Overview ¶
SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.
ref: https://github.com/spdx/spdx-spec/issues/11
SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.
ref: https://github.com/spdx/spdx-spec/issues/11
SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.
Index ¶
- Constants
- Variables
- func Banner() string
- func PullImageToArchive(referenceString, path string) error
- type ArchiveManifest
- type ContainerLayerAnalyzer
- type ContainerLayerAnalyzerOptions
- type DocBuilder
- type DocBuilderImplementation
- type DocBuilderOptions
- type DocGenerateOptions
- type Document
- func (d *Document) AddFile(file *File) error
- func (d *Document) AddPackage(pkg *Package) error
- func (d *Document) Outline(o *DrawingOptions) (outline string, err error)
- func (d *Document) Render() (doc string, err error)
- func (d *Document) ToProvenanceStatement(opts *ProvenanceOptions) *provenance.Statement
- func (d *Document) Write(path string) error
- func (d *Document) WriteProvenanceStatement(opts *ProvenanceOptions, path string) error
- type DrawingOptions
- type Entity
- func (e *Entity) AddRelationship(rel *Relationship)
- func (e *Entity) BuildID(seeds ...string)
- func (e *Entity) GetRelationships() *[]*Relationship
- func (e *Entity) Options() *ObjectOptions
- func (e *Entity) ReadChecksums(filePath string) error
- func (e *Entity) ReadSourceFile(path string) error
- func (e *Entity) Render() (string, error)
- func (e *Entity) SPDXID() string
- func (e *Entity) ToProvenanceSubject() *intoto.Subject
- type ExternalDocumentRef
- type ExternalRef
- type File
- type GoModDefaultImpl
- func (di *GoModDefaultImpl) BuildPackageList(gomod *modfile.File) ([]*GoPackage, error)
- func (di *GoModDefaultImpl) DownloadPackage(pkg *GoPackage, opts *GoModuleOptions, force bool) error
- func (di *GoModDefaultImpl) LicenseReader() (*license.Reader, error)
- func (di *GoModDefaultImpl) OpenModule(opts *GoModuleOptions) (*modfile.File, error)
- func (di *GoModDefaultImpl) RemoveDownloads(packageList []*GoPackage) error
- func (di *GoModDefaultImpl) ScanPackageLicense(pkg *GoPackage, reader *license.Reader, opts *GoModuleOptions) error
- type GoModImplementation
- type GoModule
- func (mod *GoModule) BuildFullPackageList(g *modfile.File) (packageList []*GoPackage, err error)
- func (mod *GoModule) DownloadPackages() error
- func (mod *GoModule) Open() error
- func (mod *GoModule) Options() *GoModuleOptions
- func (mod *GoModule) RemoveDownloads() error
- func (mod *GoModule) ScanLicenses() error
- type GoModuleOptions
- type GoPackage
- type ImageAnalyzer
- type Object
- type ObjectOptions
- type Options
- type Package
- func (p *Package) AddDependency(pkg *Package) error
- func (p *Package) AddFile(file *File) error
- func (p *Package) AddPackage(pkg *Package) error
- func (p *Package) BuildID(seeds ...string)
- func (p *Package) CheckRelationships() error
- func (p *Package) Draw(builder *strings.Builder, o *DrawingOptions, depth int, ...)
- func (p *Package) Files() []*File
- func (p *Package) ReadSourceFile(path string) error
- func (p *Package) Render() (docFragment string, err error)
- func (p *Package) SetEntity(e *Entity)
- type ProvenanceOptions
- type Relationship
- type RelationshipType
- type SPDX
- func (spdx *SPDX) AnalyzeImageLayer(layerPath string, pkg *Package) error
- func (spdx *SPDX) ExtractTarballTmp(tarPath string) (tmpDir string, err error)
- func (spdx *SPDX) FileFromPath(filePath string) (*File, error)
- func (spdx *SPDX) ImageRefToPackage(reference string) (pkg *Package, err error)
- func (spdx *SPDX) Options() *Options
- func (spdx *SPDX) PackageFromArchive(archivePath string) (imagePackage *Package, err error)
- func (spdx *SPDX) PackageFromDirectory(dirPath string) (pkg *Package, err error)
- func (spdx *SPDX) PackageFromImageTarball(tarPath string) (imagePackage *Package, err error)
- func (spdx *SPDX) PullImagesToArchive(reference, path string) ([]struct{ ... }, error)
- func (spdx *SPDX) SetImplementation(impl spdxImplementation)
- type TarballOptions
- type YamlBOMConfiguration
- type YamlBuildArtifact
Constants ¶
const (
	// GoModFileName is the file name of a Go module definition file.
	GoModFileName = "go.mod"
	// GoSumFileName is the file name of a Go module checksum file.
	GoSumFileName = "go.sum"
)
const (
	// Consts of some SPDX expressions.
	// NONE and NOASSERTION are the literal SPDX values used where a field has
	// no value (NONE) or where the document author makes no claim (NOASSERTION).
	NONE        = "NONE"
	NOASSERTION = "NOASSERTION"
)
Variables ¶
// DefaultProvenanceOptions is the default relationship filter for provenance
// statements: examples (EXAMPLE_OF) and dependencies (DEPENDS_ON) are listed
// under "exclude" because they are not considered part of the document, and
// the "include" list is left empty. Presumably consulted by
// Document.ToProvenanceStatement — confirm against that method.
var DefaultProvenanceOptions = &ProvenanceOptions{
	Relationships: map[string][]RelationshipType{
		"include": {},
		"exclude": {
			EXAMPLE_OF,
			DEPENDS_ON,
		},
	},
}
DefaultProvenanceOptions: examples and dependencies are considered not to be part of the document.
Functions ¶
func PullImageToArchive ¶
Types ¶
type ArchiveManifest ¶
type ContainerLayerAnalyzer ¶
// ContainerLayerAnalyzer is an interface that knows how to read a known
// container layer and populate a SPDX package.
type ContainerLayerAnalyzer interface {
	// ReadPackageData reads the layer stored at layerPath and populates pkg
	// with the data it finds.
	ReadPackageData(layerPath string, pkg *Package) error
	// CanHandle reports whether this analyzer recognizes the layer at
	// layerPath; an error is returned when the layer cannot be inspected.
	CanHandle(layerPath string) (bool, error)
}
ContainerLayerAnalyzer is an interface that knows how to read a known container layer and populate a SPDX package
type ContainerLayerAnalyzerOptions ¶
// ContainerLayerAnalyzerOptions holds the settings handed to container layer
// analyzers.
type ContainerLayerAnalyzerOptions struct {
	LicenseCacheDir string // Directory used to cache SPDX license downloads (presumably the same value as Options.LicenseCacheDir — confirm)
}
type DocBuilder ¶
// DocBuilder is a tool to write spdx manifests. Create one with NewDocBuilder
// and call Generate with a DocGenerateOptions to obtain a Document.
type DocBuilder struct {
	// contains filtered or unexported fields
}
DocBuilder is a tool to write spdx manifests
func NewDocBuilder ¶
func NewDocBuilder() *DocBuilder
func (*DocBuilder) Generate ¶
func (db *DocBuilder) Generate(genopts *DocGenerateOptions) (*Document, error)
Generate creates a new SPDX document describing the artifacts specified in the options
type DocBuilderImplementation ¶
// DocBuilderImplementation is the pluggable implementation behind DocBuilder:
// it generates documents, writes them to disk and reads the YAML configuration.
type DocBuilderImplementation interface {
	// GenerateDoc builds a Document from the builder options and the
	// generation options.
	GenerateDoc(*DocBuilderOptions, *DocGenerateOptions) (*Document, error)
	// WriteDoc writes the document to the path given as the string argument.
	WriteDoc(*Document, string) error
	// ReadYamlConfiguration reads the YAML configuration file at the given
	// path and applies it to the generation options.
	ReadYamlConfiguration(string, *DocGenerateOptions) error
}
type DocBuilderOptions ¶
// DocBuilderOptions configures a DocBuilder.
type DocBuilderOptions struct {
	WorkDir string // Working directory (defaults to a tmp dir)
}
type DocGenerateOptions ¶
// DocGenerateOptions describes the artifacts to include in a generated SPDX
// document and the settings that control how they are analyzed. It is the
// argument to DocBuilder.Generate; call Validate before use.
type DocGenerateOptions struct {
	AnalyseLayers       bool                  // A flag that controls if deep layer analysis should be performed
	NoGitignore         bool                  // Do not read exclusions from gitignore file
	ProcessGoModules    bool                  // Analyze go.mod to include data about packages
	OnlyDirectDeps      bool                  // Only include direct dependencies from go.mod
	ScanLicenses        bool                  // Try to look into files to determine their license
	ScanImages          bool                  // When true, scan images for OS information
	ConfigFile          string                // Path to SBOM configuration file
	OutputFile          string                // Output location
	Name                string                // Name to use in the resulting document
	Namespace           string                // Namespace for the document (a unique URI)
	CreatorPerson       string                // Document creator information
	License             string                // Main license of the document
	Tarballs            []string              // A slice of docker archives (tar)
	Archives            []string              // A list of archive files to add as packages
	Files               []string              // A slice of naked files to include in the bom
	Images              []string              // A slice of docker images
	Directories         []string              // A slice of directories to convert into packages
	IgnorePatterns      []string              // A slice of regexp patterns to ignore when scanning dirs
	ExternalDocumentRef []ExternalDocumentRef // List of external documents related to the bom
}
func (*DocGenerateOptions) Validate ¶
func (o *DocGenerateOptions) Validate() error
type Document ¶
// Document abstracts the SPDX document. The field comments give example
// values; NewDocument preloads some defaults.
type Document struct {
	Version     string // e.g. SPDX-2.2
	DataLicense string // e.g. CC0-1.0
	ID          string // e.g. SPDXRef-DOCUMENT
	Name        string // e.g. hello-go-src
	Namespace   string // e.g. https://swinslow.net/spdx-examples/example6/hello-go-src-v1
	Creator     struct {
		Person       string   // e.g. Steve Winslow (steve@swinslow.net)
		Organization string   // Creating organization, if any
		Tool         []string // e.g. github.com/spdx/tools-golang/builder
	}
	Created            time.Time             // e.g. 2020-11-24T01:12:27Z
	LicenseListVersion string                // Version of the SPDX license list used
	Packages           map[string]*Package   // Packages in the document; presumably keyed by SPDX ID — confirm against AddPackage
	Files              map[string]*File      // List of files
	ExternalDocRefs    []ExternalDocumentRef // List of related external documents
}
Document abstracts the SPDX document
func NewDocument ¶
func NewDocument() *Document
NewDocument returns a new SPDX document with some defaults preloaded
func OpenDoc ¶
OpenDoc opens a file, parses an SPDX tag-value file and returns a loaded spdx.Document object. This function has the cyclomatic check disabled as it spans specific cases for each of the tags it recognizes. nolint:gocyclo
func (*Document) AddPackage ¶
AddPackage adds a new empty package to the document
func (*Document) Outline ¶
func (d *Document) Outline(o *DrawingOptions) (outline string, err error)
Outline draws an outline of the relationships inside the doc
func (*Document) ToProvenanceStatement ¶
func (d *Document) ToProvenanceStatement(opts *ProvenanceOptions) *provenance.Statement
func (*Document) WriteProvenanceStatement ¶ added in v0.2.0
func (d *Document) WriteProvenanceStatement(opts *ProvenanceOptions, path string) error
WriteProvenanceStatement writes the sbom as an in-toto provenance statement
type DrawingOptions ¶
type Entity ¶
// Entity holds the data common to the SPDX objects in a document. It is
// embedded by Package (and presumably by File — confirm); ReadSourceFile and
// ReadChecksums populate the file-derived fields (FileName, Checksum).
type Entity struct {
	ID               string            // Identifier string for the object in the doc
	SourceFile       string            // Local file to read for information
	Name             string            // Name of the package
	DownloadLocation string            // Download point for the entity
	CopyrightText    string            // Copyright text, or NOASSERTION
	FileName         string            // Name of the file
	LicenseConcluded string            // LicenseID or NOASSERTION
	Opts             *ObjectOptions    // Entity options
	Relationships    []*Relationship   // List of objects that have a relationship with this package
	Checksum         map[string]string // Collection of source file checksums (integrity data, not a security control — see the package note on SHA1)
}
func (*Entity) AddRelationship ¶
func (e *Entity) AddRelationship(rel *Relationship)
AddRelationship adds a related object to the file, to be rendered in the document. The exact output depends on the related object's options.
func (*Entity) GetRelationships ¶
func (e *Entity) GetRelationships() *[]*Relationship
func (*Entity) Options ¶
func (e *Entity) Options() *ObjectOptions
func (*Entity) ReadChecksums ¶
ReadChecksums receives a path to a file and calculates its checksums
func (*Entity) ReadSourceFile ¶
ReadSourceFile reads the source file for the package and populates
the fields derived from it (Checksums and FileName)
func (*Entity) ToProvenanceSubject ¶
ToProvenanceSubject converts the element to an in-toto subject, suitable for use in provenance attestations
type ExternalDocumentRef ¶
// ExternalDocumentRef is a pointer to an external, related document.
// ReadSourceFile fills Checksums (the sha256 checksum) from a local path;
// a consumer that fetches the document from URI can compare it against
// Checksums before relying on its contents.
type ExternalDocumentRef struct {
	ID        string            `yaml:"id"`        // Identifier for the external doc (eg "external-source-bom")
	URI       string            `yaml:"uri"`       // URI where the doc can be retrieved
	Checksums map[string]string `yaml:"checksums"` // Document checksums
}
ExternalDocumentRef is a pointer to an external, related document
func (*ExternalDocumentRef) ReadSourceFile ¶
func (ed *ExternalDocumentRef) ReadSourceFile(path string) error
ReadSourceFile populates the external reference data (the sha256 checksum) from a given path
func (*ExternalDocumentRef) String ¶
func (ed *ExternalDocumentRef) String() string
String returns the SPDX string of the external document ref
type ExternalRef ¶
// ExternalRef is an external reference attached to a package (see
// Package.ExternalRefs).
// Example: cpe23Type cpe:2.3:a:base-files:base-files:10.3+deb10u9:*:*:*:*:*:*:*
type ExternalRef struct {
	Category string // SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER
	Type     string // cpe22Type | cpe23Type | maven-central | npm | nuget | bower | purl | swh | other
	Locator  string // unique string with no spaces
}
Example: cpe23Type cpe:2.3:a:base-files:base-files:10.3+deb10u9:*:*:*:*:*:*:*
type File ¶
File abstracts a file contained in a package
func (*File) Draw ¶
func (f *File) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})
Draw renders the file data as a tree-like structure nolint:gocritic
func (*File) ReadSourceFile ¶ added in v0.2.0
type GoModDefaultImpl ¶
// GoModDefaultImpl is the default implementation of GoModImplementation; its
// method set matches that interface.
type GoModDefaultImpl struct {
	// contains filtered or unexported fields
}
func (*GoModDefaultImpl) BuildPackageList ¶
func (di *GoModDefaultImpl) BuildPackageList(gomod *modfile.File) ([]*GoPackage, error)
BuildPackageList builds a slice of packages to assign to the module
func (*GoModDefaultImpl) DownloadPackage ¶
func (di *GoModDefaultImpl) DownloadPackage(pkg *GoPackage, opts *GoModuleOptions, force bool) error
DownloadPackage takes a pkg, downloads it from its src and sets
the download dir in the LocalDir field
func (*GoModDefaultImpl) LicenseReader ¶
func (di *GoModDefaultImpl) LicenseReader() (*license.Reader, error)
LicenseReader returns a license reader
func (*GoModDefaultImpl) OpenModule ¶
func (di *GoModDefaultImpl) OpenModule(opts *GoModuleOptions) (*modfile.File, error)
OpenModule opens the go.mod file for the module and parses it
func (*GoModDefaultImpl) RemoveDownloads ¶
func (di *GoModDefaultImpl) RemoveDownloads(packageList []*GoPackage) error
RemoveDownloads takes a list of packages and removes their downloads
func (*GoModDefaultImpl) ScanPackageLicense ¶
func (di *GoModDefaultImpl) ScanPackageLicense( pkg *GoPackage, reader *license.Reader, opts *GoModuleOptions) error
ScanPackageLicense scans a package for licensing info
type GoModImplementation ¶
// GoModImplementation is the set of operations GoModule delegates to; the
// default is GoModDefaultImpl.
type GoModImplementation interface {
	// OpenModule opens the go.mod file for the module and parses it.
	OpenModule(*GoModuleOptions) (*modfile.File, error)
	// BuildPackageList builds a slice of packages to assign to the module.
	BuildPackageList(*modfile.File) ([]*GoPackage, error)
	// DownloadPackage downloads a package from its source and records the
	// download directory in its LocalDir field; the bool presumably forces a
	// re-download — confirm.
	DownloadPackage(*GoPackage, *GoModuleOptions, bool) error
	// RemoveDownloads removes the downloads of the given packages.
	RemoveDownloads([]*GoPackage) error
	// LicenseReader returns a license reader.
	LicenseReader() (*license.Reader, error)
	// ScanPackageLicense scans a package for licensing info.
	ScanPackageLicense(*GoPackage, *license.Reader, *GoModuleOptions) error
}
type GoModule ¶
// GoModule abstracts the go module data of a project.
type GoModule struct {
	GoMod    *modfile.File // Parsed go.mod of the module
	Packages []*GoPackage  // Packages assigned to the module
	// maps of package download locations
	// contains filtered or unexported fields
}
GoModule abstracts the go module data of a project
func NewGoModule ¶
func NewGoModule() *GoModule
func NewGoModuleFromPath ¶
NewGoModuleFromPath returns a new go module from the specified path
func (*GoModule) BuildFullPackageList ¶
BuildFullPackageList returns the complete list of packages imported into the module. Instead of reading go.mod, this function calls `go list` and works from there.
func (*GoModule) DownloadPackages ¶
DownloadPackages downloads all the module's packages to the local disk
func (*GoModule) Options ¶
func (mod *GoModule) Options() *GoModuleOptions
Options returns a pointer to the module options set
func (*GoModule) RemoveDownloads ¶
RemoveDownloads cleans all downloads
func (*GoModule) ScanLicenses ¶
ScanLicenses scans the licenses and populates the fields
type GoModuleOptions ¶
type GoPackage ¶
// GoPackage holds the basic package data needed for a module dependency.
type GoPackage struct {
	TmpDir        bool   // NOTE(review): presumably marks LocalDir as a temporary download dir — confirm
	ImportPath    string // Go import path of the package
	Revision      string // Revision (version) of the package
	LocalDir      string // Download dir, set by DownloadPackage
	LocalInstall  string // Local install location — meaning not documented here
	LicenseID     string // License identifier found by the license scan
	CopyrightText string // Copyright text found by the license scan
}
GoPackage basic pkg data we need
func (*GoPackage) ToSPDXPackage ¶
ToSPDXPackage builds an SPDX package from the go package data
type ImageAnalyzer ¶
// ImageAnalyzer is an object that checks images to see if we can add more
// information to a spdx package based on its content. Each analyzer is
// written specifically for a layer type.
type ImageAnalyzer struct {
	Analyzers map[string]ContainerLayerAnalyzer // Registered layer analyzers; presumably keyed by analyzer name — confirm against NewImageAnalyzer
}
ImageAnalyzer is an object that checks images to see if we can add more
information to a spdx package based on its content. Each analyzer is written specifically for a layer type. The idea is to be able to enrich common base images with more data to have the most common images covered.
func NewImageAnalyzer ¶
func NewImageAnalyzer() *ImageAnalyzer
func (*ImageAnalyzer) AnalyzeLayer ¶
func (ia *ImageAnalyzer) AnalyzeLayer(layerPath string, pkg *Package) error
AnalyzeLayer is the main method of the analyzer
it will query each of the analyzers to see if more information can be extracted from the layer to enrich the spdx package referenced by pkg
type Object ¶
// Object is an interface that dictates the common methods of spdx objects.
// Currently this includes files and packages.
type Object interface {
	// SPDXID returns the object's SPDX identifier.
	SPDXID() string
	// ReadSourceFile reads the local file at the given path and populates
	// the fields derived from it.
	ReadSourceFile(string) error
	// Render returns the SPDX text fragment for the object.
	Render() (string, error)
	// BuildID derives the object's ID from the given seeds.
	BuildID(seeds ...string)
	// SetEntity replaces the object's underlying Entity.
	SetEntity(*Entity)
	// AddRelationship adds a related object to be rendered with this one.
	AddRelationship(*Relationship)
	// GetRelationships returns the object's relationship list.
	GetRelationships() *[]*Relationship
	// ToProvenanceSubject converts the object to an in-toto subject.
	ToProvenanceSubject() *intoto.Subject
	// contains filtered or unexported methods
}
Object is an interface that dictates the common methods of spdx objects. Currently this includes files and packages.
type ObjectOptions ¶
type Options ¶
// Options configures an SPDX instance (see SPDX.Options).
type Options struct {
	AnalyzeLayers    bool     // Perform deep layer analysis of container images
	NoGitignore      bool     // Do not read exclusions from gitignore file
	ProcessGoModules bool     // If true, spdx will check if dirs are go modules and analyze the packages
	OnlyDirectDeps   bool     // Only include direct dependencies from go.mod
	ScanLicenses     bool     // Scan licenses from every possible place unless false
	AddTarFiles      bool     // Scan and add files inside of tarfiles
	ScanImages       bool     // When true, scan container images for OS information
	LicenseCacheDir  string   // Directory to cache SPDX license downloads
	LicenseData      string   // Directory to store the SPDX licenses
	IgnorePatterns   []string // Patterns to ignore when scanning files
}
type Package ¶
// Package groups a set of files. It embeds Entity for the common SPDX fields
// and a sync.RWMutex, so a Package must be passed by pointer and never copied.
type Package struct {
	Entity
	sync.RWMutex
	FilesAnalyzed        bool     // true
	VerificationCode     string   // e.g. 6486e016b01e9ec8a76998cefd0705144d869234 (SPDX package verification code; integrity data, not a security control — see the package note on SHA1)
	LicenseInfoFromFiles []string // GPL-3.0-or-later
	LicenseDeclared      string   // GPL-3.0-or-later
	LicenseComments      string   // record any relevant background information or analysis that went in to arriving at the Concluded License
	Version              string   // Package version
	Comment              string   // a place for the SPDX document creator to record any general comments
	// Supplier: the actual distribution source for the package/directory
	Supplier struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}
	// Originator: For example, the SPDX file identifies the package glibc and Red Hat as the Package Supplier,
	// but the Free Software Foundation is the Package Originator.
	Originator struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}
	ExternalRefs []ExternalRef // List of external references
}
Package groups a set of files
func NewPackage ¶
func NewPackage() (p *Package)
func (*Package) AddDependency ¶
AddDependency adds a new subpackage as a dependency
func (*Package) AddPackage ¶
AddPackage adds a new subpackage to a package
func (*Package) CheckRelationships ¶
CheckRelationships ensures all linked relationships are complete before rendering.
func (*Package) Draw ¶
func (p *Package) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})
Draw renders the package data as a tree-like structure nolint:gocritic
func (*Package) ReadSourceFile ¶ added in v0.2.0
type ProvenanceOptions ¶
// ProvenanceOptions controls which relationships are carried into a
// provenance statement; see DefaultProvenanceOptions for the expected keys.
type ProvenanceOptions struct {
	Relationships map[string][]RelationshipType // Relationship types listed under "include" and "exclude"
}
type Relationship ¶
// Relationship links an SPDX object to a peer object, optionally in another
// document.
type Relationship struct {
	FullRender       bool             // Flag; when true the package will be rendered in the doc
	PeerReference    string           // SPDX Ref of the peer object. Will override the ID of provided package if set
	PeerExtReference string           // External doc reference if peer is a different doc
	Comment          string           // Relationship comment
	Type             RelationshipType // Relationship of the specified package
	Peer             Object           // SPDX object that acts as peer
}
type RelationshipType ¶
// RelationshipType is the SPDX relationship type between two objects; the
// recognized values are the constants declared below.
type RelationshipType string
// SPDX relationship types (the document version used here is SPDX-2.2).
const (
	DESCRIBES              RelationshipType = "DESCRIBES"
	DESCRIBED_BY           RelationshipType = "DESCRIBED_BY"
	CONTAINS               RelationshipType = "CONTAINS"
	CONTAINED_BY           RelationshipType = "CONTAINED_BY"
	DEPENDS_ON             RelationshipType = "DEPENDS_ON"
	DEPENDENCY_OF          RelationshipType = "DEPENDENCY_OF"
	DEPENDENCY_MANIFEST_OF RelationshipType = "DEPENDENCY_MANIFEST_OF"
	BUILD_DEPENDENCY_OF    RelationshipType = "BUILD_DEPENDENCY_OF"
	DEV_DEPENDENCY_OF      RelationshipType = "DEV_DEPENDENCY_OF"
	OPTIONAL_DEPENDENCY_OF RelationshipType = "OPTIONAL_DEPENDENCY_OF"
	PROVIDED_DEPENDENCY_OF RelationshipType = "PROVIDED_DEPENDENCY_OF"
	TEST_DEPENDENCY_OF     RelationshipType = "TEST_DEPENDENCY_OF"
	RUNTIME_DEPENDENCY_OF  RelationshipType = "RUNTIME_DEPENDENCY_OF"
	EXAMPLE_OF             RelationshipType = "EXAMPLE_OF"
	GENERATES              RelationshipType = "GENERATES"
	GENERATED_FROM         RelationshipType = "GENERATED_FROM"
	ANCESTOR_OF            RelationshipType = "ANCESTOR_OF"
	DESCENDANT_OF          RelationshipType = "DESCENDANT_OF"
	VARIANT_OF             RelationshipType = "VARIANT_OF"
	DISTRIBUTION_ARTIFACT  RelationshipType = "DISTRIBUTION_ARTIFACT"
	PATCH_FOR              RelationshipType = "PATCH_FOR"
	PATCH_APPLIED          RelationshipType = "PATCH_APPLIED"
	COPY_OF                RelationshipType = "COPY_OF"
	FILE_ADDED             RelationshipType = "FILE_ADDED"
	FILE_DELETED           RelationshipType = "FILE_DELETED"
	FILE_MODIFIED          RelationshipType = "FILE_MODIFIED"
	EXPANDED_FROM_ARCHIVE  RelationshipType = "EXPANDED_FROM_ARCHIVE"
	DYNAMIC_LINK           RelationshipType = "DYNAMIC_LINK"
	STATIC_LINK            RelationshipType = "STATIC_LINK"
	DATA_FILE_OF           RelationshipType = "DATA_FILE_OF"
	TEST_CASE_OF           RelationshipType = "TEST_CASE_OF"
	BUILD_TOOL_OF          RelationshipType = "BUILD_TOOL_OF"
	DEV_TOOL_OF            RelationshipType = "DEV_TOOL_OF"
	TEST_OF                RelationshipType = "TEST_OF"
	TEST_TOOL_OF           RelationshipType = "TEST_TOOL_OF"
	DOCUMENTATION_OF       RelationshipType = "DOCUMENTATION_OF"
	OPTIONAL_COMPONENT_OF  RelationshipType = "OPTIONAL_COMPONENT_OF"
	METAFILE_OF            RelationshipType = "METAFILE_OF"
	PACKAGE_OF             RelationshipType = "PACKAGE_OF"
	AMENDS                 RelationshipType = "AMENDS"
	PREREQUISITE_FOR       RelationshipType = "PREREQUISITE_FOR"
	HAS_PREREQUISITE       RelationshipType = "HAS_PREREQUISITE"
	OTHER                  RelationshipType = "OTHER"
)
type SPDX ¶
// SPDX builds packages and files from images, image tarballs, archives and
// directories according to its Options; the real work is delegated to an
// implementation set with SetImplementation.
type SPDX struct {
	// contains filtered or unexported fields
}
func (*SPDX) AnalyzeImageLayer ¶
AnalyzeImageLayer uses the collection of image analyzers to see if the layer
matches a known image from which a spdx package can be enriched with more information
func (*SPDX) ExtractTarballTmp ¶
ExtractTarballTmp extracts a tarball to a temporary directory and returns its path (tmpDir)
func (*SPDX) FileFromPath ¶
FileFromPath creates a File object from a path
func (*SPDX) ImageRefToPackage ¶
ImageRefToPackage takes an image reference (tag or digest) and returns an SPDX package describing it. It can take two forms:
- When the reference is a digest (or single image), a single package describing the layers is returned
- When the reference is an image index, the returned package references each of the images, each in its own package. All subpackages are returned with a relationship of VARIANT_OF
func (*SPDX) PackageFromArchive ¶ added in v0.2.0
PackageFromArchive returns a SPDX package from a tarball
func (*SPDX) PackageFromDirectory ¶
PackageFromDirectory indexes all files in a directory and builds a SPDX package describing its contents
func (*SPDX) PackageFromImageTarball ¶
PackageFromImageTarball returns a SPDX package from a tarball
func (*SPDX) PullImagesToArchive ¶
func (spdx *SPDX) PullImagesToArchive(reference, path string) ([]struct { Reference string Archive string Arch string OS string }, error)
PullImagesToArchive
func (*SPDX) SetImplementation ¶
func (spdx *SPDX) SetImplementation(impl spdxImplementation)
type TarballOptions ¶
// TarballOptions is the set of options for processing tar files.
type TarballOptions struct {
	ExtractDir string // Directory where the docker tar archive will be extracted
	AddFiles   bool   // Add the files found inside the tarball as well (presumably mirrors Options.AddTarFiles — confirm)
}
TarballOptions is the set of options for processing tar files
type YamlBOMConfiguration ¶
// YamlBOMConfiguration is the YAML shape of the SBOM configuration file
// (DocGenerateOptions.ConfigFile); presumably what ReadYamlConfiguration
// decodes — confirm. Its values come from a user-supplied file and flow into
// the document's identifying fields (namespace, name, creator).
type YamlBOMConfiguration struct {
	Namespace string `yaml:"namespace"` // Document namespace (a unique URI)
	License   string `yaml:"license"`   // Document wide license
	Name      string `yaml:"name"`      // Document name
	Creator   struct {
		Person string `yaml:"person"` // Creator person
		Tool   string `yaml:"tool"`   // Creator tool
	} `yaml:"creator"`
	ExternalDocRefs []ExternalDocumentRef `yaml:"external-docs"` // Related external documents
	Artifacts       []*YamlBuildArtifact  `yaml:"artifacts"`     // Artifacts to describe in the document
}