ReadSourceFile added in v0.2.0 

func (f *File) ReadSourceFile(path string) error

func (*File) Render 

func (f *File) Render() (docFragment string, err error)

Render renders the document fragment of a file

func (*File) SetEntity 

func (f *File) SetEntity(e *Entity)

type Format added in v0.3.0 

type Format string

Format is valid format for an SPDX document.

type GoModDefaultImpl 

type GoModDefaultImpl struct {
	// contains filtered or unexported fields
}

func (*GoModDefaultImpl) BuildPackageList 

func (di *GoModDefaultImpl) BuildPackageList(gomod *modfile.File) ([]*GoPackage, error)

BuildPackageList builds a slice of packages to assign to the module

func (*GoModDefaultImpl) DownloadPackage 

func (di *GoModDefaultImpl) DownloadPackage(pkg *GoPackage, _ *GoModuleOptions, force bool) error

DownloadPackage takes a pkg, downloads it from its src and sets 

the download dir in the LocalDir field

func (*GoModDefaultImpl) LicenseReader 

func (di *GoModDefaultImpl) LicenseReader() (*license.Reader, error)

LicenseReader returns a license reader

func (*GoModDefaultImpl) OpenModule 

func (di *GoModDefaultImpl) OpenModule(opts *GoModuleOptions) (*modfile.File, error)

OpenModule opens the go,mod file for the module and parses it

func (*GoModDefaultImpl) RemoveDownloads 

func (di *GoModDefaultImpl) RemoveDownloads(packageList []*GoPackage) error

RemoveDownloads takes a list of packages and remove its downloads

func (*GoModDefaultImpl) ScanPackageLicense 

func (di *GoModDefaultImpl) ScanPackageLicense(
	pkg *GoPackage, reader *license.Reader, _ *GoModuleOptions,
) error

ScanPackageLicense scans a package for licensing info

type GoModImplementation 

type GoModImplementation interface {
	OpenModule(*GoModuleOptions) (*modfile.File, error)
	BuildPackageList(*modfile.File) ([]*GoPackage, error)
	DownloadPackage(*GoPackage, *GoModuleOptions, bool) error
	RemoveDownloads([]*GoPackage) error
	LicenseReader() (*license.Reader, error)
	ScanPackageLicense(*GoPackage, *license.Reader, *GoModuleOptions) error
}

type GoModule 

type GoModule struct {
	GoMod *modfile.File

	Packages []*GoPackage // maps of package download locations
	// contains filtered or unexported fields
}

GoModule abstracts the go module data of a project

func NewGoModule 

func NewGoModule() *GoModule

func NewGoModuleFromPath 

func NewGoModuleFromPath(path string) (*GoModule, error)

NewGoModule returns a new go module from the specified path

func (*GoModule) BuildFullPackageList 

func (mod *GoModule) BuildFullPackageList(_ *modfile.File) (packageList []*GoPackage, err error)

BuildFullPackageList return the complete of packages imported into the module, instead of reading go.mod, this functions calls go list and works from there

func (*GoModule) DownloadPackages 

func (mod *GoModule) DownloadPackages() error

DownloadPackages downloads all the module's packages to the local disk

func (*GoModule) Open 

func (mod *GoModule) Open() error

Initializes a go module from the specified path

func (*GoModule) Options 

func (mod *GoModule) Options() *GoModuleOptions

Options returns a pointer to the module options set

func (*GoModule) RemoveDownloads 

func (mod *GoModule) RemoveDownloads() error

RemoveDownloads cleans all downloads

func (*GoModule) ScanLicenses 

func (mod *GoModule) ScanLicenses() error

ScanLicenses scans the licenses and populats the fields

type GoModuleOptions 

type GoModuleOptions struct {
	Path           string // Path to the dir where go.mod resides
	OnlyDirectDeps bool   // Only include direct dependencies from go.mod
	ScanLicenses   bool   // Scan licenses from everypossible place unless false
}

type GoPackage 

type GoPackage struct {
	TmpDir        bool
	ImportPath    string
	Revision      string
	LocalDir      string
	LocalInstall  string
	LicenseID     string
	CopyrightText string
}

GoPackage basic pkg data we need

func (*GoPackage) PackageURL added in v0.3.0 

func (pkg *GoPackage) PackageURL() string

PackageURL returns a purl if the go package has enough data to generate one. If data is missing, it will return an empty string

func (*GoPackage) ToSPDXPackage 

func (pkg *GoPackage) ToSPDXPackage() (*Package, error)

SPDXPackage builds a spdx package from the go package data

type ImageAnalyzer 

type ImageAnalyzer struct {
	Analyzers map[string]ContainerLayerAnalyzer
}

ImageAnalyzer is an object that checks images to see if we can add more information to a spdx package based on its content. Each analyzer is written specifically for a layer type. The idea is to be able to enrich common base images with more data to have the most common images covered.

func NewImageAnalyzer 

func NewImageAnalyzer() *ImageAnalyzer

func (*ImageAnalyzer) AnalyzeLayer 

func (ia *ImageAnalyzer) AnalyzeLayer(layerPath string, pkg *Package) error

AnalyzeLayer is the main method of the analyzer 

it will query each of the analyzers to see if we can
extract more image from the layer and enrich the
spdx package referenced by pkg

type ImageReferenceInfo added in v0.4.0 

type ImageReferenceInfo struct {
	Digest    string
	Reference string
	Archive   string
	Arch      string
	OS        string
	MediaType string
	Images    []ImageReferenceInfo
}

ImageReferenceInfo is a type to move information about a container image reference

type NewDocBuilderOption added in v0.3.0 

type NewDocBuilderOption func(*newDocBuilderSettings)

NewDocBuilderOption is a function with operates on a newDocBuilderSettings object.

func WithFormat added in v0.3.0 

func WithFormat(format Format) NewDocBuilderOption

WithFormat returns an NewDocBuilderOption setting the format.

type Object 

type Object interface {
	SPDXID() string
	SetSPDXID(string)
	ReadSourceFile(string) error
	Render() (string, error)
	BuildID(seeds ...string)
	SetEntity(*Entity)
	AddRelationship(*Relationship)
	GetRelationships() *[]*Relationship
	ToProvenanceSubject() *intoto.Subject

	GetElementByID(string) Object
	// contains filtered or unexported methods
}

Object is an interface that dictates the common methods of spdx objects. Currently this includes files and packages.

type ObjectOptions 

type ObjectOptions struct {
	Prefix  string
	WorkDir string
}

type Options 

type Options struct {
	AnalyzeLayers      bool
	NoGitignore        bool     // Do not read exclusions from gitignore file
	ProcessGoModules   bool     // If true, spdx will check if dirs are go modules and analize the packages
	OnlyDirectDeps     bool     // Only include direct dependencies from go.mod
	ScanLicenses       bool     // Scan licenses from everypossible place unless false
	AddTarFiles        bool     // Scan and add files inside of tarfiles
	ScanImages         bool     // When true, scan container images for OS information
	LicenseCacheDir    string   // Directory to cache SPDX license downloads
	LicenseData        string   // Directory to store the SPDX licenses
	LicenseListVersion string   // Version of the SPDX license list to use
	IgnorePatterns     []string // Patterns to ignore when scanning file
}

type Package 

type Package struct {
	Entity
	sync.RWMutex
	FilesAnalyzed        bool     // true
	VerificationCode     string   // 6486e016b01e9ec8a76998cefd0705144d869234
	LicenseInfoFromFiles []string // GPL-3.0-or-later
	LicenseDeclared      string   // GPL-3.0-or-later
	Version              string   // Package version
	Comment              string   // a place for the SPDX document creator to record any general comments
	HomePage             string   // A web site that serves as the package home page
	PrimaryPurpose       string   // Estimate of the most likely package usage

	// Supplier: the actual distribution source for the package/directory
	Supplier struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}
	// Originator: For example, the SPDX file identifies the package glibc and Red Hat as the Package Supplier,
	// but the Free Software Foundation is the Package Originator.
	Originator struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}

	ExternalRefs []ExternalRef // List of external references
}

Package groups a set of files

func NewPackage 

func NewPackage() (p *Package)

func (*Package) AddDependency 

func (p *Package) AddDependency(pkg *Package) error

AddDependency adds a new subpackage as a dependency

func (*Package) AddFile 

func (p *Package) AddFile(file *File) error

AddFile adds a file contained in the package

func (*Package) AddPackage 

func (p *Package) AddPackage(pkg *Package) error

AddPackage adds a new subpackage to a package

func (*Package) BuildID 

func (p *Package) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*Package) CheckRelationships 

func (p *Package) CheckRelationships() error

CheckRelationships ensures al linked relationships are complete before rendering.

func (*Package) ComputeLicenseList added in v0.3.0 

func (p *Package) ComputeLicenseList() error

ComputeLicenseListComputes the license list from the files contained in the package

func (*Package) ComputeVerificationCode added in v0.3.0 

func (p *Package) ComputeVerificationCode() error

ComputeVerificationCode calculates the package verification code according to the SPDX spec

func (*Package) Draw 

func (p *Package) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})

Draw renders the package data as a tree-like structure

func (*Package) Files 

func (p *Package) Files() []*File

Files returns all contained files in the package

func (*Package) GetElementByID added in v0.2.2 

func (p *Package) GetElementByID(id string) Object

GetElementByID search the package and its peers looking for the specified SPDX id. If found, the function returns a copy of the object

func (*Package) GetPackagesByPurl added in v0.3.0 

func (p *Package) GetPackagesByPurl(purlSpec *purl.PackageURL, opts ...PurlSearchOption) []*Package

GetPackagesByPurl queries the package and returns all the nodes it is connected to that match the specified purl bits

func (*Package) Purl added in v0.3.0 

func (p *Package) Purl() *purl.PackageURL

Purl searches the external refs in the package and returns a parsed purl if it finds a purl PACKAGE_MANAGER extref:

func (*Package) PurlMatches added in v0.3.0 

func (p *Package) PurlMatches(spec *purl.PackageURL, _ ...PurlSearchOption) bool

PurlMatches gets a spec url and returns true if its defined parts match the analog parts in the package's purl

func (*Package) ReadSourceFile added in v0.2.0 

func (p *Package) ReadSourceFile(path string) error

ReadSourceFile reads a file from the filesystem and assigns its properties to the package metadata

func (*Package) Render 

func (p *Package) Render() (docFragment string, err error)

Render renders the document fragment of the package

func (*Package) SetEntity 

func (p *Package) SetEntity(e *Entity)

type ProvenanceOptions 

type ProvenanceOptions struct {
	Relationships map[string][]RelationshipType
}

type PurlSearchOption added in v0.3.0 

type PurlSearchOption string
const OptionVersionPattern PurlSearchOption = "VERSION_PATTERN"

type Relationship 

type Relationship struct {
	FullRender       bool             // Flag, then true the package will be rendered in the doc
	PeerReference    string           // SPDX Ref of the peer object. Will override the ID of provided package if set
	PeerExtReference string           // External doc reference if peer is a different doc
	Comment          string           // Relationship ship commnet
	Type             RelationshipType // Relationship of the specified package
	Peer             Object           // SPDX object that acts as peer
}

func (*Relationship) Render 

func (ro *Relationship) Render(hostObject Object) (string, error)

type RelationshipType 

type RelationshipType string
const (
	DESCRIBES                   RelationshipType = "DESCRIBES"
	DESCRIBED_BY                RelationshipType = "DESCRIBED_BY"
	CONTAINS                    RelationshipType = "CONTAINS"
	CONTAINED_BY                RelationshipType = "CONTAINED_BY"
	DEPENDS_ON                  RelationshipType = "DEPENDS_ON"
	DEPENDENCY_OF               RelationshipType = "DEPENDENCY_OF"
	DEPENDENCY_MANIFEST_OF      RelationshipType = "DEPENDENCY_MANIFEST_OF"
	BUILD_DEPENDENCY_OF         RelationshipType = "BUILD_DEPENDENCY_OF"
	DEV_DEPENDENCY_OF           RelationshipType = "DEV_DEPENDENCY_OF"
	OPTIONAL_DEPENDENCY_OF      RelationshipType = "OPTIONAL_DEPENDENCY_OF"
	PROVIDED_DEPENDENCY_OF      RelationshipType = "PROVIDED_DEPENDENCY_OF"
	TEST_DEPENDENCY_OF          RelationshipType = "TEST_DEPENDENCY_OF"
	RUNTIME_DEPENDENCY_OF       RelationshipType = "RUNTIME_DEPENDENCY_OF"
	EXAMPLE_OF                  RelationshipType = "EXAMPLE_OF"
	GENERATES                   RelationshipType = "GENERATES"
	GENERATED_FROM              RelationshipType = "GENERATED_FROM"
	ANCESTOR_OF                 RelationshipType = "ANCESTOR_OF"
	DESCENDANT_OF               RelationshipType = "DESCENDANT_OF"
	VARIANT_OF                  RelationshipType = "VARIANT_OF"
	DISTRIBUTION_ARTIFACT       RelationshipType = "DISTRIBUTION_ARTIFACT"
	PATCH_FOR                   RelationshipType = "PATCH_FOR"
	PATCH_APPLIED               RelationshipType = "PATCH_APPLIED"
	COPY_OF                     RelationshipType = "COPY_OF"
	FILE_ADDED                  RelationshipType = "FILE_ADDED"
	FILE_DELETED                RelationshipType = "FILE_DELETED"
	FILE_MODIFIED               RelationshipType = "FILE_MODIFIED"
	EXPANDED_FROM_ARCHIVE       RelationshipType = "EXPANDED_FROM_ARCHIVE"
	DYNAMIC_LINK                RelationshipType = "DYNAMIC_LINK"
	STATIC_LINK                 RelationshipType = "STATIC_LINK"
	DATA_FILE_OF                RelationshipType = "DATA_FILE_OF"
	TEST_CASE_OF                RelationshipType = "TEST_CASE_OF"
	BUILD_TOOL_OF               RelationshipType = "BUILD_TOOL_OF"
	DEV_TOOL_OF                 RelationshipType = "DEV_TOOL_OF"
	TEST_OF                     RelationshipType = "TEST_OF"
	TEST_TOOL_OF                RelationshipType = "TEST_TOOL_OF"
	DOCUMENTATION_OF            RelationshipType = "DOCUMENTATION_OF"
	OPTIONAL_COMPONENT_OF       RelationshipType = "OPTIONAL_COMPONENT_OF"
	METAFILE_OF                 RelationshipType = "METAFILE_OF"
	PACKAGE_OF                  RelationshipType = "PACKAGE_OF"
	AMENDS                      RelationshipType = "AMENDS"
	PREREQUISITE_FOR            RelationshipType = "PREREQUISITE_FOR"
	HAS_PREREQUISITE            RelationshipType = "HAS_PREREQUISITE"
	REQUIREMENT_DESCRIPTION_FOR RelationshipType = "REQUIREMENT_DESCRIPTION_FOR"
	SPECIFICATION_FOR           RelationshipType = "SPECIFICATION_FOR"
	OTHER                       RelationshipType = "OTHER"
)

type SPDX 

type SPDX struct {
	// contains filtered or unexported fields
}

func NewSPDX 

func NewSPDX() *SPDX

func (*SPDX) AnalyzeImageLayer 

func (spdx *SPDX) AnalyzeImageLayer(layerPath string, pkg *Package) error

AnalyzeLayer uses the collection of image analyzers to see if 

it matches a known image from which a spdx package can be
enriched with more information

func (*SPDX) ExtractTarballTmp 

func (spdx *SPDX) ExtractTarballTmp(tarPath string) (tmpDir string, err error)

ExtractTarballTmp extracts a tarball to a temp file

func (*SPDX) FileFromPath 

func (spdx *SPDX) FileFromPath(filePath string) (*File, error)

FileFromPath creates a File object from a path

func (*SPDX) ImageRefToPackage 

func (spdx *SPDX) ImageRefToPackage(reference string) (pkg *Package, err error)

ImageRefToPackage gets an image reference (tag or digest) and returns a spdx package describing it. It can take two forms:

  • When the reference is a digest (or single image), a single package describing the layers is returned
  • When the reference is an image index, the returned package is a package referencing each of the images, each in its own packages. All subpackages are returned with a relationship of VARIANT_OF

func (*SPDX) Options 

func (spdx *SPDX) Options() *Options

func (*SPDX) PackageFromArchive added in v0.2.0 

func (spdx *SPDX) PackageFromArchive(archivePath string) (imagePackage *Package, err error)

PackageFromArchive returns a SPDX package from a tarball

func (*SPDX) PackageFromDirectory 

func (spdx *SPDX) PackageFromDirectory(dirPath string) (pkg *Package, err error)

PackageFromDirectory indexes all files in a directory and builds a SPDX package describing its contents

func (*SPDX) PackageFromImageTarball 

func (spdx *SPDX) PackageFromImageTarball(tarPath string) (imagePackage *Package, err error)

PackageFromImageTarball returns a SPDX package from a tarball

func (*SPDX) PullImagesToArchive 

func (spdx *SPDX) PullImagesToArchive(reference, path string) (*ImageReferenceInfo, error)

PullImagesToArchive downloads all the images found from a reference to disk

func (*SPDX) SetImplementation 

func (spdx *SPDX) SetImplementation(impl spdxImplementation)

type TarballOptions 

type TarballOptions struct {
	ExtractDir string // Directory where the docker tar archive will be extracted
	AddFiles   bool
}

ImageOptions set of options for processing tar files

type ValidationResults added in v0.3.0 

type ValidationResults struct {
	Success          bool
	Message          string
	FileName         string
	FailedAlgorithms []string
}

type YamlBOMConfiguration 

type YamlBOMConfiguration struct {
	Namespace string `yaml:"namespace"`
	License   string `yaml:"license"` // Document wide license
	Name      string `yaml:"name"`
	Creator   struct {
		Person string `yaml:"person"`
		Tool   string `yaml:"tool"`
	} `yaml:"creator"`
	ExternalDocRefs []ExternalDocumentRef `yaml:"external-docs"`
	Artifacts       []*YamlBuildArtifact  `yaml:"artifacts"`
}

type YamlBuildArtifact 

type YamlBuildArtifact struct {
	Type      string `yaml:"type"` //  directory
	Source    string `yaml:"source"`
	License   string `yaml:"license"`   // SPDX license ID Apache-2.0
	GoModules *bool  `yaml:"gomodules"` // Shoud we scan go modules
}

Source Files

View all Source files

Directories

Path Synopsis
json
document
v2.2
v2.3
Code generated by counterfeiter.
 Code generated by counterfeiter.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.