spdx

package
Published: Jan 15, 2024 License: Apache-2.0 Imports: 52 Imported by: 11

Documentation

Overview

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

SHA1 is the currently accepted hash algorithm for SPDX documents, used for file integrity checks, NOT security. Instances of G401 and G505 can be safely ignored in this file.

ref: https://github.com/spdx/spdx-spec/issues/11

Index

Constants

// Well-known Go module file names looked for in a module directory
// (see GoModuleOptions.Path).
const (
	GoModFileName = "go.mod" // module definition
	GoSumFileName = "go.sum" // module checksum database
)
// Special SPDX values and category names used across the package.
const (

	// Special SPDX expressions used where no concrete value is asserted
	NONE        = "NONE"
	NOASSERTION = "NOASSERTION"

	// External reference category for package-manager locators; matches the
	// hyphenated key in ExternalRefCategories.
	CatPackageManager = "PACKAGE-MANAGER"
)
// FormatJSON is the JSON format for an SPDX document.
const FormatJSON = "json"

FormatJSON is the JSON format for an SPDX document.

// FormatTagValue is the default (tag-value) format for an SPDX document.
const FormatTagValue = "tag-value"

FormatTagValue is the default format for an SPDX document.

// Messages reported by file integrity validation.
const (
	// MessageHashMismatch is the message used when a file's recorded checksum
	// does not match the one computed from disk — presumably surfaced through
	// ValidationResults.Message; confirm against Document.ValidateFiles.
	MessageHashMismatch = "Hash mismatch"
)

Variables

// DefaultProvenanceOptions is the relationship filter applied when no explicit
// ProvenanceOptions are given: nothing is force-included, and EXAMPLE_OF and
// DEPENDS_ON relationships are excluded, since examples and dependencies are
// not considered part of the document being attested.
var DefaultProvenanceOptions = &ProvenanceOptions{
	Relationships: map[string][]RelationshipType{
		"include": {},
		"exclude": {
			EXAMPLE_OF,
			DEPENDS_ON,
		},
	},
}

DefaultProvenanceOptions excludes examples and dependencies, which are not considered part of the document.

// ExternalRefCategories maps each external reference category (ExternalRef.Category)
// to the reference types (ExternalRef.Type) accepted under it. Both the hyphenated
// and the underscored spellings of the multi-word categories are accepted.
var ExternalRefCategories = map[string][]string{
	"SECURITY":        {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"},
	"PACKAGE_MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
	"PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
	"PERSISTENT-ID":   {"swh", "gitoid"},
	"PERSISTENT_ID":   {"swh", "gitoid"},
	"OTHER":           {}, // any type is accepted under OTHER
}
// PackagePurposes lists the valid values for Package.PrimaryPurpose, as defined
// by the SPDX 2.3 primary package purpose field:
// https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
var PackagePurposes = []string{
	"APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
	"DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
}

PackagePurposes lists the valid package purposes https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field

// SupportedHashAlgorithms names the checksum algorithms this package handles
// for file integrity checks. SHA1 is present because it is the algorithm the
// SPDX spec currently requires for documents; it is used for integrity, not
// security (see the package overview).
//
// NOTE(review): "SHA25" is not a valid SPDX checksum algorithm name and looks
// like a typo (the neighbouring entries suggest "SHA512" was intended). Until
// it is corrected, any checksum recorded under the intended algorithm will be
// silently ignored by whatever consults this list — confirm against the
// checksum code that consumes it before changing the value.
var (
	SupportedHashAlgorithms = []string{"SHA1", "SHA256", "SHA25"}
)

Functions

func Banner() string

func DetectSBOMEncoding added in v0.3.0

func DetectSBOMEncoding(f *os.File) (format string, err error)

DetectSBOMEncoding reads a few bytes from the SBOM and returns the detected format.

func PullImageToArchive

func PullImageToArchive(referenceString, path string) error

Types

type ArchiveManifest

// ArchiveManifest is the decoded manifest of a container image archive.
// NOTE(review): the JSON tags match the top-level entries of a docker image
// tarball's manifest.json — confirm against PackageFromImageTarball.
type ArchiveManifest struct {
	ConfigFilename string   `json:"Config"`   // image config file inside the archive
	RepoTags       []string `json:"RepoTags"` // tags the archived image was saved under
	LayerFiles     []string `json:"Layers"`   // layer tarballs inside the archive
}

type ContainerLayerAnalyzer

// ContainerLayerAnalyzer is an interface that knows how to read a known
// container layer and populate an SPDX package with data derived from it.
type ContainerLayerAnalyzer interface {
	// ReadPackageData reads the layer at layerPath and enriches pkg.
	ReadPackageData(layerPath string, pkg *Package) error
	// CanHandle reports whether this analyzer recognizes the layer at layerPath.
	CanHandle(layerPath string) (bool, error)
}

ContainerLayerAnalyzer is an interface that knows how to read a known container layer and populate a SPDX package

type ContainerLayerAnalyzerOptions

// ContainerLayerAnalyzerOptions configures a ContainerLayerAnalyzer.
type ContainerLayerAnalyzerOptions struct {
	LicenseCacheDir string // Directory to cache SPDX license downloads (mirrors Options.LicenseCacheDir)
}

type DocBuilder

// DocBuilder is a tool to write SPDX SBOMs. It is configured through
// NewDocBuilderOption values passed to NewDocBuilder; per-document settings
// are passed to Generate in a DocGenerateOptions struct.
type DocBuilder struct {
	// contains filtered or unexported fields
}

DocBuilder is a tool to write SPDX SBOMs. It is configurable by defining values in its DocBuilderOptions. Options to customize the generated document are passed to the Generate() method in DocGenerateOptions struct.

func NewDocBuilder

func NewDocBuilder(options ...NewDocBuilderOption) *DocBuilder

func (*DocBuilder) Generate

func (db *DocBuilder) Generate(genopts *DocGenerateOptions) (*Document, error)

Generate creates a new SPDX SBOM. The resulting document will describe all the artifacts specified in the DocGenerateOptions struct passed.

type DocBuilderImplementation

// DocBuilderImplementation is the set of operations DocBuilder delegates to.
// The first group handles configuration, client setup and output; the second
// group builds the document from the artifact sources named in
// DocGenerateOptions (Directories, Images, Tarballs, Archives, Files).
type DocBuilderImplementation interface {
	WriteDoc(*Document, string) error
	ReadYamlConfiguration(string, *DocGenerateOptions) error
	CreateSPDXClient(*DocGenerateOptions, *DocBuilderOptions) (*SPDX, error)
	ValidateOptions(*DocGenerateOptions) error

	// Document generation functions: create the document, then add one
	// package per artifact source.
	CreateDocument(*DocGenerateOptions, *SPDX) (*Document, error)
	ScanDirectories(*DocGenerateOptions, *SPDX, *Document) error
	ScanImages(*DocGenerateOptions, *SPDX, *Document) error
	ScanImageArchives(*DocGenerateOptions, *SPDX, *Document) error
	ScanArchives(*DocGenerateOptions, *SPDX, *Document) error
	ScanFiles(*DocGenerateOptions, *SPDX, *Document) error
}

type DocBuilderOptions

// DocBuilderOptions holds builder-wide settings, as opposed to the
// per-document settings in DocGenerateOptions.
type DocBuilderOptions struct {
	WorkDir string // Working directory (defaults to a tmp dir)
}

type DocGenerateOptions

// DocGenerateOptions customizes a single document produced by DocBuilder.Generate:
// which artifacts to describe, how to scan them, and the document metadata
// (name, namespace, creator, license) to emit.
type DocGenerateOptions struct {
	AnalyseLayers       bool                  // A flag that controls if deep layer analysis should be performed
	NoGitignore         bool                  // Do not read exclusions from gitignore file
	ProcessGoModules    bool                  // Analyze go.mod to include data about packages
	OnlyDirectDeps      bool                  // Only include direct dependencies from go.mod
	ScanLicenses        bool                  // Try to look into files to determine their license
	ScanImages          bool                  // When true, scan images for OS information
	ConfigFile          string                // Path to SBOM configuration file (see YamlBOMConfiguration)
	Format              string                // Output format; see FormatTagValue (default) and FormatJSON
	OutputFile          string                // Output location
	Name                string                // Name to use in the resulting document
	Namespace           string                // Namespace for the document (a unique URI)
	CreatorPerson       string                // Document creator information
	License             string                // Main license of the document
	LicenseListVersion  string                // Version of the SPDX list to use
	Tarballs            []string              // A slice of docker archives (tar)
	Archives            []string              // A list of archive files to add as packages
	Files               []string              // A slice of naked files to include in the bom
	Images              []string              // A slice of docker images
	Directories         []string              // A slice of directories to convert into packages
	IgnorePatterns      []string              // A slice of regexp patterns to ignore when scanning dirs
	ExternalDocumentRef []ExternalDocumentRef // List of external documents related to the bom
}

func (*DocGenerateOptions) Validate

func (o *DocGenerateOptions) Validate() error

type Document

// Document abstracts an SPDX document: its header metadata plus the packages
// and files it describes. The trailing comments on the header fields are
// example values, not defaults.
type Document struct {
	Version     string // SPDX-2.2
	DataLicense string // CC0-1.0
	ID          string // SPDXRef-DOCUMENT
	Name        string // hello-go-src
	Namespace   string // https://swinslow.net/spdx-examples/example6/hello-go-src-v1
	Creator     struct {
		Person       string // Steve Winslow (steve@swinslow.net)
		Organization string
		Tool         []string // github.com/spdx/tools-golang/builder
	}
	Created            time.Time // 2020-11-24T01:12:27Z
	LicenseListVersion string
	Packages           map[string]*Package   // Top-level packages; presumably keyed by SPDX ID — confirm against AddPackage
	Files              map[string]*File      // List of files; presumably keyed by SPDX ID — confirm against AddFile
	ExternalDocRefs    []ExternalDocumentRef // List of related external documents
}

Document abstracts the SPDX document

func NewDocument

func NewDocument() *Document

NewDocument returns a new SPDX document with some defaults preloaded

func OpenDoc

func OpenDoc(path string) (doc *Document, err error)

OpenDoc opens a file, parses an SPDX tag-value file and returns a loaded spdx.Document object. This function has the cyclomatic check disabled because it has a specific case for each of the tags it recognizes.

func (*Document) AddFile

func (d *Document) AddFile(file *File) error

AddFile adds a file contained in the package

func (*Document) AddPackage

func (d *Document) AddPackage(pkg *Package) error

AddPackage adds a new empty package to the document

func (*Document) GetElementByID added in v0.2.2

func (d *Document) GetElementByID(id string) Object

GetElementByID queries the packages to search for a specific entity by ID. Note that this method returns a copy of the entity if found.

func (*Document) GetPackagesByPurl added in v0.3.0

func (d *Document) GetPackagesByPurl(purlSpec *purl.PackageURL, opts ...PurlSearchOption) []*Package

GetPackagesByPurl queries the document packages and returns all that match the specified purl bits

func (*Document) Outline

func (d *Document) Outline(o *DrawingOptions) (outline string, err error)

Outline draws an outline of the relationships inside the doc

func (*Document) Render

func (d *Document) Render() (doc string, err error)

Render renders the SPDX manifest.

func (*Document) ToProvenanceStatement

func (d *Document) ToProvenanceStatement(opts *ProvenanceOptions) *provenance.Statement

func (*Document) ValidateFiles added in v0.3.0

func (d *Document) ValidateFiles(filePaths []string) ([]ValidationResults, error)

ValidateFiles gets a list of paths and checks the files in the document to make sure their integrity is known

func (*Document) Write

func (d *Document) Write(path string) error

Write outputs the SPDX document into a file

func (*Document) WriteProvenanceStatement added in v0.2.0

func (d *Document) WriteProvenanceStatement(opts *ProvenanceOptions, path string) error

WriteProvenanceStatement writes the sbom as an in-toto provenance statement

type DrawingOptions

// DrawingOptions controls how Document.Outline, Package.Draw and File.Draw
// render the relationship tree. Field semantics are not documented on this
// page; the names below are the only guide — confirm against the Draw methods.
type DrawingOptions struct {
	Width       int
	Height      int
	Recursion   int
	DisableTerm bool
	LastItem    bool
	SkipName    bool
	OnlyIDs     bool
	ASCIIOnly   bool
	Purls       bool
	Version     bool
}

type Entity

// Entity holds the fields and behaviour shared by the SPDX objects in a
// document; Package and File embed it and override parts of its method set.
type Entity struct {
	ID               string            // Identifier string for the object in the doc
	SourceFile       string            // Local file to read for information
	Name             string            // Name of the package
	DownloadLocation string            // Download point for the entity
	CopyrightText    string            // NOASSERTION
	FileName         string            // Name of the file
	LicenseConcluded string            // LicenseID or NOASSERTION
	LicenseComments  string            // record any relevant background information or analysis that went in to arriving at the Concluded License
	Opts             *ObjectOptions    // Entity options
	Relationships    []*Relationship   // List of objects that have a relationship with this package
	Checksum         map[string]string // Collection of source file checksums, keyed by algorithm name
}

func (*Entity) AddRelationship

func (e *Entity) AddRelationship(rel *Relationship)

AddRelationship adds a related object to the entity, to be rendered in the document. The exact output depends on the related object's options.

func (*Entity) BuildID

func (e *Entity) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*Entity) GetElementByID added in v0.2.2

func (e *Entity) GetElementByID(string) Object

GetElementByID nil function to be overridden by package and file

func (*Entity) GetRelationships

func (e *Entity) GetRelationships() *[]*Relationship

func (*Entity) Options

func (e *Entity) Options() *ObjectOptions

func (*Entity) ReadChecksums

func (e *Entity) ReadChecksums(filePath string) error

ReadChecksums receives a path to a file and calculates its checksums

func (*Entity) ReadSourceFile

func (e *Entity) ReadSourceFile(path string) error

ReadSourceFile reads the source file for the package and populates

the fields derived from it (Checksums and FileName)

func (*Entity) Render

func (e *Entity) Render() (string, error)

Render is overridden by Package and File with their own variants

func (*Entity) SPDXID

func (e *Entity) SPDXID() string

SPDXID returns the SPDX reference string for the object

func (*Entity) SetSPDXID added in v0.2.2

func (e *Entity) SetSPDXID(id string)

SetSPDXID sets the SPDX reference string for the object.

func (*Entity) ToProvenanceSubject

func (e *Entity) ToProvenanceSubject() *intoto.Subject

ToProvenanceSubject converts the element to an in-toto subject, suitable for use in provenance attestations.

type ExternalDocumentRef

// ExternalDocumentRef is a pointer to an external, related SPDX document.
// The yaml tags let it be declared in the YAML BOM configuration
// (YamlBOMConfiguration.ExternalDocRefs).
type ExternalDocumentRef struct {
	ID        string            `yaml:"id"`        // Identifier for the external doc (eg "external-source-bom")
	URI       string            `yaml:"uri"`       // URI where the doc can be retrieved
	Checksums map[string]string `yaml:"checksums"` // Document checksums, keyed by algorithm name
}

ExternalDocumentRef is a pointer to an external, related document

func (*ExternalDocumentRef) ReadSourceFile

func (ed *ExternalDocumentRef) ReadSourceFile(path string) error

ReadSourceFile populates the external reference data (the sha256 checksum) from a given path

func (*ExternalDocumentRef) String

func (ed *ExternalDocumentRef) String() string

String returns the SPDX string of the external document ref

type ExternalRef

// ExternalRef is an SPDX external reference attached to a Package. Valid
// Category/Type combinations are listed in ExternalRefCategories.
//
// Example: cpe23Type cpe:2.3:a:base-files:base-files:10.3+deb10u9:*:*:*:*:*:*:*
type ExternalRef struct {
	Category string // SECURITY | PACKAGE-MANAGER | PERSISTENT-ID | OTHER
	Type     string // cpe22Type | cpe23Type | maven-central | npm | nuget | bower | purl | swh | other
	Locator  string // unique string with no spaces
}

Example: cpe23Type cpe:2.3:a:base-files:base-files:10.3+deb10u9:*:*:*:*:*:*:*

type File

// File abstracts a file contained in a package. It embeds Entity and adds
// the file-specific SPDX fields.
type File struct {
	Entity
	FileType          []string
	LicenseInfoInFile string // GPL-3.0-or-later
}

File abstracts a file contained in a package

func NewFile

func NewFile() (f *File)

func (*File) BuildID

func (f *File) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*File) Draw

func (f *File) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})

Draw renders the file data as a tree-like structure

func (*File) GetElementByID added in v0.2.2

func (f *File) GetElementByID(id string) Object

GetElementByID search the file and its peers looking for the specified SPDX id. If found, the function returns a copy of the object identified by the SPDX-ID provided

func (*File) ReadSourceFile added in v0.2.0

func (f *File) ReadSourceFile(path string) error

func (*File) Render

func (f *File) Render() (docFragment string, err error)

Render renders the document fragment of a file

func (*File) SetEntity

func (f *File) SetEntity(e *Entity)

type Format added in v0.3.0

// Format is a valid output format for an SPDX document; see FormatTagValue
// and FormatJSON.
type Format string

Format is valid format for an SPDX document.

type GoModDefaultImpl

// GoModDefaultImpl is the default GoModImplementation: it opens go.mod,
// builds and downloads the package list, and scans package licenses.
type GoModDefaultImpl struct {
	// contains filtered or unexported fields
}

func (*GoModDefaultImpl) BuildPackageList

func (di *GoModDefaultImpl) BuildPackageList(gomod *modfile.File) ([]*GoPackage, error)

BuildPackageList builds a slice of packages to assign to the module

func (*GoModDefaultImpl) DownloadPackage

func (di *GoModDefaultImpl) DownloadPackage(pkg *GoPackage, _ *GoModuleOptions, force bool) error

DownloadPackage takes a pkg, downloads it from its src and sets

the download dir in the LocalDir field

func (*GoModDefaultImpl) LicenseReader

func (di *GoModDefaultImpl) LicenseReader() (*license.Reader, error)

LicenseReader returns a license reader

func (*GoModDefaultImpl) OpenModule

func (di *GoModDefaultImpl) OpenModule(opts *GoModuleOptions) (*modfile.File, error)

OpenModule opens the go.mod file for the module and parses it.

func (*GoModDefaultImpl) RemoveDownloads

func (di *GoModDefaultImpl) RemoveDownloads(packageList []*GoPackage) error

RemoveDownloads takes a list of packages and removes their downloads.

func (*GoModDefaultImpl) ScanPackageLicense

func (di *GoModDefaultImpl) ScanPackageLicense(
	pkg *GoPackage, reader *license.Reader, _ *GoModuleOptions,
) error

ScanPackageLicense scans a package for licensing info

type GoModImplementation

// GoModImplementation is the set of operations GoModule delegates to, so the
// module handling can be swapped out (GoModDefaultImpl is the default).
type GoModImplementation interface {
	OpenModule(*GoModuleOptions) (*modfile.File, error)
	BuildPackageList(*modfile.File) ([]*GoPackage, error)
	DownloadPackage(*GoPackage, *GoModuleOptions, bool) error
	RemoveDownloads([]*GoPackage) error
	LicenseReader() (*license.Reader, error)
	ScanPackageLicense(*GoPackage, *license.Reader, *GoModuleOptions) error
}

type GoModule

// GoModule abstracts the go module data of a project: the parsed go.mod and
// the packages derived from it.
type GoModule struct {
	GoMod *modfile.File // parsed go.mod, populated by Open

	Packages []*GoPackage // packages assigned to the module; each carries its download location
	// contains filtered or unexported fields
}

GoModule abstracts the go module data of a project

func NewGoModule

func NewGoModule() *GoModule

func NewGoModuleFromPath

func NewGoModuleFromPath(path string) (*GoModule, error)

NewGoModuleFromPath returns a new go module from the specified path.

func (*GoModule) BuildFullPackageList

func (mod *GoModule) BuildFullPackageList(_ *modfile.File) (packageList []*GoPackage, err error)

BuildFullPackageList returns the complete list of packages imported into the module. Instead of reading go.mod, this function calls go list and works from there.

func (*GoModule) DownloadPackages

func (mod *GoModule) DownloadPackages() error

DownloadPackages downloads all the module's packages to the local disk

func (*GoModule) Open

func (mod *GoModule) Open() error

Open initializes a go module from the specified path.

func (*GoModule) Options

func (mod *GoModule) Options() *GoModuleOptions

Options returns a pointer to the module options set

func (*GoModule) RemoveDownloads

func (mod *GoModule) RemoveDownloads() error

RemoveDownloads cleans all downloads

func (*GoModule) ScanLicenses

func (mod *GoModule) ScanLicenses() error

ScanLicenses scans the licenses and populates the fields.

type GoModuleOptions

// GoModuleOptions configures how a GoModule is opened and analyzed.
type GoModuleOptions struct {
	Path           string // Path to the dir where go.mod resides
	OnlyDirectDeps bool   // Only include direct dependencies from go.mod
	ScanLicenses   bool   // Scan licenses from every possible place unless false
}

type GoPackage

// GoPackage is the basic package data needed to describe a Go dependency
// and convert it into an SPDX Package (see ToSPDXPackage).
type GoPackage struct {
	TmpDir        bool   // presumably whether LocalDir is a temporary download dir — confirm against DownloadPackage
	ImportPath    string // Go import path of the package
	Revision      string // module version / revision
	LocalDir      string // download dir, set by DownloadPackage
	LocalInstall  string
	LicenseID     string // SPDX license ID found by ScanPackageLicense
	CopyrightText string
}

GoPackage basic pkg data we need

func (*GoPackage) PackageURL added in v0.3.0

func (pkg *GoPackage) PackageURL() string

PackageURL returns a purl if the go package has enough data to generate one. If data is missing, it will return an empty string

func (*GoPackage) ToSPDXPackage

func (pkg *GoPackage) ToSPDXPackage() (*Package, error)

ToSPDXPackage builds an SPDX package from the go package data.

type ImageAnalyzer

// ImageAnalyzer checks container image layers to see whether more
// information can be added to an SPDX package based on their content. Each
// analyzer in Analyzers is written for one layer type.
type ImageAnalyzer struct {
	Analyzers map[string]ContainerLayerAnalyzer // layer analyzers, keyed by name
}

ImageAnalyzer is an object that checks images to see if we can add more information to a spdx package based on its content. Each analyzer is written specifically for a layer type. The idea is to be able to enrich common base images with more data to have the most common images covered.

func NewImageAnalyzer

func NewImageAnalyzer() *ImageAnalyzer

func (*ImageAnalyzer) AnalyzeLayer

func (ia *ImageAnalyzer) AnalyzeLayer(layerPath string, pkg *Package) error

AnalyzeLayer is the main method of the analyzer

it will query each of the analyzers to see if more
information can be extracted from the layer to enrich the
SPDX package referenced by pkg

type ImageReferenceInfo added in v0.4.0

// ImageReferenceInfo carries information about a container image reference.
// For an image index, Images holds one entry per platform-specific image
// (see ImageRefToPackage).
type ImageReferenceInfo struct {
	Digest    string
	Reference string
	Archive   string // local archive the image was pulled to
	Arch      string
	OS        string
	MediaType string
	Images    []ImageReferenceInfo // sub-images when the reference is an index
}

ImageReferenceInfo is a type to move information about a container image reference

type NewDocBuilderOption added in v0.3.0

// NewDocBuilderOption is a function that operates on a newDocBuilderSettings
// object; pass one or more to NewDocBuilder (see WithFormat).
type NewDocBuilderOption func(*newDocBuilderSettings)

NewDocBuilderOption is a function that operates on a newDocBuilderSettings object.

func WithFormat added in v0.3.0

func WithFormat(format Format) NewDocBuilderOption

WithFormat returns a NewDocBuilderOption setting the format.

type Object

// Object is an interface that dictates the common methods of SPDX objects.
// Currently this includes files and packages.
type Object interface {
	SPDXID() string
	SetSPDXID(string)
	ReadSourceFile(string) error
	Render() (string, error)
	BuildID(seeds ...string)
	SetEntity(*Entity)
	AddRelationship(*Relationship)
	GetRelationships() *[]*Relationship
	ToProvenanceSubject() *intoto.Subject

	// GetElementByID searches the object and its peers for the given SPDX ID.
	GetElementByID(string) Object
	// contains filtered or unexported methods
}

Object is an interface that dictates the common methods of spdx objects. Currently this includes files and packages.

type ObjectOptions

// ObjectOptions are the per-entity options stored in Entity.Opts.
// NOTE(review): Prefix presumably feeds BuildID/SPDXID — confirm.
type ObjectOptions struct {
	Prefix  string
	WorkDir string
}

type Options

// Options configures an SPDX client (see SPDX.Options).
type Options struct {
	AnalyzeLayers      bool     // Perform deep layer analysis on container images
	NoGitignore        bool     // Do not read exclusions from gitignore file
	ProcessGoModules   bool     // If true, spdx will check if dirs are go modules and analyze the packages
	OnlyDirectDeps     bool     // Only include direct dependencies from go.mod
	ScanLicenses       bool     // Scan licenses from every possible place unless false
	AddTarFiles        bool     // Scan and add files inside of tarfiles
	ScanImages         bool     // When true, scan container images for OS information
	LicenseCacheDir    string   // Directory to cache SPDX license downloads
	LicenseData        string   // Directory to store the SPDX licenses
	LicenseListVersion string   // Version of the SPDX license list to use
	IgnorePatterns     []string // Patterns to ignore when scanning files
}

type Package

// Package groups a set of files (and optionally subpackages) into an SPDX
// package. It embeds Entity for the shared fields and a sync.RWMutex, so a
// Package must be passed by pointer and never copied.
type Package struct {
	Entity
	sync.RWMutex
	FilesAnalyzed        bool     // true
	VerificationCode     string   // 6486e016b01e9ec8a76998cefd0705144d869234
	LicenseInfoFromFiles []string // GPL-3.0-or-later
	LicenseDeclared      string   // GPL-3.0-or-later
	Version              string   // Package version
	Comment              string   // a place for the SPDX document creator to record any general comments
	HomePage             string   // A web site that serves as the package home page
	PrimaryPurpose       string   // Estimate of the most likely package usage; see PackagePurposes

	// Supplier: the actual distribution source for the package/directory
	Supplier struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}
	// Originator: For example, the SPDX file identifies the package glibc and Red Hat as the Package Supplier,
	// but the Free Software Foundation is the Package Originator.
	Originator struct {
		Person       string // person name and optional (<email>)
		Organization string // organization name and optional (<email>)
	}

	ExternalRefs []ExternalRef // List of external references (see ExternalRefCategories)
}

Package groups a set of files

func NewPackage

func NewPackage() (p *Package)

func (*Package) AddDependency

func (p *Package) AddDependency(pkg *Package) error

AddDependency adds a new subpackage as a dependency

func (*Package) AddFile

func (p *Package) AddFile(file *File) error

AddFile adds a file contained in the package

func (*Package) AddPackage

func (p *Package) AddPackage(pkg *Package) error

AddPackage adds a new subpackage to a package

func (*Package) BuildID

func (p *Package) BuildID(seeds ...string)

BuildID sets the file ID, optionally from a series of strings

func (*Package) CheckRelationships

func (p *Package) CheckRelationships() error

CheckRelationships ensures all linked relationships are complete before rendering.

func (*Package) ComputeLicenseList added in v0.3.0

func (p *Package) ComputeLicenseList() error

ComputeLicenseList computes the license list from the files contained in the package.

func (*Package) ComputeVerificationCode added in v0.3.0

func (p *Package) ComputeVerificationCode() error

ComputeVerificationCode calculates the package verification code according to the SPDX spec

func (*Package) Draw

func (p *Package) Draw(builder *strings.Builder, o *DrawingOptions, depth int, seen *map[string]struct{})

Draw renders the package data as a tree-like structure

func (*Package) Files

func (p *Package) Files() []*File

Files returns all contained files in the package

func (*Package) GetElementByID added in v0.2.2

func (p *Package) GetElementByID(id string) Object

GetElementByID search the package and its peers looking for the specified SPDX id. If found, the function returns a copy of the object

func (*Package) GetPackagesByPurl added in v0.3.0

func (p *Package) GetPackagesByPurl(purlSpec *purl.PackageURL, opts ...PurlSearchOption) []*Package

GetPackagesByPurl queries the package and returns all the nodes it is connected to that match the specified purl bits

func (*Package) Purl added in v0.3.0

func (p *Package) Purl() *purl.PackageURL

Purl searches the external refs in the package and returns a parsed purl if it finds a purl PACKAGE_MANAGER extref.

func (*Package) PurlMatches added in v0.3.0

func (p *Package) PurlMatches(spec *purl.PackageURL, _ ...PurlSearchOption) bool

PurlMatches gets a spec url and returns true if its defined parts match the analog parts in the package's purl

func (*Package) ReadSourceFile added in v0.2.0

func (p *Package) ReadSourceFile(path string) error

ReadSourceFile reads a file from the filesystem and assigns its properties to the package metadata

func (*Package) Render

func (p *Package) Render() (docFragment string, err error)

Render renders the document fragment of the package

func (*Package) SetEntity

func (p *Package) SetEntity(e *Entity)

type ProvenanceOptions

// ProvenanceOptions controls which relationships are followed when turning a
// Document into a provenance statement. Relationships is keyed by "include"
// and "exclude" (see DefaultProvenanceOptions).
type ProvenanceOptions struct {
	Relationships map[string][]RelationshipType
}

type PurlSearchOption added in v0.3.0

// PurlSearchOption tunes how GetPackagesByPurl / PurlMatches compare purls.
type PurlSearchOption string

// OptionVersionPattern requests that the version part be treated as a pattern.
// NOTE(review): the exact matching rule is not shown on this page — confirm against PurlMatches.
const OptionVersionPattern PurlSearchOption = "VERSION_PATTERN"

type Relationship

// Relationship links an SPDX object to a peer object, either inside this
// document or in an external one.
type Relationship struct {
	FullRender       bool             // Flag; when true the peer package will be rendered in the doc
	PeerReference    string           // SPDX Ref of the peer object. Will override the ID of provided package if set
	PeerExtReference string           // External doc reference if peer is a different doc
	Comment          string           // Relationship comment
	Type             RelationshipType // Relationship of the specified package
	Peer             Object           // SPDX object that acts as peer
}

func (*Relationship) Render

func (ro *Relationship) Render(hostObject Object) (string, error)

type RelationshipType

// RelationshipType is the SPDX relationship type between two elements.
type RelationshipType string

// SPDX relationship types, spelled as they appear in a document.
const (
	DESCRIBES                   RelationshipType = "DESCRIBES"
	DESCRIBED_BY                RelationshipType = "DESCRIBED_BY"
	CONTAINS                    RelationshipType = "CONTAINS"
	CONTAINED_BY                RelationshipType = "CONTAINED_BY"
	DEPENDS_ON                  RelationshipType = "DEPENDS_ON"
	DEPENDENCY_OF               RelationshipType = "DEPENDENCY_OF"
	DEPENDENCY_MANIFEST_OF      RelationshipType = "DEPENDENCY_MANIFEST_OF"
	BUILD_DEPENDENCY_OF         RelationshipType = "BUILD_DEPENDENCY_OF"
	DEV_DEPENDENCY_OF           RelationshipType = "DEV_DEPENDENCY_OF"
	OPTIONAL_DEPENDENCY_OF      RelationshipType = "OPTIONAL_DEPENDENCY_OF"
	PROVIDED_DEPENDENCY_OF      RelationshipType = "PROVIDED_DEPENDENCY_OF"
	TEST_DEPENDENCY_OF          RelationshipType = "TEST_DEPENDENCY_OF"
	RUNTIME_DEPENDENCY_OF       RelationshipType = "RUNTIME_DEPENDENCY_OF"
	EXAMPLE_OF                  RelationshipType = "EXAMPLE_OF"
	GENERATES                   RelationshipType = "GENERATES"
	GENERATED_FROM              RelationshipType = "GENERATED_FROM"
	ANCESTOR_OF                 RelationshipType = "ANCESTOR_OF"
	DESCENDANT_OF               RelationshipType = "DESCENDANT_OF"
	VARIANT_OF                  RelationshipType = "VARIANT_OF"
	DISTRIBUTION_ARTIFACT       RelationshipType = "DISTRIBUTION_ARTIFACT"
	PATCH_FOR                   RelationshipType = "PATCH_FOR"
	PATCH_APPLIED               RelationshipType = "PATCH_APPLIED"
	COPY_OF                     RelationshipType = "COPY_OF"
	FILE_ADDED                  RelationshipType = "FILE_ADDED"
	FILE_DELETED                RelationshipType = "FILE_DELETED"
	FILE_MODIFIED               RelationshipType = "FILE_MODIFIED"
	EXPANDED_FROM_ARCHIVE       RelationshipType = "EXPANDED_FROM_ARCHIVE"
	DYNAMIC_LINK                RelationshipType = "DYNAMIC_LINK"
	STATIC_LINK                 RelationshipType = "STATIC_LINK"
	DATA_FILE_OF                RelationshipType = "DATA_FILE_OF"
	TEST_CASE_OF                RelationshipType = "TEST_CASE_OF"
	BUILD_TOOL_OF               RelationshipType = "BUILD_TOOL_OF"
	DEV_TOOL_OF                 RelationshipType = "DEV_TOOL_OF"
	TEST_OF                     RelationshipType = "TEST_OF"
	TEST_TOOL_OF                RelationshipType = "TEST_TOOL_OF"
	DOCUMENTATION_OF            RelationshipType = "DOCUMENTATION_OF"
	OPTIONAL_COMPONENT_OF       RelationshipType = "OPTIONAL_COMPONENT_OF"
	METAFILE_OF                 RelationshipType = "METAFILE_OF"
	PACKAGE_OF                  RelationshipType = "PACKAGE_OF"
	AMENDS                      RelationshipType = "AMENDS"
	PREREQUISITE_FOR            RelationshipType = "PREREQUISITE_FOR"
	HAS_PREREQUISITE            RelationshipType = "HAS_PREREQUISITE"
	REQUIREMENT_DESCRIPTION_FOR RelationshipType = "REQUIREMENT_DESCRIPTION_FOR"
	SPECIFICATION_FOR           RelationshipType = "SPECIFICATION_FOR"
	OTHER                       RelationshipType = "OTHER"
)

type SPDX

// SPDX is the client that turns directories, files, archives and container
// images into SPDX packages. Its behaviour is configured through Options and
// can be swapped out with SetImplementation.
type SPDX struct {
	// contains filtered or unexported fields
}

func NewSPDX

func NewSPDX() *SPDX

func (*SPDX) AnalyzeImageLayer

func (spdx *SPDX) AnalyzeImageLayer(layerPath string, pkg *Package) error

AnalyzeImageLayer uses the collection of image analyzers to see if

the layer matches a known image from which an SPDX package can be
enriched with more information

func (*SPDX) ExtractTarballTmp

func (spdx *SPDX) ExtractTarballTmp(tarPath string) (tmpDir string, err error)

ExtractTarballTmp extracts a tarball to a temporary directory.

func (*SPDX) FileFromPath

func (spdx *SPDX) FileFromPath(filePath string) (*File, error)

FileFromPath creates a File object from a path

func (*SPDX) ImageRefToPackage

func (spdx *SPDX) ImageRefToPackage(reference string) (pkg *Package, err error)

ImageRefToPackage gets an image reference (tag or digest) and returns a spdx package describing it. It can take two forms:

  • When the reference is a digest (or single image), a single package describing the layers is returned
  • When the reference is an image index, the returned package references each of the images, each in its own package. All subpackages are returned with a relationship of VARIANT_OF

func (*SPDX) Options

func (spdx *SPDX) Options() *Options

func (*SPDX) PackageFromArchive added in v0.2.0

func (spdx *SPDX) PackageFromArchive(archivePath string) (imagePackage *Package, err error)

PackageFromArchive returns a SPDX package from a tarball

func (*SPDX) PackageFromDirectory

func (spdx *SPDX) PackageFromDirectory(dirPath string) (pkg *Package, err error)

PackageFromDirectory indexes all files in a directory and builds a SPDX package describing its contents

func (*SPDX) PackageFromImageTarball

func (spdx *SPDX) PackageFromImageTarball(tarPath string) (imagePackage *Package, err error)

PackageFromImageTarball returns a SPDX package from a tarball

func (*SPDX) PullImagesToArchive

func (spdx *SPDX) PullImagesToArchive(reference, path string) (*ImageReferenceInfo, error)

PullImagesToArchive downloads all the images found from a reference to disk

func (*SPDX) SetImplementation

func (spdx *SPDX) SetImplementation(impl spdxImplementation)

type TarballOptions

// TarballOptions is the set of options for processing tar files.
type TarballOptions struct {
	ExtractDir string // Directory where the docker tar archive will be extracted
	AddFiles   bool   // Also add the files inside the archive (see Options.AddTarFiles)
}

TarballOptions is a set of options for processing tar files.

type ValidationResults added in v0.3.0

// ValidationResults reports the outcome of checking one file's recorded
// checksums against its on-disk content (see Document.ValidateFiles).
type ValidationResults struct {
	Success          bool     // presumably true only when every checked algorithm matched — confirm against ValidateFiles
	Message          string   // human-readable outcome, e.g. MessageHashMismatch
	FileName         string   // file the result refers to
	FailedAlgorithms []string // algorithms whose checksum did not match
}

type YamlBOMConfiguration

// YamlBOMConfiguration is the YAML SBOM configuration file referenced by
// DocGenerateOptions.ConfigFile and read by ReadYamlConfiguration.
type YamlBOMConfiguration struct {
	Namespace string `yaml:"namespace"`
	License   string `yaml:"license"` // Document wide license
	Name      string `yaml:"name"`
	Creator   struct {
		Person string `yaml:"person"`
		Tool   string `yaml:"tool"`
	} `yaml:"creator"`
	ExternalDocRefs []ExternalDocumentRef `yaml:"external-docs"`
	Artifacts       []*YamlBuildArtifact  `yaml:"artifacts"` // artifacts to describe in the document
}

type YamlBuildArtifact

// YamlBuildArtifact is one artifact entry of a YamlBOMConfiguration.
type YamlBuildArtifact struct {
	Type      string `yaml:"type"` //  directory
	Source    string `yaml:"source"`
	License   string `yaml:"license"`   // SPDX license ID Apache-2.0
	GoModules *bool  `yaml:"gomodules"` // Should we scan go modules (nil means unset)
}

Directories

Path Synopsis
json
Code generated by counterfeiter.
Code generated by counterfeiter.
